Play interactive tour

Edit tour

Windows Analysis Report setup.exe

Overview

General Information

Sample Name:	setup.exe
Analysis ID:	502663
MD5:	fe5c2e1333b4477d029dedc9c1b5dd4d
SHA1:	ce7e5a597b98eb1ec36a48e4368997b787228544
SHA256:	fc91558efb40b16dd9f6b0e93c972a0f1ff85cad3ddefdd7028c2628d75a9ab9
Infos:
Most interesting Screenshot:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Uses 32bit PE files

PE file contains strange resources

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

PE file contains executable resources (Code or Archives)

Classification

Process Tree

System is w10x64

setup.exe (PID: 7152 cmdline: 'C:\Users\user\Desktop\setup.exe' MD5: FE5C2E1333B4477D029DEDC9C1B5DD4D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: setup.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, RELOCS_STRIPPED

Source:

Binary string: c:\P4\NIInstallers\trunk\17.5\src\MetaInstaller\Unicode_Release\setup.pdb source: setup.exe, 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_00531CB0 FindFirstFileW,FindClose,

0_2_00531CB0

Source: setup.exe	String found in binary or memory: http://apache.org/xml/UknownNS
Source: setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp	String found in binary or memory: http://apache.org/xml/UknownNSUCS4UCS-4UCS_4UCS-4
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/calculate-src-ofs
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/continue-after-fatal-error
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/disable-default-entity-resolution
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/dom-has-psvi-info
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/dom/byte-order-mark
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/dom/user-adopts-DOMDocument
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotations
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtd
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/schema/ignore-annotations
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/standard-uri-conformant
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/validate-annotations
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/validation-error-as-fatal
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/validation/cache-grammarFromParse
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/validation/dynamic
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/validation/identity-constraint-checking
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/validation/ignoreCachedDTD
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/validation/schema
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/validation/schema-full-checking
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/validation/schema/skip-dtd-validation
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/validation/use-cachedGrammarInParse
Source: setup.exe	String found in binary or memory: http://apache.org/xml/messages/XML4CErrors
Source: setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp	String found in binary or memory: http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI
Source: setup.exe	String found in binary or memory: http://apache.org/xml/messages/XMLDOMMsg
Source: setup.exe	String found in binary or memory: http://apache.org/xml/messages/XMLErrors
Source: setup.exe	String found in binary or memory: http://apache.org/xml/messages/XMLValidity
Source: setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp	String found in binary or memory: http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHxmlxml
Source: setup.exe	String found in binary or memory: http://apache.org/xml/parser-use-DOMDocument-from-Implementation
Source: setup.exe	String found in binary or memory: http://apache.org/xml/properties/scannerName
Source: setup.exe	String found in binary or memory: http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocation
Source: setup.exe	String found in binary or memory: http://apache.org/xml/properties/schema/external-schemaLocation
Source: setup.exe	String found in binary or memory: http://apache.org/xml/properties/security-manager
Source: setup.exe, setup.exe, 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp	String found in binary or memory: http://digital.ni.com/express.nsf/bycode/WinFastStartup
Source: setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp	String found in binary or memory: http://digital.ni.com/express.nsf/bycode/WinFastStartupSOFTWARE
Source: setup.exe, setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp	String found in binary or memory: http://digital.ni.com/express.nsf/bycode/exke86
Source: setup.exe	String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: setup.exe	String found in binary or memory: http://xml.org/sax/features/namespaces
Source: setup.exe	String found in binary or memory: http://xml.org/sax/features/validation

Source: setup.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, RELOCS_STRIPPED

Source: setup.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: setup.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: setup.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_005780FA	0_2_005780FA
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_005713F0	0_2_005713F0
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_00587710	0_2_00587710

Source: setup.exe	Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: setup.exe	Static PE information: Resource name: RT_GROUP_CURSOR type: unicos (cray) executable

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_005F67C0 FormatMessageW,GetLastError,

0_2_005F67C0

Source: C:\Users\user\Desktop\setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_0053F498 FindResourceW,LoadResource,LockResource,FreeResource,

0_2_0053F498

Source: setup.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: setup.exe	String found in binary or memory: jp-ocr-b-add
Source: setup.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: setup.exe	String found in binary or memory: jp-ocr-hand-add
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtd
Source: setup.exe	String found in binary or memory: pre-install
Source: setup.exe	String found in binary or memory: ISO_6937-2-add
Source: setup.exe	String found in binary or memory: The host/address '{0}' could not be resolved
Source: setup.exe	String found in binary or memory: "%s" -startDir "%s" -xmlPath "%s"
Source: setup.exe	String found in binary or memory: NATS-SEFI-ADD
Source: setup.exe	String found in binary or memory: NATS-DANO-ADD
Source: setup.exe	String found in binary or memory: "%s" -v -startDir "%s" -xmlPath "%s"
Source: setup.exe	String found in binary or memory: "%s" -filePath "%s" -startDir "%s" -xmlPath "%s"
Source: setup.exe	String found in binary or memory: User agreed to pre-install.
Source: setup.exe	String found in binary or memory: .NET 3.5 pre-install is needed, but user denied the prompt to install. Cannot continue - exiting.
Source: setup.exe	String found in binary or memory: .NET 3.5 pre-install is disabled via command-line or setup.ini flag -- nothing to do.
Source: setup.exe	String found in binary or memory: .NET 3.5 pre-install is not required on this OS -- nothing to do.
Source: setup.exe	String found in binary or memory: .NET 3.5 not in distribution or pre-install disabled -- nothing to do.
Source: setup.exe	String found in binary or memory: .NET 4.0 pre-install is needed, but user denied the prompt to install. Cannot continue - exiting.
Source: setup.exe	String found in binary or memory: .NET 4.x pre-install is disabled via command-line or setup.ini flag -- nothing to do.
Source: setup.exe	String found in binary or memory: .NET 4.5.x or 4.6.x install requested, but we are on Server 2003 or XP. Skipping pre-install so that the distribution launch (or m
Source: setup.exe	String found in binary or memory: .NET 4.x not in distribution or pre-install disabled -- nothing to do.

Source: classification engine

Classification label: clean5.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\setup.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Jump to behavior

Source: setup.exe

Static file information: File size 1466368 > 1048576

Source: setup.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x144200

Source:

Binary string: c:\P4\NIInstallers\trunk\17.5\src\MetaInstaller\Unicode_Release\setup.pdb source: setup.exe, 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp

Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_0057683A push ecx; ret		0_2_0057684D
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_00576B39 push ecx; ret		0_2_00576B4C

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_0058D233 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_0058D233

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_00538C8C MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,

0_2_00538C8C

Source: C:\Users\user\Desktop\setup.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_0-11812
Source: C:\Users\user\Desktop\setup.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_0-11915

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_00531CB0 FindFirstFileW,FindClose,

0_2_00531CB0

Source: setup.exe

Binary or memory string: hGfsu

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_00570867 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00570867

Source: C:\Users\user\Desktop\setup.exe

0_2_0058D233

Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_00570867 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00570867
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_0056F98F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_0056F98F

Source: C:\Users\user\Desktop\setup.exe	Code function: GetLocaleInfoA,	0_2_0059B90E
Source: C:\Users\user\Desktop\setup.exe	Code function: GetLocaleInfoW,	0_2_005E9980
Source: C:\Users\user\Desktop\setup.exe	Code function: GetLocaleInfoA,	0_2_005981A5
Source: C:\Users\user\Desktop\setup.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_005972AD
Source: C:\Users\user\Desktop\setup.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	0_2_00597350
Source: C:\Users\user\Desktop\setup.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_00597314
Source: C:\Users\user\Desktop\setup.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	0_2_00596DCB

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_005319A0 GetVersionExW,

0_2_005319A0

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Path Interception	Path Interception	Software Packing1	OS Credential Dumping	Security Software Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API2	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information11	LSASS Memory	Application Window Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery12	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
setup.exe	1%	Virustotal	Browse
setup.exe	5%	Metadefender	Browse
setup.exe	7%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://apache.org/xml/parser-use-DOMDocument-from-Implementation	setup.exe	false	high
http://apache.org/xml/messages/XMLValidity	setup.exe	false	high
http://apache.org/xml/features/validation/dynamic	setup.exe	false	high
http://apache.org/xml/features/continue-after-fatal-error	setup.exe	false	high
http://apache.org/xml/features/standard-uri-conformant	setup.exe	false	high
http://apache.org/xml/properties/schema/external-schemaLocation	setup.exe	false	high
http://apache.org/xml/features/dom-has-psvi-info	setup.exe	false	high
http://apache.org/xml/features/validation/identity-constraint-checking	setup.exe	false	high
http://apache.org/xml/UknownNSUCS4UCS-4UCS_4UCS-4	setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp	false	high
http://apache.org/xml/features/validate-annotations	setup.exe	false	high
http://apache.org/xml/features/dom/byte-order-mark	setup.exe	false	high
http://xml.org/sax/features/namespaces	setup.exe	false	high
http://apache.org/xml/features/dom/user-adopts-DOMDocument	setup.exe	false	high
http://apache.org/xml/features/nonvalidating/load-external-dtd	setup.exe	false	high
http://apache.org/xml/features/validation/schema-full-checking	setup.exe	false	high
http://apache.org/xml/features/schema/ignore-annotations	setup.exe	false	high
http://xml.org/sax/features/namespace-prefixes	setup.exe	false	high
http://apache.org/xml/features/generate-synthetic-annotations	setup.exe	false	high
http://apache.org/xml/UknownNS	setup.exe	false	high
http://apache.org/xml/features/validation-error-as-fatal	setup.exe	false	high
http://apache.org/xml/features/calculate-src-ofs	setup.exe	false	high
http://apache.org/xml/features/validation/cache-grammarFromParse	setup.exe	false	high
http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocation	setup.exe	false	high
http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHxmlxml	setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp	false	high
http://xml.org/sax/features/validation	setup.exe	false	high
http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI	setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp	false	high
http://apache.org/xml/features/validation/use-cachedGrammarInParse	setup.exe	false	high
http://apache.org/xml/messages/XML4CErrors	setup.exe	false	high
http://apache.org/xml/properties/security-manager	setup.exe	false	high
http://apache.org/xml/features/validation/schema/skip-dtd-validation	setup.exe	false	high
http://apache.org/xml/properties/scannerName	setup.exe	false	high
http://apache.org/xml/features/disable-default-entity-resolution	setup.exe	false	high
http://apache.org/xml/features/validation/schema	setup.exe	false	high
http://apache.org/xml/features/validation/ignoreCachedDTD	setup.exe	false	high
http://apache.org/xml/messages/XMLDOMMsg	setup.exe	false	high
http://apache.org/xml/messages/XMLErrors	setup.exe	false	high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	502663
Start date:	14.10.2021
Start time:	08:36:46
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	setup.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean5.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 26.7% (good quality ratio 25%) Quality average: 73.1% Quality standard deviation: 28.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.50.102.62, 20.54.110.249, 40.112.88.60, 2.20.178.56, 2.20.178.10, 8.247.248.249, 8.247.248.223, 8.247.244.249, 20.199.120.182, 2.20.178.24, 2.20.178.33, 95.100.216.89 Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.907283747504906
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	setup.exe
File size:	1466368
MD5:	fe5c2e1333b4477d029dedc9c1b5dd4d
SHA1:	ce7e5a597b98eb1ec36a48e4368997b787228544
SHA256:	fc91558efb40b16dd9f6b0e93c972a0f1ff85cad3ddefdd7028c2628d75a9ab9
SHA512:	04892dfb3d356952a3bd4cac9026a3fac52b220af6b8a6371e81293483dbdeb76f08e8182ae0301dedef4d2904a6c113d02d8d48307fe498a428b595b0ec03b4
SSDEEP:	24576:wJx22KNk+2ygEZZU6xUohcGGopn9iWsq/A9fzIDODmJfbtvyYtQEnRA2S/Y:w+29+2yn5+ohcGHpn97s7JzIa6dY4/RC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l...(.pA(.pA(.pA-./A,.pA...A+.pA!..A..pA!..A..pA6..A+.pA.K.A..pA.K.A7.pA(.qA..pA!..A..pA!..A).pA6..A).pA!..A).pARich(.pA.......

File Icon


Icon Hash:	80b0a4b4a4e4e4e4

Static PE Info

General
Entrypoint:	0x90cf20
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x59E4BE15 [Mon Oct 16 14:11:33 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	ab8c7e344596e3e6d6c6a5375f98bde9

Entrypoint Preview

Instruction
pushad
mov esi, 007C9000h
lea edi, dword ptr [esi-003C8000h]
push edi
or ebp, FFFFFFFFh
jmp 00007FA984BCF942h
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007FA984BCF939h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA984BCF91Fh
mov eax, 00000001h
add ebx, ebx
jne 00007FA984BCF939h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007FA984BCF93Dh
jne 00007FA984BCF95Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA984BCF951h
dec eax
add ebx, ebx
jne 00007FA984BCF939h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007FA984BCF906h
add ebx, ebx
jne 00007FA984BCF939h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007FA984BCF984h
xor ecx, ecx
sub eax, 03h
jc 00007FA984BCF943h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007FA984BCF9A7h
sar eax, 1
mov ebp, eax
jmp 00007FA984BCF93Dh
add ebx, ebx
jne 00007FA984BCF939h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA984BCF8FEh
inc ecx
add ebx, ebx
jne 00007FA984BCF939h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA984BCF8F0h
add ebx, ebx
jne 00007FA984BCF939h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007FA984BCF921h
jne 00007FA984BCF93Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FA984BCF916h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [eax+eax]

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[C++] VS2008 build 21022
[EXP] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[ C ] VS2003 (.NET) build 3077
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x52f79c	0x6c	.rsrc
IMAGE_DIRECTORY_ENTRY_IMPORT	0x52f41c	0x380	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x50e000	0x2141c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x50d0cc	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x46e4ec	0xc0	UPX1
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x3c8000	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1	0x3c9000	0x145000	0x144200	False	0.985229162649	data	7.92638129371	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x50e000	0x22000	0x21a00	False	0.829874825743	data	7.3682539138	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x4b2700	0x134	data	English	United States
RT_CURSOR	0x4b2834	0xb4	data	English	United States
RT_CURSOR	0x4b28e8	0x134	data	English	United States
RT_CURSOR	0x4b2a1c	0x134	data	English	United States
RT_CURSOR	0x4b2b50	0x134	data	English	United States
RT_CURSOR	0x4b2c84	0x134	data	English	United States
RT_CURSOR	0x4b2db8	0x134	data	English	United States
RT_CURSOR	0x4b2eec	0x134	data	English	United States
RT_CURSOR	0x4b3020	0x134	data	English	United States
RT_CURSOR	0x4b3154	0x134	data	English	United States
RT_CURSOR	0x4b3288	0x134	data	English	United States
RT_CURSOR	0x4b33bc	0x134	data	English	United States
RT_CURSOR	0x4b34f0	0x134	data	English	United States
RT_CURSOR	0x4b3624	0x134	data	English	United States
RT_CURSOR	0x4b3758	0x134	data	English	United States
RT_CURSOR	0x4b388c	0x134	data	English	United States
RT_BITMAP	0x4b39c0	0x3e8	data	English	United States
RT_BITMAP	0x4b3da8	0x3e8	data	English	United States
RT_BITMAP	0x4b4190	0x1328	data	English	United States
RT_BITMAP	0x4b54b8	0x1328	data	English	United States
RT_BITMAP	0x4b67e0	0x3e8	data	English	United States
RT_BITMAP	0x4b6bc8	0x1328	data	English	United States
RT_BITMAP	0x4b7ef0	0x1328	data	English	United States
RT_BITMAP	0x4b9218	0x1328	data	English	United States
RT_BITMAP	0x4ba540	0x1328	data	English	United States
RT_BITMAP	0x4bb868	0x3e8	data	English	United States
RT_BITMAP	0x4bbc50	0xb8	data	English	United States
RT_BITMAP	0x4bbd08	0x144	data	English	United States
RT_ICON	0x511704	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x511830	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x4bc4dc	0x8a8	data	English	United States
RT_ICON	0x4bcd84	0x568	data	English	United States
RT_ICON	0x4bd2ec	0xca8	data	English	United States
RT_ICON	0x4bdf94	0x368	data	English	United States
RT_ICON	0x4be2fc	0x1a8	data	English	United States
RT_ICON	0x4be4a4	0x1a8	MPEG-4 LOAS, 4 or more streams, 8 or more streams	English	United States
RT_ICON	0x4be64c	0x1a8	data	English	United States
RT_ICON	0x4be7f4	0x1a8	data	English	United States
RT_ICON	0x4be99c	0x1a8	data	English	United States
RT_ICON	0x4beb44	0x1a8	data	English	United States
RT_ICON	0x4becec	0x1a8	data	English	United States
RT_ICON	0x4bee94	0x1a8	data	English	United States
RT_ICON	0x4bf03c	0x1a8	data	English	United States
RT_ICON	0x4bf1e4	0x1a8	data	English	United States
RT_ICON	0x4bf38c	0x1a8	data	English	United States
RT_ICON	0x4bf534	0x1a8	data	English	United States
RT_ICON	0x4bf6dc	0x1a8	data	English	United States
RT_ICON	0x4bf884	0x1a8	data	English	United States
RT_ICON	0x4bfa2c	0x2e8	data	English	United States
RT_ICON	0x4bfd14	0x128	data	English	United States
RT_ICON	0x4bfe3c	0x568	data	English	United States
RT_ICON	0x4c03a4	0x1a8	data	English	United States
RT_ICON	0x4c054c	0x2e8	data	English	United States
RT_ICON	0x4c0834	0x128	data	English	United States
RT_ICON	0x4c095c	0x568	data	English	United States
RT_ICON	0x4c0ec4	0x1a8	data	English	United States
RT_ICON	0x4c106c	0x1a8	data	English	United States
RT_ICON	0x4c1214	0x2e8	data	English	United States
RT_ICON	0x4c14fc	0x1ca8	data	English	United States
RT_ICON	0x4c31a4	0xca8	data	English	United States
RT_ICON	0x4c3e4c	0x668	data	English	United States
RT_ICON	0x4c44b4	0x1ca8	COM executable for DOS	English	United States
RT_ICON	0x4c615c	0xca8	data	English	United States
RT_ICON	0x4c6e04	0x668	data	English	United States
RT_ICON	0x4c746c	0x1ca8	data	English	United States
RT_ICON	0x4c9114	0xca8	data	English	United States
RT_ICON	0x4c9dbc	0x668	data	English	United States
RT_ICON	0x4ca424	0x668	data	English	United States
RT_ICON	0x4caa8c	0x668	data	English	United States
RT_ICON	0x4cb0f4	0x668	data	English	United States
RT_ICON	0x4cb75c	0x668	data	English	United States
RT_ICON	0x4cbdc4	0x668	data	English	United States
RT_ICON	0x4cc42c	0xca8	data	English	United States
RT_ICON	0x4cd0d4	0x1a8	data	English	United States
RT_ICON	0x4cd27c	0x1a8	data	English	United States
RT_ICON	0x4cd424	0x1a8	data	English	United States
RT_ICON	0x4cd5cc	0x1a8	data	English	United States
RT_ICON	0x4cd774	0x468	data	English	United States
RT_ICON	0x4cdbdc	0xca8	data	English	United States
RT_ICON	0x511d9c	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2391312520, next used block 2005436558	English	United States
RT_ICON	0x512088	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15134197, next used block 14939634	English	United States
RT_ICON	0x512934	0x668	data	English	United States
RT_ICON	0x512fa0	0xea8	data	English	United States
RT_ICON	0x513e4c	0x54f3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x519344	0x9381	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x5226cc	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x522b38	0x10a8	data	English	United States
RT_ICON	0x523be4	0x25a8	data	English	United States
RT_ICON	0x526190	0x88fb	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_DIALOG	0x4eb550	0x1e0	data	English	United States
RT_DIALOG	0x4eb730	0xe8	data	English	United States
RT_DIALOG	0x4eb818	0x64	PGP\011Secret Sub-key -	English	United States
RT_DIALOG	0x4eb87c	0x302	data	English	United States
RT_DIALOG	0x4ebb80	0x20	data	English	United States
RT_DIALOG	0x4ebba0	0x18	data	English	United States
RT_DIALOG	0x4ebbb8	0x144	data	English	United States
RT_DIALOG	0x4ebcfc	0x136	SysEx File -	English	United States
RT_DIALOG	0x4ebe34	0x32	data	English	United States
RT_DIALOG	0x4ebe68	0x1a4	data	English	United States
RT_DIALOG	0x4ec00c	0x296	data	English	United States
RT_DIALOG	0x4ec2a4	0x220	data	English	United States
RT_DIALOG	0x4ec4c4	0xc0	data	English	United States
RT_DIALOG	0x4ec584	0x238	data	English	United States
RT_DIALOG	0x4ec7bc	0x17e	data	English	United States
RT_DIALOG	0x4ec93c	0xe2	data	English	United States
RT_DIALOG	0x4eca20	0xd4	data	English	United States
RT_DIALOG	0x4ecaf4	0xe2	data	English	United States
RT_DIALOG	0x4ecbd8	0x114	data	English	United States
RT_DIALOG	0x4eccec	0x8c	data	English	United States
RT_DIALOG	0x4ecd78	0xd8	data	English	United States
RT_DIALOG	0x4ece50	0xca	data	English	United States
RT_DIALOG	0x4ecf1c	0x49e	data	English	United States
RT_DIALOG	0x4ed3bc	0x5f8	data	English	United States
RT_DIALOG	0x4ed9b4	0xe8	data	English	United States
RT_DIALOG	0x4eda9c	0x34	data	English	United States
RT_STRING	0x4edad0	0x5b4	data	English	United States
RT_STRING	0x4ee084	0x974	data	English	United States
RT_STRING	0x4ee9f8	0x86a	data	English	United States
RT_STRING	0x4ef264	0x358	data	English	United States
RT_STRING	0x4ef5bc	0x616	data	English	United States
RT_STRING	0x4efbd4	0x2ca	data	English	United States
RT_STRING	0x4efea0	0x446	data	English	United States
RT_STRING	0x4f02e8	0x44a	data	English	United States
RT_STRING	0x4f0734	0x3e6	SysEx File - Passport	English	United States
RT_STRING	0x4f0b1c	0x662	data	English	United States
RT_STRING	0x4f1180	0x90e	data	English	United States
RT_STRING	0x4f1a90	0x67e	data	English	United States
RT_STRING	0x4f2110	0x5da	data	English	United States
RT_STRING	0x4f26ec	0x7e6	data	English	United States
RT_STRING	0x4f2ed4	0x79c	data	English	United States
RT_STRING	0x4f3670	0x59e	data	English	United States
RT_STRING	0x4f3c10	0x540	data	English	United States
RT_STRING	0x4f4150	0x580	data	English	United States
RT_STRING	0x4f46d0	0xde	data	English	United States
RT_STRING	0x4f47b0	0x2f2	data	English	United States
RT_STRING	0x4f4aa4	0x4d2	data	English	United States
RT_STRING	0x4f4f78	0x288	data	German	Germany
RT_STRING	0x4f5200	0x20e	data	English	United States
RT_STRING	0x4f5410	0x252	data	French	France
RT_STRING	0x4f5664	0x148	data	Japanese	Japan
RT_STRING	0x4f57ac	0x14a	data	Korean	North Korea
RT_STRING	0x4f57ac	0x14a	data	Korean	South Korea
RT_STRING	0x4f58f8	0xe8	data	Chinese	China
RT_STRING	0x4f59e0	0x438	data	German	Germany
RT_STRING	0x4f5e18	0x33a	data	English	United States
RT_STRING	0x4f6154	0x418	data	French	France
RT_STRING	0x4f656c	0x22e	data	Japanese	Japan
RT_STRING	0x4f679c	0x232	data	Korean	North Korea
RT_STRING	0x4f679c	0x232	data	Korean	South Korea
RT_STRING	0x4f69d0	0x172	data	Chinese	China
RT_STRING	0x4f6b44	0x124	data	German	Germany
RT_STRING	0x4f6c68	0xf0	data	English	United States
RT_STRING	0x4f6d58	0x142	data	French	France
RT_STRING	0x4f6e9c	0x9a	data	Japanese	Japan
RT_STRING	0x4f6f38	0xb2	data	Korean	North Korea
RT_STRING	0x4f6f38	0xb2	data	Korean	South Korea
RT_STRING	0x4f6fec	0x6e	data	Chinese	China
RT_STRING	0x4f705c	0x166	data	German	Germany
RT_STRING	0x4f71c4	0x10a	data	English	United States
RT_STRING	0x4f72d0	0x14a	data	French	France
RT_STRING	0x4f741c	0xb2	data	Japanese	Japan
RT_STRING	0x4f74d0	0xb4	data	Korean	North Korea
RT_STRING	0x4f74d0	0xb4	data	Korean	South Korea
RT_STRING	0x4f7584	0x6e	data	Chinese	China
RT_STRING	0x4f75f4	0x1a0	data	German	Germany
RT_STRING	0x4f7794	0x16e	data	English	United States
RT_STRING	0x4f7904	0x1c6	data	French	France
RT_STRING	0x4f7acc	0xcc	data	Japanese	Japan
RT_STRING	0x4f7b98	0xd0	data	Korean	North Korea
RT_STRING	0x4f7b98	0xd0	data	Korean	South Korea
RT_STRING	0x4f7c68	0x78	data	Chinese	China
RT_STRING	0x4f7ce0	0x37e	data	German	Germany
RT_STRING	0x4f8060	0x294	data	English	United States
RT_STRING	0x4f82f4	0x35e	data	French	France
RT_STRING	0x4f8654	0x184	data	Japanese	Japan
RT_STRING	0x4f87d8	0x190	data	Korean	North Korea
RT_STRING	0x4f87d8	0x190	data	Korean	South Korea
RT_STRING	0x4f8968	0xdc	data	Chinese	China
RT_STRING	0x4f8a44	0x3b6	data	German	Germany
RT_STRING	0x4f8dfc	0x33a	data	English	United States
RT_STRING	0x4f9138	0x428	data	French	France
RT_STRING	0x4f9560	0x1ee	data	Japanese	Japan
RT_STRING	0x4f9750	0x1ee	data	Korean	North Korea
RT_STRING	0x4f9750	0x1ee	data	Korean	South Korea
RT_STRING	0x4f9940	0x134	data	Chinese	China
RT_STRING	0x4f9a74	0xb4	data	German	Germany
RT_STRING	0x4f9b28	0x88	data	English	United States
RT_STRING	0x4f9bb0	0xa0	data	French	France
RT_STRING	0x4f9c50	0x4c	data	Japanese	Japan
RT_STRING	0x4f9c9c	0x54	data	Korean	North Korea
RT_STRING	0x4f9c9c	0x54	data	Korean	South Korea
RT_STRING	0x4f9cf0	0x3c	data	Chinese	China
RT_STRING	0x4f9d2c	0x50	data	German	Germany
RT_STRING	0x4f9d7c	0x48	data	English	United States
RT_STRING	0x4f9dc4	0x50	PGP\011Secret Key -	French	France
RT_STRING	0x4f9e14	0x3e	data	Japanese	Japan
RT_STRING	0x4f9e54	0x46	data	Korean	North Korea
RT_STRING	0x4f9e54	0x46	data	Korean	South Korea
RT_STRING	0x4f9e9c	0x32	data	Chinese	China
RT_STRING	0x4f9ed0	0x47c	data	German	Germany
RT_STRING	0x4fa34c	0x380	data	English	United States
RT_STRING	0x4fa6cc	0x4f2	data	French	France
RT_STRING	0x4fabc0	0x2b6	data	Japanese	Japan
RT_STRING	0x4fae78	0x2aa	data	Korean	North Korea
RT_STRING	0x4fae78	0x2aa	data	Korean	South Korea
RT_STRING	0x4fb124	0x180	data	Chinese	China
RT_STRING	0x4fb2a4	0xa88	data	German	Germany
RT_STRING	0x4fbd2c	0x98c	data	English	United States
RT_STRING	0x4fc6b8	0xb36	data	French	France
RT_STRING	0x4fd1f0	0x524	data	Japanese	Japan
RT_STRING	0x4fd714	0x5ee	data	Korean	North Korea
RT_STRING	0x4fd714	0x5ee	data	Korean	South Korea
RT_STRING	0x4fdd04	0x390	data	Chinese	China
RT_STRING	0x4fe094	0x1dc	data	German	Germany
RT_STRING	0x4fe270	0x18c	data	English	United States
RT_STRING	0x4fe3fc	0x202	data	French	France
RT_STRING	0x4fe600	0xd8	data	Japanese	Japan
RT_STRING	0x4fe6d8	0xc6	data	Korean	North Korea
RT_STRING	0x4fe6d8	0xc6	data	Korean	South Korea
RT_STRING	0x4fe7a0	0x80	data	Chinese	China
RT_STRING	0x4fe820	0xa6	data	German	Germany
RT_STRING	0x4fe8c8	0x8c	data	English	United States
RT_STRING	0x4fe954	0xa6	data	French	France
RT_STRING	0x4fe9fc	0x6e	data	Japanese	Japan
RT_STRING	0x4fea6c	0x72	data	Korean	North Korea
RT_STRING	0x4fea6c	0x72	data	Korean	South Korea
RT_STRING	0x4feae0	0x40	data	Chinese	China
RT_STRING	0x4feb20	0x136	data	German	Germany
RT_STRING	0x4fec58	0x11e	data	English	United States
RT_STRING	0x4fed78	0x11e	data	French	France
RT_STRING	0x4fee98	0x11e	data	Japanese	Japan
RT_STRING	0x4fefb8	0xf4	data	Korean	North Korea
RT_STRING	0x4fefb8	0xf4	data	Korean	South Korea
RT_STRING	0x4ff0ac	0x11e	data	Chinese	China
RT_STRING	0x4ff1cc	0x5a	data	German	Germany
RT_STRING	0x4ff228	0x52	data	English	United States
RT_STRING	0x4ff27c	0x52	data	French	France
RT_STRING	0x4ff2d0	0x52	data	Japanese	Japan
RT_STRING	0x4ff324	0x44	data	Korean	North Korea
RT_STRING	0x4ff324	0x44	data	Korean	South Korea
RT_STRING	0x4ff368	0x52	data	Chinese	China
RT_STRING	0x4ff3bc	0x68	data	German	Germany
RT_STRING	0x4ff424	0x6a	data	English	United States
RT_STRING	0x4ff490	0x70	data	French	France
RT_STRING	0x4ff500	0x48	data	Japanese	Japan
RT_STRING	0x4ff548	0x4a	data	Korean	North Korea
RT_STRING	0x4ff548	0x4a	data	Korean	South Korea
RT_STRING	0x4ff594	0x38	data	Chinese	China
RT_STRING	0x4ff5cc	0x21a	data	German	Germany
RT_STRING	0x4ff7e8	0x222	data	English	United States
RT_STRING	0x4ffa0c	0x286	data	French	France
RT_STRING	0x4ffc94	0x11c	data	Japanese	Japan
RT_STRING	0x4ffdb0	0x174	data	Korean	North Korea
RT_STRING	0x4ffdb0	0x174	data	Korean	South Korea
RT_STRING	0x4fff24	0xcc	data	Chinese	China
RT_STRING	0x4ffff0	0x2d6	data	German	Germany
RT_STRING	0x5002c8	0x270	data	English	United States
RT_STRING	0x500538	0x2ce	data	French	France
RT_STRING	0x500808	0x168	data	Japanese	Japan
RT_STRING	0x500970	0x198	data	Korean	North Korea
RT_STRING	0x500970	0x198	data	Korean	South Korea
RT_STRING	0x500b08	0xde	data	Chinese	China
RT_STRING	0x500be8	0x1e0	data	German	Germany
RT_STRING	0x500dc8	0x12a	data	English	United States
RT_STRING	0x500ef4	0x17e	data	French	France
RT_STRING	0x501074	0xec	data	Japanese	Japan
RT_STRING	0x501160	0xe6	data	Korean	North Korea
RT_STRING	0x501160	0xe6	data	Korean	South Korea
RT_STRING	0x501248	0x98	data	Chinese	China
RT_STRING	0x5012e0	0x96	data	German	Germany
RT_STRING	0x501378	0x6c	data	English	United States
RT_STRING	0x5013e4	0x80	data	French	France
RT_STRING	0x501464	0x4a	data	Japanese	Japan
RT_STRING	0x5014b0	0x48	data	Korean	North Korea
RT_STRING	0x5014b0	0x48	data	Korean	South Korea
RT_STRING	0x5014f8	0x3a	data	Chinese	China
RT_STRING	0x501534	0x1f2	data	German	Germany
RT_STRING	0x501728	0x196	data	English	United States
RT_STRING	0x5018c0	0x21a	data	French	France
RT_STRING	0x501adc	0x132	data	Japanese	Japan
RT_STRING	0x501c10	0x11c	data	Korean	North Korea
RT_STRING	0x501c10	0x11c	data	Korean	South Korea
RT_STRING	0x501d2c	0xe2	data	Chinese	China
RT_STRING	0x501e10	0x50	data	German	Germany
RT_STRING	0x501e60	0x44	data	English	United States
RT_STRING	0x501ea4	0x42	data	French	France
RT_STRING	0x501ee8	0x2a	data	Japanese	Japan
RT_STRING	0x501f14	0x2e	data	Korean	North Korea
RT_STRING	0x501f14	0x2e	data	Korean	South Korea
RT_STRING	0x501f44	0x28	data	Chinese	China
RT_STRING	0x501f6c	0x4ae	data	English	United States
RT_STRING	0x50241c	0x3f0	data	English	United States
RT_STRING	0x50280c	0x3e2	data	English	United States
RT_STRING	0x502bf0	0x6c	data	English	United States
RT_STRING	0x502c5c	0xbe6	PGP\011Secret Sub-key -	English	United States
RT_STRING	0x503844	0x18a2	data	English	United States
RT_STRING	0x5050e8	0x478	data	English	United States
RT_STRING	0x505560	0x148	data	English	United States
RT_STRING	0x5056a8	0x2e8	data	English	United States
RT_STRING	0x505990	0x220	data	English	United States
RT_STRING	0x505bb0	0x22a	data	English	United States
RT_STRING	0x505ddc	0x82	data	English	United States
RT_STRING	0x505e60	0x2a	data	English	United States
RT_STRING	0x505e8c	0x184	data	English	United States
RT_STRING	0x506010	0x4e6	data	English	United States
RT_STRING	0x5064f8	0x264	data	English	United States
RT_STRING	0x50675c	0x2da	data	English	United States
RT_STRING	0x506a38	0x8a	data	English	United States
RT_STRING	0x506ac4	0xac	data	English	United States
RT_STRING	0x506b70	0xde	data	English	United States
RT_STRING	0x506c50	0x4a8	data	English	United States
RT_STRING	0x5070f8	0x228	data	English	United States
RT_STRING	0x507320	0x2c	data	English	United States
RT_STRING	0x50734c	0x42	data	English	United States
RT_ACCELERATOR	0x507390	0x10	Non-ISO extended-ASCII text, with NEL line terminators	English	United States
RT_GROUP_CURSOR	0x5073a0	0x22	data	English	United States
RT_GROUP_CURSOR	0x5073c4	0x14	data	English	United States
RT_GROUP_CURSOR	0x5073d8	0x14	data	English	United States
RT_GROUP_CURSOR	0x5073ec	0x14	data	English	United States
RT_GROUP_CURSOR	0x507400	0x14	data	English	United States
RT_GROUP_CURSOR	0x507414	0x14	Non-ISO extended-ASCII text, with LF, NEL line terminators	English	United States
RT_GROUP_CURSOR	0x507428	0x14	data	English	United States
RT_GROUP_CURSOR	0x50743c	0x14	data	English	United States
RT_GROUP_CURSOR	0x507450	0x14	data	English	United States
RT_GROUP_CURSOR	0x507464	0x14	data	English	United States
RT_GROUP_CURSOR	0x507478	0x14	data	English	United States
RT_GROUP_CURSOR	0x50748c	0x14	data	English	United States
RT_GROUP_CURSOR	0x5074a0	0x14	unicos (cray) executable	English	United States
RT_GROUP_CURSOR	0x5074b4	0x14	Non-ISO extended-ASCII text, with no line terminators, with escape sequences	English	United States
RT_GROUP_CURSOR	0x5074c8	0x14	data	English	United States
RT_GROUP_ICON	0x52ea90	0xae	data	English	United States
RT_GROUP_ICON	0x50758c	0x3e	data	English	United States
RT_GROUP_ICON	0x5075cc	0x14	data	English	United States
RT_GROUP_ICON	0x5075e0	0x14	data	English	United States
RT_GROUP_ICON	0x5075f4	0x14	data	English	United States
RT_GROUP_ICON	0x507608	0x14	data	English	United States
RT_GROUP_ICON	0x50761c	0x14	data	English	United States
RT_GROUP_ICON	0x507630	0x14	data	English	United States
RT_GROUP_ICON	0x507644	0x14	data	English	United States
RT_GROUP_ICON	0x507658	0x14	data	English	United States
RT_GROUP_ICON	0x50766c	0x14	data	English	United States
RT_GROUP_ICON	0x507680	0x14	data	English	United States
RT_GROUP_ICON	0x507694	0x14	data	English	United States
RT_GROUP_ICON	0x5076a8	0x14	data	English	United States
RT_GROUP_ICON	0x5076bc	0x14	data	English	United States
RT_GROUP_ICON	0x5076d0	0x14	data	English	United States
RT_GROUP_ICON	0x5076e4	0x30	data	English	United States
RT_GROUP_ICON	0x507714	0x30	data	English	United States
RT_GROUP_ICON	0x507744	0x14	data	English	United States
RT_GROUP_ICON	0x507758	0x14	data	English	United States
RT_GROUP_ICON	0x50776c	0x14	data	English	United States
RT_GROUP_ICON	0x507780	0x14	data	English	United States
RT_GROUP_ICON	0x507794	0x14	data	English	United States
RT_GROUP_ICON	0x5077a8	0x22	data	English	United States
RT_GROUP_ICON	0x5077cc	0x3e	data	English	United States
RT_GROUP_ICON	0x50780c	0x22	data	English	United States
RT_GROUP_ICON	0x507830	0x3e	data	English	United States
RT_GROUP_ICON	0x507870	0x30	data	English	United States
RT_GROUP_ICON	0x5078a0	0x14	data	English	United States
RT_GROUP_ICON	0x5078b4	0x14	data	English	United States
RT_GROUP_ICON	0x5078c8	0x14	data	English	United States
RT_GROUP_ICON	0x5078dc	0x14	data	English	United States
RT_GROUP_ICON	0x5078f0	0x14	data	English	United States
RT_VERSION	0x52eb44	0x2f8	data	English	United States
RT_MANIFEST	0x52ee40	0x5dc	ASCII text, with very long lines, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
COMDLG32.dll	GetFileTitleW
GDI32.dll	ArcTo
MPR.dll	WNetGetUserW
ole32.dll	CoInitialize
OLEAUT32.dll	SafeArrayPutElement
PSAPI.DLL	GetModuleFileNameExW
RPCRT4.dll	UuidCreate
SHELL32.dll	DragFinish
USER32.dll	GetDC
VERSION.dll	VerQueryValueW
WININET.dll	InternetCheckConnectionW
WINSPOOL.DRV	GetJobW
WS2_32.dll	closesocket
WTSAPI32.dll	WTSFreeMemory

Exports

Name	Ordinal	Address
NI_MetaToolbox_MetaOutput_GetSharedGlobalData	1	0x61f710

Version Infos

Description	Data
LegalCopyright	Copyright 2003-2017. All Rights Reserved.
InternalName	MetaInstaller
FileVersion	17.5.0.170
CompanyName
ProductName	National Instruments Installer
ProductVersion	17.5.0
FileDescription	Installer
OriginalFilename	Setup.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
German	Germany
French	France
Japanese	Japan
Korean	North Korea
Korean	South Korea
Chinese	China

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: setup.exe PID: 7152 Parent PID: 4616

General

Start time:	08:37:47
Start date:	14/10/2021
Path:	C:\Users\user\Desktop\setup.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\setup.exe'
Imagebase:	0x400000
File size:	1466368 bytes
MD5 hash:	FE5C2E1333B4477D029DEDC9C1B5DD4D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: setup.exe PID: 7152 Parent PID: 4616 setup.exeCOMMON

Execution Graph

Execution Coverage:	5.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	32

Executed Functions

Function 0053B595, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 175
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E0053B595(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				intOrPtr _t58;
				struct HWND__* _t59;
				void* _t85;
				intOrPtr _t94;
				signed int _t103;
				struct HWND__* _t104;
				void* _t105;
				struct HWND__* _t107;
				long _t108;
				long _t116;
				void* _t119;
				struct HWND__* _t121;
				void* _t123;
				intOrPtr _t125;
				intOrPtr _t129;

				_t119 = __edx;
				_t105 = __ebx;
				_t125 = __ecx;
				_v12 = __ecx;
				_v8 = E0053FEB1(__ecx);
				_t58 = _a4;
				if(_t58 == 0) {
					if((_v8 & 0x40000000) == 0) {
						_t59 = GetWindow( *(__ecx + 0x20), 4);
					} else {
						_t59 = GetParent( *(__ecx + 0x20));
					}
					_t121 = _t59;
					if(_t121 != 0) {
						_t104 = SendMessageW(_t121, 0x36b, 0, 0);
						if(_t104 != 0) {
							_t121 = _t104;
						}
					}
				} else {
					_t4 = _t58 + 0x20; // 0xc033d88b
					_t121 =  *_t4;
				}
				_push(_t105);
				GetWindowRect( *(_t125 + 0x20),  &_v60);
				if((_v8 & 0x40000000) != 0) {
					_t107 = GetParent( *(_t125 + 0x20));
					GetClientRect(_t107,  &_v28);
					GetClientRect(_t121,  &_v44);
					MapWindowPoints(_t121, _t107,  &_v44, 2);
				} else {
					if(_t121 != 0) {
						_t103 = GetWindowLongW(_t121, 0xfffffff0);
						if((_t103 & 0x10000000) == 0 || (_t103 & 0x20000000) != 0) {
							_t121 = 0;
						}
					}
					_v100 = 0x28;
					if(_t121 != 0) {
						GetWindowRect(_t121,  &_v44);
						E00538CF9(E00538C8C(_t121, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t94 = E00536835();
						if(_t94 != 0) {
							_t94 =  *((intOrPtr*)(_t94 + 0x20));
						}
						E00538CF9(E00538C8C(_t94, 1),  &_v100);
						CopyRect( &_v44,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t108 = _v60.left;
				asm("cdq");
				_t123 = _v60.right - _t108;
				asm("cdq");
				_t120 = _v44.bottom;
				_t116 = (_v44.left + _v44.right - _t119 >> 1) - (_t123 - _t119 >> 1);
				_a4 = _v60.bottom - _v60.top;
				asm("cdq");
				asm("cdq");
				_t129 = (_v44.top + _v44.bottom - _v44.bottom >> 1) - (_a4 - _t120 >> 1);
				if(_t123 + _t116 > _v28.right) {
					_t116 = _t108 - _v60.right + _v28.right;
				}
				if(_t116 < _v28.left) {
					_t116 = _v28.left;
				}
				if(_a4 + _t129 > _v28.bottom) {
					_t129 = _v60.top - _v60.bottom + _v28.bottom;
				}
				if(_t129 < _v28.top) {
					_t129 = _v28.top;
				}
				_t85 = E00540364(_v12, 0, _t116, _t129, 0xffffffff, 0xffffffff, 0x15); // executed
				return _t85;
			}

0x0053b595
0x0053b595
0x0053b59e
0x0053b5a1
0x0053b5a9
0x0053b5ac
0x0053b5b1
0x0053b5bf
0x0053b5d1
0x0053b5c1
0x0053b5c4
0x0053b5c4
0x0053b5d7
0x0053b5db
0x0053b5e7
0x0053b5ef
0x0053b5f1
0x0053b5f1
0x0053b5ef
0x0053b5b3
0x0053b5b3
0x0053b5b3
0x0053b5b3
0x0053b5f3
0x0053b601
0x0053b60a
0x0053b6aa
0x0053b6b1
0x0053b6b8
0x0053b6c2
0x0053b610
0x0053b612
0x0053b617
0x0053b622
0x0053b62b
0x0053b62b
0x0053b622
0x0053b62d
0x0053b636
0x0053b677
0x0053b686
0x0053b693
0x0053b638
0x0053b638
0x0053b63f
0x0053b641
0x0053b641
0x0053b651
0x0053b664
0x0053b66e
0x0053b66e
0x0053b636
0x0053b6d1
0x0053b6d6
0x0053b6db
0x0053b6df
0x0053b6e2
0x0053b6e9
0x0053b6f3
0x0053b6fb
0x0053b703
0x0053b70a
0x0053b70f
0x0053b717
0x0053b717
0x0053b71d
0x0053b71f
0x0053b71f
0x0053b72a
0x0053b732
0x0053b732
0x0053b738
0x0053b73a
0x0053b73a
0x0053b74a
0x0053b752

APIs

Part of subcall function 0053FEB1: GetWindowLongW.USER32(?,000000F0), ref: 0053FEBC

GetParent.USER32(?), ref: 0053B5C4
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 0053B5E7
GetWindowRect.USER32(?,?), ref: 0053B601
GetWindowLongW.USER32(00000000,000000F0), ref: 0053B617
CopyRect.USER32(?,?), ref: 0053B664
CopyRect.USER32(?,?), ref: 0053B66E
GetWindowRect.USER32(00000000,?), ref: 0053B677

Part of subcall function 00538C8C: MonitorFromWindow.USER32(00000002,00000000), ref: 00538CA3

Part of subcall function 00538CF9: GetMonitorInfoW.USER32(00000002,00000000), ref: 00538D13
Part of subcall function 00538CF9: MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 00538D39

CopyRect.USER32(?,?), ref: 0053B693

Strings

(, xrefs: 0053B62D

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: RectWindow$Copy$LongMonitor$ByteCharFromInfoMessageMultiParentSendWide
String ID: (
API String ID: 1958002487-3887548279
Opcode ID: 0301ea83d78be0bed72be9f2a896a88553c9cd8691816dfdd509a2b6300d6ca2
Instruction ID: db4271e4b473f894377dfc4e5b69affb8bad3c437f7b9462c24f3a519771846a
Opcode Fuzzy Hash: 0301ea83d78be0bed72be9f2a896a88553c9cd8691816dfdd509a2b6300d6ca2
Instruction Fuzzy Hash: E6514F76900219ABEF11DBA8CD89AEEBBB9FF88310F154115FA05E7151DB34ED018B64

Uniqueness

Uniqueness Score: -1.00%

Function 00550B78, Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E00550B78(void* __ecx) {
				intOrPtr _v8;
				void* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t34;
				void* _t36;
				void* _t37;
				long _t39;
				void* _t40;
				long _t52;
				signed char* _t54;
				void* _t56;
				intOrPtr _t57;
				signed int _t58;
				void* _t62;
				void* _t68;
				signed int _t69;
				void* _t72;
				void* _t73;

				_t73 = __ecx;
				_t1 = _t73 + 0x1c; // 0x8a9a3c
				_t34 = _t1;
				_v8 = _t34;
				 *0x7493b8(_t34, _t68, _t72, _t56, __ecx, __ecx);
				_t3 = _t73 + 4; // 0x20
				_t57 =  *_t3;
				_t4 = _t73 + 8; // 0x3
				_t69 =  *_t4;
				if(_t69 >= _t57) {
					L2:
					_t69 = 1;
					if(_t57 <= 1) {
						L7:
						_t13 = _t73 + 0x10; // 0xae05c8
						_t36 =  *_t13;
						_t58 = _t57 + 0x20;
						if(_t36 != 0) {
							_t37 = GlobalHandle(_t36);
							_v12 = _t37;
							GlobalUnWire(_t37);
							_t39 = E0051D870(_t58, 8);
							_t62 = 0x2002;
							_t40 = GlobalReAlloc(_v12, _t39, ??);
						} else {
							_t52 = E0051D870(_t58, 8);
							_pop(_t62);
							_t40 = GlobalAlloc(2, _t52); // executed
						}
						if(_t40 == 0) {
							_t16 = _t73 + 0x10; // 0xae05c8
							_t73 =  *_t16;
							_t86 = _t73;
							if(_t73 != 0) {
								GlobalFix(GlobalHandle(_t73));
							}
							 *0x7493b0(_v8);
							_t40 = E0053724F(_t58, _t62, _t69, _t73, _t86);
						}
						GlobalFix(_t40);
						_t18 = _t73 + 4; // 0x20
						_v12 = _t40;
						E00570A10(_t69, _t40 +  *_t18 * 8, 0, _t58 -  *_t18 << 3);
						 *(_t73 + 4) = _t58;
						 *(_t73 + 0x10) = _v12;
					} else {
						_t10 = _t73 + 0x10; // 0xae05c8
						_t54 =  *_t10 + 8;
						while(( *_t54 & 0x00000001) != 0) {
							_t69 = _t69 + 1;
							_t54 =  &(_t54[8]);
							if(_t69 < _t57) {
								continue;
							}
							break;
						}
						if(_t69 >= _t57) {
							goto L7;
						}
					}
				} else {
					_t5 = _t73 + 0x10; // 0xae05c8
					if(( *( *_t5 + _t69 * 8) & 0x00000001) != 0) {
						goto L2;
					}
				}
				_t25 = _t73 + 0xc; // 0x3
				if(_t69 >=  *_t25) {
					_t26 = _t69 + 1; // 0x4
					 *((intOrPtr*)(_t73 + 0xc)) = _t26;
				}
				_t28 = _t73 + 0x10; // 0xae05c8
				 *( *_t28 + _t69 * 8) =  *( *_t28 + _t69 * 8) | 0x00000001;
				_t32 = _t69 + 1; // 0x4
				 *(_t73 + 8) = _t32;
				 *0x7493b0(_v8);
				return _t69;
			}

0x00550b81
0x00550b83
0x00550b83
0x00550b88
0x00550b8b
0x00550b91
0x00550b91
0x00550b94
0x00550b94
0x00550b99
0x00550ba8
0x00550baa
0x00550bad
0x00550bca
0x00550bca
0x00550bca
0x00550bcd
0x00550bd2
0x00550bea
0x00550bf1
0x00550bf4
0x00550c02
0x00550c08
0x00550c0d
0x00550bd4
0x00550bd7
0x00550bdd
0x00550be1
0x00550be1
0x00550c15
0x00550c17
0x00550c17
0x00550c1a
0x00550c1c
0x00550c26
0x00550c26
0x00550c2f
0x00550c35
0x00550c35
0x00550c3b
0x00550c41
0x00550c4c
0x00550c55
0x00550c60
0x00550c63
0x00550baf
0x00550baf
0x00550bb2
0x00550bb5
0x00550bba
0x00550bbb
0x00550bc0
0x00000000
0x00000000
0x00000000
0x00550bc0
0x00550bc4
0x00000000
0x00000000
0x00550bc4
0x00550b9b
0x00550b9b
0x00550ba2
0x00000000
0x00000000
0x00550ba2
0x00550c66
0x00550c69
0x00550c6b
0x00550c6e
0x00550c6e
0x00550c71
0x00550c7a
0x00550c7d
0x00550c80
0x00550c83
0x00550c8f

APIs

RtlEnterCriticalSection.NTDLL(008A9A3C), ref: 00550B8B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,008A9A20,008A9A20,?,00551005,00000004,00545D0C,005372A3,005430AE,00406B82), ref: 00550BE1
GlobalHandle.KERNEL32(00AE05C8), ref: 00550BEA
GlobalUnWire.KERNEL32(00000000), ref: 00550BF4
GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 00550C0D
GlobalHandle.KERNEL32(00AE05C8), ref: 00550C1F
GlobalFix.KERNEL32(00000000), ref: 00550C26
RtlLeaveCriticalSection.NTDLL(?), ref: 00550C2F
GlobalFix.KERNEL32(00000000), ref: 00550C3B
_memset.LIBCMT ref: 00550C55
RtlLeaveCriticalSection.NTDLL(?), ref: 00550C83

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeave$EnterWire_memset
String ID:
API String ID: 9613507-0
Opcode ID: 6f8d6f30161281281cf862120d1d7e397a8e2792848cb815e2bc836ac67d542e
Instruction ID: 564d4309e625a857bb4f95f85d942b08812d73238ef1c2063a61a3b07eff2068
Opcode Fuzzy Hash: 6f8d6f30161281281cf862120d1d7e397a8e2792848cb815e2bc836ac67d542e
Instruction Fuzzy Hash: 4E31CB75600705AFDB209F68CC89A6BBBF8FF86701B05892AE942D3291DB34EC44CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0049EBD0, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 222
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E0049EBD0(intOrPtr* __ecx, void* __ebp, char _a4, intOrPtr* _a8) {
				int _v28;
				intOrPtr _v36;
				WCHAR* _v48;
				intOrPtr _v52;
				char _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t41;
				signed int _t50;
				void* _t55;
				WCHAR* _t56;
				intOrPtr* _t82;
				int _t87;
				void* _t88;
				intOrPtr _t91;
				intOrPtr* _t95;
				intOrPtr _t96;
				signed int _t98;
				intOrPtr* _t103;
				intOrPtr* _t106;
				signed int _t139;
				long _t141;
				signed int _t145;
				intOrPtr* _t146;
				void* _t149;
				void* _t152;
				void* _t153;
				signed int _t154;

				_t149 = __ebp;
				_t1 =  &_a4; // 0x504d50
				_t139 =  *_t1;
				_t95 = __ecx;
				if(_t139 < 0) {
					_t139 = 0;
				}
				_t41 =  *_t95;
				_t98 =  *(_t41 - 0xc);
				if(_t139 > _t98) {
					_t139 = _t98;
				}
				_t145 = _t98 + 1;
				_t131 =  *((intOrPtr*)(_t41 - 8)) - _t145;
				if((0x00000001 -  *((intOrPtr*)(_t41 - 4)) |  *((intOrPtr*)(_t41 - 8)) - _t145) < 0) {
					_push(_t145);
					E00402E90(_t95, _t95);
				}
				_t140 =  *_t95 + _t139 * 2;
				E004012F0(_t95, _t140, _t145, E0056FF76(_t95, _t140 + 2, _t145 - _t139 + _t145 - _t139, _t140, _t145 - _t139 + _t145 - _t139));
				_t103 = _a8;
				_t153 = _t152 + 0x14;
				 *_t140 = _t103;
				if(_t145 < 0) {
					L9:
					_push(0x80070057);
					E00401460(_t103, _t140, _t145, _t149);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0xffffffff);
					_push(0x708db8);
					_push( *[fs:0x0]);
					_t154 = _t153 - 0x14;
					_push(_t95);
					_push(_t149);
					_push(_t145);
					_push(_t140);
					_t50 =  *0x877864; // 0xf691760e
					_push(_t50 ^ _t154);
					 *[fs:0x0] =  &_v28;
					_t146 = _t103;
					E00536B44(_t95, _t103, _t131, _t140);
					_t55 =  *(_t146 + 0x98) + 0xfffffff0;
					__eflags = _t55 - 0x30;
					if(_t55 > 0x30) {
						L15:
						_t56 = _v48;
						 *(_t146 + 0x98) = 0;
					} else {
						switch( *((intOrPtr*)(( *(_t55 + 0x49ee70) & 0x000000ff) * 4 +  &M0049EE5C))) {
							case 0:
								goto L16;
							case 1:
								goto L16;
							case 2:
								_t56 = 0x7f03;
								goto L16;
							case 3:
								goto L16;
							case 4:
								goto L15;
						}
					}
					L16:
					__eflags =  *(_t146 + 0x98);
					_t96 =  *0x74979c;
					if( *(_t146 + 0x98) == 0) {
						E00540008(E0053FD25(_t146, 0x42d), 0);
					} else {
						_t87 = LoadIconW(0, _t56);
						_t140 = _t87; // executed
						_t88 = E0053FD25(_t146, 0x42d); // executed
						SendMessageW( *(_t88 + 0x20), 0x170, _t87, 0); // executed
					}
					__eflags =  *((char*)(_t146 + 0x9d));
					_t106 = _t146;
					if( *((char*)(_t146 + 0x9d)) == 0) {
						E0053FF3D(E0053FD25(_t106, 0x42c), 0x74a56c);
						E00540008(E0053FD25(_t146, 0x42c), 0);
					} else {
						_t140 = _t146 + 0x80;
						E0053D6BF(_t96, E0053FD25(_t106, 0x42c), _t146 + 0x80, _t146 + 0x80);
						_push(" >>");
						_t82 = E00427BB0(_t96,  &_v56, _t146 + 0x80);
						_t154 = _t154 + 0xc;
						_v28 = 0;
						E0053FF3D(E0053FD25(_t146, 0x42c),  *_t82); // executed
						_v36 = 0xffffffff;
						E004036F0( &_v56);
					}
					E0053FF3D(E0053FD25(_t146, 0x42e),  *((intOrPtr*)(_t146 + 0x78))); // executed
					E0053FF3D(_t146,  *((intOrPtr*)(_t146 + 0x74))); // executed
					E00545CFD(_t96, _t140, _t146, __eflags);
					_t141 = LoadIconW( *(E00545CFD(_t96, _t140, _t146, __eflags) + 0xc), 0x80);
					SendMessageW( *(_t146 + 0x20), 0x80, 1, _t141); // executed
					SendMessageW( *(_t146 + 0x20), 0x80, 0, _t141); // executed
					 *((intOrPtr*)( *((intOrPtr*)( *_t146 + 0x68))))( &_v56, 0);
					__eflags = _v56 - _v64;
					E0053FFC8(_t146, _v64, _v60, _v56 - _v64, _v52 - _v60, 1); // executed
					E0053B595(_t96, _t146, _v56 - _v64, "true"); // executed
					 *[fs:0x0] = _v72;
					return 1;
				} else {
					_t91 =  *_t95;
					if(_t145 >  *((intOrPtr*)(_t91 - 8))) {
						goto L9;
					} else {
						 *(_t91 - 0xc) = _t145;
						 *((short*)( *_t95 + _t145 * 2)) = 0;
						return _t145;
					}
				}
			}

0x0049ebd0
0x0049ebd3
0x0049ebd3
0x0049ebd7
0x0049ebdb
0x0049ebdd
0x0049ebdd
0x0049ebdf
0x0049ebe1
0x0049ebe6
0x0049ebe8
0x0049ebe8
0x0049ebed
0x0049ebf8
0x0049ebfc
0x0049ebfe
0x0049ec01
0x0049ec01
0x0049ec0f
0x0049ec1e
0x0049ec23
0x0049ec28
0x0049ec2b
0x0049ec30
0x0049ec4c
0x0049ec4c
0x0049ec51
0x0049ec56
0x0049ec57
0x0049ec58
0x0049ec59
0x0049ec5a
0x0049ec5b
0x0049ec5c
0x0049ec5d
0x0049ec5e
0x0049ec5f
0x0049ec60
0x0049ec62
0x0049ec6d
0x0049ec6e
0x0049ec71
0x0049ec72
0x0049ec73
0x0049ec74
0x0049ec75
0x0049ec7c
0x0049ec81
0x0049ec87
0x0049ec89
0x0049ec94
0x0049ec97
0x0049ec9a
0x0049ecc6
0x0049ecc6
0x0049ecca
0x0049ec9c
0x0049eca3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0049ecaa
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0049eca3
0x0049ecd4
0x0049ecd4
0x0049ecdb
0x0049ece7
0x0049ed1c
0x0049ece9
0x0049ecec
0x0049ecf5
0x0049ecf7
0x0049ed08
0x0049ed08
0x0049ed21
0x0049ed28
0x0049ed2a
0x0049ed99
0x0049edae
0x0049ed2c
0x0049ed2c
0x0049ed3f
0x0049ed44
0x0049ed4f
0x0049ed54
0x0049ed57
0x0049ed70
0x0049ed75
0x0049ed81
0x0049ed81
0x0049edc5
0x0049edd0
0x0049edd5
0x0049eded
0x0049edf8
0x0049ee06
0x0049ee16
0x0049ee2d
0x0049ee34
0x0049ee3d
0x0049ee4b
0x0049ee5a
0x0049ec32
0x0049ec32
0x0049ec37
0x00000000
0x0049ec39
0x0049ec39
0x0049ec40
0x0049ec49
0x0049ec49
0x0049ec37

APIs

_memmove_s.LIBCMT ref: 0049EC18

Part of subcall function 00401460: _memcpy_s.LIBCMT ref: 0040149A

LoadIconW.USER32(00000000,F691760E), ref: 0049ECEC
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0049ED08
LoadIconW.USER32(?,00000080), ref: 0049EDE8
SendMessageW.USER32(0000005C,00000080,00000001,00000000), ref: 0049EDF8
SendMessageW.USER32(0000005C,00000080,00000000,00000000), ref: 0049EE06

Strings

PMP, xrefs: 0049EBD3, 0049EC12, 0049EC74
>>, xrefs: 0049ED44

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: MessageSend$IconLoad$_memcpy_s_memmove_s
String ID: >>$PMP
API String ID: 907318859-534835389
Opcode ID: 189e79d193d55d8f073cc0309a3752b056caed33a4a57e7c4448716b63914ee2
Instruction ID: bd53efdd3fdfd790862edd6491ce7c4e2d0f8fd8af505d0aeda3c212e46c0740
Opcode Fuzzy Hash: 189e79d193d55d8f073cc0309a3752b056caed33a4a57e7c4448716b63914ee2
Instruction Fuzzy Hash: 5761D271704601ABDB14EB79D85AF2FBBA5BFC4700F00492EF6459B3C2DA78E8018799

Uniqueness

Uniqueness Score: -1.00%

Function 004052D0, Relevance: 3.1, APIs: 2, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E004052D0(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t25;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t42;
				void* _t43;
				intOrPtr _t45;
				void* _t53;
				void* _t56;
				short _t58;
				void* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				void* _t63;

				_t42 =  *((intOrPtr*)(_t63 + 0xc));
				_t61 =  *((intOrPtr*)(_t63 + 0xc));
				_t60 = __ecx;
				_t65 =  *((intOrPtr*)(_t61 + 0x14)) - _t42;
				if( *((intOrPtr*)(_t61 + 0x14)) < _t42) {
					E005C6EBE(_t42, _t56, __ecx, _t65);
				}
				_t25 =  *((intOrPtr*)(_t63 + 0x1c));
				_t58 =  *((intOrPtr*)(_t61 + 0x14)) - _t42;
				if(_t25 < _t58) {
					_t58 = _t25;
				}
				if(_t60 != _t61) {
					__eflags = _t58 - 0x7ffffffe;
					if(__eflags > 0) {
						E005C6E86(_t42, _t53, _t58, _t60, __eflags);
					}
					_t26 =  *((intOrPtr*)(_t60 + 0x18));
					__eflags = _t26 - _t58;
					if(_t26 >= _t58) {
						__eflags = _t58;
						if(__eflags != 0) {
							goto L10;
						} else {
							 *((intOrPtr*)(_t60 + 0x14)) = _t58;
							__eflags = _t26 - 8;
							if(_t26 < 8) {
								__eflags = 0;
								 *((short*)(_t60 + 4)) = 0;
								return _t60;
							} else {
								__eflags = 0;
								 *((short*)( *((intOrPtr*)(_t60 + 4)))) = 0;
								return _t60;
							}
						}
					} else {
						E00403B10(_t60, _t58,  *((intOrPtr*)(_t60 + 0x14))); // executed
						__eflags = _t58;
						L10:
						if(__eflags > 0) {
							__eflags =  *((intOrPtr*)(_t61 + 0x18)) - 8;
							if( *((intOrPtr*)(_t61 + 0x18)) < 8) {
								_t13 = _t61 + 4; // 0xf6917612
								_t45 = _t13;
							} else {
								_t45 =  *((intOrPtr*)(_t61 + 4));
							}
							__eflags =  *((intOrPtr*)(_t60 + 0x18)) - 8;
							_t62 = _t60 + 4;
							if( *((intOrPtr*)(_t60 + 0x18)) < 8) {
								_t28 = _t62;
							} else {
								_t28 =  *_t62;
							}
							_t43 = _t58 + _t58;
							E0056F99E(_t43,  *((intOrPtr*)(_t60 + 0x18)), _t28,  *((intOrPtr*)(_t60 + 0x18)) +  *((intOrPtr*)(_t60 + 0x18)), _t45 +  *(_t63 + 0x18) * 2, _t43);
							__eflags =  *((intOrPtr*)(_t60 + 0x18)) - 8;
							 *((intOrPtr*)(_t60 + 0x14)) = _t58;
							if( *((intOrPtr*)(_t60 + 0x18)) >= 8) {
								_t62 =  *_t62;
							}
							__eflags = 0;
							 *((short*)(_t43 + _t62)) = 0;
						}
						return _t60;
					}
				} else {
					E00403A70(_t60, _t61, _t58 + _t42, 0xffffffff);
					E00403A70(_t60, _t61, 0, _t42);
					return _t60;
				}
			}

0x004052d1
0x004052d6
0x004052dc
0x004052de
0x004052e1
0x004052e3
0x004052e3
0x004052eb
0x004052ef
0x004052f3
0x004052f5
0x004052f5
0x004052f9
0x0040531a
0x00405320
0x00405322
0x00405322
0x00405327
0x0040532a
0x0040532c
0x00405349
0x0040534b
0x00000000
0x0040534d
0x0040534d
0x00405350
0x00405353
0x00405369
0x0040536c
0x00405374
0x00405355
0x00405358
0x0040535b
0x00405363
0x00405363
0x00405353
0x0040532e
0x00405335
0x0040533a
0x0040533c
0x0040533c
0x0040533e
0x00405342
0x00405377
0x00405377
0x00405344
0x00405344
0x00405344
0x0040537a
0x0040537e
0x00405381
0x00405388
0x00405383
0x00405383
0x00405383
0x00405391
0x0040539e
0x004053a6
0x004053aa
0x004053ad
0x004053af
0x004053af
0x004053b2
0x004053b4
0x004053b4
0x004053be
0x004053be
0x004052fb
0x00405302
0x0040530c
0x00405317
0x00405317

APIs

Part of subcall function 005C6EBE: __EH_prolog3.LIBCMT ref: 005C6EC5
Part of subcall function 005C6EBE: __CxxThrowException@8.LIBCMT ref: 005C6EF0
Part of subcall function 005C6EBE: __EH_prolog3.LIBCMT ref: 005C6EFD
Part of subcall function 005C6EBE: __CxxThrowException@8.LIBCMT ref: 005C6F28
Part of subcall function 005C6EBE: ____lc_handle_func.LIBCMT ref: 005C6F3C
Part of subcall function 005C6EBE: ____lc_codepage_func.LIBCMT ref: 005C6F44

std::_String_base::_Xlen.LIBCPMT ref: 00405322

Part of subcall function 005C6E86: __EH_prolog3.LIBCMT ref: 005C6E8D
Part of subcall function 005C6E86: __CxxThrowException@8.LIBCMT ref: 005C6EB8

_memcpy_s.LIBCMT ref: 0040539E

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Exception@8H_prolog3Throw$String_base::_Xlen____lc_codepage_func____lc_handle_func_memcpy_sstd::_
String ID:
API String ID: 489184297-0
Opcode ID: 5879186dc855cceef5483a5f4e46779c254ce7d14f2c6b3c1a58075a84d834e2
Instruction ID: 157bddca76530186635ccb9476b142bdd2dba0205a4a5cd56b7266942e9d9b00
Opcode Fuzzy Hash: 5879186dc855cceef5483a5f4e46779c254ce7d14f2c6b3c1a58075a84d834e2
Instruction Fuzzy Hash: FE31D232300A04CBC720EF58D98086FF3A9EFA1796710453FE812D7290E675AD458FA9

Uniqueness

Uniqueness Score: -1.00%

Function 0053FF3D, Relevance: 3.0, APIs: 2, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E0053FF3D(void* __ecx, WCHAR* _a4) {
				void* __esi;
				void* __ebp;
				int _t8;
				int _t10;
				void* _t12;
				void* _t15;
				void* _t16;

				_t13 = __ecx;
				_t16 = __ecx;
				_t18 = __ecx;
				if(__ecx == 0) {
					L1:
					E00537287(_t12, _t13, _t15, _t16, _t18);
				}
				_t8 = IsWindow( *(_t16 + 0x20));
				if(_t8 == 0) {
					if( *((intOrPtr*)(_t16 + 0x50)) == _t8) {
						goto L1;
					} else {
						L4:
						_pop(_t16);
						goto ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t16 + 0x50)))) + 0x88)));
					}
				}
				if( *((intOrPtr*)(_t16 + 0x50)) != 0) {
					goto L4;
				}
				_t10 = SetWindowTextW( *(_t16 + 0x20), _a4); // executed
				return _t10;
			}

0x0053ff3d
0x0053ff43
0x0053ff45
0x0053ff47
0x0053ff49
0x0053ff49
0x0053ff49
0x0053ff51
0x0053ff59
0x0053ff5e
0x00000000
0x0053ff60
0x0053ff60
0x0053ff65
0x0053ff67
0x0053ff67
0x0053ff5e
0x0053ff71
0x00000000
0x00000000
0x0053ff79
0x0053ff81

APIs

IsWindow.USER32(?), ref: 0053FF51

Part of subcall function 00537287: __CxxThrowException@8.LIBCMT ref: 0053729D
Part of subcall function 00537287: __EH_prolog3.LIBCMT ref: 005372AA

SetWindowTextW.USER32(?,?), ref: 0053FF79

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Window$Exception@8H_prolog3TextThrow
String ID:
API String ID: 3347280681-0
Opcode ID: d054a89460f8291d2b00725b0081c6f7dd7d7248ec5226e1a443906c7db248fd
Instruction ID: 70a20662f5b32ee10e0a08d486a50a32d116e754d716485771ffea5763631254
Opcode Fuzzy Hash: d054a89460f8291d2b00725b0081c6f7dd7d7248ec5226e1a443906c7db248fd
Instruction Fuzzy Hash: CAF06D36A00B14EBCB315B65D808AA7BBA5FF56365F00457AF98586920DB71EC10CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00579C4B, Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00579C4B(int _a4) {

				E00579C20(_a4);
				ExitProcess(_a4);
			}

0x00579c53
0x00579c5c

APIs

___crtCorExitProcess.LIBCMT ref: 00579C53

Part of subcall function 00579C20: GetModuleHandleW.KERNEL32(mscoree.dll,?,00579C58,00402F93,?,00587053,000000FF,0000001E,008473D0,0000000C,005870FF,00402F93,?,?,0058C36A,00000004), ref: 00579C2A
Part of subcall function 00579C20: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00579C3A

ExitProcess.KERNEL32 ref: 00579C5C

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 462cb4376b0596c75ec226fb25845ee3f4d1e10c3b7f38df21840519188178fc
Instruction ID: 2efecd15f43a1536a3a8646828dc2a44d3d0085f67d6c2f03addb2955e5a4461
Opcode Fuzzy Hash: 462cb4376b0596c75ec226fb25845ee3f4d1e10c3b7f38df21840519188178fc
Instruction Fuzzy Hash: B2B09B3100014C7BDF012F15DC0DC4A7F69EB81360B108011F50906131DF71DD92D594

Uniqueness

Uniqueness Score: -1.00%

Function 0053CC4F, Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E0053CC4F(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t39;
				intOrPtr _t56;
				signed int _t58;
				signed int _t62;
				intOrPtr _t70;
				signed int _t76;
				void* _t78;
				void* _t82;
				intOrPtr _t83;

				_t82 = __eflags;
				_push(0x38);
				E00576795(0x72131b, __ebx, __edi, __esi);
				_push(0x5372a3);
				_t56 = E00550FB1(__ebx, 0x8a99d8, __edi, __esi, _t82);
				_t83 = _t56;
				 *((intOrPtr*)(_t78 - 0x18)) = _t56;
				_t84 = _t83 == 0;
				if(_t83 == 0) {
					E00537287(_t56, 0x8a99d8, __edi, __esi, _t84);
				}
				_t4 = _t56 + 0x58; // 0x58
				_t58 = 7;
				_t39 = memcpy(_t78 - 0x44, _t4, _t58 << 2);
				_t70 =  *((intOrPtr*)(_t78 + 0x10));
				_t76 =  *(_t78 + 8);
				 *_t39 =  *(_t78 + 0xc);
				 *((intOrPtr*)(_t56 + 0x60)) =  *((intOrPtr*)(_t78 + 0x14));
				 *((intOrPtr*)(_t56 + 0x5c)) = _t70;
				 *((intOrPtr*)(_t56 + 0x64)) =  *((intOrPtr*)(_t78 + 0x18));
				 *((intOrPtr*)(_t78 - 4)) = 0;
				if(_t70 == 2 &&  *((intOrPtr*)(_t76 + 0x4c)) != 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x4c)))) + 0x60))(0);
				}
				 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
				if(_t70 == 0x110) {
					E0053A4FE(_t76, _t78 - 0x28, _t78 + 8);
				}
				 *((intOrPtr*)(_t78 + 0x18)) =  *((intOrPtr*)( *_t76 + 0x110))(_t70,  *((intOrPtr*)(_t78 + 0x14)),  *((intOrPtr*)(_t78 + 0x18)));
				if(_t70 == 0x110) {
					E0053CBD9(_t56, 0, _t76, _t78 - 0x28,  *(_t78 + 8));
				}
				_t30 = _t56 + 0x58; // 0x58
				_t62 = 7;
				return E0057683A(memcpy(_t30, _t78 - 0x44, _t62 << 2));
			}

0x0053cc4f
0x0053cc4f
0x0053cc56
0x0053cc5b
0x0053cc6a
0x0053cc70
0x0053cc75
0x0053cc78
0x0053cc7a
0x0053cc7c
0x0053cc7c
0x0053cc81
0x0053cc88
0x0053cc8c
0x0053cc91
0x0053cc94
0x0053cc97
0x0053cc9c
0x0053cca2
0x0053cca5
0x0053cca8
0x0053ccae
0x0053ccbb
0x0053ccbb
0x0053ccbe
0x0053ccc8
0x0053ccd3
0x0053ccd3
0x0053cce9
0x0053ccf2
0x0053ccfc
0x0053ccfc
0x0053cd31
0x0053cd34
0x0053cd3f

APIs

__EH_prolog3_catch.LIBCMT ref: 0053CC56

Part of subcall function 00550FB1: __EH_prolog3.LIBCMT ref: 00550FB8

Part of subcall function 00537287: __CxxThrowException@8.LIBCMT ref: 0053729D
Part of subcall function 00537287: __EH_prolog3.LIBCMT ref: 005372AA

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$Exception@8H_prolog3_catchThrow
String ID:
API String ID: 24280941-0
Opcode ID: 0a8e3bcc2d4464be47a2c9fb6d6e04eec7b5c821809aaab54926b5bae11473fe
Instruction ID: 8a5e1b2320f170daf693e6e237f07a37b99370a0727e560439d5ae7161198d0f
Opcode Fuzzy Hash: 0a8e3bcc2d4464be47a2c9fb6d6e04eec7b5c821809aaab54926b5bae11473fe
Instruction Fuzzy Hash: BA213976A0020D9FDF15DFA4C4859DE3FB6FF88310F11846AF909AB241C771A981DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00402130, Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 28%

			E00402130(intOrPtr __ecx, void* __edi, void* __esi) {
				void* __ebx;
				intOrPtr* _t15;
				void* _t17;
				signed int _t19;
				void* _t21;
				void* _t24;
				intOrPtr _t25;
				intOrPtr* _t29;
				void* _t39;
				intOrPtr _t42;
				intOrPtr* _t43;
				void* _t45;
				intOrPtr _t46;
				intOrPtr _t47;
				void* _t49;
				void* _t50;

				E00401460(__ecx, __edi, __esi, _t45);
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_t42 =  *((intOrPtr*)(__ecx));
				_t25 =  *((intOrPtr*)(_t42 - 0xc));
				_t43 = _t42 - 0x10;
				 *((intOrPtr*)(_t49 + 0xc)) = __ecx;
				_t15 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t43)) + 0x10))))(__edi, __esi, _t45, _t24, __ecx, 0x8007000e);
				_t46 =  *((intOrPtr*)(_t49 + 0x18));
				_t29 = _t15;
				_t17 =  *((intOrPtr*)( *((intOrPtr*)( *_t15))))(_t46, 2); // executed
				_t39 = _t17;
				if(_t39 == 0) {
					E00402130(_t29, _t39, _t43);
				}
				if(_t25 < _t46) {
					_t46 = _t25;
				}
				_t6 = _t46 + 2; // 0x2
				_t8 = _t39 + 0x10; // 0x10
				_t47 = _t8;
				_t19 = E0056F99E(_t25, _t43 + 0x10, _t47, _t46 + _t6, _t43 + 0x10, _t46 + _t6);
				_t50 = _t49 + 0x10;
				 *((intOrPtr*)(_t39 + 4)) = _t25;
				asm("lock xadd [edx], eax");
				_t21 = (_t19 | 0xffffffff) - 1;
				if(_t21 <= 0) {
					_t21 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t43)) + 4))))(_t43);
				}
				 *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x10)))) = _t47;
				return _t21;
			}

0x00402135
0x0040213a
0x0040213b
0x0040213c
0x0040213d
0x0040213e
0x0040213f
0x00402144
0x00402146
0x00402149
0x0040214c
0x00402158
0x0040215c
0x00402162
0x00402167
0x00402169
0x0040216d
0x0040216f
0x0040216f
0x00402176
0x00402178
0x00402178
0x0040217a
0x00402184
0x00402184
0x00402188
0x0040218d
0x00402190
0x00402199
0x0040219d
0x004021a0
0x004021aa
0x004021aa
0x004021b2
0x004021b7

APIs

Part of subcall function 00401460: _memcpy_s.LIBCMT ref: 0040149A

_memcpy_s.LIBCMT ref: 00402188

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-0
Opcode ID: e27dbf537e4c60e7d37ffc6eb2fe56eae24c7459626b4816ad196b058c48be58
Instruction ID: e61a41a024e8eba4de3756d90020a3454991b64d400060801f79dece13103d87
Opcode Fuzzy Hash: e27dbf537e4c60e7d37ffc6eb2fe56eae24c7459626b4816ad196b058c48be58
Instruction Fuzzy Hash: D711C272200605AFD305DF68C884D6BB3B9FF893147108A6EE6598B391EB75E801CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00550FB1, Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00550FB1(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				long* _t24;
				intOrPtr _t25;
				intOrPtr* _t30;
				void* _t31;
				intOrPtr _t33;

				_t27 = __edi;
				_t23 = __ecx;
				_t22 = __ebx;
				_push(4);
				E00576762(0x7228ee, __ebx, __edi, __esi);
				_t30 = __ecx;
				_t33 =  *((intOrPtr*)(_t31 + 8));
				_t34 = _t33 == 0;
				if(_t33 == 0) {
					L1:
					E00537287(_t22, _t23, _t27, _t30, _t34);
				}
				if( *_t30 == 0) {
					_t23 =  *0x8a9a1c; // 0x8a9a20
					if(_t23 != 0) {
						L5:
						_t19 = E00550B78(_t23); // executed
						 *_t30 = _t19;
						if(_t19 == 0) {
							goto L1;
						}
					} else {
						 *((intOrPtr*)(_t31 - 0x10)) = 0x8a9a20;
						 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
						_t21 = E00550CC7(0x8a9a20);
						 *(_t31 - 4) =  *(_t31 - 4) | 0xffffffff;
						_t23 = _t21;
						 *0x8a9a1c = _t21;
						if(_t21 == 0) {
							goto L1;
						} else {
							goto L5;
						}
					}
				}
				_t24 =  *0x8a9a1c; // 0x8a9a20
				_t28 = E00550979(_t24,  *_t30);
				_t39 = _t28;
				if(_t28 == 0) {
					_t17 =  *((intOrPtr*)(_t31 + 8))();
					_t25 =  *0x8a9a1c; // 0x8a9a20
					E00550D6E(_t22, _t25, _t17, _t30, _t39,  *_t30, _t17);
				}
				return E0057683A(_t28);
			}

0x00550fb1
0x00550fb1
0x00550fb1
0x00550fb1
0x00550fb8
0x00550fbd
0x00550fc1
0x00550fc7
0x00550fc9
0x00550fcb
0x00550fcb
0x00550fcb
0x00550fd3
0x00550fd5
0x00550fdd
0x00551000
0x00551000
0x00551005
0x00551009
0x00000000
0x00000000
0x00550fdf
0x00550fe4
0x00550fe7
0x00550feb
0x00550ff0
0x00550ff4
0x00550ff6
0x00550ffe
0x00000000
0x00000000
0x00000000
0x00000000
0x00550ffe
0x00550fdd
0x0055100d
0x00551018
0x0055101a
0x0055101c
0x0055101e
0x00551021
0x0055102c
0x0055102c
0x00551038

APIs

__EH_prolog3.LIBCMT ref: 00550FB8

Part of subcall function 00537287: __CxxThrowException@8.LIBCMT ref: 0053729D
Part of subcall function 00537287: __EH_prolog3.LIBCMT ref: 005372AA

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID:
API String ID: 2489616738-0
Opcode ID: 821d8d153538dc79253e9c6d7a244b6523a21afc059e159a489a0035344a1752
Instruction ID: 190b55539f5033a33ae7022f19628ee569e8fb59869cea6fea157046041ac0a0
Opcode Fuzzy Hash: 821d8d153538dc79253e9c6d7a244b6523a21afc059e159a489a0035344a1752
Instruction Fuzzy Hash: 06015E356046139BEB24AF71982972D7EB1BF81362F20502EE881976E1EB30D985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00402DD0, Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 33%

			E00402DD0(void* __ebp, signed int _a4) {
				char _v12;
				char _v16;
				void* __edi;
				void* __esi;
				signed int _t16;
				void* _t19;
				signed int _t23;
				signed int _t28;
				signed int _t30;
				signed int _t33;
				intOrPtr* _t45;
				signed int* _t49;

				_t30 = _a4;
				if(_t30 > 0) {
					__eflags = (_t16 | 0xffffffff) / _t30 - 2;
					if(__eflags >= 0) {
						goto L2;
					} else {
						E00401C00(0);
						E0057080C( &_v16, 0x80d3d8);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_t49 =  &_v12;
						_t33 =  *_t49;
						__eflags =  *(_t33 - 0xc);
						_t23 = _t33 - 0x10;
						_t45 =  *_t23;
						if( *(_t33 - 0xc) == 0) {
							L13:
							return _t23;
						} else {
							__eflags =  *(_t23 + 0xc);
							if( *(_t23 + 0xc) >= 0) {
								asm("lock xadd [edx], ecx");
								__eflags = (_t33 | 0xffffffff) - 1;
								if((_t33 | 0xffffffff) - 1 <= 0) {
									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t23)) + 4))))(_t23);
								}
								_t23 =  *((intOrPtr*)( *((intOrPtr*)( *_t45 + 0xc))))() + 0x10;
								__eflags = _t23;
								 *_t49 = _t23;
								goto L13;
							} else {
								__eflags =  *(_t33 - 8);
								if( *(_t33 - 8) < 0) {
									_push(0x80070057);
									E00401460(_t33, _t45, _t49, __ebp);
								}
								 *(_t33 - 0xc) = 0;
								_t28 =  *_t49;
								__eflags = 0;
								 *_t28 = 0;
								return _t28;
							}
						}
					}
				} else {
					_t30 = 0;
					L2:
					_t19 = E005365B6(_t30 + _t30, _t30 + _t30); // executed
					return _t19;
				}
			}

0x00402dd0
0x00402dd9
0x00402df5
0x00402df8
0x00000000
0x00402dfa
0x00402e00
0x00402e0f
0x00402e14
0x00402e15
0x00402e16
0x00402e17
0x00402e18
0x00402e19
0x00402e1a
0x00402e1b
0x00402e1c
0x00402e1d
0x00402e1e
0x00402e1f
0x00402e21
0x00402e23
0x00402e25
0x00402e29
0x00402e2d
0x00402e2f
0x00402e7f
0x00402e81
0x00402e31
0x00402e31
0x00402e38
0x00402e5e
0x00402e63
0x00402e65
0x00402e6f
0x00402e6f
0x00402e7a
0x00402e7a
0x00402e7d
0x00000000
0x00402e3a
0x00402e3a
0x00402e3e
0x00402e40
0x00402e45
0x00402e45
0x00402e4a
0x00402e51
0x00402e53
0x00402e56
0x00402e5a
0x00402e5a
0x00402e38
0x00402e2f
0x00402ddb
0x00402ddb
0x00402ddd
0x00402de0
0x00402deb
0x00402deb

APIs

__CxxThrowException@8.LIBCMT ref: 00402E0F

Part of subcall function 005365B6: _malloc.LIBCMT ref: 005365D4

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Exception@8Throw_malloc
String ID:
API String ID: 3476970888-0
Opcode ID: f6942379a4a91f54bf616c33f9db2977143ef6a8e3762c947f9ae0a061549987
Instruction ID: 8fcecef98c9c3470cf0e5e96ebbdf60d4c83a2ba8d831acb221b7536cdba3e94
Opcode Fuzzy Hash: f6942379a4a91f54bf616c33f9db2977143ef6a8e3762c947f9ae0a061549987
Instruction Fuzzy Hash: A1E080B155020025DA4CE5319F1BB5F77556B90710F14493DB515D11C0FAB4D919C14B

Uniqueness

Uniqueness Score: -1.00%

Function 005365B6, Relevance: 1.5, APIs: 1, Instructions: 23
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E005365B6(void* __eflags, intOrPtr _a4) {
				void* _t3;
				intOrPtr* _t4;
				void* _t7;
				void* _t10;
				void* _t11;
				void* _t12;

				while(1) {
					_t3 = E00572AF6(_t7, _t10, _t11, _a4); // executed
					_t12 = _t3;
					if(_t12 != 0) {
						break;
					}
					_t4 =  *0x876374; // 0x536594
					if(_t4 != 0) {
						_push(_a4);
						if( *_t4() != 0) {
							continue;
						}
					}
					break;
				}
				return _t12;
			}

0x005365d1
0x005365d4
0x005365d9
0x005365de
0x00000000
0x00000000
0x005365be
0x005365c5
0x005365c7
0x005365cf
0x00000000
0x00000000
0x005365cf
0x00000000
0x005365c5
0x005365e4

APIs

_malloc.LIBCMT ref: 005365D4

Part of subcall function 00572AF6: __FF_MSGBANNER.LIBCMT ref: 00572B19
Part of subcall function 00572AF6: __NMSG_WRITE.LIBCMT ref: 00572B20
Part of subcall function 00572AF6: RtlAllocateHeap.NTDLL(00000000,00402F84), ref: 00572B6D

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 00b72620fbdbf11eb7dc47ad887edece2d71fbea14446ffc461a93ac0e440d7a
Instruction ID: cc35970e662832e1ca5059e3c067b94ef18a0cda60a56ca1aaf6c26375485454
Opcode Fuzzy Hash: 00b72620fbdbf11eb7dc47ad887edece2d71fbea14446ffc461a93ac0e440d7a
Instruction Fuzzy Hash: 20D012322045267B5A315699EC015967F58BB417F0B588039BC18D7259EE51DD2092D0

Uniqueness

Uniqueness Score: -1.00%

Function 0053FD25, Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0053FD25(void* __ecx, int _a4) {
				void* _t8;
				void* _t9;
				void* _t10;

				_t10 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x4c)) != 0) {
					goto ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x4c)))) + 0x74)));
				}
				_t8 = E0053BCBF(_t9, _t10, GetDlgItem( *(__ecx + 0x20), _a4)); // executed
				return _t8;
			}

0x0053fd25
0x0053fd2e
0x0053fd4c
0x0053fd4c
0x0053fd3d
0x0053fd43

APIs

GetDlgItem.USER32(0000005C,?), ref: 0053FD36

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Item
String ID:
API String ID: 3207170592-0
Opcode ID: 9ea4c0277866910a5659888edd3916ce93bef99ebdfb885314b525deab998ac1
Instruction ID: 0c79224d71cda7fa11979ef939906b22e12aea81571af8ea4956fc8825a0902b
Opcode Fuzzy Hash: 9ea4c0277866910a5659888edd3916ce93bef99ebdfb885314b525deab998ac1
Instruction Fuzzy Hash: 03D01776440108DBCB50AF90D808A65BBA9BB85355F1044A9E6040E222CB33D8A2CB40

Uniqueness

Uniqueness Score: -1.00%

Function 005367BB, Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E005367BB(intOrPtr* __ecx, intOrPtr _a4) {
				void* _t8;
				intOrPtr* _t12;

				_t12 = __ecx;
				if(( *(__ecx + 0x3c) & 0x00000018) != 0) {
					_push(_a4);
					 *((intOrPtr*)( *__ecx + 0x8c))();
				}
				_t8 =  *0x7497ec( *((intOrPtr*)(_t12 + 0x20)), _a4); // executed
				return _t8;
			}

0x005367c1
0x005367c7
0x005367c9
0x005367ce
0x005367ce
0x005367da
0x005367e2

APIs

KiUserCallbackDispatcher.NTDLL(0000005C,?), ref: 005367DA

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: be77674ab9cb93e1d2a10898c26dfa1c900a81cbd83d2712ccc18dc4a52e5343
Instruction ID: e6803c63da540a714efbc80000b25c35547c85acc8afbb240aaf5663d5dbcdff
Opcode Fuzzy Hash: be77674ab9cb93e1d2a10898c26dfa1c900a81cbd83d2712ccc18dc4a52e5343
Instruction Fuzzy Hash: D4D01236000218EBCB115F55D848E86BFA9FF45365F05C469F98542921CB7198109B90

Uniqueness

Uniqueness Score: -1.00%

Function 00540008, Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00540008(void* __ecx, int _a4) {
				int _t7;

				if( *((intOrPtr*)(__ecx + 0x50)) != 0) {
					goto ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x50)))) + 0xa0)));
				}
				_t7 = ShowWindow( *(__ecx + 0x20), _a4); // executed
				return _t7;
			}

0x00540011
0x00540029
0x00540029
0x00540019
0x00540020

APIs

ShowWindow.USER32(?,?,?,00536BA2,00000000,0000E146,00000000,0049EC8E,?,0049EC8E,F691760E), ref: 00540019

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: f73e181c5665ea12810cf0040c1ba2b9aed84c00263fb62755ec99ddb3d91eab
Instruction ID: 223f80c7fce59ae330e5888eaa6798c82eb79dbae3209089a65468e7256f6db2
Opcode Fuzzy Hash: f73e181c5665ea12810cf0040c1ba2b9aed84c00263fb62755ec99ddb3d91eab
Instruction Fuzzy Hash: 6FD09276140648DFDB148B50E808FB53BB9FB9932AF6140A9E6480E562C733A862DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00570B75, Relevance: 1.5, APIs: 1, Instructions: 14
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00570B75(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t9;
				void* _t18;

				_push(0xc);
				_push(0x846b08);
				E00576AF4(__ebx, __edi, __esi);
				E00579C63();
				 *(_t18 - 4) =  *(_t18 - 4) & 0x00000000;
				_t9 = E00570A8A(__edx,  *((intOrPtr*)(_t18 + 8))); // executed
				 *((intOrPtr*)(_t18 - 0x1c)) = _t9;
				 *(_t18 - 4) = 0xfffffffe;
				E00570BAB();
				return E00576B39( *((intOrPtr*)(_t18 - 0x1c)));
			}

0x00570b75
0x00570b77
0x00570b7c
0x00570b81
0x00570b86
0x00570b8d
0x00570b93
0x00570b96
0x00570b9d
0x00570baa

APIs

Part of subcall function 00579C63: __lock.LIBCMT ref: 00579C65

__onexit_nolock.LIBCMT ref: 00570B8D

Part of subcall function 00570A8A: __decode_pointer.LIBCMT ref: 00570A99
Part of subcall function 00570A8A: __decode_pointer.LIBCMT ref: 00570AA9
Part of subcall function 00570A8A: __msize.LIBCMT ref: 00570AC7
Part of subcall function 00570A8A: __realloc_crt.LIBCMT ref: 00570AEB
Part of subcall function 00570A8A: __realloc_crt.LIBCMT ref: 00570B01
Part of subcall function 00570A8A: __encode_pointer.LIBCMT ref: 00570B13
Part of subcall function 00570A8A: __encode_pointer.LIBCMT ref: 00570B21
Part of subcall function 00570A8A: __encode_pointer.LIBCMT ref: 00570B2C

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: __encode_pointer$__decode_pointer__realloc_crt$__lock__msize__onexit_nolock
String ID:
API String ID: 1316407801-0
Opcode ID: dafc1d033af8d0dfd5143ade0ddd496220bf6b629f45de168a3bac1b0f6498aa
Instruction ID: 2eaf22b147e63e0fbb6a9f58aeaf3b359dc9c514da4c23c599d506971cdd62ea
Opcode Fuzzy Hash: dafc1d033af8d0dfd5143ade0ddd496220bf6b629f45de168a3bac1b0f6498aa
Instruction Fuzzy Hash: FDD0677190160BEADB11BFA4E88AB9D7FB4BF81321F60C255B06CA61D2DA744A41AA11

Uniqueness

Uniqueness Score: -1.00%

Function 0057B7D8, Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0057B7D8() {
				void* _t1;

				_t1 = E0057B766(0); // executed
				return _t1;
			}

0x0057b7da
0x0057b7e0

APIs

__encode_pointer.LIBCMT ref: 0057B7DA

Part of subcall function 0057B766: TlsGetValue.KERNEL32(00000000,?,0057B7DF,00000000,0058D243,008A9DA8,00000000,00000314,?,0057AE7E,008A9DA8,Microsoft Visual C++ Runtime Library,00012010), ref: 0057B778
Part of subcall function 0057B766: TlsGetValue.KERNEL32(00000005,?,0057B7DF,00000000,0058D243,008A9DA8,00000000,00000314,?,0057AE7E,008A9DA8,Microsoft Visual C++ Runtime Library,00012010), ref: 0057B78F
Part of subcall function 0057B766: RtlEncodePointer.NTDLL(00000000,?,0057B7DF,00000000,0058D243,008A9DA8,00000000,00000314,?,0057AE7E,008A9DA8,Microsoft Visual C++ Runtime Library,00012010), ref: 0057B7CD

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: ac7e810d391da5ecd03269cb93c7ebd5edb02d3b92eceae30ec480b5f9d2cd9a
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0053F498, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0053F498(intOrPtr __ecx, void* __edx, WCHAR* _a4) {
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t7;
				struct HRSRC__* _t10;
				void* _t13;
				void* _t17;
				void* _t19;
				void* _t21;
				void* _t22;
				struct HINSTANCE__* _t24;

				_t17 = __edx;
				_push(__ecx);
				_push(_t21);
				_t13 = 0;
				_t19 = 0;
				_v8 = __ecx;
				_t25 = _a4;
				if(_a4 == 0) {
					L4:
					_t22 = E0053F010(_v8, _t17, _t19);
					if(_t19 != 0 && _t13 != 0) {
						FreeResource(_t13);
					}
					_t7 = _t22;
				} else {
					_t24 =  *(E00545CFD(0, 0, _t21, _t25) + 0xc);
					_t10 = FindResourceW(_t24, _a4, 0xf0);
					if(_t10 == 0) {
						goto L4;
					} else {
						_t7 = LoadResource(_t24, _t10);
						_t13 = _t7;
						if(_t13 != 0) {
							_t19 = LockResource(_t13);
							goto L4;
						}
					}
				}
				return _t7;
			}

0x0053f498
0x0053f49d
0x0053f49f
0x0053f4a1
0x0053f4a3
0x0053f4a5
0x0053f4a8
0x0053f4ab
0x0053f4df
0x0053f4e8
0x0053f4ec
0x0053f4f3
0x0053f4f3
0x0053f4f9
0x0053f4ad
0x0053f4b2
0x0053f4be
0x0053f4c6
0x00000000
0x0053f4c8
0x0053f4ca
0x0053f4d0
0x0053f4d4
0x0053f4dd
0x00000000
0x0053f4dd
0x0053f4d4
0x0053f4c6
0x0053f4ff

APIs

FindResourceW.KERNEL32(?,?,000000F0,PMP,?,00000000,?,?,00536B60,0049EC8E,?,0049EC8E,F691760E,PMP,?), ref: 0053F4BE
LoadResource.KERNEL32(?,00000000,?,00000000,?,?,00536B60,0049EC8E,?,0049EC8E,F691760E,PMP,?,?,00000000), ref: 0053F4CA
LockResource.KERNEL32(00000000,?,00000000,?,?,00536B60,0049EC8E,?,0049EC8E,F691760E,PMP,?,?,00000000), ref: 0053F4D7
FreeResource.KERNEL32(00000000,00000000,PMP,?,00000000,?,?,00536B60,0049EC8E,?,0049EC8E,F691760E,PMP,?,?,00000000), ref: 0053F4F3

Strings

PMP, xrefs: 0053F4A0

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID: PMP
API String ID: 1078018258-3175192350
Opcode ID: fc68987ece98928af548c6217aa0020b11d136157ecd6729ac827d714edf5e97
Instruction ID: 8f9d59e406d709f97012be18a4c594c9a465eaa013e4d81ab440d8c1df9f4f63
Opcode Fuzzy Hash: fc68987ece98928af548c6217aa0020b11d136157ecd6729ac827d714edf5e97
Instruction Fuzzy Hash: BCF0A43A6007037B8B105BA59CC896B7BACBB85361B148039FB0593201DFB4CD0087A4

Uniqueness

Uniqueness Score: -1.00%

Function 0056F98F, Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0056F98F(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x877864; // 0xf691760e
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x8aa3e8 = _t6;
				 *0x8aa3e4 = _t22;
				 *0x8aa3e0 = _t25;
				 *0x8aa3dc = _t21;
				 *0x8aa3d8 = _t27;
				 *0x8aa3d4 = _t26;
				 *0x8aa400 = ss;
				 *0x8aa3f4 = cs;
				 *0x8aa3d0 = ds;
				 *0x8aa3cc = es;
				 *0x8aa3c8 = fs;
				 *0x8aa3c4 = gs;
				asm("pushfd");
				_pop( *0x8aa3f8);
				 *0x8aa3ec =  *_t31;
				 *0x8aa3f0 = _v0;
				 *0x8aa3fc =  &_a4;
				 *0x8aa338 = 0x10001;
				_t11 =  *0x8aa3f0; // 0x0
				 *0x8aa2ec = _t11;
				 *0x8aa2e0 = 0xc0000409;
				 *0x8aa2e4 = 1;
				_t12 =  *0x877864; // 0xf691760e
				_v812 = _t12;
				_t13 =  *0x877868; // 0x96e89f1
				_v808 = _t13;
				 *0x8aa330 = IsDebuggerPresent();
				_push(1);
				E00581011(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x76fa68);
				if( *0x8aa330 == 0) {
					_push(1);
					E00581011(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x0056f98f
0x0056f98f
0x0056f98f
0x0056f98f
0x0056f98f
0x0056f98f
0x0056f98f
0x0056f995
0x0056f997
0x0056f997
0x0057c24e
0x0057c253
0x0057c259
0x0057c25f
0x0057c265
0x0057c26b
0x0057c271
0x0057c278
0x0057c27f
0x0057c286
0x0057c28d
0x0057c294
0x0057c29b
0x0057c29c
0x0057c2a5
0x0057c2ad
0x0057c2b5
0x0057c2c0
0x0057c2ca
0x0057c2cf
0x0057c2d4
0x0057c2de
0x0057c2e8
0x0057c2ed
0x0057c2f3
0x0057c2f8
0x0057c304
0x0057c309
0x0057c30b
0x0057c313
0x0057c31e
0x0057c32b
0x0057c32d
0x0057c32f
0x0057c334
0x0057c348

APIs

IsDebuggerPresent.KERNEL32 ref: 0057C2FE
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0057C313
UnhandledExceptionFilter.KERNEL32(0076FA68), ref: 0057C31E
GetCurrentProcess.KERNEL32(C0000409), ref: 0057C33A
TerminateProcess.KERNEL32(00000000), ref: 0057C341

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 5f9def3328dbcd461f56107f37ff7c8c0e6382111f75d1e9798c434b03b0ac7d
Instruction ID: 915d8d33793436b88a24b967bbc542eae203ffde4114c015f51663bffbd58ba8
Opcode Fuzzy Hash: 5f9def3328dbcd461f56107f37ff7c8c0e6382111f75d1e9798c434b03b0ac7d
Instruction Fuzzy Hash: B321D2B8814304EFEB59DF69FC886593BE4FB0A311F00405AE90887F61E7B95985CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 00538C8C, Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00538C8C(struct HWND__* _a4, signed int _a8) {
				struct _WINDOWPLACEMENT _v48;
				int _t16;

				if(E00538A8B() == 0) {
					if((_a8 & 0x00000003) == 0) {
						if(IsIconic(_a4) == 0) {
							_t16 = GetWindowRect(_a4,  &(_v48.rcNormalPosition));
						} else {
							_t16 = GetWindowPlacement(_a4,  &_v48);
						}
						if(_t16 == 0) {
							return 0;
						} else {
							return E00538C3B( &(_v48.rcNormalPosition), _a8);
						}
					}
					return 0x12340042;
				}
				return  *0x8a95dc(_a4, _a8);
			}

0x00538c9b
0x00538caf
0x00538cc3
0x00538cdb
0x00538cc5
0x00538ccc
0x00538ccc
0x00538ce3
0x00000000
0x00538ce5
0x00000000
0x00538cec
0x00538ce3
0x00000000
0x00538cb1
0x00000000

APIs

MonitorFromWindow.USER32(00000002,00000000), ref: 00538CA3

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: FromMonitorWindow
String ID:
API String ID: 721739931-0
Opcode ID: 094d671605ab933dd0a6e905062837c7a25a691ae2c282c23e61c50eaebe5f3e
Instruction ID: 695e67ca76abb90d0c8cd5103582d41980cea75d3c332f3d22189acccea7a1b1
Opcode Fuzzy Hash: 094d671605ab933dd0a6e905062837c7a25a691ae2c282c23e61c50eaebe5f3e
Instruction Fuzzy Hash: AFF0143150520DAADF0AAF65CC09ABE7FA9BB45380F08D421FE1699021DF34CE15EB74

Uniqueness

Uniqueness Score: -1.00%

Function 005F67C0, Relevance: 3.1, APIs: 2, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E005F67C0(void* _a4, char* _a8) {
				char* _v4;
				void* __ecx;
				void* __edi;
				void* __ebp;
				WCHAR* _t15;
				signed int _t20;
				long _t23;
				void* _t24;
				intOrPtr _t29;
				long _t34;
				void* _t35;
				WCHAR* _t36;

				_t35 = _t24;
				_t23 = 0x80;
				_v4 = _a8;
				while(1) {
					_t13 =  *((intOrPtr*)(_t35 + 0x14));
					if(_t23 >  *((intOrPtr*)(_t35 + 0x14))) {
						E0046B6F0(_t13, _t35, _t34, _t36, _t23 - _t13, 0);
					} else {
						E00403A70(_t35, _t36, _t23, 0xffffffff);
					}
					_t36 = _t35 + 4;
					if( *((intOrPtr*)(_t35 + 0x18)) < 8) {
						_t15 = _t36;
					} else {
						_t15 =  *_t36;
					}
					_t34 = FormatMessageW(0x400, _a4, 0, 0, _t15, _t23,  &_v4);
					if(_t34 != 0) {
						break;
					}
					_t20 = GetLastError();
					_t29 =  *((intOrPtr*)(_t35 + 0x18));
					 *((intOrPtr*)(_t35 + 0x14)) = _t34;
					if(_t29 > 0) {
						if(_t29 >= 8) {
							_t36 =  *_t36;
						}
						 *_t36 = 0;
					}
					if(_t20 != 0x7a) {
						return  ~_t20;
					} else {
						_t23 = _t23 - 0xffffff80;
						_v4 = _a8;
						continue;
					}
					L16:
				}
				E00460D50(_t35, _t34);
				return _t34;
				goto L16;
			}

0x005f67c9
0x005f67cb
0x005f67d0
0x005f67d4
0x005f67d4
0x005f67d9
0x005f67f0
0x005f67db
0x005f67e0
0x005f67e0
0x005f67f9
0x005f67fc
0x005f6803
0x005f67fe
0x005f67fe
0x005f67fe
0x005f6820
0x005f6824
0x00000000
0x00000000
0x005f6826
0x005f682c
0x005f682f
0x005f6834
0x005f6839
0x005f683b
0x005f683b
0x005f6840
0x005f6840
0x005f6847
0x005f6860
0x005f6849
0x005f684d
0x005f6850
0x00000000
0x005f6850
0x00000000
0x005f6847
0x005f6866
0x005f6872
0x00000000

APIs

FormatMessageW.KERNEL32(00000400,00000007,00000000,00000000,00000007,00000080,?,00000080,00000000,?,00000000,?,00000000,?,006286CC,?), ref: 005F681A
GetLastError.KERNEL32 ref: 005F6826

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 61e443422495f176c6f85a2a7f06309bb38ed157389ff63c365f4319888bd067
Instruction ID: 0a9ff1c577c4ce580c6d767dc8f9f7882ff7af33718900ee04120ac2b82f88ba
Opcode Fuzzy Hash: 61e443422495f176c6f85a2a7f06309bb38ed157389ff63c365f4319888bd067
Instruction Fuzzy Hash: 2211D531304309ABD724DF59DC80A3BB7E9FB94765F104A2EF656C7280DB24AD0487A5

Uniqueness

Uniqueness Score: -1.00%

Function 00531CB0, Relevance: 3.0, APIs: 2, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00531CB0(WCHAR* _a4) {
				signed int _v4;
				struct _WIN32_FIND_DATAW _v596;
				void* __esi;
				signed int _t7;
				intOrPtr _t15;
				intOrPtr _t19;
				intOrPtr _t20;

				_t22 =  &_v596;
				_t7 =  *0x877864; // 0xf691760e
				_v4 = _t7 ^  &_v596;
				_t21 = FindFirstFileW(_a4,  &_v596);
				FindClose(_t10);
				return E0056F98F(0 | _t21 != 0xffffffff, _t15, _v4 ^ _t22, _t19, _t20, _t21);
			}

0x00531cb0
0x00531cb6
0x00531cbd
0x00531cd8
0x00531cdb
0x00531cfe

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00531CD2
FindClose.KERNEL32(00000000), ref: 00531CDB

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 8a0bd20c07d062be4312b1d962acb38d2beca0c3d887cbd9a101ac56bbca4f65
Instruction ID: 5900fd3ebc357a54204ebd91409402d3fc485d5d90955d8f52e36200b9d8af3b
Opcode Fuzzy Hash: 8a0bd20c07d062be4312b1d962acb38d2beca0c3d887cbd9a101ac56bbca4f65
Instruction Fuzzy Hash: 30E0D835504A506FC320BB74ED4E6EFB3E4BBCD315F400A18A869C32C0E7385944C78A

Uniqueness

Uniqueness Score: -1.00%

Function 005E9980, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E005E9980(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, int _a4) {
				signed int _v4;
				short _v28;
				signed int _t6;
				intOrPtr _t20;

				_t24 =  &_v28;
				_t6 =  *0x877864; // 0xf691760e
				_v4 = _t6 ^  &_v28;
				if(GetLocaleInfoW(_a4, 0x1004,  &_v28, 0xa) == 0) {
					return E0056F98F(0, __ebx, _v4 ^ _t24, _t20, __edi, __esi);
				} else {
					return E0056F98F(E0056F94A(), __ebx, _v4 ^ _t24 + 0x00000004, _t24, __edi, __esi, _t24);
				}
			}

0x005e9980
0x005e9983
0x005e998a
0x005e99a7
0x005e99d4
0x005e99a9
0x005e99c3
0x005e99c3

APIs

GetLocaleInfoW.KERNEL32(?,00001004,0000000A,0000000A,?,?,?,?,?,?,?), ref: 005E999F

Part of subcall function 0056F94A: __wcstoi64.LIBCMT ref: 0056F927

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: InfoLocale__wcstoi64
String ID:
API String ID: 627608980-0
Opcode ID: 8c4e10d96fdea6da1e05d3d6d8628b5319585f4716572cd2a1230eab1bc738e7
Instruction ID: e2d8e22d5e714923e8f5f34681a9338aaaeafd7d1b2f5961b0d4b15bacdd2896
Opcode Fuzzy Hash: 8c4e10d96fdea6da1e05d3d6d8628b5319585f4716572cd2a1230eab1bc738e7
Instruction Fuzzy Hash: 64F01CB1A143016BC644EF249856B6A7BE47BDC704F84096CB589CB293EA34D608C797

Uniqueness

Uniqueness Score: -1.00%

Function 005319A0, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E005319A0() {
				signed int _v4;
				struct _OSVERSIONINFOW _v280;
				signed int _t7;
				intOrPtr _t15;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr _t22;
				struct _OSVERSIONINFOW* _t23;

				_t23 =  &_v280;
				_t7 =  *0x877864; // 0xf691760e
				_v4 = _t7 ^ _t23;
				_v280.dwOSVersionInfoSize = 0x114;
				GetVersionExW(_t23);
				if(_v280.dwPlatformId != 2 || _v280.dwMajorVersion < 5) {
					return E0056F98F(0, _t15, _v4 ^ _t23, _t20, _t21, _t22);
				} else {
					return E0056F98F(1, _t15, _v4 ^ _t23, _t20, _t21, _t22);
				}
			}

0x005319a0
0x005319a6
0x005319ad
0x005319b8
0x005319c0
0x005319cb
0x00531a04
0x005319d4
0x005319ed
0x005319ed

APIs

GetVersionExW.KERNEL32 ref: 005319C0

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: a301b7f06e96a2c1ce2f44c02a96faa774ef12df9e8631a68dfcbeb9a294848f
Instruction ID: b2a258a0eed148425356061f55e403b0752fad9283d8b279e7c3e33a0fe7497b
Opcode Fuzzy Hash: a301b7f06e96a2c1ce2f44c02a96faa774ef12df9e8631a68dfcbeb9a294848f
Instruction Fuzzy Hash: 66F03030A043499FDB68EB24D51B3EE77E0BB99708F80886DD15987191DB399504C797

Uniqueness

Uniqueness Score: -1.00%

Function 005713F0, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e0a2c263886073158f1ea0d4af6f1e38b24580483849dfd90d4d996c1a6f5f4e
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 24115B7720088243DE44CA7DF8B86B7AFA7FBD632172CC37AC04A4B744D122D945B608

Uniqueness

Uniqueness Score: -1.00%

Function 00538A8B, Relevance: 29.8, APIs: 8, Strings: 9, Instructions: 82
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00538A8B() {
				void* __ebx;
				void* __esi;
				void* _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				signed int _t16;
				signed int _t17;
				struct HINSTANCE__* _t19;
				void* _t21;
				void* _t24;
				void* _t25;

				_t17 = _t16 ^ _t16;
				_t24 =  *0x8a95f4 - _t17; // 0x1
				if(_t24 == 0) {
					_push(_t21);
					 *0x8a95f8 = E00538A31(_t17, _t21, __eflags);
					_t19 = GetModuleHandleW(L"USER32");
					__eflags = _t19 - _t17;
					if(_t19 == _t17) {
						L15:
						 *0x8a95d8 = _t17;
						 *0x8a95dc = _t17;
						 *0x8a95e0 = _t17;
						 *0x8a95e4 = _t17;
						 *0x8a95e8 = _t17;
						 *0x8a95ec = _t17;
						 *0x8a95f0 = _t17;
						_t5 = 0;
					} else {
						_t6 = GetProcAddress(_t19, "GetSystemMetrics");
						 *0x8a95d8 = _t6;
						__eflags = _t6 - _t17;
						if(_t6 == _t17) {
							goto L15;
						} else {
							_t7 = GetProcAddress(_t19, "MonitorFromWindow");
							 *0x8a95dc = _t7;
							__eflags = _t7 - _t17;
							if(_t7 == _t17) {
								goto L15;
							} else {
								_t8 = GetProcAddress(_t19, "MonitorFromRect");
								 *0x8a95e0 = _t8;
								__eflags = _t8 - _t17;
								if(_t8 == _t17) {
									goto L15;
								} else {
									_t9 = GetProcAddress(_t19, "MonitorFromPoint");
									 *0x8a95e4 = _t9;
									__eflags = _t9 - _t17;
									if(_t9 == _t17) {
										goto L15;
									} else {
										_t10 = GetProcAddress(_t19, "EnumDisplayMonitors");
										 *0x8a95ec = _t10;
										__eflags = _t10 - _t17;
										if(_t10 == _t17) {
											goto L15;
										} else {
											_t11 = GetProcAddress(_t19, "EnumDisplayDevicesW");
											 *0x8a95f0 = _t11;
											__eflags = _t11 - _t17;
											if(_t11 == _t17) {
												goto L15;
											} else {
												__eflags =  *0x8a95f8 - _t17; // 0x1
												if(__eflags == 0) {
													_push("GetMonitorInfoA");
												} else {
													_push("GetMonitorInfoW");
												}
												_t12 = GetProcAddress(_t19, ??);
												 *0x8a95e8 = _t12;
												__eflags = _t12 - _t17;
												if(_t12 == _t17) {
													goto L15;
												} else {
													_t5 = 1;
													__eflags = 1;
												}
											}
										}
									}
								}
							}
						}
					}
					 *0x8a95f4 = 1;
					return _t5;
				} else {
					_t25 =  *0x8a95e8 - _t17; // 0x76924f40
					return 0 | _t25 != 0x00000000;
				}
			}

0x00538a8e
0x00538a90
0x00538a96
0x00538aa5
0x00538ab1
0x00538abc
0x00538abe
0x00538ac0
0x00538b67
0x00538b67
0x00538b6d
0x00538b73
0x00538b79
0x00538b7f
0x00538b85
0x00538b8b
0x00538b91
0x00538ac6
0x00538ad2
0x00538ad4
0x00538ad9
0x00538adb
0x00000000
0x00538ae1
0x00538ae7
0x00538ae9
0x00538aee
0x00538af0
0x00000000
0x00538af2
0x00538af8
0x00538afa
0x00538aff
0x00538b01
0x00000000
0x00538b03
0x00538b09
0x00538b0b
0x00538b10
0x00538b12
0x00000000
0x00538b14
0x00538b1a
0x00538b1c
0x00538b21
0x00538b23
0x00000000
0x00538b25
0x00538b2b
0x00538b2d
0x00538b32
0x00538b34
0x00000000
0x00538b36
0x00538b36
0x00538b3c
0x00538b45
0x00538b3e
0x00538b3e
0x00538b3e
0x00538b4b
0x00538b4d
0x00538b52
0x00538b54
0x00000000
0x00538b56
0x00538b58
0x00538b58
0x00538b58
0x00538b54
0x00538b34
0x00538b23
0x00538b12
0x00538b01
0x00538af0
0x00538adb
0x00538b5b
0x00538b66
0x00538a98
0x00538a9a
0x00538aa4
0x00538aa4

APIs

GetModuleHandleW.KERNEL32(USER32,00000000,00000000,76925D80,00538C99,?,?,?,?,?,?,?,0053B685,00000000,00000002,00000028), ref: 00538AB6
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 00538AD2
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00538AE7
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00538AF8
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 00538B09
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 00538B1A
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesW), ref: 00538B2B
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00538B4B

Strings

EnumDisplayMonitors, xrefs: 00538B14
USER32, xrefs: 00538AAC
GetMonitorInfoW, xrefs: 00538B3E
MonitorFromPoint, xrefs: 00538B03
MonitorFromRect, xrefs: 00538AF2
GetSystemMetrics, xrefs: 00538ACC
MonitorFromWindow, xrefs: 00538AE1
GetMonitorInfoA, xrefs: 00538B45
EnumDisplayDevicesW, xrefs: 00538B25

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetMonitorInfoA$GetMonitorInfoW$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2451437823
Opcode ID: ab37c0ef62cb6ac929386d000bdf8ce62a4834b7df3a6b7795b519850bc1ff93
Instruction ID: b9b03a523ea0ed28322ac71538124c93d46fa972c8d481801497cc72022ccd9c
Opcode Fuzzy Hash: ab37c0ef62cb6ac929386d000bdf8ce62a4834b7df3a6b7795b519850bc1ff93
Instruction Fuzzy Hash: 4D216DF1D183529FD71A9F78ACD7979BFE8B24A750B14093FE182D2910EBB44441CE14

Uniqueness

Uniqueness Score: -1.00%

Function 0040DEB0, Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 95
windowCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040DEB0(int _a4) {
				void* _v4;
				int _t20;
				int _t21;
				int _t23;
				void* _t28;
				long _t30;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t38;
				long _t39;
				struct HWND__* _t44;
				long _t48;

				_t44 = _a4;
				_t48 = _t39;
				 *(_t48 + 0x9c) = _t44;
				 *((intOrPtr*)(_t48 + 0xa8)) = SetWindowLongW(_t44, 0xfffffffc, 0x40d9e0);
				SetWindowLongW(_t44, 0xffffffeb, _t48);
				 *(_t48 + 0xac) = FindWindowExW(_t44, 0, L"SysListView32", 0);
				_t20 = GetSystemMetrics(0xb);
				_t21 = GetSystemMetrics(0xc);
				_a4 = GetSystemMetrics(0x31);
				_t23 = GetSystemMetrics(0x32);
				_v4 = LoadImageW(GetModuleHandleW(0), 0x85, 1, _t20, _t21, 0);
				_t28 = LoadImageW(GetModuleHandleW(0), 0x85, 1, _a4, _t23, 0);
				 *((intOrPtr*)(_t48 + 0xb0)) = SendMessageW( *(_t48 + 0xac), 0x1002, 0, 0);
				_t30 = SendMessageW( *(_t48 + 0xac), 0x1002, 1, 0);
				_t38 =  *0x8a7104; // 0x535e54
				 *(_t48 + 0xb4) = _t30;
				_t32 =  *_t38( *((intOrPtr*)(_t48 + 0xb0)), 0xffffffff, _v4);
				 *((intOrPtr*)(_t48 + 0xb8)) = _t32;
				_t33 =  *_t38( *(_t48 + 0xb4), 0xffffffff, _t28);
				 *((intOrPtr*)(_t48 + 0xbc)) = _t33;
				return _t33;
			}

0x0040debb
0x0040dec6
0x0040dec9
0x0040ded5
0x0040dedb
0x0040def5
0x0040defb
0x0040df01
0x0040df0b
0x0040df0f
0x0040df34
0x0040df49
0x0040df75
0x0040df7b
0x0040df83
0x0040df89
0x0040df97
0x0040dfa3
0x0040dfa9
0x0040dfac
0x0040dfb6

APIs

SetWindowLongW.USER32(00000000,000000FC,0040D9E0), ref: 0040DECF
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0040DEDB
FindWindowExW.USER32(00000000,00000000,SysListView32,00000000), ref: 0040DEE7
GetSystemMetrics.USER32(0000000B), ref: 0040DEFB
GetSystemMetrics.USER32(0000000C), ref: 0040DF01
GetSystemMetrics.USER32(00000031), ref: 0040DF07
GetSystemMetrics.USER32(00000032), ref: 0040DF0F
GetModuleHandleW.KERNEL32(00000000,00000085,00000001,00000000,00000000,00000000,?,?,00000000,0040E07B,?), ref: 0040DF26
LoadImageW.USER32(00000000,?,?,00000000,0040E07B,?), ref: 0040DF2F
GetModuleHandleW.KERNEL32(00000000,00000085,00000001,?,00000000,00000000,?,?,00000000,0040E07B,?), ref: 0040DF46
LoadImageW.USER32(00000000,?,?,00000000,0040E07B,?), ref: 0040DF49
SendMessageW.USER32(?,00001002,00000000,00000000), ref: 0040DF63
SendMessageW.USER32(?,00001002,00000001,00000000), ref: 0040DF7B

Strings

T^S, xrefs: 0040DF83
SysListView32, xrefs: 0040DEDF

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: MetricsSystem$Window$HandleImageLoadLongMessageModuleSend$Find
String ID: SysListView32$T^S
API String ID: 892298856-82136643
Opcode ID: fd6c046fb150ad11a3061bc99e34dbf4fcb811fd60e51d1273974bb66ccddd81
Instruction ID: ee64923d1212136130a869512907b2ec4bb14f4207abc4ba8e4616cbe772aef2
Opcode Fuzzy Hash: fd6c046fb150ad11a3061bc99e34dbf4fcb811fd60e51d1273974bb66ccddd81
Instruction Fuzzy Hash: 893153716443007BE620DB758C8AF57B7E9FB89B50F114A1EF359972D0D7B4A8008B29

Uniqueness

Uniqueness Score: -1.00%

Function 0040DFC0, Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 316
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0040DFC0(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _v8;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				short _v104;
				WCHAR* _v108;
				short _v112;
				void* _v116;
				struct HWND__* _v120;
				long _v132;
				long _v140;
				struct HWND__* _v144;
				int _v148;
				struct HWND__* _v152;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t96;
				signed int _t97;
				int _t100;
				signed int _t102;
				signed int _t110;
				long _t112;
				signed int _t114;
				signed int _t121;
				struct HWND__* _t123;
				intOrPtr _t126;
				WCHAR* _t128;
				long _t132;
				intOrPtr _t135;
				signed int _t137;
				intOrPtr* _t155;
				struct HWND__* _t158;
				struct HWND__* _t159;
				void* _t163;
				signed int _t172;
				intOrPtr _t183;
				signed int _t185;
				char* _t194;
				WCHAR* _t196;
				intOrPtr _t202;
				intOrPtr _t203;
				long _t205;
				void* _t211;
				short _t213;
				long _t214;
				void* _t218;
				signed int _t220;
				int _t221;
				signed int _t226;

				_t220 = _t226;
				_push(0xffffffff);
				_push(0x6f0e28);
				_push( *[fs:0x0]);
				_t96 =  *0x877864; // 0xf691760e
				_t97 = _t96 ^ _t220;
				_v24 = _t97;
				_push(_t97);
				 *[fs:0x0] =  &_v16;
				_v20 = _t226 - 0x78;
				_t158 = _a4;
				_v120 = _t158;
				_t205 = _a16;
				_v132 = _t205;
				_t213 = GetWindowLongW(_t158, 0xffffffeb);
				_v112 = _t213;
				_t100 = _a8;
				if(_t100 == 0x111) {
					_t102 = (_a12 & 0x0000ffff) - 1;
					__eflags = _t102;
					if(_t102 == 0) {
						E00403680();
						_v8 = 0;
						E00403680();
						_v8 = 1;
						_t196 = _v108;
						__eflags =  *((intOrPtr*)(_t196 - 8)) - 0x00000104 | 0x00000001 -  *((intOrPtr*)(_t196 - 4));
						if(( *((intOrPtr*)(_t196 - 8)) - 0x00000104 | 0x00000001 -  *((intOrPtr*)(_t196 - 4))) < 0) {
							_push(0x104);
							E00402E90(_t158,  &_v108);
							_t196 = _v108;
						}
						GetDlgItemTextW(_t158, 0x480, _t196, 0x104);
						_t168 =  *((intOrPtr*)(_v108 - 8));
						_t110 = E0057078F(_v108,  *((intOrPtr*)(_v108 - 8)));
						__eflags = _t110;
						if(_t110 < 0) {
							L35:
							_push(0x80070057);
							E00401460(_t168, 0, _t213, _t220);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t158);
							_t159 = _v152;
							_push(_t220);
							_push(_t213);
							_push(0);
							_t112 = GetWindowLongW(_t159, 0xffffffeb);
							_t221 = _v148;
							_t214 = _t112;
							__eflags = _t221 - 0x101;
							if(__eflags > 0) {
								_t114 = _t221 - 0x102;
								__eflags = _t114;
								if(_t114 == 0) {
									 *((char*)(_t214 + 0x95)) = 1;
								} else {
									__eflags = _t114 == 0xc;
									if(_t114 == 0xc) {
										 *((char*)(_t214 + 0x96)) = 1;
									}
								}
								goto L57;
							} else {
								if(__eflags == 0) {
									__eflags = _v144 - 0xd;
									if(_v144 != 0xd) {
										goto L57;
									} else {
										__eflags =  *((char*)(_t214 + 0x96));
										if( *((char*)(_t214 + 0x96)) != 0) {
											 *((char*)(_t214 + 0x96)) = 0;
											goto L57;
										} else {
											__eflags =  *((char*)(_t214 + 0x95));
											if( *((char*)(_t214 + 0x95)) != 0) {
												_push(_t159);
												 *((char*)(_t214 + 0x95)) = 0;
												E0040D830(_t214);
											}
											return 0;
										}
									}
								} else {
									_t121 = _t221 - 8;
									__eflags = _t121;
									if(_t121 == 0) {
										_t123 = GetParent(_v144);
										__eflags = _t123 -  *((intOrPtr*)(_t214 + 0x9c));
										if(_t123 !=  *((intOrPtr*)(_t214 + 0x9c))) {
											__eflags =  *((char*)(_t214 + 0x95));
											if( *((char*)(_t214 + 0x95)) != 0) {
												_push(_t159);
												 *((char*)(_t214 + 0x95)) = 0;
												E0040D830(_t214);
											}
										}
										goto L57;
									} else {
										__eflags = _t121 != 0x7f;
										if(_t121 != 0x7f) {
											L57:
											return CallWindowProcW( *(_t214 + 0xa4), _t159, _t221, _v144, _v140);
										} else {
											_t172 = _v140;
											__eflags = _t172;
											if(_t172 == 0) {
												goto L57;
											} else {
												_t126 =  *((intOrPtr*)(_t172 + 4));
												__eflags = _t126 - 0x100;
												if(_t126 < 0x100) {
													goto L57;
												} else {
													__eflags = _t126 - 0x102;
													if(_t126 > 0x102) {
														goto L57;
													} else {
														__eflags =  *((intOrPtr*)(_t172 + 8)) - 0xd;
														if( *((intOrPtr*)(_t172 + 8)) != 0xd) {
															goto L57;
														} else {
															return 4;
														}
													}
												}
											}
										}
									}
								}
							}
						} else {
							_t168 = _v108;
							__eflags = _t110 -  *((intOrPtr*)(_t168 - 8));
							if(_t110 >  *((intOrPtr*)(_t168 - 8))) {
								goto L35;
							} else {
								 *(_t168 - 0xc) = _t110;
								_t198 = _v108;
								_v108[_t110] = 0;
								_t128 = _v108;
								__eflags =  *(_t128 - 0xc);
								if( *(_t128 - 0xc) == 0) {
									L33:
									_v8 = 0;
									E004036F0(_t198);
									_v8 = 0xffffffff;
									E004036F0(_t198);
									_t205 = _v132;
									goto L34;
								} else {
									_v8 = 2;
									_push(_v108);
									E00533950(_t158);
									_v8 = 1;
									__eflags =  *(_t213 + 0x54) & 0x00000800;
									if(( *(_t213 + 0x54) & 0x00000800) == 0) {
										L24:
										__eflags =  *((char*)(_t213 + 0x94));
										if( *((char*)(_t213 + 0x94)) != 0) {
											 *((char*)(_t213 + 0x94)) = 0;
											goto L33;
										} else {
											_t200 = _v108;
											_t135 =  *((intOrPtr*)(_v108 - 0xc));
											_t183 =  *(_t213 + 0x40) - 1;
											__eflags = _t135 - _t183;
											if(_t135 >= _t183) {
												_t135 = _t183;
											}
											E0057100F( *((intOrPtr*)(_t213 + 0x3c)), _t200, _t135);
											_t137 =  *(_v108 - 0xc);
											_t185 =  *(_t213 + 0x40);
											__eflags = _t137 - _t185;
											if(_t137 >= _t185) {
												_t137 = _t185;
											}
											_t199 = 0;
											 *((short*)( *((intOrPtr*)(_t213 + 0x3c)) + _t137 * 2)) = 0;
											_t58 = _t213 + 0x8c; // 0x8c
											E00405FC0(_t58, _t213,  *((intOrPtr*)(_t213 + 0x3c)));
											EndDialog( *(_t213 + 0x98), 1);
											_v8 = 0;
											E004036F0(0);
											_v8 = 0xffffffff;
											E004036F0(0);
											_t132 = 0;
											__eflags = 0;
										}
									} else {
										__eflags = 0;
										if(0 == 0) {
											goto L24;
										} else {
											FormatMessageW(0x1300, 0, 3, 0,  &_v112, 0, 0);
											_t198 = _v112;
											MessageBoxW(_t158, _v112,  *(_t213 + 0x50), 0x10030);
											LocalFree(_v112);
											E0040CA80(_t158, _t213, __eflags);
											goto L33;
										}
									}
								}
								goto L30;
							}
						}
					} else {
						__eflags = _t102 == 0xa001;
						if(_t102 == 0xa001) {
							 *(_t213 + 0x88) = 1;
						}
						goto L34;
					}
				} else {
					if(_t100 == 0x210 && (_a12 & 0x0000ffff) == 1) {
						GetClassNameW(_t205,  &_v104, 0x28);
						_t194 = L"SHELLDLL_DefView";
						_t155 =  &_v104;
						while(1) {
							_t202 =  *_t155;
							if(_t202 !=  *_t194) {
								break;
							}
							if(_t202 == 0) {
								L8:
								_t155 = 0;
							} else {
								_t203 =  *((intOrPtr*)(_t155 + 2));
								if(_t203 != _t194[2]) {
									break;
								} else {
									_t155 = _t155 + 4;
									_t194 =  &(_t194[4]);
									if(_t203 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							if(_t155 == 0) {
								E0040DEB0(_t205);
							}
							goto L34;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						goto L10;
					}
					L34:
					_t199 = _a8;
					_t132 = CallWindowProcW( *(_t213 + 0xa0), _t158, _a8, _a12, _t205);
					L30:
					 *[fs:0x0] = _v16;
					_pop(_t211);
					_pop(_t218);
					_pop(_t163);
					return E0056F98F(_t132, _t163, _v24 ^ _t220, _t199, _t211, _t218);
				}
			}

0x0040dfc1
0x0040dfc3
0x0040dfc5
0x0040dfd0
0x0040dfd4
0x0040dfd9
0x0040dfdb
0x0040dfe1
0x0040dfe5
0x0040dfeb
0x0040dfee
0x0040dff1
0x0040dff4
0x0040dff7
0x0040e003
0x0040e005
0x0040e008
0x0040e010
0x0040e084
0x0040e084
0x0040e087
0x0040e0a6
0x0040e0ad
0x0040e0b3
0x0040e0b8
0x0040e0bc
0x0040e0cf
0x0040e0d1
0x0040e0d3
0x0040e0db
0x0040e0e0
0x0040e0e0
0x0040e0ef
0x0040e0f8
0x0040e0fd
0x0040e105
0x0040e107
0x0040e2fa
0x0040e2fa
0x0040e2ff
0x0040e304
0x0040e305
0x0040e306
0x0040e307
0x0040e308
0x0040e309
0x0040e30a
0x0040e30b
0x0040e30c
0x0040e30d
0x0040e30e
0x0040e30f
0x0040e310
0x0040e311
0x0040e315
0x0040e316
0x0040e317
0x0040e31d
0x0040e323
0x0040e327
0x0040e329
0x0040e32f
0x0040e3e9
0x0040e3e9
0x0040e3ee
0x0040e3fe
0x0040e3f0
0x0040e3f0
0x0040e3f3
0x0040e3f5
0x0040e3f5
0x0040e3f3
0x00000000
0x0040e335
0x0040e335
0x0040e3ad
0x0040e3b2
0x00000000
0x0040e3b4
0x0040e3b4
0x0040e3bb
0x0040e3de
0x00000000
0x0040e3bd
0x0040e3bd
0x0040e3c4
0x0040e3c6
0x0040e3c9
0x0040e3d0
0x0040e3d0
0x0040e3db
0x0040e3db
0x0040e3bb
0x0040e337
0x0040e339
0x0040e339
0x0040e33c
0x0040e385
0x0040e38b
0x0040e391
0x0040e393
0x0040e39a
0x0040e39c
0x0040e39f
0x0040e3a6
0x0040e3a6
0x0040e39a
0x00000000
0x0040e33e
0x0040e33e
0x0040e341
0x0040e405
0x0040e422
0x0040e347
0x0040e347
0x0040e34b
0x0040e34d
0x00000000
0x0040e353
0x0040e353
0x0040e356
0x0040e35b
0x00000000
0x0040e361
0x0040e361
0x0040e366
0x00000000
0x0040e36c
0x0040e36c
0x0040e370
0x00000000
0x0040e376
0x0040e37d
0x0040e37d
0x0040e370
0x0040e366
0x0040e35b
0x0040e34d
0x0040e341
0x0040e33c
0x0040e335
0x0040e10d
0x0040e10d
0x0040e110
0x0040e113
0x00000000
0x0040e119
0x0040e119
0x0040e11e
0x0040e121
0x0040e125
0x0040e128
0x0040e12b
0x0040e2c3
0x0040e2c3
0x0040e2ca
0x0040e2cf
0x0040e2d9
0x0040e2de
0x00000000
0x0040e131
0x0040e131
0x0040e138
0x0040e139
0x0040e141
0x0040e1b4
0x0040e1bb
0x0040e1fd
0x0040e1fd
0x0040e204
0x0040e299
0x00000000
0x0040e20a
0x0040e20a
0x0040e20d
0x0040e213
0x0040e214
0x0040e216
0x0040e218
0x0040e218
0x0040e220
0x0040e22b
0x0040e22e
0x0040e231
0x0040e233
0x0040e235
0x0040e235
0x0040e23a
0x0040e23c
0x0040e244
0x0040e24a
0x0040e258
0x0040e25e
0x0040e265
0x0040e26a
0x0040e274
0x0040e279
0x0040e279
0x0040e279
0x0040e1bd
0x0040e1bd
0x0040e1bf
0x00000000
0x0040e1c1
0x0040e1d4
0x0040e1e3
0x0040e1e8
0x0040e1f2
0x0040e2be
0x00000000
0x0040e2be
0x0040e1bf
0x0040e1bb
0x00000000
0x0040e12b
0x0040e113
0x0040e089
0x0040e089
0x0040e08e
0x0040e094
0x0040e094
0x00000000
0x0040e08e
0x0040e012
0x0040e017
0x0040e031
0x0040e037
0x0040e03c
0x0040e040
0x0040e040
0x0040e046
0x00000000
0x00000000
0x0040e04b
0x0040e062
0x0040e062
0x0040e04d
0x0040e04d
0x0040e055
0x00000000
0x0040e057
0x0040e057
0x0040e05a
0x0040e060
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e060
0x0040e055
0x0040e06b
0x0040e06d
0x0040e076
0x0040e076
0x00000000
0x0040e06d
0x0040e066
0x0040e068
0x00000000
0x0040e068
0x0040e2e1
0x0040e2e6
0x0040e2f2
0x0040e27b
0x0040e27e
0x0040e286
0x0040e287
0x0040e288
0x0040e296
0x0040e296

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040DFFD
GetClassNameW.USER32(?,?,00000028), ref: 0040E031
GetDlgItemTextW.USER32(?,00000480,?,00000104), ref: 0040E0EF
_wcsnlen.LIBCMT ref: 0040E0FD
FormatMessageW.KERNEL32(00001300,00000000,00000003,00000000,?,00000000,00000000), ref: 0040E1D4
MessageBoxW.USER32(?,?,?,00010030), ref: 0040E1E8
LocalFree.KERNEL32(?), ref: 0040E1F2
CallWindowProcW.USER32(?,?,?,?,?), ref: 0040E2F2
GetWindowLongW.USER32(?,000000EB), ref: 0040E31D
GetParent.USER32(?), ref: 0040E385
CallWindowProcW.USER32(?,?,?,?,?), ref: 0040E418

Strings

SHELLDLL_DefView, xrefs: 0040E037

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Window$CallLongMessageProc$ClassFormatFreeItemLocalNameParentText_wcsnlen
String ID: SHELLDLL_DefView
API String ID: 3354443168-137347452
Opcode ID: 44020874bfb6c623e408e2f816d6fe9f5ed0ecd503da61ddc6aebcd603dc9a74
Instruction ID: 16864f953623590f570b6009fca913e18f5c496bddb5147e367c80c755027003
Opcode Fuzzy Hash: 44020874bfb6c623e408e2f816d6fe9f5ed0ecd503da61ddc6aebcd603dc9a74
Instruction Fuzzy Hash: 66B1F3716003049BDB20DF6AC849BAFBBB9EB55300F10893EF55AAB3C1C779A941CB55

Uniqueness

Uniqueness Score: -1.00%

Function 005C6EBE, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 84%

			E005C6EBE(void* __ebx, void* __edi, void* __esi, void* __eflags, int _a8) {
				short _v0;
				char* _v4;
				signed int _v16;
				intOrPtr* _v24;
				char _v52;
				char _v92;
				intOrPtr* _t38;
				signed int _t42;
				signed int _t43;
				char _t44;
				void* _t58;
				int _t60;
				intOrPtr _t63;

				_push(0x44);
				E00576762(0x727096, __ebx, __edi, __esi);
				_t1 =  &_v52; // 0x40453a
				E00406020(_t1, "invalid string position");
				_v16 = _v16 & 0x00000000;
				_t4 =  &_v52; // 0x40453a
				E00405EF0(_t4);
				_t6 =  &_v92; // 0x404512
				E0057080C(_t6, 0x80e02c);
				asm("int3");
				_push(0x44);
				E00576762(0x7270b9, __ebx, __edi, __esi);
				_t7 =  &_v52; // 0x40453a
				E00406020(_t7, "invalid string argument");
				_v16 = _v16 & 0x00000000;
				_t10 =  &_v52; // 0x40453a
				E00405D80(_t10);
				_t12 =  &_v92; // 0x404512
				E0057080C(_t12, 0x849fb4);
				asm("int3");
				_t38 = _v24;
				_push(__esi);
				_push(__edi);
				_t70 = _t38;
				if(_t38 != 0) {
					_t63 =  *_t38;
					_t60 =  *(_t38 + 4);
				} else {
					_t63 =  *((intOrPtr*)(E00572FF3(_t58, __edi, __esi, _t70) + 8));
					_t60 = E00572FA7(_t58, __edi, _t63, _t70);
				}
				if(_t63 != 0) {
					_a8 = _a8 & 0x00000000;
					_t42 = WideCharToMultiByte(_t60, 0,  &_v0, 1, _v4, E00572F8B(_t58, _t60, _t63, E005C70B6(_t60)), 0,  &_a8);
					__eflags = _t42;
					if(__eflags == 0) {
						goto L8;
					} else {
						__eflags = _a8;
						if(__eflags != 0) {
							goto L8;
						}
					}
				} else {
					_t44 = _v0;
					if(_t44 > 0xff) {
						L8:
						_t43 = E00576A0A(__eflags);
						 *_t43 = 0x2a;
						_t42 = _t43 | 0xffffffff;
						__eflags = _t42;
					} else {
						 *_v4 = _t44;
						_t42 = 1;
					}
				}
				return _t42;
			}

0x005c6ebe
0x005c6ec5
0x005c6ecf
0x005c6ed2
0x005c6ed7
0x005c6edb
0x005c6ee2
0x005c6eec
0x005c6ef0
0x005c6ef5
0x005c6ef6
0x005c6efd
0x005c6f07
0x005c6f0a
0x005c6f0f
0x005c6f13
0x005c6f1a
0x005c6f24
0x005c6f28
0x005c6f2d
0x005c6f33
0x005c6f36
0x005c6f37
0x005c6f38
0x005c6f3a
0x005c6f4d
0x005c6f4f
0x005c6f3c
0x005c6f41
0x005c6f49
0x005c6f49
0x005c6f54
0x005c6f6e
0x005c6f93
0x005c6f99
0x005c6f9b
0x00000000
0x005c6f9d
0x005c6f9d
0x005c6fa1
0x00000000
0x00000000
0x005c6fa1
0x005c6f56
0x005c6f56
0x005c6f62
0x005c6fa3
0x005c6fa3
0x005c6fa8
0x005c6fae
0x005c6fae
0x005c6f64
0x005c6f67
0x005c6f6b
0x005c6f6b
0x005c6f62
0x005c6fb4

APIs

__EH_prolog3.LIBCMT ref: 005C6EC5
__CxxThrowException@8.LIBCMT ref: 005C6EF0

Part of subcall function 0057080C: KiUserExceptionDispatcher.NTDLL(?,?,00402FC2,00000000,?,?,?,?,00402FC2,00000000,0080D3D8,00000000), ref: 0057084E

__EH_prolog3.LIBCMT ref: 005C6EFD
__CxxThrowException@8.LIBCMT ref: 005C6F28
____lc_handle_func.LIBCMT ref: 005C6F3C

Part of subcall function 00572FF3: __getptd.LIBCMT ref: 00572FF3

____lc_codepage_func.LIBCMT ref: 005C6F44

Part of subcall function 00572FA7: __getptd.LIBCMT ref: 00572FA7

__GetLocaleForCP.LIBCPMT ref: 005C6F73

Part of subcall function 005C70B6: __malloc_crt.LIBCMT ref: 005C70F4
Part of subcall function 005C70B6: __CreateLocForCP.LIBCPMT ref: 005C7104
Part of subcall function 005C70B6: InterlockedCompareExchange.KERNEL32(80070057,00000000,?), ref: 005C711B

____mb_cur_max_l_func.LIBCMT ref: 005C6F80

Part of subcall function 00572F8B: __getptd.LIBCMT ref: 00572F62

WideCharToMultiByte.KERNEL32(?,00000000,F691760E,00000001,?,00000000,00000000,00000000,?,?,00404562,00404512,00849FB4,0040453A,invalid string argument,00000044), ref: 005C6F93

Strings

invalid string argument, xrefs: 005C6F02
invalid string position, xrefs: 005C6ECA

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: __getptd$Exception@8H_prolog3Throw$ByteCharCompareCreateDispatcherExceptionExchangeInterlockedLocaleMultiUserWide____lc_codepage_func____lc_handle_func____mb_cur_max_l_func__malloc_crt
String ID: invalid string argument$invalid string position
API String ID: 3264674238-3740083952
Opcode ID: d66e5b4b9bda2fceaf7a74e36111d6aa11e3bf655acc328b1bc5baee1132fdfb
Instruction ID: eace8825470d3dcf32348b0a8077d503755e52118fb6eed50787047a436334cc
Opcode Fuzzy Hash: d66e5b4b9bda2fceaf7a74e36111d6aa11e3bf655acc328b1bc5baee1132fdfb
Instruction Fuzzy Hash: 2121A57250020AAEDB10EFE0E849FEE7B78FF44724F044029F505AB1C1DBB49A05D761

Uniqueness

Uniqueness Score: -1.00%

Function 0044CA90, Relevance: 18.3, APIs: 12, Instructions: 322
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0044CA90(void* __ebx, signed int __ecx) {
				void* __edi;
				void* __esi;
				intOrPtr _t115;
				intOrPtr _t117;
				signed int _t121;
				int _t122;
				signed int _t156;
				signed int _t159;
				void* _t161;
				signed int _t165;
				void* _t167;
				signed int _t169;
				signed int _t174;
				void* _t176;
				signed int _t178;
				void* _t188;
				void* _t191;
				signed int _t192;
				signed int _t193;
				signed int _t197;
				signed int _t208;
				signed int _t229;
				intOrPtr* _t242;
				signed int _t243;
				signed int _t247;
				signed int* _t248;
				void* _t251;
				intOrPtr _t252;
				intOrPtr* _t255;
				intOrPtr* _t256;
				void* _t257;
				void* _t258;

				_t188 = __ebx;
				_t247 =  *(_t257 + 8);
				_t242 = __ecx;
				_t115 =  *((intOrPtr*)(__ecx));
				_t229 =  *((intOrPtr*)(_t115 - 8)) - _t247;
				_t197 = 0x00000001 -  *((intOrPtr*)(_t115 - 0x10 + 0xc)) | _t229;
				if(1 < 0) {
					_push(_t247);
					_t197 = __ecx;
					E00402E90(__ebx, __ecx);
				}
				_t117 =  *_t242;
				if(_t247 < 0 || _t247 >  *((intOrPtr*)(_t117 - 8))) {
					_push(0x80070057);
					E00401460(_t197, _t242, _t247, _t251);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_t258 = _t257 - 0x2c;
					_push(_t188);
					_push(_t251);
					_t252 =  *((intOrPtr*)(_t258 + 0x38));
					_push(_t247);
					_push(_t242);
					_t248 = _t197;
					GetClientRect( *(_t252 + 0x20), _t258 + 0x2c);
					_t243 =  *(_t258 + 0x48);
					__eflags = _t243;
					if(_t243 != 0) {
						 *_t243 = _t248[0x18];
						 *(_t243 + 4) = _t248[0x19];
						 *(_t243 + 8) = _t248[0x1a];
						_t229 = _t248[0x1b];
						 *(_t243 + 0xc) = _t229;
						E004010A0(_t252, _t243);
						__eflags = _t248[0x1c] - 1;
						if(_t248[0x1c] == 1) {
							 *_t243 =  *_t243 +  *(_t258 + 0x2c);
							__eflags =  *_t243;
						}
						__eflags = _t248[0x1e] - 3;
						if(_t248[0x1e] == 3) {
							_t23 = _t243 + 4;
							 *_t23 =  *(_t243 + 4) +  *((intOrPtr*)(_t258 + 0x30));
							__eflags =  *_t23;
						}
						__eflags = _t248[0x1d] - 2;
						if(_t248[0x1d] == 2) {
							_t229 =  *(_t258 + 0x34);
							_t27 = _t243 + 8;
							 *_t27 =  *(_t243 + 8) + _t229;
							__eflags =  *_t27;
						}
						__eflags = _t248[0x1f] - 4;
						if(_t248[0x1f] == 4) {
							_t31 = _t243 + 0xc;
							 *_t31 =  *(_t243 + 0xc) +  *((intOrPtr*)(_t258 + 0x38));
							__eflags =  *_t31;
						}
					}
					__eflags =  *_t248;
					if( *_t248 == 0) {
						__eflags = _t243;
						if(__eflags != 0) {
							 *(_t258 + 0x4c) = 0xffffffff;
							 *(_t258 + 0x44) = 0;
							_t191 = E00541CA6(_t188,  *(_t252 + 0x20), _t243, _t248, __eflags, GetDC( *(_t252 + 0x20)));
							 *(_t258 + 0x18) = GetDeviceCaps( *(_t191 + 8), 0xc) & 0x0000ffff;
							ReleaseDC( *(_t252 + 0x20),  *(_t191 + 4));
							_t192 = _t248[1];
							__eflags = 0;
							 *(_t258 + 0x1c) = 0;
							 *((intOrPtr*)(_t258 + 0x20)) = 0;
							 *((intOrPtr*)(_t258 + 0x24)) = 0;
							 *((intOrPtr*)(_t258 + 0x28)) = 0;
							_t255 =  *(_t248[6]);
							while(1) {
								_t156 = _t248[1];
								 *(_t258 + 0x18) = _t248[6];
								__eflags = _t192;
								if(_t192 == 0) {
									goto L20;
								}
								__eflags = _t192 - _t156;
								if(_t192 != _t156) {
									goto L20;
								}
								L21:
								__eflags = _t255 -  *(_t258 + 0x18);
								if(_t255 !=  *(_t258 + 0x18)) {
									__eflags = _t192;
									if(_t192 != 0) {
										_t174 =  *_t192;
									} else {
										E005709F4();
										_t174 = 0;
										__eflags = 0;
									}
									__eflags = _t255 -  *((intOrPtr*)(_t174 + 0x14));
									if(_t255 ==  *((intOrPtr*)(_t174 + 0x14))) {
										E005709F4();
									}
									_t176 = LoadImageW(_t248[0xf], E0050ACE0(_t255 + 8), 0, 0, 0, 0x2000);
									_push(_t258 + 0x1c);
									_push(_t258 + 0x44);
									_push(_t258 + 0x50);
									E0044AEF0(_t248,  *(_t258 + 0x18), _t176, _t243,  *(_t258 + 0x18));
									__eflags = _t192;
									if(_t192 != 0) {
										_t178 =  *_t192;
									} else {
										E005709F4();
										_t178 = 0;
										__eflags = 0;
									}
									__eflags = _t255 -  *((intOrPtr*)(_t178 + 0x14));
									if(_t255 ==  *((intOrPtr*)(_t178 + 0x14))) {
										E005709F4();
									}
									_t255 =  *_t255;
									continue;
								}
								_t256 =  *(_t248[0xd]);
								_t193 = _t248[8];
								while(1) {
									_t159 = _t248[8];
									 *(_t258 + 0x18) = _t248[0xd];
									__eflags = _t193;
									if(_t193 == 0) {
										goto L36;
									}
									__eflags = _t193 - _t159;
									if(_t193 != _t159) {
										goto L36;
									}
									L37:
									__eflags = _t256 -  *(_t258 + 0x18);
									if(_t256 !=  *(_t258 + 0x18)) {
										__eflags = _t193;
										if(_t193 != 0) {
											_t165 =  *_t193;
										} else {
											E005709F4();
											_t165 = 0;
											__eflags = 0;
										}
										__eflags = _t256 -  *((intOrPtr*)(_t165 + 0x14));
										if(_t256 ==  *((intOrPtr*)(_t165 + 0x14))) {
											E005709F4();
										}
										_t167 = LoadImageW(0, E00504A60(_t256 + 8), 0, 0, 0, 0x2010);
										_push(_t258 + 0x1c);
										_push(_t258 + 0x44);
										_push(_t258 + 0x50);
										E0044AEF0(_t248, _t258 + 0x50, _t167, _t243,  *(_t258 + 0x18));
										__eflags = _t193;
										if(_t193 != 0) {
											_t169 =  *_t193;
										} else {
											E005709F4();
											_t169 = 0;
											__eflags = 0;
										}
										__eflags = _t256 -  *((intOrPtr*)(_t169 + 0x14));
										if(_t256 ==  *((intOrPtr*)(_t169 + 0x14))) {
											E005709F4();
										}
										_t256 =  *_t256;
										continue;
									}
									_t161 =  *_t248;
									__eflags = _t161;
									if(_t161 != 0) {
										DeleteObject(_t161);
									}
									_t229 =  *(_t258 + 0x40);
									 *_t248 = _t229;
									CopyRect( &(_t248[0x10]), _t258 + 0x1c);
									goto L52;
									L36:
									E005709F4();
									goto L37;
								}
								L20:
								E005709F4();
								goto L21;
							}
						}
					}
					L52:
					_t121 =  *(_t258 + 0x44);
					__eflags = _t121;
					if(_t121 != 0) {
						_t229 =  *_t248;
						 *_t121 = _t229;
					}
					_t122 =  *(_t258 + 0x4c);
					__eflags = _t122;
					if(_t122 != 0) {
						 *_t122 = _t248[0x10].left;
						 *(_t122 + 4) = _t248[0x11];
						 *(_t122 + 8) = _t248[0x12];
						_t229 = _t248[0x13];
						 *(_t122 + 0xc) = _t229;
					}
					__eflags = _t243;
					if(_t243 != 0) {
						__eflags = _t248[0x1c] - 5;
						if(_t248[0x1c] == 5) {
							asm("cdq");
							_t122 = MulDiv(_t248[0x12] - _t248[0x10].left, ( *(_t243 + 0xc) -  *(_t243 + 4) ^ _t229) - _t229, _t248[0x13] - _t248[0x11]);
							_t208 =  *(_t243 + 8) - _t122;
							__eflags = _t208;
							 *_t243 = _t208;
						}
						__eflags = _t248[0x1d] - 5;
						if(_t248[0x1d] == 5) {
							asm("cdq");
							_t122 = MulDiv(_t248[0x12] - _t248[0x10].left, ( *(_t243 + 0xc) -  *(_t243 + 4) ^ _t229) - _t229, _t248[0x13] - _t248[0x11]) +  *_t243;
							__eflags = _t122;
							 *(_t243 + 8) = _t122;
						}
						__eflags = _t248[0x1e] - 5;
						if(_t248[0x1e] == 5) {
							asm("cdq");
							_t122 = MulDiv(_t248[0x13] - _t248[0x11], ( *(_t243 + 8) -  *_t243 ^ _t229) - _t229, _t248[0x12] - _t248[0x10].left);
							_t229 =  *(_t243 + 0xc) - _t122;
							__eflags = _t229;
							 *(_t243 + 4) = _t229;
						}
						__eflags = _t248[0x1f] - 5;
						if(_t248[0x1f] == 5) {
							asm("cdq");
							_t122 = MulDiv(_t248[0x13] - _t248[0x11], ( *(_t243 + 8) -  *_t243 ^ _t229) - _t229, _t248[0x12] - _t248[0x10]) +  *(_t243 + 4);
							__eflags = _t122;
							 *(_t243 + 0xc) = _t122;
						}
					}
					return _t122;
				} else {
					 *(_t117 - 0xc) = _t247;
					 *((short*)( *_t242 + _t247 * 2)) = 0;
					return _t117;
				}
			}

0x0044ca90
0x0044ca91
0x0044ca96
0x0044ca98
0x0044caa8
0x0044caaa
0x0044caac
0x0044caae
0x0044caaf
0x0044cab1
0x0044cab1
0x0044cab6
0x0044caba
0x0044cad1
0x0044cad6
0x0044cadb
0x0044cadc
0x0044cadd
0x0044cade
0x0044cadf
0x0044cae0
0x0044cae3
0x0044cae4
0x0044cae5
0x0044cae9
0x0044caea
0x0044caef
0x0044caf6
0x0044cafc
0x0044cb00
0x0044cb02
0x0044cb07
0x0044cb0c
0x0044cb12
0x0044cb15
0x0044cb1b
0x0044cb1e
0x0044cb23
0x0044cb27
0x0044cb2d
0x0044cb2d
0x0044cb2d
0x0044cb2f
0x0044cb33
0x0044cb39
0x0044cb39
0x0044cb39
0x0044cb39
0x0044cb3c
0x0044cb40
0x0044cb42
0x0044cb46
0x0044cb46
0x0044cb46
0x0044cb46
0x0044cb49
0x0044cb4d
0x0044cb53
0x0044cb53
0x0044cb53
0x0044cb53
0x0044cb4d
0x0044cb56
0x0044cb59
0x0044cb5f
0x0044cb61
0x0044cb6b
0x0044cb73
0x0044cb87
0x0044cba0
0x0044cba4
0x0044cbaa
0x0044cbad
0x0044cbaf
0x0044cbb3
0x0044cbb7
0x0044cbbb
0x0044cbc2
0x0044cbc4
0x0044cbc7
0x0044cbca
0x0044cbce
0x0044cbd0
0x00000000
0x00000000
0x0044cbd2
0x0044cbd4
0x00000000
0x00000000
0x0044cbdb
0x0044cbdb
0x0044cbdf
0x0044cbe1
0x0044cbe3
0x0044cc4e
0x0044cbe5
0x0044cbe5
0x0044cbea
0x0044cbea
0x0044cbea
0x0044cbec
0x0044cbef
0x0044cbf1
0x0044cbf1
0x0044cc0e
0x0044cc18
0x0044cc1d
0x0044cc26
0x0044cc2c
0x0044cc31
0x0044cc33
0x0044cc52
0x0044cc35
0x0044cc35
0x0044cc3a
0x0044cc3a
0x0044cc3a
0x0044cc3c
0x0044cc3f
0x0044cc41
0x0044cc41
0x0044cc46
0x00000000
0x0044cc46
0x0044cc59
0x0044cc5b
0x0044cc60
0x0044cc63
0x0044cc66
0x0044cc6a
0x0044cc6c
0x00000000
0x00000000
0x0044cc6e
0x0044cc70
0x00000000
0x00000000
0x0044cc77
0x0044cc77
0x0044cc7b
0x0044cc7d
0x0044cc7f
0x0044cce8
0x0044cc81
0x0044cc81
0x0044cc86
0x0044cc86
0x0044cc86
0x0044cc88
0x0044cc8b
0x0044cc8d
0x0044cc8d
0x0044cca8
0x0044ccb2
0x0044ccb7
0x0044ccc0
0x0044ccc6
0x0044cccb
0x0044cccd
0x0044ccec
0x0044cccf
0x0044cccf
0x0044ccd4
0x0044ccd4
0x0044ccd4
0x0044ccd6
0x0044ccd9
0x0044ccdb
0x0044ccdb
0x0044cce0
0x00000000
0x0044cce0
0x0044ccf0
0x0044ccf2
0x0044ccf4
0x0044ccf7
0x0044ccf7
0x0044ccfd
0x0044cd0a
0x0044cd0c
0x00000000
0x0044cc72
0x0044cc72
0x00000000
0x0044cc72
0x0044cbd6
0x0044cbd6
0x00000000
0x0044cbd6
0x0044cbc4
0x0044cb61
0x0044cd12
0x0044cd12
0x0044cd16
0x0044cd18
0x0044cd1a
0x0044cd1c
0x0044cd1c
0x0044cd1e
0x0044cd22
0x0044cd24
0x0044cd29
0x0044cd2e
0x0044cd34
0x0044cd37
0x0044cd3a
0x0044cd3a
0x0044cd3d
0x0044cd3f
0x0044cd50
0x0044cd53
0x0044cd68
0x0044cd6f
0x0044cd74
0x0044cd74
0x0044cd76
0x0044cd76
0x0044cd78
0x0044cd7b
0x0044cd90
0x0044cd99
0x0044cd99
0x0044cd9b
0x0044cd9b
0x0044cd9e
0x0044cda1
0x0044cdb5
0x0044cdbc
0x0044cdc1
0x0044cdc1
0x0044cdc3
0x0044cdc3
0x0044cdc6
0x0044cdc9
0x0044cddd
0x0044cde6
0x0044cde6
0x0044cde9
0x0044cde9
0x0044cdc9
0x0044cdf3
0x0044cac1
0x0044cac1
0x0044cac9
0x0044cace
0x0044cace

APIs

Part of subcall function 00401460: _memcpy_s.LIBCMT ref: 0040149A

GetClientRect.USER32(0000005C,?), ref: 0044CAF6
GetDC.USER32 ref: 0044CB7B
GetDeviceCaps.GDI32(?,0000000C), ref: 0044CB8F
ReleaseDC.USER32(0000005C,?), ref: 0044CBA4
LoadImageW.USER32(?,00000000,00000000,00000000,00000000,00002000), ref: 0044CC0E

Part of subcall function 004010A0: MapDialogRect.USER32(0000005C,0044CB23), ref: 004010AE
Part of subcall function 004010A0: MulDiv.KERNEL32(00000000,?,76921C00), ref: 004010C8
Part of subcall function 004010A0: MulDiv.KERNEL32(448B0675,0044CB23,?), ref: 004010DB
Part of subcall function 004010A0: MulDiv.KERNEL32(07012C24,?,76921C00), ref: 004010EF
Part of subcall function 004010A0: MulDiv.KERNEL32(03787E83,0044CB23,?), ref: 00401103

LoadImageW.USER32(00000000,00000000,00000000,00000000,00000000,00002010), ref: 0044CCA8
DeleteObject.GDI32(00000000), ref: 0044CCF7
CopyRect.USER32(?,?), ref: 0044CD0C
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044CD6F
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044CD97
MulDiv.KERNEL32(00000000,?,?), ref: 0044CDBC
MulDiv.KERNEL32(00000000,?,?), ref: 0044CDE4

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Rect$ImageLoad$CapsClientCopyDeleteDeviceDialogObjectRelease_memcpy_s
String ID:
API String ID: 407035062-0
Opcode ID: 4544d96f4cb5a1d1d7d870392fa8fcf7d82c39f13d22508e93bb0dddd7f557fe
Instruction ID: 7b77748234cafb5fa34e18f4e97944591aba0a42c814fc1284785814ba8e62ac
Opcode Fuzzy Hash: 4544d96f4cb5a1d1d7d870392fa8fcf7d82c39f13d22508e93bb0dddd7f557fe
Instruction Fuzzy Hash: 76C149B12017019FE764DF69C9C4A2BBBF5FF88300B148A1EE69A87651DB34F840CB59

Uniqueness

Uniqueness Score: -1.00%

Function 005C71A4, Relevance: 18.1, APIs: 12, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E005C71A4(void* __edx, short* _a4, int _a8, intOrPtr _a12, char* _a16, char _a20) {
				void* __edi;
				void* __esi;
				char _t35;
				int _t36;
				char _t37;
				char _t40;
				signed int _t46;
				void* _t48;
				void* _t49;
				char _t54;
				void* _t56;
				void* _t60;
				char _t63;
				signed short* _t64;
				short* _t66;
				char _t67;
				char* _t79;
				void* _t80;
				char _t81;
				char* _t82;

				_t78 = __edx;
				_t79 = _a8;
				if(_t79 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t79 != 0) {
						_t35 = _a20;
						__eflags = _t35;
						if(__eflags != 0) {
							_t81 =  *_t35;
							_t36 =  *((intOrPtr*)(_t35 + 4));
						} else {
							_t81 =  *(E00572FF3(__edx, _t79, _t80, __eflags) + 8);
							_t36 = E00572FA7(__edx, _t79, _t81, __eflags);
						}
						_a8 = _t36;
						__eflags = _t81;
						if(_t81 != 0) {
							_t37 = E005C70B6(_a8);
							_t82 = _a16;
							__eflags =  *_t82;
							_t67 = _t37;
							if( *_t82 == 0) {
								__eflags = _t67;
								if(__eflags != 0) {
									_t40 =  *( *((intOrPtr*)(_t67 + 4)) + ( *_t79 & 0x000000ff) + 0x1d) & 4;
									__eflags = _t40;
								} else {
									_t40 =  *(E00588226(_t78, _t82, __eflags) + ( *_t79 & 0x000000ff) * 2) & 0x8000;
								}
								__eflags = _t40;
								if(_t40 == 0) {
									__eflags = _a4;
									__eflags = MultiByteToWideChar(_a8, 9, _t79, 1, _a4, 0 | _a4 != 0x00000000);
									if(__eflags != 0) {
										goto L13;
									}
									goto L20;
								} else {
									_t48 = E00572F8B(_t78, _t79, _t82, _t67);
									__eflags = _a12 - _t48;
									if(_a12 >= _t48) {
										_t49 = E00572F8B(_t78, _t79, _t82, _t67);
										__eflags = _t49 - 1;
										if(_t49 <= 1) {
											L29:
											__eflags = _t79[1];
											if(_t79[1] != 0) {
												L18:
												return E00572F8B(_t78, _t79, _t82, _t67);
											}
											L19:
											 *_t82 =  *_t82 & 0x00000000;
											__eflags =  *_t82;
											L20:
											_t46 = E00576A0A(__eflags);
											 *_t46 = 0x2a;
											return _t46 | 0xffffffff;
										}
										__eflags = _a4;
										_t54 = MultiByteToWideChar(_a8, 9, _t79, E00572F8B(_t78, _t79, _t82, _t67), _a4, 0 | _a4 != 0x00000000);
										__eflags = _t54;
										if(_t54 != 0) {
											goto L18;
										}
										goto L29;
									}
									 *_t82 =  *_t79;
									_t56 = 0xfffffffe;
									return _t56;
								}
							}
							_t82[1] =  *_t79;
							_t60 = E00572F8B(_t78, _t79, _t82, _t67);
							__eflags = _t60 - 1;
							if(_t60 <= 1) {
								goto L19;
							}
							__eflags = _a4;
							_t63 = MultiByteToWideChar(_a8, 9, _t82, 2, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t63;
							if(_t63 == 0) {
								goto L19;
							}
							 *_t82 =  *_t82 & 0x00000000;
							__eflags =  *_t82;
							goto L18;
						} else {
							_t64 = _a4;
							__eflags = _t64;
							if(_t64 != 0) {
								 *_t64 =  *_t79 & 0x000000ff;
							}
							L13:
							return 1;
						}
					} else {
						_t66 = _a4;
						if(_t66 != 0) {
							 *_t66 = 0;
						}
						goto L5;
					}
				}
			}

0x005c71a4
0x005c71ac
0x005c71b1
0x005c71ca
0x00000000
0x005c71b9
0x005c71bc
0x005c71d1
0x005c71d4
0x005c71d6
0x005c71e7
0x005c71e9
0x005c71d8
0x005c71dd
0x005c71e0
0x005c71e0
0x005c71ec
0x005c71ef
0x005c71f1
0x005c7209
0x005c720e
0x005c7211
0x005c7215
0x005c7217
0x005c726d
0x005c726f
0x005c728f
0x005c728f
0x005c7271
0x005c727d
0x005c727d
0x005c7292
0x005c7294
0x005c72f3
0x005c730b
0x005c730d
0x00000000
0x00000000
0x00000000
0x005c7296
0x005c7297
0x005c729d
0x005c72a0
0x005c72af
0x005c72b4
0x005c72b8
0x005c72e2
0x005c72e2
0x005c72e6
0x005c724b
0x00000000
0x005c7251
0x005c7257
0x005c7257
0x005c7257
0x005c725a
0x005c725a
0x005c725f
0x00000000
0x005c7265
0x005c72bc
0x005c72d4
0x005c72da
0x005c72dc
0x00000000
0x00000000
0x00000000
0x005c72dc
0x005c72a6
0x005c72a8
0x00000000
0x005c72a8
0x005c7294
0x005c721c
0x005c721f
0x005c7224
0x005c7228
0x00000000
0x00000000
0x005c722c
0x005c723e
0x005c7244
0x005c7246
0x00000000
0x00000000
0x005c7248
0x005c7248
0x00000000
0x005c71f3
0x005c71f3
0x005c71f6
0x005c71f8
0x005c71fe
0x005c71fe
0x005c7201
0x00000000
0x005c7203
0x005c71be
0x005c71be
0x005c71c3
0x005c71c7
0x005c71c7
0x00000000
0x005c71c3
0x005c71bc

APIs

____lc_handle_func.LIBCMT ref: 005C71D8
____lc_codepage_func.LIBCMT ref: 005C71E0
__GetLocaleForCP.LIBCPMT ref: 005C7209
____mb_cur_max_l_func.LIBCMT ref: 005C721F
MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000002,?,00000000,00000000,00000001,?,00000000,00412868,00000000,?,?,?,?), ref: 005C723E
____mb_cur_max_l_func.LIBCMT ref: 005C724C
___pctype_func.LIBCMT ref: 005C7271
____mb_cur_max_l_func.LIBCMT ref: 005C7297
____mb_cur_max_l_func.LIBCMT ref: 005C72AF
____mb_cur_max_l_func.LIBCMT ref: 005C72C7
MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,?,00000000,00000000,00000001,?,00000000,00412868,00000000,?,?,?,?), ref: 005C72D4
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,00000000,00000001,?,00000000,00412868,00000000,?,?,?,?), ref: 005C7305

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: ____mb_cur_max_l_func$ByteCharMultiWide$Locale____lc_codepage_func____lc_handle_func___pctype_func
String ID:
API String ID: 3819326198-0
Opcode ID: 01c7ab3aec0e9538e867dc0f42df562bb6773138ae8484cb9ebf670d90b4e1cc
Instruction ID: 63a185782f9dd89e30675026aa8b024016f899c48bb413d969a3c6b9117cbe48
Opcode Fuzzy Hash: 01c7ab3aec0e9538e867dc0f42df562bb6773138ae8484cb9ebf670d90b4e1cc
Instruction Fuzzy Hash: 5541C23510824AAEDB215FB0DC45F6A7FA8BF49351F28842DF855CA592E734C990EF60

Uniqueness

Uniqueness Score: -1.00%

Function 00533540, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 160
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00533540(WCHAR* _a4, signed int* _a8) {
				intOrPtr _v4;
				char _v12;
				struct HINSTANCE__* _v16;
				char _v20;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t23;
				WCHAR* _t26;
				void* _t29;
				signed int _t30;
				void* _t35;
				void* _t41;
				void* _t45;
				struct HINSTANCE__* _t47;
				signed int _t55;
				intOrPtr* _t60;
				short _t63;
				signed int _t76;
				WCHAR* _t82;
				signed int* _t86;
				short _t90;
				signed int _t93;

				_push(0xffffffff);
				_push(0x720620);
				_push( *[fs:0x0]);
				_t23 =  *0x877864; // 0xf691760e
				_push(_t23 ^ _t93);
				 *[fs:0x0] =  &_v12;
				_t82 = _a4;
				_t26 = _t82;
				_t90 = 0;
				_t80 =  &(_t26[1]);
				do {
					_t63 =  *_t26;
					_t26 =  &(_t26[1]);
				} while (_t63 != 0);
				if(_t26 - _t80 >> 1 >= 2) {
					_t29 = E005319A0();
					_t86 = _a8;
					if(_t29 == 0) {
						L11:
						_t30 = _t82[1] & 0x0000ffff;
						if(_t30 != 0x3a) {
							goto L14;
						} else {
							E00405FC0(_t86, _t86, _t82);
							_t45 = E0040BAD0( &_v20, 2);
							_v16 = 0;
							_push(_t45);
							E00405030(_t86);
							goto L20;
						}
					} else {
						_t47 = LoadLibraryW(L"kernel32.dll");
						_v16 = _t47;
						_t60 = GetProcAddress(_t47, "GetVolumePathNameW");
						if(_t60 == 0) {
							L10:
							FreeLibrary(_v16);
							if(_t90 == 0) {
								goto L11;
							}
						} else {
							 *_t60(_t82, E00404290(_t86, GetFullPathNameW(_t82, 0, 0, 0) + 1), GetFullPathNameW(_t82, 0, 0, 0) + 1);
							_t55 =  *_t86;
							_t76 =  *(_t55 - 8);
							if(_t55 == 0) {
								L8:
								_t76 =  *_t86;
								if(_t55 >  *((intOrPtr*)(_t76 - 8))) {
									goto L13;
								} else {
									 *(_t76 - 0xc) = _t55;
									_t80 = 0;
									 *((short*)( *_t86 + _t55 * 2)) = 0;
									E00533130(_t86);
									_t93 = _t93 + 4;
									_t90 = 1;
									goto L10;
								}
							} else {
								_t55 = E0057078F(_t55, _t76);
								_t93 = _t93 + 8;
								if(_t55 < 0) {
									L13:
									_push(0x80070057);
									_t30 = E00401460(_t76, _t82, _t86, _t90);
									L14:
									if(_t30 == 0x5c) {
										E00405FC0(_t86, _t86, _t82);
										_t33 =  *_t86;
										if( *((intOrPtr*)( *_t86 - 0xc)) > 2) {
											_t35 = E00570BC8(_t33 + 4, 0x5c);
											_t93 = _t93 + 8;
											if(_t35 != 0) {
												_t37 = _t35 -  *_t86 >> 1;
												if(_t35 -  *_t86 >> 1 != 0xffffffff) {
													if(E0040B320(_t86, 0x5c, _t37 + 1) != 0xffffffff) {
														_t80 =  &_v16;
														_t41 = E0040BAD0( &_v16, _t39);
														_v12 = 1;
														E00405A10(_t86, _t41);
														L20:
														_v4 = 0xffffffff;
														E004036F0(_t80);
													}
													E00533130(_t86);
													_t90 = 1;
													_t93 = _t93 + 4;
												}
											}
										}
									}
								} else {
									goto L8;
								}
							}
						}
					}
					 *[fs:0x0] = _v12;
					return _t90;
				} else {
					SetLastError(0x57);
					 *[fs:0x0] = _v12;
					return 0;
				}
			}

0x00533540
0x00533542
0x0053354d
0x00533553
0x0053355a
0x0053355f
0x00533565
0x00533569
0x0053356b
0x0053356d
0x00533570
0x00533570
0x00533573
0x00533576
0x00533582
0x005335a2
0x005335a7
0x005335ad
0x00533639
0x00533639
0x00533641
0x00000000
0x00533643
0x00533646
0x00533654
0x00533659
0x00533661
0x00533664
0x00000000
0x00533664
0x005335b3
0x005335b8
0x005335c4
0x005335ce
0x005335d2
0x00533626
0x0053362b
0x00533633
0x00000000
0x00000000
0x005335d4
0x005335ed
0x005335ef
0x005335f1
0x005335f6
0x00533606
0x00533606
0x0053360b
0x00000000
0x0053360d
0x0053360d
0x00533612
0x00533615
0x00533619
0x0053361e
0x00533621
0x00000000
0x00533621
0x005335f8
0x005335fa
0x005335ff
0x00533604
0x0053366b
0x0053366b
0x00533670
0x00533675
0x00533679
0x0053367e
0x00533683
0x00533689
0x00533691
0x00533696
0x0053369b
0x0053369f
0x005336a4
0x005336b4
0x005336b7
0x005336be
0x005336c3
0x005336ce
0x005336d3
0x005336d3
0x005336df
0x005336df
0x005336e5
0x005336ea
0x005336ef
0x005336ef
0x005336a4
0x0053369b
0x00533689
0x00000000
0x00000000
0x00000000
0x00533604
0x005335f6
0x005335d2
0x005336f8
0x00533707
0x00533584
0x00533586
0x00533592
0x005335a1
0x005335a1

APIs

SetLastError.KERNEL32(00000057,F691760E,?,?,?,00000001,?,?,00720620,000000FF,0040D104,?,?), ref: 00533586

Part of subcall function 005319A0: GetVersionExW.KERNEL32 ref: 005319C0

LoadLibraryW.KERNEL32(kernel32.dll,F691760E,?,?,?,00000001,?,?,00720620,000000FF,0040D104,?,?), ref: 005335B8
GetProcAddress.KERNEL32(00000000,GetVolumePathNameW), ref: 005335C8
GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,00000001,?,?,00720620,000000FF,0040D104,?,?), ref: 005335DB
_wcsnlen.LIBCMT ref: 005335FA
FreeLibrary.KERNEL32(00720620,?,00000001,?,?,00720620,000000FF,0040D104,?,?), ref: 0053362B
_wcschr.LIBCMT ref: 00533691

Strings

kernel32.dll, xrefs: 005335B3
GetVolumePathNameW, xrefs: 005335BE

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Library$AddressErrorFreeFullLastLoadNamePathProcVersion_wcschr_wcsnlen
String ID: GetVolumePathNameW$kernel32.dll
API String ID: 2092321551-2075486213
Opcode ID: cc0bf5fb6a13e377f3fc3cbf9b977d6672e4f5e7cf30f79dd2936b2c8335fa69
Instruction ID: a69755ddce1d61bc36a7aec9f2fc601b1e28c8ffe443c964a7c5ae284a156086
Opcode Fuzzy Hash: cc0bf5fb6a13e377f3fc3cbf9b977d6672e4f5e7cf30f79dd2936b2c8335fa69
Instruction Fuzzy Hash: AF412671600601AFD710AF25DC46B2B7BD8FB84764F40052DF546D33D1DB79AA058BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040CA80, Relevance: 15.2, APIs: 10, Instructions: 167
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040CA80(void* __ebx, void* __ecx, void* __eflags) {
				char _v4;
				char _v12;
				char _v16;
				WCHAR* _v20;
				WCHAR* _v24;
				long _v28;
				WCHAR* _v32;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t69;
				void* _t86;
				signed int _t92;
				signed int _t95;
				WCHAR* _t100;
				void* _t105;
				signed int _t107;
				WCHAR* _t140;
				long _t143;
				void* _t146;
				long _t148;
				intOrPtr _t150;
				void* _t152;
				signed int _t153;

				_t112 = __ebx;
				_push(0xffffffff);
				_push(0x6f0a50);
				_push( *[fs:0x0]);
				_t153 = _t152 - 0x10;
				_push(_t150);
				_push(_t148);
				_t69 =  *0x877864; // 0xf691760e
				_push(_t69 ^ _t153);
				 *[fs:0x0] =  &_v12;
				_t146 = __ecx;
				E00403680();
				_v4 = 0;
				E00403680();
				_v4 = 1;
				E00403680();
				_v4 = 2;
				E00403680();
				_v4 = 3;
				E0040C900(__ebx, __ecx, _t150,  &_v28);
				EnableWindow(GetDlgItem( *(_t146 + 0x98), 1),  *(_v32 - 0xc));
				if( *(_v32 - 0xc) != 0) {
					_t140 = _v20;
					if(( *((intOrPtr*)(_t140 - 8)) - 0x00000104 | 0x00000001 -  *((intOrPtr*)(_t140 - 4))) < 0) {
						_push(0x104);
						E00402E90(__ebx,  &_v20);
						_t140 = _v24;
					}
					GetCurrentDirectoryW(0x104, _t140);
					_t129 =  *((intOrPtr*)(_v20 - 8));
					_t92 = E0057078F(_v20,  *((intOrPtr*)(_v20 - 8)));
					_t153 = _t153 + 8;
					if(_t92 < 0) {
						L12:
						_push(0x80070057);
						E00401460(_t129, _t146, _t148, _t150);
						goto L13;
					} else {
						_t129 = _v20;
						if(_t92 >  *((intOrPtr*)(_t129 - 8))) {
							goto L12;
						} else {
							 *(_t129 - 0xc) = _t92;
							_v20[_t92] = 0;
							E0040BA40(_t112, _t146, _t150,  &_v16);
							_t100 = _v20;
							if( *((intOrPtr*)(_t100 - 0xc)) != 0) {
								_t150 =  *0x7492d4;
								SetCurrentDirectoryW(_t100);
								_t143 = _v24;
								_t148 = _v28;
								_t134 = 1 -  *((intOrPtr*)(_t143 - 4));
								if(( *((intOrPtr*)(_t143 - 8)) - 0x00000104 | 0x00000001) < 0) {
									_push(0x104);
									_t134 =  &_v24;
									E00402E90(_t112,  &_v24);
									_t143 = _v28;
								}
								_t105 = E00570E56(_t134, _t143, _t143, _t148, 0x104);
								_t153 = _t153 + 0xc;
								if(_t105 == 0) {
									L13:
									_t129 =  *((intOrPtr*)(_v32 - 8));
									_t95 = E0057078F(_v32,  *((intOrPtr*)(_v32 - 8)));
									_t153 = _t153 + 8;
									if(_t95 < 0) {
										goto L12;
									}
									_t129 = _v32;
									if(_t95 >  *((intOrPtr*)(_t129 - 8))) {
										goto L12;
									}
									 *(_t129 - 0xc) = _t95;
									 *((short*)(_v32 + _t95 * 2)) = 0;
								} else {
									_t129 =  *((intOrPtr*)(_v24 - 8));
									_t107 = E0057078F(_v24,  *((intOrPtr*)(_v24 - 8)));
									_t153 = _t153 + 8;
									if(_t107 < 0) {
										goto L12;
									} else {
										_t129 = _v24;
										if(_t107 >  *((intOrPtr*)(_t129 - 8))) {
											goto L12;
										} else {
											 *(_t129 - 0xc) = _t107;
											_v24[_t107] = 0;
											_push( &_v24);
											E00405030( &_v28);
										}
									}
								}
								SetCurrentDirectoryW(_v24);
							}
						}
					}
				}
				_t139 =  *(_t146 + 0x98);
				SendMessageW( *(_t146 + 0x98), 0x468, 0x480, _v28);
				_v4 = 2;
				E004036F0( *(_t146 + 0x98));
				_v4 = 1;
				E004036F0( *(_t146 + 0x98));
				_v4 = 0;
				E004036F0( *(_t146 + 0x98));
				_v4 = 0xffffffff;
				_t86 = E004036F0(_t139);
				 *[fs:0x0] = _v12;
				return _t86;
			}

0x0040ca80
0x0040ca80
0x0040ca82
0x0040ca8d
0x0040ca8e
0x0040ca91
0x0040ca92
0x0040ca94
0x0040ca9b
0x0040caa0
0x0040caa6
0x0040caac
0x0040cab1
0x0040cabd
0x0040cac2
0x0040cacb
0x0040cad0
0x0040cad9
0x0040cade
0x0040caea
0x0040cb07
0x0040cb15
0x0040cb1b
0x0040cb31
0x0040cb33
0x0040cb3c
0x0040cb41
0x0040cb41
0x0040cb4b
0x0040cb55
0x0040cb5a
0x0040cb5f
0x0040cb64
0x0040cc23
0x0040cc23
0x0040cc28
0x00000000
0x0040cb6a
0x0040cb6a
0x0040cb71
0x00000000
0x0040cb77
0x0040cb77
0x0040cb80
0x0040cb8b
0x0040cb90
0x0040cb98
0x0040cb9e
0x0040cba5
0x0040cba7
0x0040cbae
0x0040cbb7
0x0040cbc1
0x0040cbc3
0x0040cbc8
0x0040cbcc
0x0040cbd1
0x0040cbd1
0x0040cbdc
0x0040cbe1
0x0040cbe6
0x0040cc2d
0x0040cc31
0x0040cc36
0x0040cc3b
0x0040cc40
0x00000000
0x00000000
0x0040cc42
0x0040cc49
0x00000000
0x00000000
0x0040cc4b
0x0040cc54
0x0040cbe8
0x0040cbec
0x0040cbf1
0x0040cbf6
0x0040cbfb
0x00000000
0x0040cbfd
0x0040cbfd
0x0040cc04
0x00000000
0x0040cc06
0x0040cc06
0x0040cc0f
0x0040cc17
0x0040cc1c
0x0040cc1c
0x0040cc04
0x0040cbfb
0x0040cc5d
0x0040cc5d
0x0040cb98
0x0040cb71
0x0040cb64
0x0040cc63
0x0040cc75
0x0040cc7b
0x0040cc84
0x0040cc89
0x0040cc92
0x0040cc97
0x0040cca0
0x0040cca5
0x0040ccb1
0x0040ccba
0x0040ccc8

APIs

Part of subcall function 0040C900: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 0040C913

GetDlgItem.USER32(?,00000001), ref: 0040CB00
EnableWindow.USER32(00000000), ref: 0040CB07
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040CB4B
_wcsnlen.LIBCMT ref: 0040CB5A
SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000,006F0A50,000000FF,0040D9AF,?,?,?,00000000,006F0D58,000000FF), ref: 0040CBA5
__wfullpath.LIBCMT ref: 0040CBDC
_wcsnlen.LIBCMT ref: 0040CBF1
SetCurrentDirectoryW.KERNEL32(?,?,80070057,?,?,00000000,006F0A50,000000FF,0040D9AF,?,?,?,00000000,006F0D58,000000FF), ref: 0040CC5D

Part of subcall function 00401460: _memcpy_s.LIBCMT ref: 0040149A

_wcsnlen.LIBCMT ref: 0040CC36
SendMessageW.USER32(?,00000468,00000480,F691760E), ref: 0040CC75

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: CurrentDirectory_wcsnlen$MessageSend$EnableItemWindow__wfullpath_memcpy_s
String ID:
API String ID: 3662525890-0
Opcode ID: 897ec6eceec4752832e1c74955aa61eb9dd54b2f9a2ef8bdaeb19da222597cd5
Instruction ID: 6c48640f7c8e3a59b24785c511446392cdbd0bab8dc2b16245f8f33a0bc41396
Opcode Fuzzy Hash: 897ec6eceec4752832e1c74955aa61eb9dd54b2f9a2ef8bdaeb19da222597cd5
Instruction Fuzzy Hash: C5616B701083419FD304EF24D889A6BBBE9FF94304F044A2DF595972E1DB79A948CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00582363, Relevance: 15.1, APIs: 10, Instructions: 95
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00582363(void* __ebx, intOrPtr _a4, intOrPtr _a8) {
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t13;
				intOrPtr _t14;
				intOrPtr _t17;
				void* _t43;
				intOrPtr* _t51;

				if(_a4 > 5 || _a8 == 0) {
					L4:
					return 0;
				} else {
					_t51 = E0058123E(8, 1);
					_t57 = _t51;
					if(_t51 != 0) {
						_t13 = E0058123E(0xd8, 1);
						 *_t51 = _t13;
						__eflags = _t13;
						if(__eflags != 0) {
							_t14 = E0058123E(0x220, 1);
							 *((intOrPtr*)(_t51 + 4)) = _t14;
							__eflags = _t14;
							if(__eflags != 0) {
								E005815A7( *_t51, 0x878148);
								_t48 =  *_t51;
								_t17 = E00582148(_a8,  *_t51, _a4);
								_pop(_t43);
								__eflags = _t17;
								if(__eflags != 0) {
									__eflags = E00575546(_t43, _t48, __eflags,  *((intOrPtr*)( *_t51 + 4)),  *((intOrPtr*)(_t51 + 4)));
									if(__eflags == 0) {
										 *((intOrPtr*)( *((intOrPtr*)(_t51 + 4)))) = 1;
										 *((intOrPtr*)( *((intOrPtr*)(_t51 + 4)))) = 1;
										L17:
										return _t51;
									}
									_push( *((intOrPtr*)(_t51 + 4)));
									E00572061(__ebx, 1, _t51, __eflags);
									E0058150E( *_t51);
									E00581336( *_t51);
									_push(_t51);
									E00572061(__ebx, 1, _t51, __eflags);
									L15:
									_t51 = 0;
									goto L17;
								}
								E0058150E( *_t51);
								E00581336( *_t51);
								_push(_t51);
								E00572061(__ebx, 1, _t51, __eflags);
								goto L15;
							}
							_push( *_t51);
							E00572061(__ebx, 1, _t51, __eflags);
							_push(_t51);
							E00572061(__ebx, 1, _t51, __eflags);
							L8:
							goto L3;
						}
						_push(_t51);
						E00572061(__ebx, 1, _t51, __eflags);
						goto L8;
					}
					L3:
					 *((intOrPtr*)(E00576A0A(_t57))) = 0xc;
					goto L4;
				}
			}

0x0058236e
0x00582394
0x00000000
0x00582376
0x00582381
0x00582385
0x00582387
0x005823a0
0x005823a7
0x005823a9
0x005823ab
0x005823bc
0x005823c3
0x005823c6
0x005823c8
0x005823e1
0x005823ec
0x005823ee
0x005823f3
0x005823f4
0x005823f6
0x00582420
0x00582422
0x0058244a
0x0058244f
0x00582451
0x00000000
0x00582451
0x00582424
0x00582427
0x0058242e
0x00582435
0x0058243a
0x0058243b
0x00582443
0x00582443
0x00000000
0x00582443
0x005823fa
0x00582401
0x00582406
0x00582407
0x00000000
0x0058240c
0x005823ca
0x005823cc
0x005823d1
0x005823d2
0x005823b3
0x00000000
0x005823b3
0x005823ad
0x005823ae
0x00000000
0x005823ae
0x00582389
0x0058238e
0x00000000
0x0058238e

APIs

__calloc_crt.LIBCMT ref: 0058237C

Part of subcall function 0058123E: __calloc_impl.LIBCMT ref: 0058124F
Part of subcall function 0058123E: Sleep.KERNEL32(00000000,?,00402F93,?), ref: 00581266

__calloc_crt.LIBCMT ref: 005823A0
__calloc_crt.LIBCMT ref: 005823BC
__copytlocinfo_nolock.LIBCMT ref: 005823E1
__setlocale_nolock.LIBCMT ref: 005823EE
___removelocaleref.LIBCMT ref: 005823FA
___freetlocinfo.LIBCMT ref: 00582401
__setmbcp_nolock.LIBCMT ref: 00582419
___removelocaleref.LIBCMT ref: 0058242E
___freetlocinfo.LIBCMT ref: 00582435

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: __calloc_crt$___freetlocinfo___removelocaleref$Sleep__calloc_impl__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 2969281212-0
Opcode ID: 66c270b48f1ad02ff8b4fd5ba34e2aacbeb88fa53e54423730d9d737226411fb
Instruction ID: 4eaf9ecb12bdcf93d4ffa556f8a5477fdecb72637cba27c86495a113768fda8f
Opcode Fuzzy Hash: 66c270b48f1ad02ff8b4fd5ba34e2aacbeb88fa53e54423730d9d737226411fb
Instruction Fuzzy Hash: E6217435104902DBE7317F65E81A91ABFD5FFC1750F20C819FC89A6261EE319941DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00538CF9, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00538CF9(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
				void _v20;
				int _t15;
				int _t19;
				intOrPtr* _t27;
				int _t31;
				struct tagMONITORINFO* _t37;
				intOrPtr _t40;

				if(E00538A8B() == 0) {
					if(_a4 != 0x12340042) {
						L13:
						_t15 = 0;
						L14:
						return _t15;
					}
					_t27 = _a8;
					if(_t27 == 0 ||  *_t27 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L13;
					} else {
						 *((intOrPtr*)(_t27 + 4)) = 0;
						 *((intOrPtr*)(_t27 + 8)) = 0;
						 *((intOrPtr*)(_t27 + 0xc)) = GetSystemMetrics(0);
						_t19 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t27 + 0x10) = _t19;
						 *((intOrPtr*)(_t27 + 0x24)) = 1;
						if( *_t27 >= 0x68) {
							MultiByteToWideChar(0, 0, "DISPLAY", 0xffffffff, _t27 + 0x28, 0x20);
						}
						_t15 = 1;
						goto L14;
					}
				}
				_t37 = _a8;
				_t31 = GetMonitorInfoW(_a4, _t37);
				if(_t31 != 0) {
					_t40 =  *0x8a95f8; // 0x1
					if(_t40 == 0 && _t37->cbSize >= 0x68) {
						_t3 = _t37 + 0x28; // 0x28
						MultiByteToWideChar(0, 0, _t3, 0xffffffff, _t3, 0x20);
					}
				}
				return _t31;
			}

0x00538d0a
0x00538d4b
0x00538db6
0x00538db6
0x00538db8
0x00000000
0x00538db8
0x00538d4d
0x00538d54
0x00000000
0x00538d6d
0x00538d6d
0x00538d70
0x00538d7e
0x00538d81
0x00538d89
0x00538d8a
0x00538d8b
0x00538d8c
0x00538d93
0x00538d96
0x00538d99
0x00538dac
0x00538dac
0x00538db2
0x00000000
0x00538db2
0x00538d54
0x00538d0c
0x00538d19
0x00538d1f
0x00538d21
0x00538d27
0x00538d30
0x00538d39
0x00538d39
0x00538d27
0x00000000

APIs

GetMonitorInfoW.USER32(00000002,00000000), ref: 00538D13
MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 00538D39
SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 00538D63
GetSystemMetrics.USER32(00000000), ref: 00538D7A
GetSystemMetrics.USER32(00000001), ref: 00538D81
MultiByteToWideChar.KERNEL32(00000000,00000000,DISPLAY,000000FF,-00000028,00000020), ref: 00538DAC

Strings

DISPLAY, xrefs: 00538DA3
B, xrefs: 00538D43

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: System$ByteCharInfoMetricsMultiWide$MonitorParameters
String ID: B$DISPLAY
API String ID: 3432410572-3316187204
Opcode ID: 7a1f13bc9b67c5b54ac3e6beac04c3f91529169bd6528df4aee3a9c6eba4e6be
Instruction ID: cc0f50ea430b6f125b61d7126276e02b0144e6840bea603858b4ecc545ad6cfc
Opcode Fuzzy Hash: 7a1f13bc9b67c5b54ac3e6beac04c3f91529169bd6528df4aee3a9c6eba4e6be
Instruction Fuzzy Hash: 7C21F571600320ABDF2A8F249C85ABB7FA8FB16760F144916FD15AF1C5DBB0D840CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00550D6E, Relevance: 13.6, APIs: 9, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00550D6E(void* __ebx, long* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t37;
				void* _t41;
				long _t43;
				void* _t44;
				void* _t49;
				long _t51;
				void* _t57;
				signed int _t59;
				long* _t66;
				long* _t68;
				void* _t69;
				void* _t70;

				E00576795(0x7228c3, __ebx, __edi, __esi);
				_t66 = __ecx;
				 *((intOrPtr*)(_t70 - 0x18)) = __ecx;
				_t68 =  &(__ecx[7]);
				 *(_t70 - 0x14) = _t68;
				 *0x7493b8(_t68, 0x10);
				_t37 =  *(_t70 + 8);
				if(_t37 <= 0 || _t37 >= __ecx[3]) {
					_push(_t68);
				} else {
					_t69 = TlsGetValue( *__ecx);
					if(_t69 == 0) {
						 *(_t70 - 4) = 0;
						_t41 = E00550946(0x10);
						__eflags = _t41;
						if(_t41 == 0) {
							_t69 = 0;
							__eflags = 0;
						} else {
							 *_t41 = 0x76b5d8;
							_t69 = _t41;
						}
						 *(_t70 - 4) =  *(_t70 - 4) | 0xffffffff;
						 *(_t69 + 8) = 0;
						 *(_t69 + 0xc) = 0;
						E00550AE9( &(_t66[5]), _t69);
						goto L5;
					} else {
						_t59 =  *(_t70 + 8);
						if(_t59 >=  *(_t69 + 8) &&  *((intOrPtr*)(_t70 + 0xc)) != 0) {
							L5:
							if( *(_t69 + 0xc) != 0) {
								_t43 = E0051D870(_t66[3], 4);
								_t57 = 2;
								_t44 = LocalReAlloc( *(_t69 + 0xc), _t43, ??);
							} else {
								_t51 = E0051D870(_t66[3], 4);
								_pop(_t57);
								_t44 = LocalAlloc(0, _t51);
							}
							_t80 = _t44;
							if(_t44 == 0) {
								 *0x7493b0( *(_t70 - 0x14));
								_t44 = E0053724F(0, _t57, _t66, _t69, _t80);
							}
							 *(_t69 + 0xc) = _t44;
							E00570A10(_t66, _t44 +  *(_t69 + 8) * 4, 0, _t66[3] -  *(_t69 + 8) << 2);
							 *(_t69 + 8) = _t66[3];
							TlsSetValue( *_t66, _t69);
							_t59 =  *(_t70 + 8);
						}
					}
					_t49 =  *(_t69 + 0xc);
					if(_t49 != 0 && _t59 <  *(_t69 + 8)) {
						 *((intOrPtr*)(_t49 + _t59 * 4)) =  *((intOrPtr*)(_t70 + 0xc));
					}
					_push( *(_t70 - 0x14));
				}
				return E0057683A( *0x7493b0());
			}

0x00550d75
0x00550d7a
0x00550d7c
0x00550d7f
0x00550d83
0x00550d86
0x00550d8c
0x00550d93
0x00550e94
0x00550da2
0x00550daa
0x00550dae
0x00550de2
0x00550de5
0x00550dea
0x00550dec
0x00550df8
0x00550df8
0x00550dee
0x00550dee
0x00550df4
0x00550df4
0x00550dfa
0x00550e02
0x00550e05
0x00550e08
0x00000000
0x00550db0
0x00550db0
0x00550db6
0x00550dc5
0x00550dc8
0x00550e2c
0x00550e32
0x00550e37
0x00550dca
0x00550dcf
0x00550dd5
0x00550dd8
0x00550dd8
0x00550e3d
0x00550e3f
0x00550e44
0x00550e4a
0x00550e4a
0x00550e52
0x00550e63
0x00550e6f
0x00550e74
0x00550e7a
0x00550e7a
0x00550db6
0x00550e7d
0x00550e82
0x00550e8c
0x00550e8c
0x00550e8f
0x00550e8f
0x00550ea0

APIs

__EH_prolog3_catch.LIBCMT ref: 00550D75
RtlEnterCriticalSection.NTDLL(?), ref: 00550D86
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,00545D0C,005372A3,005430AE,00406B82,?,?,?,?,?,006EFC38,000000FF), ref: 00550DA4
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,00545D0C,005372A3,005430AE,00406B82), ref: 00550DD8
RtlLeaveCriticalSection.NTDLL(?), ref: 00550E44
_memset.LIBCMT ref: 00550E63
TlsSetValue.KERNEL32(?,00000000), ref: 00550E74
RtlLeaveCriticalSection.NTDLL(?), ref: 00550E95

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: 8b874b829da3aaf0c95393e926dc9c313844600bf28bc9fa37826b55c641d81c
Instruction ID: 4f8ae9190ba3110e44eb8a3408e9b89911ea5deb40e79d8268b9f224781ddec2
Opcode Fuzzy Hash: 8b874b829da3aaf0c95393e926dc9c313844600bf28bc9fa37826b55c641d81c
Instruction Fuzzy Hash: A731B275400606AFCB10AF50D89AC6ABFB5FF41311B20D92AF916A75A5CB30AD54CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00628230, Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 301
fileCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00628230(void* __ebp, long long __fp0, intOrPtr* _a4, void* _a8, signed int _a12, char _a16, char _a20) {
				char _v0;
				struct _OVERLAPPED* _v8;
				char _v12;
				signed int _v16;
				char _v20;
				signed int _v24;
				char _v84;
				char _v128;
				int _v136;
				void* _v152;
				char _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				char _v172;
				char _v176;
				void* _v180;
				char _v184;
				intOrPtr _v188;
				char _v192;
				intOrPtr _v196;
				long _v200;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t78;
				signed int _t80;
				intOrPtr _t83;
				int _t88;
				void* _t90;
				int _t97;
				void* _t102;
				int _t105;
				long _t108;
				void* _t110;
				int _t112;
				void* _t114;
				int _t124;
				short* _t125;
				short* _t126;
				short* _t127;
				char* _t129;
				void* _t135;
				void* _t144;
				void* _t145;
				void* _t201;
				int _t202;
				long _t203;
				intOrPtr* _t206;
				void* _t207;
				void* _t211;
				signed int _t212;
				long long* _t214;
				void* _t215;
				intOrPtr _t216;
				char _t217;
				long long _t224;

				_t224 = __fp0;
				_push(0xffffffff);
				_push(0x735a34);
				_push( *[fs:0x0]);
				_t212 = _t211 - 0xac;
				_t78 =  *0x877864; // 0xf691760e
				_v16 = _t78 ^ _t212;
				_t80 =  *0x877864; // 0xf691760e
				_push(_t80 ^ _t212);
				 *[fs:0x0] =  &_v12;
				_t209 = _a12;
				_t144 = _a8;
				_t206 = _a4;
				_v180 = _t144;
				if(_t209 == 0) {
					_t209 =  &_a20;
				}
				_t83 =  *_t206;
				if(_a16 == 0) {
					_push(0);
					L6:
					 *((intOrPtr*)( *((intOrPtr*)(_t83 + 0x94))))();
					L7:
					if( *((intOrPtr*)( *((intOrPtr*)( *_t206 + 0x60))))() != 2) {
						_t88 =  *((intOrPtr*)( *((intOrPtr*)( *_t206 + 0x10))))();
						__eflags = _t88;
						if(_t88 == 0) {
							L47:
							_t90 =  *((intOrPtr*)( *((intOrPtr*)( *_t206 + 0xd4))))();
							 *[fs:0x0] = _v20;
							_t201 = _t144;
							_pop(_t207);
							_pop(_t145);
							return E0056F98F(_t90, _t145, _v24 ^ _t212,  *((intOrPtr*)( *_t206 + 0xd4)), _t201, _t207);
						}
						E00410080();
						_v8 = 0;
						_push(_t209);
						_push(_t144);
						_t202 = E00475130( &_v172);
						__eflags = _t202;
						if(_t202 < 0) {
							E00620000(_t144, _t209, _t224, _t206, L"PrintfV failed while trying to write message to debug log:");
							E00620000(_t144, _t209, _t224, _t206, _t144);
							_t212 = _t212 + 0x20;
							_t135 =  *((intOrPtr*)( *((intOrPtr*)( *_t206 + 0x70))))(_t209, 0, 0, 0);
							__eflags =  *(_t135 + 4);
							if( *(_t135 + 4) == 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *_t206 + 0x74))))(0xfffffff6);
								E0061FFD0(_t202, _t209);
							}
						}
						__eflags = _t202;
						if(_t202 <= 0) {
							L20:
							__eflags = _t202 - 1;
							if(_t202 <= 1) {
								L24:
								__eflags = _t202;
								if(_t202 == 0) {
									L26:
									E00496350( &_v180, 0x74a7dc, 2);
									goto L27;
								}
								_t125 = E0052DE40( &_v180, _t202 - 1);
								__eflags =  *_t125 - 0xa;
								if( *_t125 == 0xa) {
									goto L27;
								}
								goto L26;
							}
							_t28 = _t202 - 2; // -2
							_t126 = E0052DE40( &_v180, _t28);
							__eflags =  *_t126 - 0xd;
							if( *_t126 == 0xd) {
								goto L24;
							}
							_t30 = _t202 - 1; // -1
							_t209 = _t30;
							_t127 = E0052DE40( &_v180, _t30);
							__eflags =  *_t127 - 0xa;
							if( *_t127 != 0xa) {
								goto L24;
							}
							E00622BB0(_t209, 1, 0x74a7dc);
							goto L27;
						} else {
							_t20 = _t202 - 1; // -1
							_t209 = _t20;
							__eflags = _t209 - _v160;
							if(_t209 > _v160) {
								E005709F4();
							}
							_t129 = _v176;
							__eflags = _v156 - 8;
							if(_v156 < 8) {
								_t129 =  &_v176;
							}
							__eflags =  *((short*)(_t129 + _t209 * 2)) - 0xd;
							if( *((short*)(_t129 + _t209 * 2)) != 0xd) {
								goto L20;
							} else {
								E00496560(0x74ac3c);
								L27:
								E00410080();
								_v16 = 1;
								_t97 =  *((intOrPtr*)( *((intOrPtr*)( *_t206 + 0x48))))();
								__eflags = _t97;
								if(_t97 != 0) {
									L29:
									 *((intOrPtr*)( *((intOrPtr*)( *_t206 + 0x4c))))();
									E0061F4A0(_t206, _t224);
									_t214 = _t212 - 8;
									 *_t214 = _t224;
									E00478010( &_v156, L"[%f] ", 0);
									_t212 = _t214 + 0x10;
									L30:
									__eflags = _v0;
									if(_v0 != 0) {
										E00496350( &_v156, 0x786124, 2);
									}
									__eflags = _v136;
									if(_v136 != 0) {
										_push(0xffffffff);
										_push(0);
										_push( &_v156);
										_push(0);
										E00621D30( &_v184,  &_v156);
									}
									_t102 = _v180;
									_v200 = 0;
									__eflags = _v160 - 8;
									if(_v160 < 8) {
										_t102 =  &_v180;
									}
									_t105 = WriteFile( *((intOrPtr*)( *((intOrPtr*)( *_t206 + 0x10))))(), _t102, _v164 + _v164,  &_v200, 0);
									__eflags = _t105;
									if(_t105 != 0) {
										 *0x8ac5cc = 0;
									} else {
										_t108 = GetLastError();
										_push(0);
										_push(0);
										_t203 = _t108;
										E00620000(8, _t209, _t224, _t206, L"WriteFile failed while trying to write message to debug log:");
										_t110 = _v180;
										_t215 = _t212 + 0x10;
										__eflags = _v160 - 8;
										if(_v160 < 8) {
											_t110 =  &_v180;
										}
										_push(0);
										_push(0);
										E00620000(8, _t209, _t224, _t206, _t110);
										_t212 = _t215 + 0x10;
										_t112 = L0061F380(__eflags);
										__eflags = _t112;
										if(_t112 == 0) {
											__eflags =  *0x8ac5cc - _t112; // 0x0
											if(__eflags == 0) {
												 *0x8ac5cc = 1;
												_t114 =  *((intOrPtr*)( *((intOrPtr*)( *_t206 + 8))))();
												__eflags =  *((intOrPtr*)(_t114 + 0x18)) - 8;
												if( *((intOrPtr*)(_t114 + 0x18)) < 8) {
													_t115 = _t114 + 4;
													__eflags = _t114 + 4;
												} else {
													_t115 =  *(_t114 + 4);
												}
												_t216 = _t212 - 0x1c;
												_v188 = _t216;
												E00622AE0(_t216, 0x2338, _t115);
												_v20 = 2;
												_t217 = _t216 - 0x10;
												_v192 = _t217;
												_push(0x2337);
												_push(_t217);
												E0062A110();
												_v20 = 3;
												_v20 = 1;
												E00624210( &_v128, 0x14, 0xfffffff4);
												_v84 = 4;
												SetLastError(_t203);
												E00628210(L"WriteFile");
												_t212 = _t217 + 0xc;
												_v84 = 1;
												E00624360( &_v192, _t209);
											}
										}
									}
									_v20 = 0;
									E00410010();
									_v20 = 0xffffffff;
									E00410010();
									_t144 = _v196;
									goto L47;
								}
								_t124 =  *((intOrPtr*)( *((intOrPtr*)( *_t206 + 0x50))))();
								__eflags = _t124;
								if(_t124 == 0) {
									goto L30;
								}
								goto L29;
							}
						}
					}
					_push(_a12);
					_push(_t209);
					E00620000(_t144, _t209, _t224, _t206, _t144);
					_t212 = _t212 + 0x10;
					goto L47;
				}
				if( *((intOrPtr*)( *((intOrPtr*)(_t83 + 0x90))))() != 0) {
					goto L7;
				} else {
					_push(0);
					_push(0);
					_push(0x74a56c);
					_push(_t206);
					E00628230(_t209, _t224);
					_t83 =  *_t206;
					_t212 = _t212 + 0x10;
					_push(1);
					goto L6;
				}
			}

0x00628230
0x00628230
0x00628232
0x0062823d
0x0062823e
0x00628244
0x0062824b
0x00628256
0x0062825d
0x00628265
0x0062826b
0x00628272
0x00628279
0x00628280
0x00628286
0x00628288
0x00628288
0x00628297
0x0062829b
0x006282c3
0x006282c5
0x006282cb
0x006282cd
0x006282d9
0x006282fa
0x006282fc
0x006282fe
0x006285ec
0x006285f7
0x00628600
0x00628608
0x00628609
0x0062860b
0x00628620
0x00628620
0x00628308
0x0062830d
0x00628318
0x00628319
0x00628323
0x00628325
0x00628327
0x00628333
0x0062833d
0x00628347
0x0062834c
0x0062834e
0x00628352
0x0062835d
0x00628361
0x00628361
0x00628352
0x0062836b
0x0062836d
0x006283a2
0x006283a2
0x006283a5
0x006283e0
0x006283e0
0x006283e2
0x006283f5
0x00628400
0x00000000
0x00628400
0x006283ea
0x006283ef
0x006283f3
0x00000000
0x00000000
0x00000000
0x006283f3
0x006283a7
0x006283af
0x006283b4
0x006283b8
0x00000000
0x00000000
0x006283ba
0x006283ba
0x006283c2
0x006283c7
0x006283cb
0x00000000
0x00000000
0x006283d9
0x00000000
0x0062836f
0x0062836f
0x0062836f
0x00628372
0x00628376
0x00628378
0x00628378
0x0062837d
0x00628381
0x00628385
0x00628387
0x00628387
0x0062838b
0x00628390
0x00000000
0x00628392
0x0062839b
0x00628405
0x00628409
0x0062840e
0x0062841d
0x0062841f
0x00628421
0x00628430
0x00628439
0x0062843d
0x00628442
0x00628445
0x00628452
0x00628457
0x0062845a
0x0062845a
0x00628462
0x0062846f
0x0062846f
0x00628474
0x00628479
0x0062847b
0x0062847d
0x00628483
0x00628484
0x0062848a
0x0062848a
0x0062848f
0x00628493
0x0062849b
0x0062849f
0x006284a1
0x006284a1
0x006284bf
0x006284c5
0x006284c7
0x006285bc
0x006284cd
0x006284cd
0x006284d3
0x006284d5
0x006284dd
0x006284df
0x006284e4
0x006284e8
0x006284eb
0x006284ef
0x006284f1
0x006284f1
0x006284f5
0x006284f7
0x006284fb
0x00628500
0x00628503
0x00628508
0x0062850a
0x00628510
0x00628516
0x00628523
0x0062852a
0x0062852c
0x0062852f
0x00628536
0x00628536
0x00628531
0x00628531
0x00628531
0x00628539
0x0062853e
0x00628549
0x0062854e
0x00628556
0x0062855b
0x0062855f
0x00628564
0x00628565
0x0062856d
0x00628579
0x00628588
0x0062858d
0x00628596
0x006285a1
0x006285a6
0x006285a9
0x006285b5
0x006285b5
0x00628516
0x0062850a
0x006285c3
0x006285cf
0x006285d4
0x006285e3
0x006285e8
0x00000000
0x006285e8
0x0062842a
0x0062842c
0x0062842e
0x00000000
0x00000000
0x00000000
0x0062842e
0x00628390
0x0062836d
0x006282e2
0x006282e3
0x006282e6
0x006282eb
0x00000000
0x006282eb
0x006282a7
0x00000000
0x006282a9
0x006282a9
0x006282ab
0x006282ad
0x006282b2
0x006282b3
0x006282b8
0x006282ba
0x006282bd
0x00000000
0x006282bf

APIs

Part of subcall function 00475130: _vswprintf_s.LIBCMT ref: 0047517C

WriteFile.KERNEL32(00000000), ref: 006284BF
GetLastError.KERNEL32 ref: 006284CD

Part of subcall function 00620000: _printf.LIBCMT ref: 00620049
Part of subcall function 00620000: _printf.LIBCMT ref: 0062005D
Part of subcall function 00620000: _vwprintf.LIBCMT ref: 0062006B
Part of subcall function 00620000: _printf.LIBCMT ref: 006200A5

SetLastError.KERNEL32(00000000,00000014,000000F4), ref: 00628596

Part of subcall function 0061FFD0: __CxxThrowException@8.LIBCMT ref: 0061FFF9

Strings

PrintfV failed while trying to write message to debug log:, xrefs: 0062832D
WriteFile, xrefs: 0062859C
WriteFile failed while trying to write message to debug log:, xrefs: 006284D7
[%f] , xrefs: 0062844C

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: _printf$ErrorLast$Exception@8FileThrowWrite_vswprintf_s_vwprintf
String ID: PrintfV failed while trying to write message to debug log:$WriteFile$WriteFile failed while trying to write message to debug log:$[%f]
API String ID: 586685956-2798573165
Opcode ID: 855b637fc937aa6c3969c6751f020651f132c6b4b9fcfda6d14ae741e97f2ff6
Instruction ID: 3b5f47af0465b70b68380f3b2ecf034092fdd0f618a6a0d85141306623cfefd5
Opcode Fuzzy Hash: 855b637fc937aa6c3969c6751f020651f132c6b4b9fcfda6d14ae741e97f2ff6
Instruction Fuzzy Hash: DDB1EF30608710AFE720EB18DC81FAAB7E6BF95704F10491CF18557292DB75AA45CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00621F60, Relevance: 12.4, APIs: 8, Instructions: 383
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00621F60() {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t144;
				signed int _t146;
				signed int _t149;
				signed int _t150;
				intOrPtr _t151;
				intOrPtr _t155;
				intOrPtr _t160;
				signed int _t162;
				signed int _t165;
				intOrPtr _t171;
				intOrPtr _t173;
				intOrPtr _t179;
				intOrPtr _t184;
				intOrPtr _t189;
				intOrPtr _t195;
				intOrPtr _t207;
				short* _t208;
				signed int _t212;
				signed int _t215;
				signed int _t216;
				void* _t217;
				signed int _t218;
				signed int _t223;
				signed int _t224;
				signed int _t226;
				signed int _t229;
				signed int _t231;
				signed int _t238;
				signed int _t241;
				signed int _t242;
				signed int _t244;
				signed int _t246;
				signed int _t249;
				intOrPtr _t253;
				intOrPtr _t254;
				signed int _t273;
				signed int _t282;
				intOrPtr _t300;
				signed int _t304;
				signed int _t305;
				signed int _t312;
				void* _t314;
				void* _t315;
				void* _t316;
				void* _t317;

				_t212 =  *(_t315 + 0x14);
				_t312 =  *(_t315 + 0x14);
				_t314 = _t217;
				_t304 =  *(_t315 + 0x24);
				if( *(_t314 + 0x14) < _t312) {
					L2:
					E005C6EBE(_t212, _t304, _t312, _t320);
					L3:
					_t218 =  *(_t314 + 0x14);
					_t253 =  *((intOrPtr*)(_t315 + 0x1c));
					_t144 = _t218 - _t312;
					if(_t144 < _t253) {
						_t253 = _t144;
						 *((intOrPtr*)(_t315 + 0x1c)) = _t253;
					}
					_t146 =  *((intOrPtr*)(_t212 + 0x14)) - _t304;
					_t305 =  *(_t315 + 0x28);
					if(_t146 < _t305) {
						_t305 = _t146;
					}
					_t323 = (_t146 | 0xffffffff) - _t305 - _t218 - _t253;
					if((_t146 | 0xffffffff) - _t305 <= _t218 - _t253) {
						E005C6E86(_t212, _t253, _t305, _t312, _t323);
					}
					_t149 =  *(_t314 + 0x14);
					_t254 =  *((intOrPtr*)(_t315 + 0x1c));
					_t215 = _t149 - _t254 + _t305;
					 *((intOrPtr*)(_t315 + 0x18)) = _t149 - _t312 - _t254;
					 *(_t315 + 0x10) = _t215;
					if(_t149 < _t215) {
						_t325 = _t215 - 0x7ffffffe;
						if(_t215 > 0x7ffffffe) {
							E005C6E86(_t215, _t254, _t305, _t312, _t325);
							_t254 =  *((intOrPtr*)(_t315 + 0x1c));
						}
						_t207 =  *((intOrPtr*)(_t314 + 0x18));
						if(_t207 >= _t215) {
							__eflags = _t215;
							if(_t215 == 0) {
								 *(_t314 + 0x14) = _t215;
								__eflags = _t207 - 8;
								if(_t207 < 8) {
									_t208 = _t314 + 4;
								} else {
									_t208 =  *(_t314 + 4);
								}
								__eflags = 0;
								 *_t208 = 0;
							}
						} else {
							E00403B10(_t314, _t215,  *(_t314 + 0x14));
							_t254 =  *((intOrPtr*)(_t315 + 0x1c));
						}
					}
					_t216 = _t314 + 4;
					if(_t314 ==  *(_t315 + 0x20)) {
						__eflags = _t305 - _t254;
						if(_t305 > _t254) {
							_t223 =  *(_t315 + 0x24);
							__eflags = _t223 - _t312;
							if(_t223 > _t312) {
								_t150 = _t312 + _t254;
								 *(_t315 + 0x20) = _t150;
								__eflags = _t150 - _t223;
								_t151 =  *((intOrPtr*)(_t314 + 0x18));
								if(_t150 > _t223) {
									__eflags = _t151 - 8;
									if(_t151 < 8) {
										_t224 = _t216;
									} else {
										_t224 =  *_t216;
									}
									__eflags = _t151 - 8;
									if(_t151 < 8) {
										 *(_t315 + 0x28) = _t216;
									} else {
										 *(_t315 + 0x28) =  *_t216;
									}
									E00403340( *((intOrPtr*)(_t315 + 0x2c)) + _t312 * 2, _t151 - _t312, _t224 +  *(_t315 + 0x28) * 2,  *((intOrPtr*)(_t315 + 0x1c)));
									_t155 =  *((intOrPtr*)(_t314 + 0x18));
									_t316 = _t315 + 0x10;
									__eflags = _t155 - 8;
									if(_t155 < 8) {
										_t226 = _t216;
									} else {
										_t226 =  *_t216;
									}
									__eflags = _t155 - 8;
									if(_t155 < 8) {
										 *(_t316 + 0x28) = _t216;
									} else {
										 *(_t316 + 0x28) =  *_t216;
									}
									E00403340( *((intOrPtr*)(_t316 + 0x34)) + (_t312 + _t305) * 2, _t155 - _t312 - _t305, _t226 +  *(_t316 + 0x24) * 2,  *((intOrPtr*)(_t316 + 0x18)));
									_t160 =  *((intOrPtr*)(_t314 + 0x18));
									_t317 = _t316 + 0x10;
									__eflags = _t160 - 8;
									if(_t160 < 8) {
										 *(_t317 + 0x18) = _t216;
									} else {
										 *(_t317 + 0x18) =  *_t216;
									}
									__eflags = _t160 - 8;
									if(_t160 < 8) {
										_t229 = _t216;
									} else {
										_t229 =  *_t216;
									}
									_push(_t305 -  *((intOrPtr*)(_t317 + 0x1c)));
									_t162 = _t160 - _t312 -  *(_t317 + 0x20);
									__eflags = _t162;
									_push( *((intOrPtr*)(_t317 + 0x1c)) + ( *(_t317 + 0x28) + _t305) * 2);
									_push(_t162);
									_push(_t229 +  *(_t317 + 0x2c) * 2);
								} else {
									__eflags = _t151 - 8;
									if(_t151 < 8) {
										_t231 = _t216;
									} else {
										_t231 =  *_t216;
									}
									__eflags = _t151 - 8;
									if(_t151 < 8) {
										 *(_t315 + 0x28) = _t216;
									} else {
										 *(_t315 + 0x28) =  *_t216;
									}
									E00403340( *((intOrPtr*)(_t315 + 0x34)) + (_t312 + _t305) * 2, _t151 - _t312 - _t305, _t231 +  *(_t315 + 0x24) * 2,  *((intOrPtr*)(_t315 + 0x18)));
									_t171 =  *((intOrPtr*)(_t314 + 0x18));
									_t317 = _t315 + 0x10;
									__eflags = _t171 - 8;
									if(_t171 < 8) {
										 *(_t317 + 0x20) = _t216;
									} else {
										 *(_t317 + 0x20) =  *_t216;
									}
									__eflags = _t171 - 8;
									if(_t171 < 8) {
										_t273 = _t216;
									} else {
										_t273 =  *_t216;
									}
									_push(_t305);
									_push( *(_t317 + 0x24) + ( *(_t317 + 0x24) -  *((intOrPtr*)(_t317 + 0x1c)) + _t305) * 2);
									_push(_t171 - _t312);
									_push(_t273 + _t312 * 2);
								}
								E00403340();
							} else {
								_t173 =  *((intOrPtr*)(_t314 + 0x18));
								__eflags = _t173 - 8;
								if(_t173 < 8) {
									_t238 = _t216;
								} else {
									_t238 =  *_t216;
								}
								__eflags = _t173 - 8;
								if(_t173 < 8) {
									 *(_t315 + 0x20) = _t216;
								} else {
									 *(_t315 + 0x20) =  *_t216;
								}
								E0056FF76(_t216,  *((intOrPtr*)(_t315 + 0x2c)) + (_t312 + _t305) * 2, _t173 - _t312 - _t305 + _t173 - _t312 - _t305, _t238 + ( *(_t315 + 0x20) + _t312) * 2,  *((intOrPtr*)(_t315 + 0x18)) +  *((intOrPtr*)(_t315 + 0x18)));
								_t179 =  *((intOrPtr*)(_t314 + 0x18));
								_t317 = _t315 + 0x10;
								__eflags = _t179 - 8;
								if(_t179 < 8) {
									_t282 = _t216;
								} else {
									_t282 =  *_t216;
								}
								__eflags = _t179 - 8;
								if(_t179 < 8) {
									_t241 = _t216;
								} else {
									_t241 =  *_t216;
								}
								E0056FF76(_t216, _t241 + _t312 * 2, _t179 - _t312 + _t179 - _t312, _t282 +  *(_t317 + 0x28) * 2, _t305 + _t305);
							}
						} else {
							_t184 =  *((intOrPtr*)(_t314 + 0x18));
							__eflags = _t184 - 8;
							if(_t184 < 8) {
								_t242 = _t216;
							} else {
								_t242 =  *_t216;
							}
							__eflags = _t184 - 8;
							if(_t184 < 8) {
								 *(_t315 + 0x20) = _t216;
							} else {
								 *(_t315 + 0x20) =  *_t216;
							}
							E0056FF76(_t216,  *(_t315 + 0x24) + _t312 * 2, _t184 - _t312 + _t184 - _t312, _t242 +  *(_t315 + 0x28) * 2, _t305 + _t305);
							_t189 =  *((intOrPtr*)(_t314 + 0x18));
							_t317 = _t315 + 0x10;
							__eflags = _t189 - 8;
							if(_t189 < 8) {
								_t244 = _t216;
							} else {
								_t244 =  *_t216;
							}
							__eflags = _t189 - 8;
							if(_t189 < 8) {
								 *(_t317 + 0x24) = _t216;
							} else {
								 *(_t317 + 0x24) =  *_t216;
							}
							E0056FF76(_t216,  *(_t317 + 0x28) + (_t312 + _t305) * 2, _t189 - _t312 - _t305 + _t189 - _t312 - _t305, _t244 + ( *(_t317 + 0x20) + _t312) * 2,  *(_t317 + 0x18) +  *(_t317 + 0x18));
						}
					} else {
						_t195 =  *((intOrPtr*)(_t314 + 0x18));
						if(_t195 < 8) {
							_t246 = _t216;
						} else {
							_t246 =  *_t216;
						}
						if(_t195 < 8) {
							 *(_t315 + 0x28) = _t216;
						} else {
							 *(_t315 + 0x28) =  *_t216;
						}
						E0056FF76(_t216,  *((intOrPtr*)(_t315 + 0x34)) + (_t312 + _t305) * 2, _t195 - _t312 - _t305 + _t195 - _t312 - _t305, _t246 + ( *(_t315 + 0x20) + _t312) * 2,  *((intOrPtr*)(_t315 + 0x18)) +  *((intOrPtr*)(_t315 + 0x18)));
						_t300 =  *((intOrPtr*)(_t315 + 0x30));
						_t317 = _t315 + 0x10;
						if( *((intOrPtr*)(_t300 + 0x18)) < 8) {
							_t301 = _t300 + 4;
							__eflags = _t300 + 4;
						} else {
							_t301 =  *(_t300 + 4);
						}
						_t201 =  *((intOrPtr*)(_t314 + 0x18));
						if( *((intOrPtr*)(_t314 + 0x18)) < 8) {
							_t249 = _t216;
						} else {
							_t249 =  *_t216;
						}
						E0056F99E(_t216, _t249, _t249 + _t312 * 2, _t201 - _t312 + _t201 - _t312, _t301 +  *(_t317 + 0x28) * 2, _t305 + _t305);
					}
					_t165 =  *(_t317 + 0x20);
					 *(_t314 + 0x14) = _t165;
					if( *((intOrPtr*)(_t314 + 0x18)) >= 8) {
						_t216 =  *_t216;
					}
					 *((short*)(_t216 + _t165 * 2)) = 0;
					return _t314;
				}
				_t320 =  *((intOrPtr*)(_t212 + 0x14)) - _t304;
				if( *((intOrPtr*)(_t212 + 0x14)) >= _t304) {
					goto L3;
				}
				goto L2;
			}

0x00621f62
0x00621f68
0x00621f6c
0x00621f6f
0x00621f76
0x00621f7d
0x00621f7d
0x00621f82
0x00621f82
0x00621f85
0x00621f8b
0x00621f8f
0x00621f91
0x00621f93
0x00621f93
0x00621f9a
0x00621f9c
0x00621fa2
0x00621fa4
0x00621fa4
0x00621fad
0x00621faf
0x00621fb1
0x00621fb1
0x00621fb6
0x00621fb9
0x00621fc5
0x00621fc9
0x00621fcd
0x00621fd3
0x00621fd5
0x00621fdb
0x00621fdd
0x00621fe2
0x00621fe2
0x00621fe6
0x00621feb
0x00621fff
0x00622001
0x00622003
0x00622006
0x00622009
0x00622010
0x0062200b
0x0062200b
0x0062200b
0x00622013
0x00622015
0x00622015
0x00621fed
0x00621ff4
0x00621ff9
0x00621ff9
0x00621feb
0x00622018
0x0062201f
0x006220af
0x006220b1
0x00622142
0x00622146
0x00622148
0x006221cf
0x006221d2
0x006221d6
0x006221d8
0x006221db
0x0062225c
0x0062225f
0x00622265
0x00622261
0x00622261
0x00622261
0x00622267
0x0062226a
0x00622274
0x0062226c
0x0062226e
0x0062226e
0x00622290
0x00622295
0x00622298
0x0062229b
0x0062229e
0x006222a4
0x006222a0
0x006222a0
0x006222a0
0x006222a6
0x006222a9
0x006222b3
0x006222ab
0x006222ad
0x006222ad
0x006222d4
0x006222d9
0x006222dc
0x006222df
0x006222e2
0x006222ec
0x006222e4
0x006222e6
0x006222e6
0x006222f0
0x006222f3
0x006222f9
0x006222f5
0x006222f5
0x006222f5
0x00622303
0x0062230e
0x0062230e
0x00622315
0x00622316
0x0062231e
0x006221dd
0x006221dd
0x006221e0
0x006221e6
0x006221e2
0x006221e2
0x006221e2
0x006221e8
0x006221eb
0x006221f5
0x006221ed
0x006221ef
0x006221ef
0x00622216
0x0062221b
0x0062221e
0x00622221
0x00622224
0x0062222e
0x00622226
0x00622228
0x00622228
0x00622232
0x00622235
0x0062223b
0x00622237
0x00622237
0x00622237
0x00622245
0x0062224f
0x00622252
0x00622256
0x00622256
0x0062231f
0x0062214e
0x0062214e
0x00622151
0x00622154
0x0062215a
0x00622156
0x00622156
0x00622156
0x0062215c
0x0062215f
0x00622169
0x00622161
0x00622163
0x00622163
0x00622190
0x00622195
0x00622198
0x0062219b
0x0062219e
0x006221a4
0x006221a0
0x006221a0
0x006221a0
0x006221a6
0x006221a9
0x006221af
0x006221ab
0x006221ab
0x006221ab
0x006221c5
0x006221c5
0x006220b7
0x006220b7
0x006220ba
0x006220bd
0x006220c3
0x006220bf
0x006220bf
0x006220bf
0x006220c5
0x006220c8
0x006220d2
0x006220ca
0x006220cc
0x006220cc
0x006220ef
0x006220f4
0x006220f7
0x006220fa
0x006220fd
0x00622103
0x006220ff
0x006220ff
0x006220ff
0x00622105
0x00622108
0x00622112
0x0062210a
0x0062210c
0x0062210c
0x00622138
0x00622138
0x00622025
0x00622025
0x0062202b
0x00622031
0x0062202d
0x0062202d
0x0062202d
0x00622036
0x00622040
0x00622038
0x0062203a
0x0062203a
0x00622067
0x0062206c
0x00622070
0x00622077
0x00622080
0x00622080
0x00622079
0x0062207b
0x0062207b
0x00622083
0x00622089
0x0062208f
0x0062208b
0x0062208b
0x0062208b
0x006220a5
0x006220a5
0x00622324
0x0062232f
0x00622332
0x00622334
0x00622334
0x00622339
0x00622343
0x00622343
0x00621f78
0x00621f7b
0x00000000
0x00000000
0x00000000

APIs

std::_String_base::_Xlen.LIBCPMT ref: 00621FB1
std::_String_base::_Xlen.LIBCPMT ref: 00621FDD
_memmove_s.LIBCMT ref: 00622067
_memcpy_s.LIBCMT ref: 006220A5
_memmove_s.LIBCMT ref: 006220EF
_memmove_s.LIBCMT ref: 00622138
_memmove_s.LIBCMT ref: 00622190
_memmove_s.LIBCMT ref: 006221C5

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: _memmove_s$String_base::_Xlenstd::_$_memcpy_s
String ID:
API String ID: 3470545318-0
Opcode ID: a8f0f543fcb72918d58ef2294f2849b3379a95796c4b89e35ead6f3e41a68077
Instruction ID: 3207145a5a38bbe8e756ff4a64c1343cab9232cea7e868ccbab4acd482045109
Opcode Fuzzy Hash: a8f0f543fcb72918d58ef2294f2849b3379a95796c4b89e35ead6f3e41a68077
Instruction Fuzzy Hash: 57D17170304623DF8B08CF58D8E486BB7A7FBC9344B604A5DE5458B219DB30EA56CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004142C0, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004142C0(void* __ecx, signed int _a4, char _a8) {
				intOrPtr _v8;
				char _v12;
				char _v56;
				char _v60;
				char _v80;
				char _v84;
				signed int _t26;
				signed int _t30;
				signed char _t44;
				void* _t54;

				_push(0xffffffff);
				_push(0x6f1a58);
				_push( *[fs:0x0]);
				_t26 =  *0x877864; // 0xf691760e
				_push(_t26 ^ _t54 - 0x00000044);
				 *[fs:0x0] =  &_v12;
				_t30 = _a4 & 0x00000017;
				 *(__ecx + 8) = _t30;
				_t44 =  *(__ecx + 0xc) & _t30;
				if(_t44 != 0) {
					if(_a8 != 0) {
						E0057080C(0, 0);
					}
					if((_t44 & 0x00000004) != 0) {
						E00406020( &_v80, "ios_base::badbit set");
						_v8 = 0;
						E00413C40( &_v84);
						_t44 =  &_v60;
						E0057080C(_t44, 0x8101bc);
					}
					_t47 =  &_v80;
					if((_t44 & 0x00000002) != 0) {
						E00406020( &_v80, "ios_base::failbit set");
						_v8 = 1;
						_t47 =  &_v56;
						E00413C40( &_v84);
						E0057080C( &_v60, 0x8101bc);
					}
					E00406020(_t47, "ios_base::eofbit set");
					_v8 = 2;
					E00413C40( &_v84);
					_t30 = E0057080C( &_v60, 0x8101bc);
				}
				 *[fs:0x0] = _v12;
				return _t30;
			}

0x004142c0
0x004142c2
0x004142cd
0x004142d1
0x004142d8
0x004142dd
0x004142e7
0x004142ea
0x004142f0
0x004142f2
0x004142fd
0x00414303
0x00414303
0x0041430b
0x00414316
0x0041431b
0x0041432c
0x00414336
0x0041433b
0x0041433b
0x00414343
0x00414347
0x0041434e
0x00414353
0x00414360
0x00414364
0x00414373
0x00414373
0x0041437d
0x00414382
0x00414393
0x004143a2
0x004143a2
0x004143ab
0x004143b6

APIs

__CxxThrowException@8.LIBCMT ref: 00414303

Part of subcall function 0057080C: KiUserExceptionDispatcher.NTDLL(?,?,00402FC2,00000000,?,?,?,?,00402FC2,00000000,0080D3D8,00000000), ref: 0057084E

__CxxThrowException@8.LIBCMT ref: 0041433B
__CxxThrowException@8.LIBCMT ref: 00414373
__CxxThrowException@8.LIBCMT ref: 004143A2

Strings

ios_base::eofbit set, xrefs: 00414378
ios_base::failbit set, xrefs: 00414349
ios_base::badbit set, xrefs: 0041430D

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Exception@8Throw$DispatcherExceptionUser
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4200477539-1866435925
Opcode ID: 2a6456b1bffef794f648cfce49acb1d6109f0e63bc01f2e3ee1984259e235423
Instruction ID: 7aa2c79da0115d47a2ad62fac4b8be94bef1c78773ff819aac035737f412f703
Opcode Fuzzy Hash: 2a6456b1bffef794f648cfce49acb1d6109f0e63bc01f2e3ee1984259e235423
Instruction Fuzzy Hash: DE218072188344ABC305EB51C956B9BB7F4BF84B04F004A1DF19A962C1EBBDE944CB57

Uniqueness

Uniqueness Score: -1.00%

Function 00427760, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 427
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00427760() {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				signed int _t127;
				signed int _t130;
				signed int _t132;
				signed int _t134;
				signed int _t135;
				signed int _t136;
				intOrPtr _t139;
				signed int _t142;
				signed int _t143;
				signed int _t152;
				intOrPtr _t155;
				signed int _t158;
				signed int _t163;
				signed int _t166;
				signed int _t167;
				signed int _t168;
				signed int _t171;
				signed int _t172;
				signed int _t183;
				signed int _t185;
				signed int _t187;
				signed int _t191;
				intOrPtr _t194;
				signed int _t196;
				void* _t198;
				signed int _t200;
				signed int _t205;
				signed int* _t206;
				intOrPtr* _t208;
				signed int _t211;
				signed int _t212;
				signed int* _t218;
				signed int _t219;
				signed int _t220;
				signed int _t222;
				signed int* _t223;
				intOrPtr _t224;
				intOrPtr _t225;
				intOrPtr* _t226;
				signed int _t227;
				signed int _t239;
				void* _t241;
				void* _t242;
				void* _t247;
				void* _t248;
				void* _t261;
				void* _t264;
				intOrPtr* _t267;
				signed int _t268;
				signed int _t270;
				signed int _t273;
				signed int _t276;
				signed int _t277;
				void* _t280;
				signed int _t284;
				signed int* _t286;
				signed int _t288;
				signed short* _t290;
				signed int _t293;
				intOrPtr _t294;
				signed int _t296;
				signed int _t299;
				signed int _t301;
				signed int _t304;
				void* _t305;
				void* _t306;
				void* _t307;
				void* _t310;
				signed int _t311;

				_push(_t212);
				_t1 = _t305 + 0x10; // 0x504d67
				_t299 =  *_t1;
				_t196 = _t212;
				 *(_t305 + 0x10) = _t196;
				if(_t299 < 0) {
					_t299 = 0;
				}
				_t242 =  *_t196;
				_t284 =  *(_t242 - 0xc);
				if(_t299 > _t284) {
					_t299 = _t284;
				}
				_t267 =  *((intOrPtr*)(_t305 + 0x1c));
				if(_t267 == 0) {
					_t268 = 0;
					__eflags = 0;
				} else {
					_t241 = _t267 + 2;
					do {
						_t194 =  *_t267;
						_t267 = _t267 + 2;
					} while (_t194 != 0);
					_t268 = _t267 - _t241 >> 1;
				}
				if(_t268 <= 0) {
					L15:
					return _t284;
				} else {
					_t284 = _t284 + _t268;
					if((0x00000001 -  *((intOrPtr*)(_t242 - 4)) |  *((intOrPtr*)(_t242 - 8)) - _t284) < 0) {
						_push(_t284);
						E00402E90(_t196, _t196);
					}
					_t198 =  *_t196 + _t299 * 2;
					E004012F0(_t198, _t268, _t284, E0056FF76(_t198,  *_t196 + (_t268 + _t299) * 2, _t284 - _t268 - _t299 + _t284 - _t268 - _t299 + 2, _t198, _t284 - _t268 - _t299 + _t284 - _t268 - _t299 + 2));
					_t218 =  *(_t305 + 0x30);
					E004012F0(_t198, _t268, _t284, E0056F99E(_t198, _t218, _t198, _t268 + _t268, _t218, _t268 + _t268));
					_t306 = _t305 + 0x28;
					if(_t284 < 0) {
						L16:
						_push(0x80070057);
						E00401460(_t218, _t268, _t284, _t299);
						asm("int3");
						asm("int3");
						asm("int3");
						_t307 = _t306 - 0x20;
						_push(_t198);
						_push(_t299);
						_push(_t284);
						_push(_t268);
						_t270 =  *(_t307 + 0x34);
						_t301 = 0;
						_t286 = _t218;
						 *(_t307 + 0x1c) = _t286;
						__eflags = _t270;
						if(_t270 == 0) {
							L21:
							__eflags = 0;
							return 0;
						} else {
							_t127 = _t270;
							_t247 = _t127 + 2;
							do {
								_t219 =  *_t127;
								_t127 = _t127 + 2;
								__eflags = _t219;
							} while (_t219 != 0);
							_t200 = _t127 - _t247 >> 1;
							 *(_t307 + 0x14) = _t200;
							__eflags = _t200;
							if(_t200 != 0) {
								_t130 =  *(_t307 + 0x38);
								__eflags = _t130;
								if(_t130 == 0) {
									 *(_t307 + 0x10) = 0;
								} else {
									_t264 = _t130 + 2;
									do {
										_t239 =  *_t130;
										_t130 = _t130 + 2;
										__eflags = _t239;
									} while (_t239 != 0);
									 *(_t307 + 0x10) = _t130 - _t264 >> 1;
								}
								_t288 =  *_t286;
								_t132 = _t288 +  *(_t288 - 0xc) * 2;
								 *(_t307 + 0x20) = _t132;
								__eflags = _t288 - _t132;
								if(_t288 >= _t132) {
									L57:
									return _t301;
								} else {
									do {
										_t134 = E00571F2F(_t288, _t270);
										_t307 = _t307 + 8;
										__eflags = _t134;
										while(_t134 != 0) {
											_t288 = _t134 + _t200 * 2;
											_t301 = _t301 + 1;
											_t134 = E00571F2F(_t288, _t270);
											_t307 = _t307 + 8;
											__eflags = _t134;
										}
										__eflags = _t288;
										if(_t288 == 0) {
											_t135 = 0;
											__eflags = 0;
										} else {
											_t187 = _t288;
											_t248 = _t187 + 2;
											do {
												_t220 =  *_t187;
												_t187 = _t187 + 2;
												__eflags = _t220;
											} while (_t220 != 0);
											_t135 = _t187 - _t248 >> 1;
										}
										_t288 = _t288 + 2 + _t135 * 2;
										__eflags = _t288 -  *(_t307 + 0x20);
									} while (_t288 <  *(_t307 + 0x20));
									 *(_t307 + 0x20) = _t301;
									__eflags = _t301;
									if(_t301 <= 0) {
										goto L57;
									} else {
										_t136 =  *( *(_t307 + 0x1c));
										_t273 =  *(_t136 - 0xc);
										_t205 = ( *(_t307 + 0x10) -  *(_t307 + 0x14)) * _t301 + _t273;
										__eflags = _t205 - _t273;
										 *(_t307 + 0x18) = _t273;
										 *(_t307 + 0x28) = _t205;
										_t222 = _t205;
										if(_t205 <= _t273) {
											_t222 = _t273;
										}
										__eflags = 0x00000001 -  *((intOrPtr*)(_t136 - 4)) |  *((intOrPtr*)(_t136 - 8)) - _t222;
										if((0x00000001 -  *((intOrPtr*)(_t136 - 4)) |  *((intOrPtr*)(_t136 - 8)) - _t222) < 0) {
											_push(_t222);
											E00402E90(_t205,  *(_t307 + 0x20));
										}
										_t223 =  *(_t307 + 0x1c);
										_t304 =  *_t223;
										_t139 = _t304 + _t273 * 2;
										 *(_t307 + 0x24) = _t304;
										 *((intOrPtr*)(_t307 + 0x2c)) = _t139;
										__eflags = _t304 - _t139;
										if(_t304 < _t139) {
											do {
												_t288 = E00571F2F(_t304,  *(_t307 + 0x34));
												_t307 = _t307 + 8;
												__eflags = _t288;
												if(_t288 != 0) {
													_t211 =  *(_t307 + 0x10) +  *(_t307 + 0x10);
													__eflags = _t211;
													do {
														_t280 = _t273 - (_t288 -  *(_t307 + 0x24) >> 1) -  *(_t307 + 0x14);
														_t304 = _t211 + _t288;
														E004012F0(_t211, _t280, _t288, E0056FF76(_t211, _t304, _t280 + _t280, _t288 +  *(_t307 + 0x14) * 2, _t280 + _t280));
														E004012F0(_t211, _t280, _t288, E0056F99E(_t211,  *(_t307 + 0x14), _t288, _t211,  *((intOrPtr*)(_t307 + 0x4c)), _t211));
														_t183 =  *(_t307 + 0x38);
														 *((intOrPtr*)(_t307 + 0x44)) =  *((intOrPtr*)(_t307 + 0x44)) + _t183 -  *((intOrPtr*)(_t307 + 0x3c));
														_t223 = 0;
														 *((short*)(_t288 + (_t280 + _t183) * 2)) = 0;
														_t185 = E00571F2F(_t304,  *((intOrPtr*)(_t307 + 0x5c)));
														_t273 =  *(_t307 + 0x48);
														_t288 = _t185;
														_t307 = _t307 + 0x30;
														__eflags = _t288;
													} while (_t288 != 0);
													_t205 =  *(_t307 + 0x28);
												}
												__eflags = _t304;
												if(_t304 == 0) {
													_t171 = 0;
													__eflags = 0;
												} else {
													_t172 = _t304;
													_t75 = _t172 + 2; // 0x2
													_t261 = _t75;
													do {
														_t223 =  *_t172;
														_t172 = _t172 + 2;
														__eflags = _t223;
													} while (_t223 != 0);
													_t171 = _t172 - _t261 >> 1;
												}
												_t304 = _t304 + 2 + _t171 * 2;
												__eflags = _t304 -  *((intOrPtr*)(_t307 + 0x2c));
											} while (_t304 <  *((intOrPtr*)(_t307 + 0x2c)));
										}
										__eflags = _t205;
										if(_t205 < 0) {
											L58:
											_push(0x80070057);
											E00401460(_t223, _t273, _t288, _t304);
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											_push(_t205);
											_push(_t288);
											_t206 = _t223;
											_t290 =  *_t206;
											_push(_t273);
											_t142 = E0057196B(_t223,  *_t290 & 0x0000ffff);
											_t310 = _t307 + 4;
											__eflags = _t142;
											if(_t142 != 0) {
												do {
													_t166 = _t290[1] & 0x0000ffff;
													_t290 =  &(_t290[1]);
													_t167 = E0057196B(_t223, _t166);
													_t310 = _t310 + 4;
													__eflags = _t167;
												} while (_t167 != 0);
											}
											_t143 =  *_t206;
											__eflags = _t290 - _t143;
											if(_t290 == _t143) {
												L67:
												return _t206;
											} else {
												_t224 =  *((intOrPtr*)(_t143 - 0xc));
												_t293 = _t290 - _t143 >> 1;
												__eflags = 0x00000001 -  *((intOrPtr*)(_t143 - 4)) |  *((intOrPtr*)(_t143 - 8)) - _t224;
												if((0x00000001 -  *((intOrPtr*)(_t143 - 4)) |  *((intOrPtr*)(_t143 - 8)) - _t224) < 0) {
													_push(_t224);
													E00402E90(_t206, _t206);
												}
												_t225 =  *((intOrPtr*)( *_t206 - 0xc));
												_t276 = _t225 - _t293;
												_t92 = _t276 + 2; // 0x2
												_t226 = _t225 + _t225 + 2;
												E004012F0(_t206, _t276, _t293, E0056FF76(_t206,  *_t206, _t226,  &(( *_t206)[_t293]), _t276 + _t92));
												_t311 = _t310 + 0x14;
												__eflags = _t276;
												if(_t276 < 0) {
													L68:
													_push(0x80070057);
													E00401460(_t226, _t276, _t293, _t304);
													asm("int3");
													asm("int3");
													asm("int3");
													_push(0xffffffff);
													_push(0x6f44f9);
													_push( *[fs:0x0]);
													_push(_t226);
													_push(_t206);
													_push(_t293);
													_push(_t276);
													_t152 =  *0x877864; // 0xf691760e
													_push(_t152 ^ _t311);
													 *[fs:0x0] = _t311 + 0x14;
													_t208 = _t226;
													_t277 =  *(_t311 + 0x28);
													 *((intOrPtr*)(_t311 + 0x10)) = 0;
													__eflags = _t277;
													if(_t277 < 0) {
														_t277 = 0;
														__eflags = 0;
													}
													_t155 =  *_t208;
													_t294 =  *((intOrPtr*)(_t155 - 0xc));
													__eflags = _t277 - _t294;
													if(__eflags < 0) {
														_t227 =  *(_t155 - 0x10);
														__eflags = _t227;
														if(_t227 == 0) {
															L75:
															_t158 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(E00543198())) + 0x10))))();
														} else {
															_t158 =  *((intOrPtr*)( *((intOrPtr*)( *_t227 + 0x10))))();
															__eflags = _t158;
															if(_t158 == 0) {
																goto L75;
															}
														}
														__eflags = _t294 - _t277;
														_t296 =  *(_t311 + 0x28);
														E0040B470( *_t208 + (_t294 - _t277) * 2, _t277, _t158);
													} else {
														_t296 =  *(_t311 + 0x24);
														E0040B7B0(__eflags, _t208);
													}
													 *((intOrPtr*)(_t311 + 0x1c)) = 0;
													 *((intOrPtr*)(_t311 + 0x10)) = 1;
													 *[fs:0x0] =  *((intOrPtr*)(_t311 + 0x14));
													return _t296;
												} else {
													_t163 =  *_t206;
													__eflags = _t276 -  *((intOrPtr*)(_t163 - 8));
													if(_t276 >  *((intOrPtr*)(_t163 - 8))) {
														goto L68;
													} else {
														 *(_t163 - 0xc) = _t276;
														__eflags = 0;
														( *_t206)[_t276] = 0;
														goto L67;
													}
												}
											}
										} else {
											_t223 =  *(_t307 + 0x1c);
											_t168 =  *_t223;
											__eflags = _t205 -  *((intOrPtr*)(_t168 - 8));
											if(_t205 >  *((intOrPtr*)(_t168 - 8))) {
												goto L58;
											} else {
												_t301 =  *(_t307 + 0x20);
												 *(_t168 - 0xc) = _t205;
												__eflags = 0;
												 *((short*)( *_t223 + _t205 * 2)) = 0;
												goto L57;
											}
										}
									}
								}
							} else {
								goto L21;
							}
						}
					} else {
						_t218 =  *(_t306 + 0x10);
						_t191 =  *_t218;
						if(_t284 >  *((intOrPtr*)(_t191 - 8))) {
							goto L16;
						} else {
							 *(_t191 - 0xc) = _t284;
							 *((short*)( *_t218 + _t284 * 2)) = 0;
							goto L15;
						}
					}
				}
			}

0x00427760
0x00427763
0x00427763
0x00427768
0x0042776b
0x00427771
0x00427773
0x00427773
0x00427775
0x00427777
0x0042777c
0x0042777e
0x0042777e
0x00427780
0x00427786
0x004277a1
0x004277a1
0x00427788
0x00427788
0x00427790
0x00427790
0x00427793
0x00427796
0x0042779d
0x0042779d
0x004277a5
0x00427819
0x00427820
0x004277a7
0x004277aa
0x004277b8
0x004277ba
0x004277bd
0x004277bd
0x004277cf
0x004277e1
0x004277e6
0x004277f7
0x004277fc
0x00427801
0x00427823
0x00427823
0x00427828
0x0042782d
0x0042782e
0x0042782f
0x00427830
0x00427833
0x00427834
0x00427835
0x00427836
0x00427837
0x0042783b
0x0042783d
0x0042783f
0x00427843
0x00427845
0x00427869
0x0042786c
0x00427872
0x00427847
0x00427847
0x00427849
0x00427850
0x00427850
0x00427853
0x00427856
0x00427856
0x0042785f
0x00427861
0x00427865
0x00427867
0x00427875
0x00427879
0x0042787b
0x00427895
0x0042787d
0x0042787d
0x00427880
0x00427880
0x00427883
0x00427886
0x00427886
0x0042788f
0x0042788f
0x00427899
0x0042789e
0x004278a1
0x004278a5
0x004278a7
0x00427a3f
0x00427a48
0x004278b0
0x004278b0
0x004278b2
0x004278b7
0x004278ba
0x004278bc
0x004278c0
0x004278c5
0x004278c6
0x004278cb
0x004278ce
0x004278ce
0x004278d2
0x004278d4
0x004278f1
0x004278f1
0x004278d6
0x004278d6
0x004278d8
0x004278e0
0x004278e0
0x004278e3
0x004278e6
0x004278e6
0x004278ed
0x004278ed
0x004278f3
0x004278f7
0x004278f7
0x004278fd
0x00427901
0x00427903
0x00000000
0x00427909
0x00427915
0x0042791a
0x0042791d
0x0042791f
0x00427921
0x00427925
0x00427929
0x0042792b
0x0042792d
0x0042792d
0x0042793c
0x0042793e
0x00427940
0x00427945
0x00427945
0x0042794a
0x0042794e
0x00427950
0x00427954
0x00427958
0x0042795c
0x0042795e
0x00427964
0x0042796f
0x00427971
0x00427974
0x00427976
0x00427980
0x00427980
0x00427982
0x00427993
0x00427997
0x004279a7
0x004279ba
0x004279bf
0x004279ce
0x004279d2
0x004279d5
0x004279d9
0x004279de
0x004279e2
0x004279e4
0x004279e7
0x004279e7
0x004279eb
0x004279eb
0x004279ef
0x004279f1
0x00427a11
0x00427a11
0x004279f3
0x004279f3
0x004279f5
0x004279f5
0x00427a00
0x00427a00
0x00427a03
0x00427a06
0x00427a06
0x00427a0d
0x00427a0d
0x00427a13
0x00427a17
0x00427a17
0x00427964
0x00427a21
0x00427a23
0x00427a4b
0x00427a4b
0x00427a50
0x00427a55
0x00427a56
0x00427a57
0x00427a58
0x00427a59
0x00427a5a
0x00427a5b
0x00427a5c
0x00427a5d
0x00427a5e
0x00427a5f
0x00427a60
0x00427a61
0x00427a62
0x00427a64
0x00427a69
0x00427a6b
0x00427a70
0x00427a73
0x00427a75
0x00427a77
0x00427a77
0x00427a7b
0x00427a7f
0x00427a84
0x00427a87
0x00427a87
0x00427a77
0x00427a8b
0x00427a8d
0x00427a8f
0x00427aed
0x00427af2
0x00427a91
0x00427a91
0x00427aa3
0x00427aa5
0x00427aa7
0x00427aa9
0x00427aac
0x00427aac
0x00427ab3
0x00427ab8
0x00427aba
0x00427ac3
0x00427acf
0x00427ad4
0x00427ad7
0x00427ad9
0x00427af3
0x00427af3
0x00427af8
0x00427afd
0x00427afe
0x00427aff
0x00427b00
0x00427b02
0x00427b0d
0x00427b0e
0x00427b0f
0x00427b10
0x00427b11
0x00427b12
0x00427b19
0x00427b1e
0x00427b24
0x00427b26
0x00427b2a
0x00427b32
0x00427b34
0x00427b36
0x00427b36
0x00427b36
0x00427b38
0x00427b3a
0x00427b3d
0x00427b3f
0x00427b4f
0x00427b52
0x00427b54
0x00427b61
0x00427b6d
0x00427b56
0x00427b5b
0x00427b5d
0x00427b5f
0x00000000
0x00000000
0x00427b5f
0x00427b72
0x00427b77
0x00427b7f
0x00427b41
0x00427b41
0x00427b48
0x00427b48
0x00427b84
0x00427b8c
0x00427b9a
0x00427ba8
0x00427adb
0x00427adb
0x00427add
0x00427ae0
0x00000000
0x00427ae2
0x00427ae2
0x00427ae7
0x00427ae9
0x00000000
0x00427ae9
0x00427ae0
0x00427ad9
0x00427a25
0x00427a25
0x00427a29
0x00427a2b
0x00427a2e
0x00000000
0x00427a30
0x00427a30
0x00427a34
0x00427a39
0x00427a3b
0x00000000
0x00427a3b
0x00427a2e
0x00427a23
0x00427903
0x00000000
0x00000000
0x00000000
0x00427867
0x00427803
0x00427803
0x00427807
0x0042780c
0x00000000
0x0042780e
0x0042780e
0x00427815
0x00000000
0x00427815
0x0042780c
0x00427801

APIs

_memmove_s.LIBCMT ref: 004277DB
_memcpy_s.LIBCMT ref: 004277F1

Strings

gMP, xrefs: 00427763, 00427834

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: _memcpy_s_memmove_s
String ID: gMP
API String ID: 95007514-2623890443
Opcode ID: 50337a74d35963773359df8169ca45e712d2128b5a70c316dc6d2cee418dde0c
Instruction ID: f8c8c5cf4d2c2218556ef0eb668db844f690a4b23719b738e4f85cd503cc707f
Opcode Fuzzy Hash: 50337a74d35963773359df8169ca45e712d2128b5a70c316dc6d2cee418dde0c
Instruction Fuzzy Hash: 7ED1DF726082259FC714EF68E88892BB3E9FF84304F444A2EF8459B351EB74ED05CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00624AE0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00624AE0(struct %anon52 __ecx, void* __ebp, void* __eflags) {
				char _v4;
				char _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _v24;
				union _LARGE_INTEGER _v28;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				signed int _t84;
				intOrPtr _t92;
				intOrPtr _t93;
				intOrPtr _t94;
				void* _t111;
				void* _t135;
				intOrPtr* _t136;
				void* _t139;
				struct %anon52 _t140;
				void* _t143;
				void* _t146;

				_t146 = __eflags;
				_t84 =  *0x877864; // 0xf691760e
				 *[fs:0x0] =  &_v12;
				_t140 = __ecx;
				_v36.LowPart = __ecx;
				E00622410(__ecx);
				_v4 = 0;
				_t136 =  *0x7493c4;
				_t4 = _t140 + 0x20; // 0x20
				 *((intOrPtr*)(__ecx)) = 0x786904;
				 *_t136(_t4, _t84 ^ _t143 - 0x00000018, _t135, _t139, _t111,  *[fs:0x0], 0x73570a, 0xffffffff);
				_v8 = 1;
				_t6 = _t140 + 0x38; // 0x38
				 *_t136(_t6);
				_v12 = 2;
				_t8 = _t140 + 0x50; // 0x50
				_t92 = _t8;
				 *((intOrPtr*)(_t92 + 0x18)) = 7;
				 *((intOrPtr*)(_t92 + 0x14)) = 0;
				_v40 = _t92;
				 *((short*)(_t92 + 4)) = 0;
				_v12 = 4;
				_t14 = _t140 + 0x74; // 0x74
				_t93 = _t14;
				 *((intOrPtr*)(__ecx + 0x6c)) = 0;
				 *((char*)(__ecx + 0x70)) = 0;
				 *((intOrPtr*)(_t93 + 0x18)) = 7;
				 *((intOrPtr*)(_t93 + 0x14)) = 0;
				_v40 = _t93;
				 *((short*)(_t93 + 4)) = 0;
				_v12 = 6;
				_t22 = _t140 + 0x90; // 0x90
				_t94 = _t22;
				 *((intOrPtr*)(_t94 + 0x18)) = 7;
				 *((intOrPtr*)(_t94 + 0x14)) = 0;
				_v40 = _t94;
				 *((short*)(_t94 + 4)) = 0;
				_v12 = 8;
				_t28 = _t140 + 0xb4; // 0xb4
				E00622560(_t28, _t146);
				_v12 = 9;
				_t30 = _t140 + 0xdc; // 0xdc
				E00622BF0(_t30);
				_v12 = 0xa;
				 *((intOrPtr*)(__ecx + 0xf8)) = 0;
				 *((intOrPtr*)(__ecx + 0xfc)) = 0;
				 *((intOrPtr*)(__ecx + 0x100)) = 0;
				 *((intOrPtr*)(__ecx + 0x104)) = 0;
				_t36 = _t140 + 0x110; // 0x110
				 *((char*)(__ecx + 0x10c)) = 0;
				E005F2990(_t36);
				_v12 = 0xb;
				 *((intOrPtr*)(__ecx + 0x12c)) = 0;
				 *((intOrPtr*)(__ecx + 0x130)) = 0;
				 *((intOrPtr*)(__ecx + 0x134)) = 0;
				 *((intOrPtr*)(__ecx + 0x138)) = 0;
				E00622C60();
				_v12 = 0xc;
				_t45 = _t140 + 0x1a0; // 0x1a0
				 *((char*)(__ecx + 0x19c)) = 0;
				E00622560(_t45, _t146);
				_v12 = 0xd;
				_t48 = _t140 + 0x1c0; // 0x1c0
				E00622560(_t48, _t146);
				_v12 = 0xe;
				_t50 = _t140 + 0x200; // 0x200
				 *((short*)(__ecx + 0x1e0)) = 9;
				 *((char*)(__ecx + 0x1e2)) = 0;
				 *((char*)(__ecx + 0x1e3)) = 0;
				 *((intOrPtr*)(__ecx + 0x1e8)) = 0;
				 *((intOrPtr*)(__ecx + 0x1ec)) = 0;
				 *((intOrPtr*)(__ecx + 0x1f0)) = 0;
				 *((intOrPtr*)(__ecx + 0x1f4)) = 0;
				 *((intOrPtr*)(__ecx + 0x1f8)) = 0;
				 *((intOrPtr*)(__ecx + 0x1fc)) = 0;
				E00623830(_t50, _t146);
				_v12 = 0xf;
				_t61 = _t140 + 0x218; // 0x218
				E006238A0(_t61, _t146);
				_v12 = 0x10;
				 *((intOrPtr*)(__ecx + 0x230)) = 0;
				 *((char*)(__ecx + 0x234)) = 0;
				 *((char*)(__ecx + 0x235)) = 0;
				 *((char*)(__ecx + 0xd8)) = 0;
				E00623390(_t28);
				E00624510(__ecx);
				if(QueryPerformanceFrequency( &_v28) == 0) {
					 *(_t140 + 0x1e8) = GetTickCount();
					 *((intOrPtr*)(_t140 + 0x1ec)) = 0;
					 *(_t140 + 0x1f0) = 0;
					 *((intOrPtr*)(_t140 + 0x1f4)) = 0;
				} else {
					QueryPerformanceCounter( &_v36);
					 *(_t140 + 0x1e8) = _v36.LowPart;
					 *((intOrPtr*)(_t140 + 0x1ec)) = _v32;
					 *(_t140 + 0x1f0) = _v28.LowPart;
					 *((intOrPtr*)(_t140 + 0x1f4)) = _v24;
				}
				_v12 = 0xffffffff;
				 *[fs:0x0] = _v20;
				return _t140;
			}

0x00624ae0
0x00624af4
0x00624b00
0x00624b06
0x00624b08
0x00624b0c
0x00624b13
0x00624b17
0x00624b1d
0x00624b21
0x00624b27
0x00624b29
0x00624b2e
0x00624b32
0x00624b34
0x00624b39
0x00624b39
0x00624b43
0x00624b46
0x00624b49
0x00624b4d
0x00624b51
0x00624b56
0x00624b56
0x00624b59
0x00624b5c
0x00624b5f
0x00624b62
0x00624b65
0x00624b69
0x00624b6d
0x00624b72
0x00624b72
0x00624b78
0x00624b7d
0x00624b80
0x00624b84
0x00624b88
0x00624b8d
0x00624b95
0x00624b9a
0x00624b9f
0x00624ba5
0x00624baa
0x00624baf
0x00624bb5
0x00624bbb
0x00624bc1
0x00624bc7
0x00624bcd
0x00624bd3
0x00624bd8
0x00624bdd
0x00624be3
0x00624bef
0x00624bf5
0x00624bfb
0x00624c00
0x00624c05
0x00624c0b
0x00624c11
0x00624c16
0x00624c1b
0x00624c21
0x00624c26
0x00624c30
0x00624c36
0x00624c3d
0x00624c43
0x00624c49
0x00624c4f
0x00624c55
0x00624c5b
0x00624c61
0x00624c67
0x00624c6d
0x00624c72
0x00624c77
0x00624c7d
0x00624c82
0x00624c89
0x00624c8f
0x00624c95
0x00624c9b
0x00624ca1
0x00624ca8
0x00624cba
0x00624cf7
0x00624cfd
0x00624d03
0x00624d09
0x00624cbc
0x00624cc1
0x00624cd3
0x00624cdd
0x00624ce3
0x00624ce9
0x00624ce9
0x00624d0f
0x00624d1d
0x00624d2b

APIs

RtlInitializeCriticalSection.NTDLL(00000020), ref: 00624B27
RtlInitializeCriticalSection.NTDLL(00000038), ref: 00624B32
QueryPerformanceFrequency.KERNEL32(?), ref: 00624CB2
QueryPerformanceCounter.KERNEL32(?), ref: 00624CC1
GetTickCount.KERNEL32 ref: 00624CF1

Strings

0Mb, xrefs: 00624B21

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: CriticalInitializePerformanceQuerySection$CountCounterFrequencyTick
String ID: 0Mb
API String ID: 3950734871-1027673534
Opcode ID: 4129c6865b9dc461a9e3ad0a7b03704269bc974aeb2d98b4f12a9dbe996fc9d1
Instruction ID: 7b03ec1c8a7143b84d0c97f0395708583289783bd8d136fc1a7b4228cf14aa0c
Opcode Fuzzy Hash: 4129c6865b9dc461a9e3ad0a7b03704269bc974aeb2d98b4f12a9dbe996fc9d1
Instruction Fuzzy Hash: 3261D570408B819FC365DF39D494B9BFBE1BF59304F84496EE8AA83252D774A108CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004144C0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004144C0(void* __ebp, void* __eflags) {
				intOrPtr* _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				char _v12;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t27;
				intOrPtr _t28;
				void* _t32;
				void* _t37;
				intOrPtr _t43;
				intOrPtr _t53;
				signed int _t56;
				intOrPtr _t57;
				void* _t59;
				void* _t60;
				signed int _t61;
				void* _t63;

				_t59 = __ebp;
				_push(0xffffffff);
				_push(0x6f1ae8);
				_push( *[fs:0x0]);
				_t61 = _t60 - 0x14;
				_t23 =  *0x877864; // 0xf691760e
				_push(_t23 ^ _t61);
				 *[fs:0x0] =  &_v12;
				E005C6A1A( &_v28, 0);
				_v8 = 0;
				_t53 =  *0x8a7268; // 0x27d4138
				_v36 = _t53;
				_t27 = E004120D0();
				_t39 = _v0;
				_t56 = _t27;
				_t28 =  *_v0;
				if(_t56 >=  *((intOrPtr*)(_t28 + 0xc))) {
					_t43 = 0;
					L2:
					if( *((char*)(_t28 + 0x14)) == 0) {
						L6:
						_t57 = _t43;
						L7:
						if(_t57 != 0) {
							L13:
							_v4 = 0xffffffff;
							E005C6A42( &_v28);
							 *[fs:0x0] = _v12;
							return _t57;
						}
						L8:
						if(_t53 == 0) {
							_t32 = E00413EF0(_t51, _t59,  &_v32, _t39);
							_t63 = _t61 + 8;
							if(_t32 == 0xffffffff) {
								E00570628( &_v24, "bad cast");
								E0057080C( &_v28, 0x8102b0);
							}
							_t57 = _v32;
							 *0x8a7268 = _t57;
							E00401D10();
							E005C6C90(_t39, _t51, _t53, _t57, _t57);
							_t61 = _t63 + 4;
						} else {
							_t57 = _t53;
						}
						goto L13;
					}
					_t37 = E005C6BA1();
					if(_t56 >=  *((intOrPtr*)(_t37 + 0xc))) {
						goto L8;
					}
					_t51 =  *((intOrPtr*)(_t37 + 8));
					_t57 =  *((intOrPtr*)( *((intOrPtr*)(_t37 + 8)) + _t56 * 4));
					goto L7;
				}
				_t43 =  *((intOrPtr*)( *((intOrPtr*)(_t28 + 8)) + _t56 * 4));
				if(_t43 != 0) {
					goto L6;
				}
				goto L2;
			}

0x004144c0
0x004144c0
0x004144c2
0x004144cd
0x004144ce
0x004144d4
0x004144db
0x004144e0
0x004144ec
0x004144f1
0x004144f9
0x00414504
0x00414508
0x0041450d
0x00414511
0x00414513
0x00414518
0x0041453c
0x00414524
0x00414528
0x00414540
0x00414540
0x00414542
0x00414544
0x00414598
0x00414598
0x004145a4
0x004145af
0x004145bd
0x004145bd
0x00414546
0x00414548
0x00414554
0x00414559
0x0041455f
0x0041456a
0x00414579
0x00414579
0x0041457e
0x00414584
0x0041458a
0x00414590
0x00414595
0x0041454a
0x0041454a
0x0041454a
0x00000000
0x00414548
0x0041452a
0x00414532
0x00000000
0x00000000
0x00414534
0x00414537
0x00000000
0x00414537
0x0041451d
0x00414522
0x00000000
0x00000000
0x00000000

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004144EC

Part of subcall function 004120D0: std::_Lockit::_Lockit.LIBCPMT ref: 004120FF

std::bad_exception::bad_exception.LIBCMT ref: 0041456A
__CxxThrowException@8.LIBCMT ref: 00414579
std::locale::facet::facet_Register.LIBCPMT ref: 00414590

Strings

bad cast, xrefs: 00414561

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
String ID: bad cast
API String ID: 2820251361-3145022300
Opcode ID: ae5ce08d895f13aa64f755791156dcb147ce6eeeaf8bad35840a54b217a3531f
Instruction ID: 10fa5c2307eb7ccd21b706b0d4e6fe61f273f31eb126e851c76d83ac48783979
Opcode Fuzzy Hash: ae5ce08d895f13aa64f755791156dcb147ce6eeeaf8bad35840a54b217a3531f
Instruction Fuzzy Hash: 5021EC71508321AFC714DF10D845BAAB7A5FBC4720F04061EF556AB392E738AD85CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00620000, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00620000(void* __ebx, void* __ebp, long long __fp0, intOrPtr* _a4, char _a12) {
				void* __edi;
				void* __esi;
				intOrPtr _t16;
				void* _t21;
				intOrPtr* _t25;
				signed int _t28;
				intOrPtr _t31;
				void* _t32;
				void* _t33;
				intOrPtr _t37;
				intOrPtr* _t42;
				void* _t44;
				long long* _t45;
				void* _t46;
				long long _t57;

				_t57 = __fp0;
				_t33 = __ebx;
				_t41 = _a12;
				if(_a12 == 0) {
					_t41 =  &_a12;
				}
				_t42 = _a4;
				if( *((intOrPtr*)( *((intOrPtr*)( *_t42 + 0x48))))() != 0) {
					L4:
					_t16 =  *_t42;
					_t40 =  *((intOrPtr*)(_t16 + 0x4c));
					 *( *((intOrPtr*)(_t16 + 0x4c)))(0);
					E0061F4A0(_t42, _t57);
					_t45 = _t44 - 8;
					 *_t45 = _t57;
					_push(L"[%f] ");
					E006D959B(_t33,  *((intOrPtr*)(_t16 + 0x4c)), _t41, _t42, _t50);
					_t44 = _t45 + 0xc;
					L5:
					_t51 = _a12;
					if(_a12 != 0) {
						_push(0x786124);
						E006D959B(_t33, _t40, _t41, _t42, _t51);
						_t44 = _t44 + 4;
					}
					_t21 = E006D9547(_a4, _t41);
					_t46 = _t44 + 8;
					if(_t21 <= 0) {
						L13:
						_push(E00588C1A() + 0x20);
						return E0057380A(_t33, _t40, _t41, _t42, E00588C1A() + 0x20);
					} else {
						_t40 = _a4;
						_t25 = _t40;
						_t42 = _t25 + 2;
						do {
							_t37 =  *_t25;
							_t25 = _t25 + 2;
						} while (_t37 != 0);
						_t28 =  *(_t40 + (_t25 - _t42 >> 1) * 2 - 2) & 0x0000ffff;
						if(_t28 != 0xd) {
							_t55 = _t28 - 0xa;
							if(_t28 != 0xa) {
								_push(0x74ac3c);
								E006D959B(_t33, _t40, _t41, _t42, _t55);
								_t46 = _t46 + 4;
							}
						}
						goto L13;
					}
				}
				_t31 =  *_t42;
				_t40 =  *((intOrPtr*)(_t31 + 0x50));
				_t32 =  *((intOrPtr*)( *((intOrPtr*)(_t31 + 0x50))))();
				_t50 = _t32;
				if(_t32 == 0) {
					goto L5;
				}
				goto L4;
			}

0x00620000
0x00620000
0x00620002
0x00620008
0x0062000a
0x0062000a
0x0062000e
0x0062001d
0x0062002c
0x0062002c
0x0062002e
0x00620035
0x00620039
0x0062003e
0x00620041
0x00620044
0x00620049
0x0062004e
0x00620051
0x00620051
0x00620056
0x00620058
0x0062005d
0x00620062
0x00620062
0x0062006b
0x00620070
0x00620075
0x006200ad
0x006200b5
0x006200c0
0x00620077
0x00620077
0x0062007b
0x0062007d
0x00620080
0x00620080
0x00620083
0x00620086
0x0062008f
0x00620098
0x0062009a
0x0062009e
0x006200a0
0x006200a5
0x006200aa
0x006200aa
0x0062009e
0x00000000
0x00620098
0x00620075
0x0062001f
0x00620021
0x00620026
0x00620028
0x0062002a
0x00000000
0x00000000
0x00000000

APIs

_printf.LIBCMT ref: 00620049
_printf.LIBCMT ref: 0062005D
_vwprintf.LIBCMT ref: 0062006B
_printf.LIBCMT ref: 006200A5

Strings

[%f] , xrefs: 00620044

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: _printf$_vwprintf
String ID: [%f]
API String ID: 3054331231-1714217608
Opcode ID: 4c2fc97d2da446e3a5d82176a6739ad04135a404399d6431224c075484fdff80
Instruction ID: 67275cb42405f9b3da3de8ba541585962bccd91b870957d031b6929a919e1b64
Opcode Fuzzy Hash: 4c2fc97d2da446e3a5d82176a6739ad04135a404399d6431224c075484fdff80
Instruction Fuzzy Hash: A41106B5A006115BEA21FB28E805B9E7793AFD8700F044459F98157346EA31ED45C7A3

Uniqueness

Uniqueness Score: -1.00%

Function 006226B0, Relevance: 7.7, APIs: 5, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E006226B0(void* __ecx, void* __ebp, signed int _a4, signed int _a8, intOrPtr _a12, signed int _a16) {
				signed int _v4;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t64;
				signed int _t68;
				intOrPtr _t70;
				signed int _t75;
				intOrPtr _t76;
				intOrPtr _t89;
				signed int _t97;
				signed int _t101;
				intOrPtr _t103;
				signed int _t105;
				intOrPtr _t109;
				intOrPtr* _t110;
				intOrPtr* _t112;
				signed int _t123;
				signed int _t135;
				signed int _t136;
				signed int _t139;
				signed int _t142;
				intOrPtr _t146;
				void* _t148;
				void* _t149;
				signed int _t150;
				intOrPtr* _t152;
				void* _t156;

				_t149 = __ebp;
				_t148 = __ecx;
				_t103 = _a12;
				if(_t103 == 0) {
					L12:
					_t142 = _a4;
					__eflags =  *(_t148 + 0x14) - _t142;
					if(__eflags < 0) {
						E005C6EBE(_t100, _t142, _t148, __eflags);
					}
					_t64 =  *(_t148 + 0x14);
					_push(_t149);
					_t150 = _a8;
					_t105 = _t64 - _t142;
					__eflags = _t105 - _t150;
					if(_t105 < _t150) {
						_t150 = _t105;
					}
					_t101 = _a16;
					_t125 = (_t123 | 0xffffffff) - _t101;
					__eflags = (_t123 | 0xffffffff) - _t101 - _t64 - _t150;
					if(__eflags <= 0) {
						E005C6E86(_t101, _t125, _t142, _t148, __eflags);
					}
					_t108 =  *(_t148 + 0x14) - _t142 - _t150;
					_a16 =  *(_t148 + 0x14) - _t142 - _t150;
					__eflags = _t101 - _t150;
					if(_t101 < _t150) {
						_t89 =  *((intOrPtr*)(_t148 + 0x18));
						__eflags = _t89 - 8;
						if(_t89 < 8) {
							_t135 = _t148 + 4;
						} else {
							_t135 =  *((intOrPtr*)(_t148 + 4));
						}
						_a4 = _t135;
						__eflags = _t89 - 8;
						if(_t89 < 8) {
							_t136 = _t148 + 4;
						} else {
							_t136 =  *((intOrPtr*)(_t148 + 4));
						}
						_a8 = _t136;
						__eflags = _t89 - _t142 - _t101 + _t89 - _t142 - _t101;
						_t125 = _a8 + (_t142 + _t101) * 2;
						E0056FF76(_t101, _a8 + (_t142 + _t101) * 2, _t89 - _t142 - _t101 + _t89 - _t142 - _t101, _a4 + (_t142 + _t150) * 2, _t108 + _t108);
						_t156 = _t156 + 0x10;
					}
					__eflags = _t101;
					if(_t101 > 0) {
						L28:
						_t68 =  *(_t148 + 0x14) - _t150 + _t101;
						_a4 = _t68;
						__eflags = _t68 - 0x7ffffffe;
						if(__eflags > 0) {
							E005C6E86(_t101, _t125, _t142, _t148, __eflags);
							_t68 = _a4;
						}
						_t109 =  *((intOrPtr*)(_t148 + 0x18));
						__eflags = _t109 - _t68;
						if(_t109 >= _t68) {
							__eflags = _t68;
							if(__eflags != 0) {
								goto L32;
							} else {
								 *(_t148 + 0x14) = _t68;
								__eflags = _t109 - 8;
								if(_t109 < 8) {
									__eflags = 0;
									 *((short*)(_t148 + 4)) = 0;
									return _t148;
								} else {
									__eflags = 0;
									 *((short*)( *((intOrPtr*)(_t148 + 4)))) = 0;
									return _t148;
								}
							}
						} else {
							E00403B10(_t148, _t68,  *(_t148 + 0x14));
							__eflags = _v4;
							L32:
							if(__eflags > 0) {
								__eflags = _t150 - _t101;
								if(_t150 < _t101) {
									_t76 =  *((intOrPtr*)(_t148 + 0x18));
									_t112 = _t148 + 4;
									__eflags = _t76 - 8;
									if(_t76 < 8) {
										_a8 = _t112;
									} else {
										_a8 =  *_t112;
									}
									__eflags = _t76 - 8;
									if(_t76 >= 8) {
										_t112 =  *_t112;
									}
									__eflags = _t76 - _t142 - _t101 + _t76 - _t142 - _t101;
									E0056FF76(_t101, _t112 + (_t142 + _t101) * 2, _t76 - _t142 - _t101 + _t76 - _t142 - _t101, _a8 + (_t142 + _t150) * 2, _a16 + _a16);
									_t156 = _t156 + 0x10;
								}
								_t70 =  *((intOrPtr*)(_t148 + 0x18));
								_t152 = _t148 + 4;
								__eflags = _t70 - 8;
								if(_t70 < 8) {
									_t110 = _t152;
								} else {
									_t110 =  *_t152;
								}
								E0056F99E(_t101, _t110, _t110 + _t142 * 2, _t70 - _t142 + _t70 - _t142, _a12, _t101 + _t101);
								_t75 = _a4;
								__eflags =  *((intOrPtr*)(_t148 + 0x18)) - 8;
								 *(_t148 + 0x14) = _t75;
								if( *((intOrPtr*)(_t148 + 0x18)) >= 8) {
									_t152 =  *_t152;
								}
								__eflags = 0;
								 *((short*)(_t152 + _t75 * 2)) = 0;
							}
							goto L50;
						}
					} else {
						__eflags = _t150;
						if(_t150 <= 0) {
							L50:
							return _t148;
						} else {
							goto L28;
						}
					}
				} else {
					_t146 =  *((intOrPtr*)(__ecx + 0x18));
					_t97 = __ecx + 4;
					if(_t146 < 8) {
						_t123 = _t97;
					} else {
						_t123 =  *_t97;
					}
					if(_t103 < _t123) {
						goto L12;
					} else {
						if(_t146 < 8) {
							_t139 = _t97;
						} else {
							_t139 =  *_t97;
						}
						_t100 =  *(_t148 + 0x14);
						_t123 = _t139 +  *(_t148 + 0x14) * 2;
						if(_t123 <= _t103) {
							goto L12;
						} else {
							if(_t146 >= 8) {
								_t97 =  *_t97;
							}
							_push(_a16);
							_push(_t103 - _t97 >> 1);
							_push(_t148);
							_push(_a8);
							_push(_a4);
							return E00621F60();
						}
					}
				}
			}

0x006226b0
0x006226b2
0x006226b4
0x006226bb
0x00622710
0x00622710
0x00622714
0x00622717
0x00622719
0x00622719
0x0062271e
0x00622723
0x00622724
0x00622728
0x0062272a
0x0062272c
0x0062272e
0x0062272e
0x00622730
0x00622739
0x0062273b
0x0062273d
0x0062273f
0x0062273f
0x00622749
0x0062274b
0x0062274f
0x00622751
0x00622753
0x00622756
0x00622759
0x00622760
0x0062275b
0x0062275b
0x0062275b
0x00622763
0x00622767
0x0062276a
0x00622771
0x0062276c
0x0062276c
0x0062276c
0x0062277b
0x0062278e
0x00622794
0x00622798
0x0062279d
0x0062279d
0x006227a0
0x006227a2
0x006227ac
0x006227b1
0x006227b3
0x006227b7
0x006227bc
0x006227be
0x006227c3
0x006227c3
0x006227c7
0x006227ca
0x006227cc
0x006227fd
0x006227ff
0x00000000
0x00622801
0x00622801
0x00622804
0x00622807
0x0062281e
0x00622821
0x00622828
0x00622809
0x0062280d
0x00622810
0x00622817
0x00622817
0x00622807
0x006227ce
0x006227d5
0x006227de
0x006227e0
0x006227e0
0x006227e6
0x006227e8
0x006227ea
0x006227ed
0x006227f0
0x006227f3
0x0062282b
0x006227f5
0x006227f7
0x006227f7
0x0062282f
0x00622832
0x00622834
0x00622834
0x0062284d
0x00622857
0x0062285c
0x0062285c
0x0062285f
0x00622862
0x00622865
0x00622868
0x0062286f
0x0062286a
0x0062286a
0x0062286a
0x00622883
0x00622888
0x0062288f
0x00622893
0x00622896
0x00622898
0x00622898
0x0062289b
0x0062289d
0x0062289d
0x00000000
0x006227e0
0x006227a4
0x006227a4
0x006227a6
0x006228a2
0x006228a8
0x00000000
0x00000000
0x00000000
0x006227a6
0x006226bd
0x006226bd
0x006226c0
0x006226c6
0x006226cc
0x006226c8
0x006226c8
0x006226c8
0x006226d0
0x00000000
0x006226d2
0x006226d5
0x006226db
0x006226d7
0x006226d7
0x006226d7
0x006226dd
0x006226e0
0x006226e5
0x00000000
0x006226e7
0x006226ea
0x006226ec
0x006226ec
0x006226f8
0x006226fb
0x00622700
0x00622701
0x00622702
0x0062270d
0x0062270d
0x006226e5
0x006226d0

APIs

std::_String_base::_Xlen.LIBCPMT ref: 0062273F
_memmove_s.LIBCMT ref: 00622798
std::_String_base::_Xlen.LIBCPMT ref: 006227BE

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: String_base::_Xlenstd::_$_memmove_s
String ID:
API String ID: 3596149717-0
Opcode ID: 7a98916fc08560951c5a65eadd76c6caf68842e045ec762e06981a30a9d269b0
Instruction ID: b8f0f98b072056702ed4cedb31ddb90cf248419be2b389c2a5a290de67550463
Opcode Fuzzy Hash: 7a98916fc08560951c5a65eadd76c6caf68842e045ec762e06981a30a9d269b0
Instruction Fuzzy Hash: A361C371704A179F8724DE68E9E486BB3E7FFC4700B108A2DE446CB655E730E909CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040C4C0, Relevance: 7.7, APIs: 5, Instructions: 202
windowCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E0040C4C0(void* __ecx, int _a4, long* _a8) {
				signed int _v4;
				char _v524;
				int _v540;
				char* _v544;
				short _v556;
				void* _v564;
				intOrPtr _v588;
				char _v596;
				int _v600;
				intOrPtr _v608;
				signed int _v612;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t46;
				long _t48;
				signed int _t53;
				signed int _t56;
				intOrPtr _t64;
				intOrPtr* _t67;
				intOrPtr _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr* _t86;
				signed int _t90;
				void* _t93;
				long _t94;
				long _t95;
				void* _t97;
				long _t102;
				intOrPtr _t110;
				signed int _t117;
				void* _t124;
				void* _t125;
				int _t127;
				void* _t128;
				long* _t130;
				intOrPtr* _t131;
				void* _t133;
				intOrPtr _t135;
				int _t136;
				void* _t139;
				signed int _t140;

				_t140 = _t139 - 0x234;
				_t46 =  *0x877864; // 0xf691760e
				_v4 = _t46 ^ _t140;
				_push(_t93);
				_t130 = _a8;
				_t48 =  *_t130;
				_t124 = __ecx;
				_t117 =  *((intOrPtr*)(_t48 - 8)) - 0x104;
				if((0x00000001 -  *((intOrPtr*)(_t48 - 0x10 + 0xc)) | _t117) < 0) {
					_push(0x104);
					E00402E90(_t93, _t130);
				}
				_t135 =  *0x74983c;
				_t94 = SendMessageW( *(_t124 + 0x98), 0x466, 0x104,  *_t130);
				_t53 =  *_t130;
				_t102 =  *(_t53 - 8);
				if(_t53 == 0) {
					L4:
					_t102 =  *_t130;
					if(_t53 >  *((intOrPtr*)(_t102 - 8))) {
						goto L11;
					} else {
						 *(_t102 - 0xc) = _t53;
						_t121 = 0;
						 *((short*)( *_t130 + _t53 * 2)) = 0;
						if(_t94 >= 0) {
							_v556 = 0;
							_v544 =  &_v524;
							_v540 = 0x104;
							SendMessageW( *(_t124 + 0xac), 0x1073, _a4,  &_v564);
							E00533130(_t130);
							_t86 =  &_v524;
							_t140 = _t140 + 4;
							_t121 = _t86 + 2;
							do {
								_t110 =  *_t86;
								_t86 = _t86 + 2;
							} while (_t110 != 0);
							E00404610(_t94, _t130, _t124,  &_v524, _t86 - _t121 >> 1);
							_t90 = 1;
						} else {
							_t90 = 0;
						}
						_pop(_t128);
						_pop(_t133);
						_pop(_t97);
						return E0056F98F(_t90, _t97, _v4 ^ _t140, _t121, _t128, _t133);
					}
				} else {
					_t53 = E0057078F(_t53, _t102);
					_t140 = _t140 + 8;
					if(_t53 < 0) {
						L11:
						_push(0x80070057);
						E00401460(_t102, _t124, _t130, _t135);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0xffffffff);
						_push(0x6f0980);
						_push( *[fs:0x0]);
						_push(_t94);
						_push(_t135);
						_push(_t130);
						_push(_t124);
						_t56 =  *0x877864; // 0xf691760e
						_push(_t56 ^ _t140 - 0x00000010);
						 *[fs:0x0] =  &_v596;
						_t95 = _t102;
						_v612 = 1;
						E00403680();
						_v588 = 0;
						SetCurrentDirectoryW( *(_t95 + 0x80));
						_t131 =  *((intOrPtr*)(_t95 + 4));
						_t136 =  *(_t95 + 0x18);
						while(1) {
							_t125 =  *( *(_t95 + 0x18));
							_t64 =  *((intOrPtr*)(_t95 + 4));
							if(_t131 == 0 || _t131 != _t64) {
								E005709F4();
							}
							if(_t136 == _t125) {
								break;
							}
							_v600 = _t136;
							if(_t131 == 0) {
								E005709F4();
							}
							_t127 = _a4;
							if(_t131 == 0) {
								_t71 = 0;
							} else {
								_t71 =  *_t131;
							}
							if(_t127 ==  *((intOrPtr*)(_t71 + 0x14))) {
								E005709F4();
							}
							if(_t131 != 0) {
								_t72 =  *_t131;
							} else {
								E005709F4();
								_t72 = 0;
							}
							if(_t127 ==  *((intOrPtr*)(_t72 + 0x14))) {
								E005709F4();
							}
							_v612 = _v612 & RemoveDirectoryW( *(_t127 + 8));
							if(_t131 == 0) {
								E005709F4();
							}
							_t136 = _a4;
							if(_t131 == 0) {
								_t75 = 0;
							} else {
								_t75 =  *_t131;
							}
							if(_t136 ==  *((intOrPtr*)(_t75 + 0x14))) {
								E005709F4();
							}
						}
						_v588 = 0xffffffff;
						_t67 = _v608 + 0xfffffff0;
						asm("lock xadd [ecx], edx");
						if((_t117 | 0xffffffff) - 1 <= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t67)) + 4))))(_t67);
						}
						 *[fs:0x0] = _v596;
						return _v612;
					} else {
						goto L4;
					}
				}
			}

0x0040c4c0
0x0040c4c6
0x0040c4cd
0x0040c4d4
0x0040c4d7
0x0040c4de
0x0040c4e7
0x0040c4f1
0x0040c4f9
0x0040c4fb
0x0040c502
0x0040c502
0x0040c509
0x0040c523
0x0040c525
0x0040c527
0x0040c52c
0x0040c540
0x0040c540
0x0040c545
0x00000000
0x0040c54b
0x0040c54b
0x0040c550
0x0040c552
0x0040c558
0x0040c57c
0x0040c58c
0x0040c59c
0x0040c5a4
0x0040c5a7
0x0040c5ac
0x0040c5b0
0x0040c5b3
0x0040c5b6
0x0040c5b6
0x0040c5b9
0x0040c5bc
0x0040c5cd
0x0040c5d2
0x0040c55a
0x0040c55a
0x0040c55a
0x0040c563
0x0040c564
0x0040c566
0x0040c574
0x0040c574
0x0040c52e
0x0040c530
0x0040c535
0x0040c53a
0x0040c5d9
0x0040c5d9
0x0040c5de
0x0040c5e3
0x0040c5e4
0x0040c5e5
0x0040c5e6
0x0040c5e7
0x0040c5e8
0x0040c5e9
0x0040c5ea
0x0040c5eb
0x0040c5ec
0x0040c5ed
0x0040c5ee
0x0040c5ef
0x0040c5f0
0x0040c5f2
0x0040c5fd
0x0040c601
0x0040c602
0x0040c603
0x0040c604
0x0040c605
0x0040c60c
0x0040c611
0x0040c617
0x0040c61d
0x0040c625
0x0040c62a
0x0040c639
0x0040c642
0x0040c645
0x0040c647
0x0040c64a
0x0040c64c
0x0040c651
0x0040c657
0x0040c657
0x0040c65e
0x00000000
0x00000000
0x0040c660
0x0040c666
0x0040c668
0x0040c668
0x0040c66d
0x0040c672
0x0040c678
0x0040c674
0x0040c674
0x0040c674
0x0040c67d
0x0040c67f
0x0040c67f
0x0040c686
0x0040c6bb
0x0040c688
0x0040c688
0x0040c68d
0x0040c68d
0x0040c692
0x0040c694
0x0040c694
0x0040c6a3
0x0040c6a9
0x0040c6ab
0x0040c6ab
0x0040c6b0
0x0040c6b5
0x0040c6bf
0x0040c6b7
0x0040c6b7
0x0040c6b7
0x0040c6c4
0x0040c6c6
0x0040c6c6
0x0040c6c4
0x0040c6d0
0x0040c6dc
0x0040c6e5
0x0040c6ec
0x0040c6f6
0x0040c6f6
0x0040c700
0x0040c70f
0x00000000
0x00000000
0x00000000
0x0040c53a

APIs

SendMessageW.USER32(?,00000466,00000104,F69175FE), ref: 0040C521
_wcsnlen.LIBCMT ref: 0040C530
SendMessageW.USER32 ref: 0040C5A4
SetCurrentDirectoryW.KERNEL32(?), ref: 0040C639
RemoveDirectoryW.KERNEL32(?), ref: 0040C69D

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: DirectoryMessageSend$CurrentRemove_wcsnlen
String ID:
API String ID: 3938141628-0
Opcode ID: 207b44f670fcd3b8e9fef96be2d20a872f0fa96a262133beb5174130018b6a34
Instruction ID: 17a9b4a8d42686428f68ec88832d215a1429a1390c8c7237210a6a7f12deb480
Opcode Fuzzy Hash: 207b44f670fcd3b8e9fef96be2d20a872f0fa96a262133beb5174130018b6a34
Instruction Fuzzy Hash: E4619F71604201DFC720EF68D885A6BB7E4FF88310F104A2AE559AB391D775E900CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00621D30, Relevance: 7.7, APIs: 5, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00621D30(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t51;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t62;
				intOrPtr _t63;
				signed int _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t82;
				signed int _t83;
				intOrPtr* _t89;
				intOrPtr* _t91;
				intOrPtr* _t93;
				void* _t96;
				intOrPtr* _t97;
				intOrPtr _t99;
				intOrPtr* _t101;
				signed int _t105;
				void* _t106;
				intOrPtr _t107;
				signed int _t109;
				intOrPtr* _t113;
				void* _t114;
				void* _t115;
				signed int _t124;

				_t96 = __edx;
				_t82 =  *((intOrPtr*)(_t114 + 0x10));
				_t107 =  *((intOrPtr*)(_t114 + 0x10));
				_t105 =  *(_t114 + 0x14);
				_t106 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x14)) < _t105) {
					L2:
					E005C6EBE(_t82, _t105, _t106, _t118);
				} else {
					_t118 =  *((intOrPtr*)(_t107 + 0x14)) - _t82;
					if( *((intOrPtr*)(_t107 + 0x14)) < _t82) {
						goto L2;
					}
				}
				_t51 =  *((intOrPtr*)(_t107 + 0x14)) - _t82;
				_t83 =  *(_t114 + 0x20);
				if(_t51 < _t83) {
					_t83 = _t51;
				}
				_t120 = (_t51 | 0xffffffff) -  *(_t106 + 0x14) - _t83;
				if((_t51 | 0xffffffff) -  *(_t106 + 0x14) <= _t83) {
					E005C6E86(_t83, _t96, _t105, _t106, _t120);
				}
				if(_t83 <= 0) {
					L42:
					return _t106;
				} else {
					_t109 =  *(_t106 + 0x14) + _t83;
					 *(_t114 + 0x14) = _t109;
					_t122 = _t109 - 0x7ffffffe;
					if(_t109 > 0x7ffffffe) {
						E005C6E86(_t83, _t96, _t105, _t106, _t122);
					}
					_t55 =  *((intOrPtr*)(_t106 + 0x18));
					if(_t55 >= _t109) {
						__eflags = _t109;
						if(_t109 != 0) {
							goto L12;
						} else {
							 *(_t106 + 0x14) = _t109;
							__eflags = _t55 - 8;
							if(_t55 < 8) {
								__eflags = 0;
								 *((short*)(_t106 + 4)) = 0;
								return _t106;
							} else {
								__eflags = 0;
								 *((short*)( *((intOrPtr*)(_t106 + 4)))) = 0;
								return _t106;
							}
						}
					} else {
						E00403B10(_t106, _t109,  *(_t106 + 0x14));
						_t124 = _t109;
						L12:
						if(_t124 > 0) {
							_t56 =  *((intOrPtr*)(_t106 + 0x18));
							_t89 = _t106 + 4;
							if(_t56 < 8) {
								_t97 = _t89;
							} else {
								_t97 =  *_t89;
							}
							if(_t56 >= 8) {
								_t89 =  *_t89;
							}
							E0056FF76(_t83, _t89 + (_t105 + _t83) * 2, _t56 - _t105 - _t83 + _t56 - _t105 - _t83, _t97 + _t105 * 2,  *(_t106 + 0x14) - _t105 +  *(_t106 + 0x14) - _t105);
							_t62 =  *((intOrPtr*)(_t114 + 0x28));
							_t115 = _t114 + 0x10;
							if(_t106 != _t62) {
								__eflags =  *((intOrPtr*)(_t62 + 0x18)) - 8;
								if( *((intOrPtr*)(_t62 + 0x18)) < 8) {
									_t99 = _t62 + 4;
								} else {
									_t99 =  *((intOrPtr*)(_t62 + 4));
								}
								_t63 =  *((intOrPtr*)(_t106 + 0x18));
								_t113 = _t106 + 4;
								__eflags = _t63 - 8;
								if(_t63 < 8) {
									_t91 = _t113;
								} else {
									_t91 =  *_t113;
								}
								__eflags = _t63 - _t105 + _t63 - _t105;
								E0056F99E( *(_t115 + 0x20), _t91, _t91 + _t105 * 2, _t63 - _t105 + _t63 - _t105, _t99 +  *(_t115 + 0x20) * 2, _t83 + _t83);
							} else {
								_t69 =  *((intOrPtr*)(_t115 + 0x1c));
								if(_t105 < _t69) {
									_t69 = _t69 + _t83;
								}
								 *((intOrPtr*)(_t115 + 0x1c)) = _t69;
								_t70 =  *((intOrPtr*)(_t106 + 0x18));
								_t113 = _t106 + 4;
								if(_t70 < 8) {
									_t101 = _t113;
								} else {
									_t101 =  *_t113;
								}
								if(_t70 < 8) {
									_t93 = _t113;
								} else {
									_t93 =  *_t113;
								}
								E0056FF76( *(_t115 + 0x20), _t93 + _t105 * 2, _t70 - _t105 + _t70 - _t105, _t101 +  *(_t115 + 0x20) * 2, _t83 + _t83);
							}
							_t68 =  *(_t115 + 0x24);
							 *(_t106 + 0x14) = _t68;
							if( *((intOrPtr*)(_t106 + 0x18)) >= 8) {
								_t113 =  *_t113;
							}
							 *((short*)(_t113 + _t68 * 2)) = 0;
						}
						goto L42;
					}
				}
			}

0x00621d30
0x00621d31
0x00621d36
0x00621d3c
0x00621d40
0x00621d45
0x00621d4c
0x00621d4c
0x00621d47
0x00621d47
0x00621d4a
0x00000000
0x00000000
0x00621d4a
0x00621d54
0x00621d56
0x00621d5c
0x00621d5e
0x00621d5e
0x00621d66
0x00621d68
0x00621d6a
0x00621d6a
0x00621d71
0x00621eb3
0x00621eb8
0x00621d77
0x00621d7a
0x00621d7c
0x00621d80
0x00621d86
0x00621d88
0x00621d88
0x00621d8d
0x00621d92
0x00621db7
0x00621db9
0x00000000
0x00621dbb
0x00621dbb
0x00621dbe
0x00621dc1
0x00621dd7
0x00621dda
0x00621de2
0x00621dc3
0x00621dc6
0x00621dc9
0x00621dd1
0x00621dd1
0x00621dc1
0x00621d94
0x00621d9b
0x00621da0
0x00621da2
0x00621da2
0x00621da8
0x00621dab
0x00621db1
0x00621de5
0x00621db3
0x00621db3
0x00621db3
0x00621dea
0x00621dec
0x00621dec
0x00621e08
0x00621e0d
0x00621e11
0x00621e16
0x00621e5f
0x00621e63
0x00621e6a
0x00621e65
0x00621e65
0x00621e65
0x00621e6d
0x00621e70
0x00621e73
0x00621e76
0x00621e7d
0x00621e78
0x00621e78
0x00621e78
0x00621e8c
0x00621e93
0x00621e18
0x00621e18
0x00621e1e
0x00621e20
0x00621e20
0x00621e22
0x00621e26
0x00621e29
0x00621e2f
0x00621e36
0x00621e31
0x00621e31
0x00621e31
0x00621e3b
0x00621e42
0x00621e3d
0x00621e3d
0x00621e3d
0x00621e58
0x00621e58
0x00621e98
0x00621ea3
0x00621ea6
0x00621ea8
0x00621ea8
0x00621ead
0x00621ead
0x00000000
0x00621da2
0x00621d92

APIs

std::_String_base::_Xlen.LIBCPMT ref: 00621D6A
std::_String_base::_Xlen.LIBCPMT ref: 00621D88
_memmove_s.LIBCMT ref: 00621E08
_memmove_s.LIBCMT ref: 00621E58

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: String_base::_Xlen_memmove_sstd::_
String ID:
API String ID: 2295234635-0
Opcode ID: cb26b33b8263706d9fd94c0566f6d95352fdbca99d3edd6dfd42264a0d58372f
Instruction ID: fe090735d5426c3463d9d60424ec6f1e88acd7b49ec4e3c41cbb54796fe856db
Opcode Fuzzy Hash: cb26b33b8263706d9fd94c0566f6d95352fdbca99d3edd6dfd42264a0d58372f
Instruction Fuzzy Hash: 3951B631208B198B8720DF58EDC486AB3F7FFA6301B514A6DE491CB611E730EA45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00575426, Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00575426(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x846eb8);
				E00576AF4(__ebx, __edi, __esi);
				_t31 = E0057BA6A(__ebx, __edx, __edi, _t35);
				_t15 =  *0x878138; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E005870E4(_t25, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x877d60; // 0x27c2c48
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x877938;
								if(__eflags != 0) {
									_push(_t33);
									E00572061(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x877d60; // 0x27c2c48
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x877d60; // 0x27c2c48
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E005754C1();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E00579BF7(_t29, _t31, 0x20);
				}
				return E00576B39(_t33);
			}

0x00575426
0x00575426
0x00575426
0x00575426
0x00575428
0x0057542d
0x00575437
0x00575439
0x00575441
0x00575462
0x00575468
0x0057546c
0x0057546f
0x00575472
0x00575478
0x0057547a
0x0057547c
0x0057547f
0x00575485
0x00575487
0x00575489
0x0057548f
0x00575491
0x00575492
0x00575497
0x0057548f
0x00575487
0x00575498
0x0057549d
0x005754a0
0x005754a6
0x005754aa
0x005754aa
0x005754b0
0x005754b7
0x00575449
0x00575449
0x00575449
0x0057544e
0x00575452
0x00575457
0x0057545f

APIs

__getptd.LIBCMT ref: 00575432

Part of subcall function 0057BA6A: __getptd_noexit.LIBCMT ref: 0057BA6D
Part of subcall function 0057BA6A: __amsg_exit.LIBCMT ref: 0057BA7A

__amsg_exit.LIBCMT ref: 00575452
__lock.LIBCMT ref: 00575462
InterlockedDecrement.KERNEL32(?), ref: 0057547F
InterlockedIncrement.KERNEL32(027C2C48), ref: 005754AA

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 0901312e7f980a9c554688be486ff60acc66d32c416aeffaa788bfcc2f15a30c
Instruction ID: 2ac78a3f0df863ff83d986678395c14c69fc7c2ea10a623af489bd37b9df12e6
Opcode Fuzzy Hash: 0901312e7f980a9c554688be486ff60acc66d32c416aeffaa788bfcc2f15a30c
Instruction Fuzzy Hash: 7301C831900B169BDB21AF24B84DB5D7F61BF41712F14C005F80CA7280DB7498C1EBE1

Uniqueness

Uniqueness Score: -1.00%

Function 004010A0, Relevance: 7.5, APIs: 5, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004010A0(void* __ecx, struct tagRECT* _a4) {
				long _t26;
				struct tagRECT* _t37;
				void* _t38;

				_t37 = _a4;
				_t38 = __ecx;
				MapDialogRect( *(__ecx + 0x20), _t37);
				_t37->left = MulDiv( *_t37,  *(_t38 + 0x78),  *(_t38 + 0x80));
				_t7 =  &(_t37->top); // 0x448b0675
				_t37->top = MulDiv( *_t7,  *(_t38 + 0x7c),  *(_t38 + 0x84));
				_t11 =  &(_t37->right); // 0x7012c24
				_t37->right = MulDiv( *_t11,  *(_t38 + 0x78),  *(_t38 + 0x80));
				_t15 =  &(_t37->bottom); // 0x3787e83
				_t26 = MulDiv( *_t15,  *(_t38 + 0x7c),  *(_t38 + 0x84));
				_t37->bottom = _t26;
				return _t26;
			}

0x004010a3
0x004010a7
0x004010ae
0x004010ca
0x004010d5
0x004010dd
0x004010e9
0x004010f1
0x004010fd
0x00401103
0x00401105
0x0040110b

APIs

MapDialogRect.USER32(0000005C,0044CB23), ref: 004010AE
MulDiv.KERNEL32(00000000,?,76921C00), ref: 004010C8
MulDiv.KERNEL32(448B0675,0044CB23,?), ref: 004010DB
MulDiv.KERNEL32(07012C24,?,76921C00), ref: 004010EF
MulDiv.KERNEL32(03787E83,0044CB23,?), ref: 00401103

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: DialogRect
String ID:
API String ID: 811346838-0
Opcode ID: e501a48b4559675cff7a34522b9b12c4dbfbd290f142b3867c4d40f1865b1fba
Instruction ID: 429462aa1b5da2b62d0f4f63ab234a833851784a1cc45ecba70b21865d5b3f8f
Opcode Fuzzy Hash: e501a48b4559675cff7a34522b9b12c4dbfbd290f142b3867c4d40f1865b1fba
Instruction Fuzzy Hash: 0C0123B9600A01AFD714DB69D884D67F7E9FB8D610B10CA1DE6A9C3710E774F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00572061, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 41%

			E00572061(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x846b28);
				_t8 = E00576AF4(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E00576B39(_t8);
				}
				if( *0x8aed30 != 3) {
					_push(_t23);
					L7:
					_t8 = HeapFree( *0x8aa2dc, 0, ??);
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E00576A0A(_t31);
						 *_t10 = E005769C8(GetLastError());
					}
					goto L9;
				}
				E005870E4(__ebx, 4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E00587212(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E00587242();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E005720B7();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

0x00572061
0x00572063
0x00572068
0x0057206d
0x00572072
0x005720e9
0x005720ee
0x005720ee
0x0057207b
0x005720c0
0x005720c1
0x005720c9
0x005720cf
0x005720d1
0x005720d3
0x005720e6
0x005720e8
0x00000000
0x005720d1
0x0057207f
0x00572085
0x0057208a
0x00572090
0x00572095
0x00572097
0x00572098
0x00572099
0x0057209f
0x005720a0
0x005720a7
0x005720b0
0x00000000
0x005720b2
0x005720b2
0x00000000
0x005720b2

APIs

__lock.LIBCMT ref: 0057207F

Part of subcall function 005870E4: __mtinitlocknum.LIBCMT ref: 005870FA
Part of subcall function 005870E4: __amsg_exit.LIBCMT ref: 00587106
Part of subcall function 005870E4: RtlEnterCriticalSection.NTDLL(?), ref: 0058710E

___sbh_find_block.LIBCMT ref: 0057208A
___sbh_free_block.LIBCMT ref: 00572099
HeapFree.KERNEL32(00000000,00402F93,00846B28,0000000C,005870C5,00000000,008473D0,0000000C,005870FF,00402F93,?,?,0058C36A,00000004,008475B0,0000000C), ref: 005720C9
GetLastError.KERNEL32(?,0058C36A,00000004,008475B0,0000000C,00581254,00402F93,?,00000000,00000000,00000000,?,0057BA1C,00000001,00000214), ref: 005720DA

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 2c41d3bbaa24b791d76aaf54a877c0ea1d428914cd3ab114549b7a00e2d834de
Instruction ID: 912eeccdf80d11c9b567ff9e73cb7cda32ef46fa519d3ae3fc2706aeae72ed36
Opcode Fuzzy Hash: 2c41d3bbaa24b791d76aaf54a877c0ea1d428914cd3ab114549b7a00e2d834de
Instruction Fuzzy Hash: B1018F3190520AAADB307B74BC0EB5E3FA0FF41320F20C409F508A6191DB789980EB65

Uniqueness

Uniqueness Score: -1.00%

Function 00412C10, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 151
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00412C10(char __ecx, char __edx, void* __eflags, char _a8) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				char _v24;
				void* _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				char _v52;
				void* __edi;
				void* __esi;
				signed int _t72;
				void* _t91;
				char _t117;
				char* _t118;
				char* _t120;
				short _t123;
				short _t125;
				void* _t127;
				intOrPtr* _t128;
				char _t131;
				signed int _t133;
				void* _t134;

				_t117 = __edx;
				_push(0xffffffff);
				_push(0x6f14e0);
				_push( *[fs:0x0]);
				_push(_t127);
				_t72 =  *0x877864; // 0xf691760e
				_push(_t72 ^ _t133);
				 *[fs:0x0] =  &_v16;
				_v20 = _t134 - 0x24;
				_t131 = __ecx;
				_v36 = __ecx;
				_t128 = E005713C5(_t127, __ecx, __eflags);
				 *((intOrPtr*)(_t131 + 8)) = 0;
				 *((intOrPtr*)(_t131 + 0x10)) = 0;
				 *((intOrPtr*)(_t131 + 0x14)) = 0;
				_v8 = 0;
				_v32 = E005C6FB5(__edx);
				_v28 = _t117;
				_push( &_v32);
				_push(0);
				 *((intOrPtr*)(_t131 + 8)) = E00412B70( *((intOrPtr*)(_t128 + 8)));
				_v44 = E005C6FB5(_t117);
				_v40 = _t117;
				_t118 =  &_v44;
				_push(_t118);
				 *((intOrPtr*)(_t131 + 0x10)) = E004127D0("false", 0);
				_v52 = E005C6FB5(_t118);
				_v48 = _t118;
				_push( &_v52);
				 *((intOrPtr*)(_t131 + 0x14)) = E004127D0("true", 0);
				_v8 = 0xffffffff;
				_v52 = E005C6FB5(_t118);
				_v48 = _t118;
				_v24 =  *((intOrPtr*)( *_t128));
				_v28 = 0;
				_v36 = 0;
				_t120 =  &_v24;
				E005C71A4(_t120,  &_v28, _t120, 1,  &_v36,  &_v52);
				 *((short*)(_t131 + 0xc)) = _v28;
				_v52 = E005C6FB5(_t120);
				_v48 = _t120;
				_v24 =  *((intOrPtr*)( *((intOrPtr*)(_t128 + 4))));
				_v28 = 0;
				_v36 = 0;
				_t91 = E005C71A4( &_v36,  &_v28,  &_v24, 1,  &_v36,  &_v52);
				_t123 = _v28;
				 *((short*)(_t131 + 0xe)) = _t123;
				if(_a8 != 0) {
					E005C6FB5(_t123);
					_push( &_v52);
					_push(0);
					 *((intOrPtr*)(_t131 + 8)) = E00412B70(0x74a6ed);
					_v52 = E005C6FB5(_t123);
					_v48 = _t123;
					_a8 = 0x2e;
					_v28 = 0;
					_v36 = 0;
					E005C71A4( &_v36,  &_v28,  &_a8, 1,  &_v36,  &_v52);
					_t125 = _v28;
					 *((short*)(_t131 + 0xc)) = _t125;
					_v52 = E005C6FB5(_t125);
					_v48 = _t125;
					_a8 = 0x2c;
					_v28 = 0;
					_v36 = 0;
					_t91 = E005C71A4( &_a8,  &_v28,  &_a8, 1,  &_v36,  &_v52);
					 *((short*)(_t131 + 0xe)) = _v28;
				}
				 *[fs:0x0] = _v16;
				return _t91;
			}

0x00412c10
0x00412c13
0x00412c15
0x00412c20
0x00412c26
0x00412c27
0x00412c2e
0x00412c32
0x00412c38
0x00412c3b
0x00412c3d
0x00412c45
0x00412c49
0x00412c4c
0x00412c4f
0x00412c52
0x00412c5a
0x00412c5d
0x00412c63
0x00412c64
0x00412c6e
0x00412c76
0x00412c79
0x00412c7c
0x00412c7f
0x00412c8b
0x00412c93
0x00412c96
0x00412c9c
0x00412cab
0x00412cae
0x00412cba
0x00412cbd
0x00412cc4
0x00412cc7
0x00412cca
0x00412cd7
0x00412cdf
0x00412ce8
0x00412cf1
0x00412cf4
0x00412cfc
0x00412cff
0x00412d02
0x00412d17
0x00412d1f
0x00412d23
0x00412d2a
0x00412d30
0x00412d38
0x00412d39
0x00412d44
0x00412d4c
0x00412d4f
0x00412d52
0x00412d56
0x00412d59
0x00412d6e
0x00412d73
0x00412d77
0x00412d80
0x00412d83
0x00412d86
0x00412d8a
0x00412d8d
0x00412da2
0x00412dae
0x00412dae
0x00412db5
0x00412dc3

APIs

_localeconv.LIBCMT ref: 00412C40

Part of subcall function 005713C5: __getptd.LIBCMT ref: 005713C5

Part of subcall function 005C6FB5: ____lc_handle_func.LIBCMT ref: 005C6FB8
Part of subcall function 005C6FB5: ____lc_codepage_func.LIBCMT ref: 005C6FC0

Part of subcall function 005C71A4: ____lc_handle_func.LIBCMT ref: 005C71D8
Part of subcall function 005C71A4: ____lc_codepage_func.LIBCMT ref: 005C71E0
Part of subcall function 005C71A4: __GetLocaleForCP.LIBCPMT ref: 005C7209
Part of subcall function 005C71A4: ____mb_cur_max_l_func.LIBCMT ref: 005C721F
Part of subcall function 005C71A4: MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000002,?,00000000,00000000,00000001,?,00000000,00412868,00000000,?,?,?,?), ref: 005C723E
Part of subcall function 005C71A4: ____mb_cur_max_l_func.LIBCMT ref: 005C724C
Part of subcall function 005C71A4: ___pctype_func.LIBCMT ref: 005C7271
Part of subcall function 005C71A4: ____mb_cur_max_l_func.LIBCMT ref: 005C7297
Part of subcall function 005C71A4: ____mb_cur_max_l_func.LIBCMT ref: 005C72AF
Part of subcall function 005C71A4: ____mb_cur_max_l_func.LIBCMT ref: 005C72C7
Part of subcall function 005C71A4: MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,?,00000000,00000000,00000001,?,00000000,00412868,00000000,?,?,?,?), ref: 005C72D4

Part of subcall function 005C71A4: MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,00000000,00000001,?,00000000,00412868,00000000,?,?,?,?), ref: 005C7305

Strings

,, xrefs: 00412D86
true, xrefs: 00412C9E
false, xrefs: 00412C81

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: ____mb_cur_max_l_func$ByteCharMultiWide$____lc_codepage_func____lc_handle_func$Locale___pctype_func__getptd_localeconv
String ID: ,$false$true
API String ID: 2736391094-760133229
Opcode ID: 2819a324a739790238c7607ac4691ae6a6ba4a83427bb2393162aa6667ea8179
Instruction ID: d1e174b73e5cdb255e8666b9263776f8ca611b4cc7469ff14b2a0ac743c7ad05
Opcode Fuzzy Hash: 2819a324a739790238c7607ac4691ae6a6ba4a83427bb2393162aa6667ea8179
Instruction Fuzzy Hash: 5951E9B2C00609AECB11DFE9D881AEEFBB8FF48310F04852EE515A7240E7749644CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00624820, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93
windowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00624820(void* __eflags, void* __fp0, long _a4, intOrPtr _a8) {
				void* _v8;
				char _v16;
				intOrPtr _v20;
				short _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t20;
				signed short _t26;
				long _t29;
				void* _t35;
				short* _t36;
				void* _t37;
				void* _t50;
				short _t54;
				signed int _t56;
				void* _t57;
				intOrPtr _t58;
				void* _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				void* _t69;

				_t69 = __fp0;
				_push(0xffffffff);
				_push(0x735578);
				_push( *[fs:0x0]);
				_t58 = _t57 - 0x14;
				_push(_t37);
				_push(_t50);
				_t20 =  *0x877864; // 0xf691760e
				_push(_t20 ^ _t56);
				 *[fs:0x0] =  &_v16;
				_v20 = _t58;
				_t26 = E0061CD80( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(E0062AA00(0x8ac5c4, _t50))) + 0x40))))() & 0x0000ffff);
				_t59 = _t58 + 4;
				_t51 = _a4;
				_t29 = FormatMessageW(0x1100, 0, _a4, _t26 & 0xffff,  &_v24, 0, 0);
				_v8 = 0;
				if(_t29 <= 0) {
					_t54 = L"Unable to retrieve or format Windows Error message.";
				} else {
					_t36 = E00570BC8(_v24, 0xd);
					_t59 = _t59 + 8;
					if(_t36 != 0) {
						 *_t36 = 0;
					}
					_t54 = _v24;
				}
				_t60 = _t59 - 0x1c;
				_v28 = _t60;
				E00623C30(_t60, L"Windows function %s returned an error. Error code: %u", _a8);
				_v8 = 1;
				_t61 = _t60 - 0xc;
				_v32 = _t61;
				E00622AE0(_t61, 0x258f, _t54);
				_v8 = 2;
				_v36 = _t61 - 0x10;
				E0062A110(_t61 - 0x10, 0x258e, _t51);
				_v8 = 3;
				_push(0xfffffff4);
				_v8 = 0;
				_t35 = E006246E0(_t37, _t51, 0, _t69);
				_v8 = 0xffffffff;
				 *[fs:0x0] = _v16;
				return _t35;
			}

0x00624820
0x00624823
0x00624825
0x00624830
0x00624831
0x00624834
0x00624836
0x00624837
0x0062483e
0x00624842
0x00624848
0x00624862
0x00624867
0x00624879
0x00624884
0x0062488a
0x00624893
0x006248b1
0x00624895
0x0062489b
0x006248a0
0x006248a5
0x006248a9
0x006248a9
0x006248ac
0x006248ac
0x006248b6
0x006248bb
0x006248c9
0x006248ce
0x006248d2
0x006248d7
0x006248e1
0x006248e6
0x006248ef
0x006248f8
0x00624900
0x00624904
0x00624906
0x0062490a
0x00624912
0x0062491c
0x0062492a

APIs

FormatMessageW.KERNEL32(00001100,00000000,?,?,?,00000000,00000000), ref: 00624884
_wcschr.LIBCMT ref: 0062489B

Strings

Unable to retrieve or format Windows Error message., xrefs: 006248B1, 006248DA
Windows function %s returned an error. Error code: %u, xrefs: 006248C3

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: FormatMessage_wcschr
String ID: Unable to retrieve or format Windows Error message.$Windows function %s returned an error. Error code: %u
API String ID: 1380484177-955878296
Opcode ID: 3d533678e0449e0af7f3b4ae3e84e2542f40e5a0bd6c4751945c6feb490081fb
Instruction ID: 7ee41433359050a31a379cb0c10f922ec0bcfc7c33716e6e1e06487d2a4e4b9e
Opcode Fuzzy Hash: 3d533678e0449e0af7f3b4ae3e84e2542f40e5a0bd6c4751945c6feb490081fb
Instruction Fuzzy Hash: 6131EAB1E00654BBDB10EBA9DD06BAFBBB9EF45710F104269F514A73C1DB749A0087A2

Uniqueness

Uniqueness Score: -1.00%

Function 00404610, Relevance: 6.2, APIs: 4, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00404610(void* __ebx, intOrPtr* __ecx, void* __edi, intOrPtr _a4, short _a8) {
				char _v12;
				signed int _v16;
				void* __esi;
				void* __ebp;
				intOrPtr _t34;
				short _t36;
				signed int _t46;
				signed int _t54;
				intOrPtr _t57;
				intOrPtr* _t62;
				intOrPtr _t63;
				intOrPtr _t67;
				intOrPtr _t71;
				void* _t72;
				short _t80;
				void* _t83;
				signed int _t84;
				signed int _t85;
				signed int _t91;
				intOrPtr _t92;
				void* _t93;
				signed int _t102;
				signed int _t103;
				void* _t109;
				void* _t110;

				_t83 = __edi;
				_push(__ebx);
				_t62 = __ecx;
				_t34 =  *__ecx;
				_t67 = _a4;
				_t102 =  *(_t34 - 0xc);
				_t35 = _a8;
				_t91 = _t67 - _t34 >> 1;
				if(_a8 < 0) {
					_push(0x80070057);
					_t35 = E00401460(_t67, __edi, _t91, _t102);
				}
				if(_t67 != 0) {
					_t36 = E0057078F(_t67, _t35);
					_t109 = _t109 + 8;
					_a8 = _t36;
					_t80 = _t36;
				} else {
					_t80 = 0;
					_a8 = 0;
				}
				if(0x7fffffff - _t80 < _t102) {
					_push(0x80070057);
					E00401460(_t67, _t83, _t91, _t102);
				}
				_push(_t83);
				_t84 = _t80 + _t102;
				if((0x00000001 -  *((intOrPtr*)( *_t62 - 0x10 + 0xc)) |  *((intOrPtr*)( *_t62 - 0x10 + 8)) - _t84) < 0) {
					_push(_t84);
					E00402E90(_t62, _t62);
					_t80 = _a4;
				}
				_t71 =  *_t62;
				_t92 = _t71 + _t91 * 2;
				if(_t91 > _t102) {
					_t92 = _a4;
				}
				_t72 = _t71 + _t102 * 2;
				E0056F99E(_t62, _t72, _t72, _t80 + _t80, _t92, _t80 + _t80);
				_t110 = _t109 + 0x10;
				if(_t84 < 0) {
					L14:
					_push(0x80070057);
					E00401460(_t72, _t84, _t92, _t102);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t102);
					_t103 = _v16;
					_push(_t92);
					_t93 = _t72;
					__eflags = _t103 - 0x7ffffffe;
					if(__eflags > 0) {
						E005C6E86(_t62, _t80, _t84, _t93, __eflags);
					}
					_t46 =  *(_t93 + 0x18);
					__eflags = _t46 - _t103;
					if(_t46 >= _t103) {
						__eflags = _v12;
						if(_v12 == 0) {
							L27:
							__eflags = _t103;
							if(_t103 != 0) {
								L31:
								__eflags = 0 - _t103;
								asm("sbb eax, eax");
								return  ~_t46;
							} else {
								 *(_t93 + 0x14) = _t103;
								__eflags = _t46 - 8;
								if(_t46 < 8) {
									_t46 = 0;
									__eflags = 0;
									 *((short*)(_t93 + 4)) = 0;
									goto L31;
								} else {
									__eflags = 0 - _t103;
									 *((short*)( *((intOrPtr*)(_t93 + 4)))) = 0;
									asm("sbb eax, eax");
									return  ~0x00000000;
								}
							}
						} else {
							__eflags = _t103 - 8;
							if(_t103 >= 8) {
								goto L27;
							} else {
								_push(_t84);
								_t85 =  *(_t93 + 0x14);
								__eflags = _t103 - _t85;
								if(_t103 < _t85) {
									_t85 = _t103;
								}
								__eflags = _t46 - 8;
								if(_t46 >= 8) {
									_t51 = _t93 + 4;
									_push(_t62);
									_t63 =  *((intOrPtr*)(_t93 + 4));
									__eflags = _t85;
									if(__eflags > 0) {
										E0056F99E(_t63, _t85 + _t85, _t51, 0x10, _t63, _t85 + _t85);
										_t110 = _t110 + 0x10;
									}
									_t46 = E005365E5(_t63, _t85, _t93, __eflags, _t63);
								}
								 *(_t93 + 0x14) = _t85;
								 *(_t93 + 0x18) = 7;
								 *((short*)(_t93 + 4 + _t85 * 2)) = 0;
								__eflags = 0 - _t103;
								asm("sbb eax, eax");
								return  ~_t46;
							}
						}
					} else {
						_t54 = E00403B10(_t93, _t103,  *(_t93 + 0x14));
						__eflags = 0 - _t103;
						asm("sbb eax, eax");
						return  ~_t54;
					}
				} else {
					_t57 =  *_t62;
					if(_t84 >  *((intOrPtr*)(_t57 - 8))) {
						goto L14;
					} else {
						 *(_t57 - 0xc) = _t84;
						 *((short*)( *_t62 + _t84 * 2)) = 0;
						return 0;
					}
				}
			}

0x00404610
0x00404610
0x00404612
0x00404614
0x00404616
0x0040461a
0x00404622
0x00404626
0x0040462a
0x0040462c
0x00404631
0x00404631
0x00404638
0x00404644
0x00404649
0x0040464c
0x00404650
0x0040463a
0x0040463a
0x0040463c
0x0040463c
0x0040465b
0x0040465d
0x00404662
0x00404662
0x00404677
0x00404678
0x0040467f
0x00404681
0x00404684
0x00404689
0x00404689
0x0040468d
0x00404691
0x00404694
0x00404696
0x00404696
0x004046a0
0x004046a4
0x004046a9
0x004046ae
0x004046c9
0x004046c9
0x004046ce
0x004046d3
0x004046d4
0x004046d5
0x004046d6
0x004046d7
0x004046d8
0x004046d9
0x004046da
0x004046db
0x004046dc
0x004046dd
0x004046de
0x004046df
0x004046e0
0x004046e1
0x004046e5
0x004046e6
0x004046e8
0x004046ee
0x004046f0
0x004046f0
0x004046f5
0x004046f8
0x004046fa
0x00404715
0x0040471a
0x00404773
0x00404773
0x00404775
0x0040479c
0x0040479e
0x004047a0
0x004047a6
0x00404777
0x00404777
0x0040477a
0x0040477d
0x00404797
0x00404797
0x00404799
0x00000000
0x0040477f
0x00404786
0x00404788
0x0040478b
0x00404791
0x00404791
0x0040477d
0x0040471c
0x0040471c
0x0040471f
0x00000000
0x00404721
0x00404721
0x00404722
0x00404725
0x00404727
0x00404729
0x00404729
0x0040472b
0x0040472e
0x00404730
0x00404733
0x00404734
0x00404736
0x00404738
0x00404742
0x00404747
0x00404747
0x0040474b
0x00404753
0x00404756
0x00404759
0x00404762
0x00404767
0x0040476a
0x00404770
0x00404770
0x0040471f
0x004046fc
0x00404703
0x0040470a
0x0040470c
0x00404712
0x00404712
0x004046b0
0x004046b0
0x004046b5
0x00000000
0x004046b7
0x004046b7
0x004046be
0x004046c6
0x004046c6
0x004046b5

APIs

_wcsnlen.LIBCMT ref: 00404644
_memcpy_s.LIBCMT ref: 004046A4

Part of subcall function 00401460: _memcpy_s.LIBCMT ref: 0040149A

std::_String_base::_Xlen.LIBCPMT ref: 004046F0

Part of subcall function 005C6E86: __EH_prolog3.LIBCMT ref: 005C6E8D
Part of subcall function 005C6E86: __CxxThrowException@8.LIBCMT ref: 005C6EB8

_memcpy_s.LIBCMT ref: 00404742

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: _memcpy_s$Exception@8H_prolog3String_base::_ThrowXlen_wcsnlenstd::_
String ID:
API String ID: 1562039508-0
Opcode ID: 65ff3429a9ba71684d94003bec36a6694ab6681608bef542283aea978105472d
Instruction ID: 8570ff6d7286fd8afa0f46f470e97271a122fe144bc4d1bc60e05922a73b41d0
Opcode Fuzzy Hash: 65ff3429a9ba71684d94003bec36a6694ab6681608bef542283aea978105472d
Instruction Fuzzy Hash: 2241F5B26002159FC714EF78E98492BB3D9EFD1310B104A7FE546E7291FA39E84487A9

Uniqueness

Uniqueness Score: -1.00%

Function 004044A0, Relevance: 6.2, APIs: 4, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E004044A0(intOrPtr* __ecx, void* __edi, void* __ebp, signed int _a4, signed int _a8) {
				char _v12;
				signed int _v16;
				void* __ebx;
				void* __esi;
				intOrPtr _t26;
				intOrPtr _t27;
				signed int _t30;
				signed int _t37;
				intOrPtr _t40;
				intOrPtr _t41;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				signed int _t59;
				void* _t70;
				signed int _t72;
				signed int _t73;
				signed int _t78;
				signed int _t80;
				signed int _t81;
				signed int _t83;
				intOrPtr* _t90;
				signed int* _t91;
				void* _t95;
				void* _t96;

				_push(__ebp);
				_push(__edi);
				_t72 = _a8;
				_t90 = __ecx;
				if(_t72 != 0) {
					_t78 = _a4;
					__eflags = _t78;
					if(_t78 == 0) {
						_push(0x80070057);
						E00401460(__ecx, _t72, _t78, __ecx);
					}
					_t26 =  *_t90;
					_t80 = _t78 - _t26 >> 1;
					__eflags = 0x00000001 -  *((intOrPtr*)(_t26 - 4)) |  *((intOrPtr*)(_t26 - 8)) - _t72;
					_t47 =  *((intOrPtr*)(_t26 - 0xc));
					if((0x00000001 -  *((intOrPtr*)(_t26 - 4)) |  *((intOrPtr*)(_t26 - 8)) - _t72) < 0) {
						_push(_t72);
						E00402E90(_t47, _t90);
					}
					_t27 =  *_t90;
					_t70 =  *((intOrPtr*)(_t27 - 8)) +  *((intOrPtr*)(_t27 - 8));
					__eflags = _t80 - _t47;
					_t48 = _t72 + _t72;
					_push(_t48);
					if(_t80 > _t47) {
						_t59 = _a4;
						_push(_t59);
						_push(_t70);
						_push(_t27);
						E0056F99E(_t48, _t59);
					} else {
						_t59 = _t27 + _t80 * 2;
						_push(_t59);
						_push(_t70);
						_push(_t27);
						E0056FF76(_t48);
					}
					_t96 = _t95 + 0x10;
					__eflags = _t72;
					if(_t72 < 0) {
						L12:
						_push(0x80070057);
						E00401460(_t59, _t72, _t80, _t90);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t48);
						_t49 = _v16;
						_push(_t80);
						_t81 = _t59;
						__eflags = _t49 - 0xfffffffe;
						if(__eflags > 0) {
							E005C6E86(_t49, _t70, _t72, _t81, __eflags);
						}
						_t30 =  *(_t81 + 0x18);
						__eflags = _t30 - _t49;
						if(_t30 >= _t49) {
							__eflags = _v12;
							if(_v12 == 0) {
								L25:
								__eflags = _t49;
								if(_t49 != 0) {
									L29:
									__eflags = 0 - _t49;
									asm("sbb eax, eax");
									return  ~_t30;
								} else {
									 *(_t81 + 0x14) = _t49;
									__eflags = _t30 - 0x10;
									if(_t30 < 0x10) {
										_t83 = _t81 + 4;
										__eflags = _t83;
										 *_t83 = 0;
										goto L29;
									} else {
										__eflags = 0 - _t49;
										 *( *(_t81 + 4)) = _t49;
										asm("sbb eax, eax");
										return  ~_t30;
									}
								}
							} else {
								__eflags = _t49 - 0x10;
								if(_t49 >= 0x10) {
									goto L25;
								} else {
									_push(_t72);
									_t73 =  *(_t81 + 0x14);
									__eflags = _t49 - _t73;
									if(_t49 < _t73) {
										_t73 = _t49;
									}
									__eflags = _t30 - 0x10;
									if(_t30 >= 0x10) {
										_t34 = _t81 + 4;
										_push(_t90);
										_t91 =  *(_t81 + 4);
										__eflags = _t73;
										if(__eflags > 0) {
											E0056F99E(_t49, _t59, _t34, 0x10, _t91, _t73);
											_t96 = _t96 + 0x10;
										}
										_t30 = E005365E5(_t49, _t73, _t81, __eflags, _t91);
									}
									 *(_t81 + 0x14) = _t73;
									 *(_t81 + 0x18) = 0xf;
									 *((char*)(_t81 + _t73 + 4)) = 0;
									__eflags = 0 - _t49;
									asm("sbb eax, eax");
									return  ~_t30;
								}
							}
						} else {
							_t37 = E00403920(_t81, _t49,  *(_t81 + 0x14));
							__eflags = 0 - _t49;
							asm("sbb eax, eax");
							return  ~_t37;
						}
					} else {
						_t40 =  *_t90;
						__eflags = _t72 -  *((intOrPtr*)(_t40 - 8));
						if(_t72 >  *((intOrPtr*)(_t40 - 8))) {
							goto L12;
						} else {
							 *(_t40 - 0xc) = _t72;
							_t41 =  *_t90;
							__eflags = 0;
							 *((short*)(_t48 + _t41)) = 0;
							return _t41;
						}
					}
				} else {
					return E00402E20(__ecx);
				}
			}

0x004044a0
0x004044a1
0x004044a2
0x004044a6
0x004044aa
0x004044b7
0x004044bb
0x004044bd
0x004044bf
0x004044c4
0x004044c4
0x004044c9
0x004044db
0x004044dd
0x004044e0
0x004044e3
0x004044e5
0x004044e8
0x004044e8
0x004044ed
0x004044f3
0x004044f5
0x004044f7
0x004044fa
0x004044fb
0x0040450a
0x0040450e
0x0040450f
0x00404510
0x00404511
0x004044fd
0x004044fd
0x00404500
0x00404501
0x00404502
0x00404503
0x00404503
0x00404516
0x00404519
0x0040451b
0x00404538
0x00404538
0x0040453d
0x00404542
0x00404543
0x00404544
0x00404545
0x00404546
0x00404547
0x00404548
0x00404549
0x0040454a
0x0040454b
0x0040454c
0x0040454d
0x0040454e
0x0040454f
0x00404550
0x00404551
0x00404555
0x00404556
0x00404558
0x0040455b
0x0040455d
0x0040455d
0x00404562
0x00404565
0x00404567
0x00404582
0x00404587
0x004045db
0x004045db
0x004045dd
0x004045ff
0x00404601
0x00404603
0x00404609
0x004045df
0x004045df
0x004045e2
0x004045e5
0x004045f9
0x004045f9
0x004045fc
0x00000000
0x004045e7
0x004045ec
0x004045ee
0x004045f0
0x004045f6
0x004045f6
0x004045e5
0x00404589
0x00404589
0x0040458c
0x00000000
0x0040458e
0x0040458e
0x0040458f
0x00404592
0x00404594
0x00404596
0x00404596
0x00404598
0x0040459b
0x0040459d
0x004045a0
0x004045a1
0x004045a3
0x004045a5
0x004045ac
0x004045b1
0x004045b1
0x004045b5
0x004045bd
0x004045be
0x004045c1
0x004045ca
0x004045cf
0x004045d2
0x004045d8
0x004045d8
0x0040458c
0x00404569
0x00404570
0x00404577
0x00404579
0x0040457f
0x0040457f
0x0040451d
0x0040451d
0x00404520
0x00404523
0x00000000
0x00404525
0x00404525
0x00404528
0x0040452b
0x0040452d
0x00404535
0x00404535
0x00404523
0x004044ac
0x004044b3
0x004044b3

APIs

_memmove_s.LIBCMT ref: 00404503

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: _memmove_s
String ID:
API String ID: 800865076-0
Opcode ID: d1e0c57be5759d7cf5bc11996f5f5f132018445054e3a811ccd3a688d0664433
Instruction ID: b2a89bf1b91da41d4a4c40c79da0d3eec33f53e671dbd152dcaf751805a389b2
Opcode Fuzzy Hash: d1e0c57be5759d7cf5bc11996f5f5f132018445054e3a811ccd3a688d0664433
Instruction Fuzzy Hash: AF41F7B2500610AFD714EE68D984A2FB3D9EFD1314F11493FF646A72C1D634E84487A5

Uniqueness

Uniqueness Score: -1.00%

Function 0062A490, Relevance: 6.1, APIs: 4, Instructions: 142
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0062A490(void* __fp0, char* _a4, char* _a8) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				char _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				char _v224;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t38;
				signed int _t39;
				intOrPtr _t46;
				void* _t49;
				void* _t51;
				intOrPtr _t53;
				void* _t67;
				void* _t69;
				intOrPtr _t73;
				void* _t74;
				intOrPtr* _t75;
				intOrPtr _t76;
				void* _t105;
				char* _t106;
				intOrPtr _t107;
				void* _t108;
				intOrPtr* _t109;
				intOrPtr _t110;
				signed int _t111;
				void* _t112;
				intOrPtr _t113;
				intOrPtr _t116;

				_t122 = __fp0;
				_t113 = _t112 - 0xd0;
				_t38 =  *0x877864; // 0xf691760e
				_t39 = _t38 ^ _t111;
				_v24 = _t39;
				 *[fs:0x0] =  &_v16;
				_v20 = _t113;
				_t106 = _a8;
				_t109 = E0062AA00(0x8ac5c4, _t106);
				_v120 = _t109;
				_t75 =  *0x7493b8;
				 *_t75( *((intOrPtr*)( *((intOrPtr*)( *_t109 + 4))))(_t39, _t105, _t108, _t74,  *[fs:0x0], 0x736013, 0xffffffff));
				_t46 =  *((intOrPtr*)( *((intOrPtr*)( *_t109))))();
				_v124 = _t46;
				_v128 = _t46;
				 *_t75(_t46);
				_v8 = 0;
				_t49 =  *((intOrPtr*)( *((intOrPtr*)( *_t109 + 0x70))))();
				_t117 =  *((intOrPtr*)(_t49 + 4));
				if( *((intOrPtr*)(_t49 + 4)) != 0 || L005C7318(_t117) != 0) {
					__eflags = _a4;
					if(_a4 != 0) {
						E0062A320(_t75, _t109, _t122, 0x232d, 0);
					}
					_t103 =  *_t109;
					_t51 =  *((intOrPtr*)( *((intOrPtr*)( *_t109 + 4))))();
					goto L10;
				} else {
					_t77 = _a4;
					if(_a4 != 0) {
						_v8 = 1;
						E006296B0(_t109, __fp0);
						E00622C60();
						_v8 = 2;
						__eflags = _t106;
						if(__eflags == 0) {
							_t67 = E00628BF0(_t77);
							_t116 = _t113 - 0x18;
							_v132 = _t116;
							_push(_t67);
							E0062A110();
							_t113 = _t116 + 8;
							_v8 = 3;
							_v8 = 2;
							_t69 = E00624020( &_v224, 0x14, _t77, _t116);
							_v8 = 4;
							E00623D50( &_v116, __eflags, _t69);
							_v8 = 2;
							E005F2900( &_v224, __eflags);
							_t106 =  &_v116;
						}
						 *((intOrPtr*)( *((intOrPtr*)( *_t109 + 0x78))))(_t106);
						E00629620(_t77, __eflags, _t122, 0);
						_t103 =  *_t109;
						 *((intOrPtr*)( *((intOrPtr*)( *_t109 + 0xd8))))(_t106, 0x74a7c4);
						E00628F30(_t77, __eflags, _t122, 0x2328);
						_v8 = 1;
						E005F2900( &_v116, __eflags);
						_v8 = 0;
						E0061FFD0(_t106, _t111);
					} else {
						E006296B0(_t109, __fp0);
						_t73 =  *_t109;
						_t103 =  *((intOrPtr*)(_t73 + 4));
						_t51 =  *((intOrPtr*)( *((intOrPtr*)(_t73 + 4))))();
						L10:
						 *0x7493b0(_t51);
					}
				}
				_v8 = 0xffffffff;
				_t53 = _v124;
				if(_t53 != 0) {
					_t53 =  *0x7493b0(_t53);
				}
				 *[fs:0x0] = _v16;
				_pop(_t107);
				_pop(_t110);
				_pop(_t76);
				return E0056F98F(_t53, _t76, _v24 ^ _t111, _t103, _t107, _t110);
			}

0x0062a490
0x0062a4a1
0x0062a4a7
0x0062a4ac
0x0062a4ae
0x0062a4b8
0x0062a4be
0x0062a4c1
0x0062a4ce
0x0062a4d0
0x0062a4dd
0x0062a4e3
0x0062a4eb
0x0062a4ed
0x0062a4f0
0x0062a4f4
0x0062a4f6
0x0062a504
0x0062a506
0x0062a50a
0x0062a618
0x0062a61c
0x0062a627
0x0062a627
0x0062a62c
0x0062a633
0x00000000
0x0062a51d
0x0062a51d
0x0062a522
0x0062a539
0x0062a53f
0x0062a547
0x0062a54c
0x0062a550
0x0062a552
0x0062a555
0x0062a55a
0x0062a55f
0x0062a562
0x0062a564
0x0062a569
0x0062a56c
0x0062a573
0x0062a57d
0x0062a582
0x0062a58a
0x0062a58f
0x0062a599
0x0062a59e
0x0062a59e
0x0062a5a9
0x0062a5b2
0x0062a5ba
0x0062a5c5
0x0062a5cc
0x0062a5d4
0x0062a5db
0x0062a5e0
0x0062a5e9
0x0062a524
0x0062a526
0x0062a52b
0x0062a52f
0x0062a532
0x0062a635
0x0062a636
0x0062a636
0x0062a522
0x0062a63c
0x0062a643
0x0062a648
0x0062a64b
0x0062a64b
0x0062a654
0x0062a65c
0x0062a65d
0x0062a65e
0x0062a66c

APIs

RtlEnterCriticalSection.NTDLL(00000000), ref: 0062A4E3
RtlEnterCriticalSection.NTDLL(00000000), ref: 0062A4F4
RtlLeaveCriticalSection.NTDLL(00000000), ref: 0062A636
RtlLeaveCriticalSection.NTDLL(?), ref: 0062A64B

Part of subcall function 006296B0: RtlEnterCriticalSection.NTDLL(00000000), ref: 006296F6

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: CriticalSection$Enter$Leave
String ID:
API String ID: 2801635615-0
Opcode ID: d414857cdf3e73a5c470975cbb0acbf7d996ded38bcd7c00547957ca9044bb51
Instruction ID: 848a78ecfafab3cca212b40ffceb47abd05c1f76541ba8b9d63c7c99dd2beb3d
Opcode Fuzzy Hash: d414857cdf3e73a5c470975cbb0acbf7d996ded38bcd7c00547957ca9044bb51
Instruction Fuzzy Hash: 1B51A170A00618DFDB10EFA8D855BAEBBB6BF94700F14415DE505A7392CB749E05CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00532950, Relevance: 6.1, APIs: 4, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E00532950(void* __ebx, void* __edi, void* __ebp, void* __eflags, WCHAR* _a4) {
				intOrPtr _v4;
				char _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				intOrPtr _v32;
				char _v40;
				void* _v44;
				char _v48;
				intOrPtr _v56;
				intOrPtr _v72;
				intOrPtr _v80;
				void* _v84;
				void* __ecx;
				void* __esi;
				signed int _t37;
				signed int _t46;
				signed int _t49;
				void* _t52;
				intOrPtr _t55;
				WCHAR* _t71;
				WCHAR* _t87;
				void* _t90;
				void* _t93;
				void* _t94;
				void* _t99;
				signed int _t100;
				signed int _t101;

				_t99 = __ebp;
				_t90 = __edi;
				_t66 = __ebx;
				_push(0xffffffff);
				_push(0x7203e8);
				_push( *[fs:0x0]);
				_push(_t93);
				_t37 =  *0x877864; // 0xf691760e
				_push(_t37 ^ _t100);
				 *[fs:0x0] =  &_v12;
				E00403680();
				_v4 = 0;
				_t87 = _v16;
				if(( *((intOrPtr*)(_t87 - 8)) - 0x00000104 | 0x00000001 -  *((intOrPtr*)(_t87 - 4))) < 0) {
					_push(0x104);
					E00402E90(__ebx,  &_v16);
					_t87 = _v20;
				}
				GetCurrentDirectoryW(0x104, _t87);
				_t71 =  *((intOrPtr*)(_v16 - 8));
				_t46 = E0057078F(_v16, _t71);
				_t101 = _t100 + 8;
				if(_t46 < 0) {
					L7:
					_push(0x80070057);
					E00401460(_t71, _t90, _t93, _t99);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0xffffffff);
					_push(0x720418);
					_push( *[fs:0x0]);
					_push(_t71);
					_push(_t93);
					_push(_t90);
					_t49 =  *0x877864; // 0xf691760e
					_push(_t49 ^ _t101);
					 *[fs:0x0] =  &_v40;
					_t52 = E00403680();
					_v32 = 0;
					_push(1);
					L005DA8A8();
					_t94 = _t52;
					E004048A0(_t66,  &_v48, _t94, _t99, _v24, _v20);
					_push(_v56);
					_push(0);
					_push(_t94);
					L005DA898();
					_t55 = _v48;
					_push(_t94);
					_push(0x4000000);
					_push(_t55);
					L005DA888();
					_push(_t94);
					L005DA768();
					_v72 = 0xffffffff;
					E004036F0(_v56);
					 *[fs:0x0] = _v80;
					return _t55;
				} else {
					_t71 = _v16;
					if(_t46 >  *((intOrPtr*)(_t71 - 8))) {
						goto L7;
					} else {
						 *(_t71 - 0xc) = _t46;
						_t89 = _v16;
						_v16[_t46] = 0;
						if(SetCurrentDirectoryW(_a4) != 0) {
							SetCurrentDirectoryW(_v16);
							_v4 = 0xffffffff;
							E004036F0(_t89);
							 *[fs:0x0] = _v12;
							return 1;
						} else {
							_v4 = 0xffffffff;
							E004036F0(_t89);
							 *[fs:0x0] = _v12;
							return 0;
						}
					}
				}
			}

0x00532950
0x00532950
0x00532950
0x00532950
0x00532952
0x0053295d
0x0053295f
0x00532960
0x00532967
0x0053296c
0x00532976
0x0053297b
0x00532983
0x00532999
0x0053299b
0x005329a4
0x005329a9
0x005329a9
0x005329b3
0x005329bd
0x005329c2
0x005329c7
0x005329cc
0x00532a47
0x00532a47
0x00532a4c
0x00532a51
0x00532a52
0x00532a53
0x00532a54
0x00532a55
0x00532a56
0x00532a57
0x00532a58
0x00532a59
0x00532a5a
0x00532a5b
0x00532a5c
0x00532a5d
0x00532a5e
0x00532a5f
0x00532a60
0x00532a62
0x00532a6d
0x00532a6e
0x00532a6f
0x00532a70
0x00532a71
0x00532a78
0x00532a7d
0x00532a87
0x00532a8c
0x00532a94
0x00532a96
0x00532a9f
0x00532aab
0x00532ab4
0x00532ab5
0x00532ab7
0x00532ab8
0x00532abd
0x00532ac1
0x00532ac2
0x00532ac7
0x00532ac8
0x00532acd
0x00532ad0
0x00532ad5
0x00532ae1
0x00532aec
0x00532af9
0x005329ce
0x005329ce
0x005329d5
0x00000000
0x005329d7
0x005329dd
0x005329e0
0x005329e6
0x005329f3
0x00532a1e
0x00532a20
0x00532a2c
0x00532a3a
0x00532a46
0x005329f5
0x005329f5
0x00532a01
0x00532a0c
0x00532a18
0x00532a18
0x005329f3
0x005329d5

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?,F691760E,00000000,?,00000000,007203E8,000000FF,00534248,?), ref: 005329B3
_wcsnlen.LIBCMT ref: 005329C2
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?), ref: 005329EF
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?), ref: 00532A1E

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: CurrentDirectory$_wcsnlen
String ID:
API String ID: 3690881241-0
Opcode ID: e49e706252dba39c31ae4df116aa3aa39fbb9d3d7ae69700261c027d8b5b8352
Instruction ID: 4a26b6777aa53cfe69e41348a9ad16e24f6539acae16a5d92df41a6ae5ef7b09
Opcode Fuzzy Hash: e49e706252dba39c31ae4df116aa3aa39fbb9d3d7ae69700261c027d8b5b8352
Instruction Fuzzy Hash: D6418C71108741AFD314DF28D845B5BBBE8FB84720F108A2EF455973E1DB79A904CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0058898C, Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0058898C(void* __edx, void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				void* __ebx;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t74;

				_t74 = _a8;
				if(_t74 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t74 != 0) {
						E00570C1A(0,  &_v20, __edx, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E0057182B( *_t74 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t74, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E00576A0A(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t74[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t74, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t74 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x00588996
0x0058899d
0x005889b4
0x00000000
0x005889a4
0x005889a6
0x005889c0
0x005889c5
0x005889c8
0x005889cb
0x005889f4
0x005889fb
0x005889fd
0x00588a7e
0x00588a99
0x00588a9b
0x005889db
0x005889db
0x005889de
0x005889e0
0x005889e3
0x005889e3
0x005889e3
0x005889e3
0x00000000
0x005889e9
0x00588a5d
0x00588a5d
0x00588a62
0x00588a68
0x00588a6b
0x00588a6d
0x00588a70
0x00588a70
0x00588a70
0x00588a70
0x00000000
0x00588a74
0x005889ff
0x00588a02
0x00588a08
0x00588a0b
0x00588a32
0x00588a35
0x00588a3b
0x00000000
0x00000000
0x00588a3d
0x00588a40
0x00000000
0x00000000
0x00588a42
0x00588a42
0x00588a48
0x00588a4b
0x005889b9
0x005889b9
0x00588a54
0x00000000
0x00588a54
0x00588a0d
0x00588a10
0x00000000
0x00000000
0x00588a14
0x00588a25
0x00588a2b
0x00588a2d
0x00588a30
0x00000000
0x00000000
0x00000000
0x00588a30
0x005889cd
0x005889d0
0x005889d2
0x005889d8
0x005889d8
0x00000000
0x005889a8
0x005889a8
0x005889ad
0x005889b1
0x005889b1
0x00000000
0x005889ad
0x005889a6

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 005889C0
__isleadbyte_l.LIBCMT ref: 005889F4
MultiByteToWideChar.KERNEL32(00000080,00000009,00570215,?,00000000,00000000,?,?,?,?,00570215,00000000,?), ref: 00588A25
MultiByteToWideChar.KERNEL32(00000080,00000009,00570215,00000001,00000000,00000000,?,?,?,?,00570215,00000000,?), ref: 00588A93

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 953a600a3988815404a10296b7c57803034d3b26a7ee608bcdca6d3040db6093
Instruction ID: 06e17c0475506e20f9ef774080ba15f5043929e9fc7c009556165c486cd96cc8
Opcode Fuzzy Hash: 953a600a3988815404a10296b7c57803034d3b26a7ee608bcdca6d3040db6093
Instruction Fuzzy Hash: 2F31B231600256EFDF11EF64C8849BA3FA5FF01361F588569E8A5AB1D1EB30DD80DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00537AC4, Relevance: 6.1, APIs: 4, Instructions: 56
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00537AC4(void* __ebx, void* __edi, void* __esi, void* __eflags, long* _a4, intOrPtr _a8, short _a12) {
				intOrPtr* _v0;
				void* _v4;
				signed int _v8;
				intOrPtr _v16;
				long* _t20;
				intOrPtr* _t23;
				long _t25;
				intOrPtr _t31;
				long* _t32;
				void* _t42;

				_t42 = __eflags;
				_t36 = __esi;
				_t35 = __edi;
				_t29 = __ebx;
				_push(4);
				E00576762(0x720d26, __ebx, __edi, __esi);
				_t31 = E005365B6(_t42, 0xc);
				_v16 = _t31;
				_t20 = 0;
				_v4 = 0;
				if(_t31 != 0) {
					_t20 = E00537A7A(_t31);
				}
				_t32 = _a4;
				_v8 = _v8 | 0xffffffff;
				 *((intOrPtr*)(_t20 + 8)) = _t32;
				_a4 = _t20;
				E0057080C( &_a4, 0x841d68);
				asm("int3");
				_t23 = _v0;
				if(_t23 != 0) {
					 *_t23 = 0;
				}
				_t25 = FormatMessageW(0x1100, 0,  *(_t32 + 8), 0x800,  &_a12, 0, 0);
				if(_t25 != 0) {
					E005372D2(_t29, 0, _t35, _t36, _a4, _a8, _a12, 0xffffffff);
					LocalFree(_a12);
					_t25 = 1;
					__eflags = 1;
				} else {
					 *_a4 = _t25;
				}
				return _t25;
			}

0x00537ac4
0x00537ac4
0x00537ac4
0x00537ac4
0x00537ac4
0x00537acb
0x00537ad8
0x00537ada
0x00537add
0x00537adf
0x00537ae4
0x00537ae6
0x00537ae6
0x00537aeb
0x00537aee
0x00537af2
0x00537af5
0x00537b01
0x00537b06
0x00537b0c
0x00537b13
0x00537b15
0x00537b15
0x00537b2b
0x00537b33
0x00537b48
0x00537b53
0x00537b5b
0x00537b5b
0x00537b35
0x00537b38
0x00537b38
0x00537b5d

APIs

__EH_prolog3.LIBCMT ref: 00537ACB

Part of subcall function 005365B6: _malloc.LIBCMT ref: 005365D4

__CxxThrowException@8.LIBCMT ref: 00537B01
FormatMessageW.KERNEL32(00001100,00000000,00000000,00000800,?,00000000,00000000,?,00000000,00841D68,00000004,00401476,00000000,00402E4A,80070057), ref: 00537B2B
LocalFree.KERNEL32(?,?,00000000,0080D3D8,00000000), ref: 00537B53

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc
String ID:
API String ID: 1776251131-0
Opcode ID: b468769b45fb6c5fd4a3f13ac7f9b689d8ac1e42045e4b1d1aa715df1071a2db
Instruction ID: 3ba0da48e358f031677a12323855c810fd6c5908a1ebd0eb37336395be1f266a
Opcode Fuzzy Hash: b468769b45fb6c5fd4a3f13ac7f9b689d8ac1e42045e4b1d1aa715df1071a2db
Instruction Fuzzy Hash: 571151B1A04249AFDF149F64CC45EAE3FA5FF88350F10C529F5258B291E6718A50DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0053CF6D, Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0053CF6D(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t16;
				struct HWND__* _t18;
				struct HWND__* _t20;
				void* _t22;
				void* _t23;
				intOrPtr _t24;
				struct HWND__* _t25;

				_t23 = __ecx;
				_t22 = __ebx;
				_t24 =  *0x749844;
				_t16 = GetTopWindow(_a4);
				while(1) {
					_t25 = _t16;
					if(_t25 == 0) {
						break;
					}
					__eflags = _a24;
					if(__eflags == 0) {
						SendMessageW(_t25, _a8, _a12, _a16);
					} else {
						_t20 = E0053BCEB(_t23, _t24, _t25, __eflags, _t25);
						__eflags = _t20;
						if(__eflags != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x20)));
							_push(_t20);
							E0053CC4F(_t22, _t24, _t25, __eflags);
						}
					}
					__eflags = _a20;
					if(_a20 != 0) {
						_t18 = GetTopWindow(_t25);
						__eflags = _t18;
						if(_t18 != 0) {
							E0053CF6D(_t22, _t23, _t25, _a8, _a12, _a16, _a20, _a24);
						}
					}
					_t16 = GetWindow(_t25, 2);
				}
				return _t16;
			}

0x0053cf6d
0x0053cf6d
0x0053cf77
0x0053cf7d
0x0053cfe0
0x0053cfe0
0x0053cfe4
0x00000000
0x00000000
0x0053cf81
0x0053cf85
0x0053cfaf
0x0053cf87
0x0053cf88
0x0053cf8d
0x0053cf8f
0x0053cf91
0x0053cf94
0x0053cf97
0x0053cf9a
0x0053cf9d
0x0053cf9e
0x0053cf9e
0x0053cf8f
0x0053cfb5
0x0053cfb9
0x0053cfbc
0x0053cfbe
0x0053cfc0
0x0053cfd2
0x0053cfd2
0x0053cfc0
0x0053cfda
0x0053cfda
0x0053cfe9

APIs

GetTopWindow.USER32(00000000), ref: 0053CF7D
GetTopWindow.USER32(00000000), ref: 0053CFBC
GetWindow.USER32(00000000,00000002), ref: 0053CFDA

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: d87ab7426f1119474d96078969bc5ea1e87057af9382c30819e8390dc5d6d94b
Instruction ID: 4a1d2431320ef71235c059044f21890e3a18f7c95345739026a15d00a6c06c15
Opcode Fuzzy Hash: d87ab7426f1119474d96078969bc5ea1e87057af9382c30819e8390dc5d6d94b
Instruction Fuzzy Hash: 1A01083604551ABBCF236FA59C09EAF3F6ABF49350F048011FE1466020D73AC971EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0053724F, Relevance: 6.0, APIs: 4, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0053724F(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				char _v16;
				char _v24;
				intOrPtr _v36;
				intOrPtr _t18;
				void* _t21;
				intOrPtr _t22;
				void* _t26;
				void* _t27;
				void* _t29;

				_t21 = __ecx;
				_t26 = _t29;
				_push(__ecx);
				_v8 = 0x8764b8;
				E0057080C( &_v8, 0x841c00);
				asm("int3");
				_push(_t26);
				_t27 = _t29;
				_push(_t21);
				_v16 = 0x8765d0;
				E0057080C( &_v16, 0x841cb4);
				asm("int3");
				_push(_t27);
				_push(_t21);
				_v24 = 0x8766e8;
				E0057080C( &_v24, 0x841cf8);
				asm("int3");
				_push(4);
				E00576762(0x720d02, __ebx, __edi, __esi);
				_t22 = E00550946(0x164);
				_v36 = _t22;
				_t18 = 0;
				_v24 = 0;
				if(_t22 != 0) {
					_t18 = E00545423(_t22);
				}
				return E0057683A(_t18);
			}

0x0053724f
0x00537252
0x00537254
0x0053725e
0x00537265
0x0053726a
0x0053726d
0x0053726e
0x00537270
0x0053727a
0x00537281
0x00537286
0x00537289
0x0053728c
0x00537296
0x0053729d
0x005372a2
0x005372a3
0x005372aa
0x005372b9
0x005372bb
0x005372be
0x005372c0
0x005372c5
0x005372c7
0x005372c7
0x005372d1

APIs

__CxxThrowException@8.LIBCMT ref: 00537281
__CxxThrowException@8.LIBCMT ref: 00537265

Part of subcall function 0057080C: KiUserExceptionDispatcher.NTDLL(?,?,00402FC2,00000000,?,?,?,?,00402FC2,00000000,0080D3D8,00000000), ref: 0057084E

__CxxThrowException@8.LIBCMT ref: 0053729D
__EH_prolog3.LIBCMT ref: 005372AA

Part of subcall function 00550946: LocalAlloc.KERNEL32(00000040,0080D3D8,?,005372B9,00000164,00000004,00000000,00841CF8,?,?,005372EE,00000000,0080D3D8,00000000,?,?), ref: 00550950

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Exception@8Throw$AllocDispatcherExceptionH_prolog3LocalUser
String ID:
API String ID: 2921020066-0
Opcode ID: be115f0c403173fddc8fe33fbdddce681a9e973e873deb7ba4ae63e1110c2b7d
Instruction ID: 4d857bb845e84b83d37248cd34b44178a70e64e6af31e19141270e421da23409
Opcode Fuzzy Hash: be115f0c403173fddc8fe33fbdddce681a9e973e873deb7ba4ae63e1110c2b7d
Instruction Fuzzy Hash: 8AF086B094020DBB8F44FBD59D4E99E7EECFBC4708F604054B21CD7281EAB09A049662

Uniqueness

Uniqueness Score: -1.00%

Function 005527D3, Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E005527D3(signed int _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t13;
				intOrPtr* _t14;
				void* _t15;
				signed int _t16;
				void* _t19;
				intOrPtr* _t20;

				_t16 = _a4;
				_t21 = _t16 - 0x11;
				if(_t16 >= 0x11) {
					E00537287(_t13, _t15, _t16, _t19, _t21);
				}
				if( *0x8a9aac == 0) {
					E0055276A();
				}
				_t14 =  *0x7493b8;
				_t20 = 0x8a9c60 + _t16 * 4;
				if( *_t20 == 0) {
					 *_t14(0x8a9c48);
					if( *_t20 == 0) {
						 *0x7493c4(0x8a9ab0 + _t16 * 0x18);
						 *_t20 =  *_t20 + 1;
					}
					 *0x7493b0(0x8a9c48);
				}
				return  *_t14(0x8a9ab0 + _t16 * 0x18);
			}

0x005527db
0x005527de
0x005527e1
0x005527e3
0x005527e3
0x005527ef
0x005527f1
0x005527f1
0x005527f6
0x005527fc
0x00552806
0x0055280d
0x00552812
0x0055281f
0x00552825
0x00552825
0x0055282c
0x0055282c
0x00552842

APIs

RtlEnterCriticalSection.NTDLL(008A9C48), ref: 0055280D
RtlInitializeCriticalSection.NTDLL(?), ref: 0055281F
RtlLeaveCriticalSection.NTDLL(008A9C48), ref: 0055282C
RtlEnterCriticalSection.NTDLL(?), ref: 0055283C

Part of subcall function 00537287: __CxxThrowException@8.LIBCMT ref: 0053729D
Part of subcall function 00537287: __EH_prolog3.LIBCMT ref: 005372AA

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: 111f6bb95d133fa9afdfa282b23233828a16bda79deb9f075188036b630dc107
Instruction ID: d2a0a5ded2fb020f323ce694fb0132e40d2439f9afab2c095ea7046ba3b924ed
Opcode Fuzzy Hash: 111f6bb95d133fa9afdfa282b23233828a16bda79deb9f075188036b630dc107
Instruction Fuzzy Hash: 90F02B336042145FEB109FD9DC49B16BBA9FBE3322F015017F68082596C734AC85CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00550979, Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(008A9A3C), ref: 00550987
TlsGetValue.KERNEL32(008A9A20,?,?,?,00551018,?,00000004,00545D0C,005372A3,005430AE,00406B82,?,?,?,?,?), ref: 0055099B
RtlLeaveCriticalSection.NTDLL(008A9A3C), ref: 005509B1
RtlLeaveCriticalSection.NTDLL(008A9A3C), ref: 005509BC

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 34bb549d8db12738614e8f3f53e362f5b831793e00f12d54bc0f537d462a1675
Instruction ID: 6edfc45df79282fe7cf829afda3e106b05bf6e723abf6efdc25446f840d135bd
Opcode Fuzzy Hash: 34bb549d8db12738614e8f3f53e362f5b831793e00f12d54bc0f537d462a1675
Instruction Fuzzy Hash: F7F090362042009FD3209F15DC88C277BB9FA863B13159417FD468319AC770F805CA90

Uniqueness

Uniqueness Score: -1.00%

Function 0058160B, Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E0058160B(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
				signed int _t13;
				intOrPtr _t28;
				void* _t29;
				void* _t30;

				_t30 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x8472e8);
				E00576AF4(__ebx, __edi, __esi);
				_t28 = E0057BA6A(__ebx, __edx, __edi, _t30);
				_t13 =  *0x878138; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t13) == 0) {
					L6:
					E005870E4(_t22, 0xc);
					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
					_t8 = _t28 + 0x6c; // 0x6c
					_t26 =  *0x878220; // 0x27c1a58
					 *((intOrPtr*)(_t29 - 0x1c)) = E005815CD(_t8, _t26);
					 *(_t29 - 4) = 0xfffffffe;
					E00581675();
				} else {
					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(E0057BA6A(_t22, __edx, _t26, _t32) + 0x6c));
					}
				}
				if(_t28 == 0) {
					E00579BF7(_t25, _t26, 0x20);
				}
				return E00576B39(_t28);
			}

0x0058160b
0x0058160b
0x0058160b
0x0058160b
0x0058160b
0x0058160d
0x00581612
0x0058161c
0x0058161e
0x00581626
0x0058164a
0x0058164c
0x00581652
0x00581656
0x00581659
0x00581664
0x00581667
0x0058166e
0x00581628
0x00581628
0x0058162c
0x00000000
0x0058162e
0x00581633
0x00581633
0x0058162c
0x00581638
0x0058163c
0x00581641
0x00581649

APIs

__getptd.LIBCMT ref: 00581617

Part of subcall function 0057BA6A: __getptd_noexit.LIBCMT ref: 0057BA6D
Part of subcall function 0057BA6A: __amsg_exit.LIBCMT ref: 0057BA7A

__getptd.LIBCMT ref: 0058162E
__amsg_exit.LIBCMT ref: 0058163C
__lock.LIBCMT ref: 0058164C

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 3f46c32c5992e7b6e96e644784c304ee384b70d2ca87f4267cfbf67c6b80dcaa
Instruction ID: 0ec5cdf36f6ea05611cc178c2b95ee94073d4ed8ebc4ff308f7e494b69c4d61d
Opcode Fuzzy Hash: 3f46c32c5992e7b6e96e644784c304ee384b70d2ca87f4267cfbf67c6b80dcaa
Instruction Fuzzy Hash: EDF0F032900B02DBD720BB65E40EB483BA4BB80710F188249F89AB76D2DB749942DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00407620, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00407620(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				char _v25;
				void* _v32;
				int _v36;
				int _v40;
				void* __ebx;
				void* __ebp;
				signed int _t26;
				int _t36;
				signed int _t56;
				void* _t57;

				_push(0xffffffff);
				_push(0x6efeb3);
				_push( *[fs:0x0]);
				_t26 =  *0x877864; // 0xf691760e
				_push(_t26 ^ _t56);
				 *[fs:0x0] =  &_v16;
				_v20 = _t57 - 0xe4;
				_v40 = 0;
				_v36 = 0;
				E00406B10(0, _t56, L"Unknown Error");
				_v8 = 0;
				E00406B10(0, _t56, L"No details available");
				_v8 = 1;
				_v25 = 0;
				_v8 = 2;
				_push( &_v36);
				_t50 = _a8;
				_v40 = E00406E00(__ecx, _a4, _a8, _a12);
				_v25 = 1;
				_v8 = 1;
				_v8 = 0;
				E004036F0(_t50);
				_v8 = 0xffffffff;
				E004036F0(_t50);
				_t36 = _v36;
				if(_t36 != 0) {
					PostQuitMessage(_t36);
				}
				 *[fs:0x0] = _v16;
				return _v40;
			}

0x00407623
0x00407625
0x00407630
0x0040763a
0x00407641
0x00407645
0x0040764b
0x00407652
0x00407655
0x00407660
0x00407665
0x00407670
0x00407675
0x00407679
0x0040767c
0x00407683
0x00407688
0x00407697
0x0040769a
0x0040769e
0x0040773d
0x00407743
0x00407748
0x00407752
0x00407757
0x0040775c
0x0040775f
0x0040775f
0x0040776b
0x00407779

APIs

PostQuitMessage.USER32(?), ref: 0040775F

Strings

Unknown Error, xrefs: 00407658
No details available, xrefs: 00407668

Memory Dump Source

Source File: 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306022114.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.306401068.00000000007E5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306464432.0000000000873000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306472081.000000000088D000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306474975.0000000000890000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306481299.00000000008A0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306487957.00000000008B2000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306511828.0000000000909000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.306516203.000000000090C000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.306520602.000000000090E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: MessagePostQuit
String ID: No details available$Unknown Error
API String ID: 1657236379-1431358846
Opcode ID: bc493fea0f34e4fb9856c61d40aa1454de57b90f514fc46e54c02ef2a6dfc989
Instruction ID: 127b24aa5c63a26d34d6f1aa7a4f2fe1d32302aba82d320e27a4332599dea590
Opcode Fuzzy Hash: bc493fea0f34e4fb9856c61d40aa1454de57b90f514fc46e54c02ef2a6dfc989
Instruction Fuzzy Hash: 9B216D71D05248EFCB00DF99C981AEEBBB8EB09354F10456EE411B7281D7796A04CBA5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

Compliance:

Spreading:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: setup.exe PID: 7152 Parent PID: 4616

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: setup.exe PID: 7152 Parent PID: 4616 setup.exeCOMMON

Execution Graph

Function 0053B595, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 175
windowCOMMON

Function 00550B78, Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMON

Function 0049EBD0, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 222
windowCOMMON

Function 004052D0, Relevance: 3.1, APIs: 2, Instructions: 103
COMMON

Function 0053FF3D, Relevance: 3.0, APIs: 2, Instructions: 27
COMMON

Function 00579C4B, Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Function 0053CC4F, Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Function 00402130, Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 00550FB1, Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Function 00402DD0, Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Function 005365B6, Relevance: 1.5, APIs: 1, Instructions: 23
COMMONLIBRARYCODE

Function 0053FD25, Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Function 005367BB, Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Function 00540008, Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Function 00570B75, Relevance: 1.5, APIs: 1, Instructions: 14
COMMONLIBRARYCODE

Function 0057B7D8, Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Function 0053F498, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
COMMON

Function 0056F98F, Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Function 00538C8C, Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Function 005F67C0, Relevance: 3.1, APIs: 2, Instructions: 75
windowCOMMON

Function 00531CB0, Relevance: 3.0, APIs: 2, Instructions: 22
fileCOMMON

Function 005E9980, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Function 005319A0, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Function 00538A8B, Relevance: 29.8, APIs: 8, Strings: 9, Instructions: 82
libraryloaderCOMMON

Function 0040DEB0, Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 95
windowCOMMON

Function 0040DFC0, Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 316
windowCOMMON

Function 005C6EBE, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 87
COMMONLIBRARYCODE

Function 0044CA90, Relevance: 18.3, APIs: 12, Instructions: 322
COMMON

Function 005C71A4, Relevance: 18.1, APIs: 12, Instructions: 139
COMMON

Function 00533540, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 160
libraryloaderCOMMON

Function 0040CA80, Relevance: 15.2, APIs: 10, Instructions: 167
windowCOMMON

Function 00582363, Relevance: 15.1, APIs: 10, Instructions: 95
COMMONLIBRARYCODE

Function 00538CF9, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84
COMMON

Function 00550D6E, Relevance: 13.6, APIs: 9, Instructions: 96
memoryCOMMON

Function 00628230, Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 301
fileCOMMON

Function 00621F60, Relevance: 12.4, APIs: 8, Instructions: 383
COMMON

Function 004142C0, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 65
COMMON

Function 00427760, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 427
COMMON

Function 00624AE0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 136
COMMON

Function 004144C0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80
COMMON

Function 00620000, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68
COMMON

Function 006226B0, Relevance: 7.7, APIs: 5, Instructions: 204
COMMON

Function 0040C4C0, Relevance: 7.7, APIs: 5, Instructions: 202
windowCOMMON

Function 00621D30, Relevance: 7.7, APIs: 5, Instructions: 159
COMMON

Function 00575426, Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Function 004010A0, Relevance: 7.5, APIs: 5, Instructions: 46
COMMON

Function 00572061, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Function 00412C10, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 151
COMMON

Function 00624820, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93
windowCOMMON

Function 00404610, Relevance: 6.2, APIs: 4, Instructions: 174
COMMON

Function 004044A0, Relevance: 6.2, APIs: 4, Instructions: 161
COMMON